| HOME | SEARCH | ABOUT US | CONTACT US | HELP | ||
 |
 |
|
|
| Montana Administrative Register Notice 44-2-271 | No. 24 12/22/2023 | |
|
||
| Prev | Next | ||
|
BEFORE THE SECRETARY OF STATE OF THE STATE OF MONTANA
TO: All Concerned Persons
1. On January 16, 2024, at 2:00 p.m., the Secretary of State will hold a public hearing in the Secretary of State's Office conference room, Room 260, State Capitol, Helena, Montana, to consider the proposed amendment of the above-stated rules.
2. The Secretary of State will make reasonable accommodations for persons with disabilities who wish to participate in this rulemaking process or need an alternative accessible format of this notice. If you require an accommodation, contact the Secretary of State no later than 5:00 p.m., January 9, 2024, to advise of the nature of the accommodation needed. Please contact Andy Ritter, Secretary of State's Office, P.O. Box 202801, Helena, MT 59620-2801; telephone (406) 444-7911; fax (406) 444-3976; TTY/Montana Relay Service 711; or email Andrew.Ritter@mt.gov.
3. The rules proposed to be amended provide as follows, new matter underlined, deleted matter interlined:
44.3.2901 DEFINITIONS As used in this subchapter, unless the context clearly indicates otherwise, the following definitions apply: (1) and (2) remain the same. (3) "Qualified assessor" means a security professional who, at the time of engagement, is certified and in good standing with at least of one of the following security credentials which require passing an exam covering related security subject matter and possessing the required amount of relevant information security work experience (based on certification requirements in effect on (a) (c) through (h) remain the same.
AUTH: 13-1-205, MCA IMP: 13-1-205, MCA
REASONABLE NECESSITY: The naming of the Certified Authorization Professional credential has changed to Certified in Governance, Risk, and Compliance. The exam and required experience have remained the same. The change to ARM 44.3.2901(3)(a) addresses the name change for the credential.
44.3.2902 ANNUAL SECURITY ASSESSMENTS (1) Election security practices performed at county election offices shall be annually assessed based on controls derived from one of the following frameworks that detail security best practices for mitigating security risks to an organization: (a) through (c) remain the same. (d) the Center for Internet Security's " (2) Assessments shall be performed according to the following schedule: (a) remains the same. (b) during all other years, the security assessments may be performed using a self-assessment conducted through the Nationwide Cybersecurity Review (NCSR) based on requirements as of (3) remains the same. (4) County election administrators shall provide the results of the third-party assessments to the Secretary of State in January of each calendar year. The results provided to the Secretary of State will include a management description detailing the controls assessed and the effectiveness of each control. The management description shall include the name and qualification of the assessor including their security credential's verification, certification, or identification number. (5) remains the same.
AUTH: 13-1-205, MCA IMP: 13-1-205, MCA
REASONABLE NECESSITY: The Center for Internet Security's "A Handbook for Election Infrastructure" has changed its name and online location. The change to ARM 44.3.2902(1)(d) reflects this change. The Center for Internet Security's Election Infrastructure Assessment Tool (EIAT) is no longer available. The change to ARM 44.3.2902(2)(b) removes the tool. The change to ARM 44.3.2902(4) clarifies that the results of the third-party assessments must be provided to the Secretary of State's Office.
44.3.2903 ANNUAL SECURITY AWARENESS TRAINING (1) through (3) remain the same. (4) The county election administrator shall provide the Secretary of State with records of their election staff's completion of the security awareness training in January of each calendar year
AUTH: 13-1-205, MCA IMP: 13-1-205, MCA
REASONABLE NECESSITY: The change to ARM 44.3.2903(4) simplifies the reporting requirements by aligning the timeframes with reporting requirements in ARM 44.3.2902(4) and 13-1-205(1)(b), MCA.
44.3.2904 PHYSICAL SECURITY (1) remains the same. (2) County election administrators shall maintain an inventory (a) County election administrators shall document (b) through (4) remain the same.
AUTH: 13-1-205, MCA IMP: 13-1-205, MCA
REASONABLE NECESSITY: Counties already electronically document inventories of assets in asset management systems. The proposed update to ARM 44.3.2904(2)(a) changes the word "record" to "inventory" for clarity and removes the requirement that inventories must be documented on forms prescribed by the Secretary of State.
44.3.2905 OTHER ELECTION SECURITY REQUIREMENTS (1) remains the same. (2) Workstations, desktops, laptops, or other computing devices used by county election departments and connected to a computer network shall have endpoint detection and response (EDR) tools or behavioral-based anti-virus software installed, operating as recommended by the vendor and updated with the latest signatures or other version as required and supported by the vendor.
AUTH: 13-1-205, MCA IMP: 13-1-205, MCA
REASONABLE NECESSITY: The proposed change incorporates specific anti-virus software into the requirements. Both endpoint detection and response (EDR) tools and behavioral-based anti-virus software provide significant improvements in protection over traditional signature-based anti-virus.
4. With regard to the requirements of 2-4-302(1)(c), MCA, it has been determined that these proposed rule amendments will not have a fiscal impact.
5. Concerned persons may submit their data, views, or arguments either orally or in writing at the hearing. Written data, views, or arguments may also be submitted to: Angela Nunn, Secretary of State's Office, P.O. Box 202801, Helena, Montana 59620-2801, or by e-mailing angela.nunn@mt.gov, and must be received no later than 5:00 p.m., January 19, 2024.
6. Austin James, Secretary of State's Office, has been designated to preside over and conduct the hearing.
7. The Secretary of State maintains a list of interested persons who wish to receive notices of rulemaking actions proposed by this agency. Persons who wish to have their name added to the list may submit their request online at https://sosmt.gov/arm/secretary-of-state-administrative-rules/ or submit a written request which includes the name and contact information of the person who wishes to receive notices. Written requests may be mailed or delivered to the Secretary of State's Office, Administrative Rules Services, 1301 E. 6th Avenue, P.O. Box 202801, Helena, MT 59620-2801, or emailed to sosarm@mt.gov.
8. The bill sponsor contact requirements of 2-4-302, MCA, do not apply.
9. With regard to the requirements of 2-4-111, MCA, the Secretary of State has determined that the amendment of the above-referenced rules will not significantly and directly impact small businesses.
/s/ AUSTIN MARKUS JAMES /s/ CHRISTI JACOBSEN Austin Markus James Christi Jacobsen Rule Reviewer Secretary of State
Dated this 12th day of December, 2023.
|
A directory of state agencies is available online at http://www.mt.gov/govt/agencylisting.asp.
For questions about the organization of the ARM or this web site, contact sosarm@mt.gov.
