Voter registration databases (VRDBs) store centralized state voter registration lists and perform critical functions in election administration, including verifying voter eligibility.[1] Election officials have worked hard in recent years to strengthen VRDB security to ensure elections are secure and successful.[2] The Center for Election Innovation & Research (CEIR) has surveyed states about VRDB security every two years since 2018.[3] These surveys have demonstrated widespread best practices in respondent states. This report shows that respondent states once again had strong security practices in place for the 2024 elections.
The demands of election security continue to evolve. Decision makers must consider best practices for VRBD security as they upgrade systems.[4] And looking ahead, some officials and experts are concerned that the federal government may stop providing assistance that was instrumental to securing past elections.[5] The aim of this report is to help election officials and policymakers navigate the complexities of VRDB security, including these new obstacles.
Takeaways & Findings
1. Election officials have reported concern over the continued availability of crucial federal resources for VRDB security. These resources include cybersecurity training, network monitoring, and security coordination and information sharing. Since the current administration has cut funding and capacity for election security, some officials are looking to state resources and other partnerships to fill potential gaps. Officials and policymakers need clarity and solutions.
2. Most states have adopted best practices across five key areas, according to CEIR’s analysis of the most recent survey responses from all 40 states that have participated since 2018. These areas are: 1) backing up VRDBs, 2) conducting system audits, 3) participating in tabletop exercises for cybersecurity training, 4) using a network monitoring system, and 5) requiring multi-factor authentication for access.
3. The 2024 VRDB security survey showed widespread best practices, with some specific areas for improvement. The report adapts the NIST 2.0 Cybersecurity Framework to organize findings into four security dimensions: Protect, Detect, Respond, and Recover. Table 1 below summarizes key findings in these dimensions.Table 1. Key Findings Among 24 Survey Respondents [6]Widespread Best Practices
Potential Areas for Improvement
Protect
· All states have dedicated IT support staff and comprehensive cyber threat training for users.
· All states have strong user validation and access restrictions for their VRDB systems.
· All states regularly conduct system audits to identify security vulnerabilities.
· Several states do not supplement the use of federal training resources with other resources, making them less resilient in case the federal government reduces existing resources.
· Most states have some identity verification and authentication requirements that do not align with current best practices, but these guidelines evolve and may not be one-size-fits-all.
Detect
· Most states use one or more monitoring services to detect threats.
· Most states record failed logins to monitor unauthorized access attempts.
· Some states were unsure of the details of the various monitoring approaches used by their third-party vendor service, which may indicate a breakdown in communication or understanding.
· Several states do not audit their recorded login attempts to identify malicious activity.
Respond
· Most states use Content Distribution Networks or other DDoS-mitigation tools to ensure operations continue in the case of a DDoS attack.
· Several states do not use Content Distribution Networks or other DDoS-mitigation tools and may be vulnerable to DDoS attacks.
Recover
· All states regularly backup their VRDBs, and all but one store a backup offline to preserve data and access in the case of a cyberattack.
· Most states encrypt their VRDB backups to protect the data and prevent unauthorized access.· Some states do not regularly test their VRDB backups to verify backup and recovery functions.
· Several states that use e-pollbooks do not require local election officials to keep paper pollbooks and provisional ballots on hand in case of e-pollbook or VRDB issues.Federal Resources for Voter Registration Database Security
In 2017, the Department of Homeland Security formally designated election infrastructure -including voter registration databases – as critical infrastructure.[7] Thereafter, the federal government took a more active role in providing important cybersecurity support and tools to state and local election administrators. But the continued availability of those resources is now in question:
· While the landscape continues to evolve, the current federal administration has, as of this writing, reduced funding and capacity across key federal agencies and federally funded programs that have traditionally provided significant security support to state and local election offices.
· Responses to the 2024 Voter Registration Database (VRDB) Security Survey fielded by the Center for Election Innovation & Research (CEIR) showed widespread reliance on federal resources for cybersecurity.
· Election officials across the country have expressed serious concerns about the impact of cuts to these crucial resources that help detect, monitor, and share information about election threats between election offices and law enforcement agencies nationwide.[8]
Use of Federal Resources Among 2024 VRDB Security Survey RespondentsTwenty-one of 24 respondent states indicated using at least one federal resource for cybersecurity training or network monitoring in the 2024 VRDB security survey. States may also be using other federal resources not covered in the survey.
Training VRDB Users
Nineteen of 24 respondent states indicated using Cybersecurity and Infrastructure Security Agency (CISA) Cyber Exercise Consulting, the Federal Virtual Training Environment (FedVTE), National Initiative for Cybersecurity Careers and Studies (NICCS) education and training, or some combination of the three.
States also reported using federal resources for tabletop exercises. A common resource for tabletop exercises has been CISA’s Election Security Tabletop Exercise Packages (CTEPs), which provide election offices with tailored opportunities to analyze security threats and their response capabilities.[9] CISA has also conducted annual “Tabletop the Vote” (TTV) exercises for public and private stakeholders, including officials from respondent states, in coordination with the U.S. Election Assistance Commission, National Association of Secretaries of State, and National Association of State Election Directors.[10]
Monitoring VRDB Systems
Sixteen of 23 respondent states indicated using Albert sensors, a network monitoring solution offered exclusively to state, local, tribal, and territorial governments via a federally supported program. [11] When Albert sensors detect a potential threat, the information is shared with a security operations center hosted by the federally funded Multi-State Information Sharing and Analysis Center (MS-ISAC). [12] The center operates around the clock to review detected alerts, dismiss false positives, and report actionable threats.
In addition to some of the resources explicitly asked about in the survey, respondent states also reported using other MS-ISAC resources, Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) resources, and CISA Cyber Hygiene services.
Insights on Federal Resources from Interviews with States
To supplement the survey and gain more insight into VRDB security resources provided by the federal government, CEIR interviewed three respondent states—Arizona, Connecticut, and Washington.[13] Each state repeatedly emphasized the importance of federal resources and collaboration with federal agencies, not just in securing VRDBs, but broadly in administering secure elections. For example, Arizona, as a swing state, is a prime target for cyberattacks. The state shared how CISA has played a key role in helping counties strengthen their VRDB security, especially in counties that would not be able to afford alternative resources. The cyber tools, monthly meetings, and general information provided by CISA have been critical to running secure elections and promoting trust and confidence in the state.
An Uncertain Landscape
Cuts to agency funding and staffing have fueled concern about the continued availability of federal resources for cybersecurity and election administration. The future of these resources remains uncertain.
CISA has eliminated funding for the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) and cut millions in funding from the Multi-State Information Sharing and Analysis Center (MS-ISAC).[14] These centers provided critical cybersecurity tools and services including cyber incident response teams, penetration testing, threat notifications, and information sharing for enhanced security coordination and collaboration.[15]
The EI-ISAC webpage currently says, “In response to federal funding cuts, the EI-ISAC Executive Committee is exploring options to continue its vital support to election offices.”[16] The MS-ISAC, which is particularly important to the functioning of the Albert sensors that many states use for network monitoring, has also been impacted by funding cuts.
Staffing reductions within CISA further restrict the agency’s capacity to fight foreign election interference and provide security resources to election offices.[17] The agency’s election-related funding and staffing cuts will likely have wide-reaching effects and may impact resources such as threat intelligence briefings, cybersecurity assessments, vulnerability scanning, and more. Additional cuts may occur in the future.
