Analyzing DOJ’s MOU for Voter Registration List Data for FISMA Compliance

FISMA Gap Analysis of the U.S. Department of Justice’s
Collection of State Voter Registration List Data

This document provides an analysis of the U.S. Department of Justice (DOJ)’s compliance with the security requirements of the Federal Information Security Modernization Act of 2014 (FISMA) with respect to its ongoing collection and retention of voter registration list (VRL) data from states. Since May 2025, the DOJ has sought the VRLs of 47 states and Washington, D.C., including sensitive voter information such as Social Security Numbers.[1] While at least ten states have provided their VRLs, 24 states and D.C. have declined the DOJ’s request and now face suit from the DOJ over their refusal to provide their VRLs.

To evaluate the adequacy of security protections in place for voter registration list data obtained (or that may later be obtained) by the DOJ, we—the Electronic Privacy Information Center (EPIC)—apply the baseline controls and security requirements set out by FISMA and related National Institute for Standards and Technology (NIST) privacy and security standards to the DOJ’s publicly available representations about how such VRL data will be protected. We find that the DOJ’s safeguards for VRL data are severely deficient, failing to impose the stringent security controls that FISMA requires due to the data’s volume, sensitivity, and connection to the exercise of fundamental rights.

FISMA and NIST Standards

The Federal Information Security Modernization Act of 2014 (FISMA)[2] requires that agencies identify and provide information security protections for (1) information collected or maintained by or on behalf of an agency, and (2) information systems used or operated by an agency, or by a contractor or some other organization on behalf of the agency. 44 U.S.C. §§ 3554(a)(1)(A)(i)-(ii). These protections must be commensurate with the risk and magnitude of the harm resulting from “unauthorized access, use, disclosure, disruption, modification, or destruction” of the collected information or information system. 44 U.S.C. § 3554(a)(1)(A). To comply with said mandate, federal agencies must adhere to “minimum information security requirements” promulgated by the National Institute for Standards and Technology (NIST). 44 U.S.C. §3554(a)(1)(B)(i); 40 U.S.C. § 11331(b)(2)(A)(i).

Security Objectives

FISMA defines “information security” to include the three objectives of protecting the confidentiality, integrity, and availability of information systems. 44 U.S.C. §§3552(b)(3)(A)-(C). NIST standardizes said objectives into three different security categorizations in FIPS 199.

The first security objective is integrity. A “loss of integrity is the unauthorized modification or disclosure of information.”[3] The integrity security objective incorporates the statutory mandate for “guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity[.]” 44 U.S.C. §3552(b)(3)(A).

The second security objective is confidentiality. A “loss of confidentiality is the unauthorized disclosure of information.”[4] The confidentiality security objective incorporates the statutory mandate for “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information[.]” 44 U.S.C. §3552(b)(3)(B).

The third security objective is availability. A “loss of availability is the disruption of access to or use of information or an information system.”[5] The availability security objective incorporates the statutory mandate for “Ensuring timely and reliable access to and use of information.” 44 U.S.C. §3552(b)(3)(C).

Security Categorizations

To help operationalize these security objectives into “minimum information security requirements,” NIST has established three security categorizations for information and information systems.[6] These categorizations reflect what the potential impact on the statutory objectives of confidentiality, integrity, and availability would be if said information systems were jeopardized. Agencies must use these security categorizations whenever there is a federal requirement to provide such a categorization of information or information system.[7] The three security categorizations are “LOW,” “MODERATE,” and “HIGH.”

The security categorization is “LOW” if the loss of the security objectives would have a “limited adverse effect on organizational operations, organizational assets, or individuals.”[8] The security categorization is “MODERATE” if the loss of the security objectives would have a “serious adverse effect on organizational operations, organizational assets, or individuals.”[9] The security categorization is “HIGH” if the loss of the security objectives would have a “severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.”[10] The minimum security requirements for federal information and information systems depend on what security category the information system is sorted into. For example, moderate-impact information systems must at a minimum adhere to the moderate baseline security controls highlighted in NIST Special Publication (SP) 800-53B. High-impact information systems similarly must at minimum adhere to the high baseline of security controls defined in NIST SP 800-53B.[11]

Security Categorization for Sensitive PII

NIST has two relevant publications that help determine the security categorization of sensitive personally identifiable information (PII) such as a full or partial Social Security Number (SSN) and driver’s license number.  

