Certificate 3: Penetration Testing & Cyber Verification of Election Systems
This certificate provides practical understanding of adversarial testing and how to evaluate cybersecurity verification results.
ESAVA Educator
You'll be notified when this class opens for registration.
Program Features
- Online
- Interactive LMS Content
- Blockchain-based Certificate
Program Features
- Online
- Interactive LMS Content
- Blockchain-based Certificate
Description
This certificate provides practical understanding of adversarial testing and how to evaluate cybersecurity verification results.
Who It’s For
- Cybersecurity practitioners
- Certification staff
- Election security leads
- Oversight professionals reviewing test results
Core Modules
- Penetration testing fundamentals
- Red team vs blue team models in election systems
- Scoping and rules of engagement
- Pre-certification vs pre-election testing
- Reading and interpreting penetration test reports
- Vulnerability severity, remediation, and retesting
Federal Grant Eligibility
This certificate supports compliance with NDAA FY2025 §6805, which amends the Help America Vote Act of 2002 (HAVA) to require penetration testing as part of federal voting-system certification. Tuition is an allowable use of HAVA Election Security Grant funds (Title I §101) when the learner is an election official, election IT staff member, auditor, or contractor supporting the certification or operation of voting systems.
Individual and group enrollment receipts include the line items, learner roster, and completion record most state EAC sub-grant offices require for reimbursement. State Homeland Security Grant Program (SHSGP) election-security set-asides and state-level election security grants are also commonly used to fund ESAVA enrollment.
Directly maps to §6805's penetration-testing mandate. Eligible for any §6805-specific implementation funds your state has earmarked, in addition to the HAVA §101 base eligibility.
Need help routing payment through your state's HAVA pipeline? Use Request Grant-Funded Enrollment and we will provide a justification memo, scope-of-training letter, and W-9 sized to your state's reimbursement form.
Program Syllabus
Syllabus / Topics Covered
Module 1 – Penetration Testing Fundamentals
- Engagement scoping and rules of engagement for election systems
- Threat-led versus compliance-led testing
- Legal authorities and researcher safe harbor
- Reporting expectations under EAC acceptance criteria
Module 2 – Hardware and Firmware Testing
- Tamper-evidence and physical attack vectors
- Firmware extraction, reverse engineering, and analysis
- Bus-level and JTAG/UART access testing
- Supply-chain implant detection
Module 3 – Network and Software Attack Paths
- Election management system (EMS) attack surface
- Pollbook synchronization and central-count interfaces
- Web, API, and protocol-level testing
- Cryptographic implementation review
Module 4 – Source Code Review (White Box)
- Static analysis and code-level vulnerability classes
- Voting-system-specific anti-patterns
- Code-to-binary verification
- Reproducibility and chain-of-custody for code review
Module 5 – Red Team / Blue Team Operations
- Adversarial assessment versus pure pen testing
- Detection and response exercises
- Procedural-control attacks (chain-of-custody, observer access)
- Deconfliction with election operations
Module 6 – Findings, Evidence, and Reporting
- Severity scoring with election-impact context
- Evidence integrity: hashing, signing, and sealed chain of custody
- Reporting formats aligned to EAC submission
- Re-test verification and remediation tracking