HIGH BASELINE IMPLEMENTING

NIST SP 800-53 Rev 5 (High) Compliance

Security and Privacy Controls for Federal Information Systems. VoteSecured is built to the NIST SP 800-53 Rev 5 High baseline control framework for critical election infrastructure protection.

High Baseline Controls: 325
Fully Implemented: 312
Not Applicable: 13
Implementation Rate: 96.0%

Access Control (AC)

Control access to information systems and resources through identification, authentication, and authorization

| Control ID | Requirement | Status | Implementation Details |
|---|---|---|---|
| AC-1 | Access Control Policy and Procedures — Develop, document, and disseminate access control policy and procedures | COMPLIANT | Comprehensive access control policy documents all authentication, authorization, and access management procedures. Policy reviewed annually by CISO and approved by board. Procedures include role-based access control, least privilege principles, and regular access reviews. |
| AC-2 | Account Management — Manage information system accounts including establishment, activation, modification, review, and removal | COMPLIANT | Automated account lifecycle management with approval workflows. Account provisioning requires dual authorization for privileged accounts. Regular quarterly access reviews with automated deprovisioning of inactive accounts. Integration with HR systems for employee lifecycle events. |
| AC-3 | Access Enforcement — Enforce approved authorizations for logical access to information and system resources | COMPLIANT | Attribute-based access control (ABAC) engine enforces granular permissions based on user attributes, resource classifications, and environmental conditions. Real-time policy evaluation with deny-by-default posture. All access decisions logged with cryptographic integrity. |
| AC-6 | Least Privilege — Employ the principle of least privilege, allowing only authorized accesses | COMPLIANT | Just-in-time (JIT) privileged access with time-limited elevated permissions. Privileged operations require dual authorization and business justification. Zero standing privileges for administrative functions. All privileged sessions recorded and monitored. |
| AC-17 | Remote Access — Establish usage restrictions and implementation guidance for remote access | COMPLIANT | Zero-trust remote access through secure VPN tunnels with certificate-based authentication. Multi-factor authentication required for all remote connections. Remote sessions monitored with real-time threat detection and automatic session termination for suspicious activity. |

Audit and Accountability (AU)

Establish comprehensive audit trails and accountability measures for all system activities

| Control ID | Requirement | Status | Implementation Details |
|---|---|---|---|
| AU-1 | Audit and Accountability Policy and Procedures — Develop, document, and disseminate audit and accountability policy | COMPLIANT | Comprehensive audit policy defines all auditable events, retention requirements, and monitoring procedures. Policy mandates immutable audit trails with cryptographic integrity protection. Annual policy reviews with stakeholder input and regulatory compliance validation. |
| AU-2 | Event Logging — Determine which events to audit and coordinate with other organizational entities | COMPLIANT | Comprehensive logging of all security-relevant events including authentication, authorization, data access, system configuration changes, and privileged operations. Event correlation with threat intelligence feeds for enhanced detection capabilities. |
| AU-3 | Content of Audit Records — Generate audit records containing sufficient information to establish accountability | COMPLIANT | Structured audit records include timestamp, user identity, event type, outcome, source/destination addresses, and cryptographic integrity protection. Machine-readable format with correlation IDs for forensic analysis and compliance reporting. |
| AU-6 | Audit Review, Analysis, and Reporting — Review and analyze information system audit records for inappropriate activity | COMPLIANT | AI-powered audit log analysis with behavioral anomaly detection and automated alerting. Security operations center (SOC) analysts review all high-priority alerts within 15 minutes. Monthly audit reports generated automatically with executive summaries and trend analysis. |
| AU-9 | Protection of Audit Information — Protect audit information and audit logging tools from unauthorized access | COMPLIANT | Immutable audit trail storage using append-only logs with cryptographic hash chains. Audit data replicated to geographically distributed secure facilities with tamper-evident storage. Access controls prevent unauthorized modification or deletion. |

System and Communications Protection (SC)

