Current through Register Vol. 46, No. 43, October 23, 2024
Section 6220.3 - Cyber Security Program Requirements(a) A cyber security program shall have the following elements: (1) Data Classification (i) Each Board of Elections shall conduct a data classification exercise to: identify Board of Elections data assets and information systems; determine the criticality of data assets and information systems; determine the order and scope of data assets required to be backed up based on the criticality derived from the data classification exercise; and determine the priority to restore data based on the criticality derived from the data classification exercise.(ii) Each Board of Elections shall conduct such data classification exercise for each new information system that creates, modifies, stores, or transmits election data.(iii) The data classification exercise must be initiated in the first year of this regulation and must be completed no later than August 1st prior to the general election each year; however, if a new information system is created subsequent to August 1st, but prior to election day, a new data classification exercise must be conducted as soon as practicable.(2) Asset Inventory (i) Each Board of Elections shall maintain an asset inventory of all devices and software that access, store, process, and transmit election data. At a minimum, the Board shall review said inventory for accuracy on a monthly basis.(ii) At a minimum, the inventory shall include: network address(es), machine name(s), purpose of each device, whether the device is portable, and an asset owner responsible for each device. Mobile devices that handle election data must be included whether or not they connect to the Board of Elections network. (iii) Each Board of Elections shall deploy a network-based asset discovery tool to build an initial asset inventory of Board of Elections systems, both hardware and software. The network-based asset discovery tool must be run on a monthly basis to discover new assets on the Board of Elections network segment and update the asset inventory. Any non-approved or unknown devices or software should be documented, investigated, and removed.(3) Patch Management (i) Each Board of Elections shall ensure all information systems and electronic equipment, other than voting systems, that access, store, process, and transmit election data are up-to-date through the use of a monthly patching program. This includes every network-connected device, including but not limited to desktops, laptops, tablets, servers, virtual machines, network equipment (routers, switches, firewalls, wireless access points, etc.), mobile devices, printers, storage area networks, and Voice Over-IP telephones.(ii) Each Board of Elections shall implement automated patch management and software update tools for operating systems and applications identified in the asset inventory.(iii) Any software products that cannot be automatically patched should be reviewed on a monthly basis and updated manually.(iv) Each Board of Elections shall implement an evaluation process for available patches and accelerate its deployment where they are critical in nature.(v) When checking for updates, the version should be validated to ensure it is still supported by the vendor. If not, the technology must be updated following vendor best practices. Any technology that cannot be updated or patched must be documented and communicated to the State Board of Elections when certifying the cyber security program.(vi) No system that requires State Board certification or approval for use, such as voting systems, shall be updated without express written approval of the State Board.(4) Vulnerability scanning (i) Each Board of Elections shall run vulnerability scans and, where practicable, authenticated vulnerability scanning tools, against all information systems and electronic equipment that accesses, stores, processes, and transmits election data on the network. At a minimum, such vulnerability scanning tools shall comply with the following: (1) the scanning interval must occur on a continuous basis, but not less than a bi-weekly basis.(2) reports must deliver a prioritized list based on criticality.(3) the scans must assess code-based vulnerabilities, configuration-based vulnerabilities, and web application vulnerabilities.(4) The network border must undergo a vulnerability scan on at least a bi-weekly basis.(ii) Each Board of Elections shall undergo an annual penetration test of its network(s) to identify vulnerabilities in the environment. Verified vulnerabilities must be added to existing Remediation Plans.(5) Backups of Election Data (i) At a minimum, to ensure recovery of information systems and data, Boards of Elections shall, at weekly intervals, perform a full backup Election Data. (ii) Each Board of Elections shall store at least one full backup, rotated weekly, at an off-site location. This backup shall be stored securely and offline (not connected to a network).(iii) Each Board of Elections utilize a separate service account for backups that is prevented from interactive logon of workstations and servers.(iv) Each Board of Elections shall attest to the proper configuration of backup accounts and services in its annual compliance certification to the State Board pursuant to section 6220.2(b) of this regulation.(6) Restoration of Data (i) Each Board of Elections shall test, at least once ninety days prior to each primary and general election, the restoration of critical data and information systems from its backup and verify that the restored data and information systems are useful, accessible, and fully functional to meet operational requirements.(ii) Each Board of Elections shall attest to completion of the restoration tests in its annual compliance certification to the State Board pursuant to section 6220.2(b) of this regulation.(iii) If such tests are unsuccessful, results shall be reported to the Secure Elections Center no later than two weeks from the date of the test. (7) Network Segmentation (i) Each Board of Elections shall establish its own network segment(s), segregating data communications from other interconnected networks, by establishing separate Virtual Local Area Networks (VLANs) and, if feasible, physical network segmentation.(ii) Each Board of Elections network traffic must be restricted following the principle of least privilege (e.g. network traffic shall be restricted solely for legitimate election administration purposes) implemented through access control lists and updated documentation must be maintained.(iii) Each Board of Elections shall only allow elections-related VLANs to communicate with information systems unrelated to elections on an as-needed basis.