On July 9, 2026, the last sitting commissioners of the U.S. Election Assistance Commission (EAC) were removed, leaving the agency without the three-vote quorum it needs to act. The removal of EAC commissioners doesn’t change who runs elections in this country—states and localities do. It doesn’t switch off the machines already in service, and it does not, by itself, put this fall’s elections at risk. The EAC’s career staff can continue doing routine work: certifying voting systems against existing standards, disbursing grants, and running the clearinghouse that election offices rely on.
What a quorum-less EAC cannot do is revise its existing certification programs. And in a field where technology and the threats against it are constantly evolving, the inability to adapt is the danger. This is a structural problem intensified by the EAC's paralysis in the absence of commissioners, not a verdict on any equipment now in use.
What Still Works, and What Freezes
The distinction that matters is between operating a standard and updating one. EAC staff can continue to certify voting systems against the Voluntary Voting System Guidelines (VVSG) 2.0, the current version in force. However, without three commissioners, they cannot adopt updates, create or expand programs, or accredit and re-accredit the federal test laboratories whose authority to test expires on a schedule and must be renewed by a commissioner vote.
We have seen a version of this before. The EAC lacked a quorum from 2010 to 2015—and again from 2017 to 2019—and voting system guidelines sat frozen for a decade. Software and the people attacking it move faster now than they did even a few years ago. According to Verizon’s 2026 Data Breach Investigations Report, “31% of breaches now start with software vulnerabilities,” overtaking social engineering methods for the first time. That statistic is not a claim about election systems specifically. It’s a reminder that exploiting software vulnerabilities is becoming a more prominent path into systems in general, which is why certification programs need a way to keep pace. That shift makes it more important that products are designed, built, and maintained in accordance with security best practices that certification can recognize. A multi-year gap in the ability to revise a standard is far longer when measured by the technology it governs.
This is not an immediate cause for alarm. A static standard is not evidence that current systems are compromised. It simply means the standard may become less useful at identifying risks as technology and attack methods change. As Center for Democracy and Technology Fellow, Geoff Hale, points out, “claiming that vulnerabilities in voting systems exist is different from claiming that vulnerabilities in voting systems have been exploited.” However, another class of technology should be examined more closely.
The Part Worth Watching: Supporting Technology
The concern I keep returning to lies one layer beyond the voting machine itself. Beginning in 2021, the EAC began developing federal standards for technologies surrounding voting systems that aren’t covered by the VVSG—electronic poll books, electronic ballot delivery, election-night reporting, and voter registration systems. That effort became the Election Supporting Technology Evaluation Program (ESTEP), which commissioners unanimously approved as a permanent part of the agency in December 2023.
ESTEP’s only operational program today is the Voluntary Electronic Poll Book Certification Program, which covers the tablets and laptops—currently only the physical equipment, not the connected services they rely on—used to check voters in at the polls. That boundary may make sense for a device-centered program, but it is poorly aligned with how electronic poll books are actually deployed: as endpoints in a larger service environment. The standard is now in use across a few jurisdictions. The other three categories exist as defined program areas, not yet as running certification programs. Standing them up and revising the poll-book requirements as new risks emerge both require commissioner action. With no commissioners, that work is rendered immobile.
This immobility matters because non-voting technology is more connected than voting systems. Poll books sync voter data; ballot-delivery and reporting systems live on the public internet by design. Those are persistent security targets, which makes the ability to raise the bar over time more important, not less.
The Bind This Puts Technology Providers In
Technology providers are caught in the same freeze. Under a certification regime, a meaningful change to a product can trigger retesting. But if the underlying standard cannot be updated, re-certification can consume time and capital without necessarily moving products closer to the risks election offices actually need addressed. A certification program that is expensive to satisfy but slow to recognize meaningful security improvements can become a drag on security rather than a driver of it.
A national certification program is valuable because it can create a single trusted baseline for states, local election offices, and technology providers. That value depends on the baseline staying current. If the federal program freezes, states may reasonably look elsewhere or create their own requirements. The result is a patchwork: higher costs for providers, less consistency for election offices, and fewer incentives to invest in security improvements that do not cleanly map onto an outdated test.
What a Resilient Model Looks Like
A more resilient certification model starts from the assumption that non-voting election technology evolves continuously, so evaluation must keep pace with it. RABET-V™—a Center for Internet Security (CIS) program operated and administered by The Turnout—continuously verifies non-voting technology rather than at a single point in time. It assesses a provider’s development practices, the product’s architecture, and the product itself against a defined set of security requirements. It is designed to evolve as software and threats do. Its controls are organized in maturity levels that can be revised over time, allowing today’s advanced practices to become tomorrow’s baseline.
That design is not just more flexible; it is more efficient. Mature products with strong practices earn a lighter-touch re-check when they change, so a routine update is a routine review rather than a months-to-years-long wait. That reduces the cost and delay of maintaining certification without treating every change as equally risky. The program can also add state-specific functional testing where needed, making it adaptable without forcing every jurisdiction into a separate certification path.
Breadth matters as much as speed. RABET-V assesses not just a product in isolation but everything one hop away from it: the APIs, peripherals, and connected services it depends on. An electronic pollbook that syncs voter check-in data via an external API is assessed alongside that API. The current federal approach is narrower: it evaluates the pollbook device rather than the broader environment on which the pollbook depends.
That is why RABET-V is more than a workaround for a frozen EAC. It is a better certification architecture for modern election-supporting technology: faster to update, less costly to maintain, and more comprehensive in what it evaluates.
The Quiet Cost of a Frozen Standard
The federal certification apparatus has survived leadership gaps before, and it can survive this one. But survival is not the right benchmark. The longer the standards remain frozen, the wider the distance grows between what certification measures and where real-world risks are moving. Restoring the EAC’s ability to act should be a priority. So should replacing static, device-centered certification with models that can evolve as technology and threats do. RABET-V offers that path now.
Jared Marcotte