Cybersecurity Toolkit to Protect Elections

As the lead federal agency responsible for national election security, CISA—through the Joint Cyber Defense Collaborative (JCDC)—has compiled a toolkit of free services and tools intended to help state and local government officials, election officials, and vendors enhance the cybersecurity and cyber resilience of U.S. election infrastructure. This toolkit includes free tools, services, and resources provided by CISA, JCDC members, and others across the cybersecurity community.

How To Use This Toolkit

First, use the Election Security Risk Profile Tool to assess your risk. The tool, developed by CISA and the U.S. Election Assistance Commission, can help state and local election officials understand the range of risks they face and how to prioritize their mitigation efforts. With this tool, you can:

  • Address areas of greatest risk.
  • Ensure that technical cybersecurity assessments and services are meeting critical needs. 
  • Gain a sound analytic foundation for managing election security risk with key partners at the federal, state, and local level.

Second, review the icons below. These icons correspond to the election infrastructure assets most commonly targeted by phishing, ransomware, and distributed denial-of-service (DDoS) attacks, and will be used later in the toolkit

Newspaper outline

Voter information: Cyber threat actors may try to compromise or manipulate electronic poll books and voter registration databases in attempt to cause confusion or delay voting.

Internet outline

Websites: Cyber threat actors often target state and local websites with DDoS, phishing, and defacement.

Email outline

Email systems: Cyber threat actors use phishing as the preferred vector with which to target state and local email systems.

Social network outline

Networks: Cyber threat actors commonly use vectors, such as phishing or malware, in their attempts to infiltrate state and local networks that election offices rely on for regular business functions


Third, the toolkit has categorized cybersecurity tools and services by 3 threat categories - phishing, ransomware, and distributed denial of service - along with a general listing of useful cybersecurity tools and services. These threat categories may interrelate to one another—for example, cyber threat actors may use phishing to establish initial access to a system in order to deploy ransomware.

Officials seeking to secure election infrastructure should carefully review each section to identify tools and services appropriate to address their primary risks. Each threat category has been divided into tools and services that can protect against the threat, and those that can detect malicious activity associated with the threat. The services and tools are aligned with the Protect and Detect functions of the NIST Cybersecurity Framework. Protect outlines safeguards to ensure the delivery of critical services and Detect defines activities to identify the occurrence of a cybersecurity event. 

Note: This toolkit is not comprehensive. CISA applies neutral principles and criteria to add items and maintains sole and unreviewable discretion over the determination of items included. CISA does not attest to the suitability or effectiveness of these services and tools for any particular use case. CISA does not endorse any commercial product or service. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

Preliminary Actions to Defend Against Common Cyber Threats:

Before using the toolkit to address specific threats, take the following actions to establish your cybersecurity baseline.


    Step 1: Understand Phishing Attacks.

    Phishing attacks use email, text messaging, social media, and/or malicious websites to solicit personal information or to trick individuals into downloading malicious software. Cyber threat actors often use elections and political events to capture attention and lure recipients into clicking a link or downloading a file that contains malicious code. Election officials are often required to open email attachments, which could contain malicious payloads, to facilitate election administration processes (e.g., absentee ballot applications).

    Step 2: Protect against phishing attacks.


    Product Link




    Election Security Risk in Focus: Phishing


    CISA’s free training on phishing details phishing types, detection, and impacts with an emphasis on election infrastructure-related risks and available resources.

    Cisco OpenDNS Home

    OpenDNS blocks phishing websites that try to steal a user/organization identity and login information by pretending to be a legitimate website.

    Cloudflare DNS resolver with malware filter

    Cloudflare DNS resolver with malware filter is a private and fast DNS resolver that prevents user/organization devices from accessing known malware threats. For example, if an employee opens and clicks on a phishing email link, the link in the email won’t work. This prevents attackers from compromising sensitive internal information.


    Quad9’s DNS platform is designed to prevent computers and devices from connecting to malware or phishing sites.

