W. Va. Code R. § 153-55-4

Current through Register Vol. XLI, No. 44, November 1, 2024
Section 153-55-4 - Minimum Cyber Security Standards
4.1. The county clerk shall develop and maintain an IRP to follow in both response to and recovery from a cyber incident, a copy of which shall be provided to the Secretary of State's Chief Information Officer upon request.
4.1.1. The IRP shall include:
4.1.1.a. The full name, direct phone number(s), and official email address of the county's designated Primary Administrative Contact and Primary Technical Contact;
4.1.1.b. A plan to restore critical services based on the type of incident if failure to restore can predictably jeopardize the normal conduct of elections. For this requirement, types of incidents include ransomware or other malicious cyber attacks that prevent an election official from accessing any election technology or endpoint device;
4.1.1.c. A communication directive to immediately notify the Secretary of State's Chief Information Officer within 24 hours of discovery of any potential or actual cyber incident; and
4.1.1.d. A requirement for developing a POA&M within 48 hours of a cyber incident, which includes a description of the incident and the plan with defined deadline milestones to recover all election technology and devices affected by the incident. The POA&M shall be submitted to the Secretary of State in a secure manner upon completion.
4.1.2. The IRP may be included with or incorporated into a broader COOP.
4.1.3. The county clerk shall review the IRP on an annual basis and make any necessary updates or revisions in a timely manner.
4.1.4. The county clerk shall immediately notify the Secretary of State's Chief Information Officer upon discovery of any potential or actual cyber incident and submit within 48 hours a Plan of Actions and Milestones that includes a description of the incident and sets forth the plan with defined deadline milestones to recover all election technology and devices affected by the incident.
4.2. Any device that accesses, is involved with, or interacts with, election technology shall:
4.2.1. Use a supported operating system that is regularly updated and patched in accordance with the vendor's cyber security recommendations, or following a notification or directive from a state, federal, or industry authority that is applicable to the specific operating system; and
4.2.2. Have current endpoint protection, including up-to-date virus and malware definitions.
4.3. The county clerk shall maintain a roster of authorized users who have access to or credentials for election technology, which shall include internal and external users such as deputy clerks and vendors. The county clerk shall review and update the roster quarterly.
4.3.1. All authorized users must complete annual training selected or provided by the Secretary of State on the principals of cybersecurity awareness, which shall include an annual email phishing campaign assessment: Provided, this requirement does not include poll workers or other temporary contract workers whose access to election technology is supervised or merely incidental, such as working the polls on election day or providing in-office assistance with tracking absentee ballots; and
4.3.2. The county clerk shall remove and revoke all login and access credentials to any device or election technology of any authorized users within 24 hours after that employee's or individual's authorization is revoked. Examples of revoked authorization include employment resignation or termination, or new job duties that no longer justify any purpose for the individual to access or interact with any device or election technology.
4.4. All county clerk offices must maintain membership in the Center for Internet Security's Election Infrastructure Information Sharing and Analysis Center.
4.5. Security and encryption policies around the storage or transmission of sensitive or protected data, unless otherwise specified by a unique transaction, must be compliant with standards enumerated by NIST.
4.6. Password policies around accessing election technology, unless otherwise specified by the platform host, must be compliant with standards enumerated by NIST.
4.7. A full- or part-time county clerk employee shall use only county or state issued email accounts for all election administration related conduct and communications: Provided, that this requirement shall not include poll workers or other temporary contracted workers, such as ballot commissioners. Additionally, out-of-band email communications used in response to a cybersecurity event shall be exempt.
4.8. County clerk offices that utilize social media accounts for official election-related public communications shall protect the account using multifactor authentication, if available.
4.9. County clerk offices must enroll in an external vulnerability scanning program and conduct, at a minimum, an annual vulnerability scan to assess the security of public-facing IP address ranges, websites, and web applications hosted by the county or county clerk for use in election administration.
4.9.1. The vulnerability scanning program scope may vary depending on the type of program and assessment: Provided, that this requirement does not include election technology that does not connect to any network.
4.9.2. Counties shall remediate all critical or high-risk vulnerabilities identified by any assessment. The timeline for remediation will vary based on the type and severity of vulnerability. Follow all NIST industry standards for remediation timeline.
4.10. Counties who identify or suspect an actual or possible election security cyber incident shall report same to the Secretary of State's Chief Information Officer, Elections Director, Chief of Staff, or General Counsel, within 24 hours of the actual or possible incident.

W. Va. Code R. § 153-55-4