TITLE 26: ELECTIONS
CHAPTER I: STATE BOARD OF ELECTIONS
PART 410 CERTIFICATION OF COMPUTER-BASED VOTER REGISTRATION SYSTEMS


Section 410.10 General Provisions

Section 410.20 Definitions

Section 410.30 Requirements for the Use of Computer-Based Voter Registration Systems

Section 410.40 Procedure for Certification

Section 410.50 Security of Data in Transit

Section 410.60 Recertification

Section 410.70 Required Notifications to the Board and Procedures Following Security Breach

Section 410.80 Revocation of Access to the Statewide Database; Decertification

Section 410.90 Approval After Decertification and Revocation

Section 410.100 Consolidation of Certification Process

Section 410.110 Contents of Certification Standards

Section 410.120 Blackout Periods


AUTHORITY: Implementing Sections 4-33, 5-43, and 6-79 of the Election Code and authorized by Section 1A-8(9) of the Election Code [10 ILCS 5].


SOURCE: Adopted at 50 Ill. Reg. 159, effective December 17, 2025.

 

Section 410.10  General Provisions

 

This Part implements Sections 4-33, 5-43, and 6-79 of the Election Code [10 ILCS 5] which require that the State Board of Elections shall certify that the system used by the election authority complies with the standards set forth in the respective Section of the Code. [10 ILCS 5/4-33(d); 5-43(d); 6-79(d)] A computer-based voter registration system will not have access to the statewide voter registration system unless it is certified in accordance with this Part.

 

Section 410.20  Definitions 

 

As used in this Part:

 

"Board" means the Illinois State Board of Elections.

 

"Code" means the Election Code [10 ILCS 5].

 

"Computer-Based Voter Registration System" or "system" means a system developed pursuant to Code Section 4-33, 5-43, or 6-79 that is capable of aggregating, storing, or sharing a computer-based voter registration file, including, but not limited to, a system used to transfer, store, or reproduce a registrant's signature image.  "Computer-based voter registration system" does not include a system or vendor-provided service that performs election administration functions for the Board under a contract with the State or federal government.  "Computer-based voter registration system" includes systems that connect to the statewide database, including, but not limited to, voter registration portals and databases, but does not include electronic ballot delivery services, e-pollbooks, election night reporting systems, or other technologies certified under 26 Ill. Adm. Code 204.

 

"Computer-Based Voter Registration System Certification Standards" or "Certification Standards" means the technical and processing requirements for the approval of computer-based voter registration systems that are developed by the staff of the State Board of Elections and published on the Board website.

 

"Security Breach" means unauthorized access, modification, or acquisition of computerized data that compromises the security, confidentiality, or integrity of voter registration data maintained by the election authority or within the computer-based voter registration system.  "Security breach" includes unauthorized access to a system's network of remote servers that store and deliver data, applications, and services over the internet.

 

"Statewide Voter Registration Database" or "statewide database" means the centralized statewide voter registration list created and maintained by the Board in accordance with Code Section 1A-25.

 

"Vendor" means any individual, company, or manufacturer contracting to supply a computer-based or voter registration system, system component, or support of the system.

 

Section 410.30  Requirements for the Use of Computer-Based Voter Registration Systems

 

The Board will not certify a computer-based voter registration system for use under Code Section 4-33, 5-43, or 6-79 unless the system meets the requirements set forth in the applicable Section and:

 

a)         the computer-based voter registration system securely transmits required data in the manner outlined in the certification standards;

 

b)         the computer-based voter registration system is capable of securely connecting to the Illinois Century Network;

 

c)         the computer-based voter registration system meets minimum access and control standards for data security set forth in the certification standards, including, but not limited to, mandated use of multi-factor authentication; and

 

d)         the applicable procedures for approval under this Part have been completed.

 

Section 410.40  Procedure for Certification

 

The Board will certify and allow access to the statewide voter registration database by a computer-based voter registration system in accordance with the following procedures:

 

a)         For a computer-based voter registration system that has never been certified for access to the statewide voter registration database:

 

1)         No later than 180 days before the first election the election authority anticipates using the computer-based voter registration system, the election authority shall inform Board staff in writing of its intent to begin using the computer-based voter registration system and the date the election authority intends to begin using the computer-based voter registration system.

 

2)         After receiving notice from the election authority of its intent to begin using the computer-based voter registration system, Board staff will assess whether the computer-based voter registration system meets the certification standards.

 

3)         As soon as practical, but not later than 60 days after the successful completion of each item of the certification standards verification process, Board staff will report at a regular meeting of the Board that the computer-based voter registration system has successfully demonstrated that it meets the certification standards.

 

4)         No later than one week following the Board meeting at which the report of the successful completion of the certification standards verification process was included on the Board meeting agenda, the computer-based voter registration system will be granted access to the statewide database in accordance with its use by the election authority identified in subsection (a)(1).

 

5)         At the Board meeting before each consolidated, primary, or general election, Board staff will give a report of any outstanding certifications and of any notifications that were received by the Board after the deadline under subsection (a)(1) of 180 days before the election. The report of the Board staff will include information about the progress of the certification standards verification process, and it may include recommendations concerning whether to allow the use of the computer-based voter registration system on a limited basis. After considering the report of the Board staff and any other documentation or statements provided at the meeting, the Board may allow the use of a computer-based voter registration system on a limited basis if, in the totality of the circumstances, doing so would be in the public interest. Any access to the statewide database given under this subsection (a)(5) will be revoked 60 days following the proclamation of the results of the election, unless the procedures outlined in subsection (a)(2) through (a)(4) are met.

 

b)         For a computer-based voter registration system that has been certified by the Board for use by another election authority:

 

1)         The election authority seeking to use a computer-based voter registration system shall inform Board staff in writing of its intent to begin using the computer-based voter registration system and the date of the election authority's intended transition thereto.

 

2)         After receiving notice from the election authority of its intent to use the computer-based voter registration system, Board staff will assess whether the form and type of data submitted to the statewide database through the new computer-based voter registration system conforms with the data previously submitted to the statewide database via the previous system used by the election authority. Board staff will evaluate and confirm the type and form of data submitted through previous data transmissions and will confirm that the type and form of data transferred via the new system will meet requirements of the Code and this Part.  Board staff may recommend processes and procedures to optimize the continuity of services during the transition to the new system.

 

3)         The certification standards verification process need not be completed for a computer-based voter registration system seeking access to the statewide database under this subsection (b) unless there is a change to the signature capture method or storage. In those cases, the vendor of the computer-based voter registration system must complete the portion of the certification standards verification process pertaining to the signature digital application.

 

4)         The election authority may use the computer-based voter registration system to access the statewide database upon receiving notice from the Board that the evaluation required by this subsection (b) has been successfully completed. Board staff will notify the Board at its next regular meeting of the expansion of the use of the previously approved computer-based voter registration system.

 

c)         A computer-based voter registration system in use and/or accessing the statewide database on February 9, 2026 is required to complete the certification standards verification process before July 31, 2026.

 

1)         Board staff will notify each election authority using a computer-based voter registration system of this requirement no later than February 9, 2026.

 

2)         Board staff will proceed to assess whether the computer-based voter registration system meets the requirements of the Code and this Part by completing the certification standards verification process of this Section.

 

3)         At the first regular Board meeting following the 180-day deadline set forth in this subsection (c), Board staff will submit a report that:

 

A)        certifies the computer-based voter registration systems that have successfully completed the certification standards verification process of this Section; and

 

B)        includes a list of computer-based voter registration systems that have not met the requirements of this subsection (c) and the election authorities that use those systems.