(iv) Any communications to information systems unrelated to elections must be documented and submitted annually when certifying the cyber security program pursuant to section 6220.2(b) of this regulation.(v) Other network traffic, such as wireless communications or public terminals, shall be segmented or explicitly denied.(vi) Security features on any network appliance, cloud service, or security software that blocks or prevents malware and malicious network traffic shall be enabled.(vii) Each Board of Elections shall use dedicated servers or electronic devices for elections-related tasks, such as but not limited to voter registration, election management systems, and election night reporting.(viii) For dedicated servers or electronic devices for elections-related tasks, only software necessary and relevant to carry out said tasks shall be installed.(ix) Dedicated servers or specialized electronic devices for elections-related tasks, such as poll pads, shall not be used for general purpose computing, such as word processing or browsing the internet.(x) Technical controls shall be implemented to prevent internet browsing from dedicated servers or specialized electronic devices intended for elections-related tasks.(xi) Each Board of Elections shall use secure protocols for all remote connections on the Board of Elections network segment(s).(xii) Each Board of Elections shall use encryption to protect elections data both in transit and at rest where practicable.(xiii) Each Board of Elections shall disable Server Message Block (SMB) Protocol version 1 communications on the Board of Elections network segment.(xiv) Each Board of Elections shall disable all Server Message Block (SMB) Protocol communications at the private/public network boundary.(xv) Each Board of Elections shall disable macros, programs common in office documents, on Board of Elections workstations unless there is an explicit need.(xvi) Any macros enabled on a Board of Elections workstation must be documented and submitted annually when certifying the cyber security program pursuant to section 6220.2(b) of this regulation.(xvii) Any Windows system that supports PowerShell must be updated to a current supported version and must enable module, script block, and transcript logging or have PowerShell disabled from running.(xviii) Each Board of Elections must compare their expected network traffic with the rules from their network boundary firewalls to ensure that the rules are acting as intended and align with industry best practices on an annual basis.(xix) Each Board of Elections must establish and document the configuration of a "Baseline Image" for user workstations and dedicated servers on their network(s), including but not limited to: voter registration systems, desktops, and laptops. The documentation should be updated, along with the image, on regular intervals but no less than quarterly. Any exceptions to the Baseline Image must be documented and submitted annually when certifying the cyber security program.(8) Remote Access (i) Each Board of Elections shall follow best practices for remote access to its network segment(s), which shall include, but is not limited to:(1) the use of bi-directional authentication to establish trust between the sender and receiver.(2) the use of secure protocols for all remote connections to the systems and applications of the board of elections network segment, such as transport layer security (TLS) or Internet protocol security (IPSEC).(9) Logging (i) Each Board of Elections shall enable, retain, and secure logs from network devices and network-connected servers, desktops, and laptops that access, store, modify, and transmit election data.(ii) Such log data must be forwarded to a centralized log management server that is separated from the current network for retention of a minimum of ninety-two days.(10) Incident Response (i) Each Board of Elections shall ensure that a written incident response plan is maintained and designed to promptly respond to any cyber security incident materially affecting the confidentiality, integrity or availability of the Board's information systems or the continuing functionality of any aspect of the Board's operations.(ii) At a minimum, the incident response plan must address: the internal processes for responding to a cyber security incident; the goals of the incident response plan; the definition of clear roles, responsibilities and levels of decisionmaking authority; and external and internal communications and information sharing.(iii) Each Board of Elections shall update its incident response contacts list and shall notify the State Board upon any changes and, at a minimum, shall submit a copy of the incident response contact list to the State Board bi-annually, but no later than ninety days prior to the primary and general election.(iv) Each Board of Elections shall must report to the State Board of Elections, through the cyber incident reporting procedure, all cyber security incidents or any disruptions which impact or have the potential to impact election operations. Cyber security incidents includes, but is not limited to: (I) any unauthorized entry or attempt to gain unauthorized access to storage facilities, polling sites, early vote centers, and/or offices of the county Board of Elections (regardless of whether on private or public property that is used by the county Board of Elections); (II) incidences of phishing, including spear-phishing, which seemingly target the county Board of Elections; (III) attempts to access, alter, or destroy the county Board of Elections critical information systems or public-facing websites; (IV) attempts to hack, phish, or compromise professional e-mail accounts and the county Board of Elections social media accounts; (V) attempts to interfere with votes sent through the U.S. Postal Service; or (VI) instances of any unexplained disruption at a polling place or training locations for Election Inspectors and other poll workers, including early voting locations, which block or inhibit voter participation. Disruptions may include social media posts or robocalls or texts reporting closed or changed polling places, or physical incidents at polling places, including distribution of false information; disinformation efforts to alter voter participation (including via US postal mail, social media, or other electronic or physical Means); impacts to critical infrastructure that limit access to polling places or information from elections officials, such as power, natural gas, water, internet, telephone (including cellular), and transportation (including traffic controls and roads) outages.