Senate Engrossed
election management systems; security
State of Arizona Senate Fifty-fifth Legislature Second Regular Session 2022
SENATE BILL 1642
An Act
amending title 16, chapter 4, article 4, Arizona Revised Statutes, by adding section 16-453; relating to conduct of elections.
Be it enacted by the Legislature of the State of Arizona:
Section 1. Title 16, chapter 4, article 4, Arizona Revised Statutes, is amended by adding section 16-453, to read:
16-453. Election management systems; gateway computer standards
A. Not later than the 2022 primary election, a county recorder or other officer in charge of elections must have a dedicated special purpose election management system gateway computer that may be used only when necessary to do the following:
1. Download data from an internet-connected system, including downloading ballot language or ballot files, onto a memory stick or other removable electronic storage device for uploading to the election management system gateway computer.
2. Download data, including election results files, from the election management system gateway computer to a memory stick or other similar device for uploading to an internet-connected system.
B. The election management system gateway computer shall serve as the internet-connected system for the purposes prescribed by this section. No other computer except for the designated election management system gateway computer may be used for these purposes and the designated election management system gateway computer shall not be used for any other purpose.
C. The following security protocols apply to the election management system gateway computer:
1. The computer shall only be connected to a network when necessary, such as to upload to or download from the internet or to install necessary software updates. The computer shall be disconnected from the network before any transfer of data to or from the memory stick or other device that was or will be connected to the election management system gateway computer.
2. The computer shall not be used for any purpose other than moving necessary election data in to or out of the computer.
3. The computer's operating system, browser and endpoint protection software shall have the most recent updates and security patches installed.
4. The computer shall have endpoint protection software that protects the computer from malware, viruses, ransomware, incursions and other cybersecurity risks, with scanning capability installed.
5. The computer shall not have any software installed other than endpoint protection and a web browser.
6. Security shall be the most important criteria when selecting a browser.
7. A firewall applicable to the operating system shall be enabled with the following restrictions:
(a) Incoming connections are prohibited.
(b) Unnecessary outbound ports are prohibited.
(c) Use of an unsecured hypertext transfer protocol is prohibited.
(d) Connections are allowed only to specified internet protocol addresses such as the election management system vendor download site and the secretary of state's site used for election night reporting.
8. If present, all wireless connections and functions and cellular functions shall be disabled.
9. A wireless mouse or wireless keyboard is prohibited.
10. The computer shall be physically secured by the officer in charge of elections or the officer's designee in compliance with the requirements applicable to other election equipment.
11. The default administrator account shall be disabled and customized administrator accounts with specific powers and privileges must be created, providing to persons with administrator access only those powers and privileges necessary for the person's specific job duties.
12. Normal operation of the computer, such as when not conducting system configuration or maintenance that requires administrator access, shall be conducted without administrator rights to ensure that nonadministrators cannot install unauthorized software or otherwise have access to the operating system or internal file structures.
13. Any physical port, plug, door or other method of physical or electronic access to the computer shall be secured in a manner to prevent unauthorized access to the computer.