State and local election officials consider these federal resources essential, especially for election offices that do not have existing or robust in-house cybersecurity support. Even states with in-house cybersecurity support are concerned about the impact of these lost resources on election security, with one Secretary of State stating that “right now, we are effectively flying blind.”[18]
The uncertain availability of federal resources presents an enormous challenge for election officials. There is no easy replacement for the accessible and wide-reaching federal resources that have been so crucial for officials in preventing and mitigating cybersecurity breaches and the spread of false information. Any kind of reduction in the ability to monitor systems and add security makes election infrastructure more vulnerable.[KU1] Training Challenges in the Current Landscape
The potential loss of federal resources risks amplifying some logistical challenges related to training. In interviews with Arizona and Connecticut, officials highlighted the sheer number of users that need to be trained as an existing challenge. Connecticut, for example, must train nearly 1,000 different users across the state and its 169 towns. In the past, accessible federal training resources served as an equalizer between local jurisdictions with different resource capabilities. Now, state and local election offices across the country—already often short-staffed and under-resourced—are likely to struggle to fill the training resource void left by the cuts to federal resources.
Moving Forward: Other Resources and Partnerships
Losing important federal resources will be damaging to election security. To the extent possible, local and state officials will have to find solutions and fill some of the gaps. Policymakers can help election officials by providing more funding and resources and exploring partnerships and collaborations. Interviews with officials from Arizona, Connecticut, and Washington provide some insight into ways states can supplement or partially replace federal security resources.
Washington’s Information Security & Response Division
The Washington Office of the Secretary of State established the Information Security & Response Division in 2022. With its focus on cybersecurity and strategic messaging, the Division helps safeguard election infrastructure and administration in part by providing support directly to counties. Staff travel to every county to meet with local election officials and IT teams to discuss best practices and jurisdiction-specific security information. The Division also has a dedicated team stationed in eastern Washington to support and maintain a stronger touchpoint with the more isolated and underserved counties of that region. By taking this “whole of state” approach, the Division has developed a strong relationship with county election officials and legislative authorities to further facilitate county election security efforts.
Productive Relationship Between Washington Officials and other State Entities
State Legislature: Election and security officials in Washington also highlighted their productive relationship with the state legislature as a major reason the state’s VRDB security programs have been successful. The legislature appropriates state funds to the security programs created by the secretary of state’s office, so counties do not have to rely solely on federal resources. In concrete terms, the Information Security & Response Division has distributed nearly $5 million in grants to counties over the course of three years to support their physical and cyber security. The secretary of state’s office also worked with the legislature to pass a bill requiring every county to install intrusion detection systems and report cyber incidents to the secretary’s office. With those priorities and minimum requirements set in statute, counties can engage with the legislature about the resources needed to achieve those requirements.
State National Guard: Washington officials have worked closely with the state’s National Guard cybersecurity program since at least 2016 to help secure election infrastructure.[19] In 2022, the state expanded its Security Operations Center to enhance its partnerships with entities like the state National Guard, which provides important cyber protections, training, and information-sharing.[20]
Arizona’s In-House Security Team and State Partnerships
Arizona has a robust in-house security team that hosts monthly meetings with VRDB users across the state to talk about emerging security issues and discuss the concerns in context, including through mini tabletop exercises. Additionally, the state’s Department of Homeland Security and National Guard already help with county-level security and may be able to fill some of the gaps created by the reduction in federal resources.
External Partnerships in Connecticut
The Connecticut Secretary of the State’s office has collaborated with the University of Connecticut Center for Voting Technology Research (VoTeR) on various security issues, including the state’s new VRDB. State officials noted that the VoTeR Center was crucial in helping the state review its security requirements for the new VRDB and select a vendor that would implement robust security features.
Connecticut officials also use external sources for user training. The state and vendor worked to develop a multi-pronged approach to VRDB training that includes in-person training, online office hours, and a library of topic-specific training videos that users can access at any time. The state also provided licenses for SANS Institute cybersecurity training for all system users in 169 municipal election offices.Voter Registration Database Security Survey
To better understand voter registration database (VRDB) security and the landscape of security practices across the country, the Center for Election Innovation & Research (CEIR) has administered a VRDB security survey every two years since 2018.
This section begins with a time series analysis of important findings across survey years before presenting a summary of findings from the 2024 survey with spotlights on security practices in states. The time series analysis and the 2024 survey findings demonstrate widespread use of best practices among respondent states, along with a few areas for improvement.
To preserve cybersecurity and prevent adversaries from using this information to refine their attacks, CEIR does not identify the states that responded to the survey and reports only on aggregated responses and trends.
Time Series Snapshot, 2018-2024
Across all survey years, 40 of the 50 states and Washington, D.C. have responded to the survey. Many states have responded across multiple years to update their previous answers. The analysis below includes the most recent responses collected from each of the 40 states, which represents the most up-to-date information CEIR has on their VRDB security practices.[xxi]
Looking at the most recent information we have from each of the 40 states, CEIR identified some nearly universal security practices:
• Backups: 39 states responded that they backup their VRDB and one declined the question.
• System Audits: 37 states responded that they conduct system audits, one state responded that they did not as of 2020, and two states declined the question.
• Tabletop Exercises: 37 states responded that they attend tabletop exercises as part of their cybersecurity training and three responded that they did not as of 2018 (two states) and 2024 (one state).
• Monitoring Systems: 36 states responded that they use a network monitoring system, three responded that they did not as of 2018 (one state), 2024 (two states), and one state declined the question.
• Multi-Factor Authentication: 34 states responded that they require MFA to access their VRDB and six responded that they did not as of 2018 (one state), 2020 (two states), and 2024 (three states).
These are practices that states should consider adopting. Some states have likely adopted the practices since officials last responded to the survey. These near-universal practices demonstrate that election officials are taking security seriously and may suggest best practices to officials in other states.
The 2024 VRDB Security Survey
CEIR sent the 2024 VRDB security survey, which contained 43 questions, to chief election officials in every state and the District of Columbia; nearly half (24 states) responded. As in past years, some respondent states opted out of specific questions for security reasons.[xxii]
The 24 respondent states represent 55% of the country’s Citizen Voting Age Population and represent:[xxiii]
· All four census regions (Northeast, South, Midwest, and West)
· Elections departments run by Democratic officials, Republican officials, and independent or bipartisan commissions
· Top-down, bottom-up, and hybrid VRDB systems
· States with innovative registration methods, including online, same-day, and automatic voter registration
Without responses from all 50 states, there are limitations to what this survey can say about VRDB security across the country. However, with nearly half of states responding, this report can point to important strengths and weaknesses among those states and identify trends and developments in VRDB security practices.
The 2024 survey report partially adapts the NIST 2.0 Cybersecurity Framework to organize findings into four security dimensions: Protect, Detect, Respond, and Recover.[xxiv] These dimensions cover specific topics summarized below:
· Protect: User training, access controls, email protection, system audits
· Detect: Login attempts, traffic, network and input monitoring
· Respond: Content Distribution Networks (CDNs) and Distributed Denial-of-Service (DDoS) mitigation
· Recover: Backup automation, storage, and encryption, and paper pollbooks
This report also highlights insights from qualitative interviews with several states to add detailed insight into state cybersecurity practices and considerations.[xxv]
Protect
Protecting VRDB systems and data means preventing unauthorized access, strengthening core infrastructure, and proactively managing risks. This requires both human and digital dimensions, including vetting and training VRDB users, controlling user access, and ensuring system integrity through audits.
VRDB Users
VRDB users include state and local election officials, IT staff, and third-party contractors or vendors. To maintain security at every access point, these users must be trained appropriately and supported by IT staff.
IT Staff: All 24 respondent states reported having a designated IT staff member responsible for managing their VRDB. States should employ experienced IT staff in-house or through a third party to help election administrators with technical VRDB management and maintenance.Of the 22 states that provided additional information on their designated IT staff, at least 20 states reported that one or more of their IT staff members manage the VRDB full-time. Some states noted that their designated staffer is supported by other in-house employees who help as needed. The two states that report some other staffing solution specified that IT support for their VRDB is managed by a combination of in-house staff and external contractors or vendors.