 

4)         At the meeting at which the report under subsection (c)(3) was made, the Board, after listening to oral statements and considering written documentation submitted and determining that the totality of the circumstances warrant an extension, will extend the 180-day deadline for an additional 60 days.  At the first regular Board meeting following this extension, Board staff will submit a report that:

 

A)        certifies the computer-based voter registration systems that have successfully completed the certification standards verification process of this Section within the extension window; and

 

B)        includes a list of computer-based voter registration systems that have not met the requirements of this subsection (c) within the extended timeframe and the election authorities that use those systems.

 

5)         No later than one week following the Board meeting at which the report required by subsection (c)(3), or subsection (c)(4) if an extension is granted, was presented, Board staff will revoke access to the statewide database for each computer-based voter registration system that has not successfully completed the certification standards verification process as required.

 

6)         Board staff will immediately restore any access revoked under this subsection (c) upon the successful completion of the certification standards verification process of this Section. Board staff will report any restoration under this subsection (c)(6) at the next regular meeting of the Board.

 

Section 410.50  Security of Data in Transit

 

The Board will ensure that data is protected in transit between the computer-based voter registration system and the statewide database. Election authorities are responsible for securing data while it is within their local systems and while it is in transit to and from and otherwise held by entities other than the Board.

 

Section 410.60  Recertification

 

a)         To continue to be certified for use under Code Section 4-33, 5-43, or 6-79, a computer-based voter registration system must successfully be found by Board staff and reported at a meeting of the Board that the system meets the certification standards:

 

1)         before December 31, 2027, and before December 31 of every odd-numbered year thereafter; and

 

2)         within 90 days after a material change to the functionality, capability, reliability, or operation of the computer-based voter registration system that would impact the requirements noted in the certification standards.

 

b)         The Board may stay any deadlines provided in subsection (a) that fall within 45 days of an election until 60 days after the proclamation of the results of the election, if doing so would be in the public interest.

 

c)         At the first regular Board meeting following the deadlines set forth in this Section, Board staff will submit a report that:

 

1)         certifies the computer-based voter registration systems that have successfully completed the certification standards verification process; and

 

2)         includes a list of computer-based voter registration systems that have not met the requirements of this Part.

 

d)         At the meeting at which the report under subsection (c) is made, the Board, after hearing statements and reviewing any documentation submitted and determining that the totality of the circumstances warrant an extension, may extend the deadline an additional 60 days. At the first regular Board meeting following this extension, Board staff will submit a report that:

 

1)         certifies the computer-based voter registration systems that have successfully completed the certification standards verification process within the extension window; and

 

2)         includes a list of computer-based voter registration systems that have not met the requirements of this Part within the extended timeframe and the election authorities that use those systems.

 

e)         No later than one week following the Board meeting at which the report required by subsection (c) or subsection (d) was presented, Board staff will revoke access to the statewide database for each computer-based voter registration system that has not successfully completed the certification standards verification process as required by this Section.

 

f)          Board staff will immediately restore any access revoked under subsection (e) upon the successful completion of the certification standards verification process required by this Section. Board staff will report any restoration under this subsection (f) at the next regular meeting of the Board.

 

Section 410.70  Required Notifications to the Board and Procedures Following Security Breach

 

a)         Notwithstanding any other provision of law, every election authority and vendor is required to notify the Board:

 

1)         as soon as practicable, but in no case more than 5 business days, following the discovery of any security breach in the computer-based voter registration system that subjects voter registration data to unlawful access; or

 

2)         as soon as practicable, but in no case more than 30 days, following the implementation of a material change to the functionality, capability, reliability, or operation of the computer-based voter registration system.

 

b)         A notification of a security breach under subsection (a)(1) may be made jointly by the election authority and vendor but must be accompanied by:

 

1)         a complete timeline of events including when the security breach began, when the security breach was discovered, and the steps taken to address it; and

 

2)         detailed documentation that identifies the systems and data affected and allows for identification of the root causes of the security breach.

