Montana Regulations § 44.3.2902 ANNUAL SECURITY ASSESSMENTS
Regulation Text
(1) Election security practices performed at county election offices shall be annually assessed based on controls derived from one of the following frameworks that detail security best practices for mitigating security risks to an organization:
(a) the National Institute of Standards and Technology's "Framework for Improving Critical Infrastructure Cybersecurity," Version 1.1, published April 16, 2018, found at https://www.nist.gov;
(b) the National Institute of Standards and Technology's Special Publication 800-53 Revision 5 titled "Security and Privacy Controls for Information Systems and Organizations," published December 10, 2020, found at https://www.nist.gov;
(c) the Center for Internet Security's "CIS Critical Security Controls," Version 8, published May 2021, found at https://www.cisecurity.org; or
(d) the Center for Internet Security's "Essential Guide to Election Security," version 1.4.1, published September 29, 2023, found at https://essentialguide.docs.cisecurity.org/.
(2) Assessments shall be performed according to the following schedule:
(a) at least once every three years, the security assessment shall be performed by an independent, third-party, and qualified assessor; and
(b) during all other years, the security assessments may be performed using a self-assessment conducted through the Nationwide Cybersecurity Review (NCSR) based on requirements as of December 1, 2023, and found at https://www.cisecurity.org/. This tool details the security best practices for mitigating security risks to an organization.
(3) County election administrators shall maintain storage of security assessment results according to the local government records retention schedule.
(4) County election administrators shall provide the results of the third-party assessments to the Secretary of State in January of each calendar year. The results provided to the Secretary of State will include a management description detailing the controls assessed and the effectiveness of each control. The management description shall include the name and qualification of the assessor including their security credential's verification, certification, or identification number.
(5) Security assessments are considered confidential information as defined in 2-6-1002(1), MCA. Security assessment results and supporting security information are prohibited from disclosure to the public.
History
NEW,