Election Infrastructure Cybersecurity Standards in the US
Election infrastructure in the United States operates under a layered cybersecurity framework involving federal agencies, state election authorities, and voluntary standards bodies. The Cybersecurity and Infrastructure Security Agency (CISA) designated election infrastructure as critical infrastructure in January 2017, establishing a formal federal role in protecting voting systems, voter registration databases, and election-night reporting systems. This page describes the regulatory and standards landscape governing that sector, including the principal frameworks, classification structures, and decision thresholds that determine which controls apply to which systems.
Definition and scope
Election infrastructure cybersecurity encompasses the technical and procedural controls applied to systems that support the administration of federal, state, and local elections. Under CISA's critical infrastructure framework, election infrastructure is organized into three primary asset categories:
- Voter registration systems — databases and web portals used to register voters, verify eligibility, and maintain voter rolls.
- Voting systems — ballot-marking devices, optical scanners, direct-recording electronic (DRE) machines, and associated election management software.
- Election night reporting systems — platforms used to tally, transmit, and publicly display unofficial results.
Federal jurisdiction over election cybersecurity is diffuse. The Election Assistance Commission (EAC) sets voluntary federal standards for voting system testing and certification under the Help America Vote Act of 2002 (HAVA, 52 U.S.C. § 20901 et seq.). CISA provides technical assistance and threat intelligence but holds no regulatory authority over state systems. Operational control remains with the 50 states, plus the District of Columbia and U.S. territories, each of which administers elections under its own statutes and procurement rules.
The Voluntary Voting System Guidelines (VVSG) 2.0, adopted by the EAC in February 2021, replaced the 2005 VVSG framework and introduced 15 high-level principles covering software independence, auditability, and access control — a substantive expansion from the previous edition's hardware-centric focus.
How it works
The cybersecurity governance structure for elections operates through three parallel channels: federal guidance, state-level regulation, and independent testing and certification.
Federal guidance channel: CISA publishes election security advisories, conducts risk and vulnerability assessments (RVAs) for state and local election offices upon request, and coordinates threat information sharing through the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), operated by the Center for Internet Security (CIS). The EI-ISAC, as of its public reporting, serves election offices across all 50 states.
Testing and certification channel: Voting systems submitted for federal certification undergo testing by EAC-accredited Voting System Test Laboratories (VSTLs). As of the EAC's published accreditation list, three laboratories hold active VSTL accreditation: Pro V&V, SLI Compliance, and Wyle Laboratories. Certification under VVSG 2.0 requires passing functional, security, and usability testing before a system may receive an EAC certificate.
State-level channel: States independently determine whether to adopt EAC-certified equipment, set additional procurement requirements, and establish their own cybersecurity mandates. Colorado, for example, requires post-election audits using risk-limiting audit (RLA) methodology under Colorado Revised Statutes § 1-7-515. Georgia mandates paper ballot trails under O.C.G.A. § 21-2-300.
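The risk-limiting audit that Colorado mandates is the one element of this section with a precise statistical core, so the following Python is added here as an illustration of how an RLA's stopping rule turns a statutory risk limit into a decision. It is not part of this page, not Colorado's audit software, and not any certified tool: it implements the ballot-polling variant (the BRAVO sequential test of Lindeman, Stark and Yates) for a single two-candidate contest, and the county totals, ballot manifest, sample size and random seed are all constructed values.

```python
import math
import random

# Added illustration of a ballot-polling risk-limiting audit (the BRAVO
# sequential test) for one two-candidate contest. Constructed sample data;
# this is not Colorado's audit software or any certified tool.

WINNER, LOSER, OTHER = "W", "L", "O"


def bravo_audit(reported_winner_share, sampled_ballots, risk_limit=0.05):
    """Run the BRAVO test over ballots in the order they are drawn.

    reported_winner_share: the reported winner's share s_w of the valid votes
        for the two candidates; must exceed 0.5 or there is no margin to audit.
    sampled_ballots: iterable of WINNER / LOSER / OTHER, in sample order.
    risk_limit: alpha, the largest probability that an incorrect reported
        outcome would escape a full hand count.

    Returns (confirmed, ballots_examined, test_statistic). Not confirming means
    the sample was exhausted without reaching the evidence threshold; under RLA
    rules the audit then escalates (larger sample or full hand count).
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner share must lie strictly between 0.5 and 1")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must lie strictly between 0 and 1")

    # Likelihood ratio of "reported share is right" against "it is a 50/50 tie",
    # kept in log space so long runs of losing ballots cannot underflow.
    log_winner_step = math.log(reported_winner_share / 0.5)          # > 0
    log_loser_step = math.log((1.0 - reported_winner_share) / 0.5)   # < 0
    log_threshold = math.log(1.0 / risk_limit)

    log_t = 0.0
    examined = 0
    for ballot in sampled_ballots:
        examined += 1
        if ballot == WINNER:
            log_t += log_winner_step
        elif ballot == LOSER:
            log_t += log_loser_step
        # OTHER (undervote or other candidate) carries no evidence for this pair.
        if log_t >= log_threshold:
            return True, examined, math.exp(log_t)
    return False, examined, math.exp(log_t)


def build_manifest(winner_votes, loser_votes, other_votes):
    """Constructed stand-in for a county's physical ballot manifest."""
    return [WINNER] * winner_votes + [LOSER] * loser_votes + [OTHER] * other_votes


def draw_sample(ballot_manifest, sample_size, seed):
    """Pick ballots uniformly at random; real audits publish the seed used."""
    rng = random.Random(seed)
    return rng.sample(ballot_manifest, sample_size)


if __name__ == "__main__":
    # Constructed county: reported 6,000 to 4,000 (s_w = 0.6) plus 500 undervotes.
    manifest = build_manifest(6000, 4000, 500)
    sample = draw_sample(manifest, 200, seed=12345)
    confirmed, n, t = bravo_audit(0.6, sample, risk_limit=0.05)
    print(f"confirmed={confirmed} after {n} ballots, statistic={t:.2f}")

    # If the paper does not support the reported margin (here the sample reads
    # as a tie), the statistic never reaches 1/alpha and the audit must escalate.
    print(bravo_audit(0.6, [WINNER, LOSER] * 100))
```

The statistic starts at 1 and is multiplied by s_w/0.5 for each ballot that supports the reported winner and by (1 - s_w)/0.5 for each that supports the loser; once it reaches 1/alpha the reported outcome is confirmed at that risk limit. With s_w = 0.6 and alpha = 0.05, seventeen consecutive winner ballots are enough, while a sample that reads as a tie shrinks the statistic and can never confirm, which is what forces escalation toward a full hand count.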
The NIST Cybersecurity Framework (CSF) — organized around the five functions Identify, Protect, Detect, Respond, and Recover — is the baseline reference document that CISA recommends election offices use to structure their security programs. For voter registration systems specifically, NIST SP 800-53 Rev. 5 control families including Access Control (AC), Audit and Accountability (AU), and Configuration Management (CM) are referenced in CISA's published Election Security Resource Library.
Common scenarios
Three operational scenarios illustrate how these standards apply in practice:
Scenario A — Voting system procurement: A county purchases a new ballot tabulation system. The vendor presents an EAC certificate under VVSG 2.0. The state election office verifies the certificate against the EAC-published certified systems list, confirms the system meets any additional state-specific requirements (e.g., paper ballot mandates), and forwards documentation to the state's designated CISA liaison for advisory review. The county then conducts logic and accuracy testing prior to each election under its state election code.
Scenario B — Voter registration database breach attempt: An intrusion attempt is detected against a state's voter registration portal. The state's IT security team triggers its incident response plan, notifies CISA's 24/7 Elections Infrastructure cybersecurity operations line, and shares indicators of compromise with the EI-ISAC for cross-state correlation. The response follows the NIST SP 800-61 Rev. 2 Computer Security Incident Handling Guide structure: Preparation → Detection and Analysis → Containment → Eradication and Recovery → Post-Incident Activity.
Scenario C — Election night reporting system outage: A county's unofficial results reporting platform experiences a denial-of-service condition. Because unofficial results carry no legal weight under most state statutes, election certification timelines are unaffected. The incident is documented under CISA's Incident Reporting taxonomy and reviewed post-election for infrastructure hardening.
Decision boundaries
Determining which specific standards govern a given election system depends on four classification factors:
- Asset category — Voter registration systems, voting systems, and reporting systems are governed by distinct control sets and testing regimes.
- Federal certification status — Only systems submitted to and tested by an EAC-accredited VSTL can carry an EAC certificate; state-certified-only systems operate outside the federal certification regime.
- State mandate applicability — State statutes determine whether EAC certification is required, optional, or irrelevant to procurement; as of EAC-published survey data, 14 states mandate the use of EAC-certified systems.
- Connection topology — Air-gapped voting systems face different threat models and control requirements than internet-connected voter registration portals. CISA's Security for Voter Registration Databases guidance addresses network-connected systems specifically.
The distinction between VVSG 2.0 (for voting system hardware and software) and NIST SP 800-53 (for organizational information systems including voter registration databases) is the primary framework boundary.
References
- CISA's critical infrastructure framework
- Election Assistance Commission (EAC)
- Voluntary Voting System Guidelines (VVSG) 2.0
- NIST Cybersecurity Framework (CSF)
- Cybersecurity and Infrastructure Security Agency
- CISA Cybersecurity Alerts
- NIST SP 800-53 — Security and Privacy Controls
- CIS Critical Security Controls