EAC posted and/or linked to the reports and studies on this page as part of its clearinghouse function. EAC is not endorsing any non-EAC resource listed below and offers the information as a courtesy to election officials. Note: For election administration resources related to the COVID-19 pandemic, please see the EAC COVID-19 resources page.
Election security resources (top)
Protecting U.S. Elections: A CISA Cybersecurity Toolkit (August 10, 2022) - The Cybersecurity and Infrastructure Security Agency (CISA) released this toolkit as a one-stop catalog of free services and tools available for state and local election officials to improve the cybersecurity and resilience of their infrastructure. As the lead federal agency responsible for election security, CISA regularly works with state and local election officials to secure their systems and offers a number of services, information products, and other resources. This toolkit was developed through CISA’s Joint Cyber Defense Collaborative (JCDC), which worked with private and public sector organizations, including in the election community, and JCDC alliance members – to compile these free resources. The toolkit is organized into broad categories designed to help election officials:
Assess their risk using an Election Security Risk Profile Tool developed by CISA and the U.S. Election Assistance Commission;
Find tools related to protecting voter information, websites, email systems, and networks; and
Protect assets against phishing, ransomware, and distributed denial-of-services (DDoS) attacks.
- Chain of Custody Best Practices (2021) - Chain of custody is essential to a transparent and trustworthy election. Every election office should have written chain of custody procedures available for public inspection prior to every election. Once a chain of custody process is initiated, it must be followed with every step documented. Upon completion, the process should be reviewed and updated based on any lessons learned. This EAC report outlines items election officials should consider when developing or revising their chain of custody procedures for physical election materials, voting systems, and the use of third-party auditors for conducting audits and electronic discovery.
- Incident Response Checklist - During early voting and Election Day, communications between election officials and voting locations are extremely important. When incidents occur, communication needs to be quick and should convey informed decisions about how to respond. Election officials, poll workers, community leaders, and election stakeholders should help develop and understand the plan. This EAC checklist aims to make incident response easier to plan, implement, and assess.
- Security Resources for the Election Infrastructure Subsector (2022) - The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have developed a summary of some of the resources available across the federal government for state, local, territorial, and tribal (SLTT) election officials and their private sector partners to assist in responding to threats to personnel and guidance on assessing and mitigating risks to their physical assets. All of the resources cited in this document are available at no-cost to the user and can be found on the listed websites.
- CISA 2020 #Protect2020 Strategic Plan – CISA leverages a wide range of offerings and services to build outreach programs and engage local election officials in the over 8,000 election jurisdictions across the country. This plan outlines CISA products and communication strategy for the elections subsector.
- Center for Internet Security Handbook for Election Infrastructure Security – The Center for Internet Security (CIS) and its partners publish this handbook as part of a comprehensive, nationwide approach to protect the democratic institution of voting.
- Global Cybersecurity Alliance Election Toolkit – The GCA toolkit is intended to support election offices and community organizations to improve their resilience against threat posed by use of information and communication technology in elections. The toolkit is designed to augment the security programs of election offices with free operational tools and guidance that have been selected and curated to implement the recommendations in the CIS Handbook for Elections Infrastructure Security.
- EAC Blogpost: Challenges to Better Security in U.S. Elections: The Last Mile – In this blogpost, former Testing & Certification Director Brian Hancock provides thoughts on election security.
- EAC Election Management Guidelines: Chapter 2 System Security – This chapter of the EMGs focuses on best practices for software installation, password management, physical access logs, and personnel accountability.
- EAC Election Management Guidelines: Chapter 3 Physical Security – This chapter of the EMGs documents plans, policies, and procedures to manage the various election administration processes and voting system security vulnerabilities. State and county election commissions and municipalities should review these plans, policies, and procedures and consider incorporating them into their local processes.
- NCSL on Election Security: State Policies – The National Conference on State Legislatures explores elections processes and procedures pertaining to election security, and identifies options that are in place in some states that legislators around the nation can consider to further improve elections security. These are provided in four categories: before an election, during an election, after an election and ongoing.
- DHS Cybersecurity Services Catalog for Election Infrastructure – This catalog lists and describes cybersecurity services available to the EI community. The purpose of the catalog is to inform the EI community of these services, advance information sharing among the community, and promote the protection of EI systems. All services featured in this catalog are voluntary, non-binding, no cost, and available to stakeholders upon request.
