BAG17434 S L C 115TH CONGRESS 1ST SESSION S ll To establish the Vulnerability Equities Review Board and for other purposes IN THE SENATE OF THE UNITED STATES llllllllll Mr SCHATZ for himself Mr JOHNSON and Mr GARDNER introduced the following bill which was read twice and referred to the Committee on llllllllll A BILL To establish the Vulnerability Equities Review Board and for other purposes 1 Be it enacted by the Senate and House of Representa- 2 tives of the United States of America in Congress assembled 3 4 SECTION 1 SHORT TITLE This Act may be cited as the ''Protecting Our Ability 5 to Counter Hacking Act of 2017'' or ''PATCH Act of 6 2017'' 7 8 SEC 2 VULNERABILITY EQUITIES REVIEW BOARD a DEFINITIONS --In this section BAG17434 S L C 2 1 1 FEDERAL AGENCY --The term ''Federal 2 agency'' has the meaning given such term in section 3 551 of title 5 United States Code 4 5 2 PUBLICLY A IN KNOWN -- GENERAL --Except as provided in 6 subparagraph B the term ''publicly known'' 7 with respect to information regarding a vulner- 8 ability means information that-- 9 i is-- 10 I a verbal or electronic presen- 11 tation or discussion in a publicly ac- 12 cessible domain or 13 II in a paper or other published 14 documentation in the public domain 15 and 16 ii that specifically discusses the vul- 17 nerability and how the vulnerability could 18 be exploited 19 B CLASSIFIED MATERIAL --Information 20 about a vulnerability shall not be considered 21 ''publicly known'' if the information is currently 22 protected as classified and has been inappropri- 23 ately released to the public BAG17434 S L C 3 1 3 VENDOR --The term ''vendor'' with respect 2 to a technology product system service or applica- 3 tion means the person who-- 4 5 A developed the technology product system service or application or 6 B is responsible for maintaining the tech- 7 nology product system service or application 8 4 VULNERABILITY --The term ''vulnerability'' 9 means a design configuration or implementation 10 weakness in a technology product system service 11 or application that can be exploited or triggered to 12 cause unexpected or unintended behavior 13 b ESTABLISHMENT --There is established the Vul- 14 nerability Equities Review Board in this section the 15 ''Board'' 16 17 18 c MEMBERSHIP -- 1 PERMANENT MEMBERS --The permanent members of the Board consist of the following 19 A The Secretary of Homeland Security 20 or the designee of the Secretary who shall be 21 the chair of the Board 22 23 24 25 B The Director of the Federal Bureau of Investigation or the designee of the Director C The Director of National Intelligence or the designee of the Director BAG17434 S L C 4 1 D The Director of the Central Intel- 2 ligence Agency or the designee of the Director 3 E The Director of the National Security 4 5 Agency or the designee of the Director F The Secretary of Commerce or the 6 designee of the Secretary 7 2 AD HOC MEMBERS --The Board shall in- 8 clude as members on an ad hoc basis the following 9 A The Secretary of State or the designee 10 of the Secretary when the Board considers 11 matters under the jurisdiction of such sec- 12 retary 13 B The Secretary of the Treasury or the 14 designee of the Secretary when the Board con- 15 siders matters under the jurisdiction of such 16 secretary 17 C The Secretary of Energy or the des- 18 ignee of the Secretary when the Board con- 19 siders matters under the jurisdiction of such 20 secretary 21 D The Federal Trade Commission or the 22 designee of the Commission when the Board 23 considers matters relating to the Commission 24 3 OTHER 25 PARTICIPANTS --Any member of the National Security Council under section 101 of the BAG17434 S L C 5 1 National Security Act of 1947 50 U S C 3021 2 who is not a permanent or ad hoc member of the 3 Board may with the approval of the President par- 4 ticipate in activities of the Board when requested by 5 the Board 6 d DUTIES -- 7 1 POLICIES -- 8 A IN GENERAL --The Board shall estab- 9 lish policies on matters relating to whether 10 when how to whom and to what degree infor- 11 mation about a vulnerability that is not publicly 12 known should be shared or released by the Fed- 13 eral Government to a non-Federal entity 14 B AVAILABILITY TO THE PUBLIC --To 15 the degree that the policies established under 16 subparagraph A are unclassified the Board 17 shall make such policies available to the public 18 C DRAFT POLICIES -- 19 i SUBMITTAL 20 I IN TO CONGRESS -- GENERAL --Not later than 21 180 days after the date of the enact- 22 ment of this Act the Board shall sub- 23 mit to Congress and the President a 24 draft of the policies required by sub- 25 paragraph A along with a descrip- BAG17434 S L C 6 1 tion of any challenges or impediments 2 that may require legislative or admin- 3 istrative action 4 II FORM --The draft submitted 5 under subclause I shall be in unclas- 6 sified form but may include a classi- 7 fied annex 8 ii PUBLICATION --Not later than 9 240 