Security Requirements#

The RABET-V security requirements form the backbone of the RABET-V program. Pulled from several national security standards for non-voting equipment, these 153 discrete security requirements are tailored to the product throughout the RABET-V assessments. Some security requirements apply to all components and product types, and others apply only to certain components or product types, such as web components, hosted components, or on-premises components. All products must meet certain baseline security requirement standards to achieve verified status. Each of the ten overarching requirements is stratified into three maturity levels to ensure a focus on growth throughout the RABET-V process. Accredited assessor organizations use the security requirements directly or indirectly in each of the three main RABET-V activities: the architecture assessment, the organizational assessment, and the product verification.

The following security requirements reference three national security standards for non-voting equipment: CIS Security Best Practices for Non-Voting Election Technology, CIS Controls, and NIST 800-53r5.

1. Authentication Requirements#

1.1 Maturity Level 1#

1.1.1 Requirement: Default passwords are not used or are automatically changed as part of set up#

Details: Before deploying any new asset or instances, change all default passwords to have strong values consistent with policy.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.4.2

  • CIS Controls v8 5.1

  • NIST 800-53r5 AC-2

1.1.2 Requirement: Authentication is applied consistently through the application#

Details: Users are authenticated consistently through the application using an authentication service, with variations for different user types being permitted.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.1.1

  • CIS Controls v8 6.6

  • NIST 800-53r5 CM-8, IA-8(2)

1.1.3 Requirement: Encrypt or hash all authentication credentials#

Details: Ensure that local accounts and accounts with third parties store credentials this way. This limits the impact of a third-party provider breach on the election technology. The encryption or hashing algorithm should be one approved for use by NIST.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.1.4

  • CIS Controls v8 5.1

  • NIST 800-53r5 AC-2

1.1.4 Requirement: Customer administrators have access to an inventory of their user accounts#

Details: Maintain an inventory of all accounts organized by authentication system. Maintain an up-to-date list of accounts for each system and tie each account to an individual person wherever possible. Having this ability in the platform helps organizations manage their users.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.1.6

  • CIS Controls v8 5.3

  • NIST 800-53r5 AC-2(3)

1.1.5 Requirement: Implement protections against brute force attacks#

Details: Account lockout must be implemented to guard against brute-force attacks against both the authentication and the password reset functionality. After several failed attempts on a specific user account, the account should be locked for a period of time, or until it is unlocked by an administrative action or by use of a separate authenticator controlled by the user. Additionally, return the same failure message whether the credentials are incorrect or the account is locked, to prevent an attacker from harvesting usernames.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.2.4

  • NIST 800-53r5 AC-7
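
The lockout behaviour described above, as an added example that is not part of the RABET-V requirements or of any CIS or NIST reference: a small Python login guard that counts failed attempts per account, locks the account for a fixed period (or until an administrator unlocks it), and returns one generic message for every failure, so the response does not distinguish a wrong password from a locked or nonexistent account. The limits, the `LoginGuard` class and the injected `check_password` callable are assumptions of this example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed policy values for this example; a deployment takes them from its own policy.
MAX_FAILURES = 5            # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts without administrator action

# One message for every unsuccessful outcome: wrong password, unknown user, or locked
# account. A distinct "account locked" reply would confirm that the username exists.
GENERIC_FAILURE = "Login failed. Check your credentials or contact an administrator."


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success or unlock
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class LoginGuard:
    # check_password(username, password) -> bool is supplied by the caller; how the
    # stored credential is hashed is a separate requirement and is not shown here.
    check_password: Callable[[str, str], bool]
    clock: Callable[[], float] = time.time   # injectable so the lock timer can be tested
    states: Dict[str, AccountState] = field(default_factory=dict)

    def _state(self, username: str) -> AccountState:
        return self.states.setdefault(username, AccountState())

    def is_locked(self, username: str) -> bool:
        return self._state(username).locked_until > self.clock()

    def attempt(self, username: str, password: str) -> Tuple[bool, str]:
        """Return (success, message). The message is identical for every failure."""
        st = self._state(username)
        if self.is_locked(username):
            # The password is not checked at all while the lock is in force, so further
            # guesses learn nothing and the lock cannot be worked through.
            return False, GENERIC_FAILURE
        if self.check_password(username, password):
            st.failures = 0
            st.locked_until = 0.0
            return True, "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = self.clock() + LOCKOUT_SECONDS
            st.failures = 0
        return False, GENERIC_FAILURE

    def admin_unlock(self, username: str) -> None:
        """Administrative unlock, the alternative to waiting out the timer."""
        st = self._state(username)
        st.locked_until = 0.0
        st.failures = 0
```

The same guard can be instantiated a second time around the password reset flow, with `check_password` replaced by a callable that checks the reset code, since the requirement asks for brute-force protection on both paths. Unknown usernames receive the same message and are counted the same way; the caller should also keep the response time for unknown accounts comparable to that for real ones.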

1.1.6 Requirement: Require multi-factor authentication for all administrative access#

Details: Use multi-factor authentication (MFA) via encrypted channels for all administrative account access. Election technology administrative accounts have tremendous capabilities to do harm if taken over through a social engineering or other attack. Protecting them with MFA is extremely important.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.4.5

  • CIS Controls v8 6.5

  • NIST 800-53r5 IA-2(1)

1.2 Maturity Level 2#

1.2.1 Requirement: Implement a strong password reset system#

Details: The password reset system should use access to email or other known authenticators, such as confirming possession of a hardware token or a mobile device. Email alone should be augmented by security questions. When you do ask questions for password resetting, base them on questions that are hard to guess, hard to brute force, and not available through social media or previous data breaches. Additionally, any password reset option must not reveal whether an account is valid, which prevents username harvesting.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.2.2

  • NIST 800-53r5 IA-5(1)

1.2.2 Requirement: Block commonly used passwords#

Details: When credentials are set up for a new account, those credentials are run against a list of commonly used passwords and password patterns to ensure that users are not choosing passwords that are easily guessable.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.4.4

  • CIS Controls v8 5.2

  • NIST 800-53r5 IA-5(1)
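
A check of the kind described above, as an added example that is not part of the RABET-V requirements or of any CIS or NIST reference: a Python function that tests a candidate password against a blocklist of common passwords after undoing the trivial variations (capitalisation, trailing digits, letter-for-symbol substitutions) that the requirement's "password patterns" refers to, and that also rejects passwords containing the username or consisting of repeated or sequential characters. The blocklist, the minimum length and the normalisation rules are constructed for this example; a real deployment would load a large breached-password list.

```python
import re
from typing import List, Optional, Set

# Constructed blocklist for the example; a deployment loads a large breached-password list.
COMMON_PASSWORDS: Set[str] = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin", "election2024", "iloveyou",
}
MIN_LENGTH = 12   # constructed policy value

PROBLEM_SHORT = "shorter than the minimum length"
PROBLEM_COMMON = "matches a commonly used password or pattern"
PROBLEM_USERNAME = "contains the username"
PROBLEM_SEQUENCE = "repeated or sequential characters"

# Common letter-for-symbol substitutions, undone before the blocklist lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Strip the trivial variations guessers try first: 'P@ssw0rd!2024' -> 'password'."""
    s = candidate.lower()
    s = re.sub(r"[^a-z]+$", "", s)      # trailing digits/punctuation: 'letmein123!' -> 'letmein'
    s = s.translate(LEET)               # 'p@ssw0rd' -> 'password'
    return re.sub(r"[^a-z0-9]", "", s)  # any remaining punctuation


def is_sequence(s: str) -> bool:
    """True for runs like 'aaaa', 'abcd' or 'dcba' (heuristic, whole string only)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({0}, {1}, {-1})


def password_problems(candidate: str, username: Optional[str] = None) -> List[str]:
    """Return every reason the candidate is unacceptable; an empty list means it passes."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(PROBLEM_SHORT)
    if candidate.lower() in COMMON_PASSWORDS or normalize(candidate) in COMMON_PASSWORDS:
        problems.append(PROBLEM_COMMON)
    if username and username.lower() in candidate.lower():
        problems.append(PROBLEM_USERNAME)
    if is_sequence(candidate.lower()):
        problems.append(PROBLEM_SEQUENCE)
    return problems
```

Returning every problem at once, rather than the first one, lets the sign-up page tell the user exactly what to change.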

1.2.3 Requirement: Provide options for multi-factor authentication#

Details: Allow users to protect their accounts with MFA. Allow users to choose the authenticator that works best for them, subject to meeting security requirements. Where possible, allow the issuance of multiple authenticators so that multiple combinations can still meet an MFA requirement and be used in the reissuance of lost or stolen authenticators.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.2.8

  • NIST 800-53r5 IA-2(1)(2)

1.2.4 Requirement: Ensure authentication is centrally managed#

Details: Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems. This makes it easier to ensure all users are being properly authenticated with the appropriate level of scrutiny and can centralize authentication logging as well.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.1.2

  • CIS Controls v8 5.6

  • NIST 800-53r5 IA-2(1)

1.2.5 Requirement: Provide capability to identify unassociated accounts#

Details: Provide the ability for customer admins to identify and disable any account that cannot be associated with a business process or business owner. Try to document relevant business processes and owners to make auditing and maintaining accounts easier.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.1.8

  • CIS Controls v8 5.3

  • NIST 800-53r5 IA-2(3)

1.2.6 Requirement: Require multi-factor authentication#

Details: Require MFA for all user accounts, on all systems, whether managed on-site or by a third-party provider. This is one of the best protections against social engineering attacks.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.1.3

  • CIS Controls v8 6.3

  • NIST 800-53r5 IA-2(1)(2)

1.3 Maturity Level 3#

1.3.1 Requirement: Enable the integration with organization authentication systems#

Details: Enabling customers to integrate their own authentication system, such as OAuth or SAML, with the platform makes it easier for them to manage their users and ensure that users are maintained throughout the user life cycle.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.1.2

  • CIS Controls v8 5.6

  • NIST 800-53r5 IA-2(1)

1.3.2 Requirement: Automatically disable dormant accounts#

Details: Automatically disable dormant accounts after a set period of inactivity. This is especially helpful for critical components of the election technology and assists with the manual account audits that should be done on a periodic basis.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.1.9

  • CIS Controls v8 5.3

  • NIST 800-53r5 IA-2(3)

1.3.3 Requirement: Ensure temporary accounts have an expiration date#

Details: Ensure that all temporary accounts have an expiration date that is monitored and enforced. This best practice should be applied to contractor accounts and accounts that are meant to be temporary, such as election-specific accounts. It is acceptable for service accounts and employee accounts to not have an expiration date. Treat users as temporary whenever there is uncertainty.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.1.10

  • CIS Controls v8 5.3

  • NIST 800-53r5 IA-2(3)
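
An account-lifecycle check that covers requirements 1.2.5 (unassociated accounts), 1.3.2 (dormant accounts) and 1.3.3 (temporary accounts with an expiration date), as an added example that is not part of the RABET-V requirements or of any CIS or NIST reference: a Python review that walks an account inventory, disables expired and dormant accounts automatically, and flags for human review any temporary account without an expiration date and any account without a business owner. The `Account` record, the 90-day dormancy period, the account kinds and the sample inventory are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

DORMANT_AFTER = timedelta(days=90)            # constructed policy value
TEMPORARY_KINDS = {"contractor", "election"}  # kinds that must carry an expiration date
NOW = datetime(2024, 11, 1, tzinfo=timezone.utc)  # constructed "current time" for the sample


@dataclass
class Account:
    username: str
    kind: str                        # "employee", "service", "contractor" or "election"
    owner: Optional[str]             # responsible person or business owner, if known
    created_at: datetime
    last_login: Optional[datetime]   # None if the account has never been used
    expires_at: Optional[datetime]   # None if no expiration has been set
    enabled: bool = True


@dataclass
class Finding:
    username: str
    action: str   # "disable" (automatic) or "review" (needs a human decision)
    reason: str


def review_accounts(accounts: List[Account], now: datetime) -> List[Finding]:
    """Evaluate every enabled account against the lifecycle rules."""
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.expires_at is not None and acct.expires_at <= now:
            findings.append(Finding(acct.username, "disable", "expiration date has passed"))
        last_activity = acct.last_login or acct.created_at   # never used: count from creation
        if now - last_activity >= DORMANT_AFTER:
            findings.append(Finding(acct.username, "disable", "dormant"))
        if acct.kind in TEMPORARY_KINDS and acct.expires_at is None:
            findings.append(Finding(acct.username, "review", "temporary account has no expiration date"))
        if acct.owner is None:
            findings.append(Finding(acct.username, "review", "not associated with a business owner"))
    return findings


def apply_disables(accounts: List[Account], findings: List[Finding]) -> List[str]:
    """Disable the accounts flagged for automatic action; return their usernames."""
    to_disable = {f.username for f in findings if f.action == "disable"}
    disabled: List[str] = []
    for acct in accounts:
        if acct.username in to_disable and acct.enabled:
            acct.enabled = False
            disabled.append(acct.username)
    return disabled


def sample_accounts(now: datetime) -> List[Account]:
    """Constructed inventory for the example."""
    def days_ago(n: int) -> datetime:
        return now - timedelta(days=n)
    return [
        Account("alice", "employee", "alice", days_ago(400), days_ago(1), None),
        Account("bob", "contractor", "pm-jones", days_ago(60), days_ago(10), days_ago(1)),
        Account("carol", "election", None, days_ago(200), days_ago(120), None),
        Account("svc-backup", "service", "ops-team", days_ago(300), days_ago(5), None),
    ]
```

Only the two rules the requirements call automatic (expiry and dormancy) disable accounts on their own; a missing owner or a missing expiration date is surfaced to the customer administrator, who decides whether to disable or document the account.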

1.3.4 Requirement: Provide the ability for customer administrators to revoke access#

Details: Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Employee new hire, termination, promotion, and demotion checklists should include the steps for setting user permissions commensurate with the employee’s job responsibilities, or lack thereof. This should apply to employees and contractors.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.1.7

  • CIS Controls v8 6.2

  • NIST 800-53r5 IA-2(1)

1.3.5 Requirement: Allow password policy customization#

Details: Allow customers to configure and enforce a strong password policy according to best practices. A password policy should be created and implemented so that passwords meet specific strength criteria.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.2.3

  • NIST 800-53r5 IA-5(1)

1.3.6 Requirement: Authentication visibility#

Details: Provide customers with visibility into user logins, including the time of the login, its source IP address, and the browser user agent.

Applies to: All components

References

  • N/A

2. Authorization Requirements#

2.1 Maturity Level 1#

2.1.1 Requirement: Platform provides an authorization system#

Details: The platform provides an authorization system, such as Role Based Access Control (RBAC), that restricts access to sensitive data and functions. Protect all information stored on systems with file system, network share, claims, application, or database-specific access control lists. These controls enforce the principle that only authorized individuals should have access to the information, based on their need to access it as part of their responsibilities.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.2.1

  • CIS Controls v8 3.3

  • NIST 800-53r5 AC-3, AC-5, AC-6, MP-2

2.1.2 Requirement: Applications and middleware should run with minimal privileges#

Details: If an application becomes compromised, it is important that the application itself and any middleware services be configured to run with minimal privileges. For instance, while the application layer or business layer needs the ability to read and write data to the underlying database, administrative credentials that grant access to other databases or tables should not be provided.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.2.7

  • NIST 800-53r5 AC-6, AC-6(8), SA-8(14)

2.1.3 Requirement: Apply the principle of least privilege#

Details: Provide the customer with the ability to make all access decisions based on the principle of least privilege. Based on permission settings, access should be denied when not explicitly allowed. Additionally, after an account is created, rights must be specifically added to that account to grant access to resources. Where defaults are used, the defaults should be the minimal level of permissions.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.4.1

  • NIST 800-53r5 AC-6, AC-6(8), SA-8(14)

2.1.4 Requirement: Use tokens to prevent forged requests#

Details: In order to prevent Cross-Site Request Forgery (CSRF) attacks, you must embed a random value that is not known to third parties into the HTML form. This CSRF protection token must be unique to each request. This prevents a forged CSRF request from being submitted because the attacker does not know the value of the token.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.3.8

  • NIST 800-53r5 AC-6, AC-6(8), SA-8(14)
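
The token mechanism described above, as an added example that is not part of the RABET-V requirements or of any CIS or NIST reference: a Python helper that issues an unpredictable per-request token, stores it in the server-side session, embeds it in the HTML form as a hidden field, and accepts each token exactly once. The `CsrfProtector` class, the dictionary standing in for a session store and the cap on outstanding tokens are assumptions of this example.

```python
import hmac
import html
import secrets
from typing import Dict, List

MAX_OUTSTANDING = 20   # constructed bound so one session cannot accumulate tokens without limit


class CsrfProtector:
    """Per-request, single-use anti-CSRF tokens kept in the server-side session."""

    def __init__(self, session: Dict[str, List[str]]):
        self.session = session   # stands in for the framework's session store
        self.session.setdefault("csrf_tokens", [])

    def issue_token(self) -> str:
        """Generate a fresh unpredictable token and remember it for this session."""
        tokens = self.session["csrf_tokens"]
        if len(tokens) >= MAX_OUTSTANDING:
            tokens.pop(0)   # forget the oldest outstanding token
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        tokens.append(token)
        return token

    def render_form(self, action_url: str, token: str) -> str:
        """Embed the token as a hidden field; a page on another origin cannot read it."""
        return (
            f'<form method="post" action="{html.escape(action_url, quote=True)}">\n'
            f'  <input type="hidden" name="csrf_token" value="{html.escape(token, quote=True)}">\n'
            '  <input type="text" name="precinct">\n'
            '  <button type="submit">Save</button>\n'
            '</form>'
        )

    def validate(self, submitted: str) -> bool:
        """Accept a token once; a replay, a missing value or a guess is rejected."""
        submitted = submitted or ""
        if not submitted.isascii():
            return False   # compare_digest on str requires ASCII; tokens are always ASCII
        tokens = self.session["csrf_tokens"]
        matched = None
        for issued in tokens:
            # compare_digest keeps the comparison time independent of where the strings differ
            if hmac.compare_digest(issued, submitted):
                matched = issued
        if matched is None:
            return False
        tokens.remove(matched)   # single use
        return True


def handle_post(protector: CsrfProtector, form: Dict[str, str]) -> int:
    """Controller: reject the request before any state changes if the token is bad."""
    if not protector.validate(form.get("csrf_token", "")):
        return 403
    # ... apply the requested change here ...
    return 200
```

The token never travels in a cookie, which is what keeps it out of a forged cross-site request: the attacker's page can make the browser send the victim's cookies, but it cannot read the hidden field from a form served by this origin.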

2.2 Maturity Level 2#

2.2.1 Requirement: Apply access controls checks consistently#

Details: Always apply the principle of complete mediation, forcing all requests through a common security gatekeeper. This ensures that access control checks are triggered whether or not the user is authenticated.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.4.2

  • NIST 800-53r5 AC-4

2.2.3 Requirement: Verify object requests#

Details: The product must verify during each request for data that the user has authorization to the data object. This prevents authenticated users from accessing data above or outside of their permission set.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.4.2

  • NIST 800-53r5 AC-4(1)

2.2.4 Requirement: Apply the principle of separation of duties#

Details: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions.

Applies to: All components

References

  • CIS Controls v8 6.8

  • NIST 800-53r5 AC-5

2.3 Maturity Level 3#

2.3.1 Requirement: Do not use direct object references for access control checks#

Details: Do not allow direct references to files or parameters that can be manipulated to grant excessive access. Access control decisions must be based on the authenticated user identity and trusted server-side information.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.4.4

  • NIST 800-53r5 AC-4(1)
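
A single gatekeeper that covers 2.1.3 (default deny), 2.2.1 (complete mediation), 2.2.3 (verifying the object on every request) and 2.3.1 (no trust in client-supplied references), as an added example that is not part of the RABET-V requirements or of any CIS or NIST reference: every data access in this Python sketch passes through `Gatekeeper.authorize()`, which checks the caller's roles against an explicit permission table and then checks the requested record against trusted server-side data (here, the record's jurisdiction) rather than trusting the record id the client sent. An unauthenticated request is represented as a user with no roles, so it is mediated and denied by the same code path. The role table, the `Record` fields and the sample data are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Role -> permitted actions. Anything not listed here is denied (default deny).
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"record:read"}),
    "clerk": frozenset({"record:read", "record:update"}),
    "auditor": frozenset({"record:read", "audit:read"}),
}


@dataclass(frozen=True)
class User:
    username: str
    roles: FrozenSet[str]
    jurisdiction: str


# A request with no valid session is still a User, so it flows through the same
# gatekeeper and is denied by the same rule: no roles, no permissions.
ANONYMOUS = User("anonymous", frozenset(), "")


@dataclass
class Record:
    record_id: int
    jurisdiction: str
    classification: str   # "public" or "sensitive"


class AccessDenied(Exception):
    pass


class Gatekeeper:
    """Single choke point: every data access goes through authorize()."""

    def __init__(self, records: List[Record]):
        self._records = {r.record_id: r for r in records}
        self.audit_log: List[Tuple[str, str, int, str]] = []

    def authorize(self, user: User, action: str, record_id: int) -> Record:
        record = self._records.get(record_id)
        allowed = False
        if record is not None:
            # Role check: does any of the user's roles grant this action?
            role_allows = any(action in ROLE_PERMISSIONS.get(r, frozenset()) for r in user.roles)
            # Object check: the id came from the client, so the decision rests on the
            # record's own jurisdiction (trusted, server-side), never on the id itself.
            object_allows = record.jurisdiction == user.jurisdiction or (
                record.classification == "public" and action == "record:read"
            )
            allowed = role_allows and object_allows
        self.audit_log.append((user.username, action, record_id, "allow" if allowed else "deny"))
        if not allowed:
            # Same error for "no such record" and "not yours": does not confirm valid ids.
            raise AccessDenied(f"{action} on record {record_id} denied")
        return record


def handle_request(gate: Gatekeeper, user: User, action: str, record_id: int) -> Tuple[int, Optional[Record]]:
    """A controller that returns (http_status, record) and never bypasses the gate."""
    try:
        return 200, gate.authorize(user, action, record_id)
    except AccessDenied:
        return 403, None


def sample_records() -> List[Record]:
    """Constructed data for the example."""
    return [
        Record(1, "county-a", "sensitive"),
        Record(2, "county-b", "sensitive"),
        Record(3, "county-b", "public"),
    ]
```

Because the controller has no way to reach a record except through `authorize()`, a new endpoint cannot forget the check; the audit log gives the customer the per-request record that the later monitoring requirements expect.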

2.3.2 Requirement: Enforce access control to data through automated tools#

Details: Use an automated tool, such as host-based data loss prevention, to enforce access controls to data even when the data is copied off a system.

This will help ensure sensitive data that is not properly labeled is still protected from leaving its host system.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.2.9

  • CIS Controls v8 13.3

  • NIST 800-53r5 SI-4, SI-4(4)

2.3.3 Requirement: Restrict the use of shared and group accounts#

Details: There are either no shared or group accounts or access to shared or group accounts is limited to a small number of trusted users.

Applies to: All components

References

  • NIST 800-53r5 AC-2(9)

2.3.4 Requirement: Protection from data mining#

Details: Data mining prevention and detection techniques include limiting the number and frequency of database queries to increase the work factor needed to determine the contents of databases, limiting types of responses provided to database queries, applying differential privacy techniques or homomorphic encryption, and notifying personnel when atypical database queries or accesses occur. Data mining protection focuses on protecting information from data mining while such information resides in organizational data stores.

Applies to: Web components

References

  • NIST 800-53r5 AC-23

3. Boundary Protections Requirements#

3.1 Maturity Level 1#

3.1.1 Requirement: Deny communications with known malicious IP addresses#

Details: Deny communications with known malicious or unused Internet IP addresses. Limit access to trusted and necessary IP address ranges at each of the organization’s application and network boundaries. This can be done using a network firewall at the perimeter of your election network. Preventing access from known malicious IP addresses can be done for all election applications, even public-facing ones. The Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) provides lists of known malicious IP addresses.

Applies to: Hosted components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.1.3

  • CIS Controls v8 9.2

  • NIST 800-53r5 SI-8

3.1.2 Requirement: Deny communication over unauthorized ports#

Details: Deny communication over unauthorized Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports or application traffic to ensure that only authorized protocols are allowed to cross each of the organization’s network boundaries. Election system boundaries should be configured to deny traffic on all ports except ports explicitly needed for legitimate traffic.

Applies to: Hosted components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.1.4

  • CIS Controls v8 4.4, 4.5

  • NIST 800-53r5 CA-9, SC-7, SC-7(5)

3.1.3 Requirement: Deploy network-based IDS sensors#

Details: Deploy network-based intrusion detection system (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization’s network boundaries. The EI-ISAC and the Albert sensors together capture and monitor network traffic of election jurisdictions. Election technology deployed outside of the jurisdictions’ networks should have similar technology deployed and monitored.

Applies to: Hosted components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.1.6

  • CIS Controls v8 13.3

  • NIST 800-53r5 SI-4, SI-4(4)

3.1.4 Requirement: Document traffic configuration rules#

Details: All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need. This is important for production networks that host election solutions. Exceptions are normal but should be few and must be removed when no longer necessary. This is one good reason to keep general purpose workstations in a separate network segment.

Applies to: Hosted components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.3.2

  • CIS Controls v8 4.4, 4.5

  • NIST 800-53r5 CA-9, SC-7, SC-7(5)
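
A boundary policy that combines 3.1.1 (deny known malicious sources), 3.1.2 (deny every port not explicitly allowed) and 3.1.4 (each allow rule documented with a reason, an owner and a duration), as an added example that is not part of the RABET-V requirements or of any CIS or NIST reference. It is a Python model of the rule set rather than a real firewall configuration: the `AllowRule` and `Packet` records, the sample rules, the documentation-range address blocks used as stand-ins for a deny-list feed, and the dates are all constructed for this example. The optional `trusted_ranges` parameter is the allowlist variant that requirement 3.3.6 asks for.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple

TODAY = date(2024, 11, 1)   # constructed "current date" for the sample


@dataclass(frozen=True)
class AllowRule:
    proto: str               # "tcp" or "udp"
    port: int
    business_reason: str     # why this traffic is needed
    owner: str               # individual responsible for the need
    expires: Optional[date]  # None for a standing rule; a date for a temporary exception


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dst_port: int


class BoundaryPolicy:
    """Deny by default; allow only documented, unexpired rules from non-denied sources."""

    def __init__(self, rules: Iterable[AllowRule], deny_ranges: Iterable[str],
                 trusted_ranges: Iterable[str] = ()):
        self.rules = list(rules)
        self.deny_nets = [ipaddress.ip_network(n) for n in deny_ranges]
        self.trusted_nets = [ipaddress.ip_network(n) for n in trusted_ranges]

    def active_rules(self, today: date) -> List[AllowRule]:
        return [r for r in self.rules if r.expires is None or r.expires >= today]

    def expired_rules(self, today: date) -> List[AllowRule]:
        """Rules whose documented need has lapsed and should be removed from the device."""
        return [r for r in self.rules if r.expires is not None and r.expires < today]

    def decide(self, pkt: Packet, today: date) -> Tuple[str, str]:
        """Return ("allow" | "deny", reason) for one inbound packet."""
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in self.deny_nets):
            return "deny", "source on known-malicious list"
        if self.trusted_nets and not any(src in net for net in self.trusted_nets):
            return "deny", "source outside trusted ranges"
        for rule in self.active_rules(today):
            if rule.proto == pkt.proto.lower() and rule.port == pkt.dst_port:
                return "allow", f"rule {rule.proto}/{rule.port} ({rule.owner}: {rule.business_reason})"
        return "deny", "no explicit allow rule for this port"


def sample_policy() -> BoundaryPolicy:
    """Constructed rule set: one standing rule and one expired exception."""
    rules = [
        AllowRule("tcp", 443, "public election website", "web-team lead", None),
        AllowRule("tcp", 22, "vendor maintenance window", "ops on-call", date(2024, 10, 15)),
    ]
    # 198.51.100.0/24 is a documentation range, used here as a stand-in for a deny-list feed.
    return BoundaryPolicy(rules, deny_ranges=["198.51.100.0/24"])
```

Running `expired_rules()` on a schedule gives the rule owner named in 3.1.4 a concrete list of exceptions to remove, and an expired rule stops matching on its own even if nobody acts.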

3.1.5 Requirement: Use MFA for managing network infrastructure#

Details: Manage network infrastructure using multi-factor authentication and encrypted sessions.

Applies to: Hosted components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.3.5

  • CIS Controls v8 12.3

  • NIST 800-53r5 CM-6, CM-7, SC-23

3.1.6 Requirement: Configure perimeter devices to prevent common types of attacks#

Details: Define strict “TCP keepalive” and “maximum connection” settings on all perimeter devices, such as firewalls and proxy servers. This helps prevent SYN flood attacks from succeeding. Another approach is leveraging SYN cookies to prevent TCP SYN floods. A SYN flood is one of the most common forms of DDoS attack observed by the MS-ISAC.

Applies to: Hosted components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.5.4

3.1.7 Requirement: Disable wireless access on devices if it is not required#

Details: Disable wireless access on devices that do not have a business purpose for wireless access. Disable all wireless options on election technology devices that are not authorized to use wireless. Periodically review device settings to ensure wireless options (Wi-Fi, Bluetooth, etc.) remain off.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.6.4

  • CIS Controls v8 4.8

  • NIST 800-53r5 CM-6, CM-7

3.1.8 Requirement: Documentation clearly identifies wireless capabilities#

Details: Product documentation clearly defines any required wireless capability associated with the product along with information regarding the security and management of those wireless capabilities. Identify election technology that uses a wireless connection, and document each access point. For Wi-Fi, this will be a Wi-Fi router and any endpoint devices. For Bluetooth and NFC, this may be multiple devices. The decision to enable wireless technology should be made by the election administrator using a risk-based decision-making process.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.6.1

  • CIS Controls v8 1.1

  • NIST 800-53r5 CM-8, CM-8(1), PM-5

3.1.9 Requirement: Provide dedicated wireless networks#

Details: Create a separate wireless network for each separate use. Access from the wireless network should be treated as untrusted and filtered and audited accordingly. Use of any wireless technology in election technology should be isolated for a very specific purpose, and incoming connections from the wireless network should be handled with care.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.6.10

  • CIS Controls v8 12.2

  • NIST 800-53r5 CM-7, CP-6, CP-7, PL-8, PM-7, SA-6, SC-7

3.1.10 Requirement: Disable wireless peripheral access to devices#

Details: Disable wireless peripheral access of devices (such as Bluetooth and NFC), unless such access is required for a business purpose. Printers and other peripherals often have Bluetooth capabilities.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.6.9

  • CIS Controls v8 4.8

  • NIST 800-53r5 CM-6, CM-7

3.2 Maturity Level 2#

3.2.1 Requirement: Enable firewall logging#

Details: Enable firewall logging of accepted and denied traffic to determine where a DDoS may be originating from. Most election technology must be careful not to block based on IP address unless there is evidence of malicious behavior.

Applies to: Hosted components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.5.3

  • CIS Controls v8 8.2

  • NIST 800-53r5 AU-2, AU-7, AU-12

3.2.2 Requirement: Configure devices to detect and alarm on traffic anomalies#

Details: Configure firewalls and intrusion detection/prevention devices to alarm on traffic anomalies. Establish and regularly validate baseline traffic patterns (volume and type) for public-facing websites. Active and automated monitoring during peak election periods is critical to early detection and mitigation of DDoS attacks.

Applies to: Hosted components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.5.5

  • CIS Controls v8 13.6

  • NIST 800-53r5 SI-4, SI-4(4)
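
The detection side of 3.2.1 (firewall logging to locate where a DDoS originates) and 3.2.2 (alarming when traffic departs from a validated baseline), as an added example that is not part of the RABET-V requirements or of any CIS or NIST reference: a Python script that parses firewall log lines, ranks the sources of denied traffic, buckets events per minute and flags minutes whose volume exceeds a multiple of the baseline. The `key=value` log layout, the sample lines (documentation-range addresses) and the baseline figure are constructed for this example; `LINE_RE` would be adapted to the real device's format.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed log lines in a simple key=value layout; one malformed line is included on purpose.
SAMPLE_LOG = """
2024-11-05T07:00:03Z action=allow src=192.0.2.10 dst_port=443 proto=tcp
2024-11-05T07:00:17Z action=deny src=198.51.100.4 dst_port=23 proto=tcp
2024-11-05T07:00:41Z action=allow src=192.0.2.11 dst_port=443 proto=tcp
this line is not in the expected format and is skipped by the parser
2024-11-05T07:05:00Z action=deny src=203.0.113.10 dst_port=443 proto=tcp
2024-11-05T07:05:01Z action=deny src=203.0.113.10 dst_port=443 proto=tcp
2024-11-05T07:05:02Z action=deny src=203.0.113.10 dst_port=443 proto=tcp
2024-11-05T07:05:03Z action=deny src=203.0.113.10 dst_port=443 proto=tcp
2024-11-05T07:05:04Z action=deny src=203.0.113.10 dst_port=443 proto=tcp
2024-11-05T07:05:05Z action=deny src=203.0.113.10 dst_port=443 proto=tcp
2024-11-05T07:05:06Z action=deny src=203.0.113.10 dst_port=443 proto=tcp
2024-11-05T07:05:07Z action=deny src=203.0.113.10 dst_port=443 proto=tcp
2024-11-05T07:05:09Z action=allow src=192.0.2.12 dst_port=443 proto=tcp
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) action=(?P<action>allow|deny) "
    r"src=(?P<src>[0-9a-fA-F.:]+) dst_port=(?P<port>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """One log line -> field dict, or None when the line does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse every line, silently dropping the ones the regex rejects."""
    return [event for event in map(parse_line, lines) if event is not None]


def top_sources(events: List[Dict[str, str]], action: str = "deny", n: int = 3) -> List[Tuple[str, int]]:
    """Sources generating the most events of the given action, busiest first."""
    return Counter(e["src"] for e in events if e["action"] == action).most_common(n)


def events_per_minute(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Bucket events by minute using the 'YYYY-MM-DDTHH:MM' prefix of the timestamp."""
    return dict(Counter(e["ts"][:16] for e in events))


def anomalous_minutes(per_minute: Dict[str, int], baseline_per_minute: float,
                      factor: float = 3.0) -> List[str]:
    """Minutes whose volume exceeds factor x the validated baseline, in time order."""
    threshold = baseline_per_minute * factor
    return sorted(minute for minute, count in per_minute.items() if count > threshold)
```

The baseline figure is the one 3.2.2 asks the operator to establish and re-validate; the script only reports, in keeping with the caution in 3.2.1 that a source is blocked on evidence of malicious behaviour, not on volume alone.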

3.2.3 Requirement: Limit wireless access on client devices to only authorized wireless networks#

Details: Configure wireless access only on client machines that have an essential wireless business purpose. Allow access only to authorized wireless networks, and restrict access to other wireless networks. All Wi-Fi connected election technology devices must only connect to the authorized wireless access point and no other.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.6.5

  • CIS Controls v8 12.6

  • NIST 800-53r5 AC-18

3.2.4 Requirement: Disable peer-to-peer wireless network capabilities on wireless clients#

Details: Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.6.6

  • CIS Controls v8 12.6

  • NIST 800-53r5 AC-18, SC-23

3.2.5 Requirement: Segment the network based on sensitivity#

Details: Segment the network based on the label or classification level of the information stored on the servers, and locate all sensitive information on separated Virtual Local Area Networks (VLANs). Consider establishing unique networks for each election technology and service offering.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.2.5

  • CIS Controls v8 3.12

  • NIST 800-53r5 SC-7, SC-7(13)

3.2.6 Requirement: Apply upstream port and packet size filtering#

Details: Have upstream network service provider or network appliance apply port and packet size filtering to limit unnecessary traffic to the product’s network infrastructure. Work with upstream providers to filter out as much as possible that is not related to the election service being provided.

Applies to: Hosted components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.5.2

3.3 Maturity Level 3#

3.3.1 Requirement: Deploy network-based intrusion prevention systems#

Details: Deploy network-based intrusion prevention systems (IPS) to block malicious network traffic at each of the organization’s network boundaries. This should be applied to all network-connected election technology. It must be monitored and configured to ensure it does not prevent legitimate traffic.

Applies to: Hosted components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.1.7

  • CIS Controls v8 13.8

  • NIST 800-53r5 SI-4, SI-4(4)

3.3.2 Requirement: Manage all vendor-issued devices remotely accessing sensitive networks#

Details: Scan all vendor-issued devices that remotely log into the organization’s network before they access the network, to ensure that each of the organization’s security policies has been enforced.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.1.12

  • CIS Controls v8 13.5

  • NIST 800-53r5 AC-17, AC-17(1), SC-7, SI-4

3.3.3 Requirement: Manage system’s external removable media’s read/write configurations#

Details: Configure systems not to write data to external removable media, if there is no business need for supporting such devices. This prevents someone with physical access to a system storing sensitive information from extracting that information onto a USB drive.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.1.7

  • NIST 800-53r5 SC-34(1)

3.3.4 Requirement: Limit workstation-to-workstation communication#

Details: When not in use, limit workstation-to-workstation communication using technologies such as private VLANs or micro-segmentation. Whenever possible, workstations should be limited to talking only to servers thereby limiting lateral movement between workstations.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.2.7

  • CIS Controls v8 4.1

  • NIST 800-53r5 CM-1, CM-2, CM-6, CM-7, CM-7(1), CM-9, SA-3, SA-8, SA-10

3.3.5 Requirement: Use wireless authentication protocols that require mutual, multi-factor authentication#

Details: Ensure that wireless networks use authentication protocols, such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), that require mutual, multi-factor authentication. Use of wireless technology in election technology demands that all parties be properly and fully authenticated.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.6.8

  • CIS Controls v8 12.6

  • NIST 800-53r5 AC-18, SC-23

3.3.6 Requirement: Limit access to trusted IP address ranges#

Details: Applying an allowlist of known trusted IP addresses greatly reduces an organization’s attack surface. This can be done using a network firewall at the perimeter of your election network. Preventing access from known malicious IP addresses can be done for all election applications, even public-facing ones. The Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) provides lists of known malicious IP addresses.

Applies to: Hosted components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.1.3

  • CIS Controls v8 9.2

  • NIST 800-53r5 SI-8

4. Data Confidentiality and Integrity Requirements#

4.1 Maturity Level 1#

4.1.1 Requirement: Use valid HTTPS certificates from a reputable certificate authority#

Details: HTTPS certificates should be signed by a reputable certificate authority (CA). The name on the certificate should match the fully qualified domain name (FQDN) of the website. The certificate itself should be valid and not expired.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.1.2

  • NIST 800-53r5 IA-5(2)

4.1.2 Requirement: Encrypt transmittal of username and authentication credentials#

Details: Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. This includes network traffic and data moved using removable media.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.1.5

  • CIS Controls v8 3.10

  • NIST 800-53r5 AC-17(2), IA-5, IA-5(1), SC-8, SC-8(1)

4.1.3 Requirement: Use the Strict-Transport-Security header#

Details: The Strict-Transport-Security header ensures that the browser does not talk to the server over a non-TLS connection. This helps reduce the risk of TLS stripping attacks, such as those implemented by the TLSsniff tool.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.1.10

4.1.4 Requirement: Disable data caching using cache control headers and autocomplete#

Details: Browser data caching should be disabled using the cache control HTTP headers or meta tags within the hypertext markup language (HTML) page. Additionally, sensitive input fields, such as the login form, should have the autocomplete=off setting in the HTML form to instruct the browser not to cache the credentials.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.1.3
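
The two response-side controls in 4.1.3 (Strict-Transport-Security) and 4.1.4 (cache control headers and autocomplete), as an added example that is not part of the RABET-V requirements or of any CIS reference: a Python helper that adds the headers to a response, an audit function that reports which of the two requirements a given response misses, and a login form whose credential fields carry `autocomplete="off"`. The one-year HSTS `max-age`, the header dictionary standing in for a framework response object and the form markup are assumptions of this example; the page's alternative of meta tags inside the HTML is not shown.

```python
import html
import re
from typing import Dict, List

HSTS_MAX_AGE = 31536000   # one year, in seconds; constructed minimum for this example


def secure_response_headers(headers: Dict[str, str], sensitive: bool) -> Dict[str, str]:
    """Return a copy of the response headers with HSTS and, for sensitive pages, no-store caching."""
    out = dict(headers)
    out["Strict-Transport-Security"] = f"max-age={HSTS_MAX_AGE}; includeSubDomains"
    if sensitive:
        out["Cache-Control"] = "no-store, no-cache, must-revalidate"
        out["Pragma"] = "no-cache"   # honoured by HTTP/1.0 caches that ignore Cache-Control
        out["Expires"] = "0"
    return out


def header_findings(headers: Dict[str, str], sensitive: bool) -> List[str]:
    """Audit a response's headers; an empty list means both requirements are met."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    hsts = lower.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if m is None:
        findings.append("Strict-Transport-Security header missing")
    elif int(m.group(1)) < HSTS_MAX_AGE:
        findings.append(f"Strict-Transport-Security max-age below {HSTS_MAX_AGE}")
    if sensitive and "no-store" not in lower.get("cache-control", "").lower():
        findings.append("Cache-Control lacks no-store on a sensitive page")
    return findings


def login_form_html(action_url: str) -> str:
    """Login form whose credential fields tell the browser not to store them."""
    action = html.escape(action_url, quote=True)   # attribute-safe encoding of the URL
    return (
        f'<form method="post" action="{action}" autocomplete="off">\n'
        '  <input type="text" name="username" autocomplete="off">\n'
        '  <input type="password" name="password" autocomplete="off">\n'
        '  <button type="submit">Sign in</button>\n'
        '</form>'
    )
```

`header_findings()` is the kind of check an assessor can run against captured responses from the login page and the post-authentication pages; the HSTS header only takes effect once a browser has received it over a valid HTTPS connection, so the certificate requirement in 4.1.1 is a prerequisite.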

4.1.5 Requirement: Updated TLS configuration on servers#

Details: Weak ciphers must be disabled on all servers. For example, SSL v2, SSL v3, and TLS protocols prior to v1.2 have known weaknesses and are not considered secure. Additionally, disable the NULL, RC4, DES, and MD5 cipher suites. Ensure all key lengths are greater than 128 bits, use secure renegotiation, and disable compression.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.1.5
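
The server-side TLS settings listed above, as an added example that is not part of the RABET-V requirements or of any CIS reference: a Python `ssl.SSLContext` configured the way the requirement describes (nothing below TLS 1.2, compression off, no NULL, RC4, DES or MD5 suites, 256-bit keys on the TLS 1.2 suites), the weak counterpart beside it, and an audit function that reports which of those properties a context fails. The specific cipher list and the finding strings are assumptions of this example; which TLS 1.3 suites appear is decided by the OpenSSL build, since Python does not configure them through `set_ciphers()`.

```python
import ssl
from typing import List, Optional

# Suites the requirement names as weak; "DES" also matches 3DES (DES-CBC3) suites.
WEAK_MARKERS = ("NULL", "RC4", "DES", "MD5")

# TLS 1.2 suites with forward secrecy (ECDHE) and 256-bit keys. TLS 1.3 suites are
# chosen by OpenSSL itself and cannot be set through set_ciphers().
STRONG_CIPHERS = ":".join([
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
])


def hardened_server_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server context meeting the requirement; certificate loading is optional here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rejects SSLv2/3, TLS 1.0 and TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS-level compression off
    ctx.set_ciphers(STRONG_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """The weak counterpart: accepts whatever protocol version the library still supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_findings(ctx: ssl.SSLContext) -> List[str]:
    """Report every way a context falls short; an empty list means it passes."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are accepted")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    for suite in ctx.get_ciphers():
        name = suite["name"].upper()
        # strength_bits is the effective key length reported by OpenSSL for the suite
        if any(marker in name for marker in WEAK_MARKERS) or suite["strength_bits"] < 128:
            findings.append(f"weak cipher suite enabled: {suite['name']}")
    return findings
```

`context_findings()` inspects configuration, not a live server; an assessor would pair it with a scan of the deployed endpoint, since the effective settings also depend on the reverse proxy or load balancer in front of the application.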

4.1.6 Requirement: Use TLS everywhere#

Details: TLS should be used whenever data is transferred over a network. TLS must be applied to any authentication pages as well as all pages after the user is authenticated. If sensitive information (e.g., personal information) can be submitted before authentication, those features must also be sent over TLS.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.1.6

  • CIS Controls v8 3.10

  • NIST 800-53r5 AC-17(2), IA-5, IA-5(1), SC-8, SC-8(1)

4.1.7 Requirement: Disable HTTP access for all TLS-enabled resources#

Details: For all pages requiring protection by TLS, the same URL should not be accessible via the non-TLS channel.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.1.9

4.1.8 Requirement: Do not disclose too much information in error messages#

Details: Messages for authentication errors must be clear and, at the same time, must be written so that sensitive information about the system is not disclosed. For example, an error message that reveals that the user ID is valid but the corresponding password is incorrect confirms to an attacker that the account exists on the system. Instead, provide only a message that indicates that the login failed.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.2.5

4.1.9 Requirement: Display generic error messages#

Details: Error messages should not reveal details about the internal state of the application. For example, file system path and stack information should not be exposed to the user through error messages.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.6.1

4.1.10 Requirement: Store user passwords using a strong, iterative, salted hash#

Details: User passwords must be stored using secure hashing techniques with strong algorithms like PBKDF2, bcrypt, or SHA-512. Simply hashing the password a single time does not sufficiently protect the password. Use adaptive hashing (a work factor) combined with a randomly generated salt for each user to make the hash strong.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.1.8

  • CIS Controls v8 3.11

  • NIST 800-53r5 IA-5(1), SC-28, SC-28(1)
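
A login routine that puts 4.1.8, 4.1.9 and 4.1.10 together, as an added example that is not code from the RABET-V page or program. Passwords are stored with PBKDF2-HMAC-SHA256 over a per-user random salt in a self-describing string (so the work factor can be raised later), and verification uses a constant-time comparison. An unknown user name and a wrong password produce the identical message, and the unknown-user path still runs the hash against a decoy record so the two cases take the same time. Any unexpected exception is logged server-side with a reference ID and the user only sees that ID. The 600,000-iteration work factor, the message texts and the `users` dictionary shape are this example's assumptions.

```python
import hashlib
import hmac
import logging
import os
import secrets
import uuid
from typing import Dict, Tuple

ALGORITHM = "sha256"
ITERATIONS = 600_000     # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16

log = logging.getLogger("auth")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC with a fresh random salt; the string records its own parameters."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        algorithm = scheme.split("_", 1)[1]
        candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except (ValueError, IndexError):
        return False           # malformed record counts as a failed verification


# Hash of a throwaway value, verified for unknown user names so that a missing
# account costs the same time as a wrong password (no user-enumeration oracle).
_DECOY_HASH = hash_password(secrets.token_hex(16))

LOGIN_FAILED = "Login failed. Check your username and password and try again."   # 4.1.8
INTERNAL_ERROR = "The request could not be completed. Reference {ref}."         # 4.1.9


def login(users: Dict[str, str], username: str, password: str) -> Tuple[bool, str]:
    """Return (success, message_for_user); details never leave the server log."""
    try:
        stored = users.get(username, _DECOY_HASH)
        ok = verify_password(password, stored) and username in users
        if not ok:
            log.info("authentication failure for %r", username)   # 7.1.3: logged, not shown
            return False, LOGIN_FAILED
        return True, "Login successful."
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("login error ref=%s", ref)   # stack trace goes to the log only
        return False, INTERNAL_ERROR.format(ref=ref)


if __name__ == "__main__":
    users = {"clerk1": hash_password("correct horse battery staple")}
    print(login(users, "clerk1", "correct horse battery staple"))
    print(login(users, "clerk1", "wrong"))
    print(login(users, "nobody", "wrong"))
```

Note that the `username in users` check runs after `verify_password`, not before it; reordering the two would reintroduce the timing difference the decoy hash is there to remove.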

4.2 Maturity Level 2#

4.2.1 Requirement: Encrypt the hard drive of all vendor-issued devices#

Details: Utilize approved whole disk encryption software to encrypt the hard drive of all devices issued by the vendor. Determine what sensitive information you will permit on employees’ laptops and mobile devices. Ensure the hard drives of laptops and mobile devices are fully encrypted to prevent information from being stolen.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.1.5

  • CIS Controls v8 3.6

  • NIST 800-53r5 SC-28

4.2.2 Requirement: Encrypt data on USB storage devices#

Details: If USB storage devices are required, all data stored on such devices must be encrypted while at rest.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.1.8

  • CIS Controls v8 3.6

  • NIST 800-53r5 SC-28

4.2.3 Requirement: Encrypt all sensitive information in transit#

Details: Encrypt all sensitive information in transit. Consider whether the election data is sensitive with respect to confidentiality. If you are unsure, treat it as sensitive.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.2.3

  • CIS Controls v8 3.10

  • NIST 800-53r5 AC-17(2), IA-5, IA-5(1), SC-8, SC-8(1)

4.2.4 Requirement: Encrypt sensitive information at rest#

Details: Encrypt all sensitive information at rest. Election databases and their backups, for example, should be encrypted to ensure they are protected from manipulation.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.2.4

  • CIS Controls v8 3.11

  • NIST 800-53r5 IA-5(1), SC-28, SC-28(1)

4.2.5 Requirement: Leverage the Advanced Encryption Standard (AES) to encrypt wireless data#

Details: Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit. Wi-Fi, Bluetooth, and NFC all support encrypted communication. Ensure Wi-Fi uses Wi-Fi Protected Access 2 (WPA2) or better.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.6.7

  • CIS Controls v8 3.10

  • NIST 800-53r5 AC-17(2), IA-5, IA-5(1), SC-8, SC-8(1)

4.2.6 Requirement: Limit the use and storage of sensitive data#

Details: Product ensures that sensitive data is not being unnecessarily transported or stored. Where possible, use tokenization to reduce data exposure risks.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.1.1

4.2.7 Requirement: Do not use unvalidated forwards or redirects#

Details: An unvalidated forward can allow an attacker to access private content without authentication. Unvalidated redirects allow an attacker to lure victims into visiting malicious sites. Prevent these from occurring by conducting the appropriate access control checks before sending the user to the given location.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.4.3
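
A redirect validator and an access-checked forward for 4.2.7, as an added example that is not code from the RABET-V page or program. `safe_redirect_target` accepts only same-site paths or absolute `https` URLs to the application's own host, after normalising backslashes the way browsers do and refusing control characters; everything else falls back to a default. `forward_if_allowed` makes the access-control decision before the forward happens. The host list and the forward ACL are constructed for the example.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Hosts this application is served from (assumed for the example).
OWN_HOSTS: Set[str] = {"vote.example.test"}


def safe_redirect_target(target: Optional[str], default: str = "/",
                         own_hosts: Set[str] = OWN_HOSTS) -> str:
    """Return `target` only if it leads back into this application, else `default`."""
    if not target:
        return default
    # Browsers treat a backslash like a slash; normalise first so "/\evil.test"
    # is parsed the way the browser would parse it.
    candidate = target.replace("\\", "/")
    if any(ord(ch) < 0x20 or ch.isspace() for ch in candidate):
        return default                    # no header-injection characters
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative ("//host/...") URL: only https to our own host.
        if parts.scheme != "https" or parts.netloc.lower() not in own_hosts:
            return default
        return candidate
    # Relative reference: must be a single-slash path within the site.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


# Server-side forwards: the target page's required role is checked before
# the forward happens, never after (constructed ACL; unknown pages are denied).
FORWARD_ACL: Dict[str, str] = {"/results/certify": "admin", "/ballots/view": "clerk"}


def forward_if_allowed(user_roles: Set[str], page: str) -> Optional[str]:
    """Return the page to forward to, or None when the caller lacks the required role."""
    required = FORWARD_ACL.get(page)
    if required is None or required not in user_roles:
        return None
    return page
```

The validator is deliberately stricter than it strictly needs to be (a relative path such as `reports/today` is refused); a denied redirect lands on the default page, which costs the user one click, whereas an accepted one costs nothing to recover from only if the check was right.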

4.2.8 Requirement: Follow secure configuration guidance for cloud storage#

Details: Follow guidance from CIS Foundations Benchmarks or other secure configuration guidance to ensure all cloud storage containers with sensitive election data are properly secured. CIS Foundations Benchmarks are available for Amazon Web Services, Microsoft Azure, Google Cloud, and Microsoft Office 365.

Applies to: Hosted components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.3.1

  • CIS Controls v8 4.1

  • NIST 800-53r5 CM-1, CM-2, CM-6, CM-7, CM-7(1), CM-9, SA-3, SA-8, SA-10

4.2.9 Requirement: Use only standardized and extensively reviewed encryption algorithms#

Details: Use only standardized and extensively reviewed encryption algorithms that are validated by trusted third parties, such as NIST. Use standard libraries available from reputable sources instead of developing your own cryptographic solutions.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 3.2.15

  • CIS Controls v8 16.11

  • NIST 800-53r5 SA-15

4.3 Maturity Level 3#

4.3.1 Requirement: Monitor and block unauthorized movement of sensitive data#

Details: Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security personnel. Deploy and configure Data Loss Prevention (DLP) solutions to look for election and voter-related information that should not be leaving your network boundaries.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.1.3

  • CIS Controls v8 3.13

  • NIST 800-53r5 CA-7, CM-12, CM-12(1), SC-4

4.3.2 Requirement: Utilize an active discovery tool to identify sensitive data#

Details: Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider, and update the organization’s sensitive information inventory. This helps an organization find and secure all instances of sensitive election information.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.2.8

  • CIS Controls v8 3.13

  • NIST 800-53r5 CA-7, CM-12, CM-12(1), SC-4

4.3.3 Requirement: Digitally sign sensitive information in transit#

Details: Sensitive data should be digitally signed by its originator and verified by all components which read, store, or process the data. The integrity of election data must be maintained throughout its lifecycle.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.2.2

  • NIST 800-53r5 SC-8(1)
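
The sign-on-origin, verify-on-every-read pattern of 4.3.3, as an added example that is not code from the RABET-V page or program. It wraps a payload with its originator and an integrity tag over a canonical serialisation, and every reading component looks up the originator's key and verifies before touching the payload, rejecting altered data, unknown originators and malformed records. The tag here is an HMAC-SHA256, which only stands in for a digital signature: it needs a key shared between originator and verifier, so for distribution to many components a public-key signature from a vetted library (per 4.2.9) should replace `hmac.new` in both functions. The key and payload are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict


def canonical_bytes(body: Dict[str, Any]) -> bytes:
    """Deterministic serialisation so every component MACs exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode("utf-8")


def sign_record(payload: Any, origin: str, key: bytes) -> Dict[str, Any]:
    """Originator side: wrap the payload with its origin and an integrity tag."""
    body = {"origin": origin, "payload": payload}
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).digest()
    return {**body, "tag": base64.b64encode(tag).decode("ascii")}


def verify_record(record: Dict[str, Any], keys_by_origin: Dict[str, bytes]) -> Any:
    """Reader side: return the payload only if the tag verifies under the originator's key.
    Every component that reads, stores or processes the record calls this first."""
    try:
        origin = record["origin"]
        body = {"origin": origin, "payload": record["payload"]}
        tag = base64.b64decode(record["tag"], validate=True)
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("malformed record") from exc
    key = keys_by_origin.get(origin)
    if key is None:
        raise ValueError(f"unknown originator: {origin!r}")
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record altered or wrong key")
    return record["payload"]


def verification_outcome(record: Dict[str, Any], keys_by_origin: Dict[str, bytes]) -> str:
    """Human-readable result for logging or demonstration."""
    try:
        verify_record(record, keys_by_origin)
        return "accepted"
    except ValueError as exc:
        return f"rejected ({exc})"


if __name__ == "__main__":
    keys = {"tabulator-01": b"constructed-demo-key-not-for-production"}
    rec = sign_record({"precinct": "P1", "votes": 120}, "tabulator-01", keys["tabulator-01"])
    print(verification_outcome(rec, keys))
    print(verification_outcome(dict(rec, payload={"precinct": "P1", "votes": 1200}), keys))
```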

4.3.4 Requirement: Encrypt data stored in cloud storage containers#

Details: Use application encryption with secret keys only known to the data owner(s) to protect confidential data stored in a cloud storage container.

This protects the data even in the event of a data breach of the cloud hosting provider or a misconfiguration of the cloud storage container’s permissions.

Applies to: Hosted components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.3.2

  • CIS Controls v8 3.11

  • NIST 800-53r5 IA-5(1), SC-28, SC-28(1)

4.3.5 Requirement: Use separate storage containers for unique data classifications#

Details: Don’t overload one container with data at various classification levels. Create separate containers with appropriate names and configuration settings for each data classification level. Follow your data classification scheme and establish containers based on sensitivity. Also, don’t mix production and test data.

Applies to: Hosted components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.3.4

  • CIS Controls v8 3.12

  • NIST 800-53r5 SC-4

4.3.6 Requirement: Remove or isolate sensitive data or systems not regularly accessed by the organization#

Details: Remove sensitive data or systems not regularly accessed by the organization from the network. These systems should only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed. In addition, disconnect systems that store or process election data that do not absolutely have to be online. Do not leave USB devices with sensitive information plugged into machines when they are not in use.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.1.2

  • CIS Controls v8 3.5

  • NIST 800-53r5 MP-6

5. System Availability Requirements#

5.1 Maturity Level 1#

5.1.1 Requirement: Ensure regular automated backups#

Details: Ensure that all system data is automatically backed up on a regular basis.

Backups of election data should be done on a nightly basis. There may be applications which need to back up data at even higher frequencies during critical election periods.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.4.1

  • CIS Controls v8 11.2

  • NIST 800-53r5 CP-8, CP-9

5.1.2 Requirement: Backup data should be restorable#

Details: Verify backup data is restorable by performing a data restoration.

This is important to do once per election or more frequently for some systems.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.4.3

  • CIS Controls v8 11.5

  • NIST 800-53r5 CP-4, CP-9(1)

5.1.3 Requirement: Local distributed storage capability#

Details: Ensure data storage components have local failover options in the event of service degradation of the primary component.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.4.3

  • CIS Controls v8 11.4

  • NIST 800-53r5 CP-6

5.1.4 Requirement: Local distributed processing capability#

Details: Ensure application components have local failover options in the event of service degradation of the primary component.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.4.3

  • CIS Controls v8 12.2

  • NIST 800-53r5 CP-7

5.2 Maturity Level 2#

5.2.1 Requirement: Perform complete system backups#

Details: Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. On-premises products must provide this capability. These types of backups should be done prior to each election for each type of election system used. This allows for quick recovery back to the known good version. Maintaining extra units created from these system backups is another good approach.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.4.2

  • CIS Controls v8 11.2

  • NIST 800-53r5 CP-9, CP-10

5.2.2 Requirement: Remote distributed storage capability#

Details: Ensure data storage components have failover options in separate geographic regions in the event of service degradation of the primary component.

This is important to do once per election or more frequently for some systems.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.4.3

  • CIS Controls v8 11.4

  • NIST 800-53r5 CP-6

5.2.3 Requirement: Remote distributed processing capability#

Details: Ensure application components have failover options in separate geographic regions in the event of service degradation of the primary component.

This is important to do once per election or more frequently for some systems.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.4.3

  • CIS Controls v8 12.2

  • NIST 800-53r5 CP-7

5.3 Maturity Level 3#

5.3.1 Requirement: Establish DDoS mitigation services with a third-party DDoS mitigation provider#

Details: Obtain third-party DDoS mitigation services. A number of DDoS protection services have made their offerings available to election jurisdictions. Whether free or at a cost, these services can be very helpful to protect the most critical internet-connected election functions.

Applies to: Hosted components

References

  • CIS Security Best Practices for Non-Voting Election Technology 1.5.6

  • CIS Controls v8 12.2

  • NIST 800-53r5 SC-5, SC-5(1), SC-5(2)

5.3.2 Requirement: Fail in a known state#

Details: When a system fails in a known state, it safeguards the confidentiality, integrity, or availability of data, even in the event of faults in organizational systems or their components. By maintaining system state information, the restart of the system and its return to operational mode can occur with minimal disruption to mission-critical and business processes.

Applies to: All components

References

  • NIST 800-53r5 SC-24

5.3.3 Requirement: No single points of failure#

Details: The system should be designed in a manner that does not contain a single point of failure that could bring down the entire system.

Applies to: All components

References

  • CIS Controls v8 12.2

  • NIST 800-53r5 SA-8

6. Injection Prevention Requirements#

In these requirements, “interpreted” is defined as input that may be treated as data or as code depending on its content.

6.1 Maturity Level 1#

6.1.1 Requirement: Use secure HTTP response headers#

[Public key pins is deprecated. Unclear if replacement is well supported]

Details: To protect against cross-site scripting (XSS) and man-in-the-middle (MITM) attacks, use the Content Security Policy (CSP) and Public-Key-Pins headers.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.3.2

6.1.2 Requirement: Validate uploaded files#

Details: When accepting file uploads from the user, make sure to validate the size of the file, the file type, and the file contents as well as ensure that it is not possible to override the destination path for the file.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.3.6
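
An upload handler covering each of the 6.1.2 checks, as an added example that is not code from the RABET-V page or program. It enforces a size limit, accepts only declared types on a short list, checks the file's magic bytes against that declared type, and strips the client-supplied name down to a checked base name while the destination is a server-generated name that can never carry a path. The size limit, the accepted types and the sample PNG bytes are constructed for the example.

```python
import os
import secrets
import tempfile
from typing import Dict, Tuple

MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # assumed limit
# declared MIME type -> (required extension, magic-number prefix); assumed list
ALLOWED_TYPES: Dict[str, Tuple[str, bytes]] = {
    "image/png": (".png", b"\x89PNG\r\n\x1a\n"),
    "application/pdf": (".pdf", b"%PDF-"),
}


class UploadRejected(ValueError):
    pass


def validate_upload(declared_type: str, client_filename: str, data: bytes) -> str:
    """Check size, declared type and content; return a server-generated file name."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file is empty or exceeds the size limit")
    if declared_type not in ALLOWED_TYPES:
        raise UploadRejected(f"type {declared_type!r} is not accepted")
    extension, magic = ALLOWED_TYPES[declared_type]
    if not data.startswith(magic):
        raise UploadRejected("content does not match the declared type")
    # The client-supplied name is only checked, never used: strip any directory
    # component (both separator styles) and require the extension for the type.
    base_name = os.path.basename(client_filename.replace("\\", "/"))
    if base_name in ("", ".", "..") or not base_name.lower().endswith(extension):
        raise UploadRejected("unexpected file name")
    return secrets.token_hex(16) + extension   # destination chosen by the server


def store_upload(upload_dir: str, declared_type: str, client_filename: str, data: bytes) -> str:
    """Validate, then write under upload_dir only; returns the stored path."""
    safe_name = validate_upload(declared_type, client_filename, data)
    root = os.path.realpath(upload_dir)
    destination = os.path.realpath(os.path.join(root, safe_name))
    if os.path.dirname(destination) != root:      # belt and braces: never leave upload_dir
        raise UploadRejected("destination escaped the upload directory")
    with open(destination, "xb") as fh:           # "x": refuse to overwrite an existing file
        fh.write(data)
    return destination


def demo() -> Dict[str, object]:
    """Constructed inputs against a temporary directory; returns what each attempt produced."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    upload_dir = tempfile.mkdtemp()
    out: Dict[str, object] = {}
    path = store_upload(upload_dir, "image/png", "../../etc/passwd.png", png)
    out["stored_inside_dir"] = os.path.dirname(path) == os.path.realpath(upload_dir)
    out["stored_size"] = os.path.getsize(path)
    attempts = {
        "html_type": ("text/html", "page.html", b"<html>"),
        "fake_png": ("image/png", "x.png", b"<script>"),
        "empty": ("application/pdf", "x.pdf", b""),
    }
    for label, args in attempts.items():
        try:
            store_upload(upload_dir, *args)
            out[label] = "accepted"
        except UploadRejected:
            out[label] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

Magic-byte checks confirm what the file starts with, not that the whole body is well-formed; for formats that will be parsed server-side, run the real parser in a sandboxed step after this gate.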

6.1.3 Requirement: Set the encoding for your application#

Details: For every page in your application, set the encoding using HTTP headers or meta tags within HTML. This ensures that the encoding of the page is always defined and that the browser will not have to determine the encoding on its own. Setting a consistent encoding, like Unicode transformation format 8 bit (UTF-8), for your application reduces the overall risk of issues like XSS.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.3.7

6.1.4 Requirement: Validate all input#

Details: For each user input field, there should be validation on the input content.

Examples of validation include data type validation, length validation, pattern validation, among others.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.3.10

  • CIS Controls v8 16.10

  • NIST 800-53r5 PL-8, SA-8, SI-10, SI-10(6)
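
A field validator of the kind 6.1.4 describes, as an added example that is not code from the RABET-V page or program. Each field carries a rule for data type, range or length, and pattern; the validator returns the typed, cleaned values together with every error found, and flags fields the schema does not know about rather than passing them through. The schema and field names are constructed for the example.

```python
import re
from typing import Any, Dict, List, Tuple

# Per-field rules (constructed for the example): type, bounds, length and pattern.
SCHEMA: Dict[str, Dict[str, Any]] = {
    "voter_id":  {"type": "int", "min": 1, "max": 10**9},
    "last_name": {"type": "str", "max_len": 64, "pattern": r"[A-Za-z][A-Za-z' -]*"},
    "zip":       {"type": "str", "max_len": 10, "pattern": r"\d{5}(-\d{4})?"},
}


def validate(fields: Dict[str, str], schema: Dict[str, Dict[str, Any]] = SCHEMA
             ) -> Tuple[Dict[str, Any], List[str]]:
    """Return (cleaned values, error messages); cleaned is complete only when errors is empty."""
    cleaned: Dict[str, Any] = {}
    errors: List[str] = []
    for name, rule in schema.items():
        raw = fields.get(name, "")
        if raw.strip() == "":
            errors.append(f"{name}: required")
            continue
        if rule["type"] == "int":
            # Type validation: digits only, bounded length, before int() is ever called.
            if not re.fullmatch(r"-?\d{1,18}", raw):
                errors.append(f"{name}: must be an integer")
                continue
            value: Any = int(raw)
            if not rule.get("min", value) <= value <= rule.get("max", value):
                errors.append(f"{name}: out of range")
                continue
        else:
            value = raw
            if len(value) > rule["max_len"]:                     # length validation
                errors.append(f"{name}: longer than {rule['max_len']} characters")
                continue
            if not re.fullmatch(rule["pattern"], value):         # pattern validation (whole value)
                errors.append(f"{name}: invalid format")
                continue
        cleaned[name] = value
    for name in sorted(set(fields) - set(schema)):               # nothing unexpected passes through
        errors.append(f"{name}: unexpected field")
    return cleaned, errors


if __name__ == "__main__":
    print(validate({"voter_id": "12345", "last_name": "O'Neil", "zip": "12345-6789"}))
    print(validate({"voter_id": "abc", "last_name": "x" * 65, "zip": "1234", "debug": "1"}))
```

`re.fullmatch` rather than `re.match` is what makes the pattern rule an allowlist over the whole value; `match` would accept anything that merely starts with a valid prefix.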

6.2 Maturity Level 2#

6.2.1 Requirement: Use parameterized inputs#

Details: Input to an interpreter (e.g., an SQL engine) should be passed using parameterized input, such as a bind variable. If dynamic SQL is constructed within stored procedures, the procedural database code must also use bind variables. For example, dbms_sql (Oracle), EXECUTE IMMEDIATE (Oracle), and execute sp_executesql (SQL Server) allow dynamic SQL to be constructed from within stored procedures or triggers.

Satisfies: Prefer Whitelists Over Blacklists for Input Validation

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.3.9
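
The difference 6.2.1 is about, shown on an in-memory SQLite table, as an added example that is not code from the RABET-V page or program: the concatenated query lets the SQL engine read user input as part of the statement, while the bound versions (positional and named placeholders) hand the value to the engine separately so it can only ever be compared as data. The table and rows are constructed.

```python
import sqlite3
from typing import List


def seed_db() -> sqlite3.Connection:
    """In-memory table with constructed rows (not real voter data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (id INTEGER PRIMARY KEY, last_name TEXT, precinct TEXT)")
    conn.executemany("INSERT INTO voters (last_name, precinct) VALUES (?, ?)",
                     [("Adams", "P1"), ("Baker", "P2"), ("Clark", "P1")])
    return conn


def find_by_name_concatenated(conn: sqlite3.Connection, last_name: str) -> List[str]:
    """The pattern 6.2.1 forbids: user input is spliced into the statement text,
    so the SQL engine interprets it as part of the query."""
    sql = "SELECT last_name FROM voters WHERE last_name = '" + last_name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_bound(conn: sqlite3.Connection, last_name: str) -> List[str]:
    """6.2.1: the value travels as a bind variable and never becomes SQL text."""
    sql = "SELECT last_name FROM voters WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


def find_in_precinct(conn: sqlite3.Connection, precinct: str, limit: int) -> List[str]:
    """Named placeholders bind the same way and read better with several values."""
    sql = ("SELECT last_name FROM voters WHERE precinct = :precinct "
           "ORDER BY last_name LIMIT :limit")
    return [row[0] for row in conn.execute(sql, {"precinct": precinct, "limit": limit})]


if __name__ == "__main__":
    db = seed_db()
    probe = "x' OR '1'='1"        # a value that is valid data but also valid SQL
    print("bound:       ", find_by_name_bound(db, probe))           # []
    print("concatenated:", find_by_name_concatenated(db, probe))    # every row
```

Bind variables cover values; they cannot carry table or column names, which is why identifiers need the allowlist approach of 6.3.2 instead.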

6.2.2 Requirement: Use the X-Frame-Options header#

Details: Use the X-Frame-Options header to prevent content from being loaded by a foreign site in a frame. This mitigates Clickjacking attacks. For older browsers that do not support this header, add frame busting JavaScript code to mitigate Clickjacking (although this method is not foolproof and can be circumvented). The use of frame busting is only required for products that support browsers that do not support X-Frame-Options.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.3.1

6.2.3 Requirement: Use the nosniff header for uploaded content#

Details: When hosting user uploaded content that can be viewed by other users, use the X-Content-Type-Options: nosniff header so that browsers do not try to guess the data type. Sometimes the browser can be tricked into displaying the data type incorrectly (e.g., showing a GIF file as HTML). Always let the server or application determine the data type.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.3.3
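
One middleware that applies the response-header requirements in one place, as an added example that is not code from the RABET-V page or program; it serves 4.1.3 (Strict-Transport-Security), 4.1.4 (cache-control headers and `autocomplete="off"` on the login form), 4.1.7 (plain-HTTP requests are redirected, never answered), 6.1.1 (Content-Security-Policy; the Public-Key-Pins header the page flags as deprecated is omitted), 6.1.3 (an explicit UTF-8 charset on text responses), 6.2.2 (X-Frame-Options) and 6.2.3 (X-Content-Type-Options: nosniff). It is written against the WSGI interface so it runs with any Python web framework; the policy values, the sensitive-path prefixes, the host name and the demo form are this example's assumptions.

```python
from typing import Callable, List, Tuple

# Policy values are assumptions for this example; tune the CSP to the application.
BASE_HEADERS: List[Tuple[str, str]] = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),           # 4.1.3
    ("Content-Security-Policy",
     "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'"),  # 6.1.1
    ("X-Frame-Options", "DENY"),                                                    # 6.2.2
    ("X-Content-Type-Options", "nosniff"),                                          # 6.2.3
]
NO_STORE_HEADERS: List[Tuple[str, str]] = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),                       # 4.1.4
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]
SENSITIVE_PREFIXES = ("/login", "/account", "/admin")   # assumed paths carrying credentials/PII


def secure_headers(app: Callable, sensitive_prefixes=SENSITIVE_PREFIXES) -> Callable:
    """WSGI middleware: force TLS, then stamp every response with the security headers."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO") or "/"
        if environ.get("wsgi.url_scheme") != "https":
            # 4.1.7: the plain-HTTP URL is never served; send the client to the TLS URL.
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
            start_response("301 Moved Permanently",
                           [("Location", f"https://{host}{path}"), ("Content-Length", "0")])
            return [b""]

        def start_with_headers(status, headers, exc_info=None):
            present = {k.lower() for k, _ in headers}
            out = []
            for k, v in headers:
                # 6.1.3: every text response declares its encoding explicitly.
                if k.lower() == "content-type" and v.startswith("text/") and "charset=" not in v.lower():
                    v = v + "; charset=utf-8"
                out.append((k, v))
            out += [(k, v) for k, v in BASE_HEADERS if k.lower() not in present]
            if path.startswith(sensitive_prefixes):
                out += [(k, v) for k, v in NO_STORE_HEADERS if k.lower() not in present]
            return start_response(status, out, exc_info)

        return app(environ, start_with_headers)
    return wrapped


# Constructed login form: autocomplete disabled on the form and on each credential field (4.1.4).
LOGIN_FORM = b"""<!doctype html><html><head><meta charset="utf-8"><title>Sign in</title></head>
<body><form method="post" action="/login" autocomplete="off">
<label>User <input name="username" autocomplete="off"></label>
<label>Password <input name="password" type="password" autocomplete="off"></label>
<button>Sign in</button></form></body></html>"""


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/html")])
    return [LOGIN_FORM]


app = secure_headers(demo_app)


def call(wsgi_app: Callable, path: str, scheme: str = "https"):
    """Drive a WSGI app in-process; returns (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "wsgi.url_scheme": scheme, "HTTP_HOST": "vote.example.test"}
    body = b"".join(wsgi_app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    print(call(app, "/login")[1])
    print(call(app, "/login", scheme="http")[:2])
```

Headers the application itself already set win over the middleware's defaults, so a page that legitimately needs a different CSP can set its own; the redirect deliberately drops the query string, since anything sensitive in it has already crossed the wire in clear text and should not be repeated.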

6.2.4 Requirement: Conduct contextual output encoding#

Details: All output functions must contextually encode data before sending it to the user. Depending on where the output will end up in the HTML page, the output must be encoded differently. For example, data placed in the URL context must be encoded differently from data placed in the JavaScript context within the HTML page.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.3.5
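
The four encoders a page typically needs for 6.2.4, as an added example that is not code from the RABET-V page or program: element text, quoted attribute value, URL query parameter and JavaScript string literal each get their own function, and `render_search_page` shows the same user-supplied value passing through all four. Only the standard library is used; the page template is constructed for the example.

```python
import html
import json
from urllib.parse import quote


def encode_for_html_text(value: str) -> str:
    """Element content: & < > neutralised (quotes are harmless in this context)."""
    return html.escape(value, quote=False)


def encode_for_html_attribute(value: str) -> str:
    """Quoted attribute value: quotes must be escaped too, or the attribute can be closed."""
    return html.escape(value, quote=True)


def encode_for_url_parameter(value: str) -> str:
    """Query-string component: percent-encode everything outside the unreserved set."""
    return quote(value, safe="")


def encode_for_js_string(value: str) -> str:
    """JavaScript string literal inside a <script> block: JSON quoting, plus '</' so the
    value cannot terminate the script element early."""
    return json.dumps(value).replace("</", "<\\/")


def render_search_page(display_name: str, query: str) -> str:
    """Same user data, four contexts, four different encoders."""
    return (
        f"<p>Signed in as {encode_for_html_text(display_name)}</p>\n"
        f'<input name="q" value="{encode_for_html_attribute(query)}">\n'
        f'<a href="/search?q={encode_for_url_parameter(query)}">Search again</a>\n'
        f"<script>var lastQuery = {encode_for_js_string(query)};</script>"
    )


if __name__ == "__main__":
    print(render_search_page("<admin>", '"><img src=x>'))
```

Two contexts the block does not cover deserve a mention: data inside a CSS value and data used as an unquoted attribute value have no safe encoder in the standard library and are best avoided in templates altogether.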

6.3 Maturity Level 3#

6.3.1 Requirement: Deploy web application firewalls (WAFs)#

Details: Protect web applications by deploying WAFs that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 3.2.14

  • CIS Controls v8 13.10

  • NIST 800-53r5 SC-7(8)

6.3.2 Requirement: Use allowlist on interpreted input#

Details: For input that will be interpreted, allowlist acceptable inputs. Only inputs that appear on the allowlist will be accepted.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.3.10

6.3.3 Requirement: Validate the source of input#

Details: The HTTP method used to make a request must be validated. For example, if input is expected from a POST request, do not accept the input variable from a GET request.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.3.4
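
A request handler that combines 6.3.2 and 6.3.3, as an added example that is not code from the RABET-V page or program. The sort column and direction are interpreted input (they become part of an `ORDER BY`, where bind variables cannot be used), so the request token is mapped through an allowlist to a fixed SQL identifier and anything else is refused. Parameters are read only from a POST body; a GET request, or a value arriving in the query string, is rejected before any SQL is built. The WSGI environ builder, table and rows are constructed for the example.

```python
import io
import sqlite3
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Allowlist: request token -> SQL identifier. Anything else is refused (6.3.2).
SORT_COLUMNS = {"name": "last_name", "precinct": "precinct", "id": "id"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_sort_query(sort: str, direction: str) -> str:
    column = SORT_COLUMNS.get(sort)
    order = SORT_DIRECTIONS.get(direction.lower())
    if column is None or order is None:
        raise ValueError("sort parameters are not on the allowlist")
    # Identifiers cannot be bound as parameters, so only the allowlisted
    # token (never the raw request value) reaches the SQL text.
    return f"SELECT id, last_name, precinct FROM voters ORDER BY {column} {order}"


def read_post_fields(environ: dict) -> Dict[str, str]:
    """6.3.3: take input only from a POST body; the query string is ignored entirely."""
    if environ.get("REQUEST_METHOD") != "POST":
        raise PermissionError("this endpoint accepts POST only")
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length).decode("utf-8")
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def make_environ(method: str, body: bytes = b"", query: str = "") -> dict:
    """Minimal WSGI environ for in-process calls (constructed)."""
    return {"REQUEST_METHOD": method, "QUERY_STRING": query,
            "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE voters (id INTEGER PRIMARY KEY, last_name TEXT, precinct TEXT);"
        "INSERT INTO voters (last_name, precinct) VALUES ('Adams','P2'),('Baker','P1'),('Clark','P3');")
    return conn


def handle_sort(conn: sqlite3.Connection, environ: dict) -> List[Tuple]:
    fields = read_post_fields(environ)
    sql = build_sort_query(fields.get("sort", "name"), fields.get("dir", "asc"))
    return conn.execute(sql).fetchall()


def outcome(conn: sqlite3.Connection, environ: dict) -> str:
    """Classify what the handler did with a request (for demonstration)."""
    try:
        rows = handle_sort(conn, environ)
    except PermissionError:
        return "refused: wrong HTTP method"
    except ValueError:
        return "refused: value not on allowlist"
    return "ok: " + ",".join(r[1] for r in rows)


if __name__ == "__main__":
    db = make_db()
    print(outcome(db, make_environ("POST", b"sort=precinct&dir=asc")))
    print(outcome(db, make_environ("GET", query="sort=precinct")))
    print(outcome(db, make_environ("POST", b"sort=id%3B+DROP+TABLE+voters")))
```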

7. Logging/Alerting Requirements#

7.1 Maturity Level 1#

7.1.1 Requirement: Activate audit logging#

Details: Ensure that logging has been enabled on all systems and networking devices. Components of election technology solutions must utilize available logging capabilities to store system activity.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.3.1

  • CIS Controls v8 8.2

  • NIST 800-53r5 AU-2, AU-7, AU-12

7.1.2 Requirement: Ensure adequate storage for logs#

Details: The product must provide a mechanism to maintain the storage of logs over a certain period of time. Election technology components should be designed to store audit logs for multiple significant election events without losing any data. Logs should be retained for a minimum of 180 days with the option to archive logs for longer periods of time.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.3.2

  • CIS Controls v8 8.3

  • NIST 800-53r5 AU-4

7.1.3 Requirement: Log all authentication activities#

Details: Log all authentication activities, whether successful or not.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.6.4

  • CIS Controls v8 8.12

  • NIST 800-53r5 AU-2

7.1.4 Requirement: Log all privilege changes#

Details: Log all activities or occasions where the user’s privilege level escalates.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.6.5

  • CIS Controls v8 8.12

  • NIST 800-53r5 AU-2

7.1.5 Requirement: Do not log inappropriate data#

Details: While logging errors and auditing access is important, sensitive data must never be logged in an unencrypted form. For example, under HIPAA and PCI, it would be a violation to log sensitive data into the log itself unless the log is encrypted on the disk. Additionally, it can create a serious exposure point should the application itself become compromised.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.6.8

7.1.6 Requirement: Store logs securely#

Details: Logs must be stored and maintained appropriately to avoid information loss or tampering by an intruder. Log retention should also follow the retention policy set forth by the organization to meet regulatory requirements and provide enough information for forensic and incident response activities.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.6.9

  • CIS Controls v8 8.10

  • NIST 800-53r5 AU-9, AU-11

7.1.7 Requirement: Log and alert on changes to administrative group membership#

Details: Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges. Changes to election technology administrator accounts must be logged and alerted. Quick notification allows for timely remediation in the event of privilege escalation or other attack.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.4.8

  • CIS Controls v8 8.5

  • NIST 800-53r5 AU-3, AU-3(1), AU-7, AU-12

7.2 Maturity Level 2#

7.2.1 Requirement: Alerting#

Details: Provide a mechanism to alert responsible parties to the occurrence of certain logged events. The method of alerting can vary, but must take the form of a “push” notification.

Applies to: All components

References

  • NIST 800-53r5 AU-5, AU-5(2)

7.2.2 Requirement: Centralize anti-malware logging#

Details: The product must allow all malware detection events to be sent to enterprise anti-malware administration tools and event log servers for analysis and alerting. This assists in the early detection of an incident and ensures the proper security personnel are alerted to malware on the network.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.3.4

  • CIS Controls v8 8.2

  • NIST 800-53r5 AU-2, AU-7, AU-12

7.2.3 Requirement: Enable DNS query logging#

Details: Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains. This is used to detect attempts to reach known malicious sites from within your network. This will help detect malware and prevent it from communicating with its command and control infrastructure.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.3.5

  • CIS Controls v8 8.2

  • NIST 800-53r5 AU-2

7.2.4 Requirement: Enable command-line audit logging#

Details: Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash. A large percentage of malware uses PowerShell and Bash. This logging will assist in the detection of malware and a better understanding of its impact.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.3.6

  • CIS Controls v8 8.8

  • NIST 800-53r5 AU-2

7.2.5 Requirement: Enable detailed logging#

Details: Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. Election technology components, particularly servers and devices with publicly accessible network interfaces, should capture enough detail to fully understand and reconstruct security incidents.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.3.6

  • CIS Controls v8 8.5

  • NIST 800-53r5 AU-3, AU-3(1), AU-7, AU-12
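
An audit logger that satisfies 7.2.5 and 7.1.5 at the same time, as an added example that is not code from the RABET-V page or program. Every record is one JSON line carrying the source, UTC timestamp, level, event, user, source and destination address and a details object, and a `redact` pass runs over every value before serialisation: keys on a sensitive-key list are blanked outright, and free text is scrubbed of `password=...`-style tokens and identifier-shaped numbers. The key list, the regex patterns and the sample event are constructed for the example.

```python
import datetime
import io
import json
import logging
import re
from typing import Any, Dict, Optional

# Keys whose values are never written to a log (assumed list; extend per data inventory).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization", "ssn"}
# Free-text patterns that look like credentials or identifiers (constructed for the example).
FREE_TEXT_PATTERNS = [
    (re.compile(r"(?i)\b(password|passwd|token|secret)=\S+"), r"\1=[REDACTED]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[REDACTED-ID]"),
]


def redact(value: Any) -> Any:
    """Recursively scrub sensitive keys and patterns before anything is serialised."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, str):
        for pattern, replacement in FREE_TEXT_PATTERNS:
            value = pattern.sub(replacement, value)
    return value


class AuditFormatter(logging.Formatter):
    """One JSON object per line carrying the 7.2.5 fields."""
    FIELDS = ("event", "user", "src_ip", "dst_ip", "details")

    def format(self, record: logging.LogRecord) -> str:
        entry = {
            "ts": datetime.datetime.fromtimestamp(record.created, datetime.timezone.utc).isoformat(),
            "source": record.name,
            "level": record.levelname,
            "msg": redact(record.getMessage()),
        }
        for field in self.FIELDS:
            entry[field] = redact(getattr(record, field, None))
        return json.dumps(entry, sort_keys=True)


def make_audit_logger(stream) -> logging.Logger:
    """Logger writing JSON lines to `stream` (a file, socket wrapper or StringIO)."""
    logger = logging.getLogger("election.audit")
    logger.handlers.clear()
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(AuditFormatter())
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    return logger


def log_event(logger: logging.Logger, event: str, user: str, src_ip: str, dst_ip: str,
              details: Optional[Dict[str, Any]] = None, level: int = logging.INFO) -> None:
    logger.log(level, event, extra={"event": event, "user": user, "src_ip": src_ip,
                                    "dst_ip": dst_ip, "details": details or {}})


def demo() -> Dict[str, Any]:
    """Emit one constructed event and return the parsed line that reached the stream."""
    stream = io.StringIO()
    logger = make_audit_logger(stream)
    log_event(logger, "login_failure", "clerk1", "10.0.0.5", "10.0.0.20",
              details={"password": "hunter2", "note": "form also carried ssn 123-45-6789",
                       "reason": "bad credentials"})
    return json.loads(stream.getvalue())


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Redacting in the formatter rather than at each call site means a developer who logs a whole request object by mistake still cannot leak a credential; the pattern list is the weak point and should be reviewed against the organisation's sensitive-data inventory (4.3.2).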

7.2.6 Requirement: Log user activity#

Details: Log relevant user activity: at a minimum, login times and pages/screens viewed. Take care not to log information that would violate voter or ballot privacy. This can greatly assist with understanding the impact of security incidents involving user accounts. This is especially important for administrators.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.6.10

  • CIS Controls v8 8.2

  • NIST 800-53r5 AU-2

7.2.7 Requirement: Log administrative activities#

Details: Log all administrative activities on the application or any of its components.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.6.6

  • CIS Controls v8 8.2

  • NIST 800-53r5 AU-2

7.3 Maturity Level 3#

7.3.1 Requirement: Log and alert on unsuccessful administrative account login#

Details: Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account. This enables election technology administrators to detect attempts to brute force or socially engineer access to administrator accounts.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.4.9

  • CIS Controls v8 8.5

  • NIST 800-53r5 AU-3, AU-3(1), AU-7, AU-12

7.3.2 Requirement: Enforce detailed logging for access or changes to critical or sensitive data#

Details: Enforce detailed audit logging for access to sensitive data or changes to sensitive data using tools such as file integrity monitoring or security information and event monitoring. This can help detect a malicious attempt to alter the integrity of the data. Database level logging can be enabled to track all changes to the database.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 4.2.10

  • CIS Controls v8 3.14

  • NIST 800-53r5 AC-6(9), AU-2, AU-12

7.3.3 Requirement: Monitor attempts to access deactivated accounts#

Details: Monitor attempts to access deactivated accounts through audit logging. This can alert election system administrators to likely malicious behavior.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.1.12

  • CIS Controls v8 8.5

  • NIST 800-53r5 AU-3, AU-3(1), AU-7, AU-12
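
Detection logic for 7.3.1, 7.3.3 and 7.1.7 run over sample log lines, as an added example that is not code from the RABET-V page or program. The rules alert on every failed login to an administrative account, escalate when failures from one source pass a threshold, flag any login attempt against a deactivated account, flag changes to an administrators group, and treat a line that no longer parses as an event in its own right. The account lists, threshold and the JSON sample log are constructed for the example.

```python
import json
from collections import Counter
from typing import Dict, List

ADMIN_ACCOUNTS = {"admin", "ems-admin"}          # assumed administrative account names
DEACTIVATED_ACCOUNTS = {"old-clerk"}             # assumed deactivated accounts
ADMIN_FAILURE_THRESHOLD = 3                      # assumed: failures per (user, source) before escalating

# Constructed sample log, one JSON event per line (not real data); the last line is corrupt.
SAMPLE_LOG = """\
{"ts":"2024-03-05T08:00:01Z","event":"login_success","user":"clerk1","src_ip":"10.0.0.5"}
{"ts":"2024-03-05T08:00:07Z","event":"login_failure","user":"admin","src_ip":"203.0.113.9"}
{"ts":"2024-03-05T08:00:09Z","event":"login_failure","user":"admin","src_ip":"203.0.113.9"}
{"ts":"2024-03-05T08:00:12Z","event":"login_failure","user":"admin","src_ip":"203.0.113.9"}
{"ts":"2024-03-05T08:01:00Z","event":"login_failure","user":"old-clerk","src_ip":"10.0.0.7"}
{"ts":"2024-03-05T08:02:00Z","event":"group_change","user":"admin","target":"clerk1","group":"Administrators","action":"add"}
this line is not JSON
"""


def parse_events(text: str) -> List[dict]:
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            # A line that no longer parses is itself worth a look (7.1.6: loss or tampering).
            events.append({"event": "unparseable", "raw": raw})
    return events


def detect(events: List[dict]) -> List[dict]:
    alerts: List[dict] = []
    admin_failures: Counter = Counter()
    for e in events:
        kind, user, src = e.get("event"), e.get("user"), e.get("src_ip")
        if kind == "login_failure" and user in ADMIN_ACCOUNTS:                       # 7.3.1
            admin_failures[(user, src)] += 1
            alerts.append({"rule": "admin_login_failure", "user": user, "src_ip": src, "ts": e.get("ts")})
        if kind in ("login_success", "login_failure") and user in DEACTIVATED_ACCOUNTS:  # 7.3.3
            alerts.append({"rule": "deactivated_account_access", "user": user, "src_ip": src, "ts": e.get("ts")})
        if kind == "group_change" and e.get("group") == "Administrators":               # 7.1.7
            alerts.append({"rule": "admin_group_change", "actor": user, "target": e.get("target"),
                           "action": e.get("action"), "ts": e.get("ts")})
        if kind == "unparseable":
            alerts.append({"rule": "unparseable_log_line", "raw": e["raw"]})
    for (user, src), count in admin_failures.items():
        if count >= ADMIN_FAILURE_THRESHOLD:
            alerts.append({"rule": "admin_brute_force_suspected", "user": user, "src_ip": src, "count": count})
    return alerts


def alert_counts(text: str = SAMPLE_LOG) -> Dict[str, int]:
    """Run the rules over a log and return how often each fired."""
    return dict(Counter(a["rule"] for a in detect(parse_events(text))))


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The same rules express directly as SIEM correlation searches (7.3.5); keeping a plain-Python copy like this one is useful for replaying an archived log during an incident review when the SIEM index has already aged the events out.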

7.3.4 Requirement: Alert on account login behavior deviation#

Details: Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.

Major commercial systems have the capability to establish an activity baseline based on time of day, IP address, and other data. Where possible, set up alerts to anomalous behavior for early detection of a possible attack.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.1.13

  • CIS Controls v8 8.5

  • NIST 800-53r5 AU-3, AU-3(1), AU-7, AU-12

7.3.5 Requirement: Deploy SIEM or log analytic tools#

Details: Support the use of Security Information and Event Management (SIEM) or log analytics tools for log correlation and analysis.

Timely and accurate detection of potential security events is critical during peak election periods. A SIEM solution can greatly assist with this.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.3.4

  • CIS Controls v8 13.1

  • NIST 800-53r5 AU-6(1), AU-7, IR-4(1), SI-4(2), SI-4(5)

7.3.6 Requirement: Log access to sensitive data#

Details: Log all access to sensitive data. This is particularly important for corporations that have to meet regulatory requirements like Health Insurance Portability and Accountability Act (HIPAA), PCI, or Sarbanes-Oxley Act (SOX).

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.6.7

  • CIS Controls v8 8.5

  • NIST 800-53r5 AU-3, AU-3(1), AU-7, AU-12

7.3.7 Requirement: Central log management#

Details: Logs must be aggregated to a central log management system for analysis and review. Networked election technology solutions must utilize central event logging. Central event logging is extremely beneficial for detecting events and ensuring event logs are properly protected.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.3.5

  • CIS Controls v8 8.9

  • NIST 800-53r5 AU-6(3)

8. Secret Management Requirements#

8.1 Maturity Level 1#

8.1.1 Requirement: Do not hardcode credentials#

Details: Never allow credentials to be stored directly within the application code. While it can be convenient to test the application code with hardcoded credentials during development, this significantly increases risk and should be avoided.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.2.1

  • NIST 800-53r5 IA-5(7)

8.1.2 Requirement: Store credentials securely#

Details: Modern web applications usually consist of multiple layers. The business logic tier often connects to the other tiers, such as a database. Connecting to a database, of course, requires authentication. The authentication credentials, if stored, must be stored in a centralized location that is under strict access control. Scattering credentials throughout the source code is not acceptable. Some development frameworks provide a centralized secure location for storing credentials. These encrypted stores should be leveraged when possible.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.2.6

  • NIST 800-53r5 IA-5(6)
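
A runtime secret loader for 8.1.1 and 8.1.2, as an added example that is not code from the RABET-V page or program. Credentials are resolved from the environment or from a file in a mounted secrets directory at the moment they are needed; there is no default value anywhere, so the code cannot compile with a credential in it, and a secrets file readable by group or others is refused rather than used. The `/run/secrets` path convention, variable names and the temporary directory in `demo` are this example's assumptions.

```python
import os
import stat
import tempfile
from typing import Dict


class SecretUnavailable(RuntimeError):
    """Raised when a credential cannot be obtained; the caller must fail closed."""


def load_secret(name: str, secrets_dir: str = "/run/secrets") -> str:
    """Resolve a credential at runtime: environment first, then a mounted secrets file.
    There is deliberately no default value: a literal fallback would be a hardcoded credential."""
    value = os.environ.get(name)
    if value:
        return value
    path = os.path.join(secrets_dir, name)
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        raise SecretUnavailable(f"{name}: not in environment and {path} is absent") from None
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        # 8.1.2: the store must be under strict access control; a group/world-readable
        # file is rejected rather than silently used.
        raise SecretUnavailable(f"{path}: must not be readable by group or others")
    with open(path, encoding="utf-8") as fh:
        value = fh.read().strip()
    if not value:
        raise SecretUnavailable(f"{path}: empty")
    return value


def database_dsn(prefix: str = "ELECTION_DB", secrets_dir: str = "/run/secrets") -> str:
    """Assemble a connection string from injected secrets; nothing here holds a credential."""
    user = load_secret(f"{prefix}_USER", secrets_dir)
    password = load_secret(f"{prefix}_PASSWORD", secrets_dir)
    host = os.environ.get(f"{prefix}_HOST", "localhost")
    return f"postgresql://{user}:{password}@{host}/election"


def demo() -> Dict[str, str]:
    """Constructed secrets directory exercising each branch; returns what happened."""
    secrets_dir = tempfile.mkdtemp()
    strict = os.path.join(secrets_dir, "DEMO_DB_PASSWORD")
    loose = os.path.join(secrets_dir, "DEMO_API_TOKEN")
    for path, content, mode in ((strict, "from-file\n", 0o600), (loose, "exposed", 0o644)):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)
    os.environ["DEMO_FROM_ENV"] = "from-env"
    result = {"env": load_secret("DEMO_FROM_ENV", secrets_dir),
              "file": load_secret("DEMO_DB_PASSWORD", secrets_dir)}
    for label, name in (("loose_perms", "DEMO_API_TOKEN"), ("missing", "DEMO_NOT_THERE")):
        try:
            load_secret(name, secrets_dir)
            result[label] = "accepted"
        except SecretUnavailable:
            result[label] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

Because the function raises instead of returning an empty string, a missing secret stops the service at startup, which is the behaviour 8.2.3 needs when production values are injected by a deployment pipeline the developers do not control.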

8.1.3 Requirement: Credentials for non-production and production environments are different#

Details: Credentials for non-production environments must be different from production environment credentials and secrets.

Applies to: All components

References

  • CIS Controls v8 5.2

  • NIST 800-53r5 IA-5

8.2 Maturity Level 2#

8.2.1 Requirement: Set up secure key generation processes#

Details: When keys are generated and stored in the product, the product must follow the applicable PKCS standards and must give customers a way to generate those keys securely, so that components can mutually authenticate and provide non-repudiation.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.1.4

  • NIST 800-53r5 SC-12(2), SC-12(3)

8.2.2 Requirement: Securely exchange encryption keys#

Details: If the application exchanges or pre-shares encryption keys, any key establishment or exchange must take place over a channel that is itself authenticated and encrypted. Keys must never be distributed in plaintext, for example by email or in a configuration file committed to source control.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.1.7

  • NIST 800-53r5 SC-12(2), SC-12(3)

8.2.3 Requirement: Developers are not allowed to access production credentials#

Details: Production credentials and secrets should be managed outside of the development team on a need-to-know basis and injected into the application at runtime whenever feasible.

Applies to: All components

References

  • CIS Controls v8 5.2

  • NIST 800-53r5 IA-5

8.3 Maturity Level 3#

8.3.1 Requirement: Use hardware security modules or key management service for keys#

Details: Use a Hardware Security Module (HSM) or Key Management Service (KMS) when using cryptographic keys. An HSM is tamper-evident or tamper-resistant hardware; a KMS is a managed service that is typically backed by HSMs. Both keep private key material from ever being exported in plaintext and provide a controlled, auditable environment for generating, storing and using keys.

Applies to: All components

References

  • NIST 800-53r5 SC-12(2), SC-12(3)

8.3.2 Requirement: Use a FIPS 140-2 validated module#

Details: Use a cryptographic module that meets or exceeds FIPS 140-2 validation (or its successor, FIPS 140-3), operating in FIPS mode, for performing cryptographic operations. Only the cryptographic software needs to be FIPS-validated, not the specific hardware. Note that a validated module only satisfies this requirement when it is run in its approved mode of operation; calling non-approved algorithms from an otherwise validated library does not count.

Applies to: All components

References

  • NIST Voluntary Voting System Guideline Requirements Version 2.0 (Draft) 13.3-A

  • NIST 800-53r5 SC-12(2), SC-12(3)

9. System Integrity Requirements#

9.1 Maturity Level 1#

9.1.2 Requirement: Ensure anti-malware software and signatures are updated#

Details: For systems that support the use of anti-malware software, the product must allow an administrator to perform updates to its scanning engine and signature database. Ensure that all anti-malware instances are receiving signature updates. This requires periodic review of devices within the election technology system.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.3.2

  • CIS Controls v8 10.2

  • NIST 800-53r5 SI-3

9.1.3 Requirement: Configure devices to not auto-run content#

Details: Configure devices to not auto-run executable code from removable media. This helps ensure an attacker cannot insert a malicious device and have code execute from it without first obtaining user credentials.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.5.3

  • CIS Controls v8 10.3

  • NIST 800-53r5 MP-7

9.1.4 Requirement: Use port protectors on unused ports#

Details: Cover all unused communication ports (e.g. USB, Thunderbolt, HDMI, etc.) on endpoint devices with locks or tamper-evident port protectors to ensure unauthorized devices are not inserted into the device. This must be done prior to delivery to the customer.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.5.6

  • NIST 800-53r5 CM-7

9.1.5 Requirement: Configure anti-malware scanning of removable devices#

Details: Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected. Use of USB devices is very common in election systems. Therefore, it is critical that all external devices be scanned for malware prior to use.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.5.5

  • CIS Controls v8 10.4

  • NIST 800-53r5 MP-7, SI-3

9.2 Maturity Level 2#

9.2.1 Requirement: Deploy operating system patches#

Details: Ensure operating systems are running the latest security updates provided by the software vendor. Latest refers to all updates which were available prior to the internal product testing of the product.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.2.4

  • CIS Controls v8 7.3

  • NIST 800-53r5 RA-5, RA-7, SI-2, SI-2(2)

9.2.2 Requirement: Deploy software patches#

Details: Ensure that third-party software on all systems is running the latest security updates provided by the software vendor. Latest refers to all updates which were available prior to the internal product testing of the product.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.2.5

  • CIS Controls v8 7.4

  • NIST 800-53r5 RA-5, RA-7, SI-2, SI-2(2)

9.2.3 Requirement: Utilize centrally managed anti-malware software#

Details: Utilize centrally managed anti-malware software to continuously monitor and defend workstations and servers. All endpoints in an election technology solution must use properly installed and constantly running anti-malware software. Central management allows administrators to enforce this rule.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.3.1

  • CIS Controls v8 10.6

  • NIST 800-53r5 SI-3

9.2.4 Requirement: Limit access to scripting tools#

Details: Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities. Election technology may make use of these technologies, but access to them should be limited to only the most trusted and protected accounts.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.4.7

  • CIS Controls v8 2.7

  • NIST 800-53r5 CM-7, CM-7(1), SI-7, SI-7(1)

9.2.5 Requirement: Use standard hardening configuration templates for databases#

Details: For applications that rely on a database, use standard hardening configuration templates. CIS Benchmarks are available for various database offerings such as MySQL, SQL Server, and PostgreSQL. Guidance for cloud-based databases is also available.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 3.2.16

  • CIS Controls v8 16.7

  • NIST 800-53r5 CM-6, CM-7

9.2.6 Requirement: Establish secure configurations#

Details: Maintain documented, standard security configurations for all authorized operating systems and software, such as the CIS Benchmarks. Using a vetted configuration standard, identify each component of the election technology and the secure configuration standard to apply to it.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.1.1

  • CIS Controls v8 4.1

  • NIST 800-53r5 CM-1, CM-2, CM-6, CM-7, CM-7(1), CM-9, SA-3, SA-8, SA-10

9.3 Maturity Level 3#

9.3.1 Requirement: Implement automated configuration monitoring systems#

Details: Utilize a Security Content Automation Protocol (SCAP) compliant or equivalent configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur. This prevents accidental misconfiguration and allows registered technology providers (RTPs) to prove that the component has been properly and securely configured.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.1.4

  • CIS Controls v8 16.7

  • NIST 800-53r5 CM-6

9.3.2 Requirement: Deploy system configuration management tools#

Details: Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals. Where possible, each component should be inspected and updated with the latest known good secure configuration prior to use in any election.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.1.5

  • CIS Controls v8 4.1

  • NIST 800-53r5 CM-9, SA-10

9.3.3 Requirement: Enable operating system anti-exploitation features and deploy anti-exploit technologies#

Details: Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system, or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables. This applies to servers and other sensitive endpoints.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.3.3

  • CIS Controls v8 10.5

  • NIST 800-53r5 SI-16

9.3.4 Requirement: Disable access to USB devices where possible#

Details: Disable the use of USB and Thunderbolt devices on a system. This removes the risk of removable-media attacks over those interfaces. This may not be feasible for all components, but it should be feasible for servers and other devices that do not rely on USB-connected peripherals.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.5.7

9.3.5 Requirement: Use USB Write Blockers to transfer data into sensitive systems#

Details: Use USB write blockers so that a high-integrity system can read the contents of USB media while every write command to that media is blocked. This protects the integrity of the media and the data on it, and, combined with the removable-media scanning in 9.1.5, reduces the risk of a malicious payload moving between systems. These devices should be used when transferring data into the voting system or the voter registration system using removable USB media.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 2.5.8

9.3.6 Requirement: Deny application execution by default#

Details: Implement default-deny technologies (such as AppLocker) to only permit applications on an allow-list to execute on the product. An allow-list of acceptable applications should be established by the vendor based on the use-cases of the application.

Applies to: All components

References

  • CIS Controls v8 2.5

  • NIST 800-53r5 CM-7(5), CM-10

10. User Session Management Requirements#

10.1 Maturity Level 1#

10.1.2 Requirement: Place a logout button on every page#

Details: Place the logout button or logout link in an easily accessible place for every authenticated page.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.5.3

10.2 Maturity Level 2#

10.2.1 Requirement: Regenerate session tokens#

Details: Regenerate the session token when the user authenticates to the application, so that an identifier chosen or observed by an attacker before login (session fixation) never becomes an authenticated session. Additionally, the session token must be regenerated if the encryption status of the connection changes, for example when the session moves from HTTP to HTTPS.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.5.10

  • NIST 800-53r5 SC-23(3)

10.2.2 Requirement: Ensure that session identifiers are sufficiently random#

Details: Session tokens must be generated by a cryptographically secure random function and must be at least 128 bits long, or at a minimum provide 64 bits of entropy. Length is not entropy: a 128-bit token derived from a timestamp, a counter or a non-cryptographic PRNG is predictable regardless of its length.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.5.5

  • NIST 800-53r5 SC-23(3)

10.2.3 Requirement: Invalidate the session after logout#

Details: When the user logs out of the application, the session must be destroyed on the server, not merely cleared from the browser. This ensures that the session cannot be revived, for example by replaying the old cookie or by a browser restoring the token from a saved state.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.5.6

  • CIS Controls v8 4.3

  • NIST 800-53r5 AC-12

10.3 Maturity Level 3#

10.3.1 Requirement: Destroy sessions at any sign of tampering#

Details: Unless the application requires multiple simultaneous sessions for a single user, implement features to detect session cloning, that is, the same session identifier presented from a different client than the one that established it. Should any sign of session cloning be detected, the session must be destroyed, forcing the real user to reauthenticate.

Applies to: Web components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.5.7

10.3.2 Requirement: Lock endpoint device sessions after inactivity#

Details: The product must provide the capability to automatically lock endpoint device sessions after a standard period of inactivity. This is a basic security control that should be used universally. Employees should also be trained to lock their computers whenever they leave them.

Applies to: On-premises components

References

  • CIS Security Best Practices for Non-Voting Election Technology 5.1.11

  • CIS Controls v8 4.3

  • NIST 800-53r5 AC-2(5), AC-11, AC-11(1), AC-12

10.3.3 Requirement: Implement an idle session timeout#

Details: When a user has not been active for a defined period, the application must automatically log the user out.

Be aware that Ajax applications may make recurring background calls to the application (polling, keep-alive or auto-refresh requests). If every request resets the inactivity counter, the timeout never fires; background requests must be excluded from what counts as user activity.

Applies to: All components

References

  • CIS Security Best Practices for Non-Voting Election Technology A1.5.9

  • CIS Controls v8 4.3

  • NIST 800-53r5 AC-12
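The session requirements in 10.2.1, 10.2.2, 10.2.3, 10.3.1 and 10.3.3 describe one mechanism seen from five sides, so they are easiest to understand as a single server-side session store. The Python below is an added example and not code from RABET-V or from any vendor. It generates 128-bit identifiers from the operating system CSPRNG, regenerates the identifier on authentication, destroys the record on logout, destroys the session when the same identifier arrives from a different client (a deliberately simple client fingerprint of address plus User-Agent, an assumption for the example), and applies an idle timeout that background requests do not reset. The 15-minute timeout and the injectable clock are assumptions too.

```python
"""Server-side session store for a web component. Added example, not RABET-V or vendor code.
Assumptions: a 15-minute idle policy, a client fingerprint of IP address plus User-Agent,
and an injectable clock so that expiry can be exercised without waiting."""
import hashlib
import hmac
import secrets
import time

SESSION_ID_BYTES = 16       # 128 bits of randomness per identifier (10.2.2)
IDLE_TIMEOUT = 15 * 60      # seconds without interactive activity before logout (10.3.3)


def new_session_id():
    """Identifier from the OS CSPRNG; token_urlsafe(16) encodes 128 random bits as 22 chars."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def fingerprint(client_ip, user_agent):
    """Simplistic client binding used to spot a cloned identifier (10.3.1)."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self, client_ip, user_agent, user=None):
        sid = new_session_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "fp": fingerprint(client_ip, user_agent),
                               "created": now, "last_active": now}
        return sid

    def authenticate(self, old_sid, user, client_ip, user_agent):
        """Regenerate on login (10.2.1): the pre-login identifier is discarded so an attacker
        who planted or observed it (session fixation) does not hold the authenticated one."""
        self._sessions.pop(old_sid, None)
        return self.create(client_ip, user_agent, user=user)

    def logout(self, sid):
        """Destroy the server-side record (10.2.3); replaying the old cookie now fails."""
        self._sessions.pop(sid, None)

    def get(self, sid, client_ip, user_agent, interactive=True):
        """Resolve the session for a request, or return None.
        Expired sessions (10.3.3) and sessions presented from a different client (10.3.1)
        are destroyed, not merely refused. Background requests (polling, keep-alive) pass
        interactive=False so they do not keep the session alive."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_active"] > IDLE_TIMEOUT:
            self._sessions.pop(sid)
            return None
        if not hmac.compare_digest(s["fp"], fingerprint(client_ip, user_agent)):
            self._sessions.pop(sid)
            return None
        if interactive:
            s["last_active"] = now
        return s


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("10.0.0.5", "Mozilla/5.0")
    sid = store.authenticate(anon, "alice", "10.0.0.5", "Mozilla/5.0")
    print("pre-login id still valid:", store.get(anon, "10.0.0.5", "Mozilla/5.0") is not None)
    print("post-login id valid:", store.get(sid, "10.0.0.5", "Mozilla/5.0") is not None)
    print("same id from another client:", store.get(sid, "203.0.113.9", "Mozilla/5.0"))
    print("and afterwards from the real client:", store.get(sid, "10.0.0.5", "Mozilla/5.0"))
```

The fingerprint is the part to treat with care in a real product: binding to the client IP address logs out legitimate users whose address changes (mobile networks, carrier-grade NAT), so production implementations usually bind to more stable signals or require multi-factor step-up on mismatch rather than using the address alone. The `interactive` flag is the practical answer to the Ajax caveat in 10.3.3: the application decides which endpoints represent user activity, and only those touch `last_active`.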