II
115th CONGRESS
2d Session
S. 2593
IN THE SENATE OF THE UNITED STATES
March 22, 2018
Mr. Lankford (for himself, Ms. Klobuchar, Mr. Graham, Ms. Harris, Ms. Collins, Mr. Heinrich, Mr. Burr, and Mr. Warner) introduced the following bill; which was read twice and referred to the Committee on Rules and Administration
A BILL
To protect the administration of Federal elections against cybersecurity threats.
Short title
This Act may be cited as the Secure Elections Act
.
Sense of Congress
It is the sense of Congress that—
the States conduct elections and should maintain control of and responsibility for them;
it is important to maintain State leadership in election administration;
free and fair elections are central to our democracy;
protecting our elections is a national security priority; and
an attack on our election systems by a foreign power is a hostile act and should be met with appropriate retaliatory actions, including immediate and severe sanctions.
Definitions
In this Act:
Advisory panel
The term Advisory Panel means the advisory panel of independent experts on election cybersecurity established under section 5(a)(1).
Appropriate congressional committees
The term appropriate congressional committees means—
the Committee on Rules and Administration, the Committee on Armed Services, the Committee on Homeland Security and Governmental Affairs, the Committee on Appropriations, the Select Committee on Intelligence, the majority leader, and the minority leader of the Senate; and
the Committee on House Administration, the Committee on Armed Services, the Committee on Homeland Security, the Committee on Appropriations, the Permanent Select Committee on Intelligence, the Speaker, and the minority leader of the House of Representatives.
Appropriate Federal entities
The term appropriate Federal entities means—
the Department of Commerce, including the National Institute of Standards and Technology;
the Department of Defense;
the Department, including the component of the Department that reports to the Under Secretary responsible for overseeing critical infrastructure protection, cybersecurity, and other related programs of the Department;
the Department of Justice, including the Federal Bureau of Investigation;
the Commission; and
the Office of the Director of National Intelligence, the National Security Agency, and such other elements of the intelligence community (as defined in section 3 of the National Security Act of 1947 (50 U.S.C. 3003)) as the Director of National Intelligence determines are appropriate.
Chairman
The term Chairman means the Chairman of the Election Assistance Commission.
Commission
The term Commission means the Election Assistance Commission.
Department
The term Department means the Department of Homeland Security.
Election agency
The term election agency means any component of a State or any component of a county, municipality, or other subdivision of a State that is responsible for administering Federal elections.
Election cybersecurity incident
The term election cybersecurity incident means any incident involving an election system.
Election cybersecurity threat
The term election cybersecurity threat means any cybersecurity threat (as defined in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501)) to an election system.
Election cybersecurity vulnerability
The term election cybersecurity vulnerability means any security vulnerability (as defined in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501)) that affects an election system.
Election service provider
The term election service provider means any person providing, supporting, or maintaining an election system on behalf of an election agency, such as a contractor or vendor.
Election system
The term election system means a voting system, an election management system, a voter registration website or database, an electronic pollbook, a system for tabulating or reporting election results, an election agency communications system, or any other information system (as defined in section 3502 of title 44, United States Code) that the Secretary identifies as central to the management, support, or administration of a Federal election.
Federal election
The term Federal election means any election (as defined in section 301(1) of the Federal Election Campaign Act of 1971 (52 U.S.C. 30101(1))) for Federal office (as defined in section 301(3) of the Federal Election Campaign Act of 1971 (52 U.S.C. 30101(3))).
Federal entity
The term Federal entity means any agency (as defined in section 551 of title 5, United States Code).
Incident
The term incident has the meaning given the term in section 227(a) of the Homeland Security Act of 2002 (6 U.S.C. 148(a)).
Secretary
The term Secretary means the Secretary of Homeland Security.
State
The term State means each of the several States of the United States, the District of Columbia, the Commonwealth of Puerto Rico, Guam, American Samoa, the Commonwealth of Northern Mariana Islands, and the United States Virgin Islands.
