Security Directive 3.0 Reinforces Ohio’s Position as THE Leader in Election Security

COLUMBUS - Ohio Secretary of State Frank LaRose has issued Directive 2022-38 to the state’s 88 county boards of elections. Security Directive 3.0 once again boosts security requirements for Ohio’s 88 county boards of elections, setting the bar even higher and reinforcing Ohio as the gold standard for election security.

The directive, building off the success of similar directives in 2019 and 2020, incorporates a 31-point checklist that establishes new security standards for vendors, strengthens physical security requirements, prevents purchasing of equipment from dangerous foreign entities, and modernizes cybersecurity capabilities. Each county will be allotted up to $10,000 to implement the directive. Requirements within the directive were piloted in five counties where they were successfully implemented, all for under the $10,000. All counties will be expected to complete the requirements by December 30th, 2022.

“It’s not unusual for our team to get calls from other states asking, ‘how do you do it?’,” said LaRose. “Ohio has established a national reputation among election security experts because we refuse to rest on our laurels. Threats are out there every day, both foreign and domestic, and we’re doing everything we can to ensure our boards are ready.”

Included in Security Directive 3.0 are the following:

New Security Standards for Vendors. Nationwide, election systems don’t hold the private vendors who support them accountable. In what is likely a first among states, new standards will be put in place which will boost election integrity and provide safer and more secure service from election vendors.

Fully Comprehensive Vulnerability Scans. Currently, only surface-level security assessments can be made in real-time by the Secretary of State’s Cyber Security Liaisons. New modifications at the county-level will now enable state security professionals to move quickly to identify and mitigate any risks to better protect election systems.

Strengthened Physical Security Protocols: County Boards of Elections will begin utilizing enhanced video surveillance and protocols to ensure the integrity of their voting equipment, including voting machines. Additionally, better protection from potential fires will be implemented and bipartisan dual-lock and key requirements reinforced.

Vulnerability Disclosure Policies for County Vendors: Ohio was the first statewide election system in the nation to implement a Vulnerability Disclosure Policy. This has allowed for the Secretary of State’s office to discover and mitigate vulnerabilities before they can be compromised. Security Directive 3.0 provides a template to require vendors to implement their own Vulnerability Disclosure Policy.

Prohibition on Products from Foreign Vendors Banned by the Federal Government: County Boards looking to purchase certain equipment or products are not allowed to utilize vendors identified as potentially dangerous by the federal government.

Read the Security Directive 3.0 document in its entirety.

Background on the 2019 Security Directive: https://www.ohiosos.gov/media-center/press-releases/2019/2019-06-11/

Background on the 2020 Security Directive: https://www.ohiosos.gov/media-center/press-releases/2020/2020-07-14/

# # #