See other bills
under the
same topic
PRIOR PRINTER'S NO. 1331
PRINTER'S NO. 1555
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL
No.
1018
Session of
2022
INTRODUCED BY AUMENT, YAW, MARTIN, ARGALL, BARTOLOTTA, ROBINSON,
J. WARD, SCAVELLO, REGAN, BROOKS, PITTMAN, STEFANO,
MASTRIANO, PHILLIPS-HILL, HUTCHINSON AND BAKER,
JANUARY 20, 2022
SENATOR ARGALL, STATE GOVERNMENT, AS AMENDED, APRIL 6, 2022
AN ACT
Amending Title 25 (Elections) of the Pennsylvania Consolidated
Statutes, in registration system, providing for updating the
SURE system; and making inconsistent repeals.
AMENDING TITLE 25 (ELECTIONS) OF THE PENNSYLVANIA CONSOLIDATED
STATUTES, IN REGISTRATION SYSTEM, FURTHER PROVIDING FOR SURE
SYSTEM; IN VOTER REGISTRATION, FURTHER PROVIDING FOR APPROVAL
OF REGISTRATION APPLICATIONS; IN CHANGES IN RECORDS, FURTHER
PROVIDING FOR DEATH OF REGISTRANT; IN PROVISIONS CONTINGENT
ON FEDERAL LAW, FURTHER PROVIDING FOR REMOVAL OF ELECTORS;
AND MAKING A RELATED REPEAL.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Title 25 of the Pennsylvania Consolidated
Statutes is amended by adding a section to read:
§ 1224. Updating the SURE system.
(a) Creation of new system.--The department shall begin the
process for replacing the current SURE system. The new system
shall incorporate all of the following improvements:
(1) Automated processes, including a hard stop, to
prevent the inclusion of duplicate driver's license numbers.
(2) Automated processes in the replacement system for
<--
<--
<--
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
SURE to prevent the recording of obviously inaccurate date of
births and voter registration dates.
(3) Current leading security features.
(b) Changes for new and existing system.--The department
shall incorporate the following information technology
enhancements into the design of the replacement SURE system
and implement some or all of the following enhancements into
the current SURE system:
(1) A Geographic Information System feature and related
enhancements that would check addresses to:
(i) Ensure the address is within the county
identified on the application.
(ii) Ensure that electronic applications are
forwarded to the correct county for processing.
(iii) In the case of paper applications, ensure that
county staff can be immediately alerted if the address
posted to SURE is not within the county listed on the
application.
(2) An edit check that would alert or prevent county
staff from approving applications that have non-Pennsylvania
states or zip codes within the residential addresses.
(3) A read-only feature for certain data fields that
typically do not change, including date of birth, driver's
license number and Social Security number to prevent
unintended edits. These fields may be edited only by
designated management staff along with documenting the reason
for the edit.
(4) A hard-stop feature in the SURE system that would
prevent county staff from canceling voter records using
unallowable codes within 90 days of an election.
20220SB1018PN1555 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(5) A declination notice to be automatically generated
and mailed to individuals that are not currently registered
to vote but submit a change of address request for their
voter registration record. This will assist in notifying
those individuals that they are not registered to vote.
(6) The ability for department and county staff to build
and run their own reports.
(c) Updates.--The department shall make the following
updates to the SURE system:
(1) Require the provision of specific policies and
direction from Federal authorities supporting the
department's position in the event that the secretary
believes the department cannot provide information due to
security concerns.
(2) Evaluate the lists of voter registration records
with the same driver's license numbers and potential
duplicate cases provided by the Department of the Auditor
General and work with the county election offices to
investigate and eliminate the specific duplicate information
identified during the audit.
(3) Perform additional data analysis and cleansing
procedures and work with the counties to remove duplicate and
incorrect data from the SURE system before migration into the
replacement system for SURE.
(4) Evaluate and update, as needed, the instructions
provided to the counties in the SURE job aids to ensure the
instructions provide adequate guidance on how to check for
duplicates in the SURE system or the replacement system for
SURE.
(5) Work with the Department of Health to ensure the
20220SB1018PN1555 - 3 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
process is working properly regarding forwarding death
records to the department with all relevant, appropriate and
corrected information so that counties can evaluate the
information and cancel the voter registrations of deceased
individuals.
(6) Ensure agreements with other agencies include
requirements that vendors comply with all Commonwealth
security policies and that the agencies update vendor
contracts to include the most recent Department of General
Services Information Technology's Contracts Terms and
Conditions policy for security, confidentiality and audit
provisions.
(7) Implement the security guidelines issued by the
United States Department of Homeland Security, Cybersecurity
and Infrastructure Security Agency in May 2019, entitled Best
Practices for Securing Election Systems.
(8) Monitor vendors through a documented process that
complies with Management Directive 325.13, Service
Organization Controls, including documented reviews of
service organization control reports.
(9) Collaborate with the Department of Transportation
and Governor's Office of Administration, Office for
Information Technology, to identify key contacts at each
agency and delivery center who would provide oversight and
evaluation of each service organization's internal controls.
Specific consideration should be given to the following:
(i) Timely reviewing Service Organization Controls
reports and documenting the assessment of the review.
(ii) Reviewing Service Organization Controls reports
for noted exceptions that may affect department processes
20220SB1018PN1555 - 4 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
and follow up with the vendor's corrective action plans.
(iii) Reviewing Service Organization Controls
reports' complementary user entity controls to ensure
those controls are in place and operating effectively at
agencies or applicable sub-service organizations.
(iv) Ensuring Service Organization Controls report
results are communicated to all affected agencies and
escalation procedures exist when the report includes
control objective exceptions, testing deviations or a
qualified opinion.
