Updated January 28, 2019
The Designation of Election Systems as Critical Infrastructure
Prior to the 2016 federal election, a series of cyberattacks
chemical and transportation systems. It serves as SSA for
occurred on information systems of state and local election
several, including the EIS.
jurisdictions. Subsequently, in January 2017 the
Department of Homeland Security (DHS) designated the
The components of the EIS as described by DHS include
election infrastructure used in federal elections as a
physical locations (storage facilities, polling places, and
component of U.S. critical infrastructure. The designation
locations where votes are tabulated) and technology
sparked some initial concerns by state and local election
infrastructure (voter registration databases, voting systems,
officials about federal encroachment of their prerogatives,
and other technology used to manage elections and to report
but progress has been made in overcoming those concerns
and validate results). It does not include infrastructure
and providing assistance to election jurisdictions.
related to political campaigns.
What Led to the Designation?
Does the Designation Permit Federal
In August 2016, the Federal Bureau of Investigation (FBI)
Regulation of Election Infrastructure?
announced that some state election jurisdictions had been
DHS does not have regulatory authority over EIS. Five
the victims of cyberattacks aimed at exfiltrating data from
other agencies have significant roles with respect to federal
information systems in those jurisdictions. The attacks
elections, but none has claimed regulatory authority over
appeared to be of Russian-government origin. That same
the EIS:
month, DHS contacted state election officials to offer
cybersecurity assistance for their election infrastructure.
The Election Assistance Commission (EAC), created by
Most states accepted the offer. Although the cyberattacks
the Help America Vote Act (HAVA, P.L. 107-252),
did not appear to affect the integrity of the election
provides a broad range of assistance to states, including
infrastructure, some observers began calling for it to be
development of voluntary technical standards for voting
designated as critical infrastructure (CI). On January 6,
systems, voluntary guidance on implementing HAVA
2017, the Secretary of Homeland Security announced that
requirements, and research on issues in election
designation.
administration. It also has statutory authority for
administering formula payments to states to assist them
What Is Critical Infrastructure?
in meeting HAVA requirements and improving election
Under federal law, CI refers to systems and assets for which
administration, including $380 million appropriated in
“incapacity or destruction … would have a debilitating
FY2018 in response to security concerns.
impact on security, national economic security, national
public health or safety, or any combination” of them (42
The National Institute of Standards and Technology
U.S.C. §5195c(e)). Most CI entities are not government-
(NIST) assists the EAC on technical matters, including
owned or -operated. Presidential Policy Directive 21(PPD
development of the voting system standards,
21) identified 16 CI sectors, with some including
certification of voting systems, and research.
subsectors. Sectors vary in scope and in degree of
regulation. For example, the financial services sector is
The Department of Justice (DOJ) has some enforcement
highly regulated, whereas the information technology sector
responsibilities with respect to requirements in HAVA
is not. Election infrastructure has been designated as a
and other relevant statutes.
subsector (EIS) of government facilities. That sector
includes two previously established subsectors: education
The Department of Defense (DOD) assists military and
facilities, and national monuments and icons.
overseas voters.
The Homeland Security Act of 2002 (P.L. 107-296) gave
The Federal Election Commission (FEC) is responsible
DHS responsibility for several functions aimed at
for enforcement of campaign finance law but is not
promoting the security and resilience of CI with respect to
involved in election administration by state and local
both physical and cyber-based hazards, either human or
jurisdictions.
natural in origin. Among those functions are providing
assessments, guidance, and coordination of federal efforts.
HAVA expressly prohibits the EAC from issuing
regulations of relevance to the CI designation, and it leaves
Each CI sector has been assigned one or two federal sector-
the methods of implementation of the act’s requirements to
specific agencies (SSAs), which are responsible for
the states. However, it does permit DOJ to bring civil
coordinating public/private collaborative efforts to protect
actions if necessary to implement HAVA’s requirements.
the sector, including incident management and technical
assistance. DHS has regulatory authority over two sectors:
https://crsreports.congress.gov
The Designation of Election Systems as Critical Infrastructure
What Does the Designation Mean?
are generally updated on a four-year cycle. The most
While both DHS and the EAC provided assistance to states
recent versions were released in 2015 and therefore do
in addressing the security concerns that arose in the run-up
not yet include the EIS.
to the November 2016 election, the CI designation had
several notable consequences:
The CI designation for election infrastructure is also
intended to facilitate use of existing resources, such as
It raised the priority for DHS to provide security
assistance to election jurisdictions that request it and for
National Cybersecurity and Communications
other executive branch actions, such as economic
Integration Center. The NCCIC is the primary federal
sanctions that the Department of the Treasury can
focus for sharing CI cybersecurity.
impose against foreign actors who attack elements of
U.S. CI, including tampering with elections.
