STATE OF COLORADO Department of State Wayne W Williams Secretary of State 1700 Broadway Suite 200 Denver CO 80290 Judd Choate Director of Elections 2018 HAVA Grant Funds Program Narrative The Consolidated Appropriations Act of 201 8 provided $380 000 000 in Help America Vote Act HAVA money to improve the administration of US elections Colorado s share ofthis appropriation funded through the Election Assistance Commission EAC is $6 342 979 This narrative lays out how Colorado will use these funds to improve the administration ofa federal election through enhanced technology and security improvements in Colorado s election process under Section 101 of HAVA P L 107-252 the Help America Vote Act of 2002 The Colorado Secretary of State serves as Colorado s Chief Election Official The Department of State s Department mission is to ensure that every eligible Coloradan can register to vote with ease and cast their vote with the confidence that their choices are accurately tallied and that those voting in the election are legally eligible to do so These past several years the Department has expended extraordinary time and resources to protect the Colorado voter registration database SCORE and all other physical and technical election systems and processes The Secretary of State s of ce will use the newly appropriated HAVA funds to further harden its systems and improve the state s security posture through various additional methods described below In addition the Department has received interim spending authority from the Joint Budget Committee ofthe Colorado General Assembly to provide the required state match of $317 149 The funds were appropriated for use upon signature by President Donald Trump on March 22 2018 Thus the Department commits to fully utilize the additional HAVA funds by March 22 2023 Project Overview The Colorado Department of State followed a multi-pronged approach to determine how the HAVA funds should be utilized First election and information technology personnel from the office solicited experts in the field for their recommendations Second internal meetings were held to determine prioritization When that list was completed a public meeting ofthe Bipartisan Election Advisory Committee was held with county clerks and community representatives to advise them on the Department s preliminary ideas and solicit their input Citizens and election of cials provided feedback including recommendations for changes and additions Those were incorporated into the nal document and budget The Colorado Department of State plans to use the 2018 HAVA appropriation in various ways to further harden its systems and improve the state s security posture These include three general categories 1 Improved Technology and Software for Both State and County Election Of cials 2 Improved Risk-Limiting Audits and Audits of Elections-Related Systems and 3 Improved Main Number 303 894-2200 TDDITTY 303 869-4867 Administration 303 860-6900 Web Site uvw sos state_co us Fax 303 869-4860 E-mail Incident Preparedness Exercises and Training Along With Certi cation Program Integration The following section details some of the ways in which Colorado currently plans to use the awarded funds Improved Technology and Software for Both State and County Election Officials 0 Expansion of secure portal for sensitive information exchange 0 Currently use a commercial product for secure return of ballots from UOCAVA voters The Department is exploring the possibility of leveraging the same platform for sensitive information and data exchanges between counties and between counties and the state to improve the security of that information sharing I Implementation Timeline 2018-2019 0 Smart secure removable media for elections data exchanges Sophisticated USB devices for transmitting information in a secure manner from system to system I Implementation Timeline 2018-2019 0 Dev team for modernization of core SCORE application 0 Legislative changes to SCORE and continue to affect the ability to carry through on efforts to modernize legacy SCORE functionality The Department will add a new development team for an 18-24 month period to increase our capacity and deliver needed functionality along with upgraded security I Implementation Timeline 2018-2019 0 Software Service for tracking social media and dark web for threats and indicators of compromise Situational awareness of actual threats claimed threats and sensitive elections data may provide an early warning system to assist in preparation for elections The Department is exploring the potential of adding social media and dark web intelligence gathering as part of our defenses I Implementation Timeline 2018-2020 0 Security