RABET-V and the Election Security Landscape


The federal government has had an evolving role in cybersecurity, especially in sectors deemed critical infrastructure, such as election administration. With the ebbs and flows of federal involvement in election technology security, the election space has taken it upon itself to facilitate information sharing and a networked approach to cybersecurity support.

In February of last year, the Cybersecurity and Infrastructure Security Agency (CISA) ended its funding for the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC). While the Center for Internet Security has continued to maintain the EI-ISAC through a paid membership model, this shift has left the elections community in a difficult position. The federal government’s varying investments in election security have necessitated shifts in who does what in election security and how it is funded.

Prior to 2025, CISA made significant efforts to support election security. According to one election official’s presentation at the 2025 National Association of State Election Directors’ (NASED) conference, in 2024, CISA conducted 2,600 cyber hygiene scans per week and performed monthly penetration tests against all public election websites, enabling the remediation of dozens of critical vulnerabilities. CISA also conducted malicious domain blocking and reporting (MDBR), leveraging cyber intelligence to prevent the loading or visiting of over 50,000 malicious URLs annually. CISA froze support for all these programs in 2025, necessitating a shift in who conducts the cyber hygiene scans, penetration tests, and MDBR support for election offices.

It’s time to get more proactive. Organizations like the Center for Internet Security and the Election Security Exchange, and security programs like RABET-V, are doing more to get vital resources out to election officials. The Center for Internet Security transformed the EI-ISAC into a membership-driven organization to continue to provide many of the services previously supported by CISA. Tabletop exercises have reached a new level of popularity in the elections community. Contingency, emergency planning, and standard operating procedures have also become commonplace. Government offices are relying on their own resources and on nonprofits across the country to fill the gap left by CISA.

[Image: a midday view from a mountain overlooking several other mountains under white clouds. Caption: "How we'd like the security landscape to look" (Shutterstock)]

At The Turnout, we advocate for greater focus on a supply-chain approach to cybersecurity—ensuring that systems are built and maintained with the highest security in mind. With the Center for Internet Security, The Turnout has built and now fully operates the RABET-V program. If incorporated into procurement processes, RABET-V provides government offices with peace of mind that the software development practices, architecture, and point-in-time defenses of a system work together to secure it against known vulnerabilities and provide greater assurance that it will protect against unknown ones.

Information sharing is still important, and it’s incorporated into the RABET-V security controls, which are a combination of best practices compiled from the Center for Internet Security, the National Institute of Standards and Technology (NIST), and the Open Worldwide Application Security Project (OWASP). The Turnout, in maintaining the program, continually gathers all relevant intelligence from these highly respected organizations and incorporates it into the program's standards, so government offices that adopt RABET-V don’t have to.

Here are some incidents, based on real-world scenarios, where RABET-V could have helped:

  • A hacker gained access to the candidate portal of a Secretary of State’s office, where candidates upload information and pictures of themselves, and changed the pictures of candidates that were live on the portal three weeks before a primary election. The RABET-V program could have provided insight into potential security vulnerabilities in the login portal before the breach through its architecture and organizational assessments. The architecture assessment reviews a system’s building blocks to ensure that none of the foundational elements are easy to exploit. The organizational assessment reviews the security policies of the developing organization and identifies any weak protocols.
  • A Secretary of State’s site was hit by a cyberattack that displayed explicit content and cash app peddlers on the business registration and official elections websites, due to an issue with the website’s third-party technology provider. A RABET-V program analysis conducted before the cyberattack could have provided insight into the vulnerabilities the hackers exploited to compromise the website. The RABET-V product verification step conducts a point-in-time penetration test to check for any vulnerabilities.
  • Unusual activity was detected on a county's IT infrastructure. The incident prompted the state to shut down the county’s access to the statewide voter registration system. If RABET-V had been used prior to the cyberattack, the state would have had threat models for the software and hardware components of the system and would have mapped software bills of materials to ensure that all components adhere to security best practices.

While the RABET-V program does not guarantee that a system will not be compromised by a cyberattack, and the attacks described above may still have occurred, the program could have been used in several ways to help prevent these incidents. First, the program addresses vulnerabilities inherent to the system’s architecture. It then validates all development processes of the organization that develops the technology through the organizational assessment. This step determines whether the organization will maintain and produce secure software in the future, thereby reducing the introduction of vulnerabilities through software updates and patches. All security-centric policies, such as multi-factor authentication, are documented and regularly confirmed with the developing organization. Finally, the RABET-V program provides live threat monitoring to all participating technology providers.

RABET-V re-tests products as their software changes, but only performs the assessments necessary, given the scope of the change. This reduces costs over time for technology providers, as assessment costs scale down with fewer changes. The program also offers a discount for states that develop their own technology in-house.

With so much changing in the development and security spaces, including the rapid advances in AI, RABET-V is a program that can be relied on to bolster a proactive cybersecurity approach. If you have any questions or would like to discuss applying this program in your office or company, please reach out to us at team@rabetv.org.

AI Usage Statement: AI-assisted editing via Grammarly