    Google Advanced Protection Program

    The Google Advanced Protection Program safeguards users with high visibility and sensitive information from targeted online attacks. New protections are automatically added to defend against today’s wide range of threats.

    Google Web Risk

    Google Web Risk is a User Protection Service from Google Cloud designed to reduce the risk of threats targeting user-generated content. Google Web Risk lets organizations compare URLs in their environment against a repository of more than one million unsafe URLs.


    Secureworks PhishInSuits  

    The Secureworks Adversary Group and Counter Threat Unit research team developed the PhishInSuits tool to conduct security assessments and test control frameworks against scenarios such as business email compromise (BEC) attacks. The tool combines this variation of illicit consent attack with text message (SMS)-based phishing (smishing) to emulate BEC campaigns and includes automated data-exfiltration capabilities.

    Step 3: Detect phishing attempts.


    Product Link




    Google Safe Browsing

    This toolset identifies known phishing and malware across the web and helps notify users and website owners of potential harm. It is integrated into many major products and provides tools to webmasters.

    CrowdStrike Hybrid Analysis

    This tool is a free malware analysis service that detects and analyzes unknown threats using a unique Hybrid Analysis technology. Users can submit suspicious URLs and receive aggregated malicious verdicts as well as the contents at said URL. Hybrid Analysis is also a file sandbox and free alternative to other public malware repositories for file/threat hunting.


    Google VirusTotal

    VirusTotal inspects items with more than 70 antivirus scanners and URL/domain blocklisting services, in addition to a variety of other tools, to extract signals from the studied content. Users can select a file from a computer via the browser and send it to VirusTotal. Submissions may be scripted in any programming language using the HTTP-based public application programming interface (API).


    Step 1: Understand ransomware attacks.

    Ransomware is malicious software designed to deny access to computer systems or data. In a ransomware attack, the ransomware actor encrypts systems and/or data, rendering them inaccessible to owners and users. In some cases, data is also taken (exfiltrated) from the user’s computer or network.  The actor demands payment to decrypt the systems and/or data. However, paying this ransom does not guarantee the user will regain access to their systems and/or data; these assets can be permanently lost or leaked. 

    For elections, a ransomware attack could leak or deny access to voter registration data, unofficial results reporting, and other sensitive information. It could also inhibit access to important election systems during critical operational periods, such as registration and candidate filing deadlines. 

    Step 2: Protect against ransomware attacks.


    Product Link




    CISA Free Ransomware Services

    CISA offers free services and training to protect organizations against ransomware.


    Microsoft controlled folder access/ransomware protection in Windows

    Controlled folder access in Windows helps protect against threats like ransomware by safeguarding folders, files, and memory areas on the device from unauthorized changes by unfriendly applications.

    Microsoft Windows Backup and Restore

    This tool sets up automatic backups of Windows 10 and 11 operating systems to an external drive or network location.

    Zscaler’s Ransomware Risk Assessment

    This service assesses an organization’s ability to counteract a ransomware infection and its spread, as well as an organization’s ability to resume operations after an infection. This web-based tool scans defenses against ransomware-specific intrusion, lateral movement, and exfiltration methods. It is safe to use and runs within the browser.

    Cisco Immunet Antivirus  

    Immunet is a malware and antivirus protection system for Windows that utilizes cloud computing to provide enhanced community-based security.

    Google Drive for desktop

    This tool backs up files on Windows or Mac computers. Note: It does not allow users to restore their system; it only saves copies of files.

    Google Chrome OS and Chromebooks

    Chrome OS is a cloud-first platform that provides protection against ransomware by default through built-in proactive security measures such as safe browsing practices, blocking executables, and automatic data and file backups.

    Microsoft Defender Antivirus in Windows

    Built into Windows 10 and 11 and in versions of Windows Server, this tool is used to protect and detect endpoint threats, including file-based and fileless malware.