(10) Update the SURE equipment use policy to address the
risk of counties connecting county-owned equipment to the
SURE system or deviating from the preferred architectural
model.
(11) Ensure that all county users, including county
administrators and vendors, review and sign an updated
version of the SURE equipment use policy.
(12) Correct the reference to the SURE user and
equipment policy on the SURE user ID request form to
eliminate confusion as to policy requirements applicable to
county users of the SURE system.
(13) Create a master list of all SURE system policies
applicable to the counties and the county's information
technology vendors, which clearly specifies the most recent
approved versions for each policy.
(14) Emphasize to the counties the vital need and
importance of having a second person review the data entered
into SURE to reduce data entry errors and increase the
accuracy of voter records.
(15) Request that legal counsel make a determination as
20220SB1018PN1555 - 5 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
to whether the department can:
(i) Direct the counties to review pending
applications and reject them.
(ii) Establish a time period for requiring counties
to process, or reject if applicable, all applications
placed into pending status.
(16) Instruct the counties to review the applications in
pending status to determine if another application for the
person has been approved which would then lead the county to
reject the initial application currently in pending status.
(17) Develop detailed written procedures, including
detailed processes to be performed and by whom, regarding the
department monitoring the activities of the counties to
ensure required processes are completed properly and timely.
(18) Instruct the counties that have not been updating
the status of voters from active to inactive, for those
voters who meet the criteria of an inactive voter, to perform
list maintenance and update voters' status as necessary. The
department shall determine the deadline for counties to
complete this update. A formal reminder shall be sent to each
county on the importance of the need to perform this type of
list maintenance.
(19) Instruct the counties that have not been canceling
the records of the inactive voters who meet the criteria for
cancellation to perform list maintenance and update voters'
status as necessary. The department shall determine the
deadline for counties to complete this update. A formal
reminder shall be sent to each county on the importance of
the need to perform this type of list maintenance.
(20) Utilize information available from the Electronic
20220SB1018PN1555 - 6 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Registration Information Center to assist in improving the
accuracy of voter registration records.
(21) Forward information for the four voting records
that contained non-Pennsylvania residential information to
the applicable counties for follow up and possible
cancellation.
(22) Forward information for the 23 voting records that
appeared to contain inaccurate non-Pennsylvania residential
data to the specific counties to research or correct the
state name or zip code within SURE.
(23) Formally remind counties of the need to properly
code transactions when they cancel voter registrations as a
result of list maintenance in order to reduce the number of
cancellations with no reason code or incorrect reason codes.
(24) Continue to offer hands-on training on the SURE
system and ensure that each county is made aware of the
availability of this training.
(25) Update the applicable job aids as appropriate to
reflect changes in processes, including added steps for
identifying duplicate voters when processing applications or
linking a Department of Health death record with a registered
voter.
(26) Include an issued date on all job aids distributed
to the counties and an indexed list of all job aids readily
available on the department's publicly accessible Internet
website to provide a reference as to which version of a job
aid is the most current and the date of the revision.
(27) Provide guidance to the counties regarding the
maximum length of time that an application can remain in
pending status and how to appropriately determine whether the
20220SB1018PN1555 - 7 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
application should be approved or rejected, if it is
determined that the department has the legal authority.
(d) Audits, studies and reviews.--The department shall
implement the following:
(1) Require an annual independent audit of each part of
the SURE system, supporting architecture and connected
systems using a comprehensive framework of security standards
which includes a test of the information technology's general
controls, tests of cyber-security controls, vulnerability
assessments and penetration testing. The following shall
apply:
(i) Require that auditors have full and confidential
access to all information and documents.
(ii) Require sufficient and appropriate evidence to
back up assertions that the disclosure of certain
information to auditing agencies is legally impossible.
(iii) Require counties, the Department of
Transportation and other related agencies involved in
voter registration to cooperate with future audits.
(iv) Require results of audits be provided to those
in charge of the governance of the SURE system.
(2) After conducting cleansing procedures in preparation
for migrating to the replacement system for SURE, perform
periodic data analysis to ensure that duplicate records
created in error are identified and removed from SURE in a
timely manner.
(3) Evaluate the lists of voter records provided by DAG
with a date of birth listed in SURE as January 1, 1800,
January 1, 1900, or January 1, 1901, and who appear to be 100
years of age or older and instruct the counties to determine
20220SB1018PN1555 - 8 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
the correct date of birth and ensure the record is still
valid and the voter is not deceased.
(4) Evaluate the lists of potentially deceased voters
provided by the Department of the Auditor General and
instruct the counties to investigate and take appropriate
action to cancel deceased voters' records in SURE.
(5) Study the benefits of an additional periodic
comparison of the cumulative file of deaths received from the
Department of Health to records in SURE to identify any
voters that may have been missed during past reviews. The
department should consider performing the match using data
analysis techniques and provide matching records to the
counties for follow-up.
(6) Study the creation of an oversight body to regularly
meet about the SURE system consisting of members with SURE
system knowledge, relevant expertise and the appropriate
independence to perform oversight duties. The secretary may
appoint members who represent all key stakeholders of the
SURE system, including the counties and the Governor's Office
of Administration, Office for Information Technology.
(7) Study instituting the use of a form for counties to
request and receive approval from the department for
deviations from the approved network architectural model or
the use of county-owned equipment.
(8) Study supplementing the data analysis by contracting
with a third-party vendor to periodically perform analysis on
the data in SURE to identify potentially inaccurate or
missing data for the department or counties to investigate
and resolve.
(9) Study working with the Department of Transportation
20220SB1018PN1555 - 9 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
to revise the voter registration process to ensure all
required voter registration information is obtained when an
individual requests to update an individual's voter
registration address.
(10) Develop an effective audit trail for registration
applications received through the Electronic Registration
Information Center to enable either department or county
election staff to review and confirm the accuracy of
information in SURE to the original point of entry of
information by the registrant in accordance with the
following:
(i) (Reserved).
(ii) If the department is unable to implement this
policy electronically, the department should develop a
policy requiring county election staff to print out and
scan into SURE voter registration related documents that
are received through the Electronic Registration
Information Center and attach the documents to the
voter's record.
(11) Develop and issue a directive regarding records
retention for SURE and work with the Pennsylvania Historical
and Museum Commission to confirm that the County Records
Manual regarding election records is entirely uniform with
the SURE records retention directive to help ensure
consistency of records retention amongst all the counties.
The directive shall be in accordance with the following:
(i) The availability of source documentation for
purposes of evaluating accuracy of the voter registration
information by an external party must be considered.
(ii) The directive should be placed in a prominent
20220SB1018PN1555 - 10 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
location on the department's publicly accessible Internet
website.
(iii) Require that the directive be sent at least
yearly to all county election offices.
(12) Update the SURE regulations to ensure that the
records are in accordance with the newly developed and
distributed record retention policy and the updated
Pennsylvania Historical and Museum Commission's County
Records Manual.
Section 2. The department may promulgate rules and
regulations to administer and enforce this act.
Section 3. The following acts and parts of acts are repealed
insofar as they are inconsistent with this act:
(1) 25 Pa.C.S. § 1323(a)(1).
(2) 25 Pa.C.S. § 1328(c).
(3) 25 Pa.C.S. § 1401(c).
(4) 25 Pa.C.S. § 1402(b)(3).
(5) 25 Pa.C.S. § 1405(c).
(6) 25 Pa.C.S. § 1707.
(7) 25 Pa.C.S. § 1901(b)(1)(i).
Section 4. This act shall take effect in 60 days.
SECTION 1. SECTION 1222 OF TITLE 25 OF THE PENNSYLVANIA
CONSOLIDATED STATUTES IS AMENDED BY ADDING SUBSECTIONS TO READ:
§ 1222. SURE SYSTEM.
* * *
(B.1) ADVISORY BOARD.--
(1) THE SURE ADVISORY BOARD IS ESTABLISHED TO ADVISE THE
DEPARTMENT REGARDING THE IMPLEMENTATION AND DEPLOYMENT OF THE
SURE SYSTEM.
(2) THE ADVISORY BOARD SHALL CONSIST OF THE FOLLOWING
20220SB1018PN1555 - 11 -
<--
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
MEMBERS:
(I) INDIVIDUALS IDENTIFIED UNDER SUBSECTION (C.4)(1)
FROM THE DEPARTMENT OF TRANSPORTATION, THE DEPARTMENT OF
STATE, THE OFFICE OF ADMINISTRATION AND THE OFFICE OF
INFORMATION TECHNOLOGY TO BE APPOINTED BY THE SECRETARY.
(II) ONE COUNTY DIRECTOR OF ELECTIONS APPOINTED BY
EACH OF THE FOUR CAUCUSES IN THE GENERAL ASSEMBLY.
(III) THE PRESIDENT AND VICE PRESIDENT, OR A
DESIGNEE OF THE PRESIDENT AND VICE PRESIDENT, OF THE
COUNTY COMMISSIONERS ASSOCIATION OF PENNSYLVANIA.
(IV) THE CHAIR AND MINORITY CHAIR OF THE STATE
GOVERNMENT COMMITTEE OF THE SENATE, OR A DESIGNEE.
(V) THE CHAIR AND MINORITY CHAIR OF THE STATE
GOVERNMENT COMMITTEE OF THE HOUSE OF REPRESENTATIVES, OR
A DESIGNEE.
(3) THE TERM OF OFFICE OF EACH MEMBER OF THE ADVISORY
BOARD SHALL BE COTERMINOUS WITH THE TERM OF THE AUTHORITY
APPOINTING THAT MEMBER.
(4) THE ADVISORY BOARD SHALL MEET WITHIN 90 DAYS OF THE
EFFECTIVE DATE OF THIS SUBSECTION AND SHALL SELECT ONE OF THE
MEMBERS APPOINTED UNDER PARAGRAPH (2) AS THE CHAIR OF THE
ADVISORY COMMITTEE. THE FOLLOWING APPLY:
(I) AFTER THE INITIAL MEETING, THE CHAIR OF THE
ADVISORY BOARD SHALL ORGANIZE MONTHLY MEETINGS OF THE
ADVISORY BOARD UNTIL THE ADVISORY BOARD DETERMINES BY A
TWO-THIRDS VOTE TO CHANGE THE FREQUENCY OF THE MEETINGS.
(II) THE RELEVANT DEPARTMENT STAFF AND
REPRESENTATIVES OF RELEVANT PROJECT VENDORS SHALL ATTEND
EACH MEETING OF THE ADVISORY BOARD.
(III) THE DEPARTMENT SHALL PROVIDE ADMINISTRATIVE
20220SB1018PN1555 - 12 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
SUPPORT FOR THE ADVISORY BOARD.
(5) THE ADVISORY BOARD SHALL HAVE THE FOLLOWING POWERS
AND DUTIES:
(I) TO MONITOR THE DEVELOPMENT, IMPLEMENTATION,
DEPLOYMENT AND MAINTENANCE OF THE SURE SYSTEM.
(II) TO REQUEST INFORMATION RELATED TO THE SURE
SYSTEM. THE DEPARTMENT SHALL PROVIDE INFORMATION
REQUESTED UNLESS THE SPECIFIC INFORMATION IS DETERMINED
BY THE DEPARTMENT TO BE OF A PROPRIETARY INTEREST OR THE
RELEASE OF THE INFORMATION IS PROHIBITED BY LAW, IN WHICH
CASE, THE DEPARTMENT SHALL PROVIDE SUFFICIENT AND
APPROPRIATE EVIDENCE TO BACK UP ASSERTIONS THAT THE
DISCLOSURE OF CERTAIN INFORMATION TO THE ADVISORY BOARD
IS LEGALLY IMPOSSIBLE.
(III) TO MAKE RECOMMENDATIONS TO THE DEPARTMENT
REGARDING THE SURE SYSTEM.
(IV) TO PROVIDE THE DEPARTMENT WITH ASSISTANCE
RELATED TO TESTING OF THE SURE SYSTEM.
(V) TO PROVIDE A REPORT, NO LATER THAN JUNE 30 OF
EACH YEAR, TO THE STATE GOVERNMENT COMMITTEE OF THE
SENATE AND THE STATE GOVERNMENT COMMITTEE OF THE HOUSE OF
REPRESENTATIVES. THE REPORT SHALL INCLUDE THE ADVISORY
BOARD'S ASSESSMENT OF THE PROGRESS REGARDING THE
DEVELOPMENT, IMPLEMENTATION, DEPLOYMENT AND MAINTENANCE
OF THE TECHNOLOGICAL UPGRADES, A LIST OF RECOMMENDATIONS
THAT THE ADVISORY BOARD HAS MADE TO THE DEPARTMENT AND
WHETHER THOSE RECOMMENDATIONS HAVE BEEN ACCEPTED. THE
DEPARTMENT SHALL BE PROVIDED WITH A DRAFT COPY OF THE
REPORT AT LEAST 30 DAYS PRIOR TO SUBMISSION UNDER THIS
SUBPARAGRAPH AND SHALL BE PERMITTED TO INCLUDE THE
20220SB1018PN1555 - 13 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
DEPARTMENT'S RESPONSE TO THE CONTENTS OF THE REPORT. THE
DEPARTMENT MAY NOT DELAY THE SUBMISSION OF THE REPORT BY
THE ADVISORY BOARD.
* * *
(C.1) REQUIRED FEATURES.--NOTWITHSTANDING ANY OTHER
PROVISION OF LAW, THE DEPARTMENT SHALL INCORPORATE THE FOLLOWING
TECHNOLOGY ENHANCEMENT FEATURES WITHIN THE SURE SYSTEM:
(1) AUTOMATED PROCESSES, INCLUDING A HARD STOP, TO
PREVENT THE INCLUSION OF DUPLICATE DRIVER'S LICENSE NUMBERS.
(2) AUTOMATED PROCESSES IN THE REPLACEMENT SYSTEM FOR
THE SURE SYSTEM TO PREVENT THE RECORDING OF OBVIOUSLY
INACCURATE DATE OF BIRTHS AND VOTER REGISTRATION DATES.
(3) CURRENT LEADING SECURITY FEATURES.
(4) A GEOGRAPHIC INFORMATION SYSTEM FEATURE AND RELATED
ENHANCEMENTS THAT WOULD CHECK ADDRESSES TO ENSURE THAT:
(I) THE ADDRESS IS WITHIN THE COUNTY IDENTIFIED ON
THE APPLICATION.
(II) ELECTRONIC APPLICATIONS ARE FORWARDED TO THE
CORRECT COUNTY FOR PROCESSING.
(III) FOR PAPER APPLICATIONS, COUNTY STAFF CAN BE
IMMEDIATELY ALERTED IF THE ADDRESS POSTED TO THE SURE
SYSTEM IS NOT WITHIN THE COUNTY LISTED ON THE
APPLICATION.
(5) AN EDIT CHECK THAT WOULD ALERT OR PREVENT COUNTY
STAFF FROM APPROVING APPLICATIONS THAT HAVE NON-PENNSYLVANIA
STATES OR ZIP CODES WITHIN THE RESIDENTIAL ADDRESSES.
(6) A READ-ONLY FEATURE FOR CERTAIN DATA FIELDS THAT
TYPICALLY DO NOT CHANGE, INCLUDING DATE OF BIRTH, DRIVER'S
LICENSE NUMBER AND SOCIAL SECURITY NUMBER TO PREVENT
UNINTENDED EDITS. THE FIELDS MAY ONLY BE EDITED BY DESIGNATED
20220SB1018PN1555 - 14 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
MANAGEMENT STAFF ALONG WHO MUST DOCUMENT THE REASON FOR THE
EDIT.
(7) A HARD STOP FEATURE THAT WOULD PREVENT COUNTY STAFF
FROM CANCELING VOTER RECORDS FOR REASONS OTHER THAN PROVIDED
FOR IN THIS TITLE WITHIN 90 DAYS OF AN ELECTION.
(8) A DECLINATION NOTICE TO BE AUTOMATICALLY GENERATED
AND MAILED TO INDIVIDUALS THAT ARE NOT CURRENTLY REGISTERED
TO VOTE BUT SUBMIT A CHANGE OF ADDRESS REQUEST FOR THEIR
VOTER REGISTRATION RECORD.
(9) THE ABILITY FOR DEPARTMENT AND COUNTY STAFF TO BUILD
AND RUN THEIR OWN REPORTS.
(C.2) DEPARTMENT RESPONSIBILITIES.-- NOTWITHSTANDING ANY
OTHER PROVISION OF LAW, THE DEPARTMENT SHALL PERFORM THE
FOLLOWING ACTIONS WITHIN 30 DAYS OF THE EFFECTIVE DATE OF THIS
SUBSECTION:
(1) IDENTIFY VOTER REGISTRATION RECORDS WITH THE SAME
DRIVER'S LICENSE NUMBERS AND POTENTIAL DUPLICATE CASES AND
DIRECT COUNTY ELECTION OFFICES TO INVESTIGATE AND ELIMINATE
THE SPECIFIC DUPLICATE INFORMATION IDENTIFIED WITHIN 14 DAYS
AFTER NOTIFICATION FROM THE DEPARTMENT.
