The Homeland Security Department must launch a program offering cash rewards for hackable computer vulnerabilities discovered by non-government researchers under a reauthorization bill a Senate committee advanced last week.

The program, known as a bug bounty, would be limited to the department’s public-facing apps, websites and web tools, according to an amendment to the reauthorization bill the Senate Homeland Security Committee forwarded March 7.

The amendment, which was adopted on a voice vote, was sponsored by Sen. Maggie Hassan, D-N.H., who also sponsored a standalone version of the bug bounty bill that the committee passed in October.

Bug bounties are increasingly prevalent among major tech firms, such as Google and Microsoft, but are less common in government. The Pentagon, Army and Air Force have all run pilot bug bounties in recent years, but the civilian government has been more wary of the programs.

The amendment provides $250,000 to carry out the bug bounty program and requires a report to Congress six months later about who participated in the program, what they found and how much Homeland Security paid out for vulnerabilities.

The bug bounty provision was not included in a House version of the reauthorization bill, which passed that chamber in December, though a standalone version of the plan was introduced by Rep. Ted Lieu, D-Calif.

Cyber R&D Back to S&T

A separate amendment to the Senate reauthorization bill would return authority for Homeland Security’s cybersecurity research and development programs to the department’s science and technology division.

The Trump administration shifted that responsibility in its most recent budget proposal to the department’s cyber operations agency.

The move followed complaints that the Science and Technology Directorate’s cyber research was not closely aligned enough with the department’s immediate cybersecurity concerns.

The amendment, offered by Sen. Steve Daines, R-Mont., specifies major focus areas for the department’s cyber research, including cyber defense technologies, advanced encryption tools and ways to monitor systems for insider threats.

CISA’s on a Roll

In general, the Senate version of the reauthorization bill, sponsored by Homeland Security Chairman Ron Johnson, R-Wisc., and ranking member Claire McCaskill, D-Mo., wraps in more priorities, while the House version is more pared back.

A proposal to elevate and rename the department’s main cyber division, for example, was included in the Senate legislation but not in the House where it passed as a standalone bill.

Both the House and Senate versions of that provision would rename the division that’s currently called the National Protection and Programs Directorate, or NPPD, as the Cyber and Infrastructure Security Agency, or CISA.

That agency would have a director who reports directly to the Secretary of Homeland Security and assistant directors for cybersecurity and infrastructure security.

The Senate bill mandates a report from CISA within six months about the most efficient and effective way for the new agency to consolidate its facilities, personnel and programs.

A separate report, due within three months, would focus on how the agency is filling its cyber workforce needs.

The bill also mandates a privacy officer at CISA who’s responsible, among other things, for “ensuring that the use of technologies by the agency sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information.”

If a compromise version of the reauthorization bills becomes law it will mark the first time Homeland Security’s work has been codified in statute since the department was formed in the wake of the Sept. 11 attacks.

Let’s Form a Commission

The Senate version of the reauthorization bill also breaks with its House counterpart by appointing a congressional commission to explore ways to pare back the morass of overlapping congressional committees that Homeland Security agencies must report to.

That complicated oversight structure is largely a result of Homeland Security’s ad hoc composition out of existing divisions and offices moved from other federal agencies.

Johnson championed the idea of a congressional commission early in the reauthorizing process and the idea was largely supported by Republicans and Democrats on the committee.

As described in the Senate bill, the commission would include six members—three Republicans and three Democrats—who would provide recommendations for reforming the department’s congressional reporting lines within nine months.

The commission would be able to hire staff and consultants and hold hearings with funding provided by Homeland Security. That funding could not exceed $1 million, according to the bill.

Commission members would be appointed two each by the Senate majority and minority leaders and one each by the House majority and minority leaders. All recommendations would require a majority vote of commissioners before being included in the final report.

Cloud Security as a Service

The Senate bill also mandates a report within four months on how Homeland Security is helping other civilian agencies ensure the cybersecurity of their computer cloud-based systems.

That report must include a briefing on the department’s efforts to provide “security operations center as a service” to agencies that lack the resources or expertise to manage their own security operations centers, or SOCs. SOCs are essentially central command centers where an organization evaluates and responds to cyber threats.

A group of technology advisers to the White House urged Homeland Security to consider developing such services in a December report.

The report must also focus on how Homeland Security is helping agencies buy commercial SOC services and how it’s adapting its Continuous Diagnostics and Mitigation program—essentially a suite of cybersecurity services the department provides to other agencies—for the cloud era.

Other provisions in the Senate reauthorization bill would: