Each county auditor shall implement no later than July 1, 2027, cybersecurity measures including but not limited to:
(1)Implementation and adoption of the ".gov" top-level domain available through the United States department of homeland security through the cybersecurity and infrastructure security agency for all election and voting systems and infrastructure. This adoption is required for election and voting systems and websites and may include all county cyber assets and email domains.
(2)Partitioning the entire auditor's office, including all of its information technology systems and assets, or specifically partitioning election and voting information technology infrastructure from other county assets. The secretary of state shall consult with county auditors on which systems and a
Free access — add to your briefcase to read the full text and ask questions with AI
Each county auditor shall implement no later than July 1, 2027, cybersecurity measures including but not limited to:
(1) Implementation and adoption of the ".gov" top-level domain available through the United States department of homeland security through the cybersecurity and infrastructure security agency for all election and voting systems and infrastructure. This adoption is required for election and voting systems and websites and may include all county cyber assets and email domains.
(2) Partitioning the entire auditor's office, including all of its information technology systems and assets, or specifically partitioning election and voting information technology infrastructure from other county assets. The secretary of state shall consult with county auditors on which systems and assets need to be partitioned or technologically isolated and protected. Eliminating threat actors from moving laterally within a network to target election-related capabilities is paramount. The secretary of state may extend the deadline for a county auditor to comply with this subsection if more time is necessary for implementation.
(3) Isolation of all ballot counting equipment and voting system components as defined in RCW 29A.12.005 from any other network including:
(a) Internal networks within a county election office;
(b) Printer sharing networks external to the ballot counting system;
(c) The internet, world wide web, or other similar networks;
(d) Wifi and radio connectivity;
(e) Wired connectivity; and
(f) Any telephonic or other connectivity.
(4) No configuration of voting systems to:
(a) Establish a connection to an external network; or
(b) Connect to any device external to the voting system.
(5) Purchase of voting systems that include documentation listing security configurations and network security best practices and operating those systems used for conducting primaries and elections in a manner consistent with that documentation.
(6) Restricting all data transfers from any voting system to using single-use, previously erased devices that contain no information prior to connection with the system. This includes pen drives, flash memory drives, memory sticks, and any other removal media used to transfer data. Devices used in data transfer must either be provided by the secretary of state to the county auditor for single use, or the media must be overwritten by the county auditor by following guidelines for media sanitization defined in rules promulgated by the secretary of state.
Findings — Intent — 2025 c 329: "(1) The legislature finds that the electronic and physical security of election and voting infrastructure are of primary importance, and wishes to require new security requirements. The legislature further finds that:
(a) Requiring the use of the ".gov" top-level domain on all websites and email communication reduces opportunities for confusion and cyber threats. The ".gov" top-level domain is managed by the United States department of homeland security through the cybersecurity and infrastructure security agency, is limited to bona fide government agencies, and features fraud prevention controls. There is no fee charged to adopt a ".gov" top-level domain.
(b) Requiring the partitioning of internal government networks, servers, and other supporting electronic infrastructure separate from other electronic equipment housed in the same location provides a more secure environment. Partitioning can involve physically or logically separating the entire auditor's office, including all its information technology systems and assets, or focusing specifically on election and voting infrastructure from other county assets. The goal is to reduce the risk of compromises that may occur on other parts of the county network. Partitioning also enables tighter control and monitoring of access to critical systems, whether it applies to the entire auditor's office or just election-related systems and assets.
(c) Because the secretary of state and county election offices are electronically interconnected and speedy communication with the state when a county is under attack or has suffered a security breach is imperative, requiring all vendors supporting county or state cyber assets to communicate to the secretary of state and the attorney general immediately after detecting a breach or successful cyber attack against their assets is necessary to maintain security.
(2) The legislature intends to require adoption of these security measures in all county election offices as soon as practicable, but no later than July 1, 2027." [ 2025 c 329 s 1 .]