(1) Election security practices performed at county election offices shall be annually assessed based on controls derived from one of the following frameworks that detail security best practices for mitigating security risks to an organization:
- (a) the National Institute of Standards and Technology's "Framework for Improving Critical Infrastructure Cybersecurity," Version 2.0, published February 26, 2024, found at https://www.nist.gov;
- (b) the National Institute of Standards and Technology's Special Publication 800-53 Revision 5 titled "Security and Privacy Controls for Information Systems and Organizations," published December 10, 2020, found at https://www.nist.gov;
- (c) the Center for Internet Security's "CIS Critical Security Controls," Version 8, published May 2021, found at https://www.cisecurity.org; or
- (d) the Center for Internet Security's "Essential Guide to Election Security," version 1.4.1, published September 29, 2023, found at https://essentialguide.docs.cisecurity.org/.
(2) Assessments shall be performed according to the following schedule:
- (a) at least once every three years, the security assessment shall be performed by an independent, third-party, and qualified assessor; and
- (b) during all other years, the security assessments may be performed using a self-assessment.
- (3) County election administrators shall maintain storage of security assessment results according to the local government records retention schedule.
- (4) County election administrators shall provide the results of the third-party assessments to the Secretary of State in January of each calendar year. The results provided to the Secretary of State will include a management description detailing the controls assessed and the effectiveness of each control. The management description shall include the name and qualification of the assessor including their security credential's verification, certification, or identification number.
- (5) Security assessments are considered confidential information as defined in 2-6-1002(1), MCA. Security assessment results and supporting security information are prohibited from disclosure to the public.
Authorizing statute(s): 13-1-205, MCA
Implementing statute(s): 13-1-205, MCA
History: NEW, 2022 MAR p. 1089, Eff. 6/25/22; AMD, 2024 MAR p. 285, Eff. 2/10/24; AMD, 2025 MAR, Notice No. 2025-256, Eff. 11/22/25.