HOME    SEARCH    ABOUT US    CONTACT US    HELP   
           
Rule: 44.3.2902 Prev     Up     Next    
Rule Title: ANNUAL SECURITY ASSESSMENTS
Add to My Favorites
Add to Favorites
Department: SECRETARY OF STATE
Chapter: ELECTIONS
Subchapter: Security
 
Latest version of the adopted rule presented in Administrative Rules of Montana (ARM):
Printer Friendly Version

44.3.2902    ANNUAL SECURITY ASSESSMENTS

(1) Election security practices performed at county election offices shall be annually assessed based on controls derived from one of the following frameworks that detail security best practices for mitigating security risks to an organization: 

(a)  the National Institute of Standards and Technology's "Framework for Improving Critical Infrastructure Cybersecurity," Version 1.1, published April 16, 2018, found at https://www.nist.gov; 

(b)  the National Institute of Standards and Technology's Special Publication 800-53 Revision 5 titled "Security and Privacy Controls for Information Systems and Organizations," published December 10, 2020, found at https://www.nist.gov;

(c)  the Center for Internet Security's "CIS Critical Security Controls," Version 8, published May 2021, found at https://www.cisecurity.org; or

(d)  the Center for Internet Security's "Essential Guide to Election Security," version 1.4.1, published September 29, 2023, found at https://essentialguide.docs.cisecurity.org/.

(2)  Assessments shall be performed according to the following schedule:

(a)  at least once every three years, the security assessment shall be performed by an independent, third-party, and qualified assessor; and

(b)  during all other years, the security assessments may be performed using a self-assessment conducted through the Nationwide Cybersecurity Review (NCSR) based on requirements as of December 1, 2023, and found at https://www.cisecurity.org/.  This tool details the security best practices for mitigating security risks to an organization.

(3) County election administrators shall maintain storage of security assessment results according to the local government records retention schedule.

(4) County election administrators shall provide the results of the third-party assessments to the Secretary of State in January of each calendar year.  The results provided to the Secretary of State will include a management description detailing the controls assessed and the effectiveness of each control. The management description shall include the name and qualification of the assessor including their security credential's verification, certification, or identification number.

(5)  Security assessments are considered confidential information as defined in 2-6-1002(1), MCA.  Security assessment results and supporting security information are prohibited from disclosure to the public. 

 

History: 13-1-205, MCA; IMP, 13-1-205, MCA; NEW, 2022 MAR p. 1089, Eff. 6/25/22; AMD, 2024 MAR p. 285, Eff. 2/10/24.

 

 
MAR Notices Effective From Effective To History Notes
44-2-271 2/10/2024 Current History: 13-1-205, MCA; IMP, 13-1-205, MCA; NEW, 2022 MAR p. 1089, Eff. 6/25/22; AMD, 2024 MAR p. 285, Eff. 2/10/24.
44-2-255 6/25/2022 2/10/2024 History: 13-1-205, MCA; IMP, 13-1-205, MCA; NEW, 2022 MAR p. 1089, Eff. 6/25/22.
Home  |   Search  |   About Us  |   Contact Us  |   Help  |   Disclaimer  |   Privacy & Security
For questions regarding the content, interpretation, or application of a specific rule, please contact the agency that issued the rule.
A directory of state agencies is available online at http://www.mt.gov/govt/agencylisting.asp.

For questions about the organization of the ARM or this web site, contact sosarm@mt.gov.