H.R. 2980, Cybersecurity Vulnerability Remediation Act

Date: 2021-06-11

As ordered reported by the House Committee on Homeland Security on May 18, 2021

By Fiscal Year, Millions of Dollars            2021    2021-2026    2021-2031
Direct Spending (Outlays)                         0            0            0
Revenues                                          0            0            0
Increase or Decrease (-) in the Deficit           0            0            0
Spending Subject to Appropriation (Outlays)       *           55    not estimated

Statutory pay-as-you-go procedures apply? No
Increases on-budget deficits in any of the four consecutive 10-year periods beginning in 2032? No

Mandate Effects
Contains intergovernmental mandate? No
Contains private-sector mandate? No

* = between zero and $500,000.

H.R. 2980 would authorize the Cybersecurity and Infrastructure Security Agency (CISA) to disseminate information to the public about vulnerabilities in the software and hardware of information systems. The bill would authorize CISA to establish an award program to encourage researchers to disclose such vulnerabilities to the agency. The bill also would require CISA to assess and report to the Congress on the effectiveness of its vulnerability disclosure programs.

CISA is already performing many of the cybersecurity activities that would be authorized by H.R. 2980. The agency manages several programs that provide services and information to help system administrators, software manufacturers, and the general public mitigate cyber vulnerabilities.

To estimate the cost of providing incentive payments to independent researchers, CBO used information about similar programs of other federal agencies. For example, the Department of Defense (DoD) offers payments to individual researchers through its Hack the Pentagon program for each vulnerability identified. Those payments range from $100 to $15,000 based on how critical the potential target is to DoD's operations. Using budget data from those related programs, CBO estimates that making incentive payments to independent researchers for identifying vulnerabilities would cost $11 million each year. CBO expects that CISA would be ready to implement the program beginning in 2022. Thus, CBO estimates that