    Cisco ClamAV

    ClamAV is an open-source (general public license [GPL]) antivirus engine used in a variety of situations, including email and web scanning and endpoint security. It provides many utilities for users, including a flexible and scalable multithreaded daemon, a command-line scanner, and an advanced tool for automatic database updates.

    Step 3: Detect ransomware attacks.


    Product Link




    Google Security Command Center

    This tool helps users strengthen their security posture by evaluating their security and data attack surface; providing asset inventory and discovery; identifying misconfigurations, vulnerabilities, and threats; and mitigating and remediating risks.

    Microsoft Safety Scanner

    Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. It can run scans to find malware and try to reverse changes made by identified threats.

    AWS GitHub Security Assessment Tool

    An AWS tool to help users create a point in time assessment of their AWS account using Prowler and Scout as well as optional AWS developed ransomware checks.


    Cisco Snort

    This network intrusion detection and prevention system conducts traffic analysis and packet logging on Internet Protocol (IP) networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. The related free Basic Analysis and Security Engine (BASE) is a web interface for analyzing Snort alerts.

    Mandiant Red Team and Investigative Tools

    These tools are designed to confirm and investigate suspected security compromises.

    Distributed Denial of Service (DDoS) Attacks

    Step 1: Understand DDoS attacks.

    DDoS attacks on election infrastructure can hinder access to voting information. A DDoS attack occurs when malicious cyber actors flood a public-facing, internet-accessible server with requests, rendering the targeted server slow or inaccessible. This prevents users from accessing online resources, such as web pages and online accounts, and may disrupt an organization’s activities for a period of time, potentially hindering voters’ ability to access voting information or unofficial election results.

    For more information on DDoS attacks, please see CISA’s DDoS Quick Guide

    Step 2: Protect against DDoS attacks.


    Product Link




    Cloudflare DDoS Protection

    Cloudflare's Athenian Project provides provides unmetered and unlimited DDoS protection through their Autonomous DDoS Protection Edge, which automatically detects and mitigates DDoS attacks. The Autonomous Edge includes multiple dynamic mitigation rules exposed as Cloudflare DDoS Attack Protection Managed Rule sets, which provide comprehensive protection against a variety of DDoS attacks across L3/4 and L7 of the OSI model. This tool mitigates against DDoS attacks without incurring latency or interfering with legitimate users. To learn more on DDoS protection and to get started with the Athenian Project, visit the Cloudflare Athenian Project page.

    Cloudflare DNS  


    Cloudflare provides fast and secure managed Domain Name System (DNS) as a built-in service on its network. When users/organizations use Cloudflare DNS, all DNS queries for user/organization domains are answered by Cloudflare’s global Anycast network. The Anycast network allows Cloudflare to mitigate DDoS attacks directed at any site using Cloudflare name servers. In addition, Cloudflare DNS comes with Domain Name System Security Extensions (DNSSEC) protocol, which creates a secure domain name system by adding cryptographic signatures to existing DNS records. By checking its associated signature, users/organizations can verify that a requested DNS record comes from its authoritative name server and wasn’t altered en route, as opposed to a fake record injected in a man-in-the-middle attack.

    Cloudflare HTTPS Encryption (Secure Socket Layer [SSL]/Transport Layer Security [TLS])

    This tool offers free SSL certificates to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and gain user trust. By encrypting any data that goes between a user and a web server, SSL ensures that anyone who intercepts the data can only see a scrambled mess of characters. SSL also stops certain kinds of cyberattacks: It authenticates web servers, which is important because attackers will often try to set up fake websites to trick users and steal data.

    Google reCAPTCHA

    reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to keep malicious software from engaging in abusive activities on a user’s website.

    Google Jigsaw Project Shield

    Project Shield is a free service that defends news, human rights, and election-monitoring sites from DDoS attacks.


    Lumu Technologies Lumu Free

    Lumu Free offers continuous monitoring across the network by leveraging multiple sources of metadata (DNS, proxy, firewall). Organizations can uncover contact with malicious infrastructure, enabling threat mitigation and attack prevention. Malicious incidents can be labeled to ensure prioritization according to an organization’s risk tolerance.

