The Purpose of Maturities#
Not all election offices have the same experience, resources, or needs. States and territories vary from a few thousand residents to tens of millions, counties and municipalities from a few dozen residents to more than ten million. The differences in populations-served result in widely varying tax bases, staffing levels, number and type of IT and physical assets, and more. Correspondingly, different election offices will implement different best practices at different times.
While an election office should implement best practices that best fit its needs, establishing maturities provides rough contours around these differences. By defining maturities, the EI-ISAC can provide a starting point that any given office can implement or use to tailor its approach.
Maturities in the Essential Guide#
This section will help election officials determine their current maturity. This Guide defines three levels to reflect an organization’s capabilities in managing cybersecurity risk. The maturities closely align to the three CIS Controls Implementation Groups (IGs), with important differences based on the nature of and risks associated with election administration. You can learn more about the CIS Controls and its IGs in the CIS Controls best practice.
The three maturities are:
Level 1: The organization responds to threats when presented to them or when attacked but has little capacity to predict, foresee, or model attacks.
Level 2: The organization focuses on deploying tools to stay ahead of threats and attempts to implement lessons learned. Some staff and contractors may specialize in cybersecurity but generally don’t have specialized domains within cybersecurity.
Level 3: The organization assesses its risks and employs experts in the different facets of cybersecurity—e.g., risk management, penetration testing, application security.
Using the Maturity Levels#
The next page will provide questions that can help guide you to one of the three maturities. Use it as a starting point and adjust as needed.
Each best practice has tailored guidance for each maturity, ranging from simple guidance and (usually free) tools for the Level 1 maturity to enterprise-driven and sophisticated guidance and tools for the Level 3 maturity. Use the best practices priorities for your maturity level: