House File 2250 - Introduced

HOUSE FILE 2250
BY MASCHER

A BILL FOR

An Act relating to election systems security.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 6053YH (2) 88
ss/jh

Section 1. ELECTION SYSTEMS SECURITY.

1. The state commissioner of elections shall adopt rules requiring each county commissioner of elections to do all of the following:

a. Become or remain a member of the election infrastructure information sharing and analysis center.

b. Use the following services provided by the United States department of homeland security:

(1) Phishing campaign assessment.
(2) Vulnerability scanning.
(3) Risk and vulnerability assessment.
(4) Remote penetration testing.
(5) Validated architectural design review.
(6) Cyber threat hunt.
(7) Tabletop exercise.
(8) Physical security assessment.

c. Review the elections infrastructure playbook of the center for internet security and create an elections infrastructure security assessment.

d. Use transport layer security or secure socket layer certificates for all publicly facing and internal web-based applications.

e. Consider participating in the cloudflare athenian project.

f. Consider using google project shield.

g. Use a domain name ending in “.gov” or “.us” for each elections-related internet site and all elections-related official electronic mail communications.

h. Conduct annual training on election cybersecurity and physical security.

i. Require each employee, vendor, and contractor that performs services that require access to personal information relates to computer networks, information systems, databases, or secure facilities of the commissioner or the state commissioner of elections under circumstances that would permit modifications to such systems, or involve unsupervised access to secure facilities, to undergo a criminal background check.

j. Comply with the center for internet security guide for ensuring security in elections technical procurements.

k. Use domain-based message authentication, reporting, and conformance to prevent electronic mail spoofing.

2. The state commissioner of elections shall do all of the following:

a. Ensure that all computers used by the state commissioner of elections and employees are fully updated.

b. Modernize the software used to operate the statewide voter registration database.

c. Implement multifactor authentication for all web-based applications available to election officials.

d. Provide albert intrusion detection devices to all counties that do not currently use such a device or a substantially similar device.

e. Provide security information and event management services for elections-related computer and network systems.

Sec. 2. IMPLEMENTATION OF ACT. Section 25B.2, subsection 3, shall not apply to this Act.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to election systems security. The bill requires the state commissioner of elections to adopt rules requiring county commissioners of elections to take certain actions relating to election security, including using services provided by the United States department of homeland security, using certain third-party security services and guides, and requiring background checks for certain employees and contractors.

The bill requires the state commissioner of elections to ensure that all computers used by the state commissioner of elections and employees are fully updated, modernize the software used to operate the statewide voter registration database, implement multifactor authentication for all web-based applications available to election officials, provide albert intrusion detection devices to all counties that do not currently use such a device or a substantially similar device, and provide security information and event management services for elections-related computer and network systems.

The bill may include a state mandate as defined in Code section 25B.3. The bill makes inapplicable Code section 25B.2, subsection 3, which would relieve a political subdivision from complying with a state mandate if funding for the cost of the state mandate is not provided or specified. Therefore, political subdivisions are required to comply with any state mandate included in the bill.