Implementation of Cyber Security Requirements for Local Boards of Elections

3/31/21 N.Y. St. Reg. SBE-13-21-00015-P
NEW YORK STATE REGISTER
VOLUME XLIII, ISSUE 13
March 31, 2021
RULE MAKING ACTIVITIES
STATE BOARD OF ELECTIONS
PROPOSED RULE MAKING
NO HEARING(S) SCHEDULED
 
I.D. No. SBE-13-21-00015-P
Implementation of Cyber Security Requirements for Local Boards of Elections
PURSUANT TO THE PROVISIONS OF THE State Administrative Procedure Act, NOTICE is hereby given of the following proposed rule:
Proposed Action:
Addition of Part 6220 to Title 9 NYCRR.
Statutory authority:
Election Law, sections 3-103(1), 5-614(1) and 3-102(17)
Subject:
Implementation of Cyber Security Requirements for Local Boards of Elections.
Purpose:
Requires that every county board of elections adhere to a minimum level of cyber-security standards.
Substance of proposed rule (Full text is posted at the following State website: https://www.elections.ny.gov/NYSBOE/download/law/Part6220_ElectionsCyberReg.pdf):
The New York State Board of Elections (State Board) has been closely monitoring the ever-growing threat posed to information and elections systems by nation-states, terrorist organizations and independent criminal actors. In order to preserve and protect the local and statewide election system, the Information Technology Unit of the State Board has determined that counties must adhere to a minimum level of security standards. Such standards have been reduced to proposed rules. Notably, these rules do not apply to voting systems, which already have security standards under 9 NYCRR 6210.11; rather, these standards apply to the other data assets and information systems maintained by the boards.
The proposed rules require that each county board of elections establish a cyber security program that includes certain elements to ensure data assets and information systems are protected from cyber threats or attacks. The elements the cyber security program must have include plans, methods, and standards to deal with: data classification; asset inventory; patch management; vulnerability scanning; backups of election data; restoration of data; network segmentation; multi-factor authentication; credential management; remote access; incident response; continuity of operations; email/web protections; third party risk management; removable media; and security awareness training. County boards of elections must also maintain membership in the Center for Internet Security’s Elections Infrastructure Information Sharing and Analysis Center.
Text of proposed rule and any required statements and analyses may be obtained from:
Nicholas Cartagena, Esq., State Board of Elections, 40 North Pearl Street, Ste. 5, Albany, NY 12207-2729, (518) 474-2063, email: [email protected]
Data, views or arguments may be submitted to:
Same as above.
Public comment will be received until:
60 days after publication of this notice.
Regulatory Impact Statement
1. Statutory authority: Election Law §§ 3-103(1) and 5-614(1) provide that the State Board shall set security standards for the county and state's elections systems. Election Law § 3-102(17) authorizes the State Board of Elections to “perform such other acts as may be necessary to carry out the purposes of this chapter.”
2. Legislative objectives: The legislative objective furthered by the proposed regulation is to ensure local and statewide election systems have adequate protection against cyber theft or attacks.
3. Needs and benefits: Election Law § 3-103(1) provides that: "(t)he state board of elections shall promulgate rules and regulations setting minimum standards for computerized record keeping systems maintained by county boards of elections." Experience from the past four years has revealed that this country's election infrastructure is under constant threat from cyberattacks from outside groups and countries. One of the biggest challenges faced by local boards of elections is to focus limited resources to obtain the greatest return related to risk reduction efforts. After a detailed survey related to cyber security from each county board of elections, including input and remediation plans from such county boards, the state board of elections determined that regulations were required to ensure that local county boards focus their limited resources to better protect New York's election infrastructure, consistent with section 3-103 of the Election Law. The proposed rules ensure that each county board of elections implements a cyber security program that will maintain standards that are necessary to protect New York's election infrastructure from cyber threats or attacks. These standards are considered best industry standards by leading cyber security experts.
4. Costs: As stated above, a detailed survey from each county board of elections related to cyber security was conducted, which included input and remediation plans from county boards of elections, which assisted the State Board in estimating costs of these rules. Costs may vary based on the data assets and information systems maintained by the county boards of elections. Many of the requirements under these rules are IT industry standards, such as patch management; vulnerability scanning; asset inventory; and multi-factor authentication. Costs to counties will depend upon the salaries of the employees responsible for maintaining the counties' information technology infrastructure. To mitigate these costs, counties have, and will continue to receive, federal and state funds dedicated to combat cyber threats against New York's election systems. Once the program is implemented, the cost of maintaining the program would be nominal, as activities required are considered standard IT industry practices.
5. Local government mandates: The proposed rules require county boards of elections to implement a cyber security program to ensure that adequate standards are being applied in the protection of New York's election system against cyber threats or attacks.
6. Paperwork: This proposed rule requires county boards of elections to certify that they have complied with the requirements outlined in the proposed rule.
7. Duplication: There is no jurisdictional duplication created by this rulemaking.
8. Alternatives: The alternative is to have no standards in relation to cyber security for local boards of elections; however, that could lead to vulnerabilities in New York's election system. Notably, much of the county board's election system is integrated with the statewide system; meaning, if one county is vulnerable, then the entire state is vulnerable. If a cyber-attack occurred on a county board's election system, or even, at a minimum, a board's website, it could lead to a decrease in the confidence of New York's election system, compromising the very underpinnings of our democracy.
9. Federal standards: Not applicable.
10. Compliance schedule: The rule provides that a county board of elections must certify compliance with cyber security standards annually, no later than August 1st of each year.
Regulatory Flexibility Analysis
1. Effect of rule: There is no impact on small businesses due to this rule. This rule will have an impact on local governments. The proposed rules require county boards of elections to implement a cyber security program to ensure that adequate standards are being applied in the protection of New York's election system against cyber threats or attacks. There are 58 local county boards of elections, with New York City having a board of elections comprising all of New York City; and each remaining county having its own county board of elections.
