44.3.2902 ANNUAL SECURITY ASSESSMENTS
(1) Election security practices performed at county election offices shall be annually assessed based on controls derived from one of the following frameworks that detail security best practices for mitigating security risks to an organization:
(a) the National Institute of Standards and Technology's "Framework for Improving Critical Infrastructure Cybersecurity," Version 1.1, published April 16, 2018, found at https://www.nist.gov;
(b) the National Institute of Standards and Technology's Special Publication 800-53 Revision 5 titled "Security and Privacy Controls for Information Systems and Organizations," published December 10, 2020, found at https://www.nist.gov;
(c) the Center for Internet Security's "CIS Critical Security Controls," Version 8, published May 2021, found at https://www.cisecurity.org; or
(d) the Center for Internet Security's "Essential Guide to Election Security," version 1.4.1, published September 29, 2023, found at https://essentialguide.docs.cisecurity.org/.
(2) Assessments shall be performed according to the following schedule:
(a) at least once every three years, the security assessment shall be performed by an independent, third-party, and qualified assessor; and
(b) during all other years, the security assessments may be performed using a self-assessment conducted through the Nationwide Cybersecurity Review (NCSR) based on requirements as of December 1, 2023, and found at https://www.cisecurity.org/. This tool details the security best practices for mitigating security risks to an organization.
(3) County election administrators shall maintain storage of security assessment results according to the local government records retention schedule.
(4) County election administrators shall provide the results of the third-party assessments to the Secretary of State in January of each calendar year. The results provided to the Secretary of State will include a management description detailing the controls assessed and the effectiveness of each control. The management description shall include the name and qualification of the assessor including their security credential's verification, certification, or identification number.
(5) Security assessments are considered confidential information as defined in 2-6-1002(1), MCA. Security assessment results and supporting security information are prohibited from disclosure to the public.
History: 13-1-205, MCA; IMP, 13-1-205, MCA; NEW, 2022 MAR p. 1089, Eff. 6/25/22; AMD, 2024 MAR p. 285, Eff. 2/10/24.