IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

NIST Releases Draft Guidance on Election Cybersecurity

The National Institute of Standards and Technology (NIST) has released draft guidelines to help local election officials prepare for and respond to cyber threats that could affect elections.

person typing on a laptop with an overlay of a lock indicating cybersecurity
Shutterstock.com
The 2020 election season was full of claims of online interference, and in response the National Institute of Standards and Technology (NIST) published a draft Cybersecurity Framework Election Infrastructure Profile on Monday, March 29, to help local election officials prepare for and respond to cyber threats.

“The guide can help these officials reduce the risk of disruptions to the major tasks they must perform in the process of an election,” according to NIST. “These range from the immediate concerns of an election day, such as vote processing or communicating the details of a problem or crisis, to longer-term efforts, like maintaining election and voter registration systems.”

According to an NIST press release:

“Written in everyday language, the Draft Cybersecurity Framework Election Infrastructure Profile (NISTIR 8310) draws upon the experience of election stakeholders and cybersecurity experts from across the country, offering an approach for securing all elements of election technology.

“‘This is the first time we have looked at the entire election infrastructure and put together a cybersecurity playbook,’ said NIST’s Gema Howell, one of the publication’s authors. 

“The guide applies the principles of the NIST Cybersecurity Framework to election systems. Widely adopted by industry, the framework is not a regulation, but a set of recommended best practices for computer security. NIST has been creating tailored guidance called ‘profiles’ to help particular sectors of society — such as manufacturers — adopt the framework to address their specific needs.”

NIST is asking for public comments/input. To submit comments on the draft, you can email them to NISTIR-8310-comments@nist.gov

To get a sense of the draft document at the high level, here is the table of contents:

1. Introduction

   1.1 Purpose

   1.2 Scope

   1.3 Audience

   1.4 Document Structure

2. Overview of Election Infrastructure

3. Overview of the CSF

4. Profile Development Methodology

5. Election Infrastructure Mission Objectives

6. Summary Framework Category Prioritization

7. Priority Subcategories by Mission Objective

The document also currently offers 37 tables regarding subcategories, appendixes on acronyms, workshop attendees and informative references.   

Media Coverage of the Draft Framework

There has been widespread coverage of this document release. FCW.com wrote:

“The framework takes NIST's pre-existing cybersecurity best practices and applies them to election infrastructure such as polling places, voter registration databases and voting machines.

“‘The guide can help these officials reduce the risk of disruptions to the major tasks they must perform in the process of an election,’ according to NIST. ‘These range from the immediate concerns of an election day, such as vote processing or communicating the details of a problem or crisis, to longer-term efforts, like maintaining election and voter registration systems.’

“The new draft framework is the first time NIST has combined election security and cybersecurity in one of its playbooks, according to one of the authors.” 

GCN.com added:

“A declassified assessment of the 2020 elections by the intelligence community (IC) concluded that foreign adversaries for the most part did not attempt to meddle by hacking, but rather through influence campaigns.

“However, the IC did acknowledge there were some number of successful ‘compromises’ of state and local government networks prior to Election Day as well as many more unsuccessful attempts.”

Bankinfosecurity.com also covered the new NIST release.

According to the draft framework:

“The draft guidelines break down U.S. elections into three areas of risk:

  • Pre-election activities, such as managing voters, processing candidates and contests, preparing voting materials, and preparing voting machines and processing early voting.
  • Election day activities, which include the opening and closing of polling places, the security of the machines and the collection of absentee ballots.
  • Post-election duties, such as publishing unofficial accounts and preparing to certify the election.”
This diagram from the document is helpful to describe the three areas:

nist-election-image-2.jpg


The authors worked with state election officials, the Election Assistance Commission (EAC), the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA), the DHS Election Infrastructure CSF Joint Working Group, and technology developers including voting system manufacturers.

Final Thoughts

I often cover these types of NIST documents after the documents become final. However, in this case, and because I have covered election security for the past five years, I felt it was important to help get the word out now on this new opportunity to provide NIST comments now.  

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.