EAST GREENBUSH, N.Y., Oct. 18, 2019 /PRNewswire/ -- The Center for Internet Security (CIS) recently released the Security Best Practices for Non-Voting Election Technology Guide. This fact sheet highlights some of the key takeaways from the guide, which is designed to assist elections officials with non-voting technology security.
What is it?
The latest guide to be released by CIS® is the CIS Security Best Practices for Non-Voting Election Technology. Non-voting election technology includes electronic pollbooks, electronic ballot delivery, election night reporting, and voter registration portals. These new best practices for securing U.S. election infrastructure are heavily informed by our CIS Benchmarks™ and CIS Controls®.
The release of CIS Security Best Practices for Non-Voting Election Technology rounds out the trilogy of guides that continue to help elections officials.
Earlier this year, CIS unveiled A Guide for Ensuring Security in Election Technology Procurements to help election officials understand and navigate the complex election procurement process.
A Handbook for Elections Infrastructure Security, which CIS released in 2018, provides best practices to help elections officials better understand what to focus on, how to prioritize, and how to parse the enormous amount of guidance available on protecting information technology (IT) systems. The Handbook recommends 88 best practices to secure the overall election infrastructure.
Why did CIS develop these documents?
CIS is recognized as a cybersecurity best practice provider, and is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®). The MS-ISAC is the go-to resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities. The EI-ISAC was established by the Elections Government Sector Coordinating Council to support the cybersecurity needs of the elections subsector. It is an operational threat sharing environment for all voting issues that continually supports SLTT elections officials in their efforts to secure U.S. elections. Through the EI-ISAC, election agencies gain access to an elections-focused cyber defense suite, including sector-specific threat intelligence products, incident response and remediation, threat and vulnerability monitoring, cybersecurity awareness and training products, and tools for implementing security best practices.
Who are these documents intended for?
Elections officials, manufacturers, owners, and operators of elections systems and their associated IT components.
How did CIS create the content of this guide?
CIS created these guides by working with election technology providers, state and local election technologists, and other community stakeholders to create consensus-based best practices. These elections experts decided to create a guide that covers best practices in five areas: networking and architecture, servers and workstations, software applications, data, and administration. The authors created 20 security controls with 160 best practices, including those that help mitigate attacks such as denial of service, ransomware, spear phishing, and exploitation of software vulnerabilities.
Why did CIS develop the second guide focused on Internet-connected election technology?
As follow-on work to A Handbook for Elections Infrastructure Security, this guide focuses on a subsection of the overall election infrastructure to provide more specific guidance on Internet-connected services. Due to their connection to the Internet, these services are the most at-risk components of the election infrastructure. Implementing the recommendations in CIS Security Best Practices for Non-Voting Election Technology can significantly reduce the risk of Internet-connected election technologies being compromised and adversely impacting Election Day operations.