55% Board of STATE Elections 18-07 New York State Board of Elections APPROVED RESOLUTION May 3 2018 RESOLUTION APPROVING THE CYBERSECURITY PLAN PURSUANT TO THE SFY 2018-19 BUDGET WHEREAS the New York State Board of Elections State Board has been closely monitoring the ever-growing threat posed to information and elections systems by nation-states terrorist organizations and independent criminal actors and WHEREAS the State Board has been working extensively with federal state local and other important partners the Elections Assistance Commission EAC the federal General Services Administration GSA the federal Department of Homeland Security DHS the Federal Bureau of Investigation FBI the Center for internet Security CIS the Multi-State Information Sharing and Analysis Center the Elections Infrastructure information Sharing and Analysis Center NYS Office for Information Technology Services Governor s Cybersecurity Advisory Board CSAB the Belfer Center for Science and International Affairs at Harvard University and the University at Albany s Center for Technology in Government to develop a comprehensive plan to ensure the security of New York State s elections infrastructu re - and WHEREAS the SFY 2018-19 budget allocates $5 million dollars for services and expenses related to securing election infrastructure from cyber-related threats including but not limited to the creation of an election support center development of an elections cybersecurity support toolkit and providing cyber risk vulnerability assessments and support for local board of and WHEREAS per the SFY 2018-19 budget expenditures of such funds shall be approved by a vote of the State Board of Elections Commissioners pursuant to subdivision 4 of section 3-100 of the election law WHEREAS the State Board staff through their work with the federal state local and other partners mentioned above have drafted an allocation plan WHEREAS the State Board staff has been leveraging existing Federal and State resources such as attending the Belfer Center of Science and International Affairs Cybersecurity Tabletop Exercise Train the Trainer program and WHEREAS the State Board staff has partnered with the federal Department of Homeland Security both have an Internal risk assessment conducted and to execute six regional cybersecurity table top exercises across New York State and WHEREAS the State Board has been leveraging existing technological and security resources by partnering with the federal Department of Homeland Security MS-ISAC and and WHEREAS the federal Elections Administration Commission EAC has allocated New York State $19 483 647 19 5 M dollars subject to a State 5% match of cybersecurity related funds WHEREAS the $5 million dollar State cybersecurity funds will be leveraged to meet the federal 5% match requirement to secure federal Cybersecurity grant funding NOW THEREFORE BE IT RESOLVED the state cybersecurity plan attached hereto is hereby approved and the State Board of Elections is authorized to implement such plan NOW THEREFORE BE lT FURTHER RESOLVED that the State Board staff is authorized to expend up to $1 25 million in State cybersecurity funds in the implementation of the state cybersecurity plan and NOW THEREFORE BE IT FURTHER RESOLVED that the State Board staff is authorized to expend federal HAVA cybersecurity funds at a limit to not exceed $5 million dollars in the implementation of the state cybersecurity plan Approved May 3 2018 VOTE 4-0 New York State Board of Elections Cybersecurity Plan The New York State Board of Elections NYSBOE has been closely monitoring the ever-growing threat posed to information and elections systems by nation-states terrorist organizations and independent criminal actors Collaboration and Consultation NYSBOE has been working extensively with federal state local and other important partners the Elections Assistance Commission EAC the federal General Services Administration GSA the federal Department of Homeland Security DHS the Federal Bureau of Investigation FBI the Center for Internet Security CIS the Multi-State Information Sharing and Analysis Center the Elections infrastructure information Sharing and Analysis Center NYS Office for Information Technology Services OITS Governor s Cybersecurity Advisory Board CSAB the Beifer Center for Science and International Affairs at Harvard University and the University at Albany's Center for Technology in Government to develop a comprehensive plan to ensure the security of New York State s elections infrastructure Eugding See Attachment Al State funds are coming from the SFY 2018-19 executive budget which allocates $5 million dollars1 for services and expenses related to securing election infrastructure from cyber-related threats including but not limited to the creation of an election support center development of an elections cybersecurity support toolkit and providing cyber risk vulnerability assessments and support for local board of elections in addition federal funding is available through the 2018 HAVA Help America Vote Act Election Security Grant allocates $19 483 647 dollars to the State of New York to improve the administration of elections for Federal office including to enhance election technology and make security improvements 2 In order to be eligible for newly allocated federal cybersecurity funds the State must provide a 5% match The State funding would meet the match requirements NYSBOE is confident that the current State HAVA plan would not require any update to accept additional federal funding The Plan Our comprehensive allocation plan is to Assess the risk to the State and County election systems Remediate the vulnerabilities Monitor ongoing Operations and Respond to incidents 1 State Operations Budget Bill S7500-A A9500-A 2018-19 page 130 3 2018 Help America Vote Act Elections Security Grants Award Packet April 17 2018 page 1 New York State Board of Elections Cybersecurity Plan Assess the Risk Comprehensive Risk Assessment for the New York State Board of Elections The New York State Board of Elections has entered into a partnership with the federal Department of Homeland Security to have a free comprehensive Risk and Vulnerability Assessment conducted on the State's elections infrastructure This one-on-one engagement will combine national level threat and vulnerability information with data collected and discovered through the assessment from which DHS will provide NYSBOE with specific risk analysis reports and strategic remediation recommendations prioritized by risk Comprehensive Risk Assessment for all County Board of Elections NYSBOE will contract for professional services to conduct a comprehensive uniform and verified risk assessment at every County Board of Elections CBOE NYSBOE has already conducted a CBOE elections risk survey to gain an understanding of the security posture of each county board County Boards are responsible for procuring inventorying securing and training staff on elections infrastructure and technologies