Administrative Rules of the State of Montana

BEFORE THE SECRETARY OF STATE

OF THE STATE OF MONTANA

In the matter of the adoption of New Rules I through V pertaining to election security definitions, security assessment requirements, security awareness training requirements, physical security requirements, and additional election security requirements; and the amendment of ARM 44.3.1701 pertaining to definitions related to the examination of voting machines and devices

)

NOTICE OF PUBLIC HEARING ON PROPOSED ADOPTION AND AMENDMENT

TO: All Concerned Persons

1. On April 5, 2022, the Secretary of State submitted MAR Notice No. 44-2-255 to be published on April 15, 2022, on page 507 of the 2022 Montana Administrative Register, Issue Number 7. Due to a court order halting all activity related to HB 530 (2021 Legislature), public notice regarding the notice was not provided. Given the modification to the court order on April 22, 2022, the Secretary of State is resuming the proposed rule activity.

2. On June 3, 2022, at 10:00 a.m., the Secretary of State will hold a public hearing in the Secretary of State's Office conference room, Room 260, State Capitol, Helena, Montana, to consider the proposed adoption and amendment of the above-stated rules.

3. The Secretary of State will make reasonable accommodations for persons with disabilities who wish to participate in this rulemaking process or need an alternative accessible format of this notice. If you require an accommodation, contact the Secretary of State no later than 5:00 p.m., May 27, 2022, to advise us of the nature of the accommodation that you need. Please contact Sue Ames, Secretary of State's Office, P.O. Box 202801, Helena, MT 59620-2801; telephone (406) 444-2807; fax (406) 444-3976; TDD/Montana Relay Service (406) 444-9068; or e-mail sames@mt.gov.

4. The rules proposed to be adopted provide as follows:

NEW RULE I DEFINITIONS As used in this subchapter, unless the context clearly indicates otherwise, the following definitions apply:

(1) "Election security" means the process of implementing and maintaining protective measures that preserve the confidentiality, integrity, and availability of the election process. This includes network and information security as well as physical security.

(2) "Endpoint detection and response tool(s)" or "EDR tool(s)" means a software that continually monitors end-user devices to detect and respond to cyber threats.

(3) "Qualified assessor" means a security professional who, at the time of engagement, is certified and in good standing with at least of one of the following security credentials which require passing an exam covering related security subject matter and possessing the required amount of relevant information security work experience (based on certification requirements in effect on April 15, 2022):

(a) Certified Authorization Professional (CAP). The requirements to obtain a CAP credential can be found at https://www.isc2.org;

(b) Certified Information Security Manager (CISM). The requirements to obtain a CISM credential can be found at https://www.isaca.org;

(c) Certified Information Systems Auditor (CISA). The requirements to obtain a CISA credential can be found at https://www.isaca.org;

(d) Certified Information Systems Security Professional (CISSP). The requirements to obtain a CISSP credential can be found at https://www.isc2.org;

(e) Certified in Risk and Information Systems Control (CRISC). The requirements to obtain a CRISC credential can be found at https://www.isaca.org;

(f) GIAC Critical Controls Certification (GCCC). The requirements to obtain a GCCC credential can be found at https://www.giac.org;

(g) GIAC Security Leadership Certification (GSLC). The requirements to obtain a GSLC credential can be found at https://www.giac.org; or

(h) GIAC Systems and Network Auditor (GSNA). The requirements to obtain a GSNA credential can be found at https://www.giac.org.

AUTH: 13-1-205, MCA

IMP: 13-1-205, MCA

REASONABLE NECESSITY: On May 14, 2021, the Governor of Montana signed into law House Bill (HB) 530. HB 530 required the Secretary of State to adopt rules defining and governing election security.

The Office of the Secretary of State is proposing New Rule I to clarify definitions of terms used within this subchapter in response to the legislative audit recommendation and to fulfill the requirements of the new law. In addition, the definition of "qualified assessor" outlines the required credentials for completing the security assessments to ensure those performing the review have the knowledge and training necessary to adequately complete the assessment.

NEW RULE II ANNUAL SECURITY ASSESSMENTS (1) Election security practices performed at county election offices shall be annually assessed based on controls derived from one of the following frameworks that detail security best practices for mitigating security risks to an organization:

(a) the National Institute of Standards and Technology's "Framework for Improving Critical Infrastructure Cybersecurity," Version 1.1, published April 16, 2018, found at https://www.nist.gov;

(b) the National Institute of Standards and Technology's Special Publication 800-53 Revision 5 titled "Security and Privacy Controls for Information Systems and Organizations," published December 10, 2020, found at https://www.nist.gov;

(c) the Center for Internet Security's "CIS Critical Security Controls," Version 8, published May 2021, found at https://www.cisecurity.org; or

(d) the Center for Internet Security's "A Handbook for Elections Infrastructure," version 1.0, published February 2018, found at https://www.cisecurity.org.