 

c)         Following a security breach in the computer-based voter registration system, Board staff will analyze the circumstances surrounding the security breach and make recommendations to the election authority and to the computer-based voter registration system vendor for the mitigation of future risk, including, but not limited to, bringing the computer-based voter registration system into compliance with any additional requirements of the certification standards verification process that have been added since the most recent certification of the computer-based voter registration system.

 

Section 410.80  Revocation of Access to the Statewide Database; Decertification

 

a)         In the case of an immediate threat to the security of voter data, Board staff may immediately revoke access to the statewide database without notice. The Board will give notice of the revocation to an affected election authority as soon as practicable and will restore access to the statewide database as quickly as feasible following a revocation under this subsection (a). 

 

b)         Board staff will immediately revoke the access granted to the statewide database on a limited basis under Section 410.40(a)(5) if the procedures outlined in Section 410.40(a)(2) through (a)(4) are not met within 60 days following the proclamation of the results of the applicable election under Section 410.40(a)(5). Access to the statewide database will be restored upon the successful completion of the certification procedures outlined in Section 410.40(a)(2) through (a)(4).

 

c)         A computer-based voter registration system may be decertified under this Part and access to the statewide database by the decertified computer-based voter registration system may be revoked by Board staff if:

 

1)         the election authority or computer-based voter registration system vendor fails to implement the risk mitigation recommendations made under Section 410.70(c) within 90 days of being sent notice of the risk mitigation recommendations;  

 

2)         the election authority or computer-based voter registration system vendor makes a material misrepresentation to the Board concerning the system or during the certification standards verification process; or

 

3)         the election authority or computer-based voter registration system vendor fails to provide notification to the Board as required by Section 410.70(a) or impedes the ability of Board staff to analyze the circumstances surrounding a security breach and make recommendations for the mitigation of future risk as set forth in Section 410.70(c).

 

d)         The Board will follow the below procedure before access to the statewide database is revoked for a reason listed in subsection (c):

 

1)         The Board will send notice of its intent to consider a revocation of access to the statewide database to each affected election authority and to the computer-based voter registration system via first-class mail and email, if an email address is available, at least 30 days prior to the Board meeting to consider the revocation. 

 

2)         At the Board meeting at which revocation under this subsection (d) is considered, the Board will consider any statements or documentation it deems relevant. The Board will vote to revoke access, allow continued access, or continue the matter until the next regular Board meeting. 

 

3)         If the Board votes to revoke access under subsection (d)(2) or does not vote to allow continued access at its next regular meeting following a continuance granted under that subsection, within 7 days after the Board meeting, Board staff will revoke access to the statewide database for the computer-based voter registration system.

 

Section 410.90  Approval After Decertification and Revocation

 

a)         Following revocation of access to the statewide database under Section 410.80(d), a computer-based voter registration system will not be granted access to the statewide database again until the applicable procedures under Section 410.40(a) are completed.

 

b)         The Board, if it determines that the totality of the circumstances warrant such action after considering presented statements or documentation, or both, may waive individual components of the certification standards verification process at the time it votes to revoke access to the statewide database or at a meeting following the revocation of access.

 

Section 410.100  Consolidation of Certification Process

 

If more than one election authority uses or seeks to use a computer-based voter registration system, Board staff will consolidate, with respect to the system vendor, any certification standards verification processes required by this Part.

 

Section 410.110  Contents of Certification Standards

 

The computer-based voter registration system certification standards will be developed by SBE in consultation with federal recommendations, election and cybersecurity industry standards, and statutory requirements. The certification standards will reflect the requirements of Code Sections 4-33, 5-43, and 6-79 and set forth, at a minimum, the following:

 

a)         minimum data storage/retention standards;

 

b)         minimum security standards surrounding data access and dissemination;

 

c)         requirements concerning connectivity to the statewide database; and

 

d)         data format requirements.

 

Section 410.120  Blackout Periods

 

Board staff may identify blackout periods throughout the year during which the Board will not engage in certification standards verification processes absent extraordinary circumstances. Any blackout periods will be published on the Board website.