As the lead federal agency responsible for national election security, CISA—through the Joint Cyber Defense Collaborative (JCDC)—has compiled a toolkit of free services and tools intended to help state and local government officials, election officials, and vendors enhance the cybersecurity and cyber resilience of U.S. election infrastructure. This toolkit includes free tools, services, and resources provided by CISA, JCDC members, and others across the cybersecurity community.
How To Use This Toolkit
First, use the Election Security Risk Profile Tool to assess your risk. The tool, developed by CISA and the U.S. Election Assistance Commission, can help state and local election officials understand the range of risks they face and how to prioritize their mitigation efforts. With this tool, you can:
- Address areas of greatest risk.
- Ensure that technical cybersecurity assessments and services are meeting critical needs.
- Gain a sound analytic foundation for managing election security risk with key partners at the federal, state, and local level.
Preliminary Actions to Defend Against Common Cyber Threats:
Before using the toolkit to address specific threats, take the following actions to establish your cybersecurity baseline:
- Implement free CISA Cyber Hygiene Services Vulnerability Scanning.
- Keep systems and software updated and prioritize remediating known exploited vulnerabilities.
- Follow password best practices, e.g., multifactor authentication enforcement, password manager.
- Make and secure offline backups of data.
Once you understand your risks and capability gaps, use the below resources to learn more about how you can better protect against cybersecurity threats.
Resources
The resources featured in this toolkit are grouped based on three threat categories:
- Phishing,
- Ransomware, and
- Distributed denial of service
Officials seeking to secure election infrastructure should carefully review each section to identify tools and services appropriate to address their primary risks.
The services and tools are aligned with the Protect and Detect functions of the NIST Cybersecurity Framework. Protect outlines safeguards to ensure the delivery of critical services and Detect defines activities to identify the occurrence of a cybersecurity event.
Note: This toolkit is not comprehensive. CISA applies neutral principles and criteria to add items and maintains sole and unreviewable discretion over the determination of items included. CISA does not attest to the suitability or effectiveness of these services and tools for any particular use case. CISA does not endorse any commercial product or service. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.
Category 1: Phishing
Phishing attacks use email, text messaging, social media, and/or malicious websites to solicit personal information or to trick individuals into downloading malicious software. Cyber threat actors often use elections and political events to capture attention and lure recipients into clicking a link or downloading a file that contains malicious code. Election officials are often required to open email attachments, which could contain malicious payloads, to facilitate election administration processes (e.g., absentee ballot applications).
Services that help protect against phishing attempts
Election Security Risk in Focus: Phishing
CISA’s free training on phishing details phishing types, detection, and impacts with an emphasis on election infrastructure-related risks and available resources.
Cisco OpenDNS Home
OpenDNS blocks phishing websites that try to steal a user/organization identity and login information by pretending to be a legitimate website.
Cloudflare DNS resolver with malware filter
Cloudflare DNS resolver with malware filter is a private and fast DNS resolver that prevents user/organization devices from accessing known malware threats.
Quad9
Quad9’s DNS platform is designed to prevent computers and devices from connecting to malware or phishing sites.
Google Advanced Protection Program
The Google Advanced Protection Program safeguards users with high visibility and sensitive information from targeted online attacks. New protections are automatically added to defend against today’s wide range of threats.
Google Web Risk
A User Protection Service from Google Cloud designed to reduce the risk of threats targeting user-generated content. Google Web Risk lets organizations compare URLs in their environment against a repository of more than one million unsafe URLs.
Services that help detect phishing attempts
Google Safe Browsing
This toolset identifies known phishing and malware across the web and helps notify users and website owners of potential harm. It is integrated into many major products and provides tools to webmasters.
CrowdStrike Hybrid Analysis
Inspects items using 70+ antivirus scanners and URL/domain blocklisting services, to extract signals from the studied content. Users can select files from computer via the browser and send to VirusTotal.
Category 2: Ransomware
Ransomware is malicious software designed to deny access to computer systems or data. In a ransomware attack, the ransomware actor encrypts systems and/or data, rendering them inaccessible to owners and users. In some cases, data is also taken (exfiltrated) from the user’s computer or network. The actor demands payment to decrypt the systems and/or data. However, paying this ransom does not guarantee the user will regain access to their systems and/or data; these assets can be permanently lost or leaked.
For elections, a ransomware attack could leak or deny access to voter registration data, unofficial results reporting, and other sensitive information. It could also inhibit access to important election systems during critical operational periods, such as registration and candidate filing deadlines.
Services that help protect against ransomware attacks
CISA Free Ransomware Services
CISA offers free services and training to protect organizations against ransomware.
Microsoft controlled folder access/ransomware protection in Windows
Controlled folder access in Windows helps protect against threats like ransomware by safeguarding folders, files, and memory areas on the device from unauthorized changes by unfriendly applications.
