The EI-ISAC’s Guide to Election Technology Procurements#

Computer hardware, software, and services are essential for election operations. Many of the hardware, software, and services that underpin our elections—from voter registration and election management systems to pollbooks and vote capture devices—are procured from private vendors. Even simple public-facing websites may be procured. The security of each of these systems may have consequences on election administration. The industry partners from which information technology (IT) is procured play a critical role in managing the security risks inherent in elections. Understanding and properly managing security expectations in the procurement process can have a substantial impact on the success of the election process.

About this Guide#

The Election Infrastructure Information Sharing and Analysis Center® (EI-ISAC®) at the Center for Internet Security® (CIS®) developed this guide benefiting from input and feedback from state and local government, federal government, academic, and commercial stakeholders. The goal is to impact and improve the security of election infrastructure by providing a set of specific security best practices for IT procurements in elections that complement the EI-ISAC’s Essential Guide to Election Security, and other CIS best practices work.

This is an updated version of the original guide, released in 2019, which is available here.

Navigating the Guide#

You can navigate this guide by:

Using the back and next links at the bottom of each screen
By using the table of contents at the right
Viewing and downloading a PDF by hovering over the version at the bottom of the navigation bar (where it says “v:latest”) and selecting PDF
Saving or sharing a link to any heading or subheading by hovering over it and copying the link shown by the “#” to the right of the heading.

Contents#

This guide contains:

A brief summary of IT procurements in elections.
A summary of the best practices and model language found in this guide.
A set of best practices that election administrators can use in their procurements.
Model procurement language that election officials can use to communicate their security priorities, better understand vendor security procedures, and facilitate a more precise cybersecurity dialogue with the private sector. NOTE: This section is still in development and we need your help! Submit model language to use and we’ll post it here.
An overview of security risk in election technology procurement, including information on assessing and managing security risk in election systems.
A description of a typical IT product and services lifecycle, describing product purchase and support, system development and maintenance (including updates and patching), and the services lifecycle.
A more detailed primer on the IT Procurement Process, with descriptions of the typical IT procurement processes applicable across a range of organizations.
Additional resources for procurement and related information with links to procurement opportunities, training, and other useful information related to election procurement.