HB 626 - AS AMENDED BY THE HOUSE

 

13Feb2025... 0217h

2025 SESSION

25-0617

08/02

 

HOUSE BILL 626

 

AN ACT directing the secretary of state to implement a vulnerability disclosure program for certain election systems.

 

SPONSORS: Rep. McFarlane, Graf. 18; Rep. Kuttab, Rock. 17; Rep. Spillane, Rock. 2; Rep. Popovici-Muller, Rock. 17; Sen. Murphy, Dist 16

 

COMMITTEE: Election Law

 

-----------------------------------------------------------------

 

ANALYSIS

 

This bill directs the secretary of state to implement a vulnerability disclosure program for certain election systems and gives the cyber security committee oversight therefor.

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

 

STATE OF NEW HAMPSHIRE

 

In the Year of Our Lord Two Thousand Twenty Five

 

AN ACT directing the secretary of state to implement a vulnerability disclosure program for certain election systems.

 

Be it Enacted by the Senate and House of Representatives in General Court convened:

 

1  Secretary of State; Chief Election Officer; Duty to Investigate System Vulnerabilities.  Amend RSA 652:23 to read as follows:

652:23  Chief Election Officer.

I.  The secretary of state shall be the chief election officer for the state.  The secretary of state shall provide information regarding voter registration procedures and absentee ballot procedures for all voters, including absent uniformed services voters, absent voters temporarily residing outside the United States, and federal ballot only voters domiciled outside the United States.  Instructional and informational materials published by the secretary of state for clerks to provide such voters shall include information on how to communicate electronically with election officials.

II.  Within 180 days of the effective date of this paragraph, the secretary of state shall implement and operate a public vulnerability disclosure program which substantially meets or exceeds the recommendations contained within the publication "Guide to Vulnerability Reporting for America's Election Administrators" published by the Cybersecurity and Infrastructure Security Agency of the United States Department of Homeland Security, to make it easier for security researchers and the general public to report security vulnerabilities appropriately.  The scope of the program shall include at least all of the secretary’s information technology systems which bear on the integrity of the voter registration and election processes, including the centralized voter registration database and the user interfaces used by voters, town clerks, ballot clerks, and supervisors of the checklist relative to elections and voter registration.  The secretary shall work with the cybersecurity advisory committee established in RSA 21-R:16, and such committee shall be responsible for the oversight of the public vulnerability disclosure program.

III.  Upon identification of a security vulnerability, the secretary of state shall have a reasonable period to implement corrective measures before the vulnerability is publicly disclosed.  The secretary shall coordinate with the cybersecurity advisory committee, established in RSA 21-R:16, to assess the nature and severity of the vulnerability and determine an appropriate remediation timeline.  Until the vulnerability is adequately mitigated, disclosure shall be limited to those individuals or entities necessary to facilitate remediation and prevent exploitation.  If the vulnerability remains unresolved beyond the agreed remediation period, the cybersecurity advisory committee shall determine whether disclosure is necessary in the interest of election security.

2  New Paragraph; Cybersecurity Advisory Committee; Duties.  Amend RSA 21-R:16 by inserting after paragraph III the following new paragraph:

IV.  The committee shall oversee the public vulnerability disclosure program operated by the secretary of state pursuant to RSA 652:23, II.  

3  Effective Date.  This act shall take effect upon its passage.