Part 1: Introduction
Computer hardware, software, and services are essential for election operations. In nearly all election jurisdictions, much of the hardware, software, and services that underpin our elections—from voter registration and election management systems to pollbooks and vote capture devices—is procured from private vendors. Even simple public-facing websites may be procured, and their security—or lack thereof—may have consequences for elections. The industry partners from which information technology (IT) is procured play a critical role in managing the security risks inherent in elections. Understanding and properly managing security expectations in the procurement process can have a substantial impact on the success of the election process.
About This Guide
Election officials have limited resources, and procurements often have long lead times. Election officials are typically left with tight windows between elections that move forward regardless of procurement and implementation schedules. Therefore, improving outcomes in the procurement process can have outsized impacts on the security of administering elections. The Center for Internet Security® (CIS®) developed this guide benefiting from input and feedback from state and local government, federal government, academic, and commercial stakeholders. It provides model procurement language that election officials can use to communicate their security priorities, better understand vendor security procedures, and facilitate a more precise cybersecurity dialogue with the private sector. The goal is to impact and improve the security of election infrastructure by providing a set of specific security best practices for IT procurements in elections that complement the CIS publication, A Handbook for Elections Infrastructure Security, and other CIS best practices work.
Audience
This guide is intended for a nontechnical audience, including election officials, their staffs, and procurement officials, but may also be instructive for technical members of election teams. Vendors may find this information useful to help understand how state and local election organizations will construct and evaluate their procurements.
Structure
This guide is divided into these six main sections and two appendices, along with two online tools that will accompany the traditional document:
- The Introduction includes “About This Guide” and “Audience”, and provides an overview of the motivation for the guide and how to use it.
- Security Risk in Election Technology Procurement briefly describes assessing and managing security risk in election systems.
- The Procurement Process broadly describes the relationships between an election office, a procurement office, and state and local IT departments. This section provides some suggestions regarding governance that could help improve procurement outcomes.
- IT Product and Services Lifecycle describes product purchase and support, system development and maintenance (including updates and patching), as well as services effort lifecycles showing that the work of securing a procurement neither starts nor ends with the procurement itself.
- Cybersecurity Beyond Procurement describes the relationship between best practices in procurement and other practices and processes that should exist to provide assurance in the election security lifecycle.
- Best Practices for Cybersecurity in IT Procurement is a set of best practices that election officials can put into requests for proposals and other procurement documents.
- Appendix A—Resources for Procurement and Related Information: Links to procurement opportunities, training, and other useful information related to election procurement.
- Appendix B—Primer on the IT Procurement Process: Description of the typical IT procurement process applicable across a range of organizations.
- Online Tools
  - Elections Infrastructure Procurement Best Practice Tool: A web tool that allows filtering and exporting of the best practices in this document so that election officials can tailor the list to any given procurement.
  - State IT buying guides and related information (coming soon): A set of links to individual state procurement and IT buying resources. They may be binding in your state or locality or may just be informational.
Use
This guide includes best practices that election offices can use for planning, developing, and executing procurements. Each best practice has language that can be copied and pasted directly into requests for proposals (RFPs), requests for information (RFIs), and the like. The best practices also include descriptions of good and bad responses, tips, and helpful references and links. In addition to the best practices, the earlier sections of this guide (on the procurement process, the IT procurement lifecycle, and cybersecurity beyond procurement) contain valuable information to improve your general knowledge and to be used as a reference. While many of the best practices are derived from real-world procurements, those interested in reviewing language from procurement materials should consult the U.S. Election Assistance Commission (EAC) Voting Technology Procurement clearinghouse.