State election official
The term State election official means—
the chief State election official of a State designated under section 10 of the National Voter Registration Act of 1993 (52 U.S.C. 20509); or
in the Commonwealth of Puerto Rico, Guam, American Samoa, the Commonwealth of Northern Mariana Islands, and the United States Virgin Islands, a chief State election official designated by the State for purposes of this Act.
State law enforcement officer
The term State law enforcement officer means the head of a State law enforcement agency, such as an attorney general.
Voting system
The term voting system has the meaning given the term in section 301(b) of the Help America Vote Act of 2002 (52 U.S.C. 21081(b)).
Information sharing
Designation of responsible Federal entity
The Secretary shall have primary responsibility within the Federal Government for sharing information about election cybersecurity incidents, threats, and vulnerabilities with Federal entities and with election agencies.
Presumption of Federal information sharing to the department
If a Federal entity receives information about an election cybersecurity incident, threat, or vulnerability, the Federal entity shall promptly share that information with the Department, unless the head of the entity (or a Senate-confirmed official designated by the head) makes a specific determination in writing that there is good cause to withhold the particular information.
Presumption of Federal and State information sharing from the department
If the Department receives information about an election cybersecurity incident, threat, or vulnerability, the Department shall promptly share that information with—
the appropriate Federal entities;
all State election agencies;
to the maximum extent practicable, all election agencies that have requested ongoing updates on election cybersecurity incidents, threats, or vulnerabilities; and
to the maximum extent practicable, all election agencies that may be affected by the risks associated with the particular election cybersecurity incident, threat, or vulnerability.
Technical resources for election agencies
In sharing information about election cybersecurity incidents, threats, and vulnerabilities with election agencies under this section, the Department shall, to the maximum extent practicable—
provide cyber threat indicators and defensive measures (as such terms are defined in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501)), such as recommended technical instructions, that assist with preventing, mitigating, and detecting threats or vulnerabilities;
identify resources available for protecting against, detecting, responding to, and recovering from associated risks, including technical capabilities of the Department; and
provide guidance about further sharing of the information.
Declassification review
If the Department receives classified information about an election cybersecurity incident, threat, or vulnerability—
the Secretary shall promptly submit a request for expedited declassification review to the head of a Federal entity with authority to conduct the review, consistent with Executive Order 13526 or any successor order, unless the Secretary determines that such a request would be inappropriate; and
the head of the Federal entity described in paragraph (1) shall promptly conduct the review.
Role of non-Federal entities
The Department may share information about election cybersecurity incidents, threats, and vulnerabilities through a non-Federal entity.
Protection of personal and confidential information
In general
If a Federal entity shares information relating to an election cybersecurity incident, threat, or vulnerability, the Federal entity shall, within Federal information systems (as defined in section 3502 of title 44, United States Code) of the entity—
minimize the acquisition, use, and disclosure of personal information of voters, except as necessary to identify, protect against, detect, respond to, or recover from election cybersecurity incidents, threats, and vulnerabilities;
notwithstanding any other provision of law, prohibit the retention of personal information of voters, such as—
voter registration information, including physical address, email address, and telephone number;
political party affiliation or registration information; and
voter history, including registration status or election participation; and
protect confidential Federal and State information from unauthorized disclosure.
Exemption from disclosure
Information relating to an election cybersecurity incident, threat, or vulnerability, such as personally identifiable information of reporting persons or individuals affected by such incident, threat, or vulnerability, shared by or with the Federal Government shall be—
deemed voluntarily shared information and exempt from disclosure under section 552 of title 5, United States Code, and any State, tribal, or local provision of law requiring disclosure of information or records; and
withheld, without discretion, from the public under section 552(b)(3)(B) of title 5, United States Code, and any State, tribal, or local provision of law requiring disclosure of information or records.
Duty To assess possible cybersecurity incidents
Election agencies
If an election agency becomes aware of the possibility of an election cybersecurity incident, the election agency shall promptly assess whether an election cybersecurity incident occurred and notify the State election official.
Election service providers
If an election service provider becomes aware of the possibility of an election cybersecurity incident, the election service provider shall promptly assess whether an election cybersecurity incident occurred and notify the relevant election agencies consistent with subsection (j).
