Election work has a way of stretching across boundaries that don’t show up on an org chart.
County election offices run parts of it. County IT runs other parts of it. The state may own key systems. Vendors host and manage platforms that everyone depends on. And when something breaks, it rarely breaks in just one place.
That’s why elections tech can create “scope surprises” under CIRCIA. Not because anyone did something wrong, but because the ecosystem is shared, distributed, and deeply interconnected.
For the wider CIRCIA picture, start here:
circia-2026-covered-entities-what-to-do-now
Why elections ecosystems create scope surprises
Election infrastructure rarely lives inside a single organization. It operates across a web that can include:
- county election offices
- state election authorities
- voter registration systems
- election management platforms
- managed service providers
- identity and network infrastructure operated by county IT
Because those dependencies are shared, a cybersecurity event can touch systems that sit outside the immediate control of election staff, and sometimes outside the immediate visibility of local IT, too.
In 2017, the U.S. Department of Homeland Security designated election infrastructure as part of the nation’s critical infrastructure.
https://www.dhs.gov/archive/news/2017/01/06/statement-secretary-johnson-designation-election-infrastructure-critical
That designation is broader than voting machines. It also includes supporting technology assets like voter databases, election management systems, and the IT infrastructure that enables election operations.
The U.S. Election Assistance Commission’s overview is a good plain-language reference for leaders who need context without a deep technical dive:
https://www.eac.gov/election-officials/elections-critical-infrastructure
CISA’s election security program also reinforces how wide this footprint is, and how many partners it involves:
https://www.cisa.gov/topics/election-security
The practical takeaway is simple: even if your “elections team” is small, the environment is not, and that can affect coverage and reporting readiness in ways people don’t expect.
Coverage triage: what public-sector leaders should document
Before you debate coverage, document the ecosystem. You’ll need it either way.
CISA recommends evaluating potential CIRCIA coverage using a three-step covered entity framework that considers sector alignment, organizational size, and operational role.
https://www.cisa.gov/sites/default/files/2024-05/24-0630-Covered-Entity-Infographic-04242024-508c.pdf
CISA’s plain-language covered entity fact sheet helps frame the question without getting lost in legalese:
https://www.cisa.gov/resources-tools/resources/covered-entity-fact-sheet
And if you need the authoritative explanation of how CISA evaluates coverage and reporting requirements, use the Federal Register notice for the proposed rule:
https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements
What to include in a short “coverage memo”
Think of this memo as the thing you’ll want on hand when leadership, counsel, insurers, or auditors ask, “Are we covered, and why?”
For election-related environments, document:
- election management systems operated by the jurisdiction
- voter registration infrastructure and ownership (county vs state vs vendor)
- supporting IT services managed by county or state IT teams
- managed service providers supporting election systems
- identity and network services used during election operations
- jurisdictional responsibilities, including shared services
Then capture it in a tight format:
- What we operate (systems, services, and dependencies)
- What we outsource (vendors, hosted platforms, MSP scope)
- What we can access quickly (logs, audit trails, escalation contacts)
For a structured evaluation process:
circia-covered-entity-quick-test
Incident types that matter most for elections infrastructure
Election-related incidents often raise concerns about availability and integrity, even when no clear data breach exists. The public impact can be immediate, and the pressure on the investigation can spike quickly.
Under CIRCIA, certain cyber incidents affecting critical infrastructure may require reporting within 72 hours of an organization’s reasonable belief that a covered cyber incident occurred.
https://www.law.cornell.edu/uscode/text/6/681b
Here are the incident categories that tend to matter most in elections-adjacent environments.
Availability disruptions
Examples include:
- denial-of-service attacks affecting voter information portals
- disruptions to election management platforms
- outages affecting identity or authentication systems used by election staff
Even if you don’t see data theft, an availability hit can still be operationally significant, especially close to key dates.
Integrity concerns
Elections depend on public trust. Integrity questions can become the story, even before you confirm compromise.
Examples include:
- unauthorized configuration changes
- suspicious access attempts against admin functions
- unexplained data modifications
CISA’s covered cyber incident fact sheet is helpful for sorting “this is concerning” from “this likely meets reporting thresholds.”
https://www.cisa.gov/resources-tools/resources/covered-cyber-incident-fact-sheet
CISA also encourages election infrastructure stakeholders to voluntarily share cyber incident information when events may affect election systems, which can be especially useful when facts are emerging and coordination matters.
https://www.cisa.gov/sites/default/files/2024-07/2024-Voluntary-Incident-Reporting-Guidance-for-EI-Stakeholder_6.26.24_508c.pdf
Vendor or supply chain incidents
Election operations rely heavily on vendors, and vendor confirmation often arrives late.
Examples include incidents affecting vendor-operated or vendor-hosted:
- voter registration databases
- ballot management systems
- hosted election reporting platforms
- network and identity infrastructure
This is where “reasonable belief” can become complicated, because your team may be waiting on third-party findings to confirm scope. If you want to coordinate multiple clocks cleanly during incidents, build one unified timeline early:
circia-72-hour-unified-timeline
Evidence checklist for elections-adjacent IT
When election systems or supporting infrastructure are involved, evidence needs to be collected quickly and carefully. Not because you’re trying to write a perfect report in a day, but because early facts disappear.
NIST’s incident response guide is a strong backbone for what to preserve and how to document it.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r3.pdf
A practical minimum evidence checklist usually includes:
Identity and access logs
Authentication logs often show the earliest “something’s wrong” signal, especially for admin accounts and shared access.
System configuration and change logs
Election systems live and die on controlled changes. If you can’t show what changed, when, and by whom, the integrity conversation gets harder.
Endpoint and network telemetry
Even a lightweight set of endpoint alerts and network indicators can help confirm malware activity, lateral movement, or suspicious outbound connections.
Vendor investigation artifacts
If third-party systems are involved, request artifacts early, and request them in writing. You’ll often need:
- incident timelines
- forensic findings summaries
- relevant logs
- indicators of compromise
For log retention and integrity basics (and the “why” behind centralization), NIST log management guidance is still one of the clearest references:
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-92.pdf
CISA’s event logging and threat detection guidance is a practical companion when you’re trying to build a minimum viable telemetry set across identity, endpoints, and network:
https://www.cisa.gov/resources-tools/resources/best-practices-event-logging-and-threat-detection
One small operational detail that helps a lot: assign a timeline owner during an incident. Not the lead investigator. Someone whose job is to time-stamp facts, save artifacts, and keep the narrative grounded in evidence while everyone else is responding.
Communication and narrative control under time pressure
Incidents involving election systems can quickly become public-facing. Sometimes the technical reality is manageable, but the communication reality is not.
That’s why the most useful discipline is also the simplest:
Maintain one authoritative incident narrative, updated as facts change.
Include:
- confirmed facts about the incident
- systems affected (working list, time-stamped)
- containment steps taken
- current investigation status and next update time
This narrative becomes your source of truth for:
- leadership briefings
- regulator and partner communications
- public statements (when required)
NIST emphasizes consistent communications and defined approval lanes during incidents, which is exactly what prevents conflicting statements when time is short.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r3.pdf
For federal coordination touchpoints, the EAC’s “Election Incident Response Federal Contacts” reference is worth keeping bookmarked:
https://www.eac.gov/sites/default/files/2024-10/Election_Incident_Response_Federal_Contacts_v2_508.pdf
And if you want to pressure-test communications decisions, CISA tabletop exercise packages are straightforward to adapt to election scenarios:
https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages
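The unified timeline, the timeline owner's job (time-stamp facts, save artifacts), the vendor artifact requests, and the single authoritative narrative described above all come down to one discipline: an append-only, time-stamped record that separates confirmed from unconfirmed facts and can prove that saved artifacts have not changed. The script below is an added example, not code from the original post or from CISA, NIST or the EAC. It assumes timezone-aware UTC timestamps, artifacts stored as local files that are hashed with SHA-256 at intake, and that the 72-hour window starts at the "reasonable belief" time the incident lead declares; the scenario in `demo()` and every name, timestamp and log line in it are constructed for illustration.

```python
# Added example (not from the post, CISA, NIST or the EAC). Assumes UTC datetimes,
# artifacts as local files hashed with SHA-256 at intake, and that the 72-hour
# window starts at the declared "reasonable belief" time.
from __future__ import annotations

import hashlib
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path

REPORTING_WINDOW = timedelta(hours=72)  # the window the post cites under CIRCIA
CONFIRMED, UNCONFIRMED = "confirmed", "unconfirmed"


def sha256_file(path: Path) -> str:
    """Hash an artifact at intake so later modification is detectable."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


@dataclass(frozen=True)
class Entry:
    observed_at: str   # when the fact occurred or was observed (UTC ISO 8601)
    recorded_at: str   # when the timeline owner logged it (UTC ISO 8601)
    source: str        # who supplied it: county IT, vendor, SOC, ...
    status: str        # CONFIRMED or UNCONFIRMED
    kind: str          # "fact", "system_affected" or "containment"
    text: str
    artifact_path: str | None = None
    artifact_sha256: str | None = None


def iso(ts: datetime) -> str:
    """Reject naive timestamps: mixed local times are how unified timelines fall apart."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware; record in UTC")
    return ts.astimezone(timezone.utc).isoformat(timespec="seconds")


class IncidentTimeline:
    def __init__(self, incident_id: str, clock=None):
        self.incident_id = incident_id
        self._clock = clock or (lambda: datetime.now(timezone.utc))  # injectable for tests
        self.entries: list[Entry] = []  # append-only: entries are added, never edited
        self.reasonable_belief_at: datetime | None = None

    def record(self, observed_at: datetime, source: str, text: str, kind: str = "fact",
               status: str = UNCONFIRMED, artifact: Path | None = None) -> Entry:
        entry = Entry(iso(observed_at), iso(self._clock()), source, status, kind, text,
                      str(artifact) if artifact else None,
                      sha256_file(artifact) if artifact else None)
        self.entries.append(entry)
        return entry

    def declare_reasonable_belief(self, at: datetime) -> datetime:
        # Starts the 72-hour clock; the declaration itself is logged as a confirmed fact.
        self.reasonable_belief_at = at.astimezone(timezone.utc)
        self.record(at, "incident lead", "reasonable belief of a covered cyber incident declared",
                    status=CONFIRMED)
        return self.report_deadline()

    def report_deadline(self) -> datetime | None:
        return None if self.reasonable_belief_at is None else self.reasonable_belief_at + REPORTING_WINDOW

    def verify_artifacts(self) -> list[str]:
        """Re-hash every artifact; return paths whose content changed since intake."""
        return [e.artifact_path for e in self.entries
                if e.artifact_path and sha256_file(Path(e.artifact_path)) != e.artifact_sha256]

    def narrative(self, next_update_at: datetime) -> dict:
        """The one authoritative narrative: confirmed facts, affected systems, containment."""
        def texts(kind: str, status: str | None = None) -> list[str]:
            return [e.text for e in sorted(self.entries, key=lambda e: e.observed_at)
                    if e.kind == kind and (status is None or e.status == status)]
        deadline = self.report_deadline()
        return {"incident_id": self.incident_id, "as_of": iso(self._clock()),
                "confirmed_facts": texts("fact", CONFIRMED),
                "unconfirmed_reports": texts("fact", UNCONFIRMED),
                "systems_affected": texts("system_affected"),
                "containment_steps": texts("containment"),
                "report_deadline": iso(deadline) if deadline else None,
                "next_update_at": iso(next_update_at)}


def demo() -> tuple[IncidentTimeline, dict, list[str]]:
    """Constructed scenario, not a real incident: a county voter-information portal outage."""
    t0 = datetime(2026, 3, 2, 14, 5, tzinfo=timezone.utc)
    tl = IncidentTimeline("EXAMPLE-0001", clock=lambda: t0 + timedelta(hours=1))
    tl.record(t0, "county IT", "voter information portal unreachable from the internet", status=CONFIRMED)
    tl.record(t0, "county IT", "voter information portal", kind="system_affected")
    tl.record(t0 + timedelta(minutes=10), "hosting vendor",
              "vendor suspects a volumetric denial-of-service; not yet confirmed")
    tl.record(t0 + timedelta(minutes=25), "county IT", "upstream rate limiting enabled",
              kind="containment", status=CONFIRMED)
    tl.declare_reasonable_belief(t0 + timedelta(minutes=30))
    art = Path(tempfile.mkdtemp()) / "vendor_edge_log.txt"  # constructed vendor artifact
    art.write_text("2026-03-02T14:03:00Z edge: 503 rate limit exceeded\n")
    tl.record(t0 + timedelta(minutes=40), "hosting vendor", "edge log export received",
              status=CONFIRMED, artifact=art)
    art.write_text("modified after intake\n")  # simulate a later change to the file
    return tl, tl.narrative(next_update_at=t0 + timedelta(hours=3)), tl.verify_artifacts()
```

Two design choices matter here. Vendor statements enter as `UNCONFIRMED` and stay in a separate list until someone with evidence upgrades them, which keeps "the vendor thinks it might be a DoS" from leaking into a public statement as fact. And the deadline is derived from the logged reasonable-belief entry rather than typed in by hand, so the narrative, the reporting clock and the evidence record cannot disagree with each other.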
Conclusion: Election infrastructure requires early coordination
Election systems operate across multiple organizations, shared technology platforms, and high-visibility public responsibilities.
Because election infrastructure is considered critical infrastructure, cyber incidents affecting these systems can trigger added scrutiny and tighter expectations around coordination and reporting.
The readiness work that pays off most is not flashy. It’s practical:
- Document coverage considerations and the ecosystem you actually operate in
- Identify vendor dependencies and set expectations for evidence delivery
- Establish incident response workflows that produce a clean timeline quickly
- Coordinate communication and reporting approvals so the narrative stays consistent
When incidents happen, preparation is what keeps leadership calm, keeps partners aligned, and keeps public confidence from getting dragged into the technical noise.