Election Security Resources and Standards

Election security sits at the intersection of critical infrastructure protection and democratic governance, governed by a layered framework of federal standards, state authorities, and independent technical bodies. This page covers the regulatory landscape, technical standards, operational phases, and decisional boundaries that define how election infrastructure is secured across the United States. The sector involves distinct service categories — from voting system certification to cyber threat intelligence sharing — each with its own governing structures and compliance expectations.

Definition and scope

The federal government formally designated election infrastructure as a subsector of critical infrastructure under the Department of Homeland Security in January 2017, a classification that triggers specific federal assistance obligations and information-sharing protocols. The Cybersecurity and Infrastructure Security Agency (CISA) holds primary federal responsibility for election security support, operating under the authority of the Homeland Security Act of 2002 and subsequent amendments.

Election security encompasses three discrete infrastructure categories:

  1. Voter registration systems — databases and networks used to collect, store, and validate voter eligibility data
  2. Voting systems — hardware and software used to cast and tabulate ballots, subject to certification by the Election Assistance Commission (EAC)
  3. Election night reporting systems — public-facing infrastructure used to aggregate and publish results, which carry distinct threat profiles from tabulation systems

The U.S. Election Assistance Commission administers the Voluntary Voting System Guidelines (VVSG), the technical standard set for voting equipment certification. VVSG 2.0, adopted in February 2021 (EAC Resolution EAC-2021-002), introduced requirements covering software independence, auditability, and accessibility. Compliance with VVSG 2.0 is voluntary at the federal level but is referenced by state certification processes across the country.

Jurisdictional authority over elections is constitutionally reserved to states. This creates a 50-state regulatory mosaic in which standards, procurement rules, and audit requirements vary significantly, a structural reality tracked across the state-by-state cybersecurity law landscape.

How it works

Federal election security support operates through a hub-and-spoke model in which CISA provides resources, assessments, and intelligence to state and local election officials who retain operational control.

CISA's election security services include:

  1. Risk and Vulnerability Assessments (RVAs) — on-site or remote evaluations of election office networks and systems
  2. Cyber hygiene scanning — continuous external scanning of internet-facing election infrastructure
  3. Albert Sensor deployment — network intrusion detection sensors deployed to state and local election networks, operated in partnership with the Center for Internet Security (CIS)
  4. Information sharing through the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) — a sector-specific ISAC operated by CIS that disseminates threat indicators and advisories to over 3,600 election offices as of 2023 (CIS EI-ISAC)
  5. Tabletop exercises — scenario-based exercises structured around the CISA Tabletop Exercise Package (CTEP) framework

The NIST Cybersecurity Framework provides the underlying risk management structure applied to election systems. NIST Special Publication 800-53, Revision 5, supplies the security control catalog that election system vendors and administrators reference for access control, audit logging, and incident response planning. The incident response standards applicable to election offices generally follow SP 800-61 Rev. 2 guidance.

Physical security, chain-of-custody controls, and post-election auditing are operationally distinct from cyber controls but are integrated into the overall security posture. Risk-limiting audits (RLAs), statistically grounded post-election ballot sampling methods, represent the leading standard for confirming tabulation accuracy independent of software output.

Common scenarios

Election security incidents and operational challenges fall into recognizable categories that inform both defensive prioritization and response planning.

Voter registration database targeting — Registration systems represent the highest-frequency target in observed intrusion campaigns. Their internet connectivity, third-party vendor access, and large personal data holdings make them analogous in risk profile to the healthcare and financial sector databases covered under federal cybersecurity compliance requirements.

Disinformation amplified by infrastructure ambiguity — Unauthorized access or even the appearance of unauthorized access to election night reporting systems — which are not tabulation systems — has historically been exploited to cast doubt on results. Separating the threat surface of reporting infrastructure from tabulation infrastructure is a standing architectural guidance point in CISA advisories.

Supply chain exposure in voting system components — Voting system hardware and software supply chains involve components sourced from global manufacturers. This mirrors supply chain cybersecurity risks in industrial and defense sectors. EAC certification testing does not currently mandate comprehensive software bill of materials (SBOM) submission, though NIST guidance on SBOMs (NIST SP 800-161r1) is referenced in federal procurement contexts.

Ransomware against county election offices — Smaller county offices, which may lack dedicated IT staff, face ransomware exposure consistent with patterns observed across the broader ransomware landscape. CISA's Pre-Ransomware Notification Initiative, launched in 2023, includes election offices among its early-warning notification recipients.

Decision boundaries

The regulatory and operational authority structure creates distinct decisional lanes that practitioners must navigate:
