Election Infrastructure Cybersecurity in the US
Election infrastructure cybersecurity encompasses the technical controls, regulatory frameworks, and operational protocols that protect voting systems, election management software, voter registration databases, and associated networks from unauthorized access, manipulation, and disruption. The Department of Homeland Security designated election infrastructure as critical infrastructure under Presidential Policy Directive 21 in January 2017, placing it alongside sectors such as energy and financial services. This designation established a formal federal role in securing systems that underpin democratic processes across all 50 states, the District of Columbia, and U.S. territories.
Definition and scope
Election infrastructure includes a broad set of physical and digital assets. The Cybersecurity and Infrastructure Security Agency (CISA) identifies the following primary asset categories:
The scope extends to physical security of polling locations and storage facilities, but the cybersecurity perimeter is defined by any digital pathway that could affect vote integrity, voter access, or public confidence in reported results.
Responsibility is distributed across three governance levels. The federal level is led by CISA's Election Security Initiative. State-level authority rests with secretaries of state or state boards of elections. Local jurisdictions — roughly 8,000 distinct election jurisdictions exist nationwide (CISA, Election Security) — manage physical operations and often independently procure equipment.
How it works
Federal support operates primarily through voluntary services. CISA offers the following discrete service tiers to state and local election officials:
- Risk and Vulnerability Assessments (RVAs): Comprehensive network penetration testing and architecture reviews conducted at no cost to jurisdictions.
- Cyber Hygiene Scanning: Remote, continuous scanning of internet-facing election infrastructure for known vulnerabilities.
- Albert Sensor Deployment: Network intrusion detection sensors installed at state and local election offices, maintained in coordination with the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).
- Tabletop Exercises: Scenario-based preparedness exercises simulating ransomware attacks, disinformation campaigns, and supply chain compromises.
The EI-ISAC, operated by the Center for Internet Security (CIS), serves as the primary threat intelligence sharing hub. Membership grew from 1,376 election offices in 2018 to over 3,700 by 2022 (CIS EI-ISAC). The EI-ISAC distributes indicators of compromise, patches, and advisories to member jurisdictions under Traffic Light Protocol (TLP) classifications.
Technical standards governing voting system hardware and software are set by the Election Assistance Commission (EAC) through the Voluntary Voting System Guidelines (VVSG). VVSG 2.0, adopted by the EAC in February 2021, introduced explicit cybersecurity requirements including auditability, software independence, and physical security provisions (EAC VVSG 2.0). Certification testing is conducted by federally accredited Voting System Test Laboratories (VSTLs).
Common scenarios
Ransomware targeting county election offices: Local jurisdictions with limited IT staff represent the highest-risk entry points. Ransomware incidents affecting county networks in the weeks before an election can disrupt voter roll access and result tabulation logistics, even if voting machines themselves remain isolated.
Voter registration database compromise: Centralized statewide voter registration systems present a high-value target. Unauthorized modification of voter records — changing addresses, party affiliations, or eligibility status — creates operational disruption on Election Day even without any change to vote tallies.
Disinformation paired with technical intrusion: CISA's 2020 Joint Statement (CISA/EAC Joint Statement, November 2020) noted that technical intrusions are frequently combined with disinformation operations intended to amplify perceived impact, undermining public confidence independently of whether any vote data was actually altered.
Supply chain vulnerabilities in voting equipment: The procurement and maintenance chain for voting hardware involves manufacturers, firmware update processes, and third-party service technicians. NIST's Cybersecurity Framework (CSF) supply chain risk management guidelines, formalized in NIST SP 800-161 (NIST SP 800-161r1), apply directly to this exposure surface.
Decision boundaries
The federal-state boundary in election cybersecurity is constitutionally significant. Election administration is a state function under Article I and the Tenth Amendment; federal cybersecurity support is offered, not mandated. This contrasts with sectors like banking or nuclear energy, where federal standards carry direct enforcement authority.
The distinction between federally certified and state-certified voting systems marks another critical boundary. EAC certification under VVSG is voluntary — states may adopt certified systems, develop their own testing standards, or accept systems that have not completed federal certification. As of 2023, not all states require EAC-certified equipment (Verified Voting Foundation, Verifier Database).
A third boundary separates election systems from election-adjacent systems. Campaign networks, political party infrastructure, and candidate communication systems fall outside CISA's election infrastructure mandate, though they receive separate attention under broader critical infrastructure programs.