HR6315-119

Introduced

To amend the Help America Vote Act of 2002 to require the Election Assistance Commission to provide for the conduct of penetration testing as part of the testing and certification of voting systems and to provide for the establishment of an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems.

119th Congress Introduced Nov 25, 2025

Analysis under review: This bill has generated analysis that may be too generic or incomplete. Clause-level evidence remains available below.

Summary

What This Bill Does

This bill strengthens cybersecurity for U.S. voting systems in two ways. First, it requires mandatory penetration testing as part of the Election Assistance Commission's certification process for voting hardware and software. Second, it creates a 5-year pilot program where vetted cybersecurity researchers can test election systems for vulnerabilities, with a structured process for disclosing and patching any issues found.

Who Benefits and How

Cybersecurity firms and penetration testing companies gain new revenue opportunities from mandatory testing contracts and the vulnerability disclosure program. Election integrity benefits from systematic security testing. Researchers participating in the program receive legal safe harbor protections from the Computer Fraud and Abuse Act and DMCA anti-circumvention rules.

Who Bears the Burden and How

Election system vendors must make their systems (including source code) available for testing and must patch critical vulnerabilities when notified. The Election Assistance Commission must set up and administer both the penetration testing accreditation process and the 5-year pilot program. NIST must evaluate and recommend entities for accreditation.

Key Provisions

  • Mandatory penetration testing for all voting system certification, decertification, and recertification
  • 5-year vulnerability disclosure pilot program with vetted researchers and 180-day confidentiality windows
  • Safe harbor for researchers from CFAA and DMCA liability
  • Vendors must patch critical/high vulnerabilities; patches auto-certified if EAC doesn't review within 90 days

Evidence Chain:

This summary is generated from the full bill text using AI analysis. Expand "Detailed Analysis" below for identified beneficiaries/burden bearers with clause-level evidence links.

At a Glance

What This Bill Does

Requires mandatory penetration testing for voting system certification and establishes a 5-year coordinated vulnerability disclosure pilot program for election systems.

Key Policy Areas

Cybersecurity, Elections

Primary Purpose

Requires mandatory penetration testing for voting system certification and establishes a 5-year coordinated vulnerability disclosure pilot program for election systems.

Policy Domains

Cybersecurity Elections

Section 2 - Penetration Testing for Voting System Certification

Identified Gains
  • Cybersecurity firms and penetration testing companies
  • Election integrity
Model: N/A | Version: bill_summary_v2 | Source: ih
Election integrity:
Cybersecurity firms and penetration testing companies:
Identified Costs
  • Election Assistance Commission
  • NIST
  • Election system vendors
Model: N/A | Version: bill_summary_v2 | Source: ih
NIST:
Election system vendors:
Election Assistance Commission:

Section 3 - Vulnerability Disclosure Pilot Program (VDP-E)

Identified Gains
  • Cybersecurity researchers
  • Election security
Model: N/A | Version: bill_summary_v2 | Source: ih
Election security:
Cybersecurity researchers:
Identified Costs
  • Election system vendors
  • Election Assistance Commission
Model: N/A | Version: bill_summary_v2 | Source: ih
Election system vendors:
Election Assistance Commission:

Legislative Progress

Introduced
Introduced Committee Passed
Nov 25, 2025

Mr. Valadao (for himself and Mr. Deluzio) introduced the following …

Stakeholder Effects

cui bono?

How this legislation distributes effects. Mention counts reflect frequency, not effect magnitude.

Technology
6 mentions across 3 clauses
+3 positive -3 negative

Cybersecurity firms and penetration testing companies, Cybersecurity researchers participating in VDP-E, Cybersecurity researchers receiving CFAA and DMCA safe harbor

Positive-direction: Cybersecurity firms and penetration testing companies, Cybersecurity researchers participating in VDP-E, Cybersecurity researchers receiving CFAA and DMCA safe harbor

Negative-direction: Election system vendors required to provide systems and patch vulnerabilities, Election system vendors required to share source code and patch critical vulnerabilities, Election system vendors seeking EAC certification

Government
3 mentions across 3 clauses
+1 positive -2 negative

Election Assistance Commission, Election Assistance Commission administering the program, State and local election officials receiving security patches

Positive-direction: State and local election officials receiving security patches

Negative-direction: Election Assistance Commission, Election Assistance Commission administering the program

3/4
sections analyzed
Full impact breakdown

Bill Structure & Actor Mappings

Who is "The Secretary" in each section?

Domains
Cybersecurity Elections
Actor Mappings
"the_commission"
→ Election Assistance Commission
"the_director_nist"
→ Director of NIST
Domains
Cybersecurity Elections
Actor Mappings
"the_secretary"
→ Secretary of Homeland Security
"the_commission"
→ Election Assistance Commission
"the_director_cisa"
→ Director of CISA

Key Definitions

Terms defined in this bill

5 terms
"cybersecurity vulnerability" §297(e)(1)

Any security vulnerability that affects an election system

"election infrastructure" §297(e)(2)

Storage facilities, polling places, centralized vote tabulation locations, and related ICT including voter registration databases, election management systems, voting machines, and communications systems

"election system" §297(e)(3)

Any information system that is part of election infrastructure

"election system vendor" §297(e)(4)

Any person providing, supporting, or maintaining an election system on behalf of State or local election officials

"Secretary" §297(e)(6)

Secretary of Homeland Security

We use a combination of our own taxonomy and classification in addition to large language models to assess meaning and potential beneficiaries. High confidence means strong textual evidence. Always verify with the original bill text.

Learn more about our methodology