Full Report
The Trump administration’s abrupt firing of Election Assistance Commission commissioners last week and a Department of Justice warning threatening states with criminal prosecution have created new legal peril for officials who run, administer and secure elections. The EAC is an obscure but important agency that oversees testing and standards for voting machines, including around security. While federal certification is…
Analysis Summary
# Regulation/Compliance: Federal Voting System Standards & EAC Oversight
## Overview
This compliance landscape concerns the federal standards for testing and certifying voting system hardware and software. While federal certification has traditionally been the benchmark for election security, the recent dismissal of the Election Assistance Commission (EAC) leadership and new DOJ legal warnings have shifted the burden of security validation toward individual state authorities.
## Key Details
- **Issuing Authority:** U.S. Election Assistance Commission (EAC) / Department of Justice (DOJ)
- **Effective Date:** Ongoing; major leadership disruption occurred July 10, 2026
- **Jurisdiction:** United States (Federal and State Election Officials)
- **Status:** In Effect (In a state of administrative transition)
## Requirements
### Mandatory Requirements
1. **State-Level Validation:** In the absence of a fully functional EAC, state officials must now independently verify that voting machines meet local security standards.
2. **DOJ Compliance:** Election officials must comply with Department of Justice directives regarding the administration of elections or face potential criminal investigation.
3. **Chain of Custody:** Maintenance of rigorous physical and digital security for voting equipment to prevent unauthorized access.
### Recommended Practices
1. **Voluntary Federal Certification:** Transitioning to machines that have previously received EAC certification (though oversight is currently diminished).
2. **Independent Third-Party Auditing:** Hiring private cybersecurity firms to replace the "stamp of approval" previously provided by the EAC.
3. **State Defense Networks:** Collaborative information sharing between states to identify common threats in the absence of federal support.
## Affected Organizations
- **Industries:** Government (State and Local Election Boards), Voting Machine Manufacturers.
- **Organization Size:** All jurisdictions responsible for election administration.
- **Geographic Scope:** United States (All 50 states and territories).
## Compliance Timeline
- **July 10, 2026:** Firing of EAC Commissioners; loss of a functional quorum for new federal certifications.
- **Immediate:** DOJ warnings regarding criminal prosecution for election administration irregularities take effect.
- **November 2026 (General Election):** Critical deadline for states to have validated security protocols in place.
## Implementation Guidance
### Assessment Phase
- **Gap Analysis:** Evaluate the security of current voting machinery without relying solely on existing federal certifications.
- **Legal Review:** Counsel should review recent DOJ warnings to ensure administrative procedures do not trigger criminal liability.
### Implementation Phase
- **State-Led Testing:** Establish state-run labs or partnerships with universities (e.g., McCrary Institute) to test equipment.
- **Procurement Reform:** Update purchasing contracts to require vendor transparency and independent security audits.
### Validation Phase
- **Post-Election Audits:** Implement robust paper-trail audits to verify digital tallies.
- **Penetration Testing:** Conduct vulnerability assessments on voter registration databases and polling place equipment.
## Technical Requirements
- **VVSG Alignment:** Adherence to the Voluntary Voting System Guidelines (VVSG) for hardware integrity.
- **Encryption:** Requirements for data-at-rest and data-in-transit for election results.
- **Multi-Factor Authentication (MFA):** Mandatory for all election officials accessing central tabulating systems.
## Penalties & Enforcement
- **Fines:** Potential civil penalties for failure to protect voter data.
- **Other Consequences:** Loss of public trust; potential decertification of election results.
- **Enforcement:** The DOJ has explicitly threatened **criminal prosecution** for officials found in violation of federal election laws or security mandates.
## Related Standards
- **NIST SP 800-53:** Often used as the baseline for the EAC’s security frameworks.
- **VVSG 2.0:** The latest iteration of voting standards (currently at risk due to EAC leadership vacancies).
## Resources
- **Official Documentation:** [eac[.]gov] / [justice[.]gov]
- **Guidance Documents:** Cybersecurity and Infrastructure Security Agency (CISA) Election Security Toolkit.
- **Tools:** EI-ISAC (Elections Infrastructure Information Sharing and Analysis Center).
## Practical Recommendations
- **Decentralize Security:** States should not wait for federal guidance; they must build autonomous "defense networks."
- **Budgeting:** Reallocate funds to cover the costs of independent security testing previously subsidized by federal oversight.
- **Documentation:** Maintain meticulous records of security decisions to defend against DOJ scrutiny.