SSL Security Policy for Tea Time Political Association (FEC‑Registered PAC)
Effective Date: January 1, 2025
Contact: security@teamtimepac.com
1. Purpose & Scope
This policy outlines technical and legal requirements for securing digital communications (including website traffic and email) through SSL/TLS encryption. It ensures compliance with:
- Federal requirements for FEC‑registered political committees (e.g., disclaimers on websites and emails) (source: FEC.gov),
- Florida state rules for electronic filing systems, disclaimers, and registered agent obligations (source: The Florida Senate),
- Special rules for electioneering communication disclaimers in CA, NY, DE, etc., where applicable (source: NCSL).
2. Technical Requirements (SSL/TLS Configuration)
- TLS Version: Use TLS 1.2 (minimum) with strong cipher suites (e.g., ECDHE_RSA with AES‑256‑GCM).
- Certificates:
  - Must be from a trusted Certificate Authority (CA).
  - Enforce HTTP Strict Transport Security (HSTS) to prevent downgrade attacks.
  - Enable OCSP stapling for faster, secure revocation checking.
- Server Configuration:
  - Enable forward secrecy.
  - Disable insecure protocols (e.g., SSL v2/v3, TLS 1.0/1.1).
- Monitoring & Renewal:
  - Automate certificate renewals.
  - Run periodic scans (e.g., Qualys SSL Labs) to audit vulnerabilities.
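The following Python script is an added example of how the IT/Security team could check the section 2 controls; it is not part of this policy and not code from the PAC. It builds a server-side TLS context that meets the policy (TLS 1.2 minimum, ECDHE key exchange with AES-GCM), audits a cipher list, checks an HTTPS response's HSTS header, and computes days to certificate expiry for the renewal monitoring item. The HSTS max-age floor of one year, the 30-day renewal warning window, and the cipher string "ECDHE+AESGCM:!aNULL" are this example's own assumptions; the policy does not specify them. The sample headers and certificate fields are constructed, not captured from a live host.

```python
"""Added example (not part of the policy): checks for the section 2 TLS controls.

Assumptions made here and not stated in the policy: an HSTS max-age of at
least one year, a 30-day renewal warning window, and the cipher string
"ECDHE+AESGCM:!aNULL" as the concrete spelling of "ECDHE with AES-GCM".
"""
import ssl

HSTS_MIN_MAX_AGE = 365 * 24 * 3600   # example threshold: one year
RENEWAL_WARNING_DAYS = 30            # example threshold: warn 30 days before expiry


def policy_server_context(certfile=None, keyfile=None):
    """Build a server-side SSLContext that satisfies section 2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Minimum TLS 1.2: SSLv3, TLS 1.0 and TLS 1.1 can no longer be negotiated.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Only ECDHE key exchange (forward secrecy) with AES-GCM (AEAD); no anonymous suites.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_ciphers(ciphers):
    """Return the names of TLS 1.2 suites that lack ECDHE or AES-GCM.

    `ciphers` is the list of dicts that SSLContext.get_ciphers() returns.
    TLS 1.3 suites are skipped: every one is ephemeral and AEAD by design.
    """
    findings = []
    for c in ciphers:
        if c.get("protocol") == "TLSv1.3":
            continue
        name = c["name"]
        if "ECDHE" not in name or "GCM" not in name:
            findings.append(name)
    return findings


def check_hsts(headers):
    """Return policy findings for the HSTS header of an HTTPS response.

    `headers` maps lower-cased header names to values (e.g. built from
    http.client.HTTPResponse.getheaders()).
    """
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        directives[key.lower()] = val.strip().strip('"')
    findings = []
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < HSTS_MIN_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} below {HSTS_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


def days_until_expiry(cert, now):
    """Days left on a certificate, given the dict from SSLSocket.getpeercert()
    and a POSIX timestamp `now`."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def needs_renewal(cert, now):
    """True when the certificate is inside the renewal warning window."""
    return days_until_expiry(cert, now) < RENEWAL_WARNING_DAYS


if __name__ == "__main__":
    ctx = policy_server_context()
    print("context cipher findings:", audit_ciphers(ctx.get_ciphers()))
    # Constructed sample headers and certificate fields, not captured from a real host.
    weak_headers = {"strict-transport-security": "max-age=300"}
    print("HSTS findings:", check_hsts(weak_headers))
    sample_cert = {"notAfter": "Dec 31 23:59:59 2025 GMT"}
    now = ssl.cert_time_to_seconds("Dec 10 23:59:59 2025 GMT")
    print("days left:", days_until_expiry(sample_cert, now),
          "renew:", needs_renewal(sample_cert, now))
```

For a live check, pass `SSLSocket.getpeercert()` from a connection to the PAC's site into `days_until_expiry`, and the response headers of an HTTPS request into `check_hsts`; an external scanner such as the Qualys SSL Labs test named above still covers items this script does not, such as OCSP stapling and the certificate chain.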
3. Website Disclaimers & Legal Integration
Federal FEC Requirements:
- Website: Must display a disclaimer ("[Name of PAC] is responsible for the content of this website") in compliance with 11 CFR 110.11 (source: FEC.gov).
- Emails: If sending over 500 substantially similar emails, each must include the required disclaimer (source: FEC.gov).
Florida-Specific Filings & Security:
- All filings (campaign finance reports, etc.) must go through Florida’s secure electronic filing system, which requires secure access and must prevent unauthorized access (source: The Florida Senate).
- Credentials for filing are confidential and exempt from public disclosure (source: The Florida Senate).
4. State‑Specific Disclaimer Variations & Communication Rules
While SSL/TLS requirements are consistent across jurisdictions, state laws differ in how they define electioneering communications and in the required disclaimer phrasing.
- California, New York, Delaware (via NCSL):
  - Definition: Communications made within specified windows before elections (e.g., 30 days before a primary, 60 days before a general election), across various media, that refer to candidates without expressly advocating for their election or defeat are considered electioneering communications (source: NCSL).
  - Reporting & Disclosures: Third-party groups making such communications must disclose contributor details, amounts, dates, occupations (if over $100), etc. (source: NCSL).
- Florida:
  - Requires disclaimers for electioneering communications: “Paid electioneering communication paid for by [name & address]” on non‑telephone or text media (sources: The Florida Senate, NCSL).
  - For text messages and phone calls: include “Paid for by…”, followed by the name; text messages may also rely on a URL link to a disclosure page, which must stay online for 30 days after the election (source: The Florida Senate).
5. Enforcement, Oversight & Incident Response
- Responsibilities:
  - IT/Security team must oversee SSL/TLS deployment, monitor certificate expiration, and run security testing.
  - Communications team must maintain accurate disclaimers per sections 3 and 4.
- Audit & Testing: Quarterly audits, including vulnerability scans and disclaimer reviews, should be conducted.
- Incident Response: A plan must exist for responding to certificate compromise, expired certificates, or unauthorized disclosures.