Uniqcli

InsightsSector Guides

Election Infrastructure Network Security Checklist: What County IT Teams Should Close First

Certification deadlines compress a year's worth of hardening work into a few weeks. Here is the order county IT teams actually close it in.

By Uniqcli Team · · 7 min read

Certification Deadlines

The network controls that matter most before certification

Election systems have been designated critical infrastructure since 2017, which means county election offices inherit federal-infrastructure-grade expectations without federal-infrastructure-grade budgets. Most jurisdictions run election management systems, e-pollbook networks, and results-reporting links on the same general fund that pays for the assessor's office printer. When a certification or accreditation deadline lands, the temptation is to work top-down from a compliance framework. That produces long lists and short weeks. A better approach is to work bottom-up from the network: segmentation first, then who and what can reach a segment, then whether anyone would notice if something went wrong, then whether the equipment itself is current. This election infrastructure network security checklist lays out that order and the specific controls inside each layer, written for the IT director closing gaps before a hard date, not for a policy audience.

Why segmentation comes before anything else

Election management system (EMS) servers, ballot-marking device programming stations, and e-pollbook sync networks should sit on VLANs that do not route to the general county network by default. This is the single highest-leverage control available, because it bounds the blast radius of every other gap: a phished payroll clerk's laptop or an unpatched printer on the general network cannot reach election systems if there is no path between the segments in the first place.

Segmentation is not the same as air-gapping, and conflating the two causes real problems. A fully air-gapped EMS still needs a documented, auditable process for moving election definition files and results on removable media, and that process is itself an attack surface if it is informal. A logically isolated but network-connected EMS, firewalled with explicit allow-listed rules and no default route out, is often more defensible in practice because every permitted path is visible in a firewall rule set rather than in someone's memory of who carries the USB drive.

The practical test for a county network: pick any workstation outside the election VLANs and confirm, at the switch and firewall layer, that it has zero route to EMS servers, tabulation equipment, or e-pollbook sync infrastructure. If that test requires tracing static routes across three devices to answer, the segmentation is not real yet — it is aspirational.

Access control: fewer accounts, stronger proof, shorter windows

Once segmentation bounds the network, access control determines who can act on what is inside it. Every account with EMS or tabulation access should be named to an individual, never shared, and should require phishing-resistant multi-factor authentication — a hardware key or platform authenticator, not SMS. Shared vendor or admin accounts are the most common finding in post-election security reviews, because they survive staff turnover and nobody remembers to disable them.

Privileged access to election systems should also be time-bound. Standing admin rights that exist year-round are a bigger target than admin rights provisioned for the specific configuration, testing, or canvassing window and revoked afterward. A short list of who has access, why, and when it expires is more defensible in an audit than a long-standing group membership nobody has reviewed since the last election cycle.

Vendor remote access deserves its own line item. If an EMS or voting equipment vendor needs remote support access, that access should route through a jump host the county controls, be logged independently of the vendor's own logging, and require the county to actively enable the session rather than leave a standing tunnel open. This is a frequent gap: the connection gets set up once during initial deployment and is never revisited.

Logging and monitoring: assume you will need the record

Segmentation and access control reduce the chance of an incident. Logging determines whether anyone can reconstruct what happened if one occurs anyway — and reconstruction is often what a canvass or post-election audit actually needs, independent of whether anything malicious occurred. Firewall logs at the election VLAN boundary, authentication logs on EMS and e-pollbook servers, and configuration-change logs on network devices should all be retained centrally, not just locally on the device generating them, and retained long enough to cover a full election cycle plus any contest period.

Most counties do not staff a 24/7 security operations center, and they do not need to build one from scratch. The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) provides monitoring, threat intelligence, and incident support specifically scoped to election offices, and many state election authorities extend additional monitoring during active election windows. The IT team's job is making sure county logs are actually flowing to whatever monitoring relationship exists — a monitoring subscription with no log feed behind it is a false sense of coverage.

Alerting thresholds matter as much as log volume. A network generating thousands of unreviewed alerts a week trains staff to ignore the dashboard. Tuning alerts down to the handful that genuinely indicate lateral movement toward the election VLANs — unexpected cross-segment traffic, new admin account creation, after-hours authentication on tabulation systems — keeps the signal usable when it counts.

Equipment lifecycle and patch cadence

Election equipment runs on longer replacement cycles than general office IT, often ten years or more between full hardware refreshes, which means the network layer around it has to compensate for firmware and OS versions that will not always be current. Switches, firewalls, and access points touching election VLANs should be on a patch cadence independent of the broader county IT schedule, reviewed before every election rather than on a generic quarterly cycle.

Network equipment past vendor end-of-life support is the most overlooked risk in this category. A firewall or switch no longer receiving security patches is a fixed, growing liability sitting at the exact boundary meant to contain everything discussed above. Sourcing and staging replacement network hardware — with TAA country-of-origin and NDAA §889 supply-chain screening handled up front rather than discovered during procurement — is the kind of lead-time item that needs to start well before a certification deadline, not during the week of it.

Election infrastructure network security checklist, in priority order

Work top to bottom. Each item assumes the ones above it are already in place.

  • Confirm zero default route from general county network to any election VLAN
  • Move EMS, tabulation, and e-pollbook sync systems onto dedicated, firewalled VLANs
  • Eliminate shared or generic admin accounts on election systems
  • Require phishing-resistant MFA on every EMS and tabulation account
  • Route vendor remote access through a county-controlled, independently logged jump host
  • Centralize firewall, authentication, and config-change logs off the source devices
  • Confirm log feeds are actually reaching your EI-ISAC or state monitoring relationship
  • Inventory network equipment for vendor end-of-life status and patch cadence
  • Time-bound all privileged access to the configuration, testing, and canvassing windows
  • Document the removable-media process for any air-gapped transfer, with sign-off

Frequently asked

What network segmentation is required for election systems?

There is no single federal mandate specifying VLAN design, but standard practice is to isolate EMS servers, tabulation equipment, and e-pollbook sync networks on dedicated VLANs with no default route to the general county network, enforced by explicit firewall allow-lists rather than implicit trust between segments.

Is an air-gapped election network more secure than a segmented one?

Not automatically. Air-gapping removes network-based attack paths but shifts risk to the removable-media process used to move files. A well-firewalled, logically isolated network with tightly controlled, logged access can be more auditable than an air gap with an informal media-transfer process.

Do county election offices need their own SOC or can they use MS-ISAC?

Most counties rely on the Elections Infrastructure ISAC (EI-ISAC) rather than building an internal security operations center. The IT team's responsibility is ensuring local logs actually flow into that relationship — a subscription without a connected log feed provides little practical coverage.

How often should election management system network equipment be patched?

Network gear touching election VLANs should be reviewed on its own cadence tied to the election calendar — before configuration, before testing, and before the election itself — rather than folded into a generic quarterly county IT patch schedule that may not align with certification timing.

What is the biggest network security gap counties find during pre-election review?

Shared or standing admin accounts on election systems and vendor remote-access tunnels left open after initial deployment are the two most common findings, followed by network equipment past vendor end-of-life support sitting at the election VLAN boundary.

Sourcing the network hardware behind these controls

Firewalls, managed switches, and access points for election VLAN segmentation, staged and screened before they reach your network.

Ask AI about Uniqcli

Volume & contract pricing

About the author

Uniqcli Team

Uniqcli's newsroom, buying guides and glossary are produced by our in-house team — seven procurement and technology professionals who source, screen and integrate IT and security hardware every day, working with two editors. Practitioners draft from live sourcing and integration work; editors review every piece for accuracy and plain language before it publishes.

More about the Uniqcli Team

Ready to scope your program?

Talk to a Uniqcli engineer, or send a bill of materials for a TAA-verified quote — no payment up front.