Election Cybersecurity in Florida: Protecting Voting Systems
Florida operates one of the largest and most scrutinized election systems in the United States, with 67 county Supervisors of Elections managing voter registration databases, voting equipment, and results reporting infrastructure for more than 14 million registered voters (Florida Division of Elections). The cybersecurity posture of this infrastructure is governed by a layered framework of federal mandates, state statutes, and operational standards enforced through both the Florida Department of State and the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This page covers the classification of election systems as critical infrastructure, the regulatory and technical standards that apply, and the operational boundaries that determine which entities and threat scenarios fall within Florida's election cybersecurity framework.
Definition and scope
Election cybersecurity refers to the set of technical controls, administrative policies, physical safeguards, and incident response protocols applied to systems that support the conduct of elections — including voter registration platforms, election management systems (EMS), voting equipment firmware, pollbook devices, and results tabulation and reporting networks.
In Florida, election infrastructure is classified as a subset of the Government Facilities Sector, a critical infrastructure category designated under Presidential Policy Directive 21 (PPD-21). CISA, through its Election Security Initiative, provides baseline threat assessments and coordinates with the Florida Division of Elections under the U.S. Department of Homeland Security framework.
Florida statute § 101.015 grants the Florida Department of State authority to adopt minimum security standards for voting systems. Voting systems must also satisfy certification requirements under Florida Administrative Code Rule 1S-5.001, which incorporates federal voluntary voting system guidelines issued by the Election Assistance Commission (EAC).
Scope limitations: This page covers Florida-specific statutory requirements, state agency jurisdiction, and county-level operational obligations. Federal election law administered exclusively by the EAC or the Federal Election Commission (FEC) — including campaign finance cybersecurity — falls outside this page's scope. Private campaign infrastructure, national party networks, and federal contractor systems are not covered by Florida's election security statutes and are not addressed here. Readers seeking broader Florida cybersecurity regulatory context should consult Regulatory Context for Florida Cybersecurity.
How it works
Florida's election cybersecurity operates through four discrete phases aligned with the election calendar:
-
Pre-election system hardening — County Supervisors of Elections submit voting system configurations for testing by certified independent laboratories approved under EAC's Voting System Test Laboratory Program. Florida statute § 101.5605 requires that no voting system be used in an election unless it has received state certification. Network segmentation standards require that tabulation systems not be connected to the public internet during any phase of active election operation.
-
Voter registration database security — The Florida Voter Registration System (FVRS), administered by the Division of Elections, operates under access control policies aligned with NIST SP 800-53 controls for federal and state data systems. Role-based access is enforced across all 67 county supervisor offices, and audit logging is mandatory.
-
Election Day operational monitoring — CISA's Election Infrastructure Information Sharing and Analysis Center (EI-ISAC), operated by the Center for Internet Security (CIS), provides real-time threat intelligence feeds to participating county election offices. Florida counties can enroll in the Albert Network Monitoring sensor program, which detects anomalous network activity at election office perimeters.
-
Post-election audit and reporting — Florida law § 101.591 mandates post-election audits using a statistically valid sample of ballots to verify tabulation system integrity. Any discrepancy between electronic records and physical ballot counts triggers escalated review under Division of Elections protocols.
The Florida Department of Management Services — whose broader cybersecurity role is described at Florida Department of Management Services Cybersecurity — provides shared security services infrastructure that county election offices may utilize for connectivity and incident support.
Common scenarios
Election cybersecurity incidents and threat vectors in Florida fall into three classification categories:
Targeting voter registration infrastructure: The most operationally consequential attack surface is the voter registration database. In 2016, the Florida Division of Elections confirmed that a vendor connected to voter registration systems experienced a network intrusion, later attributed to foreign state actors by U.S. Senate Intelligence Committee findings published in 2019. Unauthorized access to registration data does not alter vote tallies but can create voter suppression conditions at polling locations.
Social engineering and phishing against election staff: County election offices are targeted through spearphishing campaigns designed to harvest credentials for election management system access. The EI-ISAC reported that phishing remains the primary initial access vector for election office incidents nationally. Florida-specific phishing threat patterns are catalogued through the Florida Social Engineering and Phishing Threats reference.
Disinformation operations targeting results reporting: Threat actors have attempted to publish fraudulent or premature election results through spoofed websites mimicking official county results portals. Florida's Division of Elections maintains an official results reporting URL hierarchy through the Florida Election Night Reporting (ENR) system, and CISA issues public advisories identifying fraudulent domains during active election periods.
Ransomware pre-positioning: Florida county government networks — which house election office infrastructure — represent targets for ransomware actors who may pre-position access months before an election. The Florida Ransomware Threats reference covers the broader ransomware landscape across Florida government entities.
Decision boundaries
Understanding which framework applies to a given election cybersecurity situation requires distinguishing between overlapping federal and state jurisdictions, as well as between covered and non-covered systems.
Federal vs. state jurisdiction:
| Dimension | Federal Authority | Florida State Authority |
|---|---|---|
| Voting system certification baseline | EAC Voluntary Voting System Guidelines (VVSG 2.0) | Florida Department of State, Rule 1S-5.001 |
| Threat intelligence sharing | CISA / EI-ISAC | Division of Elections coordination |
| Incident response lead | CISA (upon state request) | Florida Division of Elections / FDLE |
| Audit requirements | No federal mandate for state elections | § 101.591, mandatory post-election audit |
| Voter registration database | Help America Vote Act (HAVA) baseline | FVRS, administered by Division of Elections |
Covered systems vs. non-covered systems:
Florida's election security statutes apply to systems operated by or directly contracted to county Supervisors of Elections and the Division of Elections. Campaign websites, political party databases, ballot initiative campaign networks, and voting equipment manufactured but not certified under Rule 1S-5.001 fall outside statutory coverage. Third-party vendors providing services to election offices must satisfy contractual security requirements but are not directly regulated under election cybersecurity law — their risk management falls under broader Florida vendor risk frameworks referenced at Florida Vendor Third-Party Cybersecurity Risk.
County autonomy vs. state mandate:
Florida's 67 county Supervisors of Elections are constitutionally independent officers under Article VIII of the Florida Constitution. State minimum security standards are mandatory, but counties retain discretion over security investments beyond the statutory floor. This creates a heterogeneous security posture across the state, with larger counties such as Miami-Dade, Broward, and Palm Beach implementing more extensive monitoring infrastructure than smaller rural counties operating on constrained budgets.
The Florida Election Cybersecurity reference on this network provides sector-specific detail on threat actor profiles and county-level preparedness disparities. Professionals seeking the full landscape of Florida's cybersecurity sector — including workforce, incident response, and regulatory frameworks — should start with the Florida Security Authority index.
References
- Florida Division of Elections — Florida Department of State
- Florida Statute § 101.015 — Voting System Standards
- Florida Statute § 101.5605 — Voting System Certification
- Florida Statute § 101.591 — Post-Election Audits
- Florida Administrative Code Rule 1S-5.001 — Voting System Certification Standards
- CISA Election Security Initiative
- EI-ISAC — Election Infrastructure Information Sharing and Analysis Center (Center for Internet Security)
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls for Information Systems
- U.S. Election Assistance Commission — Voluntary Voting System Guidelines (VVSG 2.0)
- Presidential Policy Directive 21 (PPD-21) — Critical Infrastructure Security and Resilience
- [U.S. Senate Intelligence Committee — Russian Active Measures Campaigns and Interference in the 2016 U.S. Election,