Election Security Risk Assessment

Bid/RFP Status: Awarded
Bid/RFP Due Date: Thursday, October 15, 2020 - 4:00pm
Bid/RFP Reference Number: 10-2020 MIS

Sauk County is soliciting proposals for a Security Risk Assessment for the County's Election Management System 

Answers to Vendor questions:

  • Can you please confirm if there is any portion of this project that the County wishes to be performed on-site?  Answer:  No, the vendor is welcome to perform all work remotely, provided they have the capability of doing so.
  • Has Sauk County completed a risk assessment previously?  Answer:  Not for the election management system.
  • Does Sauk County have a desired completion date for all parts of the risk assessment?  Answer:  The project is being funded through a WEC subgrant and must be completed and paid for by January 31, 2021.  The County would prefer that the project be completed by the end of 2020.
  • What are the WEC standards?  Answer:  See the supporting documentation below from the WEC and the U.S. Election Assistance Commission.
  • Should the assessment include the system end-user PCs?  Answer:  Yes
  • How many public IPs will be in scope for the external penetration testing?  Answer:  2
  • How many IPs will be in scope for the internal network penetration testing? Answer: 6 - 10 (exclusive of end-user PCs)
  • How many end-user PCs or Tablets are in scope?  Answer: no more than 10.
  • How many end-user accounts are in scope? Answer: no more than 20
  • How many servers are in scope? Answer:
  • For the external network penetration test, is the public environment cloud-hosted?  Answer:  The "public environment" is a page on the County's website where the election results are posted and a GIS application used to display results by district.  The website itself is hosted in the cloud.  The GIS system is on-premise.
  • Do any of the devices within the election system use wireless communications?  Answer: Yes, the election tabulators, located at the various municipalities, communicate with the main server here at Sauk County via a cellular WAN.  Internally, end-user devices connect to the County's internal private network via secure wireless access points.
  • What is meant by Election System Wireless WAN? Answer: This is the cellular network that provides for the communication between the election tabulators, located at municipalities throughout Sauk County, and the main server here at the Courthouse.
  • Do you require NESSUS to be used for scanning, or can we use another tool built on similar Open Source frameworks as NESSUS?  Answer: See Item 1. in Part Three of the RFP
  • Do all of the services specified in Part Two of the RFP need to be provided in full?  Answer:  This is preferred, however, the County may consider a piecemeal approach, depending upon the proposals received.
  • For the election results web page, how many pages are contained within the application?  Answer: the results are displayed on a single page on the County's website.  The website itself is comprised of thousands of pages supported on a cloud-hosted Content Management System (CMS).
  • How many levels of user access are there for the website?  Answer: four: viewer, publisher, admin and host access.
  • Regarding the election process and procedure:
    • Is the scope limited to information systems and the data they are processing?  Answer: Yes, including the data input processes.
    • Are there formal guidelines or checklists for this to assess against?  Answer: Yes, see the attached supporting documents below.
  • For the vulnerability scan, assets are likely at a number of locations throughout the county. Is this an internal credentialed scan, and are all target assets scannable from a single point?  Answer: It is an internal scan and all target assets are scannable from a single point.
  • Are any portions of the in-scope assets cloud-based?  Answer: No, however, the election results web page is on a hosted CMS and we do wish to assess the risk associated with the use of this page.
  • On page 10, section 11.1.13 of the RFP states "unless expressly set forth in writing in an SOW, the Software shall not contain any open source software and shall not be an alpha or beta version."  Specifically, what is "Software" referring to in this case?  Answer:  This term relates only to software being sold to the County and not tools used in the provision of services.
  • What is the start date of this contract?  Answer: as soon as possible following the award of a contract.
  • How much has Sauk County budgeted for this contract?  Answer: this project is to be grant-funded and has not been budgeted.  The project budget will be determined by the proposals received.
  • How does the election system integrate into other County Systems?  Answer: the election management system resides on the County's private network, on a secure VLAN, and is segregated from all other systems.
  • Is there potential to spill over into critical systems like law enforcement, and nursing facility?  Answer:  this is not the intent of the project.
  • Is a general overview of overlap expected instead of exact specifics? Answer: this is a vendor-defined parameter.
  • Is there a remote access solution? If so, how many users are remote?  Answer:  Yes, all election system users have remote access to County network resources, however, the election management system is not accessible remotely.
  • Since the testing is allowed to be remote, will connectivity to internal network resources be supplied?  Answer: this is dependent on the vendor's access requirements.
  • Where is the website currently hosted, AWS, Azure, other hosting company?  Answer: the website is hosted by Municode.
  • Approximately how many processes, policies, procedures are there for the items listed in section 1.3?  Answer:  unknown at this time.
  • Does the vendor need to provide details on licensing for internal tools a bidder may use on the security assessment services? Answer: No, this condition applies only to software being purchased by Sauk County.  However, the County may require specifications for the tools a vendor proposes to use, including the license agreement, in order to determine the security risk such tools might present.
  • The RFP evaluation criteria includes Continuing Vendor Support. Could the County please clarify what level of continuing support they are requesting?  Answer: this is somewhat contingent upon the findings of the assessment.  The County presumes the vendor would be able to make recommendations for improvements, based upon findings, and assist in verifying the effectiveness of such improvements, if necessary.
  • How quickly will the work begin? Answer: early to mid-November; the work cannot begin until the completion of the November 3 election process.
  • Roughly, how many total devices on the County's private network?  Answer: 1000 - roughly.
  • How many external Web Server IPs to be tested? Answer: none
  • Is the vulnerability scan a one-time scan or need to be ongoing - if ongoing, what is the duration?  Answer: a one-time scan but it may require a follow up to verify recommended corrective measures.
  • What types of devices are on the public/private network that pertain to elections: voting systems, workstations, printers, etc.?  Answer: workstations, printers, servers, firewall - the external private cellular WAN connects to the vote tabulators.
  • Can you explain in more detail what is meant by "Election process and procedure analysis"? Is this question aimed at best cybersecurity process/procedure around election network security? Or actual election processes and procedures?  Answer: this is aimed primarily at cybersecurity but includes those manual processes through which data is entered into the County's on-premise election system.
  • How are the voting systems connected to WWAN devices, and how is this implemented?  Answer: each voting tabulator has a cellular card installed.  To transfer the results from the tabulator to the main server here, the polling place staff initiate a connection via the cellular network and transfer the results via a hotspot here that connects to the server.
  • Of the many devices on Sauk County's private network, how many have access to election resources?  Answer: Roughly 10
  • Will the security assessors be giving clear delineation points between the systems? Answer: Yes
  • Is it possible that there will be inadvertent cross over due to how the county systems are connected?  Answer: I presume this means cross-over between devices that comprise the election system and the rest of the network devices.  This is something we wish to determine with the assessment.