Election Security Resources and Standards
Election security encompasses the policies, technical standards, and operational frameworks that protect voting systems, voter registration infrastructure, and election administration processes from cyberattack, physical tampering, and interference. Federal agencies including the Cybersecurity and Infrastructure Security Agency (CISA) and the Election Assistance Commission (EAC) coordinate national-level guidance, while state and local election officials retain primary administrative authority. The intersection of federal standards and decentralized administration creates a layered security environment that professionals navigating this sector must understand to assess service needs, compliance obligations, and vendor qualifications.
Definition and scope
Election security as a formal policy domain was elevated to critical infrastructure status in January 2017, when the Department of Homeland Security designated election systems a subsector of the Government Facilities Sector under Presidential Policy Directive 21. This designation extended federal protective resources — including threat intelligence sharing and cybersecurity assessments — to state and local jurisdictions without overriding their constitutional authority over elections.
The scope of election security covers three primary asset categories:
- Voter registration systems — databases and online portals used to register and maintain voter records
- Election management systems (EMS) — software platforms used to configure ballots, tabulate results, and generate reports
- Voting equipment — optical scan tabulators, ballot-marking devices, and direct-recording electronic (DRE) systems subject to federal certification through the EAC's Voluntary Voting System Guidelines (VVSG)
The CISA Election Security resource library provides sector-specific risk assessments, physical security checklists, and incident response protocols distributed to jurisdictions across all 50 states and U.S. territories. Professionals researching vendor qualifications or consulting the broader digital security providers landscape should distinguish between federally funded resources and commercially offered services.
How it works
Election security operates through a federated model. Federal bodies set standards and offer assistance; state election officials implement controls and oversee local jurisdictions. The EAC administers the VVSG, currently at version 2.0, which defines hardware and software requirements that voting system manufacturers must meet before federal certification. EAC certification does not mandate state adoption — each state determines its own certification requirements — but VVSG 2.0 compliance is widely used as a procurement benchmark.
At the federal level, NIST contributes technical guidance through publications including NISTIR 7711 (Security Best Practices for the Electronic Transmission of Election Materials) and the broader NIST Cybersecurity Framework, which election administrators adapt for asset identification, risk assessment, and recovery planning.
The operational security cycle for an election typically follows four phases:
- Pre-election preparation — Logic and accuracy testing of voting equipment, network isolation verification, and staff training against phishing and social engineering
- Election Day operations — Physical chain-of-custody enforcement, anomaly monitoring, and incident escalation protocols tied to CISA's 24/7 reporting line
- Post-election audit — Risk-limiting audits (RLAs), as promoted by the American Statistical Association and adopted by 42 states in at least limited form, provide statistical confidence in reported outcomes without requiring a full hand count
- After-action review — Documentation of incidents, near-misses, and system anomalies submitted to the EAC's Election Administration and Voting Survey (EAVS)
Contrasting approaches to post-election verification illustrate a key structural divide: jurisdictions using paper-ballot optical scan systems can conduct RLAs directly from physical ballots, while jurisdictions using paperless DRE systems cannot perform ballot-level audits, a limitation that VVSG 2.0 addresses by requiring a voter-verifiable paper audit trail (VVPAT) for all newly certified equipment.
Common scenarios
Election security professionals and researchers encounter a recurring set of operational scenarios across jurisdictions:
- Ransomware targeting county election offices — Several county governments have experienced ransomware infections affecting administrative networks in the months preceding elections, prompting CISA to issue a specific advisory series on segmentation and backup practices for election infrastructure.
- Voter registration database compromise attempts — State voter registration systems have been probed or accessed without authorization, as documented in the bipartisan Senate Intelligence Committee report on 2016 election interference (Volume 1, released 2019), which identified intrusion attempts against election infrastructure in all 50 states.
- Disinformation campaigns targeting election administration credibility — These fall outside the technical security perimeter but intersect with incident communication protocols developed by CISA's Election Infrastructure Information Sharing and Analysis Center (EI-ISAC).
- Supply chain risk in voting system components — Hardware and software components sourced from third-party manufacturers introduce supply chain risk, a concern addressed in NIST SP 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.
The digital security providers reference covers vendors active in election technology auditing and penetration testing services, which jurisdictions procure independently of EAC certification processes.
Decision boundaries
Navigating election security services requires clear distinctions between overlapping categories of resources and authority:
| Dimension | Federal Role | State/Local Role |
|---|---|---|
| Standards setting | EAC (VVSG), NIST (NISTIR, SP series) | State certification boards |
| Threat intelligence | CISA, FBI cyber division | State fusion centers |
| Incident response | CISA CSIRT support (voluntary) | State election directors, county officials |
| Vendor certification | EAC testing and certification program | State procurement offices |
Professionals assessing service providers should verify whether a vendor's products carry current EAC certification under VVSG 2.0, distinct from older VVSG 1.0 certifications. The EAC maintains a publicly searchable Certified Products List updated as certifications are granted or withdrawn.
The how-to-use-this-digital-security-resource and pages describe the classification structure applied to cybersecurity service providers, including those operating specifically in election infrastructure security.