2. Compliance requirements: This proposed rule requires county boards of elections to certify that they have complied with the requirements outlined in the proposed rule. The proposed rules require that each county board of elections establish a cyber security program that includes certain elements to ensure data assets and information systems are protected from cyber threats or attacks. The elements the cyber security program must have include plans, methods, and standards to deal with: data classification; asset inventory; patch management; vulnerability scanning; backups of election data; restoration of data; network segmentation; multi-factor authentication; credential management; remote access; incident response; continuity of operations; email/web protections; third party risk management; removable media; and security awareness training. County boards of elections must also maintain membership in the Center for Internet Security’s Elections Infrastructure Information Sharing and Analysis Center. This rule has no impact on small businesses.
3. Professional services: In a recent cyber security assessment, some counties have indicated, via their Remediation Plans, the need to utilize professional services to implement some requirements; however, these counties are eligible for reimbursement (up to their limits) via the Remediation Grant.
4. Compliance costs: As stated in the Regulatory Impact Statement, a detailed survey from each county board of elections related to cyber security was conducted, which included input and remediation plans from county boards of elections, which assisted the State Board in estimating costs of these rules. Costs may vary based on the data assets and information systems maintained by the county boards of elections. Many of the requirements under these rules are IT industry standards, such as patch management; vulnerability scanning; asset inventory; and multi-factor authentication. Costs to counties will depend upon the salaries of the employees responsible for maintaining the counties' information technology infrastructure. To mitigate these costs, in some circumstances, some counties may have access to cybersecurity remediation funds. Once the program is implemented, the cost of maintaining the program would be nominal, as activities required are considered standard IT industry practices.
5. Economic and technological feasibility: Our assessment of the economic and technological feasibility of compliance is that certain counties will, at some point, require an upgrade in software or information system hardware; however, many of these costs will be mitigated by state and federal funding.
6. Minimizing adverse impact: To mitigate these costs, in some circumstances, some counties may have access to cybersecurity remediation funds.
7. Small business and local government participation: The State Board of Elections has advised and worked with affected counties regarding these requirements. The State Board will continue to work with counties, and seek their input, during the rule making process.
8. For rules that either establish or modify a violation or penalties associated with a violation: Not applicable.
9. Initial review of the rule, pursuant to SAPA § 207: Initial review of this regulation shall occur no later than the third calendar year in which it is adopted.
Rural Area Flexibility Analysis
Effect on Rural Areas:
Rural areas are defined as counties with a population less than 200,000 and, for counties with a population greater than 200,000, includes towns with population densities of 150 persons or less per square mile. The following 44 counties have a population less than 200,000:
Allegany County       Greene County         Schoharie County
Cattaraugus County    Hamilton County       Schuyler County
Cayuga County         Herkimer County       Seneca County
Chautauqua County     Jefferson County      St. Lawrence County
Chemung County        Lewis County          Steuben County
Chenango County       Livingston County     Sullivan County
Clinton County        Madison County        Tioga County
Columbia County       Montgomery County     Tompkins County
Cortland County       Ontario County        Ulster County
Delaware County       Orleans County        Warren County
Essex County          Oswego County         Washington County
Franklin County       Otsego County         Wayne County
Fulton County         Putnam County         Wyoming County
Genesee County        Rensselaer County     Yates County
Schenectady County
The following 9 counties have certain townships with population densities of 150 persons or less per square mile:
Albany County         Monroe County         Orange County
Broome County         Niagara County        Saratoga County
Dutchess County       Oneida County         Suffolk County
Erie County           Onondaga County
Reporting, Recordkeeping and other Compliance Requirements; and Professional Services:
This proposed rule requires county boards of elections to certify that they have complied with the requirements outlined in the proposed rule. The proposed rules require that each county board of elections establish a cyber security program that includes certain elements to ensure data assets and information systems are protected from cyber threats or attacks. The elements the cyber security program must have include plans, methods, and standards to deal with: data classification; asset inventory; patch management; vulnerability scanning; backups of election data; restoration of data; network segmentation; multi-factor authentication; credential management; remote access; incident response; continuity of operations; email/web protections; third party risk management; removable media; and security awareness training. County boards of elections must also maintain membership in the Center for Internet Security’s Elections Infrastructure Information Sharing and Analysis Center.
Costs:
Costs may vary based on the data assets and information systems maintained by the county boards of elections. Many of the requirements under these rules are IT industry standards, such as patch management; vulnerability scanning; asset inventory; and multi-factor authentication. Costs to counties will depend upon the salaries of the employees responsible for maintaining the counties' information technology infrastructure.
Minimizing Adverse Impact:
To mitigate these costs, counties have, and will continue to receive, federal and state funds dedicated to combat cyber threats against New York's election systems.
Rural Area Participation:
The State Board of Elections has advised and worked with affected counties regarding these requirements. The State Board will continue to work with counties, and seek their input, during the rule making process.
Job Impact Statement
1. Nature of impact: This rule should have minimal or no impact on jobs as the rule relates to implementing cyber security protocols which should be able to be performed by existing county staff.
2. Categories and numbers affected: This rule will impact local county boards of elections. This rule will not create employment opportunities.
3. Regions of adverse impact: This rule has statewide applicability, and has no disproportionate adverse impact on jobs or employment opportunities in any region.
4. Minimizing adverse impact: The State Board of Elections has not taken any measures to minimize adverse impact on existing jobs or promote the development of new employment opportunities because the State Board of Elections has determined this rule would not have an adverse impact on jobs.
5. Self-employment opportunities: Not applicable.
6. Initial review of the rule, pursuant to SAPA § 207: Not applicable.