(v) Each Board of Elections shall allow on-site visits for incident handling and response by the State Board of Elections and its employees and/or designees.(11) Continuity of Operations (i) Each Board of Elections shall create or update and maintain a continuity of operations plan to recover from incidents and ensures that the Board of Elections is able to perform essential functions under a broad range of circumstances(ii) The continuity of operations plan must address recovery, contingency processes, communication plans, and processes for operational data availability.(iii) Each Board of Elections shall submit a copy of the continuity of operations plan to the State Board annually pursuant to section 6220.2(b) of this regulation.(12) Credential Management and Access (i) Each Board of Elections shall ensure that a Complex Password Management Policy is implemented on all information technology systems and assets in use by the Board and, at minimum, all passwords shall be changed on a regular basis but no less than annually.(ii) Passwords or Pass Phrases must be at least fourteen characters in length, must support special characters, and must be changed at least once every year. When passwords are used as part of multi-factor authentication, a minimum of eight characters in length shall be used. Information systems that do not support these password settings must be documented and submitted annually when certifying the cyber security program pursuant to section 6220.2(b) of this regulation.(iii) Default passwords must be changed and may not be used on any device or software for elections-related tasks.(iv) Access to Board of Elections systems and devices must utilize unique and individually accountable credentials. Use of logins such as anonymous, guest, etc. or sharing of credentials among multiple users is not allowed. Information systems that do not support the use of unique credentials must be documented and submitted annually when certifying the cyber security program pursuant to section 6220.2(b) of this regulation.(v) Each Board of Elections shall review all users who have data entry access or change privileges, based on the principle of least privilege, and shall review such access whenever an employee's status changes and users who are no longer employed by the Board of Elections shall have their accounts disabled.(vi) Each Board of Elections shall conduct periodic reviews of all user accounts who have access to Board of Elections information systems at least annually.(13) Multi-factor Authentication (i) Each Board of Elections shall implement multi-factor authentication for administrative access to information systems that store, process, and grant access to election data, including domain administrative access. Multi-factor authentication may be employed through a variety of methods, including smart cards, certificates, one-time password (OTP) tokens, biometrics, or similar authentication methods.(ii) Each Board of Elections shall implement multi-factor authentication on remote access to county Board of Elections assets.(iii) Each Board of Elections shall implement multi-factor authentication for all user accounts that have access to election data or systems that create, modify, transmit, or store election data.(iv) Any information system that manages election data in the aforementioned manner and does not support multi-factor authentication shall be documented and reported when certifying the cyber security program.(14) Email and Web Protections (i) Each Board of Elections shall ensure all incoming emails are scanned for malicious attachments and links prior to delivery and shall quarantine emails as necessary.(ii) Each Board of Elections shall implement transport layer security (TLS) to secure web and email communications and ensure any certificates used do not expire.(iii) Each Board of Elections shall implement a mechanism, through an automated service, to protect Domain Naming System (DNS) queries from connecting to malicious domains.(iv) Each Board of Elections shall implement a web application firewall to protect its web applications and web sites from malicious traffic.(v) Each Board of Elections shall utilize .GOV domains for email communications and web traffic to the extent practicable.(vi) Starting no later than August 1, 2024, the Board of Elections shall implement domain-based message authentication, reporting, and conformance (DMARC) for email.(15) Third Party Risk Management (i) Each Board of Elections shall address technology procurement risk through an appropriate risk assessment prior to the adoption of new technologies or managed services.(ii) Each Board of Elections shall follow a Secure System Development Life Cycle in the development of all Board of Elections applications and systems, including applications and systems developed for the Board by outside entities.(16) Continuous Monitoring and Reporting (i) In order to maintain awareness of elections assets and any malicious activity, the Board of Elections shall maintain an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) on network-connected election systems.(ii) Each Board of Elections shall maintain up-to-date contacts for alerts generated by such system.(17) Removable Media (i) Any information system which utilizes removable media and handles Election Data, shall sanitize, scan for viruses and malware, encrypt, and physically secure the device pursuant to guidance provided by the State Board.(ii) Any information system that does not have a documented business requirement for using removable media shall have its ability to access removable media disabled.(18) Security Awareness Training (i) All employees of a Board of Elections that access and use any Board of Elections systems, including but not limited to email and voter registration systems, shall successfully complete a cyber security awareness training program and must attest to successful completion annually.(ii) Each Board of Elections shall conduct a phishing assessment of employees of the Board of Elections at least once annually and shall report the results to the State Board of Elections.(iii) Each Board of Elections shall participate in tabletop exercises hosted by the State Board of Elections, including Commissioners, Deputy Commissioners, and significant staff as selected by Commissioners of Boards of Elections.(19) Elections Infrastructure Information Sharing and Analysis Center(i) Each Board of Elections shall be responsible for acquiring and maintaining membership in the Center for Internet Security's Elections Infrastructure Information Sharing and Analysis Center ("EI-ISAC").N.Y. Comp. Codes R. & Regs. Tit. 9 § 6220.3
Adopted New York State Register August 18, 2021/Volume XLIII, Issue 33, eff. 8/18/2021