Elections technology security, ch 29
SECRETARY OF STATE
Adopted and Filed
Rule making related to elections technology security
The Secretary of State hereby adopts new Chapter 29, "Elections Technology Security," Iowa Administrative Code.
Legal Authority for Rule Making
This rule making is adopted under the authority provided in Iowa Code section 47.7.
State or Federal Law Implemented
This rule making implements, in whole or in part, Iowa Code section 47.7.
Purpose and Summary
New Chapter 29 requires that all users authorized to access the statewide voter registration database (I-Voters) undergo annual security training. Chapter 29 further requires that county elections officials immediately report any breaches or cybersecurity incidents to the Secretary of State for escalation to appropriate state and federal entities.
Public Comment and Changes to Rule Making
Notice of Intended Action for this rule making was published in the Iowa Administrative Bulletin on August 1, 2018, as ARC 3914C. Emails were received from county elections personnel for approval of their security training vendors. No changes from the Notice have been made.
Adoption of Rule Making
This rule making was adopted by the Secretary of State on September 24, 2018.
This rule making has no fiscal impact to the State of Iowa.
After analysis and review of this rule making, no impact on jobs has been found.
Any person who believes that the application of the discretionary provisions of this rule making would result in hardship or injustice to that person may petition the Secretary of State for a waiver of the discretionary provisions, if any, pursuant to 721—Chapter 10.
Review by Administrative Rules Review Committee
The Administrative Rules Review Committee, a bipartisan legislative committee which oversees rule making by executive branch agencies, may, on its own motion or on written request by any individual or group, review this rule making at its regular monthly meeting or at a special meeting. The Committee's meetings are open to the public, and interested persons may be heard as provided in Iowa Code section 17A.8(6).
This rule making will become effective on November 28, 2018.
The following rule-making action is adopted:
Adopt the following new 721—Chapter 29:
ELECTIONS TECHNOLOGY SECURITY
721—29.1(47) Definitions. The following definitions are adopted.
"Breach" means a compromise of security processes that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected information.
"Commissioner" means the county commissioner of elections as defined in Iowa Code chapter 47.
"Cybersecurity" means the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure their availability, integrity, authentication, confidentiality, and nonrepudiation.
"Elections technology" means the statewide voter registration database, voting system, electronic poll books, and other technologies used to register, maintain, or process voters or conduct any election. For purposes of this rule, these terms shall have the definitions as described in the administrative rules of the secretary of state.
"Encryption" means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.
"Incident" means an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
"I-Voters" means the statewide voter registration database.
"Office of the chief information officer" or "OCIO" means the state chief information officer.
"Registrar" means the county commissioner of registration as defined in Iowa Code section 48A.3.
"State commissioner" means the state commissioner of elections as described in Iowa Code chapter 47.
"State registrar" means the state registrar of voters as defined in Iowa Code chapter 48A.
"User" means anyone from the state registrar or county registrar or approved third-party vendor who accesses I-Voters.
721—29.2(47) Cybersecurity training.
29.2(1) All users who access the I-Voters database must complete annual training programs on principles of cybersecurity. Upon completion of the training, a user shall transmit proof of completion to the state registrar. The state registrar shall maintain a list of approved training programs on the secretary of state's website. The state registrar shall consult with the OCIO or the federal Election Assistance Commission before adding trainings to the list of approved programs. If requested by the office of the chief information officer, the federal Election Assistance Commission, or a county registrar, the state registrar may review and add recommended cybersecurity training programs to the approved list.
29.2(2) The state registrar may disable any user account if the user does not complete the training within 30 days of access granted, or on the anniversary date set by the state registrar.
29.2(3) The state registrar may temporarily waive this requirement for any user if the state registrar believes it is necessary to the execution of the election.
721—29.3(47) Cybersecurity incident or breach.
29.3(1) A commissioner who identifies or suspects an actual or possible cybersecurity incident or breach shall immediately report the incident to the state commissioner. Upon receiving the report, the state commissioner shall alert the appropriate state or federal law enforcement agencies, the federal Department of Homeland Security, the OCIO, and the vendor responsible for maintaining the affected technology. The state commissioner may disseminate the information to other agencies as the state commissioner deems necessary.
29.3(2) Information reported to the state commissioner under this rule shall be exempt from public records requests pursuant to Iowa Code section 22.7(50).
29.3(3) Nothing in this rule prohibits a commissioner from alerting local law enforcement prior to contacting the state commissioner in the event of an incident or breach.
These rules are intended to implement Iowa Code section 47.7(2).
[Filed 10/1/18, effective 11/28/18]
Editor's Note: For replacement pages for IAC, see IAC Supplement 10/24/18.