Information sharing about cybersecurity incidents by election agencies
If an election agency has reason to believe that an election cybersecurity incident has occurred with respect to an election system owned, operated, or maintained by or on behalf of the election agency, the election agency shall, in the most expedient time possible and without unreasonable delay, provide notification of the election cybersecurity incident to the Department.
Information sharing about cybersecurity incidents by election service providers
If an election service provider has reason to believe that an election cybersecurity incident may have occurred, or that an incident related to the role of the provider as an election service provider may have occurred, the election service provider shall—
notify the relevant election agencies in the most expedient time possible and without unreasonable delay; and
cooperate with the election agencies in providing the notifications required under subsections (h)(1) and (i).
Content of notification by election agencies
The notifications required under subsections (h)(1) and (i)—
shall include an initial assessment of—
the date, time, and duration of the election cybersecurity incident;
the circumstances of the election cybersecurity incident, including the specific election systems believed to have been accessed and information acquired; and
planned and implemented technical measures to respond to and recover from the incident; and
shall be updated with additional material information, including technical data, as it becomes available.
Security clearance
Not later than 30 days after the date of enactment of this Act, the Secretary—
shall establish an expedited process for providing appropriate security clearance to State election officials and designated technical personnel employed by State election agencies;
shall establish an expedited process for providing appropriate security clearance to members of the Commission and designated technical personnel employed by the Commission; and
shall establish a process for providing appropriate security clearance to personnel at other election agencies.
Protection from liability
Nothing in this Act may be construed to provide a cause of action against a State, unit of local government, or an election service provider.
Assessment of inter-State information sharing about election cybersecurity
In general
The Secretary and the Chairman, in coordination with the heads of the appropriate Federal entities and appropriate officials of State and local governments, shall conduct an assessment of—
the structure and functioning of the Multi-State Information Sharing and Analysis Center for purposes of election cybersecurity; and
other mechanisms for inter-state information sharing about election cybersecurity.
Comment from election agencies
In carrying out the assessment required under paragraph (1), the Secretary and the Chairman shall solicit and consider comments from all State election agencies.
Distribution
The Secretary and the Chairman shall jointly issue the assessment required under paragraph (1) to—
all election agencies known to the Department and the Commission; and
the appropriate congressional committees.
Congressional notification
In general
If an appropriate Federal entity has reason to believe that a significant election cybersecurity incident has occurred, the entity shall—
not later than 7 calendar days after the date on which there is a reasonable basis to conclude that the significant incident has occurred, provide notification of the incident to the appropriate congressional committees; and
update the initial notification under paragraph (1) within a reasonable period of time after additional information relating to the incident is discovered.
Reporting threshold
The Secretary shall—
promulgate a uniform definition of a significant election cybersecurity incident
; and
shall submit the definition promulgated under subparagraph (A) to the appropriate congressional committees.
Advisory panel and guidelines
Advisory Panel
In general
The Commission shall establish an advisory panel of independent experts on election cybersecurity.
Membership
The Advisory Panel shall consist of not less than 9 members, of whom—
one shall be appointed by the Chairman, in consultation with the Secretary and the Director of the National Institute of Standards and Technology, and shall be designated as the Chairman of the advisory panel;
four shall be appointed by the Chairman, in consultation with the Secretary; and
four shall be appointed by the Secretary, in consultation with the Chairman and the Director of the National Institute of Standards and Technology.
Eligibility
Individuals appointed to the Advisory Panel established under paragraph (1)—
may not be officers or employees of the United States;
if appointed under paragraph (2)(A), shall possess expertise in election law, election administration, or cybersecurity; and
if appointed under subparagraph (B) or (C) of paragraph (2), shall possess expertise in cybersecurity.
Terms; vacancies
Members of the Advisory Panel shall serve for a term set by the Commission. Any vacancy in the Advisory Panel shall be filled in the same manner as the original appointment.
Compensation
Members of the Advisory Panel shall serve on the Advisory Panel without compensation, except that members of the Advisory Panel may be allowed travel expenses, including per diem in lieu of subsistence, at rates authorized for employees of agencies under subchapter I of chapter 57 of title 5, United States Code, while away from their homes or regular places of business in the performance of services for the Advisory Panel.