(2) IN COORDINATION WITH COUNTIES, PERFORM ADDITIONAL
DATA ANALYSIS AND CLEANSING PROCEDURES TO REMOVE DUPLICATE
AND INCORRECT DATA FROM THE SURE SYSTEM.
(3) EVALUATE AND UPDATE THE INSTRUCTIONS PROVIDED TO THE
COUNTIES IN THE SURE SYSTEM JOB AIDS TO ENSURE THAT THE
INSTRUCTIONS PROVIDE ADEQUATE GUIDANCE ON HOW TO CHECK FOR
DUPLICATES IN THE SURE SYSTEM OR A REPLACEMENT SYSTEM FOR THE
SURE SYSTEM.
(4) IDENTIFY AND COLLABORATE WITH COUNTIES TO RESOLVE
PENDING APPLICATIONS.
20220SB1018PN1555 - 15 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(5) IDENTIFY VOTER RECORDS WITH A DATE OF BIRTH LISTED
IN THE SURE SYSTEM AS JANUARY 1, 1800, JANUARY 1, 1900, OR
JANUARY 1, 1901, AND WHO APPEAR TO BE 100 YEARS OF AGE OR
OLDER AND INSTRUCT THE COUNTIES TO DETERMINE THE CORRECT DATE
OF BIRTH AND ENSURE THAT THE RECORD IS STILL VALID AND THE
VOTER IS NOT DECEASED.
(6) PROVIDE A STATUS REPORT ON THE SURE SYSTEM TO ALL
COUNTIES, INCLUDING CURRENTLY KNOWN CHALLENGES WITH THE SURE
SYSTEM, NUMBERS OF OPEN HELP DESK TICKETS AND PLANNED
DEPLOYMENTS OF SYSTEM CHANGES WITHIN THE NEXT 90 DAYS,
INCLUDING ANY NECESSARY SOFTWARE, HARDWARE, POLICY OR
PROCEDURAL CHANGES THAT WILL BE NEEDED FOR DEPLOYMENT. THESE
STATUS UPDATES SHALL BE PROVIDED ON A BIWEEKLY BASIS
THEREAFTER.
(C.3) ACCURACY OF RECORDS.--THE DEPARTMENT SHALL INSTITUTE
THE FOLLOWING PROCEDURES TO ENSURE THE ACCURACY OF THE VOTER
REGISTRATION LISTS WITHIN THE SURE SYSTEM:
(1) ANNUALLY REVIEW THE PROCESS OF RECEIVING DEATH
RECORDS FROM THE DEPARTMENT OF HEALTH AND NOTIFYING COUNTIES
OF DECEASED INDIVIDUALS AND ENSURE COMPLIANCE WITH SECTION
1505(A) AND (B) (RELATING TO DEATH OF REGISTRANT).
(2) IN COORDINATION WITH THE OFFICE OF ADMINISTRATION
AND OFFICE FOR INFORMATION TECHNOLOGY, IMPLEMENT ELECTION
SECURITY GUIDELINES ISSUED BY THE UNITED STATES DEPARTMENT OF
HOMELAND SECURITY, CYBERSECURITY AND INFRASTRUCTURE SECURITY
AGENCY.
(3) UPDATE THE SURE SYSTEM EQUIPMENT USE POLICY TO
ADDRESS THE RISK OF COUNTIES CONNECTING COUNTY-OWNED
EQUIPMENT TO THE SURE SYSTEM OR DEVIATING FROM THE PREFERRED
ARCHITECTURAL MODEL.
20220SB1018PN1555 - 16 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(4) UTILIZE INFORMATION AVAILABLE FROM THIRD-PARTY
PROVIDERS, INCLUDING THE ELECTRONIC REGISTRATION INFORMATION
CENTER TO ASSIST IN IMPROVING THE ACCURACY OF VOTER
REGISTRATION RECORDS.
(5) ENSURE THAT EACH COUNTY USER, INCLUDING COUNTY
ADMINISTRATORS AND VENDORS, REVIEW AND SIGN AN UPDATED
VERSION OF THE SURE SYSTEM EQUIPMENT USE POLICY.
(6) CREATE A MASTER LIST OF EACH SURE SYSTEM POLICY
APPLICABLE TO THE COUNTIES AND THE COUNTY'S INFORMATION
TECHNOLOGY VENDORS, WHICH CLEARLY SPECIFIES THE MOST RECENT
APPROVED VERSIONS FOR EACH POLICY.
(7) DEVELOP DETAILED WRITTEN PROCEDURES, INCLUDING
DETAILED PROCESSES TO BE PERFORMED AND BY WHOM, REGARDING THE
DEPARTMENT MONITORING THE ACTIVITIES OF THE COUNTIES TO
ENSURE THAT REQUIRED PROCESSES ARE COMPLETED PROPERLY AND
TIMELY.
(8) DETERMINE AND ENFORCE COMPLIANCE WITH SECTION
1901(C) AND (D) (RELATING TO REMOVAL OF ELECTORS).
(9) OFFER HANDS-ON TRAINING ON THE SURE SYSTEM AND
ENSURE THAT EACH COUNTY IS MADE AWARE OF THE AVAILABILITY OF
THE TRAINING.
(10) UPDATE THE APPLICABLE JOB AIDS AS APPROPRIATE TO
REFLECT CHANGES IN PROCESSES, INCLUDING ADDED STEPS FOR
IDENTIFYING DUPLICATE VOTERS WHEN PROCESSING APPLICATIONS OR
LINKING A DEPARTMENT OF HEALTH DEATH RECORD WITH A REGISTERED
VOTER.
(11) INCLUDE AN ISSUED DATE ON EACH JOB AID DISTRIBUTED
TO THE COUNTIES AND AN INDEXED LIST OF EACH JOB AID READILY
AVAILABLE ON THE DEPARTMENT'S PUBLICLY ACCESSIBLE INTERNET
WEBSITE TO PROVIDE A REFERENCE AS TO WHICH VERSION OF A JOB
20220SB1018PN1555 - 17 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
AID IS THE MOST CURRENT AND THE DATE OF THE REVISION.
(C.4) SURE SYSTEM REPORTING AND INFRASTRUCTURE OVERSIGHT.--
NOTWITHSTANDING ANY OTHER PROVISION OF LAW, THE DEPARTMENT SHALL
DO THE FOLLOWING:
(1) IN COORDINATION WITH THE DEPARTMENT OF
TRANSPORTATION, THE OFFICE OF ADMINISTRATION AND THE OFFICE
FOR INFORMATION TECHNOLOGY, CREATE A CLEARLY DEFINED
GOVERNANCE STRUCTURE AND REPORTING REQUIREMENTS FOR THE
OVERSIGHT OF THE MAINTENANCE AND OPERATION OF THE SURE
SYSTEM. THE DEPARTMENT SHALL SHARE THE INFORMATION ALONG WITH
CONTACT INFORMATION WITH COUNTIES.
(2) COLLABORATE WITH THE DEPARTMENT OF TRANSPORTATION,
THE OFFICE OF ADMINISTRATION AND THE OFFICE FOR INFORMATION
TECHNOLOGY TO IDENTIFY KEY CONTACTS AT EACH AGENCY
RESPONSIBLE FOR THE OVERSIGHT AND EVALUATION OF EACH SERVICE
ORGANIZATION'S INTERNAL CONTROLS. SPECIFIC CONSIDERATION
SHALL BE GIVEN TO THE FOLLOWING:
(I) TIMELY REVIEWING SYSTEM AND ORGANIZATION
CONTROLS REPORTS AND DOCUMENTING THE ASSESSMENT OF THE
REVIEW.
(II) REVIEWING SYSTEM AND ORGANIZATION CONTROLS
REPORTS FOR NOTED EXCEPTIONS THAT MAY AFFECT DEPARTMENT
PROCESSES AND FOLLOW UP WITH THE VENDOR'S CORRECTIVE
ACTION PLANS.
(III) REVIEWING SYSTEM AND ORGANIZATION CONTROLS
REPORTS' COMPLEMENTARY USER ENTITY CONTROLS TO ENSURE
THAT THE CONTROLS ARE IN PLACE AND OPERATING EFFECTIVELY
AT AGENCIES OR APPLICABLE SUBSERVICE ORGANIZATIONS.
(IV) ENSURING THAT SYSTEM AND ORGANIZATION CONTROLS
REPORT RESULTS ARE COMMUNICATED TO EACH AFFECTED AGENCY
20220SB1018PN1555 - 18 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
AND ESCALATION PROCEDURES EXIST IF THE REPORT INCLUDES
CONTROL OBJECTIVE EXCEPTIONS, TESTING DEVIATIONS OR A
QUALIFIED OPINION.
(3) ENSURE THAT AGREEMENTS WITH OTHER AGENCIES INCLUDE
REQUIREMENTS THAT VENDORS COMPLY WITH EACH COMMONWEALTH
SECURITY POLICY AND THAT THE AGENCIES UPDATE VENDOR CONTRACTS
TO INCLUDE THE MOST RECENT DEPARTMENT OF GENERAL SERVICES
INFORMATION TECHNOLOGY'S CONTRACTS TERMS AND CONDITIONS
POLICY FOR SECURITY, CONFIDENTIALITY AND AUDIT PROVISIONS.
(4) MONITOR VENDORS THROUGH A DOCUMENTED PROCESS THAT
COMPLIES WITH MANAGEMENT DIRECTIVES, INCLUDING THE FOLLOWING:
(I) IDENTIFY SERVICE ORGANIZATIONS WITHIN THEIR
PURVIEW.
(II) EVALUATE APPROPRIATE LEVELS OF OVERSIGHT, AS
WELL AS DETERMINE WHICH MONITORING REQUIREMENTS,
INDEPENDENT AUDITS, OR ASSESSMENTS ARE NEEDED TO CONFIRM
THE OPERATING EFFECTIVENESS OF A SERVICE ORGANIZATION'S
INTERNAL CONTROL SYSTEM.
(III) INTEGRATE MONITORING, INDEPENDENT AUDIT AND
ASSESSMENT ACTIVITIES INTO THE CONTRACT PROCESS AS
APPROPRIATE, INCLUDING:
(A) D EFINING REQUIRED MONITORING REPORTS AND ON-
SITE ACTIVITIES DURING THE PROCUREMENT PROCESS;
(B) ALERTING POTENTIAL SERVICE ORGANIZATIONS TO
THE NEED FOR INDEPENDENT AUDITS OR ASSESSMENTS DURING
THE PROCUREMENT PROCESS;
(C) ASSESSING A POTENTIAL SERVICE ORGANIZATION'S
ABILITY TO PROVIDE INDEPENDENT AUDITS OR ASSESSMENTS;
AND
(D) INCLUDING INDEPENDENT AUDITS OR ASSESSMENTS
20220SB1018PN1555 - 19 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
IN CONTRACT REQUIREMENTS.
(IV) COMMUNICATE MONITORING, AUDITING OR ASSESSMENT
FINDINGS TO SERVICE ORGANIZATIONS.
(V) DEVELOP, IMPLEMENT AND MONITOR CORRECTIVE ACTION
PLANS BASED ON MONITORING, AUDITING OR ASSESSMENT
FINDINGS, AS NEEDED.
