- (a) Any person who has directly or indirectly obtained voter registration information from a source agency must exercise due diligence in maintaining and securing the voter registration information in order to reduce the risk of information exposure and/or breach.
(b) Any person who has directly or indirectly obtained voter registration information from a source agency shall:
- (1) Use a strong and unique password (“strong password hygiene”) per account with access to the voter registration information or privileges to grant access.
(2) Apply security best practices, which includes the following:
- (A) Obtain training on security awareness to avoid social engineering and phishing attacks.
- (B) Practice the principles of “least privilege” By restricting user access to the minimum need based on users' job necessity.
- (C) Ensure user accounts are logged off or the session is locked after a period of inactivity, which shall be no more than 15 minutes.
- (D) Remove, deactivate, or disable accounts or default credentials.
- (E) Erase or wipe voter registration information that is no longer needed for its retention and sanitized following National Institute of Standards and Technology (NIST) 800-88 Guidelines for media sanitization.
- (F) Restrict physical access by not leaving your computer in places unlocked and unattended.
- (G) Limit the use of portable devices. If a portable device is used, strong storage encryption procedures must be applied utilizing Federal Information Processing Standards (FIPS) 197, commonly referred to as “Advanced Encryption Standard” or “AES.”
- (H) Use wireless technology securely with Wi-Fi Protected Access 2 (WPA2) or better.
(c) In addition to the requirements set forth in (b) above, any vendor shall:
(1) Apply additional security best practices, which include the following:
- (A) Use strong identity and access management, preferring multi-factor authentication for any and all privilege accounts and/or accounts with access to voter registration data.
- (B) Initiate an account lockout after a pre-defined number of failed attempts, no more than 10. Any automated account unlock actions must wait no less than 30 minutes from the lockout event.
- (C) Force password changes on a pre-defined basis, but not less than 365 days.
- (D) Backups of voter registration information shall be securely stored separately and utilizing FIPS 197 encryption at rest.
(2) Implement security log management, which includes the following:
(A) Enable logging on all systems and network devices with sufficient information collection that answers the following:
- (i) What activity was performed?
- (ii) Who or what performed the activity, including where or on what system the activity was performed?
- (iii) What activity was the action performed on?
- (iv) What tool(s) were used to perform or performed the activity?
- (v) What was the status, outcome, or results of the activity?
- (B) Review log(s) regularly for any errors, abnormal activities and any system configuration changes.
- (C) Securely store log files separately from the systems monitored, archived, and protect from unauthorized modification, access, or destruction.
- (D) Use log monitoring tools to send real-time alerts and notifications.
- (E) Utilize multiple synchronized United States-based time sources.
(3) Employ system hardening techniques, which include the following:
- (A) Update and install all firmware and patches from a trusted and verifiable source.
- (B) Use only the most up-to-date and certified version of vendor software.
- (C) Install and maintain active malware and anti-virus software.
- (D) Implement firewalls, also known as host-based firewalls, and/or port filtering tools with host-based intrusion protection services.
- (E) Encrypt voter registration information using FIPS 197 at rest.
- (F) Encrypt voter registration information in transit such as Transport Layer Security (TLS) 1.2 or better with a valid certificate and certificate chain.
- (G) Do not use self-signed certificates.
- (H) Conduct regular vulnerability scanning and testing for known or unknown weaknesses.
- (I) Use application whitelisting on all endpoints and systems.
Note: Authority cited: Section 2188.2, Elections Code; and Sections 6254.4 and 12172.5, Government Code. Reference: Sections 2188 and 2194, Elections Code.
History
1. New section filed 5-11-2022; operative 7-1-2022. Transmission deadline specified in Government Code section 11346.4(b) extended 60 calendar days pursuant to Executive Order N-40-20 and an additional 60 calendar days pursuant to Executive Order N-71-20 (Register 2022, No. 19).