Background Checks: To minimize the risk of security breaches due to insider threats, state or local jurisdictions should thoroughly vet VRDB users.
Four of the 23 states that responded to this question indicated that all users with VRDB access are subject to background checks. One of the four states provided more information on its background checks, specifying that its designated IT staff member holds active an security clearance, and vendors are also required to conduct background checks on all employees with access.
Fifteen states reported that at least some users—but possibly not all—undergo background checks. Several of these states explained that all state employees and contractors are subject to general background checks required for state personnel, but screening users at the local level is up to the discretion of each jurisdiction. Two states reported that they do not conduct background checks for any users with VRDB access.
Training VRDB Users
VRDB users receive targeted training to help them identify and respond to potential cyber threats. States have strengthened their VRDB security through initiatives like comprehensive training programs and customized tabletop exercises.
All 23 respondent states reported training VRDB users on social engineering, a common threat that weaponizes human interaction to get confidential information that can be used to gain control over a system (e.g., phishing).[xxvi] Twenty of the 23 states also train for insider threats or poor cyber hygiene, and 19 reported training on all three topics.
Seven of the 23 states reported training VRDB users on other types of threats such as ransomware and denial of service attacks. Several states also mentioned training users on physical security.All 23 respondent states indicated that they conduct user trainings at least annually. Additionally, some of these states provided greater detail on the structure and regularity of their training. One state described a monthly statewide training course administered through KnowBe4, which trains all users on a changing set of topics related to cybersecurity best practices. Another state specified that state-level employees receive quarterly cybersecurity training and share information on cybersecurity threats with local election officials leading up to elections.
The one state that did not respond to this question still noted that users receive quarterly cybersecurity training and share information on cybersecurity threats with local election officials leading up to elections.
Tabletop Exercises (TTX): Tabletop exercises are a specific type of user training that simulates different scenarios and challenges staff to think about how they would respond.
Twenty-three of 24 respondent states reported that they conduct or attend tabletop exercises. Five of the 23 states require all users to attend tabletop exercises. Eighteen states only require some users to attend these exercises, but several of these states note that they give all users the option to attend.Training Resources: States use a variety of resources to train their users, including those produced by the federal government, third-party vendors, and internally. However, as the availability of federal resources becomes increasingly uncertain, states may need to adapt their approach and rely more on other resources. See “Federal Resources for Voter Registration Database Security” for more information.
Nineteen of 24 respondent states indicated using some federal training resources, including CISA Cyber Exercise Consulting, the Federal Virtual Training Environment (FedVTE) and National Initiative for Cybersecurity Careers and Studies (NICCS) education and training. The most common training resource among respondent states was CISA Cyber Exercise Consulting, which 19 states reported using. Seven of the 19 states also use FedVTE, and four use NICCS education and training.
Sixteen of 24 states reported using other resources for cybersecurity training, including KnowBe4, Sans Institute, InfoSec, Security Mentor, and State Homeland Security. Several states noted using custom training resources, often developed in partnership with other state agencies and third-party security experts. Fourteen of 24 states reported using multiple resources to train users. Eleven of the 14 states use a combination of resources from the federal government and other organizations, giving them a more resilient training program in an environment where federal resource availability may change.Controlling User Access
Managing user access means both controlling user permissions and securing how users access the VRDB.
Principle of Least Privilege: Twenty-two of 23 respondent states reported applying the principle of least privilege (POLP) to manage and restrict VRDB access. POLP is an information security practice in which user access is limited to only the data, resources, and applications necessary to perform their specific job functions.[xxvii]
Voter Registration Database Security: Successes, Challenges, and Areas for Improvement
Voter registration databases (VRDBs) store centralized state voter registration lists and perform critical functions in election administration, including verifying voter eligibility.[1] Election officials have worked hard in recent years to strengthen VRDB security to ensure elections are secure and successful.[2] The Center for Election Innovation & Research (CEIR) has surveyed states about VRDB security every two years since 2018.[3] These surveys have demonstrated widespread best practices in respondent states. This report shows that respondent states once again had strong security practices in place for the 2024 elections.
The demands of election security continue to evolve. Decision makers must consider best practices for VRBD security as they upgrade systems.[4] And looking ahead, some officials and experts are concerned that the federal government may stop providing assistance that was instrumental to securing past elections.[5] The aim of this report is to help election officials and policymakers navigate the complexities of VRDB security, including these new obstacles.
- Election officials have reported concern over the continued availability of crucial federal resources for VRDB security. These resources include cybersecurity training, network monitoring, and security coordination and information sharing. Since the current administration has cut funding and capacity for election security, some officials are looking to state resources and other partnerships to fill potential gaps. Officials and policymakers need clarity and solutions.
- Most states have adopted best practices across five key areas, according to CEIR’s analysis of the most recent survey responses from all 40 states that have participated since 2018. These areas are: 1) backing up VRDBs, 2) conducting system audits, 3) participating in tabletop exercises for cybersecurity training, 4) using a network monitoring system, and 5) requiring multi-factor authentication for access.
- The 2024 VRDB security survey showed widespread best practices, with some specific areas for improvement. The report adapts the NIST 2.0 Cybersecurity Framework to organize findings into four security dimensions: Protect, Detect, Respond, and Recover. Table 1 below summarizes key findings in these dimensions.
Federal Resources for Voter Registration Database Security
In 2017, the Department of Homeland Security formally designated election infrastructure — including voter registration databases — as critical infrastructure.[7] Thereafter, the federal government took a more active role in providing important cybersecurity support and tools to state and local election administrators. But the continued availability of those resources is now in question:
- While the landscape continues to evolve, the current federal administration has, as of this writing, reduced funding and capacity across key federal agencies and federally funded programs that have traditionally provided significant security support to state and local election offices.
- Responses to the 2024 Voter Registration Database (VRDB) Security Survey fielded by the Center for Election Innovation & Research (CEIR) showed widespread reliance on federal resources for cybersecurity.
- Election officials across the country have expressed serious concerns about the impact of cuts to these crucial resources that help detect, monitor, and share information about election threats between election offices and law enforcement agencies nationwide.[8]
Use of Federal Resources Among 2024 VRDB Security Survey Respondents
Twenty-one of 24 respondent states indicated using at least one federal resource for cybersecurity training or network monitoring in the 2024 VRDB security survey. States may also be using other federal resources not covered in the survey.
How States Use Federal Resources
Training VRDB Users
Nineteen of 24 respondent states indicated using Cybersecurity and Infrastructure Security Agency (CISA) Cyber Exercise Consulting, the Federal Virtual Training Environment (FedVTE), National Initiative for Cybersecurity Careers and Studies (NICCS) education and training, or some combination of the three.
States also reported using federal resources for tabletop exercises. A common resource for tabletop exercises has been CISA’s Election Security Tabletop Exercise Packages (CTEPs), which provide election offices with tailored opportunities to analyze security threats and their response capabilities.[9] CISA has also conducted annual “Tabletop the Vote” (TTV) exercises for public and private stakeholders, including officials from respondent states, in coordination with the U.S. Election Assistance Commission, National Association of Secretaries of State, and National Association of State Election Directors.[10]
Monitoring VRDB Systems
Sixteen of 23 respondent states indicated using Albert sensors, a network monitoring solution offered exclusively to state, local, tribal, and territorial governments via a federally supported program. [11] When Albert sensors detect a potential threat, the information is shared with a security operations center hosted by the federally funded Multi-State Information Sharing and Analysis Center (MS-ISAC). [12] The center operates around the clock to review detected alerts, dismiss false positives, and report actionable threats.
In addition to some of the resources explicitly asked about in the survey, respondent states also reported using other MS-ISAC resources, Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) resources, and CISA Cyber Hygiene services.