(VI) DEVELOP UP-TO-DATE CONTINGENCY PLANS FOR
SERVICES PROVIDED BY SERVICE ORGANIZATIONS THAT ARE
CRITICAL TO THE AGENCY'S CORE FUNCTIONS, PROCESSES OR
DATA.
(VII) MAINTAIN A RECORD OF EACH SERVICE ORGANIZATION
AND THE SERVICES THEY PROVIDE AND EVIDENTIARY
DOCUMENTATION TO SUPPORT THEIR SELECTED OVERSIGHT OPTION.
(VIII) ENSURE TIMELY SERVICE ORGANIZATION REPORTING.
(IX) ENSURE COMPLIANCE WITH CONTRACT REQUIREMENTS.
(C.5) AUDITS, STUDIES AND REVIEWS.--NOTWITHSTANDING ANY
OTHER PROVISION OF LAW, THE DEPARTMENT SHALL DO THE FOLLOWING:
(1) CONDUCT AN ANNUAL INDEPENDENT AUDIT OF EACH PART OF
THE SURE SYSTEM, SUPPORTING ARCHITECTURE AND CONNECTED
SYSTEMS USING A COMPREHENSIVE FRAMEWORK OF SECURITY STANDARDS
WHICH INCLUDES A TEST OF THE INFORMATION TECHNOLOGY'S GENERAL
CONTROLS, TESTS OF CYBERSECURITY CONTROLS, VULNERABILITY
ASSESSMENTS AND PENETRATION TESTING. THE FOLLOWING SHALL
APPLY:
(I) AUDITORS SHALL HAVE FULL AND CONFIDENTIAL ACCESS
TO ALL INFORMATION AND DOCUMENTS. IF THE DEPARTMENT
DETERMINES THAT CERTAIN INFORMATION CANNOT BE DISCLOSED,
THE DEPARTMENT SHALL SUBMIT TO AUDITORS, SUFFICIENT AND
APPROPRIATE EVIDENCE TO BACK UP ASSERTIONS THAT THE
DISCLOSURE OF CERTAIN INFORMATION TO AUDITING AGENCIES IS
20220SB1018PN1555 - 20 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
LEGALLY IMPOSSIBLE.
(II) COUNTIES, THE DEPARTMENT OF TRANSPORTATION AND
OTHER RELATED AGENCIES INVOLVED IN VOTER REGISTRATION
SHALL COOPERATE WITH FUTURE AUDITS.
(III) RESULTS OF AUDITS SHALL BE PROVIDED TO THOSE
IN CHARGE OF THE GOVERNANCE OF THE SURE SYSTEM, THE SURE
ADVISORY BOARD AND THE MEMBERS OF THE STATE GOVERNMENT
COMMITTEE OF THE SENATE AND THE STATE GOVERNMENT
COMMITTEE OF THE HOUSE OF REPRESENTATIVES.
(2) AS FOLLOWS:
(I) AFTER CONDUCTING THE CLEANSING PROCEDURES IN
SUBSECTION (C.2), PERFORM QUARTERLY DATA ANALYSIS TO DO
THE FOLLOWING:
(A) IDENTIFY DUPLICATE RECORDS CREATED IN ERROR
AND ENSURE THAT THEY ARE REMOVED FROM THE SURE
SYSTEM.
(B) IDENTIFY INACTIVE VOTERS AND ENSURE THAT
THEY ARE APPROPRIATELY MARKED AND IDENTIFY INCORRECT
RECORDS.
(C) IDENTIFY, INVESTIGATE AND RESOLVE INACCURATE
OR MISSING DATA IN THE SURE SYSTEM.
(D) COMPARE DEATH RECORDS RECEIVED FROM THE
DEPARTMENT OF HEALTH AND RECORDS IN THE SURE SYSTEM
AND REMOVE RECORDS FOR DECEASED INDIVIDUALS.
(II) THE DEPARTMENT MAY CONTRACT WITH A THIRD-PARTY
VENDOR TO COMPLY WITH THE REQUIREMENTS UNDER THIS
PARAGRAPH.
(3) DEVELOP AN EFFECTIVE AUDIT TRAIL FOR REGISTRATION
APPLICATIONS RECEIVED THROUGH THE ELECTRONIC REGISTRATION
INFORMATION CENTER TO ENABLE EITHER DEPARTMENT OR COUNTY
20220SB1018PN1555 - 21 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
ELECTION STAFF TO REVIEW AND CONFIRM THE ACCURACY OF
INFORMATION IN THE SURE SYSTEM TO THE ORIGINAL POINT OF ENTRY
OF INFORMATION BY THE REGISTRANT IN ACCORDANCE WITH THE
FOLLOWING:
(I) (RESERVED).
(II) IF THE DEPARTMENT IS UNABLE TO IMPLEMENT THE
POLICY ELECTRONICALLY, THE DEPARTMENT SHALL DEVELOP A
POLICY REQUIRING COUNTY ELECTION STAFF TO PRINT OUT AND
SCAN INTO THE SURE SYSTEM VOTER-REGISTRATION-RELATED
DOCUMENTS THAT ARE RECEIVED THROUGH THE ELECTRONIC
REGISTRATION INFORMATION CENTER AND ATTACH THE DOCUMENTS
TO THE VOTER'S RECORD.