Administrative staff
Upon request of the Advisory Panel, the Commission shall provide to the Advisory Panel, on a reimbursable basis, the administrative support services necessary for the Advisory Panel to carry out its responsibilities under this Act.
Guidelines
In general
The Advisory Panel shall develop a set of guidelines for election cybersecurity, including standards for procuring, maintaining, testing, auditing, operating, and updating election systems.
Requirements
In developing the guidelines, the Advisory Panel shall—
identify the top risks to election systems;
describe how specific technology choices can increase or decrease those risks; and
provide recommended policies, best practices, and overall security strategies for identifying, protecting against, detecting, responding to, and recovering from the risks identified under subparagraph (A).
Grant program
The Advisory Panel shall assist the Commission and the Department in carrying out the grant program required under section 7 by—
submitting recommendations to the Commission about the grant program application process;
submitting recommendations, including recommended criteria, to the Commission for the grant program review process;
submitting recommendations, including recommended criteria, to the Commission for use of remaining grant funds;
submitting recommendations, including recommended criteria, to the Commission for the interim grant program for non-paper equipment replacement; and
providing any other assistance that the Commission or the Department requests.
Voting systems and statistical audits
The guidelines developed under subsection (b) shall include provisions regarding voting systems and statistical audits for Federal elections, including that—
each vote is cast using a voting system that—
would be eligible to be purchased under section 7(f); and
allows the voter an opportunity to inspect and confirm the marked ballot before casting it (consistent with accessibility requirements); and
each election result is determined by tabulating marked ballots (by hand or device), and prior to certification by a State of the election result, election agencies within the State inspect (by hand and not by device) a random sample of the marked ballots and thereby establish high statistical confidence in the election result.
Issues considered
In general
In developing the guidelines required under subsection (b), the Advisory Panel shall consider—
applying established cybersecurity best practices to Federal election administration by States and local governments, including appropriate technologies, procedures, and personnel for identifying, protecting against, detecting, responding to, and recovering from cybersecurity events;
mechanisms to verify that election systems accurately tabulate ballots, report results, and identify a winner for each election for Federal office, even if there is an error or fault in the voting system;
specific types of election audits, including procedures and shortcomings for such audits;
durational requirements needed to facilitate election audits prior to election certification, including variations in the acceptance of postal ballots, time allowed to cure provisional ballots, and election certification deadlines;
providing actionable guidance to election agencies that have not applied for or received grant funds under section 7, and to agencies that seek to implement additional cybersecurity protections;
how the guidelines could assist other components of State and local governments; and
any other factors that the Advisory Panel determines to be relevant.
Relationship to voluntary voting system guidelines and National Institute of Standards and Technology Cybersecurity guidance
In developing the guidelines required under subsection (b), the Advisory Panel shall consider—
the voluntary voting system guidelines developed by the Commission; and
cybersecurity standards and best practices developed by the National Institute of Standards and Technology, including frameworks, consistent with section 2(c) of the National Institute of Standards and Technology Act (15 U.S.C. 272(c)).
Public comment
The Advisory Panel shall—
provide a reasonable opportunity for public comment, including through Commission publication in the Federal Register, on the guidelines required under subsection (b), including a 45-day opportunity for public comment on a draft of the guidelines before they are submitted under subsection (i), which shall, to the extent practicable, occur concurrently with the other activities of the Advisory Panel under this section; and
consider the public comments in developing the guidelines.
Consultation
In developing the guidelines required under subsection (b), the Advisory Panel shall consult with—
the appropriate Federal entities;
the Standards Board, Board of Advisors, and Technical Guidelines Development Committee of the Commission;
the Federal Communications Commission;
the Federal Trade Commission;
the National Governors Association;
the National Association of Secretaries of State;
the National Association of State Election Directors;
the National Association of Election Officials;
the National Association of Counties;
the National League of Cities;
the International Association of Government Officials;
the Multi-State Information Sharing and Analysis Center;
the National Science Foundation; and
any other interested entities that the Advisory Panel determines are necessary to the development of the guidelines.
