March 5, 2020
The Election Infrastructure Subsector: Development and
Challenges
In January 2017, in accordance with Presidential Policy
DHS and its federal, state, and local partners chartered the
Directive 21 (PPD-21), the Department of Homeland
EIS GCC in October 2017, and private sector partners
Security (DHS) designated the systems and assets used in
chartered the EIS SCC in February 2018. The EIS GCC
elections as the Election Infrastructure Subsector (EIS) of
created the Elections Infrastructure (EI) ISAC in 2018 to
the Government Facilities critical infrastructure sector.
provide state, local, tribal, and territorial (SLTT) officials
DHS defines critical infrastructure as “the physical and
with services such as 24-hour threat monitoring, readiness
cyber systems and assets that are so vital to the United
exercises, and assistance with incident response. The same
States that their incapacity or destruction would have a
year, the EIS SCC and the industry-focused Information
debilitating impact on our physical or economic security or
Technology (IT) ISAC established an Elections Industry
public health or safety.”
Special Interest Group (EI-SIG). The EI-SIG focuses on the
needs of elections industry companies, providing them with
The critical infrastructure designation was intended to help
a platform to engage with other members of the IT sector
address some of the obstacles election stakeholders faced in
and exchange information on common threats.
responding to foreign interference in the 2016 elections,
such as a lack of timely information sharing about threats to
Sector Progress
election systems. It gave DHS a new role in election
The federal critical infrastructure security framework relies
security, authorizing it to help coordinate among and
on voluntary participation and community-wide
prioritize assistance to election security stakeholders.
contributions to increase risk awareness and security.
Observers have offered mixed assessments of the overall
This In Focus provides an overview of the EIS. It describes
effectiveness of the voluntary collaboration framework, but
the formation and development of the subsector and some
they have generally found that critical infrastructure sectors
of the ongoing challenges it faces.
become more effective as they increase active membership,
pool resources, and find ways to more efficiently generate
Background
and share security-related information.
DHS established the EIS under an existing policy
framework for critical infrastructure security that was first
When DHS first designated election systems as critical
outlined during the Clinton Administration. Current critical
infrastructure, it lacked experience with election
infrastructure security guidance derives from the most
administration practices or well-developed relationships
recent iteration of that framework, PPD-21, published in
with the SLTT officials who administer elections.
2013. PPD-21 designated 16 critical infrastructure sectors,
Furthermore, officials from the National Association of
directing DHS to coordinate security collaboration among
Secretaries of State and the Election Assistance
public and private stakeholders and prioritize provision of
Commission—the federal agency with the most experience
its support services to those stakeholders.
working with SLTT election officials—objected to the
critical infrastructure designation as agency overreach.
Primary coordination mechanisms for each sector include
Government Coordinating Councils (GCCs), which consist
However, observers have indicated that relations between
of relevant federal agencies and other public sector
DHS and federal, state, and local partners have since
stakeholders, and Sector Coordinating Councils (SCCs),
improved and that the EIS has made progress in the areas of
which consist primarily of private sector stakeholders.
active membership growth, resource pooling, and
These coordinating councils may also support
information sharing listed above. For example, as of
independently organized Information Sharing and Analysis
February 2020, the EI-ISAC has nearly 2,500 members,
Centers (ISACs) to help identify and address threats to
including many SLTT election authorities. As such, the EI-
infrastructure in the sector they represent.
ISAC was the fastest growing of the existing ISACs,
according to DHS.
According to DHS, election infrastructure includes both
elections-related information and communications
By design, the value of the services the EI-ISAC provides
technology, such as voter registration databases and voting
increases with the network of stakeholders that use them.
machines, and physical infrastructure, such as polling
For example, the EI-ISAC uses analysis of network traffic
places and elections storage facilities. DHS’s Cybersecurity
on SLTT government systems to help develop cyber threat
and Infrastructure Security Agency (CISA) serves as the
signatures, so its ability to identify malicious network
lead federal agency for the EIS.
activity increases as more SLTT authorities share network
data. Since 2018, the EI-ISAC has expanded deployment of
intrusion detection sensors—known as Albert sensors—to
https://crsreports.congress.gov
The Election Infrastructure Subsector: Development and Challenges
elections-related systems in all 50 states. Some states have
GCC has established protocols for improving
also deployed the sensors on local or vendor networks.
communication among EIS stakeholders. Congress might
opt not to intervene in the subsector’s processes, allowing
DHS officials report that states have also used the EI-ISAC,
EIS stakeholders to address challenges within the existing
along with other EIS coordination mechanisms, to share
policy framework.
information about common threats. For example, in one
case described by a CISA official, state officials provided
However, Congress might also choose to be more involved.
