The EI-ISAC’s Guide to Election Technology Procurements#
Computer hardware, software, and services are essential for election operations. Many of the hardware, software, and services that underpin our elections—from voter registration and election management systems to pollbooks and vote capture devices—are procured from private vendors. Even simple public-facing websites may be procured. The security of each of these systems may have consequences on election administration. The industry partners from which information technology (IT) is procured play a critical role in managing the security risks inherent in elections. Understanding and properly managing security expectations in the procurement process can have a substantial impact on the success of the election process.
About this Guide#
The Election Infrastructure Information Sharing and Analysis Center® (EI-ISAC®) at the Center for Internet Security® (CIS®) developed this guide benefiting from input and feedback from state and local government, federal government, academic, and commercial stakeholders. The goal is to impact and improve the security of election infrastructure by providing a set of specific security best practices for IT procurements in elections that complement the EI-ISAC’s Essential Guide to Election Security, and other CIS best practices work.
This is an updated version of the original guide, released in 2019, which is available
This guide contains:
A brief summary of IT procurements in elections.
A summary of the best practices and model language found in this guide.
A set of best practices that election administrators can use in their procurements.
Model procurement language that election officials can use to communicate their security priorities, better understand vendor security procedures, and facilitate a more precise cybersecurity dialogue with the private sector. NOTE: This section is still in development and we need your help! Submit model language to use and we’ll post it here.
An overview of security risk in election technology procurement, including information on assessing and managing security risk in election systems.
A description of a typical IT product and services lifecycle, describing product purchase and support, system development and maintenance (including updates and patching), and the services lifecycle.
A more detailed primer on the IT Procurement Process, with descriptions of the typical IT procurement processes applicable across a range of organizations.
Additional resources for procurement and related information with links to procurement opportunities, training, and other useful information related to election procurement.
Copyright © 2023, Center for Internet Security