Communications Coordination & Response Checklist
Elections Crisis Communications Checklist
A cyber crisis has the potential to cast a negative light on the [CHIEF ELECTION OFFICIAL] or a local county elections office—as well as to undermine faith in the elections system. If you are uncertain whether a situation could escalate into a crisis, err on the side of standing up response teams, because you can always stand down if the incident does not escalate. (Consult [JURISDICTION’S]—Continuity of Operations Plan—in crises that impact operations.)
The checklists below can be adapted to your jurisdiction’s processes. They provide guidance on actions to be taken in the lead up to, and days following, a cyber incident. Action: Once a cyber crisis becomes public
Action: Before a cyber crisis
Identify office protocol and a crisis communications team. (Should include IT).
Create a list of terms with common nomenclature for use by all stakeholders.
Set an internal communication plan with elections staff. (How often, when, and where will all staff meet? Information must travel up and down the chain of command with clear boundaries for dissemination and interfacing with the public/media.)
Ensure that all stakeholders can be reached in a crisis without access to the [CHIEF ELECTION OFFICIAL] network or smart phones.
Craft communications materials that can be used in a potential cyber incident. For examples, elections officials may request sample materials from the National Association of Secretaries of State, the National Association of State Election Directors, or the U.S. Election Assistance Commission.)
Ensure that staff understand their role in a cyber incident. For those who do not have a specific task to carry out, reassure them that their work is important and inform them how they can continue doing their jobs while designated managers handle the cyber incident.
Ensure that communications plans can be accessed and are regularly updated.
Action: Before a cyber crisis becomes public
Obtain technical briefing. (Assess and verify all information.)
Decide whether to activate CCRT.
Decide whether website can remain online. If you must disable it, launch a microsite (hosted on a different network) in its place.
If email is potentially compromised, use an outside communications channel
Consult authorities, if needed.
Meet internally in war room; set internal communication schedule.
Determine CCRT roles and responsibilities, if you have not already done so.
Assess stakeholders.
Determine broad communications strategy.
Prepare holding statement.
Develop communications plan.
Draft additional communications required to execute plan, including a communications rollout plan (includes communication with media, stakeholders and employees).
Establish plan for traditional and social media monitoring.
Establish media response protocol.
Notify [CHIEF ELECTION OFFICIAL] employees, if necessary. It may be that only a small group of employees are informed initially. Communicate internally, as needed.
Notify stakeholders (See list on next page), if appropriate, and galvanize support.
Action: Once a cyber crisis becomes public
Fact check: Make sure communications materials reflect current facts.
Execute rollout plan, including informing media, if appropriate.
Determine if microsite/web page is needed.
Record an office greeting for phone system, if necessary.
Maintain a record of inbound media inquiries and responses.
[ADD BULLETS ON FEEDBACK INFO FORM COVERAGE, CONVERSATIONS WITH REPORTERS AND OTHER DATA ON EXTERNAL REACTION]
Begin media (social and traditional) monitoring.
Review and revise messaging, as needed, based on feedback.
General Media Inquiries Checklist
Gather basic facts:
Story topic/angle/deadline
Platform (blog, newspaper, television, radio, etc.) plus request content and images
Other potential interview subjects
Remember: Only designated spokespeople should speak or provide content.
Remember: You have rights when you communicate with journalists, especially when asked about technical details you wouldn’t be expected to know. “Let me see what I can find out for you” is always an option for a response. This response may mean that you return to the reporter without any additional information. You are not obligated to provide details.
Remember: Reporters are under pressure from their editors and may shift the pressure to you. Do not speculate to fill gaps for them.
Notify key people:
Meet internally.
Craft media plan. Includes internal plans for staff and stakeholder communications.
Designate key spokespeople and content providers. Assign tasks.
Assist in crafting messaging. Reflect key audiences, people affected now, and those who will be affected in the future.
Voters
Counties
Candidates
Campaigns
Media
Other government offices
Vendors
General public
SOS employees and their families (if necessary)
Demonstrate leadership by describing the steps you are taking to address this cyber incident. Consider contacting stakeholders who may be affected, especially if you think they may dislike or disagree with your messages.
Key Messages for Baseline Communications
You need to set a baseline understanding for the public that your [JURISDICTION] is taking cybersecurity seriously, and integrating best practices throughout the elections process. Below [are a few/is one example/s] of these baseline communications. In addition to a standing website message, develop key messages for [JURISDICTION’S] cyber preparedness activities and integrate them into current web content and future public remarks by [JURISDICTION’S] elections officials.
Below is one example of baseline communications. For your state, add relevant additional communications.
Sample State Website Message Emphasizing Cybersecurity
Note: Counties can modify to fit their jurisdiction.
Welcome to [STATE] State Elections! We are honored to serve you, the voters of [STATE]. Our mission is to ensure accessible, fair, and accurate elections.
Our office facilitates federal, state, and local elections conducted by all [X NUMBER OF] county election departments. We maintain voting equipment and software integrity, provide training and certification for election administrators, and support the statewide voter registration database.
Through educational programs and materials, we help all eligible [STATE] residents register to vote and cast an informed ballot. This website is one of many ways we provide information about [STATE’S] unique election system, our [INSERT DETAIL ON SYSTEM THAT SETS IT APART]. It provides [STATE] voters the power of citizen legislators, and the special services available to military voters, college students, voters with disabilities, and minority language communities.
We’re proud that [STATE] is at the forefront of elections by embracing technology and innovation to better serve voters. Some of our achievements include:
[INSERT COMBINATION OF ACCOMPLISHMENTS ON TECHNOLOGY AND SECURITY:]
- Second state to provide online voter registration
- First to provide voter registration via Facebook
- Ranked second for election administration in 2010 by the PEW Election Performance Index
- Annual security audit of election equipment
- Paper backup for electronic voting to provide auditable trail of voting records
- Daily review of change log to identify unusual activity
- One of first states to work with Homeland Security to provide cyber hygiene security scans and risk and vulnerability assessments
[STATE] State Elections is passionate about bringing access and transparency to the elections process. I hope you register and vote in our great state!
[CHIEF ELECTION OFFICIAL OR STATE ELECTIONS DIRECTOR]