Election Security Spotlight – Election Technology Procurement Guide

Election officials must procure computer hardware, software, and services necessary to conduct and support elections. Examples include, but are not limited to, voter registration and election management systems, poll books, and voting systems. Given that elections is a specialized area, the Center for Internet Security® (CIS®) and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®) updated its “A Guide for Ensuring Security in Election Technology Procurements” to provide a roadmap for election officials and all parties through the procurement process. This guide was first published in 2019 but has been updated in a new format and with updated content.

Why It Matters

Many of the systems and services needed to conduct and support elections are procured from private technology providers, so the role of these technology provider is vital in mitigating risk and maintaining the integrity of the election process. Election literacy involves best practices including information technology (IT) procurement. This guide will help you make informed decisions as to the vendors with whom you'd like to partner.

What You Can Do

Before your organization releases its next request for proposal (RFP), review “A Guide for Ensuring Security in Election Technology Procurements.” This document provides you with an overview of the procurement process and shares examples of the information you should be requesting from technology providers in your RFP. 

Please review and consider the following procurement recommendations:

Best Practices for Cybersecurity in IT Procurement

  • Decide which best practices listed in the guide apply to you. These best practices will generate responses from potential technology providers so that you can make an informed decision.
  • Note that the recommendations described in the guide are based on three facets of a potential technology provider's offering: people, process, and technology.
  • Identify the information you expect to be provided in the technology provider's proposal and recognize if the response is satisfactory.

Security Risk in Election Technology Procurement

  • Conduct regular risk assessments to determine which risks are acceptable based on your available resources and the type of system you are procuring.
  • Ensure that your RFPs and contracts include requirements for desirable system properties and risk mitigation.

The Procurement Process 

  • To get the most important information from a potential technology provider, ensure the technology provider's proprietary and confidential information (such as security) will not be disclosed.
  • Ensure a multidisciplinary team is involved. This usually includes election officials as well as the procurement and IT teams supporting them.
  • Identify the most appropriate type of contract for the technology you are procuring and ensure that contract type is permitted for use in your jurisdiction.

IT Product and Services Lifecycle

  • Ensure that the lifecycle of the technology under consideration meets your requirements, including maintenance expenses.
  • Recognize that any deficiencies in design, implementation, integration, or configuration can result in vulnerabilities.

Cybersecurity Beyond Procurement

  • Reference approaches developed by other jurisdictions and organizations that provide resources about cybersecurity protections.
  • Develop policies and procedures to maintain the security posture you have attained as a result of the procurement process.

Prepare for Your Next Election Technology Procurement

CIS and EI-ISAC are constantly working to add new best practices and make this guide even more user-friendly for election officials. Please go to https://election-procurement.docs.cisecurity.org/ to ensure you have the most updated version of the guide before your next election technology procurement. And don't forget that CIS now offers the RABET-V program to test the non-voting election technology you use in your environment. Learn more at https://cisecurity.org/elections/rabetv.

Please contact us at [email protected] if you have any questions.