Home
Recent Structural Changes in CISA Election Security Support and Infrastructure Programs
The Cybersecurity and Infrastructure Security Agency (CISA) has implemented a fundamental reorganization of its election security operations, marking a significant departure from the expansive support model maintained between 2017 and 2024. Beginning in early 2025, the agency initiated an internal review that led to the suspension of numerous operational programs, the termination of major funding agreements, and a substantial reduction in specialized personnel dedicated to state and local election jurisdictions.
These changes represent a shift in federal strategy, moving away from hands-on coordination and toward a more restricted "core mission" focus. For election officials at the state, local, tribal, and territorial (SLTT) levels, this transition has created a landscape characterized by reduced federal resources, the loss of centralized threat intelligence hubs, and increased financial responsibility for cybersecurity defense.
Immediate Overview of 2025 Policy Shifts
The landscape of federal election security changed abruptly following the 2024 election cycle. The most critical changes implemented by CISA in early 2025 include:
- Suspension of Field Operations: A temporary freeze on many election-specific cybersecurity and physical security assessments as part of a comprehensive internal program review.
- Defunding of the EI-ISAC: The termination of the cooperative agreement with the Center for Internet Security (CIS), which previously provided the financial backbone for the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC).
- Workforce Reductions: The elimination of specialized Regional Election Security Advisors and a reported reduction of over one-third of the agency's total workforce involved in election-related tasks.
- Disinformation Policy Withdrawal: A formal exit from activities involving the monitoring of social media for election-related narratives, refocusing instead on purely technical infrastructure vulnerabilities.
The Evolution of Election Infrastructure as Critical Infrastructure
To understand the magnitude of recent changes, it is necessary to examine the baseline established nearly a decade ago. In January 2017, the Department of Homeland Security (DHS) designated election infrastructure as a subsector of the "Government Facilities" critical infrastructure sector. This designation authorized CISA (and its predecessor, NPPD) to provide a wide range of voluntary services to state and local officials.
The Support Pillar (2017–2024)
For seven years, CISA functioned as the primary federal partner for over 8,000 election jurisdictions. This support was built on several pillars:
- Cyber Hygiene Services: Automated vulnerability scanning of internet-facing systems used for voter registration, ballot marking, and unofficial results reporting.
- Physical Security Assessments: On-site inspections of polling places, storage facilities, and election offices to mitigate risks from domestic threats or physical sabotage.
- Threat Intelligence Sharing: Funding the EI-ISAC allowed even the smallest counties to receive real-time alerts about suspicious IP addresses, ransomware trends, and nation-state probing.
- Incident Response: Deploying specialized teams to assist jurisdictions in the event of a breach or a coordinated Distributed Denial of Service (DDoS) attack.
The #PROTECT2024 campaign represented the apex of this model, during which CISA conducted nearly 1,300 physical assessments and over 700 cyber assessments within a single election cycle.
The 2025 Pivot: Internal Review and Operational Freezes
Following the inauguration of the new administration in early 2025, CISA’s leadership announced a comprehensive review of all activities deemed "non-core." The agency asserted that certain programs had expanded beyond the original intent of the 2017 designation or were redundant with private-sector offerings.
Suspension of Activities
In February 2025, many active support programs were placed on "administrative hold." This included the deployment of "Red Teams"—specialists who simulate cyberattacks to find weaknesses in election networks—and the pause of new physical security training modules. While the agency maintained that essential services would continue, the lack of transparency regarding the review's findings has led to significant uncertainty among local administrators.
Termination of the EI-ISAC Cooperative Agreement
Perhaps the most impactful change was the decision to end the federal funding of the Center for Internet Security (CIS) for the operation of the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC).
The EI-ISAC was widely considered the "connective tissue" of the election community. It provided:
- Albert Sensors: Intrusion detection systems that monitored network traffic for signs of malicious activity.
- Malicious Domain Blocking: A tool that prevented election staff from inadvertently clicking on phishing links.
- 24/7 Security Operations Center (SOC): A dedicated hub for reporting and analyzing threats specific to election hardware and software.
Without federal funding, the EI-ISAC has been forced toward a subscription-based model. Estimates suggest that up to two-thirds of previous members—particularly smaller, rural counties with limited budgets—may no longer be able to afford these services, effectively creating a "cyber-security divide" between wealthy and underfunded jurisdictions.
Workforce Reductions and the Loss of Regional Expertise
A hallmark of CISA's previous success was its decentralized approach. The agency had hired 10 Regional Election Security Advisors (RESAs), many of whom were former election officials with decades of practical experience. These advisors served as trusted intermediaries, helping state secretaries of state navigate federal bureaucracy and tailor security services to local needs.
As part of the 2025 workforce reductions, these advisor roles were largely eliminated. The loss of these positions has severed many of the informal lines of communication that allowed for rapid information flow during the 2020 and 2024 cycles. Additionally, broader agency-wide cuts have reduced the number of cybersecurity technicians available to perform deep-dive "hunt" missions on state networks.
