Election Outlook: More about Identification Requirements for Voting  |  What’s on the Ballot?  |  Am I Registered to Vote?  |  Find My Polling Place  |  Election Results  |  Voter Information  |  Voting Issues for Texas Evacuees Due to Natural Disasters  |  Texas Election Security Update  |  2020 Meeting of Presidential Electors
Close this message COVID-19 - As recommended precautions continue to increase for COVID-19, the James E. Rudder Building will be closed to visitors and customers beginning Wednesday, March 18, 2020. The Office of the Secretary of State is committed to continuing to provide services to ensure business and public filings remain available 24/7 through our online business service, SOSDirect or use the new SOSUpload. Thank you in advance for your patience during this difficult time. Information on Testing Sites is now available.

WE WILL BE CLOSED FROM NOON, WEDNESDAY, NOVEMBER 25TH THROUGH THE 27TH IN OBSERVANCE OF THANKSGIVING DAY. HOLIDAY CLOSURE DETAILS

Election Advisory No. 2020-04

To: Election Officials
From: Keith Ingram, Director of Elections
Keith Ingram's signature
Date: January 23, 2020
RE: Election Security Best Practices Guide (HB 1421)

Introduction

To protect elections throughout the state from cyber threats, HB 1421(2019) requires the Texas Secretary of State (SOS) to adopt rules defining classes of protected election data and  establishing best practices for identifying and reducing risk to the electronic use, storage and transmission of election data and the security of election systems. 

In order to comply with the requirements outlined in Chapter 279 of the Texas Election Code, the SOS has prescribed the following guide

Election Security Best Practices Guide (PDF)

The best practices prescribed were developed by reviewing aggregate findings from the Election Security Assessments (ESAs) of county election offices that were conducted as required by HB 1421, reviewing election security documentation published by the Center for Internet Security and the State and Local Election Security Playbook by Belfer Center, the National Institute for Standards and Technology Cybersecurity Framework, and consultation with select election security experts.

This Election Security Best Practices Guide is intended to help Election Authorities, defined as any organization that holds responsibility for conducting elections, by providing guidance on address cyberattack and other disaster risks that the Internet introduces to the election process. Defending elections not only involves protecting voting machines and ballots, but also protecting the functions and technologies that support election processes and manage voter and election result data. While most of the recommendations are directed towards county election offices, these best practices could apply to any entity and individual with a role in conducting elections or managing election-related data before and after elections. 

It is important to note that these guidelines do not apply directly to any specific voting machine and tabulation system equipment manufacturer types, and do not supersede or otherwise replace the various election processes identified in the Texas Election Code, the Texas Administrative Code and Texas Secretary of State Elections Division Advisories.

It is recommended that Election Authorities review this Election Security Best Practices Guide in its entirety with all personnel, Information Technology (IT) teams and other election support teams. The purpose of the review is to determine if current election processes and technology management and use, including items relevant to external vendors and suppliers, follow these cybersecurity best practices. In this way, election authorities can use the guide to identify any security measures that should be put in place.

Organization of Election Security Best Practices Guide

The Election Security Best Practices Guide is broken into two parts. First, we have defined the different classes of election data and provided some general guidelines as to how to develop policies related to securing these data classifications. Second, after defining the classes of election data, we provide the list of best practices. The best practices have been broken into four general categories: (1) Policy and Processes, (2) Election Processes, (3) Network and IT Infrastructure, and (4) Supporting Technology.

Within each category, the Election Security Best Practices Guide separates the recommendations into two levels according to their criticality to help Election Authorities prioritize the implementation of the practices: (1) Priority Best Practices and (2) Standard Best Practices. Priority Best Practices are urgently critical and form the foundation of election cybersecurity. It is recommended that Election Authorities consider it an imperative priority to implement, at a minimum, the Priority Best Practices. After achieving the Priority Best Practices, election officials should then work on implementing the Standard Best Practices which will assist election officials in moving closer to the optimum level of cybersecurity readiness for elections.

This document also includes a summary of the data classifications in Appendix A and a prioritized checklist in Appendix B that presents the best practices in a summarized format to help Election Authorities track the progress of their election security implementation efforts. Additionally, we’ve included a glossary in Appendix C with definitions of the technical terms used throughout the document.

Texas SOS Resources to Help Improve Election Security

To assist election officials in adhering to the best practices provided, the Texas SOS has hired election security trainers to provide election officials with individual guidance on how to meet the best practices prescribed. The trainers can also direct election officials to free and low-cost resources that are available to assist with implementing both priority and standard best practices.

Additionally, we have created a Texas Election Security Toolkit to help Election Authorities secure their elections. The election security trainers can provide access to the toolkit and can guide election officials in completing the templates in a way that meets their county needs and adheres to prescribed best practices. Including this document, the toolkit consists of a total of six guides:

  1. Election Security Best Practices Guide
  2. Election Information Security Policy Template
  3. Election Incident Response Plan Template
  4. Election Continuity of Operations Plan Template
  5. Election System Security Plan Template
  6. Election Vendor Risk Management Policy Template

Within each guide, we reference the best practices to show which are being addressed when completing different portions of the guides.

The election security trainers are available to work individually with a county or to provide regional trainings on the information contained in the Election Security Toolkit as well as on other general election security topics. To contact our election security trainers or to get access to the Texas Election Security Toolkit, please email electionsecurity@sos.texas.gov with your request.

KI:CA