If you would like to ensure that your state is protecting its critical infrastructure election systems from cyber threats, send this three-part document to your SOS public records division to obtain all EVIDENCE of OUR elections being SAFE AND SECURE, BEFORE they can certify this election, as the burden of proof is upon them to prove that they are remembering and following their oaths to protect us from all enemies, foreign or domestic.
[Your Name]
[Your Address]
[City, State, ZIP Code]
[Email Address]
[Phone Number]
Date: [Insert Date]
Public Records Officer
[State] Secretary of State
Public Records Division
[Address of the Office]
[City, State, ZIP Code]
Email: [Public Records Email for the State]
Subject: Public Records Request for FISMA, NIST.SP.800-53A, and NIST.SP.800-171A Compliance Records and Testing for Election Systems
Dear Public Records Officer,
Pursuant to the Public Records Act of [State’s Public Records Law, e.g., RCW 42.56 in Washington], I am writing to formally request access to records and compliance documentation related to federal cybersecurity requirements for the State’s election systems.
Authority for Request:
Executive Order 13800: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (May 11, 2017), issued by President Trump, directed federal agencies to manage cybersecurity risks across the government, including those relating to critical infrastructure. By this time, election systems had been designated as critical infrastructure (by the Department of Homeland Security under the Obama administration in January 2017). The order also referenced the National Institute of Standards and Technology (NIST), requiring federal agencies to use the NIST Cybersecurity Framework to assess and manage cybersecurity risks.
EO 13800 played a role in mandating the adoption of NIST cybersecurity standards for federal networks and critical infrastructure, including elections. Therefore, the cybersecurity of elections falls under the broader guidelines set by this order, as all critical infrastructure sectors are subject to the NIST framework under this EO.
Public Records Request:
As such, I am requesting the following documentation related to the Federal Information Security Modernization Act (FISMA), NIST.SP.800-53A, and NIST.SP.800-171A standards for the State’s election systems:
1. FISMA Compliance Documentation
Please provide the following documentation that ensures the State’s election systems comply with the requirements set forth by the Federal Information Security Modernization Act (FISMA):
Security Assessments:
Records of all security assessments conducted for election systems, ensuring compliance with FISMA requirements.
Any third-party or internal risk assessments that have been conducted as part of the FISMA compliance process, ensuring election systems meet the necessary standards for securing sensitive information.
Continuous Monitoring Reports:
Copies of continuous monitoring reports showing real-time oversight of the election systems. These reports should include evidence of ongoing vulnerability detection, system monitoring, and incident response mechanisms that ensure election systems are protected throughout the election period.
Incident Response Plans:
The election system's Incident Response Plans that comply with FISMA standards, detailing the protocols in place for responding to cybersecurity incidents, data breaches, and system vulnerabilities related to election security.
Penetration Testing Results:
Results from any penetration tests conducted to identify vulnerabilities within the election systems before the election. This should include reports detailing the findings, risks identified, and any remediation efforts taken.
Third-Party Audits:
Reports of any third-party audits or evaluations conducted on election systems to verify compliance with FISMA, ensuring an independent review of the system’s cybersecurity posture.
2. NIST.SP.800-53A Compliance Records
Please provide documentation demonstrating that the State’s election systems have undergone full security assessments in compliance with NIST.SP.800-53A standards, including:
Completed NIST.SP.800-53A Checklists:
Detailed compliance checklists showing the election systems' adherence to all relevant security and privacy controls outlined in NIST.SP.800-53A. This includes:
Verification that all controls have been assessed and implemented as required.
Documentation showing any remediation actions taken to address non-compliant areas.
Vulnerability Scans and Reports:
Vulnerability scan reports for the election systems that assess potential security weaknesses, including findings, risks, and corrective actions taken in response to vulnerabilities identified during scans.
Penetration Testing Reports:
Reports from penetration testing conducted on election systems to simulate cyberattacks and identify vulnerabilities, with detailed findings and actions taken to improve the security posture of the systems.
Security Control Family Compliance:
Evidence of compliance with the 19 control families specified in NIST.SP.800-53A, including independent assessment results. The control families include:
Access Control (AC)
Awareness and Training (AT)
Audit and Accountability (AU)
Security Assessment and Authorization (CA)
Configuration Management (CM)
Contingency Planning (CP)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Physical and Environmental Protection (PE)
Planning (PL)
Personnel Security (PS)
Risk Assessment (RA)
System and Services Acquisition (SA)
System and Communications Protection (SC)
System and Information Integrity (SI)
Program Management (PM)
Privacy (PT)
3. NIST.SP.800-171A Compliance Checklists for CUI
Please provide documentation showing compliance with the NIST.SP.800-171A standards for protecting Controlled Unclassified Information (CUI) within the election systems, including:
Completed NIST.SP.800-171A Checklists:
Compliance checklists showing the implementation of all security controls required by NIST.SP.800-171A, ensuring the election systems meet the necessary requirements for safeguarding CUI.
Penetration Testing Reports:
Reports of penetration tests performed on election systems to ensure compliance with the 17 control families outlined in NIST.SP.800-171A, including any remediation efforts to address identified vulnerabilities.
Third-Party Audits:
Copies of third-party audit reports that verify the implementation and compliance of NIST.SP.800-171A controls. These audits should provide independent validation of the election systems' adherence to the necessary security measures.
Security Control Family Compliance:
Detailed evidence of compliance with the 17 control families specified in NIST.SP.800-171A:
Access Control (AC)
Awareness and Training (AT)
Audit and Accountability (AU)
Configuration Management (CM)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Personnel Security (PS)
Physical Protection (PE)
Risk Assessment (RA)
Security Assessment (CA)
System and Communications Protection (SC)
System and Information Integrity (SI)
Contingency Planning (CP)
System and Services Acquisition (SA)
Planning (PL)
Purpose of Request:
The purpose of this request is to verify that the State’s election systems are fully compliant with the federally mandated cybersecurity requirements before any election takes place, ensuring the integrity and security of the election process.
Transparency and compliance with these frameworks are critical to maintaining public trust in our democratic systems. If certain portions of the requested records are exempt from disclosure, I request that you provide a redacted version of the documents with any applicable exemptions clearly marked, along with a key chart listing the specific statutes or codes relied upon for each redaction.
Thank you for your attention to this matter. If you have any questions or need further clarification regarding this request, please feel free to contact me via email at [Your Email] or by phone at [Your Phone Number].
Sincerely,
[Your Full Name]