    Let’s Encrypt

    This tool provides a free digital certificate to enable HTTPS (SSL/TLS) for websites. While Let’s Encrypt provides a free way to enable HTTPS, its lack of enterprise support may require internal support from jurisdictions.


    Step 3: Detect a DDoS attack.


    Product Link




    Cloudflare Web Analytics




    Cloudflare Logs

    Cloudflare’s built-in analytics give users/organizations deeper insights into their traffic patterns, threats observed (and blocked), and other information found in the dashboard. High-level analytic dashboards provide overviews of traffic and security posture, including traffic and firewall events, DNS query traffic, and the geographical distribution of DNS queries over time.


    Cloudflare provides access to detailed logs of HTTP requests for domain. Logs are typically used for debugging, identifying configuration adjustments, and creating analytics, especially when combined with other data sources such as application server logs. Logs are helpful when investigating incidents such as website outages.


    Cloudflare Rate Limiting

    Cloudflare Rate Limiting automatically identifies and mitigates excessive request rates for specific URLs or for an entire domain. Request rates are calculated locally for individual Cloudflare data centers. The most common uses for Rate Limiting are DDoS and brute-force attack protection, and to limit access to forum searches, API calls, or resources that involve database-intensive operations at user/organization origin.

    Additional Tools for Election Security

    The following tools and services can help:

    • Reduce the likelihood of a damaging cyber incident.
    • Quickly detect a potential intrusion.
    • Support preparation and response efforts if an intrusion does occur.
    • Maximize an organization’s resilience to a damaging cyber incident.

    Additional tools and services





    Microsoft AccountGuard

    Microsoft AccountGuard is a cybersecurity service that adds an extra layer of protection against Nation-State sponsored attackers to elections organizations. AccountGuard protects both the professional and optionally

    the personal email accounts of staff.

    CISA Crossfeed

    Crossfeed is a tool that continuously enumerates and monitors an organization's public-facing attack surface in order to discover assets and flag potential security flaws. By operating in either passive or active scanning modes, Crossfeed collects data from a variety of open-source tools and data feeds to provide actionable information about organization assets. Crossfeed is offered as a self-service portal and allows customers to view reports and customize scans performed.

    Azure for Elections

    Azure for Elections is a set of security and resiliency assessments & enhanced support for elections-critical workloads running in the Azure cloud

    - Cloud Cybersecurity Assessments

    - Resiliency assessments for high load

    - Prioritized rapid support response during Election Week


    No additional cost, contact: to enroll.


    EI-ISAC Endpoint Detection and Response (EDR)

    EDR provides device-level protection and response: active defense against cybersecurity threats, blocking both known and unknown malicious activity, as well as effective defense against encrypted malicious traffic. It can stop malicious cyber activity by taking an active role in mitigating and remediating malware and killing or quarantining files. This service includes coverage and monitoring by the ISAC’s 24x7x365 security operations center (SOC); is no cost for all state and local election offices; and is easy to deploy low-impact software solution for devices and workstations.

    EI-ISAC Malicious Domain Blocking and Reporting (MDBR)

    MDBR prevents IT systems from connecting to harmful web domains, helping limit infections related to known malware, ransomware, phishing, and other cyber threats. It can block the vast majority of ransomware infections, proactively blocking network traffic to known harmful web domains, helping protect IT systems against cybersecurity threats. It’s easy to implement while it requires virtually no maintenance. It provides a detailed analysis and reporting for the betterment of the community, along with the reporting organization. It can be installed in less than 15 minutes and is free to all SLTTs.

    Cloudflare Anycast Content Delivery Network

    The Cloudflare Anycast Content Delivery Network quickly routes incoming traffic to the nearest data center with the capacity to process the request efficiently, handling surges in web traffic due to registration deadlines and election result updates. Caching content on Cloudflare’s network reduces the number of requests to an origin by serving static content from a Cloudflare data center and minimizing bandwidth consumption.

