BEFORE THE SECRETARY OF STATE
OF THE STATE OF MONTANA
TO: All Concerned Persons
1. On January 16, 2024, at 2:00 p.m., the Secretary of State will hold a public hearing in the Secretary of State's Office conference room, Room 260, State Capitol, Helena, Montana, to consider the proposed amendment of the above-stated rules.
2. The Secretary of State will make reasonable accommodations for persons with disabilities who wish to participate in this rulemaking process or need an alternative accessible format of this notice. If you require an accommodation, contact the Secretary of State no later than 5:00 p.m., January 9, 2024, to advise of the nature of the accommodation needed. Please contact Andy Ritter, Secretary of State's Office, P.O. Box 202801, Helena, MT 59620-2801; telephone (406) 444-7911; fax (406) 444-3976; TTY/Montana Relay Service 711; or email [email protected].
3. The rules proposed to be amended provide as follows, new matter underlined, deleted matter interlined:
44.3.2901 DEFINITIONS As used in this subchapter, unless the context clearly indicates otherwise, the following definitions apply:
(1) and (2) remain the same.
(3) "Qualified assessor" means a security professional who, at the time of engagement, is certified and in good standing with at least of one of the following security credentials which require passing an exam covering related security subject matter and possessing the required amount of relevant information security work experience (based on certification requirements in effect on April 15, 2022 December 1, 2023):
(a) Certified Authorization Professional (CAP). Certified in Governance, Risk, and Compliance (CGRC). The requirements to obtain a CAP CGRC credential can be found at https://www.isc2.org;
(c) through (h) remain the same.
AUTH: 13-1-205, MCA
IMP: 13-1-205, MCA
REASONABLE NECESSITY: The naming of the Certified Authorization Professional credential has changed to Certified in Governance, Risk, and Compliance. The exam and required experience have remained the same. The change to ARM 44.3.2901(3)(a) addresses the name change for the credential.
44.3.2902 ANNUAL SECURITY ASSESSMENTS (1) Election security practices performed at county election offices shall be annually assessed based on controls derived from one of the following frameworks that detail security best practices for mitigating security risks to an organization:
(a) through (c) remain the same.
(d) the Center for Internet Security's "A Handbook for Elections Infrastructure Essential Guide to Election Security," version 1.0 1.4.1, published February 2018 September 29, 2023, found at https://www.cisecurity.org https://essentialguide.docs.cisecurity.org/.
(2) Assessments shall be performed according to the following schedule:
(a) remains the same.
(b) during all other years, the security assessments may be performed using a self-assessment conducted through the Nationwide Cybersecurity Review (NCSR) based on requirements as of April 15, 2022 December 1, 2023, and found at https://www.cisecurity.org/, or the Election Infrastructure Assessment Tool (EIAT) based on requirements as of April 15, 2022, and found at https://www.cisecurity.org/. This These tools details the security best practices for mitigating security risks to an organization.
(3) remains the same.
(4) County election administrators shall provide the results of the third-party assessments to the Secretary of State in January of each calendar year. The results provided to the Secretary of State will include a management description detailing the controls assessed and the effectiveness of each control. The management description shall include the name and qualification of the assessor including their security credential's verification, certification, or identification number.
(5) remains the same.
AUTH: 13-1-205, MCA
IMP: 13-1-205, MCA
REASONABLE NECESSITY: The Center for Internet Security's "A Handbook for Election Infrastructure" has changed its name and online location. The change to ARM 44.3.2902(1)(d) reflects this change. The Center for Internet Security's Election Infrastructure Assessment Tool (EIAT) is no longer available. The change to ARM 44.3.2902(2)(b) removes the tool. The change to ARM 44.3.2902(4) clarifies that the results of the third-party assessments must be provided to the Secretary of State's Office.
44.3.2903 ANNUAL SECURITY AWARENESS TRAINING (1) through (3) remain the same.
(4) The county election administrator shall provide the Secretary of State with records of their election staff's completion of the security awareness training in January of each calendar year within two weeks after the end of each annual training cycle.
AUTH: 13-1-205, MCA
IMP: 13-1-205, MCA
REASONABLE NECESSITY: The change to ARM 44.3.2903(4) simplifies the reporting requirements by aligning the timeframes with reporting requirements in ARM 44.3.2902(4) and 13-1-205(1)(b), MCA.
44.3.2904 PHYSICAL SECURITY (1) remains the same.
(2) County election administrators shall maintain an inventory record and a chain of custody for any type of component that is used within a voting system as defined in 13-1-101, MCA, and any keys, cards, fobs, or other controls used to access election-related equipment or storage locations.
(a) County election administrators shall document records and chains of custody on forms prescribed by the Secretary of State and located on the Secretary of State website.
(b) through (4) remain the same.
AUTH: 13-1-205, MCA
IMP: 13-1-205, MCA
REASONABLE NECESSITY: Counties already electronically document inventories of assets in asset management systems. The proposed update to ARM 44.3.2904(2)(a) changes the word "record" to "inventory" for clarity and removes the requirement that inventories must be documented on forms prescribed by the Secretary of State.
44.3.2905 OTHER ELECTION SECURITY REQUIREMENTS (1) remains the same.
(2) Workstations, desktops, laptops, or other computing devices used by county election departments and connected to a computer network shall have endpoint detection and response (EDR) tools or behavioral-based anti-virus software installed, operating as recommended by the vendor and updated with the latest signatures or other version as required and supported by the vendor.
AUTH: 13-1-205, MCA
IMP: 13-1-205, MCA
REASONABLE NECESSITY: The proposed change incorporates specific anti-virus software into the requirements. Both endpoint detection and response (EDR) tools and behavioral-based anti-virus software provide significant improvements in protection over traditional signature-based anti-virus.
4. With regard to the requirements of 2-4-302(1)(c), MCA, it has been determined that these proposed rule amendments will not have a fiscal impact.
5. Concerned persons may submit their data, views, or arguments either orally or in writing at the hearing. Written data, views, or arguments may also be submitted to: Angela Nunn, Secretary of State's Office, P.O. Box 202801, Helena, Montana 59620-2801, or by e-mailing [email protected], and must be received no later than 5:00 p.m., January 19, 2024.
6. Austin James, Secretary of State's Office, has been designated to preside over and conduct the hearing.
7. The Secretary of State maintains a list of interested persons who wish to receive notices of rulemaking actions proposed by this agency. Persons who wish to have their name added to the list may submit their request online at https://sosmt.gov/arm/secretary-of-state-administrative-rules/ or submit a written request which includes the name and contact information of the person who wishes to receive notices. Written requests may be mailed or delivered to the Secretary of State's Office, Administrative Rules Services, 1301 E. 6th Avenue, P.O. Box 202801, Helena, MT 59620-2801, or emailed to [email protected].
8. The bill sponsor contact requirements of 2-4-302, MCA, do not apply.
9. With regard to the requirements of 2-4-111, MCA, the Secretary of State has determined that the amendment of the above-referenced rules will not significantly and directly impact small businesses.
/s/ AUSTIN MARKUS JAMES /s/ CHRISTI JACOBSEN
Austin Markus James Christi Jacobsen
Rule Reviewer Secretary of State
Dated this 12th day of December, 2023.