Submission to Commission
Not later than 180 days after the date of enactment of this Act, the Advisory Panel shall submit the guidelines required under subsection (b) to the Commission.
Submission to Congress; modification
Not later than 14 calendar days after the date on which the Commission receives guidelines under subsection (h) or (l), the Commission shall submit the guidelines to the appropriate congressional committees. The Commission may modify the guidelines in advance of submission to Congress if—
the Commission determines that there is good cause to modify the guidelines, consistent with the considerations established in subsection (e) and notwithstanding the recommendation of the Advisory Panel; and
the Commission submits a written justification of the modification to the Advisory Panel and the appropriate congressional committees.
Distribution to election agencies
The Commission shall distribute the guidelines required under subsection (b) to all election agencies known to the Commission and the Department.
Publication
The Commission shall make the guidelines required under subsection (b) available on the public website of the Department.
Periodic review
Not later than January 31, 2019, and once every 2 years thereafter, the Advisory Panel shall review and update the guidelines required under subsection (b).
Rule of construction
Nothing in this section shall be construed to subject the process for developing the guidelines required under subsection (b) to subchapter II of chapter 5, and chapter 7, of title 5, United States Code (commonly known as the Administrative Procedure Act
).
Conforming amendment
Section 202 of the Help America Vote Act of 2002 (52 U.S.C. 20921) is amended by striking and
at the end of paragraph (5), by striking the period at the end of paragraph (6) and inserting ; and
, and by adding at the end the following new paragraph:
establishing the advisory panel of independent experts on election cybersecurity under section 5(a)(1) of the Secure Elections Act.
.
Reports to Congress
Reports on foreign threats to elections
In general
Not later than 30 days after the date of enactment of this Act, and 30 days after the end of each fiscal year thereafter, the Secretary and the Director of National Intelligence, in coordination with the heads of the appropriate Federal entities, shall submit a joint report to the appropriate congressional committees on foreign threats to elections in the United States, including physical and cybersecurity threats.
Voluntary participation by States
The Secretary shall solicit and consider comments from all State election agencies. Participation by an election agency in the report under this subsection shall be voluntary and at the discretion of the State.
Reports on grant program
In general
Not later than 2 years after the date of enactment of this Act, and, subject to paragraph (2), every 4 years thereafter, the Comptroller General of the United States shall submit a report to the appropriate congressional committees on the grant program established under section 7, including how grant funds have been distributed and used to implement the guidelines required under section 5(b).
Sunset
If the Comptroller General determines that over 90 percent of the funds appropriated under section 7(h)(1) have been expended by the States, the reporting requirement in paragraph (1) shall cease to be effective after the Comptroller General submits a final report.
State election system cybersecurity and modernization grants
Authority
In general
The Commission shall award grants in accordance with this section.
Coordination
In general
The Commission shall coordinate with the Secretary in carrying out this section.
Joint program
If the Chairman determines that jointly carrying out this section with the Secretary would increase State participation and cybersecurity preparedness, the Chairman shall—
submit notice of the determination to the Committee on Homeland Security and Governmental Affairs and the Committee on Rules and Administration of the Senate and the Committee on Homeland Security and the Committee on House Administration of the House of Representatives; and
enter into a Memorandum of Understanding with the Secretary to carry out the grant program.
Cybersecurity and modernization grants
Application process
In general
The Commission shall—
establish a process for States to apply for election system cybersecurity and modernization grants;
in establishing the application process, consider the recommendations of the Advisory Panel under section 5(c); and
ensure that the application process requires that a State seeking a grant provide a detailed explanation of how election agencies within the State will implement the guidelines established under section 5(b).
Review
The Commission—
shall fund a State application submitted under subparagraph (A) if the Commission determines that—
the election agencies within the State will likely implement the guidelines established under section 5(b);
with respect to the guidelines related to statistical audits, consistent with section 5(d), the State will complete a statewide pilot program during a biennial Federal general election not later than 2022; and
the State will match at least ten percent of the total grant allocation for election cybersecurity improvements; and
in reviewing a State application, shall consider the recommendations and criteria of the Advisory Panel under section 5(c).