days after the date of the enactment 10 of this Act the Board shall make available 11 to the public a draft of the policies re- 12 quired by subparagraph A to the degree 13 that such policies are unclassified 14 2 REQUIREMENT --The head of each Federal 15 agency shall upon obtaining information about a 16 vulnerability that is not publicly known subject such 17 information to the process established under para- 18 graph 3 A 19 3 PROCESS -- 20 A IN GENERAL --The Board shall estab- 21 lish the process by which the Board determines 22 whether when how to whom and to what de- 23 gree the Federal Government shares or releases 24 information to a non-Federal entity about a vul- 25 nerability that is not publicly known BAG17434 S L C 7 1 B CONSIDERATIONS --The process estab- 2 lished under subparagraph A shall include 3 with respect to a vulnerability consideration of 4 the following 5 i Which technologies products sys- 6 tems services or applications are subject 7 to the vulnerability including whether the 8 products or systems are used in core Inter- 9 net infrastructure in other critical infra- 10 structure systems in the United States 11 economy or in national security systems 12 13 ii The potential risks of leaving the vulnerability unpatched or unmitigated 14 iii The harm that could occur if an 15 actor such as an adversary of the United 16 States or a criminal organization were to 17 obtain information about the vulnerability 18 iv How likely it is that the Federal 19 Government would know if someone exter- 20 nal to the Federal Government were ex- 21 ploiting the vulnerability 22 23 v The need of the Federal Government to exploit the vulnerability BAG17434 S L C 8 1 vi Whether the vulnerability is need- 2 ed for a specific ongoing intelligence or na- 3 tional security operation 4 vii If a Federal entity would like to 5 exploit the vulnerability to obtain informa- 6 tion whether there are other means avail- 7 able to the Federal entity to obtain such 8 information 9 viii The likelihood that a non-Fed- 10 eral entity will discover the vulnerability 11 ix The risks to foreign countries and 12 the people of foreign countries of not shar- 13 ing or releasing information about the vul- 14 nerability 15 x Whether the vulnerability can be 16 patched or otherwise mitigated 17 xi Whether the affected non-Federal 18 entity has a publicly disclosed policy for re- 19 porting and disclosing vulnerabilities 20 4 EXCLUSION FROM PROCESS OF 21 VULNERABILITIES PRESUMPTIVELY SHAREABLE OR 22 RELEASABLE -- 23 A IN GENERAL --Under guidelines estab- 24 lished by the Board a Federal agency may 25 share or release information to a non-Federal BAG17434 S L C 9 1 entity about a vulnerability without subjecting 2 such information to the process under para- 3 graph 3 A if the agency determines that such 4 information is presumptively shareable or re- 5 leasable The guidelines shall specify the stand- 6 ards to be used to determine whether or not in- 7 formation is presumptively shareable or releas- 8 able for purposes of this paragraph 9 B RULE OF CONSTRUCTION --Subpara- 10 graph A shall not be construed to imply that 11 information which is determined under such 12 subparagraph to be presumptively shareable or 13 releasable is exempt from the requirements of 14 subparagraph A of paragraph 5 or the shar- 15 ing process established under subparagraph B 16 of such paragraph 17 5 18 DISSEMINATION OF ON VULNERABILITIES -- 19 A SHARING 20 HOMELAND SECURITY -- 21 INFORMATION i IN THROUGH SECRETARY OF GENERAL --In any case in 22 which the Board determines under para- 23 graph 3 A that information about a vul- 24 nerability not otherwise publicly known 25 should be shared with or released to an ap- BAG17434 S L C 10 1 propriate vendor the Board shall provide 2 the information to the Secretary of Home- 3 land Security and the Secretary shall on 4 behalf of the Federal Government share or 5 release the information as directed by the 6 Board 7 ii PRESUMPTIVELY SHAREABLE OR 8 RELEASABLE INFORMATION --In 9 in which a Federal agency determines 10 under paragraph 4 A that information 11 about a vulnerability is presumptively 12 shareable or releasable the Federal agency 13 shall provide such information to the Sec- 14 retary and the Secretary shall on behalf of 15 the Federal Government share or release 16 the information 17 B SHARING 18 i IN any case PROCESS -- GENERAL --Not later than 180 19 days after the date of the enactment of 20 this Act the Secretary of Homeland Secu- 21 rity in coordination with the Secretary of 22 Commerce shall establish the process by 23 which the Secretary of Homeland Security 24 shares or releases information pursuant to 25 subparagraph A BAG17434 S L C 11 1 ii USE 2 STANDARDS --The 3 that OF VOLUNTARY CONSENSUS Secretary shall ensure 4 I any sharing or release of in- 5 formation under subparagraph A is 6 made in accordance with voluntary 7 consensus standards for disclosure of 8 vulnerabilities and 9 