Insights on Federal Resources from Interviews with States
To supplement the survey and gain more insight into VRDB security resources provided by the federal government, CEIR interviewed three respondent states—Arizona, Connecticut, and Washington.[13] Each state repeatedly emphasized the importance of federal resources and collaboration with federal agencies, not just in securing VRDBs, but broadly in administering secure elections. For example, Arizona, as a swing state, is a prime target for cyberattacks. The state shared how CISA has played a key role in helping counties strengthen their VRDB security, especially in counties that would not be able to afford alternative resources. The cyber tools, monthly meetings, and general information provided by CISA have been critical to running secure elections and promoting trust and confidence in the state.
An Uncertain Landscape
An Uncertain Landscape
Cuts to agency funding and staffing have fueled concern about the continued availability of federal resources for cybersecurity and election administration. The future of these resources remains uncertain.
CISA has eliminated funding for the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) and cut millions in funding from the Multi-State Information Sharing and Analysis Center (MS-ISAC).[14] These centers provided critical cybersecurity tools and services including cyber incident response teams, penetration testing, threat notifications, and information sharing for enhanced security coordination and collaboration.[15]
The EI-ISAC webpage currently says, “In response to federal funding cuts, the EI-ISAC Executive Committee is exploring options to continue its vital support to election offices.”[16] The MS-ISAC, which is particularly important to the functioning of the Albert sensors that many states use for network monitoring, has also been impacted by funding cuts.
Staffing reductions within CISA further restrict the agency’s capacity to fight foreign election interference and provide security resources to election offices.[17] The agency’s election-related funding and staffing cuts will likely have wide-reaching effects and may impact resources such as threat intelligence briefings, cybersecurity assessments, vulnerability scanning, and more. Additional cuts may occur in the future.
State and local election officials consider these federal resources essential, especially for election offices that do not have existing or robust in-house cybersecurity support. Even states with in-house cybersecurity support are concerned about the impact of these lost resources on election security, with one secretary of state stating that “right now, we are effectively flying blind.”[18]
The uncertain availability of federal resources presents an enormous challenge for election officials. There is no easy replacement for the accessible and wide-reaching federal resources that have been so crucial for officials in preventing and mitigating cybersecurity breaches and the spread of false information. Any kind of reduction in the ability to monitor systems and add security makes election infrastructure more vulnerable.
Training Challenges in the Current Landscape
The potential loss of federal resources risks amplifying some logistical challenges related to training. In interviews with Arizona and Connecticut, officials highlighted the sheer number of users that need to be trained as an existing challenge. Connecticut, for example, must train nearly 1,000 different users across the state and its 169 towns. In the past, accessible federal training resources served as an equalizer between local jurisdictions with different resource capabilities. Now, state and local election offices across the country—already often short-staffed and under-resourced—are likely to struggle to fill the training resource void left by the cuts to federal resources.
Moving Forward
Moving Forward
Losing important federal resources will be damaging to election security. To the extent possible, local and state officials will have to find solutions and fill some of the gaps.
Policymakers can help election officials by providing more funding and resources and exploring partnerships and collaborations. Interviews with officials from Arizona, Connecticut, and Washington provide some insight into ways states can supplement or partially replace federal security resources.
Washington’s Information Security & Response Division
The Washington Office of the Secretary of State established the Information Security & Response Division in 2022. With its focus on cybersecurity and strategic messaging, the Division helps safeguard election infrastructure and administration in part by providing support directly to counties. Staff travel to every county to meet with local election officials and IT teams to discuss best practices and jurisdiction-specific security information. The Division also has a dedicated team stationed in eastern Washington to support and maintain a stronger touchpoint with the more isolated and underserved counties of that region. By taking this “whole of state” approach, the Division has developed a strong relationship with county election officials and legislative authorities to further facilitate county election security efforts.
Productive Relationship Between Washington Officials and other State Entities
State Legislature: Election and security officials in Washington also highlighted their productive relationship with the state legislature as a major reason the state’s VRDB security programs have been successful. The legislature appropriates state funds to the security programs created by the secretary of state’s office, so counties do not have to rely solely on federal resources. In concrete terms, the Information Security & Response Division has distributed nearly $5 million in grants to counties over the course of three years to support their physical and cyber security. The secretary of state’s office also worked with the legislature to pass a bill requiring every county to install intrusion detection systems and report cyber incidents to the secretary’s office. With those priorities and minimum requirements set in statute, counties can engage with the legislature about the resources needed to achieve those requirements.
State National Guard: Washington officials have worked closely with the state’s National Guard cybersecurity program since at least 2016 to help secure election infrastructure.[19] In 2022, the state expanded its Security Operations Center to enhance its partnerships with entities like the state National Guard, which provides important cyber protections, training, and information sharing.[20]
Arizona’s In-House Security Team and State Partnerships
Arizona has a robust in-house security team that hosts monthly meetings with VRDB users across the state to talk about emerging security issues and discuss the concerns in context, including through mini tabletop exercises. Additionally, the state’s Department of Homeland Security and National Guard already help with county-level security and may be able to fill some of the gaps created by the reduction in federal resources.
External Partnerships in Connecticut
The Connecticut Secretary of the State’s office has collaborated with the University of Connecticut Center for Voting Technology Research (VoTeR) on various security issues, including the state’s new VRDB. State officials noted that the VoTeR Center was crucial in helping the state review its security requirements for the new VRDB and select a vendor that would implement robust security features.
Connecticut officials also use external sources for user training. The state and vendor worked to develop a multi-pronged approach to VRDB training that includes in-person training, online office hours, and a library of topic-specific training videos that users can access at any time. The state also provided licenses for SANS Institute cybersecurity training for all system users in 169 municipal election offices.
Voter Registration Database Security Survey
To better understand voter registration database (VRDB) security and the landscape of security practices across the country, the Center for Election Innovation & Research (CEIR) has administered a VRDB security survey every two years since 2018.
This section begins with a time series analysis of important findings across survey years before presenting a summary of findings from the 2024 survey with spotlights on security practices in states. The time series analysis and the 2024 survey findings demonstrate widespread use of best practices among respondent states, along with a few areas for improvement.
To preserve cybersecurity and prevent adversaries from using this information to refine their attacks, CEIR does not identify the states that responded to the survey and reports only on aggregated responses and trends.
Time Series Snapshot, 2018-2024
Across all survey years, 40 of the 50 states and Washington, D.C. have responded to the survey. Many states have responded across multiple years to update their previous answers. The analysis below includes the most recent responses collected from each of the 40 states, which represents the most up-to-date information CEIR has on their VRDB security practices.[21]
Expand
Looking at the most recent information we have from each of the 40 states, CEIR identified some nearly universal security practices:
- Backups: 39 states responded that they backup their VRDB and one declined the question.
- System Audits: 37 states responded that they conduct system audits, one state responded that they did not as of 2020, and two states declined the question.
- Tabletop Exercises: 37 states responded that they attend tabletop exercises as part of their cybersecurity training and three responded that they did not as of 2018 (two states) and 2024 (one state).
- Monitoring Systems: 36 states responded that they use a network monitoring system, three responded that they did not as of 2018 (one state), 2024 (two states), and one state declined the question.
- Multi-Factor Authentication: 34 states responded that they require MFA to access their VRDB and six responded that they did not as of 2018 (one state), 2020 (two states), and 2024 (three states).
These are practices that states should consider adopting. Some states have likely adopted the practices since officials last responded to the survey. These near-universal practices demonstrate that election officials are taking security seriously and may suggest best practices to officials in other states.