State implementation
In general
A State receiving a grant under this subsection may adopt any reasonable implementation of the guidelines established under section 5(b).
Inconsistency with State law
If implementation of the guidelines would be inconsistent with State law, the State shall—
identify in the application of the State the legal issue and the guidelines that the State cannot implement;
specify in the application of the State the amount of grant funds that the State would spend implementing those guidelines if the law were not inconsistent; and
not spend the amount of grant funds specified under subclause (II) until the legal issue is resolved.
Protection of personal information
The application process established under this paragraph shall not require a State to disclose the personal information of any voter.
Use of funds
In general
Except as provided in subparagraph (B), a State receiving a grant under this subsection shall use the funds received under the grant to implement the guidelines established under section 5(b).
Remaining funds
A State may use funds from a grant under this subsection to improve, upgrade, or acquire hardware, software, or services for the purposes of improving administration of Federal elections, consistent with the guidelines established under section 5(b), if—
the State election official submits a written certification to the Commission that the election agencies within the State have implemented the guidelines established under section 5(b); and
the Commission, after consideration of the recommendations and criteria of the Advisory Panel under section 5(c), approves the use of funds.
Limitation on amount of grants
In general
Subject to subparagraph (C), the amount of funds provided to a State under a grant under this subsection shall be equal to the product obtained by multiplying—
the total amount appropriated for grants pursuant to the authorization under subsection (h) reduced by the amounts described in subsections (d)(6) and (e)(5); by
the State allocation percentage for the State (as determined under paragraph (2)).
State allocation percentage
The State allocation percentage for a State is the amount (expressed as a percentage) equal to the quotient obtained by dividing—
the total voting age population of all States (as reported in the most recent decennial census); by
the voting age population of the State (as reported in the most recent decennial census).
Minimum amount of payment
The amount determined under this subsection may not be less than—
in the case of any of the several States or the District of Columbia, 0.5 percent of the total amount appropriated for grants under this section; or
in the case of the Commonwealth of Puerto Rico, Guam, American Samoa, the Commonwealth of Northern Mariana Islands, or the United States Virgin Islands, 0.1 percent of such total amount.
Pro rata reductions
The Commission shall make such pro rata reductions to the allocations determined under subparagraph (A) as are necessary to comply with the requirements of subparagraph (C).
Grants for local jurisdictions
Eligibility
If a State notifies the Commission that it will not apply for election system cybersecurity and modernization grants under this subsection, the Commission shall award grants to election agencies within the State.
Application process
The Commission shall establish a process for election agencies that are eligible under subparagraph (A) to apply for election system cybersecurity and modernization grants, consistent with the application process for States established under paragraph (1).
Use of funds
An election agency that receives a grant under this subsection is subject to the use of funds restrictions in paragraph (2).
Limitation on amount of grant
The amount of funds provided to an election agency under a grant under this subsection shall be equal to the amount obtained by multiplying the amount available to the State under paragraph (3) by the quotient obtained by dividing—
the voting age population of the State (as reported in the most recent decennial census) who would cast their ballots in a Federal election using voting systems operated by the election agency (under current State law); by
the voting age population of the State (as reported in the most recent decennial census).
Interim grant program for election preparedness
In general
The Commission, in consultation with the Secretary, shall award a grant to an election agency, regardless of State submission of an application under subsection (b)(1)(A), that—
receives a cyber hygiene
scan, a risk and vulnerability assessment, or a similar cybersecurity evaluation by the Department or a contractor approved by the Department; and
not later than November 6, 2018, submits to the Commission and the Department—
the results of the evaluation described in subparagraph (A);
a plan for rapidly remediating the vulnerabilities identified by the evaluation, including specific expenditures; and
in the case of an application by any election agency of a political subdivision of a State, a certification of approval from the State election agency.
Prioritization for local governments
A State election agency may authorize some or all other election agencies within the State to apply for interim grants under paragraph (1). If the amount available under paragraph (5) is not sufficient to fund the applications received from election agencies within the State, the State election agency may establish a priority order for funding applications.