(4) DEVELOP AND ISSUE A DIRECTIVE REGARDING RECORDS
RETENTION FOR THE SURE SYSTEM IN COORDINATION WITH THE
PENNSYLVANIA HISTORICAL AND MUSEUM COMMISSION TO CONFIRM THAT
THE COUNTY RECORDS MANUAL REGARDING ELECTION RECORDS IS
ENTIRELY UNIFORM WITH THE SURE SYSTEM RECORDS RETENTION
DIRECTIVE TO HELP ENSURE CONSISTENCY OF RECORDS RETENTION
AMONGST EACH OF THE COUNTIES. THE DIRECTIVE SHALL BE IN
ACCORDANCE WITH THE FOLLOWING:
(I) THE AVAILABILITY OF SOURCE DOCUMENTATION FOR
PURPOSES OF EVALUATING ACCURACY OF THE VOTER REGISTRATION
INFORMATION BY AN EXTERNAL PARTY MUST BE CONSIDERED.
(II) THE DIRECTIVE MAY BE PLACED IN A PROMINENT
LOCATION ON THE DEPARTMENT'S PUBLICLY ACCESSIBLE INTERNET
WEBSITE.
(III) THE DIRECTIVE MUST BE SENT AT LEAST YEARLY TO
EACH COUNTY ELECTION OFFICE.
(5) UPDATE THE SURE SYSTEM REGULATIONS TO ENSURE THAT
THE RECORDS ARE IN ACCORDANCE WITH THE NEWLY DEVELOPED AND
20220SB1018PN1555 - 22 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
DISTRIBUTED RECORD RETENTION POLICY AND THE UPDATED
PENNSYLVANIA HISTORICAL AND MUSEUM COMMISSION'S COUNTY
RECORDS MANUAL.
* * *
SECTION 2. SECTIONS 1328(B) INTRODUCTORY PARAGRAPH, 1505(A)
AND (B) AND 1901(C) OF TITLE 25 ARE AMENDED TO READ:
§ 1328. APPROVAL OF REGISTRATION APPLICATIONS.
* * *
(B) DECISION.--A COMMISSION SHALL DO ONE OF THE FOLLOWING
WITHIN 60 DAYS OF RECEIVING AN APPLICATION:
* * *
§ 1505. DEATH OF REGISTRANT.
(A) DEPARTMENT OF HEALTH.--A COMMISSION SHALL CANCEL THE
REGISTRATION OF A REGISTERED ELECTOR REPORTED DEAD BY THE
DEPARTMENT OF HEALTH. THE DEPARTMENT OF HEALTH SHALL, WITHIN
[60] SEVEN DAYS OF RECEIVING NOTICE OF THE DEATH OF AN
INDIVIDUAL 18 YEARS OF AGE OR OLDER, SEND THE NAME AND ADDRESS
OF RESIDENCE OF THAT INDIVIDUAL TO A COMMISSION IN A MANNER AND
ON A FORM PRESCRIBED BY THE DEPARTMENT. THE COMMISSION SHALL
[PROMPTLY] UPDATE INFORMATION CONTAINED IN ITS REGISTRATION
RECORDS WITHIN SEVEN DAYS.
(B) OTHER SOURCES.--A COMMISSION MAY ALSO UTILIZE PUBLISHED
NEWSPAPER OBITUARIES, FUNERAL HOME RECORDS, COUNTY CORONER
RECORDS, DEATH CERTIFICATES PROVIDED AT THE COMMISSION'S OFFICE,
LETTERS TESTAMENTARY OR LETTERS OF ADMINISTRATION ISSUED BY THE
OFFICE OF THE REGISTRAR OF WILLS TO CANCEL AND REMOVE THE
REGISTRATION OF AN ELECTOR, PROVIDED THAT SUCH REMOVALS ARE
UNIFORM, NONDISCRIMINATORY AND IN COMPLIANCE WITH THE VOTING
RIGHTS ACT OF 1965 (PUBLIC LAW 89-110, 42 U.S.C. § 1973 ET
SEQ.). THE COMMISSION SHALL [PROMPTLY] UPDATE INFORMATION
20220SB1018PN1555 - 23 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
CONTAINED IN ITS REGISTRATION RECORDS WITHIN SEVEN DAYS.
* * *
§ 1901. REMOVAL OF ELECTORS.
* * *
(C) IDENTIFICATION OF INACTIVE ELECTORS.--A COMMISSION SHALL
MARK AN "I" ON THE REGISTRATION RECORDS OF EACH REGISTERED
ELECTOR WHO HAS BEEN MAILED A FORM UNDER SUBSECTION (B)(1) OR
(3) AND HAS FAILED TO RESPOND, WHICH SHALL BE INCLUDED WITH ALL
OTHER REGISTRATION RECORDS FOR THAT POLLING SITE AND LOCATED AT
THE ELECTOR'S POLLING SITE ON THE DAY OF THE ELECTION. THE
COMMISSION SHALL [PROMPTLY] UPDATE THE INFORMATION CONTAINED IN
ITS REGISTRATION RECORDS QUARTERLY.
* * *
SECTION 3. REPEALS ARE AS FOLLOWS:
(1) THE GENERAL ASSEMBLY DECLARES THAT THE REPEAL UNDER
PARAGRAPH (2) IS NECESSARY TO EFFECTUATE THE ADDITION OF 25
PA.C.S. § 1222(B.1).
(2) ARTICLE XIII-C OF THE ACT OF JUNE 3, 1937 (P.L.1333,
NO.320), KNOWN AS THE PENNSYLVANIA ELECTION CODE, IS
REPEALED.
SECTION 4. THE DEPARTMENT OF STATE MAY PROMULGATE RULES AND
REGULATIONS TO ADMINISTER AND ENFORCE THE AMENDMENT OR ADDITION
OF 25 PA.C.S. §§ 1222(B.1), (C.1), (C.2), (C.3), (C.4) AND
(C.5), 1328(B)(9), 1505(A) AND (B) AND 1901(C).
SECTION 5. THIS ACT SHALL TAKE EFFECT IN 60 DAYS.
20220SB1018PN1555 - 24 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25