×
Why CIS Solutions Join CIS Resources
CIS WorkBench Sign-in CIS WorkBench Sign In CIS Hardened Images CIS Hardened Images Support CIS Support


Why CIS

Who We Are

CIS is an independent, nonprofit organization with a mission to create confidence in the connected world



About Us Leadership Principles Testimonials

Solutions

secure your organization
Secure Your Organization


secure specific platforms
Secure Specific Platforms


cis securesuite CIS SecureSuite® Learn More      Apply Now  
u s state local tribal and territorial governments
U.S. State, Local, Tribal & Territorial Governments


View All Products & Services  

Join CIS

Get Involved

Join CIS as a member, partner, or volunteer - or explore our career opportunities



CIS SecureSuite® Membership Multi-State ISAC (MS-ISAC®) Elections Infrastructure ISAC (EI-ISAC®) CIS CyberMarket® Vendors CIS Communities Careers

Resources

resources
Resources


learn
Learn


filter by topic
Filter by Topic


View All Resources  
CIS Logo Show Search Expand Menu

Election Security Spotlight – Election 2020: Conducting After Action Reviews

What it is

An After Action Review (AAR) is a retrospective analysis performed after an event. AARs are used by election offices to study and improve the effectiveness of their operations or security program following an election, specific incidents, and other periods of elevated threat. The AAR process facilitates communication between leadership and staff through guided conversations and open discussion. AARs are structured into a combination of informal and formal engagements.
Initially, informal debriefs are scheduled with smaller teams directly involved in a recent operation. These are conducted as soon after the event as possible, while memories are fresh, and focus on individual or team performance. Formal AARs compile this information and take more time to complete. They include leadership and teams across an organization and evaluate activities overall. The format of AARs can vary based on the needs of the organization. They are typically conducted in a structured staff meeting and published as a written report.

The key components of an AAR are:

  • Overview: Chronological summary of events, including operational practices.
  • Review actions taken and outstanding needs
  • Identify any affected infrastructure, systems, or processes
  • Strengths: Discussion of methods that worked well, and should continue to be in use.
  • Existing practices that should continue with little to no core modification
  • Improvement: Areas for improvement are identified and changes are suggested.
  • Practices that did not add value, and can be safely discontinued
  • Practices that had a negative impact on operations
  • Identify surprises that were previously unaccounted for in the planning phase.
  • Solutions for issues identified.

Why it matters

Post-election tools like AARs are most helpful in the periods following elections and major incidents. Expanded staff roles and a high volume of activity during
elections may be challenging to process without structured review. AARs can empower you to implement changes that will protect election infrastructure both immediately and in the future. Holding AARs or debriefs across multiple events creates a valuable record of decisions that have been made in the past. Evaluating the change in those decisions allows you to measure growth, evaluate trends, and pose more holistic solutions.
Conducting an AAR can allow you to:

  • Communicate incidents and their impact to stakeholders and partners.
  • Enhance strengths and eliminate pain points in operations.
  • Identify gaps in staff training.
  • Learn from improvised changes to the base plan.
  • Successfully return to baseline operations post-election.
  • Identify and remediate security vulnerabilities.

What you can do

Conduct reviews of election operations, and all major incidents:

  • Evaluate your activities in all environments (physical, cyber, communications) against your initial operations or response plan.
  • Ensure skilled staff and leadership contribute to debriefs and AARs.
  • Separating groups by role may produce the most transparent and fair exchange of ideas, only later including all roles in cumulative meetings.
  • Involve relevant external partners (other election offices, federal partners, and vendors) in AARs and consider sharing after action materials with partner organizations.
  • Review and document actions taken on pertinent intelligence, such as EIISAC Cyber Alerts and CISA/FBI Joint Cybersecurity Advisories.
  • Compile written after action reports and debriefs.
  • Review resources like the Belfer Center’s Election Battle Staff Playbook for best practice recommendations that may address issues identified in the AAR.
  • Create a schedule and commit to implementing changes before the next event.

Transition to baseline operations after peak election periods for major elections.

  • Review and address issues requiring immediate attention as identified in the AAR.
  • Review the corresponding transition action for each of the following election Security best practices in the CIS Handbook for Election Infrastructure Security:
      • Best practice: Implementation of a change freeze prior to peak election periods.
          • Post-Election: Identify and unfreeze systems that have not received software and security updates, or hardware maintenance. Gradually resume normal project schedule and IT operations.
      • Best practice: Ensure logging is enabled on systems, and logs are securely archived.
          • Post-Election: Create fresh backups of system event log archives collected in the weeks before, during, and after the election period. Event logs offer important security insight into the activity on your infrastructure, and you may need to keep that information for use in future investigations.
      •  Best practice: Limit the use and storage of sensitive data.
          • Post-Election: The collection of voter data may have increased during the election period. Protect backup data at the same level as production data, especially if backups contain personally identifiable information (PII). This process may include securely storing information offline, and auditing data to retain only necessary fields.
      • Best practice: Maintain an asset inventory of election infrastructure systems.
          •  Post-Election: Update inventory tracking to reflect any changes to systems location and status. Equipment transported to polling places and returned to storage should be recorded in inventory. The status of new, transferred, and decommissioned machines should be updated.
      •  Best practice: Whitelist IP addresses with critical election functions.
          •  Post-Election: Review temporary additions to whitelists that were the result of adjustments during elections. Remove entries that are no longer necessary to operations.

 

---
Spotlights provide election officials with an overview of common cybersecurity topics, and how they relate to election infrastructure security. Please reach out to elections@cisecurity.org to request a topic.