The goal of this document is to provide community-driven, comprehensive security best practices and implementation guidance for non-voting election technology to election officials and election technology providers.
CIS developed this set of best practices for securing non-voting election technology with a community of state and local election technologists, election technology providers, and other stakeholders. This initiative was built on the set of security controls from the CIS guide titled A Handbook for Elections Infrastructure Security to provide specific guidance for securely implementing and deploying non-voting election technology.
Non-voting election technology refers to network-connected products and services that handle sensitive ballot, voter, and election results data.1 This includes election night reporting systems, electronic pollbooks, electronic ballot delivery systems, and voter registration systems.
Election night reporting (ENR) systems receive election results from the voting system and distribute these to various data feeds and host them on a public web application.
Electronic pollbooks (EPB) are used by poll workers to assist with the voter verification and check-in process at a polling location. EPBs typically use the internet to synchronize voter check-ins among all pollbooks.
Electronic ballot delivery (EBD) systems take blank ballot information from the voting system and distribute blank ballots to eligible voters using a web portal.
Other internet-connected voter service applications like online voter registration, polling place lookup, and sample ballot portals are also covered by the best practices in this guide.
These best practices are not intended to secure internet voting systems. Internet voting systems have a very different risk profile and a complex set of unique requirements not covered in this guide.
1 For the purposes of this document, we use the terms internet-connected and network-connected interchangeably. While not the case in a technical sense, network-connected devices typically share the network with at least one internet-connected device and thus inherit their risks.
This comprehensive set of best practices is intended to be used by technology providers to build and deploy more secure products, as well as help election jurisdictions vet and obtain more secure products. CIS worked with broad group of industry stakeholders to help develop these best practices, including:
- Election technology providers, particularly those who provide election night reporting, electronic pollbooks, and electronic ballot delivery systems.
- Technologists from state and local election offices, particularly those personnel who implement and deploy technology solutions.
- Other government and private organizations involved in the development, implementation, deployment, or monitoring of internet-connected election technology.
Background and Purpose
To enable the free and fair elections that define our democracy, we must protect the security and reliability of election infrastructure. Through a best practices approach, we aim to help organizations involved in elections better understand how to prioritize and parse the enormous amount of guidance available on protecting information technology (IT) systems and engage in additional collaboration to address common threats to this critical aspect of democracy.
Election infrastructure is all the physical, technological, and procedural components required to facilitate free and open elections. Following from the highly decentralized nature of elections in the United States, there is no single catalog of these components nor any agreed-upon way to group them. There are more than 8,000 jurisdictions across the country responsible for the administration of elections. And while the federal government provides some laws and regulations, states have substantial discretion on the process of conducting elections. Moreover, most local election jurisdictions have autonomy to execute elections according to their own customs within the framework permitted by the state.
A Handbook for Elections Infrastructure Security — released by CIS in February 2018 — addressed the totality of election infrastructure. This yielded 88 best practices organized by Connected Class (Network Connected and Indirectly Connected) and Asset Class (Device, Process, Software, and User).
As follow-on work to the Handbook, this guide focuses on a subsection of the overall election infrastructure to provide more specific guidance on internet-connected services. While vote-capture and vote-tabulation devices are not typically connected to the internet, there are several election technologies that are internet-connected. Many of these systems interact with the voting systems or voter registration systems, and some play critical voter-service roles during the election. Due to their connection to the internet, these services are the most at-risk components of the election infrastructure. An attack on one of these services can have significant operational impact on an election, can cause confusion and stress, may potentially disenfranchise legitimate voters, and may ultimately reduce voter confidence in the process. From the perspective of our adversaries, an impact to voter confidence is as good as, or perhaps even better than, an actual disruption to the election infrastructure.
The purpose of this document is to provide a comprehensive set of best practices that, when implemented, will significantly reduce the risk of any of these technologies being compromised and adversely impacting election operations.
The development of the best practices in this guide was governed by the following goals:
- Risk-based: The best practices in this guide are recommended and prioritized based on the security risk they are designed to reduce. This helps ensure the best practices that have the highest likelihood of mitigating true threats are prioritized and implemented.
- Practical and implementable: The best practices presented are intended to be easily translated into implementable product requirements. We focus on tangible ways to reduce risk that are implementable by most organizations. While we hope this guide sets a bar that technology developers are able to reach, we acknowledge that some organizations will be able to implement some recommendations more readily.
- Implementation agnostic: The goal is to elevate the security of all implementations of election technology. To that end, these best practices are written to be implementation and technology agnostic. The intent is for a technology provider to implement these best practices with their current technology in a manner most appropriate for their solution. For some, this may mean they need to update some parts of their products. We can’t always prevent that, but there are multiple ways to implement each best practice.
- Verifiable: It is important that the best practices be translatable into product requirements for providers, and also translatable into test cases for verification.
This guide is organized into five areas: Networking and Architecture, Servers and Workstations, Software Applications, Data, and Administration. The best practices are grouped into one of these areas. The areas were chosen carefully based on similar threats within each area, and common approach to mitigations and governance. Threats are the types of attacks that malicious attackers are known to perpetrate on target systems. Mitigations are the actions that the system owners and operators take to reduce the likelihood that the threats succeed. Governance refers to the how this area of the election technology stack is typically managed and by whom.
For each area, we introduce the area and provide a discussion on the threats to, and governance of, that area. We then group the mitigations together and provide a discussion on why these mitigations are important for internet-connected election technology. Many of the mitigations are based on the CIS Controls ® . For full descriptions of the CIS Controls used, please refer to Appendix B.
The longer narrative texts are designed for nontechnical management personnel who need to understand the rationale and security context. The mitigations are intended for technical audiences who will be implementing the best practices.
Information Hub : Elections Resources
Blog post • 12 Nov 2019
Media mention • 04 Nov 2019
Media mention • 03 Nov 2019
Blog post • 31 Oct 2019