DHS with information about possible malicious activity
Congress has held hearings on election security
targeting their election systems. DHS then distributed the
preparations and directed GAO to examine DHS’s elections
information to relevant stakeholders and issued a national
work, and it might choose to conduct further oversight of
alert. Some state officials report a general increase in
the EIS. Some Members have also proposed legislation—
information sharing and collaboration at all levels of
including in the areas described below—to address
government following the creation of the EIS, which they
subsector challenges.
believe has contributed to improvements in threat reporting
and awareness nationwide.
Funding for States: Congress appropriated $380
million for FY2018 and $425 million for FY2020 for
Continuing Challenges
payments to states to improve election administration,
The Government Accountability Office (GAO) raised
including election security. SLTT officials have
concerns about DHS’s election security planning in a
requested further funding—and, in particular, ongoing
February 2020 report. CISA has since taken steps to address
funding—for election security. Congress might consider
some of those concerns, including releasing a strategic plan,
whether to provide either one-time or ongoing payments
but GAO’s focus on the importance of planning highlights
to states and, if so, whether to set conditions or limits on
the scope of some of the challenges facing the EIS.
their use. Congress might also consider whether to
provide for additional evaluation of states’ use of
One of those challenges is participation. Participation in the
existing funding.
EIS has increased rapidly in general, but CISA and state
officials have reported difficulty getting some local officials
Funding for DHS: Congress might consider how much
to engage with the subsector. Some states, localities, and
to appropriate to CISA for its election infrastructure
vendors have also been reluctant to share information about
security work and whether to specify funding levels for
threats and vulnerabilities in their systems, which is a
particular activities. For example, some Members
common challenge across critical infrastructure sectors.
expressed concern that CISA’s budget request for
FY2020 would not maintain EI-ISAC services at
Some participation issues may be due in part to a mismatch
existing levels. Congress subsequently provided CISA
between certain resources available through the EIS and the
with more FY2020 funding for its election security
needs and capabilities of subsector stakeholders. The
initiative than the agency requested, and CISA’s director
February 2020 GAO report recounted problems with the
confirmed in a February 2020 hearing that the EI-ISAC
tailoring of certain CISA offerings, and some states have
would be fully funded.
purchased third-party security services rather than using
similar no-cost options from CISA. Some SLTT election
Requirements: Critical infrastructure sectors and
officials have reported that the volume of information they
federal action on election administration both generally
receive as part of the EIS can be overwhelming and that
rely on voluntary participation by stakeholders.
security notifications are not always actionable. The scope
However, some have suggested that there are
of some of the resources provided is also limited. For
advantages to universal adoption of certain election
example, Albert sensors provide security alerts about
security measures, such as cyber incident reporting or
potential intrusions into a network but are not designed to
risk-limiting audits. Congress might consider how to
block threats or detect malicious traffic within the network.
weigh the potential benefits of requiring adoption of
such measures against other considerations, such as the
Some states have taken action to address these gaps—for
roles and responsibilities of SLTT officials.
example, by setting up systems to process EIS information
for local officials—but that option might not always be
Codification: Creation of the EIS was an agency action,
viable for states with more limited resources. SLTT
which could be rescinded or otherwise challenged at the
resource limitations represent a continuing challenge for the
agency level. Some bills introduced in the 116th
EIS. States and localities might lack the resources needed to
Congress would make the EIS permanent by codifying it
act on information they receive through the EIS or
in federal law (see, for example, H.R. 1 and H.R. 1612).
implement recommendations from CISA. Election security
Congress might consider whether to adopt such a
fixes can be costly and may include ongoing costs like
proposal and whether to codify any of the specific
salaries or license renewal fees, which states and localities
activities that federal agencies carry out—or might carry
might not be able to fund without federal aid.
out—as part of the EIS.
Issues for Congress
Brian E. Humphreys, Analyst in Science and Technology
CISA has released plans to address some of these
Policy
challenges, as described above, and the EIS has
Karen L. Shanton, Analyst in American National
mechanisms for addressing others. For example, the EIS
Government
https://crsreports.congress.gov
The Election Infrastructure Subsector: Development and Challenges
IF11445
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF11445 · VERSION 1 · NEW