The Reframing of Priorities: Core Mission vs. Perceived Overreach
The administration has defended these changes by arguing that CISA must return to its "core mission" of protecting heavy industry, energy grids, and water systems. Officials have pointed to several areas where they believe the agency's role had become overly politicized or expanded:
Social Media and Disinformation
In previous years, CISA operated a "Mis-, Dis-, and Malinformation" (MDM) team that worked with social media companies to flag false claims about election mechanics (e.g., incorrect polling dates or fake claims about ballot machine hacking). This practice became a focal point of legislative criticism, with opponents arguing that federal involvement in speech-related issues constituted government overreach. In 2025, CISA effectively disbanded these efforts, shifting the responsibility for "truth in elections" entirely back to state officials and private platforms.
Redundancy and Private Sector Role
Agency leadership has suggested that many services CISA once provided for free are now available through private cybersecurity firms. By withdrawing federal competition, the agency argues it is encouraging a more robust market for election security services. However, critics note that private firms often lack the cross-jurisdictional threat data that only a federal agency or a federally-funded ISAC can aggregate.
Impact on State and Local Election Jurisdictions
The practical consequence of these changes is a state of "strategic isolation" for many local officials. According to reports from policy analysts at the Center for Democracy and Technology (CDT), the retreat of federal support has led to several immediate challenges:
1. Reduced Situational Awareness
Without the centralized feeds from the EI-ISAC and the active monitoring by CISA advisors, local officials have described the feeling of "flying blind." In previous cycles, a bomb threat or a phishing attempt in one state would be immediately anonymized and shared across all 50 states within minutes. Today, that intelligence sharing is fragmented and delayed.
2. Budgetary Strain
States that previously relied on free federal assessments must now find the funds to hire private auditors. In many states, legislative budgets for the 2026 midterm cycle were finalized before the CISA cuts were announced, leaving election directors with no way to fill the security gap.
3. Frayed Trust and Reluctance to Share Data
A more subtle but damaging impact is the erosion of trust. Some state officials have expressed concern that providing data to a centralized federal agency could now carry professional or political risks. There have been reported instances where state officials declined to report foreign-linked hacking attempts to CISA, citing a lack of confidence in how the information would be handled or used.
The Outlook for the 2026 Midterm Elections
As the 2026 midterm elections approach, the election security community is operating under a significantly different framework than in 2024. While the 2024 election was hailed as the "most secure in history," experts warn that the erosion of the defenses that built that success could lead to vulnerabilities.
Foreign adversaries, including state-sponsored actors from Russia, Iran, and China, have historically ramped up probing activities during "off-year" and midterm cycles. Without the robust, federally-funded net of sensors and advisors, the detection of these probes may fall to individual counties, many of which lack even a single full-time IT security professional.
Legislative Responses
There are ongoing efforts in Congress to restore some of CISA's authorities and funding. Proposed appropriations bills for the 2026 fiscal year include language that would earmark funds specifically for the rehiring of regional advisors and the full restoration of the EI-ISAC grant. However, these bills face an uncertain path in a divided legislature focused on broader fiscal consolidation.
Frequently Asked Questions
What is the EI-ISAC, and why was its funding cut?
The Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) is a collaborative organization that helps election officials share threat data. CISA terminated its funding as part of a 2025 policy shift to reduce "non-core" federal spending and shift responsibilities to the private sector or state governments.
Are Albert sensors still operational?
Many Albert sensors remain in place, but their maintenance and the analysis of the data they produce have transitioned from a federally-funded model to a paid-service model through the Center for Internet Security. Smaller jurisdictions that cannot afford the subscription may see these sensors decommissioned.
Does CISA still offer vulnerability scanning for elections?
While CISA maintains a general cyber hygiene scanning program for critical infrastructure, its "surged" support specifically tailored for election deadlines and specific election-night systems has been significantly scaled back or folded into broader, less frequent assessments.
How can local officials get security help now?
Local officials are increasingly encouraged to work through their state's Secretary of State office or to procure services through state-level cybersecurity grants (such as the State and Local Cybersecurity Grant Program), though these funds are often oversubscribed and highly competitive.
Summary of Changes
The transformation of CISA's role in 2025 marks the end of the "proactive partnership" era of election security that followed the 2016 foreign interference attempts. By freezing operational support, defunding the EI-ISAC, and reducing its specialized workforce, the federal government has effectively transferred the burden of election defense back to the states.
While this realignment aims to focus the agency on broader national security infrastructure, it has introduced new risks for the 2026 midterms. The ability of the United States to maintain the integrity of its democratic processes will now depend more heavily on the resilience of individual state budgets and the willingness of local jurisdictions to fund their own cybersecurity defenses in the absence of a federal safety net.
-
Topic: 2024 Year in Review | CISAhttps://www.cisa.gov/about/2024YIR
-
Topic: Defending Democracy: The #PROTECT2024 Chapter in Election Infrastructure Security | CISAhttps://www.cisa.gov/news-events/news/defending-democracy-protect2024-chapter-election-infrastructure-security
-
Topic: Countdown to the Midterms: Mapping the Rapid Evolution of Election Security - Center for Democracy and Technologyhttps://cdt.org/insights/countdown-to-the-midterms-mapping-the-rapid-evolution-of-election-security/
