Recommendations

Slide 2


Recommendations – MC Forensic Audit

Voter Rolls

Legislation should be considered that links voter roll registration to changes in driver’s licenses or other state identification.
Legislation should be considered that requires voter rolls be validated against the NCOA both 90 days or more prior to the election and a week before mail-in ballots are sent out. This validates whether a mail-in ballot should be sent before it is sent.
Legislation should be considered that sets a legally required frequency at which the voter rolls should be compared against ERIC, the Social Security’s Master Death List, or other commercially available tools that give access to this information.

© Copyright 2021 - Cyber Ninjas - All Rights Reserved - Slide

Slide 3


Recommendations – MC Forensic Audit

Election Software

Legislation should be considered that would require applications developed and utilized for voter rolls or voting to be developed to rigorous standards that ensure the confidentiality and integrity of the systems.
Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) Level 3 is recommended.
Legislation should be considered which requires voter roll and voting equipment, or any other election software, to go through regular assessments to confirm ASVS Level 3 requirements are met.
Software should not be allowed to be utilized until any Critical or High issues are remediated and there should be a remediation plan for other severity vulnerabilities.


Slide 4


Recommendations – MC Forensic Audit

Voting Machines

Legislation should be considered that requires following all CISA Guidelines for Election Systems and Equipment, the documentation of any variations among these guidelines, and the signing off on a risk memo by the appropriate party for any deviations from those guidelines.
Legislation should be considered which requires the assignment of individual usernames and passwords for all election-related equipment and matters.
Legislation should be considered that requires the real-time network monitoring of all election equipment, even on air-gapped networks.
Legislation should be considered that would prohibit internet-capable Election Management System Servers or similar equipment from being utilized, or any other type of hardware or equipment that could potentially allow remote access.
No built-in capability such as a Wi-Fi card or cellular modem, regardless of whether this is used.


Slide 5


Recommendations – MC Forensic Audit

Voting Machines

Furthermore, County employees should have access to all administrative functions of all election equipment and have sufficient access to independently validate any configuration items on the device without requiring the involvement of any third-party vendor.
In addition, electronic voting machines must always have a paper backup of all ballots which can be used to confirm that votes were cast as intended; and these machines must be regularly maintained according to the vendor’s recommended maintenance schedule.
Legislation should be considered that would require that paper stocks utilized on election day conform to manufacturer recommendations to ensure that the paper that has been tested in the device is what is actually utilized to cast votes.


Slide 6


Recommendations – MC Forensic Audit

Election Audits

Legislation should be considered that creates an election audit department in charge of regularly conducting audits on a rotating basis across all counties in Arizona after elections.
Legislation should be considered that requires batches of ballots to be clearly labeled, separated from each other in a manner where they cannot easily mix together, and easily connected to the batches run through the tabulation equipment for easy auditing of the system.
Legislation should be considered to penalize purposely inhibiting a legislative investigation, or an officially sanctioned audit of an election.
