House File 2250 - Introduced

HOUSE FILE 2250
BY MASCHER

A BILL FOR

An Act relating to election systems security.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 6053YH (2) 88 ss/jh

Section 1. ELECTION SYSTEMS SECURITY.

1. The state commissioner of elections shall adopt rules requiring each county commissioner of elections to do all of the following:

a. Become or remain a member of the election infrastructure information sharing and analysis center.

b. Use the following services provided by the United States department of homeland security:

(1) Phishing campaign assessment.
(2) Vulnerability scanning.
(3) Risk and vulnerability assessment.
(4) Remote penetration testing.
(5) Validated architectural design review.
(6) Cyber threat hunt.
(7) Tabletop exercise.
(8) Physical security assessment.

c. Review the elections infrastructure playbook of the center for internet security and create an elections infrastructure security assessment.

d. Use transport layer security or secure socket layer certificates for all publicly facing and internal web-based applications.

e. Consider participating in the cloudflare athenian project.

f. Consider using google project shield.

g. Use a domain name ending in “.gov” or “.us” for each elections-related internet site and all elections-related official electronic mail communications.

h. Conduct annual training on election cybersecurity and physical security.

i. Require each employee, vendor, and contractor that performs services that require access to personal information relates to computer networks, information systems, databases, or secure facilities of the commissioner or the state commissioner of elections under circumstances that would permit modifications to such systems, or involve unsupervised access to secure facilities, to undergo a criminal background check.

j. Comply with the center for internet security guide for ensuring security in elections technical procurements.

k. Use domain-based message authentication, reporting, and conformance to prevent electronic mail spoofing.

2. The state commissioner of elections shall do all of the following:

a. Ensure that all computers used by the state commissioner of elections and employees are fully updated.

b. Modernize the software used to operate the statewide voter registration database.

c. Implement multifactor authentication for all web-based applications available to election officials.

d. Provide albert intrusion detection devices to all counties that do not currently use such a device or a substantially similar device.

e. Provide security information and event management services for elections-related computer and network systems.

Sec. 2. IMPLEMENTATION OF ACT. Section 25B.2, subsection 3, shall not apply to this Act.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to election systems security. The bill requires the state commissioner of elections to adopt rules requiring county commissioners of elections to take certain actions relating to election security, including using services provided by the United States department of homeland security, using certain third-party security services and guides, and requiring background checks for certain employees and contractors.

The bill requires the state commissioner of elections to ensure that all computers used by the state commissioner of elections and employees are fully updated, modernize the software used to operate the statewide voter registration database, implement multifactor authentication for all web-based applications available to election officials, provide albert intrusion detection devices to all counties that do not currently use such a device or a substantially similar device, and provide security information and event management services for elections-related computer and network systems.

The bill may include a state mandate as defined in Code section 25B.3. The bill makes inapplicable Code section 25B.2, subsection 3, which would relieve a political subdivision from complying with a state mandate if funding for the cost of the state mandate is not provided or specified. Therefore, political subdivisions are required to comply with any state mandate included in the bill.