State election officials with whom GAO spoke were generally satisfied with CISA's support to secure their election infrastructure. Specifically, officials from seven of the eight states GAO contacted said that they were very satisfied with CISA's election-related work. Also, officials from each of the eight states spoke positively about the information that they received from the EI-ISAC. Further, officials from five states told GAO that their relationship with CISA had improved markedly since 2017 and spoke highly of CISA's expertise and availability.
To guide its support to states and local election jurisdictions for the 2020 elections, CISA reported that it is developing strategic and operations plans. CISA intended to finalize them by January 2020, but has faced challenges in its planning efforts due to a reorganization within CISA, among other things. In the absence of completed plans, CISA is not well-positioned to execute a nationwide strategy for securing election infrastructure prior to the start of the 2020 election cycle. Further, CISA's operations plan may not fully address all aspects outlined in its strategic plan, when finalized. Specifically, according to CISA officials, the operations plan is expected to identify organizational functions, processes, and resources for certain elements of two of the four strategic plan's lines of effort — protecting election infrastructure, and sharing intelligence and identifying threats. CISA officials stated that CISA was unlikely to develop additional operations plans for the other two lines of effort — providing security assistance to political campaigns, and raising public awareness on foreign influence threats and building resilience.
Moreover, CISA has not developed plans for how it will address challenges, such as concerns about incident response, identified in two reviews — one conducted by CISA and the other done by an external entity under contract — of the agency's 2018 election security assistance. Challenges that the reviews identified include:
inadequate tailoring of services, which could have made it more difficult for CISA to meet the resource and time constraints of customers such as local election jurisdictions;
not always providing actionable recommendations in DHS classified threat briefings or making unclassified versions of the briefings available, which may have hindered election officials' ability to effectively communicate with information technology and other personnel in their agencies who did not have clearances;
the inability of CISA personnel supporting election security operations to access social media websites from situational awareness rooms, which hindered their collection and analysis of threat information;
few capabilities that CISA field staff could quickly provide on Election Day, which could limit the agency's timeliness in responding to an incident; and
a lack of clarity regarding CISA's incident response capabilities in the event of a compromise that exhausts state and local resources, which may limit knowledge about agency capabilities that are available.
Although CISA officials said that the challenges identified in the reviews have informed their strategic and operational planning, without finalized plans it is unknown whether CISA will address these challenges.