(2) Assessments shall be performed according to the following schedule:

(a) at least once every three years, the security assessment shall be performed by an independent, third-party, and qualified assessor; and

(b) during all other years, the security assessments may be performed using a self-assessment conducted through the Nationwide Cybersecurity Review (NCSR) based on requirements as of April 15, 2022, and found at https://www.cisecurity.org/, or the Election Infrastructure Assessment Tool (EIAT) based on requirements as of April 15, 2022, and found at https://www.cisecurity.org/. These tools detail the security best practices for mitigating security risks to an organization.

(3) County election administrators shall maintain storage of security assessment results according to the local government records retention schedule.

(4) County election administrators shall provide the results of the assessments to the Secretary of State in January of each calendar year. The results provided to the Secretary of State will include a management description detailing the controls assessed and the effectiveness of each control. The management description shall include the name and qualification of the assessor including their security credential's verification, certification, or identification number.

(5) Security assessments are considered confidential information as defined in 2-6-1002(1), MCA. Security assessment results and supporting security information are prohibited from disclosure to the public.

AUTH: 13-1-205, MCA

IMP: 13-1-205, MCA

REASONABLE NECESSITY: On May 14, 2021, the Governor of Montana signed into law House Bill (HB) 530. HB 530 required the Secretary of State to adopt rules defining and governing election security.

The Office of the Secretary of State is proposing New Rule II in response to the legislative audit recommendation and to fulfill the requirements of the new law.

Election infrastructure is considered critical infrastructure with a higher impact and likelihood of security risks. HB 530 required counties to conduct annual security assessments which will identify current threats and risks to their office and identify the effectiveness of their security controls at mitigating those threats and risks. New Rule II provides clarification on the framework that should be used to conduct the security assessments to ensure adequacy and consistency of the reviews. New Rule II also outlines the format of the results to be provided to the Secretary of State.

NEW RULE III ANNUAL SECURITY AWARENESS TRAINING (1) All county and state elections staff shall complete security awareness training at least once per year.

(2) The security awareness training will be provided by the Secretary of State. The Secretary of State may approve equivalent security awareness training on a case-by-case basis.

(3) The county election administrator shall maintain records of their election staff's completion of the security awareness training in accordance with the local government records retention schedule.

(4) The county election administrator shall provide the Secretary of State with records of their election staff's completion of the security awareness training within two weeks after the end of each annual training cycle.

AUTH: 13-1-205, MCA

IMP: 13-1-205, MCA

REASONABLE NECESSITY: On May 14, 2021, the Governor of Montana signed into law House Bill (HB) 530. HB 530 required the Secretary of State to adopt rules defining and governing election security.

The Office of the Secretary of State is proposing New Rule III in response to the legislative audit recommendation and to fulfill the requirements of the new law.

Phishing emails are one of the biggest threats to a county election office. Security awareness training is a measure to mitigate the threat by ensuring election staff can identify phishing emails. New Rule III implements an annual security awareness training requirement and outlines what should be done with those records.

NEW RULE IV PHYSICAL SECURITY (1) Any type of component that is used within a voting system as defined in 13-1-101, MCA, shall be physically secured using tamperproof seals and access control to prevent unauthorized tampering or use.

(2) County election administrators shall maintain a record and a chain of custody for any type of component that is used within a voting system as defined in 13-1-101, MCA, and any keys, cards, fobs, or other controls used to access election-related equipment or storage locations.

(a) County election administrators shall document records and chains of custody on forms prescribed by the Secretary of State and located on the Secretary of State website.

(b) The chain of custody shall be documented every time there is a change in custody of the items or a removal of a tamperproof seal.

(3) For each election, county election administrators shall perform a reconciliation comparing the number of ballots printed to the number of issued, voided, or unissued ballots.

(a) Ballot reconciliations shall be completed prior to the start of the county canvass.

(b) Ballot reconciliations shall be maintained according to applicable federal or local government records retention schedules.

(4) Based on security best practices, it is recommended that the room or other areas where ballots are opened, processed, tabulated, or hand-counted be surveilled during the time that such activities are performed.

(a) Surveillance devices should be positioned to view and record all activities related to opening, processing, and tabulating or hand-counting ballots except that the devices must be positioned so that ballot secrecy is maintained.

(b) The storage of surveillance device footage shall be maintained according to applicable federal or local government records retention schedules.

AUTH: 13-1-205, MCA

IMP: 13-1-205, MCA

REASONABLE NECESSITY: On May 14, 2021, the Governor of Montana signed into law House Bill (HB) 530. HB 530 required the Secretary of State to adopt rules defining and governing election security.

In August 2020, the Montana Legislative Audit Division released the Information Systems Audit related to the "Security and Maintenance of Montana Election Systems." One of the recommendations indicated, "SOS should align the definition of election security within rule with statute and provide further guidance on necessary security measurements." On page 11, the report indicated that SOS should adopt rules clarifying election security measures that "include physical security of voting technology assets, such as tabulators, USB flash drives, and various computers." The audit noted, "This would assist counties in understanding what is necessary for securing voting systems before, during, and after an election."