II the process established under 10 clause i is consistent with such 11 standards 12 C INFORMATION 13 14 15 NOT DETERMINED TO BE SHAREABLE OR RELEASABLE -- i IN GENERAL --The policies under paragraph 1 shall provide for-- 16 I the periodic review of 17 vulnerabilities that are determined by 18 the Board pursuant to the process es- 19 tablished under paragraph 3 A not 20 to be shareable or releasable in order 21 to 22 vulnerabilities may be shared or re- 23 leased in a manner consistent with the 24 national security interests of the 25 United States and determine whether such BAG17434 S L C 12 1 II the sharing with or releasing 2 to appropriate non-Federal entities of 3 information about vulnerabilities that 4 may be shared or released in a man- 5 ner consistent with the national secu- 6 rity interests of the United States fol- 7 lowing review under subclause I 8 ii IN 9 10 CASE OF LATER BECOMING PUBLICLY KNOWN -- I IN GENERAL --In the case of 11 a vulnerability that was not publicly 12 known and determined not to be 13 shareable or releasable pursuant to 14 clause i I and then subsequently 15 becomes publicly known the vulner- 16 ability shall not be subject to the 17 process established under paragraph 18 3 A and shall be subject to such 19 other Federal procedures and inter- 20 agency operation processes as may be 21 applicable such as procedures and 22 processes established to carry out the 23 Cybersecurity 24 Act of 2015 6 U S C 1501 et seq Information Sharing BAG17434 S L C 13 1 II APPLICABILITY TO CLASSI- 2 FIED MATERIAL --In 3 paragraph B of subsection a 2 4 shall not apply 5 this clause sub- e COMPLIANCE --Each head of a Federal agency 6 shall ensure that the agency complies with the policies 7 issued by the Board under this section 8 f OVERSIGHT -- 9 1 ANNUAL 10 A IN REPORTS BY BOARD -- GENERAL --Not less frequently 11 than once each year the Board shall submit to 12 the appropriate committees of Congress a re- 13 port on the activities of the Board and the poli- 14 cies issued under subsection d 15 B CONTENTS --In addition to informa- 16 tion about the activities and policies described 17 in subparagraph A the report required by 18 such subparagraph shall also include the fol- 19 lowing 20 21 22 23 i The frequency of meetings held by the Board ii The aggregate number vulnerabilities reviewed by the Board of BAG17434 S L C 14 1 iii The number of vulnerabilities de- 2 termined by the Board to be shareable or 3 releasable 4 iv The number of vulnerabilities de- 5 termined by the Board not to be shareable 6 or releasable 7 v Such other matters as the Board 8 considers appropriate 9 C AVAILABILITY TO THE PUBLIC --For 10 each report submitted under subparagraph A 11 the Board shall make an unclassified version of 12 the report available to the public 13 2 ANNUAL 14 A IN REPORTS ON ACTIVITIES OF IGS -- GENERAL --Not less frequently 15 than once each year the Inspector General of 16 the Department of Homeland Security shall in 17 consultation with the Inspectors General of 18 other Federal agencies whose work is affected 19 by activities of the Board submit to the appro- 20 priate committees of Congress a report on the 21 activities of all such Inspectors General during 22 the preceding year in connection with the activi- 23 ties of the Board the policies issued under sub- 24 section d and the sharing and releasing of in- BAG17434 S L C 15 1 formation about vulnerabilities pursuant to 2 such policies 3 B AVAILABILITY TO THE PUBLIC --For 4 each report submitted under subparagraph A 5 the Inspector General of the Department of 6 Homeland Security shall make an unclassified 7 version of the report available to the public 8 3 FORM --Each report under paragraphs 1 9 and 2 shall be submitted in unclassified form but 10 may include a classified annex 11 4 REVIEW 12 OVERSIGHT BOARD -- 13 A IN BY PRIVACY AND CIVIL LIBERTIES GENERAL --The Privacy and Civil 14 Liberties Oversight Board shall review each re- 15 port submitted under paragraph 1 16 B CONSULTATION --The Vulnerability 17 Equities Review Board may consult with the 18 Privacy and Civil Liberties Oversight Board as 19 the Vulnerability Equities Review Board con- 20 siders appropriate 21 5 APPROPRIATE COMMITTEES OF CONGRESS 22 DEFINED --In 23 priate committees of Congress'' means-- this subsection the term ''appro- 24 A the Committee on Homeland Security 25 and Governmental Affairs the Committee on BAG17434 S L C 16 1 Commerce Science and Transportation and 2 the Select Committee on Intelligence of the 3 Senate and 4 B the Committee on Homeland Security 5 the Committee on Oversight and Government 6 Reform the Committee on Energy and Com- 7 merce and the Permanent Select Committee on 8 Intelligence of the House of Representatives                     National Security Archive    Suite 701  Gelman Library  The George Washington University    2130 H Street  NW  Washington  D C  20037    Phone  202 994‐7000  Fax  202 994‐7005  nsarchiv@gwu edu