Planning insights from the Election Security Exchange

Planning Desk, Week E-29: Respond Smarter with All-Hazards Planning

Election security and resilience demand preparedness, and that includes understanding your responsibilities during an incident and taking action with confidence. Having an Incident Response Plan that defines those roles and steps can significantly limit the damage from a cyber, operational, or physical incident and improve your recovery from it.

The incident response process boils down to four phases:

  1. Preparation – Have a plan in place. Define who is in charge, and identify roles and responsibilities. No one can build an effective response plan in the middle of an emergency.
  2. Detection and Analysis – Determine if an incident has occurred and what type (cyber, operational, or physical), and assess its ability to impact your operations.
  3. Containment, Eradication, and Recovery – Stop the effects to prevent further damage, understand what caused the incident, clean up the cause, and then restore functions. While incredibly important for cyber events, this can apply to operational and physical events as well.
  4. Post-Incident Activity – Improve security with a lessons-learned review after full recovery from an incident.

In the coming weeks, we’ll break down these phases into manageable, easy-to-understand steps. Today is the first step: 

Rethink your approach to incident response planning.

Your plan should explain how to handle any kind of emergency, no matter what causes it. Instead of being overwhelmed by creating a different set of steps for every possible incident, take the all-hazards approach. It prepares you to deal with a wide range of threats – cyber, operational, or physical – using one plan, and it relies on the following core principles:

  • Unified Planning – Build a flexible emergency response plan that can be adapted to various incidents.
  • Capability-Based – Focus on developing core response capabilities (e.g., communication, coordination, resource management) that apply across scenarios. 
  • Efficiency and Resilience – Promote resource-sharing, cross-training, and partner engagement to strengthen overall preparedness. 
  • Scalability – Enable response efforts to expand or contract based on the severity and nature of the event.

In future editions, we’ll cover the incident response steps above and offer scenarios that can help you rethink your approach. While every incident is different, an Incident Response Plan that includes basic steps that apply everywhere, along with some detailed thinking about the most likely or most damaging incidents, should help you respond successfully when a security problem comes up.

All jurisdictions should regularly revisit their incident response plan with their core team and security partners who will assist in the actual response and recovery. (Think Election Security Working Group!) Encourage your team and partners to subscribe to this newsletter to assist in identifying good practices for your jurisdiction as you update your incident response plan in advance of the 2026 general election.


The Planning Desk is a running timeline of key election security tasks. You can find prior editions in the newsletter archive.