A uniform and verified third party risk assessment is critical in ascertaining a security baseline for our statewide elections infrastructure Remediate Vulnerabilities NYSBOE Remediation NYSBOE has identi ed several areas of remediation to implement concurrently with the risk assessment County Board Remediation CBOE Risk Assessment ndings will identify any potential vulnerabilities in the New York State s elections system and infrastructure Vulnerabilities will need immediate remediation to ensure the security of our systems and a secure architecture of CBOEs The Secure Elections Center would receive analyze and evaluate and set priorities to address identified vulnerabilities Monitor Operations Cybersecurm Regulation As part of monitoring ongoing operations NYSBOE will develop implement and evaluate a comprehensive cybersecurity regulation designed to set uniform regulatory standards To do this NYSBOE will procure information advisory services to assist in the development of cybersecurity regulations setting standards for the state and county boards to monitor their ongoing cybersecurity The regulation will be designed to promote the protection of election systems while not being overly prescriptive so that cybersecurity programs can match relevant risks and keep pace with technological advances NYSBOE has started this process and has engaged and collaborated with relevant state partners New York State Board of Elections Cybersecurity Plan Creation of a NYSBOE Secure Elections Center The NYSBOE Secure Elections Center is tasked with assisting all Counties with the formulation implementation and evaluation of security measures regulations and policies relative to elections infrastructure The Center is responsible for collecting reviewing consulting and evaluating all elections security policies and regulations and ensure continuity of election administration and operations The Secure Elections Center would work closely with the existing executive management of the Board and report directly to the Chief Information Officer The Secure Elections Center would require the addition of the following one 1 NYSBOE Elections Chief Information Security Officer CISO to oversee the State Board s cybersecurity policy patching internal log review incident management security software management and to oversee the county liaison program one 1 IT Specialist 3 to support security of NYSVOTER the state voter registration list two 2 Election Security Specialists to provide assistance and coordinate the delivery of services of the Center to the County Boards one 1 Elections Security Clerk to manage the Secure Elections Center help desk function and assist with routine questions coordination monitoring and logging of activity one 1 Website Secure Access Specialist to manage the Board's website and ensure the accessibility of documents one 1 Senior Assistant for Elections Continuity to focus on risk assessment and mitigation strategies as part of the evaluation of election systems technology and two 2 Elections Security Specialists to act as liaisons and coordinate with CBOEs relative to policy implementation improved audits of election results risk analysis coordination and connection support Network Monitoring at CBOEs Federal State and other stakeholders EAC CSAB and recommend that network monitoring be immediately implemented at each County Board of Elections if not already in place Monitoring Distributed Denial of Service 0005 protection and site scanning will provide a baseline of security for elections systems and infrastructure County Board of Elections infrastructure may be networked with County infrastructure which increases the scope and cost of network monitoring The State Board plans to provide interim monitoring services to CBOEs through December 2020 Conny Cybersecum Training and Toolkit The NYSBOE will develop a series of training tools for CBOEs based on recognized industry standards in relation to cyber hygiene best practices access management protocols and recommendations for incident handling Comprehensive cybersecurity training will be provided to all CBOEs on a continuous basis This is required to ensure a consistent level of cyber hygiene and combat vulnerabilities raised by staff turnover as well as to stay current with the latest trends and developments in cybersecurity Respond to incidents NYSBOE will establish the Secure Elections Center to increase the cybersecurity of the State and County Boards of Elections The Center's focus on training and preparedness will prevent some incidents from occurring The Center will also develop a comprehensive incident response plan for the State and County Boards to triage coordinate and respond to cyber incidents The incident response plan requires New York State Board of Elections Cybersecurity Plan - personnel to staff and respond to cyber incidents 0 technology to facilitate the intake coordination and tracking response to cyber incidents - the development of a comprehensive cyber incident plan which includes the review and updating of State and County Board of Elections current emergency security and response plans and procedures for incident identification containment eradication recovery and post-response assessment will be fully developed NYSBOE will conduct a series of regional tabletop exercises in conjunction with the US Department of Homeland Security NY State Police the FBI and County Boards of Elections to discuss hypothetical cyber events that may impact a Board s ability to administer an election These exercises are used to identify additional mitigation strategies preparedness needs and enhance collaboration between stakeholders 2018 HAVA ELECTION SECURITY GRANT Budget Information ICFDA 90 404 Non-Construction Program ame of Organization Budget Period Start Budget Period End lNew York State Board of Elections gin 2013 SECTION A - BUDGET SUMMARY FEDERAL NON-FEDERAL FUNDS Match Consolidated Budget for total project term-- up to 5 years as defined by grantee Approving Federal agency D If other than Federal agency please specify The Indirect Cost Rate is B Period Covered by the Indirect Cost Rate Agreement A Do you have an Indirect Cost Rate Agreement approved by the Federal government or some other non-federal entity If yes please provide the following information PROGRAM CATEGORIES voting Eliza Rig- 31 Cyber Security Communications fl Other Other TOTALS Fed Total BUDGET CATEGORIES Equ'i me' Systems 1 fringe 5 000 000 00 5 000 000 00 26% 2 EQUIPMENT 100 000 00 100 000 00 1% 3 SUBGRANTS- to local voting iurisdictions 0% 4 TRAINING 5 200 000 00 5 200 000 00 1% 5 All OTHER COSTS 14 183 647 00 14 183 64700 73% 6 TOTAL DIRECT COSTS 5 5 - - 5 19 483 647 00 - - 5 19 483 647 00 7 INDIRECT COSTS if applied 5 - 0% 8 Total Federal Budget 5 - - 19 483 647 00 - - 5 19 483 647 00 11 Non-Federal Match 974 182 35 974 182 35 12 Total Program Budget 5 - - 5 20 457 82935 - - 5 20 457 82935 13 Percentage By Category 0% 0% 0% 100% 0% 0% Proposed State Match 5 0%