California Code of Regulations
Title 2 - Administration
Division 7 - Secretary of State
Chapter 1 - Voter Registration
Article 1 - Access to Voter Registration Information
Section 19012 - Requirements for Storage and Security of Voter Registration Information

Universal Citation: 2 CA Code of Regs 19012

Current through Register 2024 Notice Reg. No. 38, September 20, 2024

(a) Any person who has directly or indirectly obtained voter registration information from a source agency must exercise due diligence in maintaining and securing the voter registration information in order to reduce the risk of information exposure and/or breach.

(b) Any person who has directly or indirectly obtained voter registration information from a source agency shall:

(1) Use a strong and unique password ("strong password hygiene") per account with access to the voter registration information or privileges to grant access.

(2) Apply security best practices, which includes the following:

(A) Obtain training on security awareness to avoid social engineering and phishing attacks.

(B) Practice the principles of "least privilege" by restricting user access to the minimum need based on users' job necessity.

(C) Ensure user accounts are logged off or the session is locked after a period of inactivity, which shall be no more than 15 minutes.

(D) Remove, deactivate, or disable accounts or default credentials.

(E) Erase or wipe voter registration information that is no longer needed for its retention and sanitized following National Institute of Standards and Technology (NIST) 800-88 Guidelines for media sanitization.

(F) Restrict physical access by not leaving your computer in places unlocked and unattended.

(G) Limit the use of portable devices. If a portable device is used, strong storage encryption procedures must be applied utilizing Federal Information Processing Standards (FIPS) 197, commonly referred to as "Advanced Encryption Standard" or "AES."

(H) Use wireless technology securely with Wi-Fi Protected Access 2 (WPA2) or better.

(c) In addition to the requirements set forth in (b) above, any vendor shall:

(1) Apply additional security best practices, which include the following:

(A) Use strong identity and access management, preferring multi-factor authentication for any and all privilege accounts and/or accounts with access to voter registration data.

(B) Initiate an account lockout after a pre-defined number of failed attempts, no more than 10. Any automated account unlock actions must wait no less than 30 minutes from the lockout event.

(C) Force password changes on a pre-defined basis, but not less than 365 days.

(D) Backups of voter registration information shall be securely stored separately and utilizing FIPS 197 encryption at rest.

(2) Implement security log management, which includes the following:

(A) Enable logging on all systems and network devices with sufficient information collection that answers the following:

(i) What activity was performed?

(ii) Who or what performed the activity, including where or on what system the activity was performed?

(iii) What activity was the action performed on?

(iv) What tool(s) were used to perform or performed the activity?

(v) What was the status, outcome, or results of the activity?

(B) Review log(s) regularly for any errors, abnormal activities and any system configuration changes.

(C) Securely store log files separately from the systems monitored, archived, and protect from unauthorized modification, access, or destruction.

(D) Use log monitoring tools to send real-time alerts and notifications.

(E) Utilize multiple synchronized United States-based time sources.

(3) Employ system hardening techniques, which include the following:

(A) Update and install all firmware and patches from a trusted and verifiable source.

(B) Use only the most up-to-date and certified version of vendor software.

(C) Install and maintain active malware and anti-virus software.

(D) Implement firewalls, also known as host-based firewalls, and/or port filtering tools with host-based intrusion protection services.

(E) Encrypt voter registration information using FIPS 197 at rest.

(F) Encrypt voter registration information in transit such as Transport Layer Security (TLS) 1.2 or better with a valid certificate and certificate chain.

(G) Do not use self-signed certificates.

(H) Conduct regular vulnerability scanning and testing for known or unknown weaknesses.

(I) Use application whitelisting on all endpoints and systems.

1. New section filed 5-11-2022; operative 7-1-2022. Transmission deadline specified in Government Code section 11346.4(b) extended 60 calendar days pursuant to Executive Order N-40-20 and an additional 60 calendar days pursuant to Executive Order N-71-20 (Register 2022, No. 19).

Note: Authority cited: Section 2188.2, Elections Code; and Sections 6254.4 and 12172.5, Government Code. Reference: Sections 2188 and 2194, Elections Code.