- NIST Election Terminology Glossary Glossary – This glossary contains election terms including those used in the next Voluntary Voting System Guidelines (VVSG) requirements and glossary, and in the NIST Common Data Format (CDF) specifications. The glossary is being built via a joint effort by The Democracy Fund, the VVSG Election Modeling public working group, NIST, and other individuals in the election community. The Democracy Fund in particular has recognized that a glossary of common election terms would help states and others working in elections to all “speak the same language.” The glossary provides synonyms and as much as is possible, descriptions of how a term’s meaning may differ depending on its usage across different states and territories.
- Common Cybersecurity Terminology – This glossary contains a list of common cybersecurity terminology aggregated from NIST, the Committee on National Security Systems (CNSS), ISO/IEC, and CISA (US-CERT, NIPP).
- EAC Election Security Forum, August 2019 – A video archive of an election security forum hosted by the EAC featuring a 3-panel discussion regarding election security and voting system certification.
- EAC 2020 Elections Summit: Shelby Pierson Remarks – The election Threats Executive for the Office of the Director of National Intelligence (ODNI) provided an overview of the threat landscape as it relates to foreign interference in elections and election security, and shared information on the intelligence community’s efforts to coordinate and respond to these threats.
- EAC 2020 Elections Summit: Securing the 2020 Elections – A video archive of a panel discussion focused on the efforts of election officials and their federal partners to secure U.S. election infrastructure in the lead up to the 2020 elections. Discussion topics included protecting election infrastructure against cybersecurity threats and foreign interference, lessons from the 2018 elections, the use of 2018 and 2020 HAVA funds, and the work of the Election Infrastructure Subsector Government Coordination Council (GCC).
- American elections: understanding cybersecurity, October 2017 – A video archive of an election security roundtable moderated by former EAC Commissioner Matt Masterson and featuring Joseph Lorenzo Hall, Amber McReynolds, Scott Cardenas, Ben Spear, and Thomas Connolly. The roundtable kicked off Cybersecurity Awareness Month with a discussion on how to prevent cyberattacks and resources available for election officials developing incident response plans. The panel also discussed the unique challenges hackers present, understanding what it means to be the target of a nation-state actor, and the collaborative approach needed to update and strengthen jurisdictions’ cyber safeguards.
Resources for voters (top)
- Voting System Security Measures - May 2022 - This guide from the EAC outlines some of the many best practices local election officials follow to secure voting systems through an election cycle. It's important to note this is a broad list of common security measures and procedures to protect the integrity of an election. The types of security measures may vary based on the voting systems in use in state and local jurisdictions.
- EAC Election Security Voter Pamphlet – The pamphlet can be printed, folded, and provided to voters to describe how elections are secured in the United States.
- EAC Presenter's Guide to Election Security – This guidebook complements the EAC’s election security video and contains the following resources that provide a concise and accessible, yet comprehensive, overview of election security that officials can offer voters:
- Election Security Presentation Script
- Voter Handout
- Frequently Asked Questions
- Other EAC Voter Materials About Election Security
Performing self-assessments (top)
- Center for Internet Security Performing an Election Security Self-Assessment – CIS has developed a program to help your agency conduct an election security self-assessment. The Election Infrastructure Assessment Tool (EIAT) helps election officials and IT personnel speak a common language. Users can assess the security readiness of their election infrastructure using this program.
- CISA Election Security Questionnaire – CISA created the following questionnaire to assist state, local, tribal, and territorial (SLTT) governments with implementing cybersecurity best practices to strengthen the security of their election infrastructure.
Securing non-voting election technology (top)
- MITRE Recommended Security Controls for Voter Registration – This report is directed at technical members of state and local governments that maintain such systems. It recommends actionable security controls that can be applied to protect these systems.
- EAC Checklist for securing voter registration data – This list is intended to provide election officials information on best practices to protect their voter registration data. State and local election officials have already implemented many of these items. Election officials may use it to provide assurance to members of the public who may question the security measures that have been implemented in their State.
- US CERT Security Tip (ST 16-001) Securing Voter Registration Data – Technical guidance from US CERT on securing voter registration systems. Any database containing personal information should be protected with strategic layers of physical and technological security. Election officials may use this list as a baseline to assess the current security protocol surrounding the voter registration database as well as a reference to guide the public on what has already been implemented to protect their voter registration data and the integrity of their vote.
- EAC Checklist for securing election night reporting systems – EAC developed a list of mitigations to assist in defending election night reporting systems.