First, NIST Special Publication 800-60 Volume II Revision 1 provides guidelines for “appropriate levels of information security according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or loss of availability of the information or information system.”[12] These guidelines apply to all information security systems to which FISMA applies. Under 800-60, Personal Identity Information is categorized as MODERATE impact across all security objectives.[13]

Second, NIST Special Publication 800-122 for Personally Identifiable Information creates further standards for PII. Agencies must determine PII disclosure impact levels by looking at factors such as how easily PII can be used to identify specific individuals, the quantity of records in question, the sensitivity of the PII data fields together, the context for which the PII was collected, as well existing obligations to protect confidentiality and the nature of access/storage location of the PII.[14]

            The Applicability of FISMA to the VRL Data Collected by the DOJ

DOJ has sought voter registration lists from 47 states and the District of Columbia. At least ten states have provided their VRLs to the agency, including the sensitive and identifying information of over 37 million registered voters. The DOJ has also brought suit against 25 jurisdictions to obtain their VRLs.

VRL data merits a HIGH security categorization in light of the factors laid out in NIST SP 800-122. Nearly 200 million individuals were registered to vote as of 2024.[15] VRLs include the records of each of these voters, including information such as SSNs and driver’s license numbers which make identifying voters exceedingly easy. Taking all PII data fields together, VRLs are replete with sensitive information.

At minimum, DOJ seeks a voter’s full name, date of birth, residential address, state driver’s license number, or partial SSN. However, VRLs often include other information. In California, for example, DOJ sought (and failed to obtain) voter participation history and political party registration.[16] This information was collected to aid individuals in exercising their right to fundamental right to vote—a right so foundational that it has been recognized by the Supreme Court as a right “preservative of all rights.”[17] Despite the strong potential for abuse and misuse of sensitive information to suppress voting rights and intimidate lawful voters, DOJ is demanding (and in some cases obtaining) complete and unredacted VRL data.

Finally, states bear an obligation to protect the confidentiality of VRL data and the privacy of voters, as does DOJ once it receives and aggregates VRL data into federal information systems.[18] For these reasons, the standard security controls for PII are insufficient to protect VRL data. Instead, VRL data merits HIGH security controls in addition to the baseline controls established in NIST SP 800-53B.[19]

Analysis of the Security Controls DOJ Has Established for VRL Data

Based on our analysis of the DOJ’s representations as to how it will maintain VRL data, we find that the DOJ’s security controls are severely deficient and cast serious doubt on the agency’s compliance with FISMA. We find that DOJ’s publicly available statements fail to specify adequate controls for who may access VRL data and under what conditions; how information systems containing VRL data will be protected and how access to those systems will be audited; and what procedures are in place should those systems be breached.

To conduct our analysis, we compared the NIST and FISMA standards detailed above to the data safeguards described by DOJ in its draft Memorandum of Understanding (MOU) sent to Colorado.[20] The MOU, which Colorado declined to sign, would require the state to deliver its VRL to DOJ and remove registered voters named by DOJ.

The security controls articulated in the MOU are severely deficient. The MOU is littered with generalized recitations of compliance with DOJ’s obligations—far short of the particularized security controls that an agency must establish under FISMA to adequately protect data as sensitive as unredacted voter registration lists.  

Further, the MOU includes expedited timelines for the transfer of VRL data, raising added concern that the security controls in place at the time of transfer will be insufficient or nonexistent. Section IV of the MOU, for example, asks that the Agreement be signed within seven (7) days of the DOJ having presented it. The same Section further presses for Colorado to act as quickly as possible, stating that “no part of this Agreement or execution is intended to, or will, cause delay of the transmission of your state’s VRL” to the DOJ for analysis. These statements cast serious doubt on the DOJ’s commitment to protecting the VRL data it obtains, particularly considered against the backdrop of recent data security violations by federal agencies involving the wrongful disclosure of personal data from thousands of individuals.[21]

In Appendix A of this analysis, we set out in greater detail the crucial security and privacy[22] controls that ought to govern VRL data under FISMA and the NIST Standards; the ways in which the controls set out in the DOJ’s MOU falls short of those requirements; and the potential consequences of these gaps in security protection. As the Appendix makes clear, the controls identified in the MOU are woefully insufficient and suggest numerous ways in which the DOJ has failed to comply with its FISMA obligations with respect to the VRL data it is collecting from states.