    Cloudflare Web Application Firewall

    The Cloudflare Web Application Firewall (WAF) provides both automatic protection from vulnerabilities and the flexibility to create custom rules. The WAF protects the integrity of information on the user/organization election website from common vulnerabilities, such as Structured Query Language (SQL) injection attacks, cross-site scripting, and cross-site forgery requests.

    Google Cybersecurity Action Team

    This service provides a number of security resources, including security blueprints, white papers, threat reports, and information on recently detected vulnerabilities.

    Google GRR Rapid Response

    GRR Rapid Response is an incident response framework focused on remote live forensics. The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely.

    Microsoft BitLocker for Windows

    This tool encrypts Microsoft Windows systems.

    Microsoft Windows Malicious Software Removal Tool

    This tool is released by Microsoft on a monthly basis as part of Windows Update or as a stand-alone tool. It can be used to find and remove specific prevalent threats and reverse the changes they have made.


    Guardicore Infection Monkey


    Infection Monkey is an open-source tool for breach and attack analysis that tests a data center’s resiliency to perimeter breaches and internal server infections. Infection Monkey helps to validate existing security solutions and provides a view of the internal network from an attacker’s perspective. Infection Monkey gives individuals focused on election security an understanding of potential risks by scanning networks and fingerprinting machines using multiple network protocols.

    IBM X-Force Exchange

    IBM X-Force Exchange is a cloud-based threat intelligence platform that allows users to consume, share, and act on threat intelligence. It enables users to conduct rapid research of the latest global security threats, aggregate actionable intelligence, consult with experts, and collaborate with peers.

    Mandiant Attack Surface Management

    This early warning system for information security allows users/organizations to create comprehensive visibility through graph-based mapping; know when assets change to stay ahead of the threat; and empower security operations to mitigate real-world threats.

    Mandiant Threat Intelligence

    Free access to the Mandiant Threat Intelligence portal helps users understand recent security trends, proactively hunt threat actors, and prioritize response activities.


    Mandiant Digital Threat Monitoring

    Detect and respond to external threats by monitoring the open, deep and dark web. Monitoring provides early warning of threat actors targeting your organization and notification of data and credential leaks so you can respond quicker. 



    Microsoft RiskIQ Community

    The RiskIQ community offers free access to internet intelligence, including thousands of open-source intelligence articles and artifacts. Community users can investigate threats by pivoting through attacker infrastructure data, understanding what digital assets are exposed to the internet, and mapping and monitoring their external attack surface.


    This security configuration framework is designed to help prioritize endpoint hardening recommendations.

    Note: This toolkit is not comprehensive. CISA applies neutral principles and criteria to add items and maintains sole and unreviewable discretion over the determination of items included. CISA does not attest to the suitability or effectiveness of these services and tools for any particular use case. CISA does not endorse any commercial product or service. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.

    Additional CISA & Partner Cybersecurity Resources

    In addition to this toolkit, CISA offers other election cybersecurity resources, such as guidance documents, reports, infographics, and free basic cyber hygiene tools:

    Enhancing the cybersecurity and cyber resilience of U.S. election infrastructure is a partnership; CISA’s election security partners offer the following free resources.

    MS-ISAC and EI-ISAC Resources

    The Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) provide no-cost services to secure U.S. election infrastructure. MS-ISAC is the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the EI-ISAC supports the rapidly changing cybersecurity needs of U.S. elections offices.

    Membership in the Multi-State ISAC is free and open to all state, local, tribal, and territorial government organizations.

    Membership in the Elections Infrastructure ISAC is free and open to all state, local, tribal, and territorial government organizations that support U.S. elections.

    CIS, MS-ISAC, and EI-ISAC Resources

    Additional Partner Resources

    U.S. Election Assistance Commission

    Global Cyber Alliance (GCA)




    Was this webpage helpful?  Yes  |  Somewhat  |  No