Risk Methodology for UOCAVA Voting Systems

1. Risk Methodology for UOCAVA Voting Systems TGDC Presentation Matt Scholl NIST, Information Technology Laboratory, Computer Security Division http://vote.nist.gov

2. Purpose Tutorial on Risk Methodology Definition of Terms Categorization Process Risk Decisions Applying Risk Methodology to Voting Agenda

3. Purpose • Present a methodology to solicit decisions and drive requirements for voting systems. • The methodology is based on the NIST Risk Management Framework. • A foundational approach for information system security used throughout U.S., state and local Governments, private industry, and other governments world-wide. • Use terms and definitions found in NIST information system security publications, standards and Federal laws.

4. Goal • The process will result in a set of security, auditability, human factors (usability, accessibility) mitigations molded to fit various voting architectures with varying levels of assurance and capabilities. • NIST will assist the TGDC in identifying and applying a risk methodology to UOCAVA voting systems. • The Risk Management Framework is used to make specific risk based decisions. Security Auditability Accessibility/ Usability

5. Risk Methodology Tutorial • Brief the TGDC on NIST risk methodology for developing security controls. • Ensure the TGDC understands the information needed by NIST to develop the controls. • Define key terms.

6. Security Objectives • Confidentiality • Preserving authorized restrictions on information access and disclosure, including means for protection of personal privacy and proprietary information. • Integrity • Guarding against improper information modification or destruction, and include ensuring information non-repudiation and authenticity. • Availability • Ensuring timely and reliable access to and use of information. Source: 44 U.S.C Sec. 3542

7. Risk Approach • Risk is a function of the following: • Likelihood • Threat • Vulnerability • Impact • The NIST Risk Management Framework begins with assessing the potential impact on an organization should events occur to jeopardize the information and information system.

8. Examples of Voting Information Types • Example types of voting information: • Voted Ballot • Blank Ballot • Tabulation Reports • Example threats: • Loss of ballot secrecy • Incorrect ballot received by voter • Tabulation Reports cannot be accessed by voting officials

9. Example- Voting Categorization – Step 1

10. Impact Levels • High Impact – severe or catastrophic adverse effect • Moderate Impact – serious adverse effect • Low Impact – limited adverse effect • Why is this important? • Common framework for expressing security needs. • Aids in selection of appropriate security controls. • TGDC identifies possible criteria for determining voting-specific impact. Source: FIPS 199

11. Example- Voting Categorization – Step 2

12. Example- Voting Categorization – Step 2

13. Confidentiality Voted Ballot Loss of Ballot Secrecy Low Impact Moderate Impact High Impact Voting Categorization – Step 3

14. Confidentiality Voted Ballot Loss of Ballot Secrecy Low Impact Moderate Impact High Impact Voting Categorization – Step 3

15. Moderate Impact Level Examples of Architecture Types Electronic Delivery/Mail Return Kiosk PC-based Security Controls Security Controls Security Controls Security Control Identification

16. Security Control Identification • Use the NIST SP 800-53 “NIST Recommended Security Controls for Federal Information Systems”.

17. Overall Structure

18. Overall Structure

19. Next Steps for Security • TGDC identifies possible: • Information types • Voting threats • Voting-specific impact criteria • NIST assists the TGDC in identifying and tailoring security controls for all impact levels and all architectures. • Refine security controls as architectures mature. • An impact level can be selected for each information type. • Using risk assessment – refine security controls as threats and vulnerabilities become known.