Election officials bear responsibility for election security, so they need their own election-specific Incident Response Plan to address situations that may impact election infrastructure. Whether they adopt a jurisdiction-wide plan and refine it or create a separate one, election officials don’t – and shouldn’t – own every part of the response and reporting process. The Election Security Working Group (ESWG) needs to develop and own the Incident Response Plan, with election staff and security partners fulfilling specific roles and responsibilities.
The Incident Response Plan needs to include all information and instructions essential for responding to and reporting an election security incident. There is no perfect format, but poor organization can limit the plan’s effectiveness. A plan’s format is effective if the users understand it, are comfortable with it, and can find the information they need.
It’s imperative that the plan define who is in charge, identify roles and responsibilities, and guide users through responding and reporting. Using the all-hazards approach, an Incident Response Plan created by an ESWG would include:
- Basic Plan: An overview of the ESWG members and election security policies. It explains the framework for election operations and assigns responsibilities for responding to and reporting a confirmed or suspected incident.
- Functional Annexes: Oriented toward operations, each annex focuses on one of the critical emergency functions, such as evacuation; securing critical assets to set up a temporary location; and communicating changes to the public.
- Hazard-Specific Appendices: These provide additional detailed information applicable to the performance of a particular function in the face of a particular hazard (e.g., hurricane or potentially hazardous material). Include unique considerations such as response procedures, protective actions, and emergency public information in handling the hazard. They should not duplicate information in the functional annex.
- Processes & Checklists: These are detailed instructions that an organization, office, or individual needs to perform tasks assigned in the Functional Annexes. These can be in a separate section or incorporated into functional annexes.
Because the Functional Annexes carry most of the operational detail, the example below shows one option for formatting them.
- Objective: General statement of what the function is meant to do.
- Key Security Partners and Stakeholders: Accurate, up-to-date list of ESWG members, organizations, positions, and contact details for persons involved with the response and reporting processes.
- Delegation of Responsibilities: Tasks that each ESWG member is to perform (not the actual processes, just the general task, such as “evacuate people to safety”). When two or more organizations perform the same task, give one primary responsibility and the other a supporting role.
- Incident Notification Plans: Standardized procedures and methods of communication – including redundancies from your PACE (Primary, Alternate, Contingency, Emergency) Plan – for notifying appropriate security partners and stakeholders based on observed symptoms and level of criticality.
- Characterization of the Situation: Outline of hazards addressed in the annex, details of the nature/indicators of the hazards, and what characteristics may affect response activities. Users can reference this to identify suspected or confirmed incidents and initiate the appropriate notification plan for escalation and reporting.
- Plan of Action: Sequence of actions before, during, and after the emergency situation.
- Information on Resources and Administrative Support: General support requirements and availability of services necessary for accomplishing the tasks.
Gauge the usability of your incident response plan by regularly testing it. This doesn’t have to be a formal event or tabletop exercise (TTX), but make sure to test it beforehand. After an incident, go back and conduct an after-action review or lessons-learned meeting to update and refine your incident response plan. If it’s not user-friendly or has some gaps, a change of format may be necessary.
Check out these nonpartisan resources for a deeper dive into Incident Response Plans:
Next week, we’ll move into the Detection and Analysis phase of the incident response process.
The Planning Desk is a running timeline of key election security tasks. You can find prior editions in the newsletter archive.