Use of funds
An election agency that receives a grant under paragraph (1) shall only use the funds received under the grant to implement the remediation plan submitted under paragraph (1)(B)(ii).
Unavailability of department services
If an election agency requests an evaluation by the Department consistent with paragraph (1)(A), and the Department is not able to provide the evaluation during the 30-calendar-day period following the request, the agency may—
procure a reasonably equivalent evaluation from a private-sector entity; and
use funds received from a grant under paragraph (1) as reimbursement for the cost of the evaluation.
Limitation on amount of grant; coordination with cybersecurity and modernization grants
Limitation
The aggregate amount of grants under this subsection to all election agencies in a State shall not exceed 10 percent of the limitation with respect to such State under subsection (b)(3).
Coordination with cybersecurity and modernization grants
The amount under subsection (b)(3) for purposes of grants under subsection (b) to a State shall be reduced by the amount of grants provided under this subsection to election agencies within the State, less any unused amount returned to the Department.
Interim grant program for non-Paper equipment replacement
In general
The Commission shall award grants to States designated under paragraph (2) for the purpose of replacing voting systems that would not be eligible for purchase under subsection (f).
Eligibility
Not later than 60 days after the date of enactment of this Act, the Commission shall develop a list of States in which 10 percent or more of votes in the first Federal election occurring after the date of enactment of this Act are expected to be cast using voting systems that would not be eligible for purchase under subsection (f), and shall submit the list to the appropriate congressional committees.
Application process
The Commission shall—
establish an application process for States designated under paragraph (2) to apply for grants under this subsection; and
consider the recommendations of the Advisory Panel under section 5(c) in establishing the application process; and ensure that a State applying for a grant submits—
an inventory of voting systems in the State that would not be eligible for purchase under subsection (f);
a plan to expeditiously replace those voting systems; and
a commitment to State funding for replacements that is at least equivalent to the grant amount.
Review
The Commission—
shall fund a State application if the Commission determines that the State will likely replace the voting systems that would not be eligible for purchase under subsection (f); and
in reviewing a State application, shall consider the recommendations and criteria of the Advisory Panel under section 5(c).
Use of funds
A State election agency that receives funds under paragraph (1) shall only use the funds to replace voting systems that would not be eligible for purchase under subsection (f).
Limitations; coordination with cybersecurity and modernization grants
Limitations
Of the total amount authorized to be appropriated under subsection (h), $186,000,000 shall be used for grants awarded under this subsection.
Formula for grant amounts
The grant amount made available to each State shall be set according to the proportional formula described in subsection (b)(3), as applied to the list of States designated under paragraph (2) and the number of votes cast in those States using voting systems that would not be eligible for purchase under subsection (f).
Coordination with cybersecurity and modernization grants
If the Secretary determines that no additional State will receive a grant under this paragraph, the Secretary shall reallocate any amounts remaining under subparagraph (A) to the cybersecurity and modernization grant program under subsection (b).
Grants for local jurisdictions
Eligibility
If a State designated under paragraph (2) notifies the Commission that it will not apply for grants under this subsection, the Commission shall award grants to election agencies within such State.
Application process
The Commission shall establish a process for election agencies that are eligible under subparagraph (A) to apply for grants under this subsection, consistent with the application process for States established under paragraph (3).
Review
The Commission shall review applications of election agencies under this paragraph in a similar manner to the manner required for applications by States under paragraph (4).
Use of funds
An election agency that receives a grant under this subsection is subject to the use of funds restrictions in paragraph (5).
Limitation on amount of grant
The amount of funds provided to an election agency under a grant under this subsection shall be equal to the amount obtained by multiplying the amount available to the State under paragraph (6)(B) by the quotient obtained by dividing—
the voting age population of the State (as reported in the most recent decennial census) who would cast their ballots in a Federal election using voting systems that are operated by the election agency (under current State law) and that would not be eligible for purchase under subsection (f); by
the voting age population of the State (as reported in the most recent decennial census) who would cast their ballots in a Federal election using voting systems that would not be eligible for purchase under subsection (f).
