SEF Control Domains
25 security domains across 7 control groups — a comprehensive framework built specifically for election offices.
Governance & Program Management
3 domains
Defines the overall security strategy, policies, roles, and governance structure that enable all other control domains.
Ensures personnel understand security responsibilities through role-based training, phishing simulations, and ongoing awareness programs.
Evaluates and monitors the security posture of vendors, suppliers, and service providers that access or process organizational data.
Asset & Inventory Management
3 domains
Maintains a comprehensive inventory of hardware and software assets, tracking ownership, lifecycle, and classification throughout the organization.
Establishes and enforces secure baseline configurations for systems, devices, and applications, controlling changes through formal processes.
Governs the acquisition, deployment, monitoring, and risk management of AI and machine learning systems, including model integrity and output validation.
Identity & Access Management
2 domains
Manages the full lifecycle of user accounts — provisioning, authentication, privilege assignment, and deprovisioning — enforcing least privilege and separation of duties.
Controls and regularly reviews permissions to systems, data, and functions, ensuring access remains appropriate and aligned to job responsibilities.
Infrastructure & Systems Protection
5 domains
Protects network infrastructure through segmentation, firewall management, encrypted communications, and monitoring of traffic for anomalies.
Protects sensitive data at rest, in transit, and in use through encryption, classification, data loss prevention, and retention controls.
Defends messaging channels against phishing, spoofing, and malicious attachments using filtering, authentication protocols (SPF, DKIM, DMARC), and user controls.
Deploys and manages anti-malware, endpoint detection and response (EDR), and host-based controls to prevent, detect, and contain malicious software.
Controls physical access to facilities, equipment, and sensitive areas, and protects against environmental threats such as power loss, fire, and natural disaster.
Election Systems Security
5 domains
Ensures the physical and logical integrity of voting equipment, tabulators, and associated devices through tamper controls, chain-of-custody procedures, and pre/post-election testing.
Manages the integrity, version control, and testing of election management systems and voting software, including logic and accuracy testing and hash verification.
Protects the accuracy and traceability of voter data, ballot records, and results reporting, ensuring audit trails support post-election review and certification.
Controls physical access to polling locations, secures ballot materials and equipment against tampering or theft, manages credentialing of election workers and observers, and establishes emergency procedures for election-day incidents.
Secures temporary and permanent network infrastructure deployed at polling sites, including wireless access controls, network isolation of voting systems, encrypted transmission of results, and monitoring for unauthorized devices or connections.
Detection, Response & Recovery
4 domains
Collects, aggregates, and analyzes security events across systems to detect threats, support investigations, and maintain audit records.
Defines and executes procedures for identifying, containing, eradicating, and recovering from security incidents, including communication and post-incident review.
Ensures critical data and systems can be restored following disruption through tested backup procedures, recovery time objectives, and business continuity planning.
Continuously identifies, prioritizes, and remediates vulnerabilities in systems and software through scanning, patch management, and risk-based remediation workflows.
Security Assurance & Application Security
3 domains
Integrates security throughout the software development lifecycle, including secure coding standards, code review, dependency management, and runtime protections.
Validates security controls through penetration testing, red team exercises, security assessments, and compliance audits to identify gaps before adversaries do.
Tracks regulatory obligations, maps controls to frameworks (NIST, CIS, CISA), and maintains a risk register to ensure continuous compliance and executive visibility.