NEW HAMPSHIRE DEPARTMENT OF STATE Robert P Ambrose William M Gardner Secretary of State Senior Deputy Secretary of State David M Scanlan Deputy Secretary of State Anthony B S Stevens Assistant Secretary of State July 12 2018 Mr Brian D Newby Executive Director U S Election Assistance Commission 1335 East West Highway Suite 4300 Silver Spring MD 20910 Re Input Plan Narrative and Budget for the period March 23 2018 through September 30 2019 pursuant to the 2018 Election Reform Program payments authorized by the U S Congress in the Consolidated Appropriations Act of 2018 and the 5% State match Dear Mr Newby Please find herewith New Hampshire’s Input Plan Narrative and Budget for the period March 23 2018 through September 30 2019 to satisfy the United States Election Assistance Commission’s request for “1-3 page project narrative budget for how the funds will be used in your state territory ” I Stakeholder Input Plan Following passage of the 2018 Election Reform Program the Secretary of State has gathered input for this plan in over 40 sessions at multiple locations throughout the State with state election officials moderators clerks supervisors of the checklist state cybersecurity officials and individuals with disabilities During this time frame the Secretary of State has conducted the following     Security training during the town and city clerks’ regional workshops and introductory training in the statewide voter registration system Interviews and listening sessions with a variety of local election officials Cybersecurity assessments and An attack surface assessment 1 In addition two of the Secretary of State’s staff and a local election official participated in an election cybersecurity tabletop exercise conducted by the Harvard Kennedy School’s Belfer Center In connection with the 2018 Election Reform Program adopted by Congress the Secretary of State has  Identified and is working with cybersecurity companies to assess vulnerabilities and strengthen resilience  Assessed a number of attack surfaces  Tested and used cybersecurity training methodologies  Obtained feedback from election officials on readiness to learn adopt internalize and implement cybersecurity and security practices  Obtained input and recommendations concerning training and election integrity issues  Obtained feedback on goals best practices and local needs toward achieving cybersecurity and resilience  Identified ongoing priorities and maintenance requirements to achieve goals associated with HAVA and  Assessed the need to improve the accessible voting system and discussed the issues involved with people with disabilities Based on the above stakeholder input the Secretary of State has identified and prioritized cybersecurity needs in order to develop the following narrative and budget for Congress’s anticipated 2018 Election Reform Program payment and the State’s 5% match II Narrative The Secretary of State may use Congress’s 2018 payments as set forth by Congress in the 2018 Election Reform Program and HAVA Section 101 as follows A B C D E F G H Enhance election technology and make election security improvements Comply with the requirements under HAVA Title III Improve the administration of elections for Federal office Educate voters concerning voting procedures voting rights and voting technology Train election officials poll workers and election volunteers Review the State’s plan for any necessary modifications regarding HAVA payments Improve voting systems and technology and methods for casting and counting votes and Provide access for individuals with disabilities Goals The following are New Hampshire’s ongoing cybersecurity goals  Resilience training for election officials 2      Encouraging developing of local Continuity of Operations Plans Operating a polling place without dependence on the electrical grid Conducting quick and accurate hand counting Effective reconciliation Saving printing checklist before election day  Cybersecurity training for election officials       Terms and concepts Threats Hacker awareness Avoiding phishing ransomware and social engineering attacks Incident and threat reporting Incident response  Leveraging existing cybersecurity programs offering free services  Information sharing with states and local governments  Vulnerability assessment and remediation     Ongoing risk assessments Insider threat analysis External threat analysis Penetration testing internal and external  Hardening databases and servers            Avoiding phishing ransomware and social engineering attacks Monitoring those who access elections databases Multi-factor authentication USB port analysis User log analysis Endpoint security – scanning emails anti-virus Visibility and analysis of all data on servers Device compliance Software to investigate and obtain visibility of each attack step addressing malware ransomware etc User behavioral analysis looking for and reporting anomalies Security scans 24 7 365  State employee training and monitoring     Avoiding phishing ransomware and social engineering attacks Cybersecurity courses Monitoring server and email use Tabletop exercises in cybersecurity resilience 3  Avoiding inadvertent creation of new attack surfaces  Automated threat response  Actionable analysis  Breach protection  Compromise assessment  On-board networking III Budget $977 216 for 18 months Based on Congress’s 2018 Election Reform Program appropriation the State anticipates receiving 2018 federal payments of $3 102 253 and a state match of $155 133 for an anticipated total of $3 257 386 The State plans to implement this plan by spending the amount of $977 216 in the 18 months between March 23 2018 and September 30 2019 the Federal fiscal year end The U S Election Assistance Commission has indicated that from a federal perspective 2018 federal payments can be spent starting on March 23 2018 This federal perspective does not preempt the need to comply with state laws For more than 12 years the Secretary of State’s office has sought to avoid creation of new attack surfaces and conducted regular cybersecurity and resilience training Back-ups have been saved in multiple locations and election officials have been encouraged to save and if necessary print out checklists well before each election Subject to the above Narrative these funds will be used to build on prior efforts to enhance cybersecurity and resilience It would be neither prudent nor efficient at this time to define budget needs by small categories Flexibility in using staff and or consultants leads to better cybersecurity outcomes and posture Cybersecurity and resilience has and continues to be integrated into procedures training Help Desk services and hardware and software This plan narrative and budget is intended to provide the general public and interested parties with a useful description of our plans to use the 2018 Election Reform Program payment and the 5% State match Sincerely yours William M Gardner CC Mark Abbott U S Election Assistance Commission 4