- Best Practices for Securing Non-Voting Systems – The goal of this document is to provide community-driven, comprehensive security best practices and implementation guidance for non-voting election technology to election officials and election technology providers. Non-voting election technology refers to internet-connected products and services that handle sensitive ballot, voter, and election results data. This includes election night reporting systems, electronic pollbooks, electronic ballot delivery systems, and voter registration systems
Using your procurement process to improve security (top)
- 10 things you should know about purchasing new voting equipment – This series of guides to managing election technology identify the primary areas in which the effective Election Official must recognize their role as an IT manager and provides ideas and best practices to assist in accommodating the demands of the modern election’s office.
- A Procurement Guide for Better Election Cybersecurity – Seven (7) key areas are examined that election officials and policymakers may consider in order to achieve better vendor cybersecurity. They include: 1. Source Code Disclosure 2. Robust Security Incident Reporting 3. Patching/Software Updates 4. Security Assessments/Audits 5. Regular Penetration Testing 6. Risk-Limiting Audit Support,. and 7. Foreign Nexus Disclosure.
- CIS Security for Election Technology Procurements – This guide includes best practices that election offices can use for planning, developing, and executing procurements. Each best practice has language that can be copied and pasted directly into requests for proposals (RFPs), requests for information (RFIs), and the like. The best practices also include descriptions of good and bad responses, tips, and helpful references and links. In addition to the best practices, the earlier sections of this guide (on the procurement process, the IT procurement lifecycle, and cybersecurity beyond procurement) contain valuable information to improve your general knowledge and to be used as a reference.
- EAC Considerations for Implementing Voting Systems with COTS Products – Over the course of the past several years, election jurisdictions seeking to purchase new election systems have begun a significant shift in focus away from the traditional approach of procuring predominantly proprietary election systems and toward procuring systems largely composed of commercial products. This technical paper details benefits and drawbacks of using COTS technology in elections.
A closer look at remote voting (top)
- NIST A Threat Analysis on UOCAVA Voting Systems – This report examines electronic transmission options (telephone, fax, e-mail, web) for UOCAVA voting that are in limited use or have been proposed as methods for improving UOCAVA voting, and analyzes the security-related threats to these transmission options. This report presents initial conclusions regarding the use of these electronic technologies and suggested next steps.
- NIST Security Best Practices for the Electronic Transmission of Election Materials for UOCAVA Voters – This document outlines the basic process for the distribution of election material including registration material and blank ballots to Uniformed and Overseas Citizen Absentee Voting Act (UOCAVA) voters. It describes the technologies that can be used to support the electronic dissemination of election material along with security techniques – both technical and procedural – that can protect this transfer. The purpose of the document is to inform Election Officials about the current technologies and techniques that can be used to improve the delivery of election material for UOCAVA voters.
- NIST Information System Security Best Practices for UOCAVASupporting Systems – This document provides voting jurisdictions with security best practices for IT and networked systems that are used to support UOCAVA voting by sending or receiving voter registration or ballot request materials, or by delivering blank ballots to voters. Some of these best practices are unique to voting systems, but most are similar to, or the same as, best practices in IT and networked systems in general. For the latter, this document summarizes and points to other security-related documents published by NIST.
- NIST Security Considerations for Remote Electronic UOCAVA Voting – This paper identified desirable security properties of remote electronic voting systems, threats of voting over the Internet from personally-owned devices, and current and emerging technologies that may be able to mitigate some of those threats.
- EAC Uniformed and Overseas Citizens Absentee Voting Act Registration and Voting Processes – The purpose of this white paper is to provide a framework to assist federal and state policy makers, state and local election officials, the TGDC, and other stakeholders engaged in making decisions about the use of electronic technology for voting or creating standards for testing voting systems. This framework consists of a set of functional descriptions of the election administration and voter processes associated with absentee voting as prescribed by the Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA) and other federal and state laws related to this Act.
- EAC Survey of Internet Voting – EAC researched the standards used for the development and testing of Internet voting systems, detailing the level of risk assumed and how it was estimated and providing an overview of each project.
Preparing and responding to cybersecurity incidents (top)
- EAC’s Disaster Preparedness and Recovery – EAC’s disaster preparedness and recovery page provides a variety of resources developed by election administrators, including presentations materials, videos, and planning templates.
- EAC Incident response best practices – The information contained in this document is derived from documents developed, vetted, and published by the EAC’s federal partners, including the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS). It primarily summarizes key points from NIST Special Publication (SP) 800-61 Revision 2: Computer Security Incident Handling Guide.
- EAC Election Management Guidelines Chapter 11: Contingency Planning and Change Management – This chapter of the EMGs provides election officials general guidelines on how to identify, assess, and respond to events that may disrupt election and voter registration services in their local jurisdictions.