Microsoft Windows Backup and Restore
This tool sets up automatic backups of Windows 10 and 11 operating systems to an external drive or network location.
Zscaler’s Ransomware Risk Assessment
Assesses an organization’s ability to 1. counteract a ransomware infection and its spread and 2. to resume operations after an infection. Scans defenses against ransomware-specific intrusion, lateral movement, and exfiltration methods.
Cisco Immunet Antivirus
A malware and antivirus protection system for Windows that utilizes cloud computing to provide enhanced community-based security.
Google Drive for desktop
This tool backs up files on Windows or Mac computers. Note: It does not allow users to restore their system; it only saves copies of files.
Google Chrome OS and Chromebooks
Chrome OS is a cloud-first platform that provides protection against ransomware by default through built-in proactive security measures such as safe browsing practices, blocking executables, and automatic data and file backups.
Microsoft Defender Antivirus in Windows
Built into Windows 10 and 11 and in versions of Windows Server, this tool is used to protect and detect endpoint threats, including file-based and fileless malware.
Cisco ClamAV
An open-source antivirus engine used in a variety of situations, including email and web scanning and endpoint security. Provides a flexible, scalable multithreaded daemon, a command-line scanner, and an advanced tool for automatic database updates.
Services and tools that help detect ransomware attacks
Category 3: Distributed Denial of Service (DDoS) Attacks
DDoS attacks on election infrastructure can hinder access to voting information. A DDoS attack occurs when malicious cyber actors flood a public-facing, internet-accessible server with requests, rendering the targeted server slow or inaccessible. This prevents users from accessing online resources, such as web pages and online accounts, and may disrupt an organization’s activities for a period of time, potentially hindering voters’ ability to access voting information or unofficial election results.
For more information on DDoS attacks, please see CISA’s DDoS Quick Guide.
Services and tools that help protect against DDoS attacks
Cloudflare DDoS Protection
Cloudflare DNS
Cloudflare HTTPS Encryption (Secure Socket Layer [SSL]/Transport Layer Security [TLS])
Google reCAPTCHA
Google Jigsaw Project Shield
Services and tools that help detect a DDoS attack
Cloudflare Web Analytics
Cloudflare Logs
Cloudflare Rate Limiting
Additional Tools for Election Security
The following tools and services can help:
- Reduce the likelihood of a damaging cyber incident.
- Quickly detect a potential intrusion.
- Support preparation and response efforts if an intrusion does occur.
- Maximize an organization’s resilience to a damaging cyber incident.
Microsoft AccountGuard
Microsoft AccountGuard is a cybersecurity service that adds an extra layer of protection against Nation-State sponsored attackers to elections organizations. AccountGuard protects both the professional and optionally
Additional CISA & Partner Cybersecurity Resources
In addition to this toolkit, CISA offers other election cybersecurity resources, such as guidance documents, reports, infographics, and free basic cyber hygiene tools:
- Election Infrastructure Security webpage. CISA’s primary hub for election security announcements, resources, and materials.
- Free Cybersecurity Services and Tools webpage. A general toolkit of free cybersecurity services compiled by CISA to help critical infrastructure owners and operators further advance their cybersecurity capabilities.
- CISA Tabletop Exercises Packages. A comprehensive set of resources designed to assist stakeholders in conducting their own exercises.
- Automated Indicator Sharing. Automated Indicator Sharing is a CISA capability that enables the real-time exchange of machine-readable cyber threat indicators and defensive measures.
- Cyber Guidance for Small Businesses. CISA has compiled the top cybersecurity tasks for IT leads and their staff, including enforcing multifactor authentication for all users, keeping systems patched, and monitoring CISA’s Known Exploited Vulnerabilities (KEV) Catalog.
Enhancing the cybersecurity and cyber resilience of U.S. election infrastructure is a partnership; CISA’s election security partners offer the following free resources.
MS-ISAC and EI-ISAC Resources
The Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) provide no-cost services to secure U.S. election infrastructure. MS-ISAC is the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the EI-ISAC supports the rapidly changing cybersecurity needs of U.S. elections offices.
Membership in the Multi-State ISAC is free and open to all state, local, tribal, and territorial government organizations.
Membership in the Elections Infrastructure ISAC is free and open to all state, local, tribal, and territorial government organizations that support U.S. elections.
- EI-ISAC Membership Registration
- 24/7 Security Operations Center (SOC) and Cyber Incident Response Services
- SecureSuite Membership
- MS-ISAC Malicious Code Analysis Platform (MCAP)
- MS-ISAC Real-Time Indicator Feeds
- Albert Network Monitoring
U.S. Election Assistance Commission
Global Cyber Alliance (GCA)