CIS Launches Election Technology Procurement Guide

East Greenbush, NY

May 1, 2019

CIS® (Center for Internet Security, Inc.) announced today the release of A Guide for Ensuring Security in Election Technology Procurements to help election officials understand and navigate the complex election procurement process. The Guide can be found with the rest of the CIS election resources here:  https://www.cisecurity.org/elections-resources/.

CIS led the development of A Guide for Ensuring Security in Election Technology Procurements, and its companion online tool, to assist election officials with ensuring security is properly accounted for in their election technology procurements.

Computer hardware, software, and other services are essential for election operations. In nearly all election jurisdictions, most of the services that underpin our elections—from voter registration and election management systems to pollbooks and vote capture devices—are procured from private vendors. In addition, election officials have limited resources, and procurements often have long lead times.

“Our goal is improving the security of election infrastructure by providing a set of specific security best practices for IT procurements in elections that complement the CIS publication, A Handbook for Elections Infrastructure Security, and other CIS best practices work,” said John Gilligan, CIS President and CEO.

CIS has been a leader in providing cybersecurity best practices for more than a decade. A little more than a year ago, CIS released A Handbook for Elections Infrastructure Security, which includes 88 best practices that election organizations can implement to improve security outcomes in election infrastructure.

Following the release of the Handbook, many stakeholders in the election community identified an ongoing difficulty of getting quality security outcomes in procurements. This isn’t unique to elections; getting procurement language right is a challenge across every industry.

CIS developed A Guide for Ensuring Security in Election Technology Procurements to help with this challenge. CIS worked with a group of election stakeholders from federal, state, and local governments, community associations, and election technology vendors to develop a set of best practices tailored to improving security in election procurements.

There are several goals of having best practices for procurement. Below are some of this new Guide’s suggestions for election officials to help them make elections safer.

  1. Ask questions about security in a way that will elicit meaningful responses from proposers.
  2. Evaluate responses to separate well-crafted language from truly secure solutions.
  3. Incorporate the right language into contracts to foster quality ongoing contract management.
  4. Increase consistency in vendor expectation, helping to move the market to more secure offerings.

To address these goals, A Guide for Ensuring Security in Election Technology Procurements provides helpful context for procurement decisions and 33 best practices that cover the categories of people, process, and technology. Each best practice provides suggested Request for Proposal language, ideas on how to tell good and bad responses apart, as well as helpful tips and other resources.

A Document and Tool

This procurement project includes an online tool that allows filtering and exporting of the best practices. This means election officials can tailor the best practices to the type of procurement they are doing, such as a procurement for cloud services for an operationally critical system. Officials can use the exported best practices to copy and paste into Requests for Proposals, as an evaluation checklist, or however else they see fit.

Funding

This project was made possible through support from the Democracy Fund. The content of this project is the sole responsibility of CIS, and may not reflect the views of the Democracy Fund.

About CIS

CIS (Center for Internet Security, Inc.) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. The CIS Controlsand CIS Benchmarks are the global standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals. Our CIS Hardened Images are virtual machine emulations preconfigured to provide secure, on-demand, and scalable computing environments in the cloud. CIS is home to both the Multi-State Information Sharing & Analysis Center® (MS-ISAC®), the go-to resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing & Analysis Center (EI-ISAC®), which supports the cybersecurity needs of U.S. State, Local, and Territorial election offices. To learn more, visit CISecurity.org or follow us on Twitter: @CISecurity.