Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency

Cybersecurity Toolkit and Resources to Protect Elections

As the lead federal agency responsible for national election security, CISA—through the Joint Cyber Defense Collaborative (JCDC)—has compiled a toolkit of free services and tools intended to help state and local government officials, election officials, and vendors enhance the cybersecurity and cyber resilience of U.S. election infrastructure. This toolkit includes free tools, services, and resources provided by CISA, JCDC members, and others across the cybersecurity community.

How To Use This Toolkit

First, use the Election Security Risk Profile Tool to assess your risk. The tool, developed by CISA and the U.S. Election Assistance Commission, can help state and local election officials understand the range of risks they face and how to prioritize their mitigation efforts. With this tool, you can:

  • Address areas of greatest risk.
  • Ensure that technical cybersecurity assessments and services are meeting critical needs. 
  • Gain a sound analytic foundation for managing election security risk with key partners at the federal, state, and local level.

Preliminary Actions to Defend Against Common Cyber Threats:

Before using the toolkit to address specific threats, take the following actions to establish your cybersecurity baseline:

  • Implement free CISA Cyber Hygiene Services Vulnerability Scanning.
  • Keep systems and software updated and prioritize remediating known exploited vulnerabilities.
  • Follow password best practices, such as enforcing multifactor authentication and using a password manager.
  • Make and secure offline backups of data.

Once you understand your risks and capability gaps, use the resources below to learn more about how you can better protect against cybersecurity threats.

Resources

The resources featured in this toolkit are grouped based on three threat categories:

  1. Phishing,
  2. Ransomware, and
  3. Distributed denial of service

Officials seeking to secure election infrastructure should carefully review each section to identify tools and services appropriate to address their primary risks.

The services and tools are aligned with the Protect and Detect functions of the NIST Cybersecurity Framework. Protect outlines safeguards to ensure the delivery of critical services and Detect defines activities to identify the occurrence of a cybersecurity event. 

Note: This toolkit is not comprehensive. CISA applies neutral principles and criteria to add items and maintains sole and unreviewable discretion over the determination of items included. CISA does not attest to the suitability or effectiveness of these services and tools for any particular use case. CISA does not endorse any commercial product or service. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

Category 1: Phishing

Phishing attacks use email, text messaging, social media, and/or malicious websites to solicit personal information or to trick individuals into downloading malicious software. Cyber threat actors often use elections and political events to capture attention and lure recipients into clicking a link or downloading a file that contains malicious code. Election officials are often required to open email attachments, which could contain malicious payloads, to facilitate election administration processes (e.g., absentee ballot applications).

Services that help protect against phishing attempts

Election Security Risk in Focus: Phishing

CISA’s free training on phishing details phishing types, detection, and impacts with an emphasis on election infrastructure-related risks and available resources.

Cisco OpenDNS Home

OpenDNS blocks phishing websites that try to steal a user/organization identity and login information by pretending to be a legitimate website.

Cloudflare DNS resolver with malware filter

Cloudflare DNS resolver with malware filter is a private and fast DNS resolver that prevents user/organization devices from accessing known malware threats. 

Quad9

Quad9’s DNS platform is designed to prevent computers and devices from connecting to malware or phishing sites.

Google Advanced Protection Program

The Google Advanced Protection Program safeguards users with high visibility and sensitive information from targeted online attacks. New protections are automatically added to defend against today’s wide range of threats.

Google Web Risk

A User Protection Service from Google Cloud designed to reduce the risk of threats targeting user-generated content. Google Web Risk lets organizations compare URLs in their environment against a repository of more than one million unsafe URLs.

Services that help detect phishing attempts

Google Safe Browsing

This toolset identifies known phishing and malware across the web and helps notify users and website owners of potential harm. It is integrated into many major products and provides tools to webmasters.

CrowdStrike Hybrid Analysis

Inspects items using 70+ antivirus scanners and URL/domain blocklisting services to extract signals from the studied content. Users can select files from their computer via the browser and send them to VirusTotal.

Category 2: Ransomware

Ransomware is malicious software designed to deny access to computer systems or data. In a ransomware attack, the ransomware actor encrypts systems and/or data, rendering them inaccessible to owners and users. In some cases, data is also taken (exfiltrated) from the user’s computer or network. The actor demands payment to decrypt the systems and/or data. However, paying this ransom does not guarantee the user will regain access to their systems and/or data; these assets can be permanently lost or leaked.

For elections, a ransomware attack could leak or deny access to voter registration data, unofficial results reporting, and other sensitive information. It could also inhibit access to important election systems during critical operational periods, such as registration and candidate filing deadlines. 

Services that help protect against ransomware attacks

CISA Free Ransomware Services

CISA offers free services and training to protect organizations against ransomware.

Microsoft controlled folder access/ransomware protection in Windows

Controlled folder access in Windows helps protect against threats like ransomware by safeguarding folders, files, and memory areas on the device from unauthorized changes by unfriendly applications.

Microsoft Windows Backup and Restore

This tool sets up automatic backups of Windows 10 and 11 operating systems to an external drive or network location.

Zscaler’s Ransomware Risk Assessment

Assesses an organization’s ability to (1) counteract a ransomware infection and its spread and (2) resume operations after an infection. Scans defenses against ransomware-specific intrusion, lateral movement, and exfiltration methods.

Cisco Immunet Antivirus

A malware and antivirus protection system for Windows that utilizes cloud computing to provide enhanced community-based security.

Google Drive for desktop

This tool backs up files on Windows or Mac computers. Note: It does not allow users to restore their system; it only saves copies of files.

Google Chrome OS and Chromebooks

Chrome OS is a cloud-first platform that provides protection against ransomware by default through built-in proactive security measures such as safe browsing practices, blocking executables, and automatic data and file backups.

Microsoft Defender Antivirus in Windows

Built into Windows 10 and 11 and in versions of Windows Server, this tool is used to protect and detect endpoint threats, including file-based and fileless malware.

Cisco ClamAV

An open-source antivirus engine used in a variety of situations, including email and web scanning and endpoint security. Provides a flexible, scalable multithreaded daemon, a command-line scanner, and an advanced tool for automatic database updates.

Services and tools that help detect ransomware attacks

Google Security Command Center

Microsoft Safety Scanner

AWS GitHub Security Assessment Tool

Cisco Snort

Mandiant Red Team and Investigative Tools

Category 3: Distributed Denial of Service (DDoS) Attacks

DDoS attacks on election infrastructure can hinder access to voting information. A DDoS attack occurs when malicious cyber actors flood a public-facing, internet-accessible server with requests, rendering the targeted server slow or inaccessible. This prevents users from accessing online resources, such as web pages and online accounts, and may disrupt an organization’s activities for a period of time, potentially hindering voters’ ability to access voting information or unofficial election results.

For more information on DDoS attacks, please see CISA’s DDoS Quick Guide. 

Services and tools that help protect against DDoS attacks

Cloudflare DDoS Protection

Cloudflare DNS

Cloudflare HTTPS Encryption (Secure Socket Layer [SSL]/Transport Layer Security [TLS])

Google reCAPTCHA

Google Jigsaw Project Shield

Services and tools that help detect a DDoS attack

Cloudflare Web Analytics

Cloudflare Logs

Cloudflare Rate Limiting

Additional Tools for Election Security

The following tools and services can help:

  • Reduce the likelihood of a damaging cyber incident.
  • Quickly detect a potential intrusion.
  • Support preparation and response efforts if an intrusion does occur.
  • Maximize an organization’s resilience to a damaging cyber incident.

Microsoft AccountGuard

Microsoft AccountGuard is a cybersecurity service that gives elections organizations an extra layer of protection against nation-state-sponsored attackers. AccountGuard protects both the professional and optionally

Additional CISA & Partner Cybersecurity Resources

In addition to this toolkit, CISA offers other election cybersecurity resources, such as guidance documents, reports, infographics, and free basic cyber hygiene tools:

  • Election Infrastructure Security webpage. CISA’s primary hub for election security announcements, resources, and materials.
  • Free Cybersecurity Services and Tools webpage. A general toolkit of free cybersecurity services compiled by CISA to help critical infrastructure owners and operators further advance their cybersecurity capabilities. 
  • CISA Tabletop Exercises Packages. A comprehensive set of resources designed to assist stakeholders in conducting their own exercises.
  • Automated Indicator Sharing. Automated Indicator Sharing is a CISA capability that enables the real-time exchange of machine-readable cyber threat indicators and defensive measures.
  • Cyber Guidance for Small Businesses. CISA has compiled the top cybersecurity tasks for IT leads and their staff, including enforcing multifactor authentication for all users, keeping systems patched, and monitoring CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

Enhancing the cybersecurity and cyber resilience of U.S. election infrastructure is a partnership; CISA’s election security partners offer the following free resources.

MS-ISAC and EI-ISAC Resources

The Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) provide no-cost services to secure U.S. election infrastructure. MS-ISAC is the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. state, local, tribal, and territorial government entities, and the EI-ISAC supports the rapidly changing cybersecurity needs of U.S. elections offices.

Membership in the Multi-State ISAC is free and open to all state, local, tribal, and territorial government organizations.

Membership in the Elections Infrastructure ISAC is free and open to all state, local, tribal, and territorial government organizations that support U.S. elections.

  • EI-ISAC Membership Registration 
  • 24/7 Security Operations Center (SOC) and Cyber Incident Response Services 
  • SecureSuite Membership
  • MS-ISAC Malicious Code Analysis Platform (MCAP)
  • MS-ISAC Real-Time Indicator Feeds 
  • Albert Network Monitoring

U.S. Election Assistance Commission

  • Clearinghouse Resources for Election Officials 

Global Cyber Alliance (GCA)

  • The GCA Cybersecurity Toolkit for Elections 

 

 
