Election Security and Cybersecurity

Election security encompasses the technical, procedural, and regulatory measures applied to protect voting systems, voter registration infrastructure, and the broader digital ecosystem that supports democratic processes in the United States. This page covers the classification of election security threats, the federal and state regulatory framework governing election infrastructure, the operational structure of cybersecurity services in this sector, and the boundaries that define when federal resources apply versus state jurisdiction. The integrity of electoral systems is a matter of critical infrastructure protection, formally designated under the authority of the Department of Homeland Security.

Definition and scope

Election infrastructure was designated as a subsector of critical infrastructure in January 2017 by then-Secretary of Homeland Security Jeh Johnson, placing it under the protections defined in Presidential Policy Directive 21 (PPD-21). This designation authorized the Cybersecurity and Infrastructure Security Agency (CISA) to provide technical assistance, threat intelligence sharing, and vulnerability assessments to election officials at no cost.

The scope of election security covers three primary categories:

  1. Voting systems — electronic poll books, optical scan tabulators, ballot-marking devices, and direct-recording electronic (DRE) machines
  2. Election management systems (EMS) — software platforms used to program ballots, manage election data, and aggregate results
  3. Voter registration databases — state-administered systems containing personally identifiable voter data, connected in varying degrees to broader state IT networks

The federal role is advisory and voluntary at the state level, given the constitutional assignment of election administration to individual states. The Election Assistance Commission (EAC) maintains the Voluntary Voting System Guidelines (VVSG), the primary federal technical standard against which voting systems are certified — though adoption of EAC certification is not mandated by federal law.

How it works

Election cybersecurity operates through a layered structure of federal support, state administration, and third-party vendor compliance. CISA's Election Security program provides four categories of services: risk and vulnerability assessments, physical security assessments, cybersecurity training for election officials, and access to the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).

The EI-ISAC, operated by the Center for Internet Security (CIS), provides 24/7 security monitoring, threat intelligence, and access to the Multi-State Information Sharing and Analysis Center (MS-ISAC) network to all 50 states, the District of Columbia, and 6 U.S. territories. As of the 2020 election cycle, more than 2,400 election jurisdictions had enrolled in EI-ISAC services (Center for Internet Security, EI-ISAC).

The operational security lifecycle for a U.S. election follows discrete phases:

  1. Pre-election hardening — network segmentation of election management systems, patch management, and credential auditing
  2. Logic and accuracy testing — pre-certification testing of voting equipment against programmed ballots
  3. Election Day monitoring — real-time threat detection and incident response coordination through CISA and state fusion centers
  4. Post-election audit — risk-limiting audits (RLAs), paper trail reconciliation, and forensic analysis where anomalies are detected

Voting systems that connect — even temporarily — to internet-facing infrastructure represent the highest-risk configuration. NIST guidance in NIST SP 800-82 addresses industrial and operational technology security controls applicable to isolated election systems.

Common scenarios

Election cybersecurity incidents are classified by attack surface and actor type. The three most operationally significant scenarios in the U.S. threat landscape are:

Voter registration database intrusions — State voter registration systems have been targeted by foreign nation-state actors. The Senate Intelligence Committee's 2019 report confirmed that actors affiliated with Russian intelligence targeted voter registration infrastructure in all 50 states during the 2016 election cycle (U.S. Senate Select Committee on Intelligence, Volume 1).

Ransomware against election vendors and county networks — County government networks, which frequently host election administration functions alongside other municipal services, are targets for ransomware groups. An attack does not need to directly compromise voting machines to disrupt election operations.

Disinformation amplified through compromised infrastructure — Credential theft from election official email accounts and website defacement have been used to spread false information about polling locations, procedures, or results. This class of attack targets public confidence rather than vote totals directly.

Insider and external threats differ in profile: external nation-state and criminal actors dominate the threat intelligence picture for election systems, while insider risk, including accidental misconfiguration by election staff, accounts for a disproportionate share of actual data exposures in voter registration systems.

Decision boundaries

The boundary between federal authority and state autonomy in election security is legally significant. CISA cannot compel a state to accept assistance or adopt specific security controls. Federal jurisdiction activates under distinct conditions: when a federal election is affected, when foreign interference is confirmed, or when critical infrastructure statutes under 6 U.S.C. § 652 apply.

Organizations navigating this sector — including cybersecurity firms seeking election security contracts — must distinguish between EAC certification work, which requires accreditation as a Voting System Test Laboratory (VSTL) under EAC oversight, and general IT security services to election jurisdictions, which do not require federal accreditation but must comply with applicable state procurement rules.
