Election Infrastructure Cybersecurity Standards in the US
Election infrastructure in the United States spans a complex web of hardware, software, networks, and administrative processes — all subject to overlapping federal and state-level cybersecurity requirements. In 2017, the Department of Homeland Security designated election infrastructure as a critical infrastructure subsector under the existing 16-sector framework established by Presidential Policy Directive 21. This designation unlocked federal resources, threat intelligence sharing, and voluntary security assistance coordinated through the Cybersecurity and Infrastructure Security Agency (CISA). The standards and frameworks governing this sector define how jurisdictions assess risk, implement controls, respond to incidents, and coordinate across the fragmented landscape of roughly 8,000 election jurisdictions nationwide.
Definition and scope
Election infrastructure cybersecurity encompasses the technical and procedural controls applied to systems that support voter registration, ballot preparation, vote casting, vote tabulation, and results reporting. The scope extends beyond voting machines to include:
- Voter registration databases — state-managed systems containing personally identifiable voter data
- Election management systems (EMS) — software used to configure ballots and tabulate results
- Voting equipment — optical scan tabulators, ballot marking devices, and direct-recording electronic (DRE) systems
- Poll-book systems — electronic devices used at precincts to verify voter eligibility
- Results reporting websites — public-facing portals that aggregate and display election night data
- Back-office IT networks — the administrative infrastructure of county and state election offices
CISA's Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), operated by the Center for Internet Security (CIS) under cooperative agreement, serves as the primary hub for threat intelligence sharing across this sector. Membership in the EI-ISAC is available at no cost to election officials and provides access to the Multi-State Information Sharing and Analysis Center (MS-ISAC) network.
The federal framework governing election infrastructure intersects with broader critical infrastructure protection standards and the NIST Cybersecurity Framework, which CISA formally recommends as a baseline reference for election offices at all jurisdictional levels.
How it works
The operational security architecture for election infrastructure is built around a layered model that combines federal guidance, state-level mandates, and local implementation capacity. The process moves through discrete phases:
Phase 1 — Risk identification
CISA and the EI-ISAC publish the Election Infrastructure Cybersecurity: Strategy and Goals document and conduct voluntary Cybersecurity Risk and Vulnerability Assessments (CRVAs) at no cost to jurisdictions. These assessments benchmark controls against NIST SP 800-53, Rev 5 and the CIS Controls framework.
Phase 2 — Baseline hardening
CIS publishes A Handbook for Elections Infrastructure Security, which maps controls to the CIS Controls v8 framework across 18 control families. Jurisdictions are expected to implement controls prioritized by the Implementation Group (IG) model — IG1 representing the minimum baseline for resource-constrained offices.
Phase 3 — Testing and certification
Voting systems in the US are tested by federally accredited Voting System Test Laboratories (VSTLs) against the Voluntary Voting System Guidelines (VVSG 2.0), published by the U.S. Election Assistance Commission (EAC). The VVSG 2.0, adopted in February 2021, introduced software independence requirements and significantly expanded cybersecurity-specific testing criteria compared to the prior 2005 standards.
Phase 4 — Monitoring and incident response
The Albert Network Monitoring System, deployed by CIS/EI-ISAC, provides passive network monitoring for participating jurisdictions. As reported in the EAC's 2022 Election Administration and Voting Survey, 48 states and territories had some level of participation in CISA-supported security services. Cybersecurity incident reports for election infrastructure flow through CISA's 24/7 operations center and, in some states, through mandatory disclosure to the state chief election official.
Common scenarios
Election cybersecurity threats cluster around three operational periods: pre-election, election day, and post-election certification. The threat profile for each differs materially.
Pre-election period: Voter registration database intrusions represent the highest-frequency threat. The 2016 Russian interference campaign, documented by the Senate Intelligence Committee's Volume 1: Russian Interference in the 2016 US Elections, targeted voter registration systems in all 50 states, with confirmed access achieved in at least one state. Spear-phishing targeting election office staff is the dominant initial access vector, consistent with phishing and social engineering patterns documented across sectors.
Election day: Denial-of-service attacks against results-reporting websites and poll-book connectivity failures represent the primary operational risks. Because tabulation equipment in most jurisdictions operates on air-gapped networks or removable media, direct network compromise of vote-counting hardware during the election is structurally constrained, though supply chain risks at the firmware and software development level remain a documented concern tracked under supply chain cybersecurity risk frameworks.
Post-election: Disinformation campaigns targeting the perceived integrity of results are catalogued by CISA's #Protect2024 initiative as a compound threat that blends cyber operations with influence activity. Forensic audit procedures and chain-of-custody documentation serve as primary countermeasures in this phase.
Decision boundaries
Understanding how election infrastructure cybersecurity standards differ from adjacent frameworks clarifies where each applies:
Voluntary vs. mandatory controls: Unlike HIPAA cybersecurity requirements or financial sector mandates enforced through prudential regulators, federal election cybersecurity standards (including CISA assessments and EI-ISAC participation) are entirely voluntary at the federal level. Binding mandates exist only where state law imposes them, and the requirements vary from state to state, as documented in each state's cybersecurity laws.
Federal jurisdiction limits: The administration of elections is a state function under the U.S. Constitution. CISA's role is advisory and supportive, not regulatory. The EAC certifies voting systems but cannot mandate their adoption; 14 states used non-EAC-certified equipment in some capacity as of the 2020 election cycle, per EAC reporting.
VVSG vs. state testing requirements: EAC's VVSG 2.0 sets the national testing standard for voting equipment, but individual states may layer additional certification requirements. California's Secretary of State certification process, for example, imposes source code review requirements that exceed VVSG minimums. Texas and Louisiana maintain independent certification programs that run in parallel to federal testing.
EI-ISAC vs. MS-ISAC membership: Election offices that primarily process non-election governmental data may fall under the broader MS-ISAC umbrella rather than the EI-ISAC. The distinction matters for which threat feeds and incident response resources are accessible. Both are administered by CIS under CISA cooperative agreement but serve distinct member populations.
Election infrastructure falls within the roles of several federal cybersecurity agencies, including the FBI, NSA's Cybersecurity Directorate, and CISA, so significant incidents trigger multi-agency coordination under the National Cyber Incident Response Plan (NCIRP) framework rather than a single-agency chain of command.
References
- Cybersecurity and Infrastructure Security Agency (CISA) — Election Security
- U.S. Election Assistance Commission (EAC) — Voluntary Voting System Guidelines 2.0
- Center for Internet Security — Election Infrastructure ISAC (EI-ISAC)
- NIST SP 800-53, Rev 5 — Security and Privacy Controls for Information Systems
- CIS Controls v8 — A Handbook for Elections Infrastructure Security
- U.S. Senate Select Committee on Intelligence — Volume 1: Russian Interference in the 2016 US Elections
- EAC — 2022 Election Administration and Voting Survey (EAVS)
- Presidential Policy Directive 21 — Critical Infrastructure Security and Resilience