Handbook for Elections Infrastructure Security

The following best practices address the risks identified elsewhere in this handbook. References to resources are listed in the appendix.


1. Whitelist which IPs can access the device

Applicable CIS Controls

#14: Controlled Access Based on the Need to Know

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

Asset Class: Devices; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: Cisco recommendations on how to implement Access Control Lists on perimeter devices: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html.

2. Regularly scan the network to ensure only authorized devices are connected

Applicable CIS Controls

#1.1: Automated Asset Inventory Tool

Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization’s public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.

#12.8: Periodically Scan For Back-channel Connections To The Internet

Periodically scan for back-channel connections to the Internet that bypass the DMZ, including unauthorized VPN connections and dual-homed hosts connected to the enterprise network and to other networks via wireless, dial-up modems, or other mechanisms.

Asset Class: Devices; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Medium

Resource: Automated tools should be available to actively scan the internal environment, while DHS and MS-ISAC services can assist organizations with scanning their externally facing assets.

3. Limit the devices that are on the same subnet to only those devices required

Applicable CIS Controls

#14.1: Implement Network Segmentation Based On Information Class

Segment the network based on the label or classification level of the information stored on the servers. Locate all sensitive information on separate VLANs with firewall filtering to ensure that only authorized individuals are able to communicate with systems necessary to fulfill their specific responsibilities.

Asset Class: Devices; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Medium

Resource: NIST guidance is available to help the technical team determine how to appropriately segregate assets and permit access to only those devices or systems requiring access: https://nvd.nist.gov/800-53/Rev4/control/SC-7.

4. Only utilize approved and managed USB devices with appropriate device encryption and device authentication

Applicable CIS Controls

#14: Controlled Access Based on the Need to Know

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

Asset Class: Devices; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Low

Resource: Cisco recommendations on how to implement Access Control Lists on perimeter devices: https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html.

5. Disable wireless peripheral access of devices unless required and the risk is formally approved by election officials

Applicable CIS Controls

#15.8: Disable Wireless Peripheral Access (i.e. Bluetooth, WiFi, radio, microwave, satellite, etc.) unless Required

Disable wireless peripheral access of devices (such as Bluetooth and WiFi), unless such access is required and risk acceptance is formally documented.

Asset Class: Devices; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: Microsoft guidance on how to disable Bluetooth: https://technet.microsoft.com/en-us/library/dd252791.aspx.

6. Ensure the system is segregated from other independent election systems and non-election supporting systems

Applicable CIS Controls

#14.1: Implement Network Segmentation Based On Information Class

Segment the network based on the type of information and the sensitivity of the information processed and stored. Use virtual LANs (VLANs) to protect and isolate information and processing with different protection requirements, with firewall filtering to ensure that only authorized individuals are able to communicate with systems necessary to fulfill their specific responsibilities.

Asset Class: Devices; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: High; Ongoing Maint. Cost: Medium

Resource: While this is an often overlooked control and can require architectural redesigns, it is an important control to pursue. NIST guidance on boundary protection: https://nvd.nist.gov/800-53/Rev4/control/SC-7.

7. Deploy a Network Intrusion Detection System (IDS) (e.g., MS-ISAC Albert sensor) on Internet and extranet DMZ systems

Applicable CIS Controls

#12.2: Record At Least Packet Header Information On DMZ Networks

On DMZ networks, configure monitoring systems (which may be built in to the IDS sensors or deployed as a separate technology) to record at least packet header information, and preferably full packet header and payloads of the traffic destined for or passing through the network border. This traffic should be sent to a properly configured Security Information Event Management (SIEM) or log analytics system so that events can be correlated from all devices on the network.

Asset Class: Devices; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Medium

Resource: The Albert device is part of the MS-ISAC offering: https://www.cisecurity.org/ms-isac/services/albert/. There are also a number of commercially available options.

8. If wireless is required, ensure all wireless traffic uses at least Advanced Encryption Standard (AES) encryption with at least Wi-Fi Protected Access 2 (WPA2)

Applicable CIS Controls

#15.5: Protect All Wireless Traffic with AES and WPA2

Ensure that all wireless traffic leverages at least Advanced Encryption Standard (AES) encryption used with at least Wi-Fi Protected Access 2 (WPA2) protection.

Asset Class: Devices; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Low

Resource: NIST guidance on how to implement secure wireless networks: https://www.nist.gov/publications/guidelines-securing-wireless-local-area-networks-wlans.

9. Use trusted certificates for any publicly-facing website

Asset Class: Devices; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: Follow the vendor's recommendations on deploying certificates with the system. Also, test to verify the SSL certificate configuration with products such as the Qualys SSL Labs test: https://www.ssllabs.com/ssltest/.

10. Ensure logs are securely archived

Asset Class: Process; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Medium

Resource: Work with appropriate vendors. Additionally, see Microsoft's How to Set Event Log Security: https://support.microsoft.com/en-us/help/323076/how-to-set-event-log-security-locally-or-by-using-group-policy.

11. On a regular basis, review logs to identify anomalies or abnormal events

Asset Class: Process; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Medium

12. Ensure critical data is encrypted and digitally signed

Applicable CIS Controls

#13.2: Deploy Hard Drive Encryption Software

Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.

Asset Class: Process; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Medium

Resource: Work with appropriate vendors. Additionally, see Microsoft guidance on digital signatures: https://technet.microsoft.com/en-us/library/cc962021.aspx.

13. Ensure staff is properly trained on cybersecurity and audit procedures and audit every election in accordance with local, state, and federal guidelines

Asset Class: Process; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: Work with appropriate vendors. Review EAC guidance: https://www.eac.gov/election-officials/election-management-guidelines/.

14. Perform system testing prior to elections (prior to any ballot delivery), such as acceptance testing

Asset Class: Process; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Low

Resource: Work with appropriate vendors. Review EAC guidance: https://www.eac.gov/election-officials/election-management-guidelines/.

15. Ensure acceptance testing is done when receiving or installing new/updated software or new devices

Asset Class: Process; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: Work with appropriate vendors. Review EAC guidance: https://www.eac.gov/election-officials/election-management-guidelines/.

16. Conduct criminal background checks for all staff, including vendors, consultants, and contractors supporting the election process

Asset Class: Process; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Medium

Resource: Examples of this include the National Agency Check Criminal History: https://www.gsa.gov/forms-library/basic-national-agency-check-criminal-history.

17. Deploy application whitelisting

Applicable CIS Controls

#2.2: Deploy Application Whitelisting

Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.

Asset Class: Software; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Low

Resource: NIST guidance on how to implement application whitelisting: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf. You may have to work with the vendors to implement it on their systems.

18. Work with the election system provider to ensure base system components (e.g., OS, database) are hardened based on established industry standards

Applicable CIS Controls

#3.1: Establish Standard Secure Configurations For OS And Software

Establish standard secure configurations of operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors.

#18.7: Use Standard Database Hardening Templates

For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested.

Asset Class: Software; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: High; Ongoing Maint. Cost: Low

Resource: CIS Benchmarks provide hardened configurations for consumer grade operating systems and applications: https://www.cisecurity.org/cis-benchmarks/. In addition, NIST provides further recommendations for baselines. Some vendor products may require tailoring to work with benchmark-configured systems. Deviations from the benchmark should be documented.

19. Regularly run a SCAP-compliant vulnerability scanner

Applicable CIS Controls

#4.1: Weekly Automated Vulnerability Scanning

Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk. Use a SCAP-validated vulnerability scanner that looks for both code-based vulnerabilities (such as those described by Common Vulnerabilities and Exposures entries) and configuration-based vulnerabilities (as enumerated by the Common Configuration Enumeration Project).

Asset Class: Software; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Medium

Resource: The principal cost beyond the purchase of the tool is the adjudication and remediation of the findings. SCAP-validated tools can be found at https://nvd.nist.gov/scap/validated-tools, and there are a number of other commercially available tools.

20. Utilize EAC certified or equivalent software and hardware products where applicable

Asset Class: Software; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Medium

Resource: Guidance from the EAC about their vendor certification process: https://www.eac.gov/voting-equipment/frequently-asked-questions/.

21. Store secure baseline configuration on a hardened offline system and securely deploy baseline configurations

Applicable CIS Controls

#3.3: Store Master Images Securely

Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible. Alternatively, these master images can be stored in offline machines, air-gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network.

Asset Class: Software; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: NIST guidance on Software Integrity: https://nvd.nist.gov/800-53/Rev4/control/SI-7.

22. Utilize write-once media for transferring critical system files and system updates. Where it is not possible to use write-once media, the media should be used one time (for a single direction of transfer to a single destination device) and then securely disposed of.

Asset Class: Software; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: NIST guidance on Media Protection: https://nvd.nist.gov/800-53/Rev4/control/MP-7.

23. Maintain detailed maintenance records of all system components

Asset Class: Users; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: Maintenance process, procedures and recommendations based on NIST guidance: https://nvd.nist.gov/800-53/Rev4/control/MA-2.

24. Require the use of multi-factor authentication

Applicable CIS Controls

#5.6: Use Multi-factor Authentication For All Administrative Access

Use multi-factor authentication for all administrative access, including domain administrative access. Multi-factor authentication can include a variety of techniques, including the use of smart cards, certificates, One Time Password (OTP) tokens, biometrics, or other similar authentication methods.

#12.6: Require Two-factor Authentication For Remote Login

Require all remote login access (including VPN, dial-up, and other forms of access that allow login to internal systems) to use two-factor authentication.

#16.11: Use Multi-factor Authentication For Accounts Accessing Sensitive Data Or Systems

Require multi-factor authentication for all user accounts that have access to sensitive data or systems. Multi-factor authentication can be achieved using smart cards, certificates, One Time Password (OTP) tokens, or biometrics.

Asset Class: Users; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: High; Ongoing Maint. Cost: Medium

Resource: Vendor specific. NIST guidance on authentication: https://pages.nist.gov/800-63-3/sp800-63b.html.

25. Require users to use strong passwords (14 character passphrases) if multi-factor authentication is not available

Applicable CIS Controls

#5.7: User Accounts Shall Use Long Passwords

Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters).

#16.12: Use Long Passwords For All User Accounts

Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters).

Asset Class: Users; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: Vendor specific. CIS Benchmarks detail how this can be implemented for consumer grade operating systems and applications: https://www.cisecurity.org/cis-benchmarks/.

26. Limit the number of individuals with administrative access to the platform and remove default credentials

Applicable CIS Controls

#5.1: Minimize And Sparingly Use Administrative Privileges

Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.

Asset Class: Users; Connectedness Class: Network Connected; Priority: High; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: Microsoft resources for managing users: https://msdn.microsoft.com/en-us/library/cc505882.aspx.

27. Ensure that all devices are documented and accounted for throughout their lifecycle

Asset Class: Devices; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: NIST guidance on maintaining hardware inventories: https://nvd.nist.gov/800-53/Rev4/control/CM-8.

28. Utilize tamper evident seals on all external ports that are not required for use and electronically deactivate ports where feasible

Asset Class: Devices; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: Check to see if vendors have this information as part of their Technical Data Package (TDP). Additional information on tamper evident seals: http://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-03-0269.

29. Maintain an inventory of assets that should be on the same subnet as the election system component

Applicable CIS Controls

#1.4: Asset Inventory Accounts For All Devices

Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice Over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization’s network.

Asset Class: Devices; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: NIST guidance on maintaining hardware inventories: https://nvd.nist.gov/800-53/Rev4/control/CM-8.

30. Establish and follow a rigorous protocol for installing tamper evident seals and verifying their integrity upon removal

Asset Class: Devices; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: Check to see if vendors have this information as part of their Technical Data Package (TDP). Additional information on tamper evident seals: http://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-03-0269.

31. Conduct load and stress tests for any transactional related systems to ensure the ability of the system to mitigate potential DDoS type attacks

Asset Class: Devices; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Low

32. Limit the use of personally identifiable information. When it is required, ensure that it is properly secured and staff with access are properly trained on how to handle it.

Asset Class: Process; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: Review EAC guidance: https://www.eac.gov/election-officials/election-management-guidelines/.

33. Conduct mock elections prior to major elections to help eliminate gaps in process and legal areas

Asset Class: Process; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Medium

34. Identify and maintain information on network service providers and third-party company contacts with a role in supporting election activities

Applicable CIS Controls

#19.5: Assemble and maintain information on third-party contact information to be used to report a security incident (e.g., maintain an email address of security@organization.com or have a web page http://organization.com/security).

Asset Class: Process; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

35. Implement a change freeze prior to peak election periods for major elections

Asset Class: Process; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

36. Prior to major elections, conduct in-person site audits to verify compliance with security policies and procedures

Asset Class: Process; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Medium

37. Work with vendors to establish and follow hardening guidance for their applications

Applicable CIS Controls

#3.1: Establish Standard Secure Configurations For OS And Software

Establish standard secure configurations of operating systems and software applications. Standardized images should represent hardened versions of the underlying operating system and the applications installed on the system. These images should be validated and refreshed on a regular basis to update their security configuration in light of recent vulnerabilities and attack vectors.

Asset Class: Software; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: Vendors will typically provide recommendations on how to securely deploy and manage their systems.

38. Ensure logging is enabled on the system

Applicable CIS Controls

#6.2: Ensure Audit Log Settings Support Appropriate Log Entry Formatting

Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.

Asset Class: Software; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Medium

Resource: Work with the vendor to identify logging capabilities. CIS-CAT can check this configuration item for consumer grade operating systems and applications: https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/. CIS Benchmarks also provide logging recommendations for major platforms.

39. Use automated tools to assist in log management and where possible ensure logs are sent to a remote system

Applicable CIS Controls

#6.6: Deploy A SIEM OR Log Analysis Tools For Aggregation And Correlation/Analysis

Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.

Asset Class: Software; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: High; Ongoing Maint. Cost: High

Resource: A variety of tools are available with differing capabilities and costs; the effort and rigor of the review and retention of the logs will also vary in cost. Windows Event Subscription Guide: https://technet.microsoft.com/en-us/library/cc749183(v=ws.11).aspx.

40. Where feasible, utilize anti-malware software with centralized reporting

Applicable CIS Controls

#8.1: Deploy Automated Endpoint Protection Tools

Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. All malware detection events should be sent to enterprise anti-malware administration tools and event log servers.

Asset Class: Software; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Low

Resource: Vendor specific.

41. Ensure only required ports are open on the system through regular port scans

Applicable CIS Controls

#9.3: Perform Regular Automated Port Scanning

Perform automated port scans on a regular basis against all key servers and compare to a known effective baseline. If a change that is not listed on the organization’s approved baseline is discovered, an alert should be generated and reviewed.

#9.1: Limit Open Ports, Protocols, and Services

Ensure that only ports, protocols, and services with validated business needs are running on each system.

Asset Class: Software; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Low; Ongoing Maint. Cost: Low

Resource: Checkable by CIS-CAT and other SCAP-validated tools (https://nvd.nist.gov/scap/validated-tools), and by other network scanning tools such as Nmap.
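An added example (not part of the handbook) of the baseline comparison that control #9.3 describes: it parses Nmap grepable (-oG) output and reports every open TCP port, or host, that the approved baseline does not list, plus baseline ports that are no longer open. The hosts, ports and scan output are constructed sample values for the example.

```python
"""Compare an automated port scan against an approved baseline.

Added example, not CIS or Nmap code. The scan output below is constructed
in Nmap's grepable (-oG) format; point parse_grepable() at a real -oG file
to use it against key servers.
"""
import re
from typing import Dict, List, Set

# Approved baseline: the TCP ports each key server is allowed to expose.
# Addresses and roles are constructed sample values.
BASELINE: Dict[str, Set[int]] = {
    "10.10.1.10": {22, 443},    # election web front end
    "10.10.1.20": {22, 5432},   # results database
    "10.10.1.30": {22},         # jump host
}

# Constructed sample of Nmap -oG output. Real files also carry '#' comment
# lines, which the parser skips. Fields on a Host line are tab-separated.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 10.10.1.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 10.10.1.20 ()\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 3389/open/tcp//ms-wbt-server///
Host: 10.10.1.30 ()\tPorts: 22/filtered/tcp//ssh///
Host: 10.10.1.99 ()\tPorts: 8080/open/tcp//http-proxy///
# Nmap done (constructed sample)
"""

# Matches "<port>/<state>/<protocol>/" at the start of each port entry.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Return {host: set of open TCP ports} from Nmap -oG output."""
    result: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # "Host: 10.10.1.10 ()\tPorts: ...\tIgnored State: ..." -> dict
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        open_ports: Set[int] = set()
        for port, state, proto in PORT_RE.findall(fields.get("Ports", "")):
            if state == "open" and proto == "tcp":
                open_ports.add(int(port))
        result[host] = open_ports   # a host with nothing open still counts as seen
    return result


def compare_to_baseline(scan: Dict[str, Set[int]],
                        baseline: Dict[str, Set[int]]) -> List[str]:
    """Return one alert string per deviation from the approved baseline."""
    alerts: List[str] = []
    for host, ports in sorted(scan.items()):
        if host not in baseline:
            alerts.append(f"{host}: host not in baseline (open: {sorted(ports)})")
            continue
        for p in sorted(ports - baseline[host]):
            alerts.append(f"{host}: unexpected open port {p}")
        for p in sorted(baseline[host] - ports):
            # Not a security exposure, but a baseline service that stopped answering.
            alerts.append(f"{host}: baseline port {p} not open")
    for host in sorted(set(baseline) - set(scan)):
        alerts.append(f"{host}: baseline host not seen in scan")
    return alerts


def scan_alerts(text: str = SAMPLE_SCAN,
                baseline: Dict[str, Set[int]] = BASELINE) -> List[str]:
    """Parse a scan and compare it to the baseline in one call."""
    return compare_to_baseline(parse_grepable(text), baseline)


if __name__ == "__main__":
    for alert in scan_alerts():
        print("ALERT", alert)
```

Each alert is something a reviewer has to adjudicate: either the baseline is updated through change management or the port is closed.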

42. Where feasible, implement host-based firewalls or port filtering tools

Applicable CIS Controls

#9.2: Leverage Host-based Firewalls

Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.

Asset Class: Software; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Medium

Resource: If host-based, this can be verified by CIS-CAT: https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/. Microsoft also provides guidance on implementing firewalls.

43. Verify software updates and the validity of the code base through the use of hashing algorithms and digital signatures where available

Asset Class: Software; Connectedness Class: Network Connected; Priority: Medium; Potential Resistance: No; Upfront Cost: Medium; Ongoing Maint. Cost: Low

Resource: NIST guidance on Software Integrity: https://nvd.nist.gov/800-53/Rev4/control/SI-7. For EAC certified voting systems, System Validation Tools are required which provide a process for validating the hash values on the system versus the trusted build (certified software).
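An added example (not the handbook's code, nor any EAC System Validation Tool) of the hash check this practice calls for: it hashes every file under an install directory with SHA-256 and compares the result to a trusted-build manifest, reporting modified, missing and unexpected files. The file tree and manifest are constructed in a temporary directory; the manifest layout assumed here (digest, two spaces, relative path) is the one sha256sum emits. Verifying the digital signature on the manifest itself is a separate step the block does not perform.

```python
"""Verify an installed file tree against a trusted-build SHA-256 manifest.

Added example, not vendor or EAC code. demo() builds a constructed install
tree with one tampered, one missing and one extra file, then verifies it.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse '<sha256 hex>  <relative path>' lines (sha256sum layout, assumed)."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        expected[rel.strip()] = digest.lower()
    return expected


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root: Path, expected: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare every file under root with the manifest.

    Returns sorted lists of relative paths under the keys 'ok', 'modified',
    'missing' and 'unexpected'. Any entry in 'modified' or 'unexpected' means
    the system does not match the trusted build and must not be used until
    the deviation is explained.
    """
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    actual = {p.relative_to(root).as_posix(): sha256_file(p)
              for p in root.rglob("*") if p.is_file()}
    for rel, digest in expected.items():
        if rel not in actual:
            report["missing"].append(rel)
        elif actual[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    # Files present on the system but absent from the certified build.
    report["unexpected"] = list(set(actual) - set(expected))
    for key in report:
        report[key].sort()
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: trusted build of three files, then three deviations."""
    trusted = {  # constructed file contents standing in for a certified build
        "bin/tabulator": b"trusted tabulator build\n",
        "etc/ballot.cfg": b"contest=1\n",
        "lib/ocr.so": b"constructed library bytes\n",
    }
    manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {rel}"
                         for rel, d in trusted.items())
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in trusted.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        (root / "bin/tabulator").write_bytes(b"tampered\n")       # modified
        (root / "lib/ocr.so").unlink()                              # missing
        (root / "bin/debug_tool").write_bytes(b"not in build\n")   # unexpected
        return verify_tree(root, parse_manifest(manifest))


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10s} {files}")
```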

44. Ensure vendors distribute software packages and updates using secure protocols

Applicable CIS Controls

#3.4: Use Only Secure Channels For Remote System Administration

Perform all remote administration of servers, workstations, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as TLS or IPsec.

Asset Class: Software | Connectedness Class: Network Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
Work with the election software vendors.
45. Maintain a chain of custody for all core devices

Asset Class: Users | Connectedness Class: Network Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
46. All remote connections to the system will use secure protocols (TLS, IPsec)

Applicable CSS Controls

#3.4: Use Only Secure Channels For Remote System Administration

Perform all remote administration of servers, workstations, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as TLS or IPsec.

Asset Class: Users | Connectedness Class: Network Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
CIS-CAT can identify whether secure protocols are configured on consumer-grade operating systems: https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/. Microsoft guidance on securing remote access: https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/.
47. Users will use unique user IDs

Asset Class: Users | Connectedness Class: Network Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
Individual accountability is one of the linchpins of cybersecurity and is essential for auditing events and actions taken on a system. Microsoft resources for managing users: https://msdn.microsoft.com/en-us/library/cc505882.aspx.
48. Use a dedicated machine for administrative tasks to separate day-to-day functions from other security-critical functions (for some components this may not be practical to implement)

Applicable CSS Controls

#5.9: Use Dedicated Administrative Machines

Administrators shall use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be isolated from the organization’s primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.

Asset Class: Users | Connectedness Class: Network Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Medium | Ongoing Maint. Cost: Low
Resource
For some components this may not be practical to implement.
49. Ensure that user activity is logged and monitored for abnormal activities

Applicable CSS Controls

#16.10: Profile User Account Usage And Monitor For Anomalies

Profile each user’s typical account usage by determining normal time-of-day access and access duration. Reports should be generated that indicate users who have logged in during unusual hours or have exceeded their normal login duration. This includes flagging the use of the user’s credentials from a computer other than computers on which the user generally works.

Asset Class: Users | Connectedness Class: Network Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Medium | Ongoing Maint. Cost: Medium
Resource
CIS-CAT can identify these at the consumer grade operating systems and applications: https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/. It is desirable to have a log aggregation or SIEM system in place to aggregate and analyze logs for abnormal behaviors.
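The profiling described in Control 16.10 (normal time-of-day access, normal session duration, and the workstations a user generally works from) can be scripted against exported session logs before a SIEM is in place. The Python below is an added example, not part of the handbook or of any vendor's tooling; the log lines and the "start,end,user,host" record format are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample session records: "<ISO start>,<ISO end>,<user>,<host>".
# The baseline period establishes each user's normal pattern; the review
# period is checked against it.
BASELINE_LOG = """\
2018-10-01T08:05:00,2018-10-01T16:40:00,jdoe,EMS-WS01
2018-10-02T08:12:00,2018-10-02T17:05:00,jdoe,EMS-WS01
2018-10-03T07:58:00,2018-10-03T16:30:00,jdoe,EMS-WS01
2018-10-01T09:00:00,2018-10-01T13:00:00,asmith,EMS-WS02
2018-10-02T09:10:00,2018-10-02T12:45:00,asmith,EMS-WS02
"""

REVIEW_LOG = """\
2018-10-15T08:10:00,2018-10-15T16:50:00,jdoe,EMS-WS01
2018-10-15T23:30:00,2018-10-16T00:15:00,jdoe,EMS-WS01
2018-10-16T09:05:00,2018-10-16T12:30:00,asmith,EMS-WS07
2018-10-16T09:00:00,2018-10-16T20:00:00,asmith,EMS-WS02
"""


def parse_sessions(text):
    """Parse the constructed CSV format into (start, end, user, host) tuples."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, user, host = line.split(",")
        sessions.append((datetime.fromisoformat(start), datetime.fromisoformat(end), user, host))
    return sessions


def build_profiles(sessions):
    """Per user: hours of day normally active, longest normal session, hosts used."""
    profiles = defaultdict(lambda: {"hours": set(), "max_duration": timedelta(0), "hosts": set()})
    for start, end, user, host in sessions:
        p = profiles[user]
        # Record every clock hour the session touched, so 08:05-16:40 covers 8..16.
        t = start.replace(minute=0, second=0, microsecond=0)
        while t <= end:
            p["hours"].add(t.hour)
            t += timedelta(hours=1)
        p["max_duration"] = max(p["max_duration"], end - start)
        p["hosts"].add(host)
    return profiles


def find_anomalies(profiles, sessions, slack=timedelta(hours=1)):
    """Return (user, host, start, reason) for each session outside the user's profile."""
    findings = []
    for start, end, user, host in sessions:
        p = profiles.get(user)  # .get() does not create a default entry
        if p is None:
            findings.append((user, host, start, "no baseline for user"))
            continue
        if start.hour not in p["hours"]:
            findings.append((user, host, start, f"login at unusual hour {start.hour:02d}:00"))
        if end - start > p["max_duration"] + slack:
            findings.append((user, host, start, "session exceeds normal duration"))
        if host not in p["hosts"]:
            findings.append((user, host, start, f"credentials used from unfamiliar host {host}"))
    return findings


def review(baseline_text=BASELINE_LOG, review_text=REVIEW_LOG):
    """Build profiles from the baseline period and flag the review period against them."""
    profiles = build_profiles(parse_sessions(baseline_text))
    return find_anomalies(profiles, parse_sessions(review_text))


if __name__ == "__main__":
    for user, host, start, reason in review():
        print(f"{start:%Y-%m-%d %H:%M} {user:<8} {host:<9} {reason}")
```

On the constructed data this flags the 23:30 login, the session from EMS-WS07, and the 11-hour session, while the ordinary workday session passes.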
50. Regularly review all accounts and disable any account that can’t be associated with a process or owner

Applicable CSS Controls

#16.3: Ensure System Access Is Revoked Upon Employee/Contractor Termination

Establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor. Disabling instead of deleting accounts allows preservation of audit trails.

Asset Class: Users | Connectedness Class: Network Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
Microsoft resources for managing users: https://msdn.microsoft.com/en-us/library/cc505882.aspx.
51. Establish a process for revoking system access immediately upon termination of an employee or contractor

Applicable CSS Controls

#16.3: Ensure System Access Is Revoked Upon Employee/Contractor Termination

Establish and follow a process for revoking system access by disabling accounts immediately upon termination of an employee or contractor. Disabling instead of deleting accounts allows preservation of audit trails.

Asset Class: Users | Connectedness Class: Network Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
NIST resources on the steps involved in the personnel termination process: https://nvd.nist.gov/800-53/Rev4/control/PS-4.
52. Ensure that user credentials are encrypted or hashed on all platforms

Applicable CSS Controls

#16.14: Encrypt/Hash All Authentication Files And Monitor Their Access

Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system.

Asset Class: Users | Connectedness Class: Network Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
CIS-CAT can identify this configuration on consumer-grade operating systems and applications; work with the vendor to verify dedicated election products: https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/.
53. Ensure all workstations and user accounts are logged off after a period of inactivity

Applicable CSS Controls

#16.5: Configure screen locks on systems to limit access to unattended workstations.

Asset Class: Users | Connectedness Class: Network Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
Work with dedicated purpose election system vendors to verify their products. CIS-CAT can identify this configuration on consumer grade operating systems and applications: https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/.
54. Ensure your organization has a documented Acceptable Use policy, which users are aware of, that details the appropriate uses of the system

Asset Class: Users | Connectedness Class: Network Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
55. For data transfers that utilize physical transmission, utilize tamper evident seals on the exterior of the packaging

Applicable CSS Controls

#13.5: Disable Write Capabilities To USB Devices

If there is no business need for supporting such devices, configure systems so that they will not write data to USB tokens or USB hard drives. If such devices are required, enterprise software should be used that can configure systems to allow only specific USB devices (based on serial number or other unique property) to be accessed, and that can automatically encrypt all data placed on such devices. An inventory of all authorized devices must be maintained.

Asset Class: Devices | Connectedness Class: Indirectly Connected | Priority: High | Potential Resistance: No | Upfront Cost: Medium | Ongoing Maint. Cost: Low
Resource
Windows guidance on how to restrict hardware devices: https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Best practice is the use of specially designed USB keys that allow for encryption and device authentication.
56. Disable wireless peripheral access of devices

Applicable CSS Controls

#15.8: Disable Wireless Peripheral Access (i.e. Bluetooth) Unless Required

Disable wireless peripheral access of devices (such as Bluetooth), unless such access is required for a documented business need.

Asset Class: Devices | Connectedness Class: Indirectly Connected | Priority: High | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
Windows guidance on how to restrict hardware devices: https://technet.microsoft.com/en-us/library/cc771759(v=ws.10).aspx. Best practice is the use of specially designed USB keys that allow for encryption and device authentication.
57. Ensure staff are properly trained on cybersecurity and audit procedures, and audit every election in accordance with local, state, and federal guidelines

Asset Class: Process | Connectedness Class: Indirectly Connected | Priority: High | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
Work with appropriate vendors. Review EAC Guidance: https://www.eac.gov/election-officials/election-management-guidelines/.
58. Conduct criminal background checks for all staff, including vendors, consultants and contractors supporting the election process

Asset Class: Process | Connectedness Class: Indirectly Connected | Priority: High | Potential Resistance: No | Upfront Cost: Medium | Ongoing Maint. Cost: Medium
Resource
Examples of this include National Agency Check Criminal History: https://www.gsa.gov/forms-library/basic-national-agency-check-criminal-history.
59. Ensure staff are properly trained in reconciliation procedures for the pollbooks to the voting systems, and reconcile every polling place and voter record in accordance with local, state, and federal guidelines

Asset Class: Process | Connectedness Class: Indirectly Connected | Priority: High | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
60. Store secure baseline configurations on a hardened offline system and securely deploy baseline configurations

Applicable CSS Controls

#3.3: Store Master Images Securely

Store the master images on securely configured servers, validated with integrity checking tools capable of continuous inspection, and change management to ensure that only authorized changes to the images are possible. Alternatively, these master images can be stored in offline machines, air-gapped from the production network, with images copied via secure media to move them between the image storage servers and the production network.

Asset Class: Software | Connectedness Class: Indirectly Connected | Priority: High | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
NIST guidance on Software Integrity: https://nvd.nist.gov/800-53/Rev4/control/SI-7.
61. Work with the vendor to deploy application whitelisting

Applicable CSS Controls

#2.2: Deploy Application Whitelisting

Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist vendors), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.

Asset Class: Software | Connectedness Class: Indirectly Connected | Priority: High | Potential Resistance: Yes | Upfront Cost: Medium | Ongoing Maint. Cost: Low
Resource
NIST guidance on how to implement application whitelisting: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf. You may have to work with the vendors to implement it on their systems.
62. Utilize the most up-to-date and certified version of vendor software

Applicable CSS Controls

#4.5: Use Automated Patch Management And Software Update Tools

Deploy automated patch management tools and software update tools for operating systems and software/applications on all systems for which such tools are available and safe. Patches should be applied to all systems, even systems that are properly air gapped.

#18.1: Use Only Vendor-supported Software

For all acquired application software, check that the version you are using is still supported by the vendor. If not, update to the most current version and install all relevant patches and vendor security recommendations.

Asset Class: Software | Connectedness Class: Indirectly Connected | Priority: High | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Medium
Resource
NIST guidance on Software Integrity: https://nvd.nist.gov/800-53/Rev4/control/SI-7.
63. Utilize write-once media for transferring critical system files and system updates. Where it is not possible to use write-once media, the media should be used one time only (for a single-direction transfer to a single destination device) and then securely disposed of.

Asset Class: Software | Connectedness Class: Indirectly Connected | Priority: High | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
NIST guidance on Media Protection: https://nvd.nist.gov/800-53/Rev4/control/MP-7.
64. Only use the devices for election-related activities

Applicable CSS Controls

#5.9: Use Dedicated Administrative Machines

Administrators shall use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be isolated from the organization’s primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.

Asset Class: Software | Connectedness Class: Indirectly Connected | Priority: High | Potential Resistance: No | Upfront Cost: Medium | Ongoing Maint. Cost: Low
Resource
Review EAC guidance: https://www.eac.gov/election-officials/election-management-guidelines/.
65. Maintain detailed maintenance records of all system components

Asset Class: Users | Connectedness Class: Indirectly Connected | Priority: High | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
Maintenance processes, procedures and recommendations based on NIST: https://nvd.nist.gov/800-53/Rev4/control/MA-2.
66. Limit the number of individuals with administrative access to the platform and remove default credentials

Applicable CSS Controls

#5.1: Minimize And Sparingly Use Administrative Privileges

Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.

Asset Class: Users | Connectedness Class: Indirectly Connected | Priority: High | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
Microsoft resources for managing users: https://msdn.microsoft.com/en-us/library/cc505882.aspx.
67. Utilize tamper evident seals on all external ports that are not required for use

Asset Class: Devices | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
Check to see if vendors have this information as part of their Technical Data Product (TDP). Additional information on tamper evident seals: http://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-03-0269.
68. Ensure that all devices are documented and accounted for throughout their lifecycle

Asset Class: Devices | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
NIST guidance on maintaining hardware inventories: https://nvd.nist.gov/800-53/Rev4/control/CM-8.
69. Establish and follow a rigorous protocol for installing tamper evident seals and verifying their integrity upon removal

Asset Class: Devices | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
Check to see if vendors have this information as part of their Technical Data Product (TDP). Additional information on tamper evident seals: http://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-03-0269.
70. Perform system testing prior to elections (prior to any ballot delivery), such as logic and accuracy testing

Asset Class: Process | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Medium | Ongoing Maint. Cost: Low
Resource
Work with appropriate vendors. Review EAC guidance: https://www.eac.gov/election-officials/election-management-guidelines/.
71. Ensure acceptance testing is done when receiving or installing new or updated software or new devices

Asset Class: Process | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
Work with appropriate vendors. Review EAC guidance: https://www.eac.gov/election-officials/election-management-guidelines/.
72. Conduct mock elections prior to major elections to help eliminate gaps in process and legal areas

Asset Class: Process | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Medium | Ongoing Maint. Cost: Medium
73. Identify and maintain information on network service providers and third-party company contacts with a role in supporting election activities

Applicable CSS Controls

#19.5: Assemble and maintain information on third-party contact information to be used to report a security incident (e.g., maintain an email address of security@organization.com or have a web page http://organization.com/security).

Asset Class: Process | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
74. Implement a change freeze prior to peak election periods for major elections

Asset Class: Process | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
75. Prior to major elections, conduct in-person site audits to verify compliance with security policies and procedures

Asset Class: Process | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Medium | Ongoing Maint. Cost: Medium
76. Verify software updates and the validity of the code base through the use of hashing algorithms and digital signatures where available

Asset Class: Software | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Medium | Ongoing Maint. Cost: Low
Resource
NIST guidance on Software Integrity: https://nvd.nist.gov/800-53/Rev4/control/SI-7. For EAC certified voting systems, System Validation Tools are required which provide a process for validating the hash values on the system versus the trusted build (certified software).
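Practice 43 (network connected) and practice 76 here both come down to the same check the EAC's System Validation Tools perform: hash every file of the installed code base and compare against the trusted build. The Python below is an added illustration of that hash-comparison step, not the handbook's or the EAC's tooling; it assumes a sha256sum-style manifest ("<hex digest>  <relative path>" per line) supplied by the vendor, and the file contents it creates are constructed for the demonstration. Verifying the vendor's digital signature over the manifest itself is a separate step done with the vendor's published key and tooling.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines ("<64 hex chars>  <relative path>") into {path: digest}."""
    trusted = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel_path = line.partition("  ")
        if len(digest) != 64 or not rel_path:
            raise ValueError(f"malformed manifest line: {raw!r}")
        trusted[rel_path.strip()] = digest.lower()
    return trusted


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_hashes(trusted: dict[str, str], observed: dict[str, str]) -> dict[str, list[str]]:
    """Report files that differ from, are missing from, or were never in the trusted build."""
    report = {"mismatched": [], "missing": [], "unexpected": []}
    for rel_path, expected in trusted.items():
        actual = observed.get(rel_path)
        if actual is None:
            report["missing"].append(rel_path)
        elif not hmac.compare_digest(expected, actual):  # constant-time comparison
            report["mismatched"].append(rel_path)
    # Files present on the system but absent from the certified build are a finding too.
    report["unexpected"] = sorted(set(observed) - set(trusted))
    return report


def validates(report: dict[str, list[str]]) -> bool:
    """True only when the installed code base matches the trusted build exactly."""
    return not any(report.values())


def demo_report() -> dict[str, list[str]]:
    """Constructed scenario: a trusted build, then one modified file and one extra file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "tabulator").write_bytes(b"constructed sample binary v1")
        (root / "config.ini").write_bytes(b"[election]\nprecincts=12\n")
        # The manifest is taken from the trusted build before any tampering.
        manifest = "\n".join(f"{digest}  {rel}" for rel, digest in hash_tree(root).items())
        # Simulate an altered configuration and a file that is not part of the certified build.
        (root / "config.ini").write_bytes(b"[election]\nprecincts=13\n")
        (root / "bin" / "extra.dll").write_bytes(b"not in trusted build")
        return compare_hashes(parse_manifest(manifest), hash_tree(root))


if __name__ == "__main__":
    report = demo_report()
    print("validates:", validates(report))
    for kind, paths in report.items():
        for rel_path in paths:
            print(f"{kind:<11} {rel_path}")
```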
77. Ensure the use of unique user IDs

Asset Class: Users | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
Individual accountability is one of the linchpins in cybersecurity and is useful for auditing events and actions taken on a system. Microsoft resources for managing users: https://msdn.microsoft.com/en-us/library/cc505882.aspx.
78. Ensure individuals are only given access to the devices they need for their job

Applicable CSS Controls

#14: Controlled Access Based on the Need to Know

The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.

Asset Class: Users | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
How to implement least privilege within an organization according to NIST: https://nvd.nist.gov/800-53/Rev4/control/AC-6.
79. Maintain a chain of custody for all core devices

Asset Class: Users | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
80. Ensure all workstations and user accounts are logged off after a period of inactivity

Applicable CSS Controls

#16.5: Configure screen locks on systems to limit access to unattended workstations

Asset Class: Users | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
CIS-CAT can identify this configuration on consumer-grade operating systems and applications: https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/. Work with special purpose election system vendors to verify their products.
81. Regularly review all authorized individuals and disable any account that can’t be associated with a process or owner

Asset Class: Users | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Medium | Ongoing Maint. Cost: Medium
Resource
Microsoft resources for managing users: https://msdn.microsoft.com/en-us/library/cc505882.aspx.
82. Ensure your organization has a documented Acceptable Use policy, which users are aware of, that details the appropriate uses of the system

Asset Class: Users | Connectedness Class: Indirectly Connected | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
83. Use secure protocols for all remote connections to the system (TLS, IPsec)

Applicable CSS Controls

#3.4: Use Only Secure Channels For Remote System Administration

Perform all remote administration of servers, workstations, network devices, and similar equipment over secure channels. Protocols such as telnet, VNC, RDP, or others that do not actively support strong encryption should only be used if they are performed over a secondary encryption channel, such as TLS or IPsec.

Asset Class: Transmission | Priority: High | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
CIS-CAT can identify whether secure protocols are configured for common operating systems and applications: https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/. Microsoft guidance on securing remote access: https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro/.
84. Ensure critical data is encrypted and digitally signed

Applicable CSS Controls

#13.2: Deploy Hard Drive Encryption Software

Deploy approved hard drive encryption software to mobile devices and systems that hold sensitive data.

Asset Class: Transmission | Priority: High | Potential Resistance: No | Upfront Cost: Medium | Ongoing Maint. Cost: Medium
Resource
Work with appropriate vendors. Additionally, see Microsoft’s How to Set Event Log Security: https://support.microsoft.com/en-us/help/323076/how-to-set-event-log-security-locally-or-by-using-group-policy.
85. Ensure the use of bidirectional authentication to establish trust between the sender and receiver

Asset Class: Transmission | Priority: Medium | Potential Resistance: No | Upfront Cost: Medium | Ongoing Maint. Cost: Low
86. For data transfers that utilize physical transmission, utilize tamper evident seals on the exterior of the packaging

Asset Class: Transmission | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
Check to see if vendors have this information as part of their product offerings. Additionally see information on tamper evident seals: http://permalink.lanl.gov/object/tr?what=info:lanl-repo/lareport/LA-UR-03-0269.
87. Conduct criminal background checks for all staff, including vendors, consultants and contractors supporting the election process

Asset Class: Transmission | Priority: Medium | Potential Resistance: No | Upfront Cost: Medium | Ongoing Maint. Cost: Medium
Resource
Examples of this include National Agency Check Criminal History: https://www.gsa.gov/forms-library/basic-national-agency-check-criminal-history.
88. Track all hardware assets used for transferring data throughout their lifecycle

Asset Class: Transmission | Priority: Medium | Potential Resistance: No | Upfront Cost: Low | Ongoing Maint. Cost: Low
Resource
NIST guidance on maintaining hardware inventories: https://nvd.nist.gov/800-53/Rev4/control/CM-8.