Re: Yeah, Right
The general drift of what is in the material Snowden took and Greenwald, Poitras, and numerous others published is that the NSA, in general, has adhered to the provisions of the laws under which it operates. To be sure, they have operated at and occasionally exceeded those legal limits. And they have requested and sometimes received Attorney General and FISC permission for expansive interpretations of the powers the law grants them. When denied or overruled, however, they appear to have pulled back appropriately. They seem to have had fairly extensive internal controls and audit trails, and reported errors, as required, to the AG and FISC. All of this apparently was known to congressional oversight committee members, or could have been had they bestirred themselves and looked at the classified material the NSA made available to them. The presumption should be that if this bill is enacted, they will follow the law as modified.
In any case, the NSA presumably is one of the non-enumerated "stakeholders" mentioned in 6 USC 148(m) that is the subject of this bill. That section reads:
"(m) Coordinated vulnerability disclosure
The Secretary, in coordination with industry and other stakeholders, may develop and adhere to Department policies and procedures for coordinating vulnerability disclosures."
The bill in process appears to require only a report of certain DHS policies and procedures that may include NSA activities related to software vulnerabilities NSA knows and others do not. At that, it seems to require only one such report where one reasonably would expect it to direct periodic reporting. It also does not require that they release any information about those vulnerabilities, or regulate their use of them beyond limits in place or to be legislated otherwise. So not only can the NSA, based on history, be expected to follow the proposed law, there seems to be no important reason for them, or DHS, not to comply.
As referred to the Senate, the bill seems pretty inconsequential.