A Set of Best Practices for Securing Election Technology through Procurement
Computer hardware, software, and other services are essential for election operations. In nearly all election jurisdictions, most of the services that underpin our elections, from voter registration and election management systems to pollbooks and vote tabulation devices, are procured from private vendors. These systems are then often managed by election staff.
While election officials put in a great deal of effort to protect their systems, some of the biggest gains can be made by incorporating the right security best practices into their procurement process to cover project inception through close and transition. Responding to this need, CIS led the development of A Guide for Ensuring Security in Election Procurements and its companion online tool to assist election officials with ensuring security is properly accounted for in their election technology procurements.
Incorporating best practices in procurement
CIS has been a leader in providing cybersecurity best practices for more than a decade. A little more than a year ago, CIS released A Handbook for Election Infrastructure Security, which included 88 best practices that election organizations can implement to improve security outcomes in elections infrastructure.
Following the release of the handbook, many stakeholders in the election community identified an ongoing difficulty of getting quality security outcomes in procurements. This isn’t unique to elections; getting procurement language right is a challenge across every industry.
CIS developed this procurement guide to help with this challenge. CIS worked with a group of election stakeholders from federal, state, and local governments, community associations, and election technology vendors to develop a set of best practices tailored to improving security in election procurements.
Best practices you can use
The procurement process can be cumbersome and is often time consuming and frustrating. Because of long lead times and the risk of sunk costs, procurements can be difficult to manage and very difficult to unwind. This means you must get them right from the start.
There are several goals of having best practices for procurement. Specifically, the best practices aim to help election officials:
- Ask questions about security in a way that will elicit meaningful responses from proposers
- Evaluate responses to separate well-crafted language from truly secure solutions
- Incorporate the right language into contracts to foster quality ongoing contract management
- Increase consistency in vendor expectation, helping to move the market to more secure offerings
To address these goals, the procurement guide provides helpful context for procurement decisions and 33 best practices that cover the categories of people, process, and technology. Each best practice provides suggested RFP language, ideas on how to tell good and bad responses apart, as well as helpful tips. Knowing that not all procurements will demand implementation of all 33 best practices, the guide also attempts to help election officials identify the applicability of each best practice based on the type of system being procured. Of course, every procurement is different and the election official, in consultation with their procurement professionals, will ultimately decide how to best apply the suggestions.
A document…and also a tool
One of the problems with writing guidance like this is that paper and PDFs have limited means of displaying information. You can’t filter or reorder best practices in a printed booklet or PDF, and CIS felt a more flexible presentation was necessary.
Therefore, today we’ve also released a tool that allows filtering and exporting of the best practices. This will allow election officials to tailor the best practices to the type of procurement they are doing, such as a procurement for cloud services for an operationally critical system. Officials can use the exported best practices to copy and paste into requests for proposals, as an evaluation checklist, or however else they see fit.
A word on vendors
Election vendors are a major partner in the election community. We developed the best practices we’re releasing today in concert with the Department of Homeland Security’s Sector Coordinating Council for the Election Infrastructure Subsector and its members to create a product that is mutually beneficial for everyone. While this guidance is intended for election officials, we believe it will also be useful for vendors by helping provide more consistency in what they’re being asked, giving an opportunity for those vendors that are doing a better job of security to more clearly articulate it.
Both the Guide and the Searchable best practices are available on the election resource page of the CIS website. Thank you to all those who helped us develop this important work and we hope the community will find it valuable. Take a look today.