Conclusion

Voter registration lists contain vast quantities of sensitive personal information. To the extent that a federal agency may lawfully collect bulk VRL data to begin with, FISMA requires that such data be protected by strict security controls. Based on our analysis of the DOJ’s publicly available representations as to how it will protect the VRL data it obtains, we conclude that the DOJ has failed to establish numerous critical security controls in apparent violation of FISMA.

[citations appear after embedded Appendix A]

[1] Kaylie Martinez-Ochoa, Eileen O’Connor, & Patrick Berry, Tracker of Justice Department Requests for Voter Information, Brennan Ctr. for Justice (last updated Feb. 13, 2026), https://www.brennancenter.org/our-work/research-reports/tracker-justice-department-requests-voter-information.

[2] The Federal Information Security Modernization Act of 2014 (FISMA 2014), Pub. L. No. 113-283, 128 Stat. 3073 (Dec. 18, 2014), largely superseded the Federal Information Security Management Act of 2002(FISMA 2002), Title III of Pub. L. No. 107-347, 116 Stat. 2899, 2946 (Dec. 17, 2002). As used in this analysis, FISMA refers both to FISMA 2014 and those provisions of FISMA 2002 that were either incorporated into FISMA 2014 or were unchanged and continue in full force and effect.

[3] Id.

[4] NIST, Standards for Security Categorization of Federal Information and Information Systems, FIPS PUB 199, at 2 (Feb. 2004),https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf

[5] Id.

[6] Id. at 1-3.

[7] Id.

[8] Id. at2.

[9] Id.

[10] Id. at 2-3.

[11] NIST SP 800-53B, Control Baselines for Information Systems and Organizations at 6 (Oct. 2020), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53B.pdf

[12] Volume II: Appendices to Guide for Mapping Types of Information and Information Systems to Security Categories, NIST SP 800-60 Vol. II Rev. 1, at vi (Aug. 2008), https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v2r1.pdf.

[13] Id. at 53.

[14] NIST, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, at 3-3, 3-5 (April 2010), https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf.

[15] United States Census Bureau, Voting and Registration in the Election of November 2024, Table 1, Reported Voting and Registration, by Sex and Singer Years of Age: November 2024 (accessed Feb. 2, 2025), https://www.census.gov/data/tables/time-series/demo/voting-and-registration/p20-587.html.

[16] Order Granting Defendant’s Motion to Dismiss and Intervenor’s Motion to Dismiss at 5, United States v. Shirley Weber, No. 2:25-cv-09149 (C.D. Cal. Jan. 16, 2026), ECF No. 128.

[17] Yick Wo v. Hopkins, 118 U.S. 356, 370 (1886).

[18] While DOJ may not be directly bound by a state‘s law that protect the confidentiality of VRLs, its aggregation of VRL data into federal information systems does violate the confidentiality protections of those state laws. Further, the Privacy Act of 1974 imposes additional obligations on DOJ once it accepts and aggregates VRL data. 5 U.S.C. § 552a (1974).

[19] NIST, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, at 6 (Oct. 2020), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53B.pdf [hereinafter NIST SP 800-53B]. Explanations of the security controls are available at NIST, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53 Rev. 5  (Sep. 2020),  https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf [hereinafter NIST SP 800-53r5].

[20] Colorado Memorandum of Understanding, (Dec. 1, 2025), https://www.brennancenter.org/media/14806/download/2025-12-01-doj-mou-to-colorado.pdf?inline=1.

[21] See Notice of Corrections to the Record, Am. Fed’n of State, Cnty. And Muns. Emps., AFL-CIO v. Soc. Sec. Admin., No. 1:25-cv-00596 (D. Md. Jan. 16, 2026), ECF no. 197 (admission by government that DOGE employees circumvented agency procedures for data sharing and used unauthorized third-party servers to share Social Security data); See Defendant’s Corrected Notice on Status of Requests for Return Information, Centro de Trabajadores Unidos, et al., v. Bessent, No.. 1:25-cv-00677 (D.D.C. Feb. 11,2026), ECF no. 73 (admission by government that IRS used a faulty automated verification system to improperly share the sensitive information of thousands of taxpayers).  

[22] Although NIST’s Privacy Control Baseline is not directly required by FISMA, it is unlikely that an agency would be able to comply with the confidentiality requirements of FISMA if that agency were not already compliant with the privacy controls.