The 2024 VRDB Security Survey
CEIR sent the 2024 VRDB security survey, which contained 43 questions, to chief election officials in every state and the District of Columbia; nearly half (24 states) responded. As in past years, some respondent states opted out of specific questions for security reasons.[22]
The 24 respondent states represent 55% of the country’s Citizen Voting Age Population and represent:[23]
- All four census regions (Northeast, South, Midwest, and West)
- Elections departments run by Democratic officials, Republican officials, and independent or bipartisan commissions
- Top-down, bottom-up, and hybrid VRDB systems
- States with innovative registration methods, including online, same-day, and automatic voter registration
Without responses from all 50 states, there are limitations to what this survey can say about VRDB security across the country. However, with nearly half of states responding, this report can point to important strengths and weaknesses among those states and identify trends and developments in VRDB security practices.
The 2024 survey report partially adapts the NIST 2.0 Cybersecurity Framework to organize findings into four security dimensions: Protect, Detect, Respond, and Recover.[24] These dimensions cover specific topics summarized below:
- Protect: User training, access controls, email protection, system audits
- Detect: Login attempts, traffic, network and input monitoring
- Respond: Content Distribution Networks (CDNs) and Distributed Denial-of-Service (DDoS) mitigation
- Recover: Backup automation, storage, and encryption, and paper pollbooks
This report also highlights insights from qualitative interviews with several states to add detailed insight into state cybersecurity practices and considerations.[25]
Protect
Protecting VRDB systems and data means preventing unauthorized access, strengthening core infrastructure, and proactively managing risks. This requires both human and digital dimensions, including vetting and training VRDB users, controlling user access, and ensuring system integrity through audits.
Expand
VRDB Users
VRDB users include state and local election officials, IT staff, and third-party contractors or vendors. To maintain security at every access point, these users must be trained appropriately and supported by IT staff.
IT Staff: All 24 respondent states reported having a designated IT staff member responsible for managing their VRDB. States should employ experienced IT staff in-house or through a third party to help election administrators with technical VRDB management and maintenance.
Of the 22 states that provided additional information on their designated IT staff, at least 20 states reported that one or more of their IT staff members manage the VRDB full-time. Some states noted that their designated staffer is supported by other in-house employees who help as needed. The two states that report some other staffing solution specified that IT support for their VRDB is managed by a combination of in-house staff and external contractors or vendors.
Background Checks: To minimize the risk of security breaches due to insider threats, state or local jurisdictions should thoroughly vet VRDB users.
Four of the 23 states that responded to this question indicated that all users with VRDB access are subject to background checks. One of the four states provided more information on its background checks, specifying that its designated IT staff member holds active an security clearance, and vendors are also required to conduct background checks on all employees with access.
Fifteen states reported that at least some users—but possibly not all—undergo background checks. Several of these states explained that all state employees and contractors are subject to general background checks required for state personnel, but screening users at the local level is up to the discretion of each jurisdiction. Two states reported that they do not conduct background checks for any users with VRDB access.
Training VRDB Users
VRDB users receive targeted training to help them identify and respond to potential cyber threats. States have strengthened their VRDB security through initiatives like comprehensive training programs and customized tabletop exercises.
All 23 respondent states reported training VRDB users on social engineering, a common threat that weaponizes human interaction to get confidential information that can be used to gain control over a system (e.g., phishing).[26] Twenty of the 23 states also train for insider threats or poor cyber hygiene, and 19 reported training on all three topics.
Seven of the 23 states reported training VRDB users on other types of threats such as ransomware and denial of service attacks. Several states also mentioned training users on physical security.
All 23 respondent states indicated that they conduct user trainings at least annually. Additionally, some of these states provided greater detail on the structure and regularity of their training. One state described a monthly statewide training course administered through KnowBe4, which trains all users on a changing set of topics related to cybersecurity best practices. Another state specified that state-level employees receive quarterly cybersecurity training and share information on cybersecurity threats with local election officials leading up to elections.
The one state that did not respond to this question still noted that users receive quarterly cybersecurity training and share information on cybersecurity threats with local election officials leading up to elections.
Tabletop Exercises (TTX): Tabletop exercises are a specific type of user training that simulates different scenarios and challenges staff to think about how they would respond.
Twenty-three of 24 respondent states reported that they conduct or attend tabletop exercises. Five of the 23 states require all users to attend tabletop exercises. Eighteen states only require some users to attend these exercises, but several of these states note that they give all users the option to attend.
Training Resources: States use a variety of resources to train their users, including those produced by the federal government, third-party vendors, and internally. However, as the availability of federal resources becomes increasingly uncertain, states may need to adapt their approach and rely more on other resources. See “Federal Resources for Voter Registration Database Security” for more information.
Nineteen of 24 respondent states indicated using some federal training resources, including CISA Cyber Exercise Consulting, the Federal Virtual Training Environment (FedVTE) and National Initiative for Cybersecurity Careers and Studies (NICCS) education and training. The most common training resource among respondent states was CISA Cyber Exercise Consulting, which 19 states reported using. Seven of the 19 states also use FedVTE, and four use NICCS education and training.
Sixteen of 24 states reported using other resources for cybersecurity training, including KnowBe4, Sans Institute, InfoSec, Security Mentor, and State Homeland Security. Several states noted using custom training resources, often developed in partnership with other state agencies and third-party security experts. Fourteen of 24 states reported using multiple resources to train users. Eleven of the 14 states use a combination of resources from the federal government and other organizations, giving them a more resilient training program in an environment where federal resource availability may change.
Controlling User Access
Managing user access means both controlling user permissions and securing how users access the VRDB.
Principle of Least Privilege: Twenty-two of 23 respondent states reported applying the principle of least privilege (POLP) to manage and restrict VRDB access. POLP is an information security practice in which user access is limited to only the data, resources, and applications necessary to perform their specific job functions.[27]
Passwords: Cybersecurity experts consistently recommend robust password practices to defend against unauthorized access, but specific guidelines around what constitutes a strong password may change over time. Currently, guidelines from the National Institute of Standards and Technology’s (NIST) recommend setting a minimum eight-character password requirement and advise against requiring complex passwords (with various character types).[28]
Twenty of 23 respondent states require users to change their passwords on a routine basis. Of the states that provided additional details, 13 require password changes at least every three months and two require changes every four to six months.
While regular password updates may contribute to stronger security by reducing the window for attacks, current best practices emphasize password strength and uniqueness over frequent changes.[29]
Complicated password requirements can burden users and risk increasing human error. Password managers can help users generate and store strong, unique passwords and avoid some of the drawbacks of complex password requirements.[30] While NIST has not explicitly recommended the use of password managers, it notes that some of the functionality of password managers, including the “paste” function, can increase the likelihood that users will choose stronger passwords.[31]
Among 24 respondent states, one state requires the use of password managers, 16 permit their use, and seven reported that they neither permit nor require them.
Multi-Factor Authentication: Twenty-one of 24 respondent states require multi-factor authentication (MFA) for system access. MFA adds a layer of security by requiring users to verify their identity using a secondary physical, digital, or biometric authentication factor.[32]
Thirteen of the 21 states require more than one form of additional authentication. Among the three states that do not have MFA, two are currently in the process of implementing it.
The most common form of additional authentication is a physical device, like a security token, smartcard, grid card, or security key. Another common form of authentication is a secondary Time-Based One-Time Password (TOTP), which is often provided by mobile phone apps. SMS authentication is among the least used forms of authentication, in line with NIST guidelines that suggest restricting its use.[33]
Remote Third-Party Access: Nineteen of 23 respondent states allow third-party access to their voter registration database system. States often allow limited VRDB access for third-party contractors and consultants to service and maintain the system.
All 19 states that allow third-party access restrict that access based on the principle of least privilege. These states further protect their system through a combination of other requirements and practices.
