Friday, January 29, 2021

HR 118 Introduced – Vulnerability Disclosure Reporting

Earlier this month Rep Jackson-Lee introduced HR 118, the Cyber Vulnerability Disclosure Reporting Act. The bill would require DHS to prepare “a report that contains a description of the policies and procedures developed for coordinating cyber vulnerability disclosures” {§2(a)}. This is the same language that Ms Jackson-Lee introduced as HR 43 in the 116th Congress. No action was taken on HR 43.

The Report

The unclassified report would be submitted to Congress within 240 days of the date of enactment. The requirement for establishing the policies and procedures is found in 6 USC 659(m). That subsection provides that:

“The Secretary, in coordination with industry and other stakeholders, may develop and adhere to Department policies and procedures for coordinating vulnerability disclosures.”

The bill would require an annex to the report that would contain information on {§2(a)}:

• Instances in which such policies and procedures were used to disclose cyber vulnerabilities in the prior year; and

• The degree to which such information was acted upon by industry and other stakeholders.

Moving Forward

Jackson-Lee is (as of yesterday) a member of the House Homeland Security Committee, to which this bill was assigned for consideration. She should have enough influence in the Committee to ensure that this bill could be considered if she is willing to exert that influence. There is nothing in this bill that would cause any organized opposition to the bill. The bill would very likely receive strong bipartisan support (as an earlier version, HR 3202, did in the 115th Congress) both in Committee and on the floor of the House.

Commentary

It is odd that this bill was being introduced this year when there was no action taken on the bill in the previous session. Jackson-Lee did not use her significant influence in Committee last year to have the bill considered.

On the other hand, with the current concern about cybersecurity, there is a good chance that this bill will move forward early in this session, either as a standalone measure or included in some larger cybersecurity legislation.

One last item: the bill probably should have been updated to require CISA, not DHS, to prepare the report.