Critical Infrastructure Partnership Advisory Council.
CIPAC provides election officials access to a broad
It brings the subsector under a 2015 United Nations
range of relevant expertise and participation in sensitive
nonbinding consensus report (A/70/174) stating that
planning conversations.
nations should not conduct or support cyber-activity that
intentionally damages or impairs the operation of CI in
Multi-State Information Sharing and Analysis Center.
providing services to the public. It also states that
The MS-ISAC is one of the centers created to facilitate
nations should take steps to protect their own CI from
the sharing of security information for different CI
cyberattacks and to assist other nations in protecting
sectors. It works with the NCCIC, all states, and many
their CI and responding to cyberattacks on it. The report
local governments to assist them in cybersecurity. The
was the work of a group of governmental experts from
MS-ISAC supports the EIS-ISAC, created in 2018 to
20 nations, including Russia and the United States.
facilitate information-sharing activities for and among
more than 500 members consisting of state and local
It provided DHS the authority to establish formal
election offices, as well as the National Association of
coordination mechanisms for CI sectors and subsectors
Secretaries of State (NASS) and the National
and to use existing entities to support the security of the
Association of State Election Directors (NASED).
subsector. Those mechanisms are used to enhance
information sharing within the subsector and to facilitate
Pursuant to the EIS designation, DHS and the EAC assisted
collaboration within and across subsectors and sectors.
both jurisdictions and vendors in preparations on election
For example, both the FBI and the Office of the Director
security for the 2018 federal election. For more
of National Intelligence (ODNI) have participated in
information, see https://www.dhs.gov/topic/election-
briefing election officials on threats to the EIS.
security, https://www.eac.gov/election-officials/elections-
critical-infrastructure/, https://www.cisecurity.org/ei-isac/.
Among the coordination mechanisms for the subsector are
the following:
Why Was the Designation Initially
Controversial?
Government Coordinating Council. The GCC consists
Misgivings about DHS involvement were raised when it
of representatives of DHS, the EAC, state election
first offered assistance to election jurisdictions in August
offices from 13 states, 7 counties, and 1 city,
2016. Some observers feared that DHS would begin to exert
representing 18 states altogether. The GCC facilitates
control over the administration of elections or to engage in
coordination across government entities both within EIS
unrequested security activities.
and in other sectors. Activities include communications,
planning, issue resolution, and implementation of the
Controversy over the federal role in election administration
security missions of the entities.
is not new. Concerns about federal regulation of the
election process were prominent during the legislative
Sector Coordinating Council. The SCC consists of
debate over HAVA and led to the inclusion of the
representatives of 28 nongovernment entities, most of
regulatory restrictions in the law. Furthermore, bills in prior
which are providers of voting systems and other
Congresses that would have provided DHS broad
election-related products and services. SCCs are self-
regulatory authority over cybersecurity have all failed.
organized and self-governed. They are intended to
represent private-sector interests and to facilitate
The CI designation does not contravene the HAVA
collaboration activities, including information sharing,
restrictions on EAC regulations or create DHS regulatory
among the private-sector entities in the CI sector and
authority for the EIS. DHS provides assistance to election
with government entities.
jurisdictions only on a voluntary basis. In the 115th
Congress, a few bills would have established mandatory
Sector-Specific Plan. Public- and private-sector partners
standards or federal rule-making authority, but none
have created SSPs for each of the 16 CI sectors. There is
received committee or floor action. Bills with relevant
also a plan for the State, Local, Tribal, and Territorial
provisions have also been introduced in the 116th Congress.
Government Coordinating Council. The plans are
components of an overall National Infrastructure
Eric A. Fischer, Senior Specialist in Science and
Protection Plan and provide a means for the sectors to
Technology
establish goals and priorities for addressing risks. They
https://crsreports.congress.gov
The Designation of Election Systems as Critical Infrastructure
IF10677
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF10677 · VERSION 6 · UPDATED