Email Protection
VRDB users can be trained to identify email threats like phishing, which attempts to trick people into sharing personal information.[34] However, protections built into the email infrastructure can prevent many threats, including phishing emails, from reaching users in the first place. [35]
All 23 states that responded to this question have spam filters. Sixteen states have Domain-based Message Authentication Reporting and Conformance (DMARC) or Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).[36] Thirteen states use URL-rewriting software.[37]
Eleven states have all listed protections in place. Five states have other third-party protections, such as Zscaler and Mimecast. Two states commented that they were unsure whether they had certain protections.
System Audits
All 22 respondent states reported regularly conducting system audits to identify security vulnerabilities. Among the states that provided greater detail about the frequency of their system audits, most conduct them between once a day and once a month. A few states only conduct these audits every few months or every year. States that conduct system audits less frequently or not at all risk creating a window for new vulnerabilities.
Security Considerations for Different
Voter Registration Database (VRDB) Systems[38]
Top-Down vs Bottom-up System Security Considerations: Top-down VRBD systems are characterized by a single, central platform maintained at the state level where officials read and record voter registration data. This contrasts with bottom-up systems, which gather and aggregate data from voter registration lists maintained by local jurisdictions. Top-down systems allow for a greater degree of security standardization across jurisdictions than bottom-up systems. However, as both Connecticut and Washington noted in their interviews, too much standardization across local jurisdictions can lead to pain points for jurisdictions that have fewer resources or skills.
Hybrid System Security Considerations: Hybrid systems include elements of both top-down and bottom-up systems. The nature of hybrid systems introduces additional security considerations. For example, 13 of Arizona’s 15 counties use the state managed VRDB while Maricopa County and Pima County manage their own separate VRDBs. As a result, officials must make sure the three platforms sync in near real time and the data processes accurately across the three databases. This structure also introduces more access points to the system, all of which must be protected and monitored to ensure systemwide security. The state and its two largest counties are constantly collaborating to maintain data integrity across all pathways and protect all access points.
Detect
States must be prepared to detect and analyze threats quickly by continuously monitoring and auditing their VRDB activity. This includes examining login attempts, inputs, and overall VRDB traffic as well as using network monitoring tools to look for signs of problematic trends or incidents.
Expand
Login Attempts
Recording and auditing VRDB login attempts helps states detect unauthorized or unusual login attempts that may be signs of malicious activity.
Among the 23 states that responded to the question, 20 states record failed login attempts, and 19 states also record successful login attempts.
Seventeen states audit failed login attempts, and 12 states also audit successful attempts. Two of the 23 respondent states do not record or audit login attempts at all.
Two of 23 respondent states were unsure of some practices implemented by their third-party service provider around recording or auditing login attempts.
Traffic
Eighteen of 23 respondent states regularly conduct traffic audits. States monitor VRDB traffic over time to know when VRDB activity deviates from past trends.
An increase in traffic is usually benign, like when a voter registration drive registers many people at once. However, in rare cases an increase in traffic may indicate an attack. Additionally, changes to high-profile records, like those of celebrities, can be a sign of VRDB tampering.
Every respondent state that provided greater detail about the frequency of their traffic audits reported conducting traffic audits at least once a year. Most of these states reported conducting them once a week to once a day.
Seventeen of 23 respondent states monitor the volume of traffic compared to the baseline. Two of the 17 states also reported monitoring high-profile records (e.g., voter registration records of celebrities or other public figures) for unexpected changes. Four of the 23 respondent states indicated that they were unsure of the monitoring approach used by their third-party service provider.
Network Monitoring Systems
Network monitoring systems continuously monitor external network traffic to prevent VRDB intrusions and/or alert IT staff about suspicious activity. Twenty-one of 23 respondent states reported that they use a network monitoring solution.
Sixteen of the 21 states use Albert sensors. Six of the 16 states also use another network monitoring solution. Albert network monitoring is a solution offered exclusively to U.S. state, local, tribal, and territorial governments.[39] Albert network monitoring pairs an intrusion detection system with real-time expert threat analysis by the Multi-State Information Sharing and Analysis Center (MS-ISAC).[40] The MS-ISAC is hosted by the Center for Internet Security and receives funding from the federal government, though recent cuts to this funding may impact services.
Eleven of the 21 states noted using another monitoring solution, alone or in addition to Albert sensors. These solutions include: Defender for Cloud, CrowdStrike 24×7, NetScaler WAF, FortiGate IDS, Palo Alto IDS, QRadar SIEM, Red Shield (SOC), Security Onion, Core light sensors, AWS, SolarWinds, AlienVault, and other custom solutions.
Malicious Inputs
Malicious actors may also threaten VRDBs through injection attacks, which attempt to exploit accessible forms to inject database commands or other code that would alter the system.[41] By monitoring all input form injection attempts, states can differentiate between valid and malicious input.
Eleven of the 20 states that responded to this question monitor the results of all successful input format injection attempts.
Four states do not monitor input forms or application programming interface (API) endpoints that interact with their VRDB. Two of the four states indicated that they audit all input forms and API endpoints to ensure that only permitted inputs are accepted. But the other two states are potentially more vulnerable to injection attacks. Five states were unsure of the approach taken by their third-party vendor and may also be vulnerable without knowing.
One state that opted out of this question explained that it does not apply to their system, which is not internet-based and requires a physical connection for access. This means that there are no publicly accessible forms that could be exploited in an injection attack.
Application Management and Monitoring
Proactively protecting VRDBs with application management and monitoring helps prevent cybersecurity issues down the line. Application monitoring measures key VRDB performance metrics (e.g., load speed and response time) and computational resources (e.g., system capacity and performance bottlenecks). In an interview, Washington officials highlighted their use of application management and monitoring to enhance VRDB security by proactively rooting out system vulnerabilities. Officials have also been able to prepare for worst-case Election Day scenarios by creating various load tests and monitoring their impacts.
Respond
States must be prepared to respond to cyberattacks quickly and effectively to mitigate any impact on their systems. Certain resources can help ensure that a VRDB remains available to authorized users in the wake of a cyberattack. These resources include content delivery or distribution networks (CDNs) and distributed denial-of-service (DDoS) mitigation tools.
Expand
CDNs and DDoS-Mitigation Tools
At least 16 of the 22 states that responded to the question reported using a CDN or other DDoS-mitigation tool. Six of the 16 states indicated using both a CDN and a separate DDoS mitigation tool. Several of the states that reported not using these tools specified that their VRDBs are not publicly accessible.
Distributed denial-of-service (DDoS) attacks leverage multiple sources of traffic to overwhelm a targeted system and cause service outages.[42] Malicious actors use such attacks to disrupt legitimate users’ access to a website or other networked computer system. Tools such as content delivery networks (CDNs) and DDoS mitigation services—like Cloudflare’s Athenian Project or Google’s Project Shield—can help defend against these and similar threats by keeping systems online and accessible to legitimate users.
CDNs maintain redundant copies of website content across several geographically distributed servers.[43] CDNs can reroute network traffic through these alternate servers to help prevent excessive network traffic from slowing down or disrupting the original server. In the event of a DDoS attack targeting a VRDB, CDNs can absorb the surge in traffic, reducing the risk of network failure and helping ensure authorized users retain access to the database.[44]
Dedicated DDoS-mitigation tools offer a more specialized defense. These tools typically begin by analyzing traffic patterns to establish a baseline. When unusual traffic that deviates from this baseline is detected, it can be harmlessly redirected before it reaches its destination.[45] This keeps a protected system from being overwhelmed, preserving user access and maintaining operational capabilities.
Of the seven states that reported using CDNs, three indicated that they geofence their CDN to control access to data based on geographic location and prevent data from being transmitted outside of the U.S. If a state does not geofence their CDN at the country level, they may instead restrict end user IP, as one state reported doing.