Protect system and communications through cryptographic mechanisms and secure architectures

| Control ID | Requirement | Status | Implementation Details |
|---|---|---|---|
| SC-8 | Transmission Confidentiality and Integrity — Protect the confidentiality and integrity of transmitted information | COMPLIANT | All network communications encrypted with TLS 1.3 using perfect forward secrecy. End-to-end encryption for vote data using AES-256-GCM with unique session keys. Message authentication codes (MAC) ensure data integrity during transmission. |
| SC-12 | Cryptographic Key Establishment and Management — Establish and manage cryptographic keys for required cryptography | COMPLIANT | FIPS 140-2 Level 3 hardware security modules (HSMs) manage all cryptographic keys. Hierarchical key management with automatic key rotation every 90 days. Key escrow and recovery procedures with dual control and split knowledge. |
| SC-13 | Cryptographic Protection — Implement FIPS validated cryptography to protect unclassified information | COMPLIANT | All cryptographic algorithms are FIPS 140-2 validated and CAVP certified. AES-256-GCM for symmetric encryption, RSA-4096 and ECDSA P-384 for asymmetric operations, SHA-384 for hashing. Post-quantum cryptography readiness with hybrid implementations. |
| SC-28 | Protection of Information at Rest — Protect the confidentiality and integrity of information at rest | COMPLIANT | Full disk encryption using AES-256-XTS with FIPS 140-2 Level 3 key management. Database-level encryption with transparent data encryption (TDE). Encrypted backups stored in geographically distributed locations with additional layer of encryption. |

System and Information Integrity (SI)

Maintain system and information integrity through monitoring, analysis, and protective measures

| Control ID | Requirement | Status | Implementation Details |
|---|---|---|---|
| SI-2 | Flaw Remediation — Identify, report, and correct information system flaws | COMPLIANT | Automated vulnerability scanning with risk-based prioritization and patch management. Critical security patches deployed within 72 hours with emergency change approval process. Comprehensive testing in isolated environment before production deployment. |
| SI-3 | Malicious Code Protection — Implement malicious code protection mechanisms at information system entry points | COMPLIANT | Multi-layered malware protection with real-time scanning, behavioral analysis, and sandboxing. Application whitelisting prevents unauthorized code execution. Endpoint detection and response (EDR) with automated threat hunting and incident response. |
| SI-4 | Information System Monitoring — Monitor the information system to detect attacks and indicators of potential attacks | COMPLIANT | 24/7 security operations center (SOC) with AI-powered threat detection and behavioral analysis. Network intrusion detection systems (IDS/IPS) with signature and anomaly-based detection. Real-time threat intelligence integration with automated response capabilities. |
| SI-7 | Software, Firmware, and Information Integrity — Employ integrity verification tools to detect unauthorized changes | COMPLIANT | Cryptographic integrity verification for all software components using SHA-384 hashes and digital signatures. File integrity monitoring (FIM) with real-time alerting for unauthorized changes. Code signing with timestamping for all software releases. |

Identification and Authentication (IA)

Uniquely identify and authenticate users and devices accessing the information system

| Control ID | Requirement | Status | Implementation Details |
|---|---|---|---|
| IA-2 | Identification and Authentication (Organizational Users) — Uniquely identify and authenticate organizational users | COMPLIANT | Multi-factor authentication (MFA) required for all users with PIV cards, biometric verification, and hardware tokens. Smart card authentication with certificate-based identity verification. Risk-based authentication with adaptive security controls. |
| IA-5 | Authenticator Management — Manage information system authenticators by verifying identity of individuals | COMPLIANT | Centralized authenticator management with automated provisioning and lifecycle management. Hardware security keys with FIDO2/WebAuthn support. Biometric template storage in secure enclaves with liveness detection and anti-spoofing measures. |
| IA-8 | Identification and Authentication (Non-Organizational Users) — Uniquely identify and authenticate non-organizational users | COMPLIANT | Federated identity management with SAML 2.0 and OAuth 2.0 integration. Third-party identity verification through government-issued credentials and trusted identity providers. Anonymous credential systems for voter authentication with privacy preservation. |

Incident Response (IR)

Establish comprehensive incident response capabilities for security events

| Control ID | Requirement | Status | Implementation Details |
|---|---|---|---|
| IR-1 | Incident Response Policy and Procedures — Develop, document, and disseminate incident response policy | COMPLIANT | NIST SP 800-61 compliant incident response policy with defined roles, responsibilities, and escalation procedures. Quarterly tabletop exercises and annual policy reviews. Integration with election-specific incident response requirements and stakeholder notification procedures. |
| IR-4 | Incident Handling — Implement an incident handling capability for security incidents | COMPLIANT | 24/7 incident response team with security operations center (SOC) integration. Automated incident classification and routing with escalation timers. Digital forensics capabilities with chain of custody procedures and legal hold capabilities. |
| IR-6 | Incident Reporting — Report incidents to appropriate internal and external organizations | COMPLIANT | Automated incident reporting to CISA, FBI, and relevant state/local authorities within required timeframes. Standardized incident classification with appropriate stakeholder notification matrices. Encrypted communication channels for sensitive incident information. |

Questions About NIST 800-53 Compliance?

Our compliance team can provide detailed documentation and walk you through our security control implementations.