The Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing Act (SECURE IT Act) amends the Help America Vote Act of 2002 to require the Election Assistance Commission to oversee penetration testing as part of the testing and certification of voting system hardware and software. It also creates an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems (VDP-E) to probe for and disclose cybersecurity vulnerabilities.
The bill adds a formal accreditation pathway for penetration testers through the Director of the National Institute of Standards and Technology (NIST), with a focus on competence rather than broad lab requirements. Together, these provisions aim to standardize security testing and accelerate responsible disclosure and remediation of vulnerabilities in election technology.
At a Glance
What It Does
Not later than 180 days after enactment, the Commission must provide for penetration testing as part of voting system testing, certification, decertification, and recertification, carried out by accredited laboratories. The NIST Director will recommend entities to be accredited, and the Commission will vote on accreditation, with criteria scoped to penetration testing competence.
Who It Affects
Election system vendors, accredited testing laboratories, and the bodies that certify voting technology (EAC, NIST). State and local election officials rely on timely testing, patching, and disclosure processes to maintain secure systems.
Why It Matters
The bill creates a repeatable security testing regime and a formal vulnerability disclosure channel, reducing risk to election infrastructure and improving public trust in election results.
What This Bill Actually Does
The SECURE IT Act makes two major changes to how the United States tests and protects election technology. First, it requires the Election Assistance Commission to incorporate penetration testing into the standard testing and certification process for voting system hardware and software.
This testing must be performed by accredited laboratories, with accreditation decisions guided by the Director of the National Institute of Standards and Technology. The intent is to ensure that testing is rigorous, technically competent, and consistently applied across jurisdictions.
Second, the bill creates a five-year Independent Security Testing and Coordinated Cybersecurity Vulnerability Disclosure Pilot Program for Election Systems (VDP-E). Under this program, election system vendors may allow cybersecurity researchers to test their systems and disclose vulnerabilities under defined rules.
The program sets out procedures for vetting researchers, defining testing scopes, and requiring timely notification of vulnerabilities to vendors, the Commission, and election officials. It also lays out transition rules for patching vulnerabilities, including expedited review of patches and, in some cases, automatic certification if review is not completed within 90 days.
It specifies safe harbors and limited legal protections for researchers and vendors and clarifies that vulnerabilities disclosed under the program are exempt from certain disclosure requirements.
In sum, the SECURE IT Act seeks to institutionalize proactive security testing and responsible disclosure for election systems, tying testing to certification and enabling rapid, coordinated responses to vulnerabilities. It emphasizes accountability, traceable testing competence, and a formal mechanism for researchers to contribute to election security without triggering broad legal risk.
The Five Things You Need to Know
180-day deadline for mandatory penetration testing by EAC-accredited labs.
NIST Director will identify and certify laboratories qualified to conduct penetration testing.
Five-year Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program (VDP-E) established for election systems.
Expedited patch review: patches addressing critical/high vulnerabilities must be processed within 90 days; patches may be deemed certified if review is incomplete.
Researchers receive safe harbor protections and vulnerability disclosures are exempt from FOIA and certain anti-circumvention constraints under the program.
Section-by-Section Breakdown
Short Title and Citation
This section designates the Act as the SECURE IT Act, establishing its formal name and how it will be cited in law and in agency guidance. It sets the framing for subsequent provisions that modify the Help America Vote Act (HAVA) and related election-security authorities.
Penetration Testing Required for Voting Systems
Section 231 of HAVA is amended to add a new subsection that requires the Election Assistance Commission to provide for penetration testing as part of the testing, certification, decertification, and recertification of voting system hardware and software. The Director of NIST must recommend entities to be accredited to perform this testing, and the Commission must vote on accreditation. Accreditation must be a subset of existing laboratory accreditation requirements and will be based on the entity’s competence to conduct penetration testing. This creates a formal mechanism to ensure testing is technically robust and standardized across jurisdictions.
Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems
This section adds a new Part 7 to Subtitle D of Title II of HAVA, creating the Independent Security Testing and Coordinated Cybersecurity Vulnerability Disclosure (VDP-E) Pilot Program. The program runs for five years and enables vendors to make their election systems available to cybersecurity researchers under defined terms, including vetting researchers and agreeing on testing scope. Researchers must notify vendors, the Commission, and the Secretary of any vulnerabilities and have a 180-day confidentiality window after notification. Vendors must patch critical/high vulnerabilities and notify officials in coordination with researchers; patches that address certified systems receive expedited 90-day review, and if not completed, may be deemed certified. The program provides safe harbor for researchers under CFAA and DMCA exemptions and ensures vulnerabilities discovered there can be exempt from FOIA.
Clerical Amendment to Table of Contents
The bill adds an entry to the table of contents to reflect the new Part 7—Independent Security Testing and Coordinated Cybersecurity Vulnerability Disclosure Program for Election Systems—thereby updating the organizational structure of Subtitle D, Title II of HAVA to accommodate the new program.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- State and local election officials gain clearer, faster pathways to test and secure voting systems and to coordinate patching with vendors and researchers.
- Election system vendors benefit from defined testing and disclosure processes that can accelerate vulnerability remediation and reduce ad hoc risk.
- Accredited laboratories gain a new, clearly delineated role in performing penetration testing under a standardized accreditation framework.
- Cybersecurity researchers participating in the VDP-E gain a lawful, safe-harbor channel to test and report vulnerabilities.
- Federal coordination by EAC, DHS/CISA, and NIST improves standardization and visibility into election-system security across jurisdictions.
Who Bears the Cost
- State and local election offices face added operational requirements to deploy patches and coordinate testing timelines across multiple vendors and systems.
- Election system vendors bear costs associated with penetration testing, patch development, and participation in the VDP-E program.
- Accredited labs incur costs to obtain and maintain accreditation and to conduct testing under the new framework.
- Federal agencies incur administrative costs to run the program, vet researchers, and manage data flows and disclosures.
- Researchers may invest time and resources to participate; the program provides legal protections, but operational risk remains for complex, real-world systems.
Key Issues
The Core Tension
The central dilemma is whether a rapid, standardized testing and disclosure regime can be implemented without imposing unsustainable costs on vendors and election offices, while still preserving the flexibility needed for nuanced, real-world elections across 50 states and thousands of local jurisdictions.
The SECURE IT Act introduces powerful security mechanisms, but they rely on there being sufficient funding, clear governance, and precise implementation rules. The 180-day deadline for penetration testing implies a rapid ramp-up for testing capacity and vendor coordination.
Expedited 90-day patch reviews, with automatic certification if not completed, shift timelines and might pressure vendors to deploy patches quickly, potentially at the expense of long-term system stability or compatibility in some environments. The Vulnerability Disclosure Pilot balances researcher access with confidentiality, but the mechanics—180-day disclosure windows, patch logistics, and the scope of tested components—will need careful operational detail to avoid gaps or inconsistent practices across states.
The safe harbor and FOIA exemptions reduce risk for researchers and vendors but could limit transparency if over-applied. Delegating testing oversight to EAC, DHS/CISA, and NIST requires robust interagency coordination and funding to avoid fragmentation across jurisdictions.