Using “Go Kits” to Respond to Cyberattacks
States must have plans and resources in place to respond to cyberattacks quickly and ensure service and system continuity. In an interview, Washington officials spoke to the importance of network segmentation in responding to a cyberattack, particularly the need to isolate election infrastructure from other local systems.
A 2023 cyber incident in the state prompted the Office of the Secretary of State to develop “Go Kits” which can serve as a temporary solution in the event of a cyber incident. Go Kits essentially establish a network separate from the compromised network, enabling counties to continue performing critical election functions. The kits include a firewall, clean laptops, cables, and a dedicated internet connection. With regular updates and patching, Go Kits have an expected shelf life of approximately ten years. The state currently maintains several Go Kits that can be deployed as needed throughout the state. Additionally, the kits are affordable enough that some counties have procured their own.
Recover
If all else fails and a cyberattack successfully alters or impedes a VRDB, there must be a plan to both recover the system and ensure that election administration continues. Regular VRDB backups and paper pollbook contingency plans are critical for restoring systems to a reliable state and avoiding operational delays.
Expand
Creating VRDB Backups
All 23 respondent states reported regularly backing up their VRDBs.
At least 17 of the 23 states indicated using automated methods such as Paragon Backup Recovery Preview or Apple Time Machine Backup to create some or all of their VRDB backups.
Regularly backing up the VRDB is the best safeguard against the permanent loss of voter data. Secure backups enable administrators to quickly restore systems and preserve unaltered data in the event of a cybersecurity attack. Automating the backup process helps ensure that backups are complete, consistent, and occur on a regular schedule to minimize the risk of data loss due to human error.[46]
Encrypting backups adds another layer of security and protects VRDB information from any unauthorized individuals that try to access it.[47] At least 17 of 21 respondent states reported encrypting their VRDB backups.
Sixteen of 21 respondent states reported testing the backups. These tests help verify that the backup and recovery processes work as intended and operations can continue smoothly in the event of an attack.[48]
The frequency of these tests varies between respondent states, ranging from once per day to once per year, with most states indicating that they conduct these tests every month.
Storing VRDB Backups
Sixteen of 21 respondent states reported backing up their VRDB in line with the 3-2-1 backup rule. Four of the five states that reported not following the 3-2-1 backup rule still store a backup offline.
The 3-2-1 rule states that administrators should maintain three copies of backup data, stored on at least two different types of media, with at least one copy kept off-site.[49] This redundancy helps insulate backups from the effects of an attack, so that even if malicious actors manage to compromise the main system or alter data stored in one medium, election officials can quickly restore the VRDB to a known reliable state using one of the unaffected copies.
States also have different policies for how long VRDB backups must be preserved before being deleted. Among the states that provided more information on back preservation requirements, preservation requirements ranged from one week to five years, with most states reporting that they preserve backups for at least one year.
Pollbooks
Seventeen of 22 respondent states indicated that some or all jurisdictions in their state use electronic pollbooks (e-pollbooks) to process voter information at the polls. These states use a variety of methods to securely connect to their VRDB to load or transmit voter registration data, with the most common method being indirect transfers through physical removable media (e.g., USB stick).
If there are technical issues with an e-pollbook such as faulty Wi-Fi, officials can use paper pollbooks to check in voters and prevent voter delays and confusion.[49] Of the 17 states that reported using e-pollbooks to some extent, fewer than half (8) indicated that they require local election officials to keep a paper pollbook as a backup option. Six other states indicated that they advise or permit local officials to keep a paper pollbook.
In addition to paper pollbooks, having provisional ballots on hand helps ensure voters will still be able to cast a ballot if the e-pollbook fails during early voting or on Election Day.[50] At least 10 of the 17 states that use e-pollbooks to some extent require local election officials to provide provisional ballots in the event of e-pollbook failure.
Eight of the 17 states require officials to have both paper pollbooks and provisional ballots as backup. While states may have other plans in place to ensure backups in case an e-pollbook fails, requiring jurisdictions to keep a paper pollbook and provisional ballots is a best practice.
Insights in Context
This report can be an important guide for states concerned about their VRDB security. Reduced federal resources, new threats, and aging systems are just a few of the evolving considerations for VRDB security that require states to adapt. Election officials and staff have worked hard to secure their systems in the past and will need to continue doing so in the future.
Between 2018 and 2024, CEIR observed significant growth in the security practices of states that have responded to the survey. This report has revealed several best practices that most respondent states have adopted to secure their systems. It has also shown that there are some notable areas for improvement. Election officials and policymakers reading this report should take both into account when assessing and updating their own VRDB security.
Areas for Future Research
While CEIR’s research is the most comprehensive attempt to analyze states’ VRDB security, the limitations of this study leave important questions for future research.
- First, the responses to CEIR’s research suggest that there may be gaps in knowledge among elections staff about security processes, particularly when third parties manage some functions. This suggests a question for future study: who knows what about VRDB security and are there important gaps?
- Second, the field could benefit from more research into how states acquire and use the resources necessary to secure their systems. The question of shifting resources was a point of concern throughout this report.
- Third, it is important to diversify efforts to study VRDB security beyond this survey. This report can only speak to information from states that respond to the survey. More studies from different researchers, organizations, and states themselves can increase the coverage of knowledge about VRDB security. Additionally, deeper dives into technical topics or individual states could uncover nuances and important practical knowledge that this survey cannot.
Further research into VRDB security practices will require communication between states, vendors, researchers, and technical experts. This research is necessary to fully understand the landscape of the field and support states in meeting new challenges.
This report was highlighted in the Sep 18, 2025 edition of electionline Weekly
Contributors
- Kira Flemke: Project lead; project administration (lead); data management (lead); quality control (lead); conceptualization; visualization, writing; review and editing (supporting).
- Kyle Upchurch: Supervision (lead); Conceptualization (lead); writing; review and editing (lead).
- April Tan: Interviews (lead); visualization (lead); conceptualization; quality control; writing; review and editing (supporting).
- Shaniqua Williams: Visualization (supporting); quality control; writing; review and editing (supporting).
- Stefan Martinez-Ruiz: Data management (supporting).
Appendix
Note on Survey Methodology
The questions in CEIR’s 2024 VRDB security survey draw on insights from cybersecurity experts and established best practices. The 2024 survey includes topics from previous years and introduced several new questions on training resources, background checks for VRDB users, and backup automation and encryption. Future VRDB surveys will continue to evolve to keep pace with developments in the cybersecurity field.
CEIR reviewed all 24 state responses to the 2024 survey for completeness and consistency. Certain states were recontacted to clarify their responses as part of this review. If a state could not be reached, their responses are represented as originally submitted. In some cases, responses were re-coded to fit a more limited set of categories in the analysis.
We acknowledge that, without responses from all 50 states, there are limitations to what this survey can say about VRDB security across the country. States that responded to our surveys may be subject to self-selection bias, and responses from any single subset of states do not necessarily generalize to trends across all states. However, with nearly half of states responding, this report can point to important strengths and weaknesses among those states and identify trends over time that may speak to developments in the field. CEIR is confident that this report constitutes a robust assessment of state practices that can contribute to the understanding of VRDB security across the United States.