automation and orchestration platform 0 Cybersecurity solutions today are incorporating more automated analysis and correlation capabilities and are allowing near-real-time defensive countermeasures to threats Orchestration describes the practice of tying disparate tools and people together for focused effective action as threats and incidents occur I Implementation Timeline 2019-2020 0 Emergency Critical communications capability 0 Exploring adding rapid response communications capability to reach not only to HQ- based elections staff but also to the critical individuals leading teams at every Voter Service and Polling Center VSPC I Implementation Timeline 2018-2019 0 New Voting System Implementation Assistance 0 A handful of Colorado counties have not yet purchased and deployed new voting systems within the past ve years that provide better support for post-election risk-limiting audits The department will offer grants to counties to offset half the cost of implementation services and training for these few counties I Implementation Timeline 2019-2020 Improved Risk Limiting Audits and Audits of Elections-Related Systems 0 Improvements to risk-limiting audits RLA systems 0 The Department is currently working to improve the existing RLA system for the 2018 General Election This work will continue beyond this year to extend the RLA system for use in primary elections I Implementation Timeline 2018-2019 0 Security audits of all elections-related systems 0 Risk-limiting audits of ballots post-election are crucial to provide con dence in correct outcomes The Department also plans to add audits of other elections-related systems I Implementation Timeline 2019-2021 Improved Incident Preparedness Exercises and Certi cation Program Integration 0 Table Top Exercises on incident response and preparedness The department is already planning for a rst statewide table top exercise TTX to bolster awareness and test incident response plans of county and state stakeholders TTX and mock election exercises serve to train individuals in stressful situations to better prepare and anticipate real world situations I Implementation Timeline 2018 and continuing in the tture Vulnerability Penetration tests of elections-related systems 0 Work to establish vulnerability and penetration tests of elections-related systems I Implementation Timeline 2019-2021 0 Attacker Defender exercises 0 These simulations involve one team acting as an attacker with another team defending against those attacks These types of exercises not only help reveal weaknesses in cyber security defenses they also provide valuable training and experience in a simulated environment I Implementation Timeline 2019-2020 0 Integration of white hat hacking into SDLC software development life cycle 0 Vulnerability scanning and code reviews form a valuable part of our software development process Incorporating penetration tests into the process earlier than is currently done today will improve the security and resilience of the software created and supported in the of ce I Implementation Timeline 2019 2018 HAVA ELECTION SECURITY GRANT Budget Information CFDA ii 90 404 Non Construction Program Name of Organization Budget Period Start Budget Period End Colorado Secretary of State's Office 1 3 723 720 SECTIONA- BUDGETSUMMARY 3 23 2023 FEDERAL 8 NON-FEDERAL FUNDS Match Consolidated Budget for total project term-- up to 5 years as de ned by grantee PROGRAM CATEGORIES JZLi tft 4 13 ng id Cyber Security Communications Trainiiggol rrams Bl Other TOTALS Fed Total BUDGET CATEGORIES Systems 1 fringe - 0% 2 EQUIPMENT 47 619 05 428 571 43 1 518 095 22 128 571 43 2 122 857 13 33% 3 to local votingjurisdictions 47 474 29 47 474 29 1% 4 TRAINING 47 619 05 428 571 43 476 190 48 8% 5 All OTHER COSTS 476 190 47 1 238 095 22 1 144 076 18 838 095 23 3 696 457 10 58% 6 TOTAL DIRECT COSTS 5 47 474 29 523 809 52 1 666 666 65 2 709 790 45 966 666 66 428 571 43 - 6 342 979 00 7 INDIRECT COSTS if applied - 0% 8 Total Federal Budget 5 47 474 29 523 809 52 5 1 666 666 65 2 709 790 45 5 966 666 66 428 571 43 5 - 6 342 979 00 11 Non-Federal Match 5 2 373 71 26 190 48 5 83 333 35 135 489 55 48 333 34 21 428 57 317 149 00 12 Total Program Budget 5 49 848 00 550 000 00 1 750 000 00 2 845 280 00 5 1 015 000 00 450 000 00 5 - 6 660 128 00 13 Percentage By Category 1% 896 2696 43% 15% 7% Proposed State Match 5 0% A Do you have an Indirect Cost Rate Agreement approved by the Federal government or some other non federa entity If yes please provide the following information B Period Covered by the Indirect Cost Rate Agreement C Approving Federal agency D If other than Federal agency please specify E The Indirect Cost Rate is No