Current with changes from the 2024 Legislative Session
Section 115.225 - Automated equipment to be approved by secretary of state - standards to be met - rules, promulgation, procedure - touchscreen machines - cyber security review, requirements1. Before use by election authorities in this state, the secretary of state shall approve the marking devices and the automatic tabulating equipment used in electronic voting systems and may promulgate rules and regulations to implement the intent of sections 115.225 to 115.235.2. No electronic voting system shall be approved unless it: (1) Permits voting in absolute secrecy;(2) Permits each voter to vote for as many candidates for each office as a voter is lawfully entitled to vote for;(3) Permits each voter to vote for or against as many questions as a voter is lawfully entitled to vote on, and no more;(4) Provides facilities for each voter to cast as many write-in votes for each office as a voter is lawfully entitled to cast;(5) Permits each voter in a primary election to vote for the candidates of only one party announced by the voter in advance;(6) Permits each voter at a presidential election to vote by use of a single mark for the candidates of one party or group of petitioners for president, vice president and their presidential electors;(7) Accurately counts all proper votes cast for each candidate and for and against each question;(8) Is set to reject all votes, except write-in votes, for any office and on any question when the number of votes exceeds the number a voter is lawfully entitled to cast;(9) Permits each voter, while voting, to clearly see the ballot label;(10) Has been tested and is certified by an independent authority that meets the voting system standards developed by the Federal Election Commission or its successor agency. The provisions of this subdivision shall not be required for any system purchased prior to August 28, 2002.3. The secretary of state shall promulgate rules and regulations to allow the use of a computerized voting system. The procedures shall provide for the use of a computerized voting system with the ability to provide a paper audit trail. Notwithstanding any provisions of this chapter to the contrary, such a system may allow for the storage of processed ballot materials in an electronic form.4. Any rule or portion of a rule, as that term is defined in section 536.010, that is created under the authority delegated in this section shall become effective only if it complies with and is subject to all of the provisions of chapter 536 and, if applicable, section 536.028. This section and chapter 536 are nonseverable and if any of the powers vested with the general assembly pursuant to chapter 536 to review, to delay the effective date or to disapprove and annul a rule are subsequently held unconstitutional, then the grant of rulemaking authority and any rule proposed or adopted after August 28, 2002, shall be invalid and void.5. If any election authority uses any touchscreen direct-recording electronic vote-counting machine, the election authority may continue to use such machine. Upon the removal of such voting machine from the election authority's inventory because of mechanical malfunction, wear and tear, or any other reason, the machine shall not be replaced and no additional direct-recording electronic vote-counting machine shall be added to the election authority's inventory. Such machines shall not be used beginning January 1, 2024. Equipment that is designed for accessibility shall provide a paper ballot audit trail.6.(1) Each election authority that controls its own information technology department shall, once every two years, allow a cyber security review of their office by the secretary of state or alternatively by an entity that specializes in cyber security reviews. Each political subdivision that controls the information technology department for an election authority shall, once every two years, allow a cyber security review of the information technology department by the secretary of state or alternatively by an entity that specializes in cyber security reviews. The secretary of state shall, once every two years, allow a cyber security review of its office by an entity that specializes in cyber security reviews. For purposes of this section, an entity specializes in cyber security review if it employs one or more individuals who: (a) Have at least five years management experience in information security or five years' experience as an information security analyst;(b) Have worked in at least two of the domains listed in paragraph (c) of this subdivision that are covered in the exam required by such paragraph; and(c) Have attained an information security certification by passing an exam that covers at least three of the following topics:a. Information technology risk management, identification, mitigation, and compliance;b. Information security incident management;c. Information security program development and management;d. Risk and control monitoring and reporting;e. Access control systems and methodology;f. Business continuity planning and disaster recovery planning;g. Physical security of election authority property;h. Networking security; ori. Security architecture application and systems development.(2) If an election authority or political subdivision fails to have a cyber security review as required by this subsection, the secretary of state may publish a notice of noncompliance in a newspaper within the jurisdiction of the election authority or in electronic format. The secretary of state is also authorized to withhold funds from an election authority in violation of this section unless such funding is a federal mandate or part of a federal and state agreement.7. The secretary of state shall have authority to require cyber security testing, including penetration testing, of vendor machines, programs, and systems. Failure to participate in such testing shall result in a revocation of vendor certification. Upon notice from another jurisdiction of cyber security failures or certification withholds or revocation, the secretary of state shall have authority to revoke or withhold certification for vendors. The requirements of this section shall be subject to appropriation for the purpose of cyber security testing.8. The secretary of state may designate an organization of which each election authority shall be a member, provided there is no membership fee and the organization provides information to increase cyber security and election integrity efforts.9. All audits required by subsection 6 of this section that are conducted by the secretary of state shall be solely paid for by state and federal funding.Amended by 2022 Mo. Laws, HB 1878,s A, eff. 8/28/2022.Amended by 2018 Mo. Laws, SB 592,s A, eff. 11/7/2018.L. 1977 H.B. 101 § 8.005, A.L. 1993 S.B. 52, A.L. 1995 S.B. 3, A.L. 2002 S.B. 675, A.L. 2006S.B. 1014 & A.730