Summary of Best Practices and Model Language

The following table contains a brief summary of all of the best practices in this guide. The full text of each best practice appears in the body of the guide.

Summary of Best Practices

| Number | Best Practice Name |
| --- | --- |
| 1 | Qualifications and experience of individuals proposed for work. |
| 2 | Demonstrated past performance performing proposed work. Includes awareness of, and experience adhering to, applicable certifications and legal and regulatory requirements. |
| 3 | Proposer personnel policies regarding hiring and conduct standards, including background check, citizenship, and visa requirements. |
| 4 | Proposer location(s) where work will be performed and equipment supported, as well as administrative and facility security at the location(s). |
| 5 | Training procedures for the proposer. |
| 6 | Company ownership, board members, and stakeholders. |
| 7 | Proposer process for identifying and approving changes of key personnel who perform the most critical management and technical functions. |
| 8 | Proposer authorization procedures for personnel with access to sensitive information and systems. |
| 9 | Proposer policies and practices for subcontractor personnel. |
| 10 | Proposer’s regular process for identifying and remediating cyber risks, with particular focus on components and information that are critical for mission success and increased attention to these elements. |
| 11 | Security processes that include incident handling, recovery, and contingency arrangements to ensure availability. Includes incident response, such as when and how the government will be notified in the event of an incident. |
| 12 | Transition plan for the end of the contract. |
| 13 | Proposer’s understanding of the scope of security tasks under the project, responsibilities and processes for monitoring adherence to those requirements, and security controls and their applicability in the solution. |
| 14 | Proposer’s understanding of, and approach to staying aware of, the threat environment, its proposed risk mitigation approaches, and identification of any residual risks. |
| 15 | Processes for moving information, whether digitally or physically, to ensure that security is maintained at all times. This includes moving vote data, such as for tabulation or election night reporting. Specific focus on security requirements that apply to information and communication products or services. |
| 16 | Proposer’s agreement to implement a specific set of security controls, such as the CIS Critical Security Controls. |
| 17 | Proposer’s willingness to adhere to your organization’s established security practices. |
| 18 | Service level agreements (SLAs) for security that can be defined and agreed to as a part of the contract and that address day-to-day activities and activities around an election. |
| 19 | Proposer’s experience in using standardized information technology lifecycle management processes for the exact scope of work. Includes proposer’s lifecycle approach for development of its own hardware and software. |
| 20 | Security plan for proposed work. |
| 21 | Proposer’s processes for monitoring adherence to standard information and physical security processes in its products and its own operations. |
| 22 | Companywide process certifications and demonstrated adherence to proposer’s documented processes. |
| 23 | Proposer’s supply chain management and selection process for suppliers, including contractor’s approach to evaluating replacement components or new technologies considered for use in the environment to ensure adequate security. |
| 24 | Processes for managing and documenting access to different categories of sensitive information. |
| 25 | Controls on data and access, including where the data reside, who has access, and how access rights are maintained; encryption approach; and incident capabilities, including logging and forensics. |
| 26 | Cloud security options. |
| 27 | Use of open standards and common approaches in software and common data formats. |
| 28 | Security architecture for proposed or required solution. |
| 29 | Approach to cryptography and key management for data security. |
| 30 | Ownership of software and other assets. |
| 31 | Certifications received for the solution, including EAC, RABET-V verification, and applicable state or local security standards. Or, in lieu of certification, rationale for lacking certification and approach to ensure that security in the solution is mature and reliable. |
| 32 | Personal information management, including transmission and approach to protection. |
| 33 | Advanced endpoint protection on core systems. |
| 34 | Experience with the needed system or service. |