Survey Questions
Endnotes
1. The Help America Vote Act (HAVA) of 2002 requires that all states with voter registration implement “a single, uniform, official, centralized, interactive computerized statewide voter registration list defined, maintained, and administered at the State level…” (52 U.S.C. § 21083(a))
2. CEIR reports on the specific progress made in Illinois in the 2018 VRDB Security Report. Security practices in Illinois are identified and discussed in that report with permission from state officials. For more, see David Becker, Jacob Kipp, Jack R. Williams, and Jenny Lovell, “Voter Registration Database Security,” The Center for Election Innovation & Research, September 2018
3. David Becker, Jacob Kipp, Jack R. Williams, and Jenny Lovell, “Voter Registration Database Security,” The Center for Election Innovation & Research, September 2018; “Voter Registration Database Security,”; The Center for Election Innovation & Research, August 2020; Kristin Sullivan, Kyle Yoder, Stefan Martinez-Ruiz, Kyle Upchurch, April Tan, and Kira Flemke, “Voter Registration Database Security in 2022,”; The Center for Election Innovation & Research, January 2023
4. Drawn from an interview with Connecticut officials. To learn more about the process of replacing and modernizing VRDBs, see CEIR’s case study report “Lessons Learned from State Upgrades to Voter Registration Databases”
5. Colin Wood, “Federal cuts to election security concern secretaries of state,” StateScoop, February 20, 2025
6. This report adapts the NIST 2.0 Cybersecurity Framework to organize findings into four security dimensions: Protect, Detect, Respond, and Recover. NIST Framework 2.0 is built on the following concepts: Govern, Identify, Protect, Detect, Respond, and Recover. We have adapted that framework to apply to the questions we asked in the survey; the topics in this report may not map exactly onto the concepts in the framework. Please read more in Appendix A. “The NIST Cybersecurity Framework (CSF) 2.0,” National Institute of Standards and Technology, February 26, 2024
7. “Statement by Secretary Jeh Johnson on the Designation of Election Infrastructure as a Critical Infrastructure Subsector,” U.S. Department of Homeland Security, January 6, 2017
8. Colin Wood, “Federal cuts to information-sharing groups may damage nation’s security posture, warn officials,” StateScoop, March 13, 2025; Brennan Center for Justice, “Local Election Officials Survey — July 2025,” July 10, 2025
9.“ Election Security CISA Tabletop Exercise Packages (CTEPs),” Cybersecurity and Infrastructure Security Agency, accessed April 23, 2025
10. “ Tabletop the Vote,” Cybersecurity and Infrastructure Security Agency, accessed April 23, 2025
11. “Albert Network Monitoring and Management,” Center for Internet Security, accessed April 23, 2025
12. About the Albert Sensor,” Center for Internet Security, February 23, 2022
13. We thank the election officials in these states for sharing this information in our interviews with them. All information on VRDB security is included with their permission.
14. Colin Wood, “Federal cuts to information-sharing groups may damage nation’s security posture”
15. Seamus Dowdall, Paige Mellerio, Rita Reynolds, and Emma Conover, “Multi-State Information Sharing and Analysis Center (MS-ISAC) loses federal funding,” National Association of Counties, March 25, 2025; “MS-ISAC Single Organization Membership,” Center for Internet Security, accessed July 18, 2025; “Elections Infrastructure ISAC Handout,” Center for Internet Security, accessed July 18, 2025
16. “EI-ISAC,” Center for Internet Security, accessed June 25, 2025
17. Jessica Huseman and Jen Fifield, “Election officials face limited options as federal security resources fall away.”
18. Matt Cohen, “‘We Are Effectively Flying Blind:’ Election Officials Say Cuts to CISA Are Affecting Operations,” Democracy Docket, March 5, 2025
19. Joseph Siemandel, “Year In Review: 2024 was a busy year for Washington Military Department,” Defense Visual Information Distribution Service, January 7, 2025; Joseph Siemandel, “Washington Guard continues cybersecurity election support,” National Guard, August 20, 2020
20. Washington Office of the Secretary of State, “New state budget paves the way for more secure elections and robust voter education,” March 15, 2022
21. The insights below are taken from questions that were consistently repeated across all survey years. In some cases, there were superficial changes to question wording across years, but the meaning and intention of the questions were not affected by such changes.
22. Because some states opted out of responding to certain questions, the respondent denominator may change across questions.
23. “Citizen Voting Age Population by Race and Ethnicity,” U.S. Census Bureau, January 30, 2025
24. National Institute of Standards and Technology, “The NIST Cybersecurity Framework (CSF) 2.0.”
25. We thank the election officials in Arizona, Connecticut, and Washington for sharing this information in our interviews with them. All information on VRDB security is included with their permission.
26. “Avoiding Social Engineering and Phishing Attacks,” Cybersecurity and Infrastructure Security Agency, February 1, 2021
27. “Least Privilege,” National Institute of Standards and Technology: Computer Security Resource Center, accessed July 18, 2025
28. Paul A. Grassi et al., “Digital Identity Guidelines: Authentication and Lifecycle Management,” Special Publication 800-63B. Gaithersburg, MD: National Institute of Standards and Technology, U.S. Department of Commerce, June 2, 2017, updated March 2, 2020, Sec. 5
29. Paul A. Grassi et al., “Digital Identity Guidelines,” 5.1.1.2.
30. “Use Strong Passwords,” Cybersecurity and Infrastructure Security Agency, accessed July 18, 2025
31. Paul A. Grassi et al., “Digital Identity Guidelines: Authentication and Lifecycle Management,”; “NIST Special Publication 800-63 : Digital Identity Guidelines Frequently Asked Questions,” March 3, 2022
32. “MFA,” National Institute of Standards and Technology: Computer Security Resource Center, accessed July 18, 2025
33. Paul A. Grassi et al., “Digital Identity Guidelines,” 5.1.3.1 and 5.1.3.3 ; NIST Special Publication 800-63 : Digital Identity Guidelines Frequently Asked Questions, ” March 3, 2022
34. CISA, “Avoiding Social Engineering and Phishing Attacks.”
35. CISA, “Avoiding Social Engineering and Phishing Attacks.”
36. SPF and DKIM are email authentication protocols that help prevent bad actors from impersonating a sender by establishing which IP addresses can send emails (SPF) and by creating a digital signature that mailbox providers can use to verify the sender’s identity (DKIM). DMARC is a newer form of email protection that ensures SPF and DKIM are working properly and protects against certain threats that take advantage of weaknesses in SPF and DKIM. “About SPF, DKIM, and DMARC for Email Authentication,” Knowledge Base Indiana University, accessed April 23, 2025, https://kb.iu.edu/d/azlu; “Overview,” DMARC, April 23, 2025, https://dmarc.org/overview/
37. URL-rewriting software rewrites links in emails to thwart phishing attempts. If a user opens a link that has been identified as malicious or is included on a list of blocked URLs, access is restricted. “Email URL Rewriting,” The University of Chicago Information Technology Services, updated July 2, 2024
38.“Election Administration and Voting Survey 2024 Comprehensive Report,” U.S. Election Assistance Commission, June 2025, pg. 30
39. Center for Internet Security, “Albert Network Monitoring and Management.”
40. Center for Internet Security, “About the Albert Sensor.”
41. Bart Lenaerts-Bergmans, “Injection Attacks,” CrowdStrike, May 3, 2024
42. “Understanding Denial-of-Service Attacks,” Cybersecurity and Infrastructure Security Agency, February 1, 2021
43. “What is a CDN? How do CDNs work?” Cloudflare, accessed April 25, 2025, https://www.cloudflare.com/learning/cdn/what-is-a-cdn/
44. CISA, “Understanding and Responding to Distributed Denial-of-Service Attacks.”
45. “Understanding Denial-of-Service Attacks,” Cybersecurity and Infrastructure Security Agency, February 1, 2021
46. Center for Internet Security, “Backups.” Essential Guide to Election Security, updated October 3, 2022
47. Center for Internet Security, “Backups.”
48. Center for Internet Security, “Backups.”
49. “The State and Local Election Cybersecurity Playbook,” Belfer Center for Science and International Affairs, February 2018; Edgardo Cortes, Gowri Ramachandran, Elizabeth Howard, and Lawrence Norden. “Preparing for Cyberattacks and Technical Failures: A Guide for Election Officials,” Brennan Center for Justice, December 19, 2019
50. Edgardo Cortes, et al., “Preparing for Cyberattacks and Technical Failures.”