Financial assistance for auditing expenses
In general
The Commission shall award grants to reimburse States that conduct statistical audits of a proportionally large number of ballots in close Federal elections if the statistical audit—
is consistent with the guidelines established under section 5(b); and
includes the inspection (by hand and not by device) of an amount of paper ballots in excess of 5 percent of the voting age population within the State (in the case of national or statewide office) or district covered by the election.
Applications process
In general
A State seeking a grant under this subsection shall submit an application in such form and manner and at such time as the Commission may require.
Local governments
A State election agency may authorize some or all other election agencies within the State to apply for grants under paragraph (1). The Commission shall establish rules for the application of paragraphs (3) and (4)(B) to agencies requesting grants under this subparagraph.
Limitation on amount of grants
The amount of funds provided under a grant under this subsection shall be equal to the cost of the statistical audit, less the cost of inspecting (by hand and not by device) a number of ballots equal to 5 percent of—
in the case of an election for a national or statewide office, the voting age population within the State; or
in the case of an election for any other office, the voting age population within the district covered by the election.
Timing; distribution
In general
The Commission shall award grants under this subsection on January 31, 2019, and every 2 years thereafter.
Insufficient funds
If the amount appropriated for carrying out this subsection is insufficient to fund the grants, the Commission shall fund such grants according to the proportional formula described in subsection (b)(3), as applied to the States seeking grants under this subsection and the number of marked paper ballots that were inspected by hand in excess of 5 percent of the voting age population within the State (in the case of national or statewide office) or district covered by the election.
Limitation
Of the total amount authorized to be appropriated under subsection (h), $5,000,000 shall be used for grants under this subsection.
Prohibition on use for certain voting systems
In general
Funds received under a grant under this section may not be used for any voting system that records each vote in electronic storage, unless the system is an optical scanner that reads paper ballots.
Electronic user interfaces
Funds received under a grant under this section may be used for a voting system with an electronic user interface provided that the voting system is consistent with clause (i).
Contracting assistance
Not later than 90 days after the date of enactment of this Act, the Administrator of General Services, in consultation with the Director of the National Institute of Standards and Technology, shall take such actions as may be necessary through competitive processes—
to qualify a set of private sector entities that are capable of assisting States with identifying, protecting against, detecting, responding to, and recovering from election cybersecurity incidents, threats, and vulnerabilities;
to establish contract vehicles to enable States to access the services of 1 or more of the private sector organizations after receiving amounts under a grant under this section;
to ensure that the contract vehicles permit individual States to augment Federal funds with funding otherwise available to the States; and
to provide a list of qualified entities to the Chairman and Secretary in order to ensure it is readily available to State election officials.
Authorization of appropriations
In general
There is authorized to be appropriated to the Commission $386,000,000 to carry out this section for fiscal year 2018.
Availability
Any amounts appropriated pursuant to paragraph (1) shall remain available without fiscal year limitation until expended.
Funding source
Definitions
In this paragraph—
the terms agency, closeout, and Federal grant award have the meanings given those terms in section 2 of the Grants Oversight and New Efficiency Act (Public Law 114–117; 130 Stat. 6); and
the term Director means the Director of the Office of Management and Budget.
Closeout of expired and undisbursed Federal grants
Not later than 1 year after the date of enactment of this Act, the Director shall promulgate procedures requiring the head of each agency to promptly conduct a closeout of each Federal grant award.
Related reports
In promulgating the procedures required under subparagraph (B), the Director shall consider the recommendations and data in the reports required to be submitted under section 2 of the Grants Oversight and New Efficiency Act (Public Law 114–117; 130 Stat. 6) and section 530 of the Commerce, Justice, Science, and Related Agencies Appropriations Act, 2016 (Public Law 114–113; 129 Stat. 2329), and similar reports.
Expiration
The procedures required under subparagraph (B) shall expire 4 years after the date on which the procedures are promulgated.
Conforming amendment
Section 202(7) of the Help America Vote Act of 2002 (52 U.S.C. 20921), as amended by section 5, is amended by inserting and carrying out the grant programs under section 7 of such Act
after Secure Elections Act
.