The Office of the Secretary of State is proposing New Rule IV in response to the legislative audit recommendation and to fulfill the requirements of the new law.

Physical security is a large component of security at a county election office. Voting system components and ballots need to be physically secured to prevent unauthorized access and manipulation. Access control, chain of custody, surveillance, and ballot reconciliations are measures being proposed to mitigate and detect unauthorized access and manipulation.

NEW RULE V OTHER ELECTION SECURITY REQUIREMENTS (1) Any type of component that is used within a voting system as defined in 13-1-101, MCA, shall not be connected to a computer network at any time.

(2) Workstations, desktops, laptops, or other computing devices used by county election departments and connected to a computer network shall have endpoint detection and response (EDR) tools or anti-virus software installed, operating as recommended by the vendor and updated with the latest signatures or other version as required and supported by the vendor.

AUTH: 13-1-205, MCA

IMP: 13-1-205, MCA

REASONABLE NECESSITY: On May 14, 2021, the Governor of Montana signed into law House Bill (HB) 530. HB 530 required the Secretary of State to adopt rules defining and governing election security.

In August 2020, the Montana Legislative Audit Division released the information systems audit related to the "Security and Maintenance of Montana Election Systems." One of the recommendations indicated "SOS should align the definition of election security within rule with statute and provide further guidance on necessary security measurements."

The Office of the Secretary of State is proposing New Rule V in response to the legislative audit recommendation and to fulfill the requirements of the new law.

Endpoint detection and anti-virus software are technical controls to mitigate the high risk of malware and ransomware. Voting systems that are connected to a network increase the threat landscape of election infrastructure to an unnecessary level.

5. The rule proposed to be amended is as follows, stricken matter interlined, new matter underlined:

44.3.1701 EXAMINATION OF VOTING MACHINES AND DEVICES

(1) remains the same.

(2) Unless the context clearly requires otherwise, the following terms shall have the following meanings:

(a) through (c) remain the same.

(d) "Device" means a "voter interface device" as defined in 13-1-101, MCA. ~~an apparatus used for voting by the process of marking of a ballot. Ballots are counted using automatic tabulating equipment.~~

(e) through (g) remain the same.

~~(h) "Marking device" means any approved device for marking a paper ballot with ink or other substance which will enable the ballot to be tabulated by means of automatic tabulating equipment.~~

~~(i)~~ (h) "System" means a "voter interface device" and "voting system" as defined in 13-1-101, MCA. ~~includes a self-contained mechanical voting machine or an electronic voting device and the individual components of each.~~

~~(j)~~ (i) "Voting machine" means a "voting system" as defined in 13-1-101, MCA. ~~mechanical apparatus on which to cast votes.~~

(3) through (7) remain the same.

AUTH: 13-1-202, 13-17-103, 13-17-107, MCA

IMP: 13-1-202, 13-17-101, 13-17-103, MCA

REASONABLE NECESSITY: In August 2020, the Montana Legislative Audit Division released the information systems audit related to the "Security and Maintenance of Montana Election Systems." On page 11 of the report, it was noted that the definition of "voting system" in 13-1-101, MCA, and definitions for voting machines and devices in ARM 44.3.1701 were not consistent.

The proposed changes to ARM 44.3.1701 are responsive to the recommendation.

6. Concerned persons may submit their data, views, or arguments either orally or in writing at the hearing. Written data, views, or arguments may also be submitted to: Angela Nunn, Secretary of State's Office, P.O. Box 202801, Helena, Montana 59620-2801, or by e-mailing angela.nunn@mt.gov, and must be received no later than 5:00 p.m., June 10, 2022.

7. Austin James, Secretary of State's Office, has been designated to preside over and conduct the hearing.

8. The Secretary of State maintains a list of interested persons who wish to receive notices of rulemaking actions proposed by this agency. Persons who wish to have their name added to the list may submit their request online at https://sosmt.gov/arm/secretary-of-state-administrative-rules/ or submit a written request which includes the name and contact information of the person who wishes to receive notices. Written requests may be mailed or delivered to the Secretary of State's Office, Administrative Rules Services, 1301 E. 6th Avenue, P.O. Box 202801, Helena, MT 59620-2801, or emailed to sosarm@mt.gov.

9. With regard to the requirements of 2-4-302(2)(d), MCA, the primary bill sponsor, Representative McKamey, was contacted by email on October 19, 2021, and on January 27, 2022.

10. With regard to the requirements of 2-4-111, MCA, the Secretary of State has determined that the adoption and amendment of the above-referenced rules will not significantly and directly impact small businesses.

/s/ AUSTIN JAMES /s/ CHRISTI JACOBSEN

Austin James Christi Jacobsen

Rule Reviewer Secretary of State

Dated this 3rd day of May, 2022.