- CISA Best practices for continuity of operations (handling destructive malware) – This paper provides recommendations and strategies that organizations can employ to actively prepare for and respond to a disruptive event such as destructive malware
Cybersecurity training resources (top)
- CTCL Cybersecurity Training for Election Officials – The EAC has partnered with the Center for Tech and Civic Life (CTCL) to offer no-cost online cybersecurity training for all election officials and elections related staff. This training is focused on election cybersecurity and is delivered in three courses: Cybersecurity 101, 201, and 301. Clicking on the link will take you to a page where you can sign up and begin this self-paced online training today.
- FedVTE – The Federal Virtual Training Environment (FedVTE) provides free online cybersecurity training to federal, state, local, tribal, and territorial government employees, federal contractors, and US military veterans. A limited number of courses are also available to the general public.
- Securing Digital Democracy MooC on Coursera – A course developed by the University of Michigan that discusses what every citizen should know about the security risks - and future potential - of electronic voting and internet voting. The course looks at the past, present, and future of election technologies and explores the various spaces intersected by voting, including computer security, human factors, public policy, and more.
- Cybersecurity Risk Management for Election Officials - Cybersecurity Risk Management for Election Officials is provided by the U.S. Election Assistance Commission (EAC) to raise awareness of cyber threats and risks facing Election Agencies in the United States. This webinar is intended for senior executives focused on potential risk to the Election Agency organization. It is meant to inform Election Officials’ cybersecurity strategy while also providing practical advice in alignment with the best practices to protect the Election Process (Business / Process Level) and the information systems and data supporting Elections (Implementation / Operations Level).
- Cybersecurity Crisis Management for Election Officials - Cybersecurity Crisis Management for Election Officials is provided by the U.S. Election Assistance Commission (EAC) and is intended to enable key election stakeholders, acting as frontline defenders, to be best prepared for a cyber crisis situation by increasing the effectiveness and agility of their response, lessening impact, and allowing for continuation of election activities and operations. The approach entails three phases, beginning with pre-election preparedness, shifting to election day War Room activities, and finishing with post-election wrap-up and improvement in order to prepare for the next rounds of election activities.
Information on conducting election audits (top)
- Election Audits Across the United States (2021) - Election audits ensure voting systems operate accurately, that election officials comply with regulations or internal policies, and identify and resolve discrepancies in an effort to promote voter confidence in the election administration process. There is no national auditing standard, and methods can vary from procedural, traditional, risk-limiting, tiered, or a combination of one or more types. This EAC resource provides insight on the following topics related to audits: types of audits, timing, policies, case studies, and state-specific information.
- EAC QuickStart Conducting Election Audits - EAC collaborated with local election officials to develop a series of helpful tips for election management. This series provides tips and suggests best practices that help you to run efficient and effective elections.
- EAC Election Management Guideline Chapter 10: Developing an Audit Trail - This chapter of the EMGs assists election officials leverage documentation and election administration practices to audit each component involved in the conduct of an election.
Your best practices (top)
U.S. EAC welcomes state and local election offices to submit presentations or materials used to demonstrate election security in their jurisdictions. To be considered for posting on the U.S. EAC website, election offices may submit requests here (email link to [email protected]).
- Denver, Colorado Elections - Cybersecurity – An archived video featuring former Denver Elections Director Amber McReynolds and City and County of Denver CIO Scott Cardenas discussing cybersecurity preparations.
- Montgomery County, Maryland Board of Elections overview of security procedures, 2016 Presidential general election – An archived presentation on the security preparations Montgomery County implemented for the 2016 Presidential general election.
- Orange County, California 2018 Election Security Playbook, Orange County Registrar of Voters – A guide covering election security that anticipates, mitigates, and responds to physical and cybersecurity threats. The playbook details threats and vulnerabilities, preventative measures and mitigations, their incident response plan, and future plans.
General security resources (top)
- Easy ways to build a better password (NIST) – In this resource, the U.S. National Institute of Standards & Technology (NIST) describes best practices in creating secure passwords and managing online accounts.
- Ransomware Executive One-Pager and Technical Document – This document is a U.S. Government interagency technical guidance document aimed to inform CIOs and CISOs at critical infrastructure entities, including small, medium, and large organizations. This document provides an aggregate of already existing Federal government and private industry best practices and mitigation strategies focused on the prevention and response to ransomware incidents.
The following are MS-ISAC resources describing types of general cybersecurity best practices:
- General security recommendations
- Importance of patching
- Center for Internet Security general resources
- Cyber threat information sharing
The following are MS-ISAC resources describing types of general cybersecurity attacks: