United States Election Assistance Comittee

Register to Vote!

Use the National Mail Voter Registration Form to register to vote, update your registration information with a new name or address, or register with a political party.

Note: If you wish to vote absentee and are a uniformed service member or family member or a citizen living outside the U.S., contact the Federal Voting Assistance Program to register to vote.

EAC Newsletters
and Updates

Sign up to receive information about EAC activities including public meetings, webcasts, reports and grants.

Give Us Your Feedback

Share your feedback on EAC policy proposalsElection Resource Library materials, and OpenEAC activities. Give feedback on general issues, including the Web site, through our Contact Us page.

Military and Overseas Voters

EAC has several projects under way to assist states in serving military and overseas citizens who register and vote absentee under the Uniformed and Overseas Citizens Absentee Voting Act. Learn more

Chapter 4: Voting Equipment User Documentation

This section contains requirements on the content of the documentation that manufacturers supply to jurisdictions that use their systems. In this context, "user" refers to election officials. The user documentation is also included in the TDP given to test labs.

It is not the intent of these requirements to prescribe an outline for user documentation. Manufacturers are encouraged to innovate in the quality and clarity of their user documentation. The intent of these requirements is to ensure that certain information that is of interest to end users and test labs alike will be included somewhere in the user documentation. To speed the test lab review, manufacturers should provide test labs with a short index that points out which sections of the user documentation are responsive to which sections of these requirements.

5 Comments

Comment by Diane Gray (Voting System Test Laboratory)

References are to Government Paper Specifications: which are applicable to voting systems paper?

Comment by Premier Election Solutions (Manufacturer)

The whole user documentation requirements should be seriously reviewed. The amount of information and the detail that is being requested will overwhelm almost all election administrators. There is a need to provide clear concise information about how the system works, how to set it up, how to keep it secure, and how to audit it without providing such an overwhelming amount of information that users of the system cannot find the important information.

Comment by E Smith/P Terwilliger (Manufacturer)

4.3.3-G.1. This section is written with the assumption of a PC-like architecture, which is inappropriate. 4.3.3-I. Please clarify that this section requires the vendor ship hardware devices that are inoperable. 4.3.3-J. This is imparctical due to the rapidly changing COTS world, versus the very long lead times embodied in the VVSG certification process. It is virtually guaranteed that by the time a product makes it through certification, any COTS software will obsolete - a newer version will be shipping. Depending on the policies of the COTS vendors, procuring obsoleted versions may not be possible. 4.3.5-A. What is a "model setup inspection process"? 4.3.6. Subsections are using the terms "secure, transparent, workable and accurate". Both singly and together these are undefined, at best vague, and wholly untestable. Subsections also use "fully specify", which is similarly undefined and untestable. 4.3.6-A. The requirement title says "pollbook audit". What is that? 4.3.6-B. "hand audit" is not defined or explained. 4.3.6-E. If all VVPR records are required to be machine readable via OCR, why is such a requirement not included in part 1?

Comment by Cem Kaner (Academic)

The auditor should be considered a "user" of the system and user documentation should be supplied to support the performance of the auditor, including detailed recommendations for auditing the accuracy of election results on this particular type of system. .......... (Affiliation Note: IEEE representative to TGDC)

Comment by Cem Kaner (Academic)

The user documentation shall be a public record. .......... (Affiliation Note: IEEE representative to TGDC)

4.1 System Overview

4.1-A User documentation, system overview

In the system overview, the manufacturer SHALL provide information that enables the user to identify the functional and physical components of the system, how the components are structured, and the interfaces between them.

Applies To: Voting system

Source: [VSS2002] II.2.2

4.1-A.1 User documentation, system overview functional diagram

The system overview SHALL include a high-level functional diagram of the voting system that includes all of its components. The diagram SHALL portray how the various components relate and interact.

Applies To: Voting system

Source: [EAC06] 4.3.2.3

4.1.1 System description

4.1.1-A User documentation, system description

The system description SHALL include written descriptions, drawings and diagrams that present:

  1. A description of the functional components (or subsystems) as defined by the manufacturer (e.g., environment, election management and control, vote recording, vote conversion, reporting, and their logical relationships);
  2. A description of the operational environment of the system that provides an overview of the hardware, firmware, software, and communications structure;
  3. A concept of operations that explains each system function and how the function is achieved in the design;
  4. Descriptions of the functional and physical interfaces between subsystems and components;
  5. Identification of all COTS products (both hardware and software) included in the system and/or used as part of the system's operation, identifying the name, manufacturer, and version used for each such component;
  6. Communications (dial-up, network) software;
  7. Interfaces among internal components and interfaces with external systems. For components that interface with other components for which multiple products may be used, the manufacturer SHALL identify file specifications, data objects, or other means used for information exchange, and the public standard used for such file specifications, data objects, or other means; and
  8. Benchmark directory listings for all software and firmware and associated documentation included in the manufacturer's release in the order in which each piece of software or firmware would normally be installed upon system setup and installation.

Applies To: Voting system

Source: [VSS2002] II.2.2.1

1 Comment

Comment by Premier Election Solutions (Manufacturer)

This requirement seems more like a functional specification and is probably far more detail than any election administrator needs or wants to know. Therefore, this section conflicts with the desire for an easy to understand document. There does need to be a high level description of the system and how to use it as well as a basic description of interfacing with other products. Proposed Change: Please modify this requirement to provide the level of detail in a document that an actual user would understand and use.
4.1.1-B User documentation, identify software and firmware by origin

The system description SHALL include the identification of all software and firmware items, indicating items that were:

  1. Written in-house;
  2. Written by a subcontractor;
  3. Procured as COTS; and
  4. Procured and modified, including descriptions of the modifications to the software or firmware and to the default configuration options.

Applies To: Voting system

Source: [VSS2002] II.2.5.3.c

2 Comments

Comment by Brian V. Jarvis (Local Election Official)

Recommend that there be a requirement that each software and firmware unit be assigned a unique identifier. (A software/firmware unit is an element in the design of a computer software configuratitem (CSCI); for example, a major subdivision of a CSCI, a component of that subdivision, a class, object, module, function, routine, or database. Software/firmware units may occur at different levels of a hierarchy and may consist of other software/firmware units. Software/firmware units in the design may or may not have a one-to-one relationship with the code and data entities (routines, procedures, databases, data files, etc.) that implement them or with the computer files containing those entities. A database may be treated as a CSCI or as a software/firmware unit. The documentation may refer to software/firmware units by any name(s) consistent with the design methodology being used.)

Comment by Premier Election Solutions (Manufacturer)

Not certain that users really care about this type of information. Please clarify why users would find this information useful.
4.1.1-C User documentation, traceability of procured software

The system description SHALL include a declaration that procured software items were obtained directly from the manufacturer or a licensed dealer or distributor.

Applies To: Voting system

DISCUSSION

For most noncommercial software, this would mean a declaration that the software was downloaded from the canonical site or a trustworthy mirror. It is generally accepted practice for the core contributors to major open-source software packages to digitally sign the distributions. Verifying these signatures provides greater assurance that the package has not been modified.

Source: [VSS2002] II.2.5.3

2 Comments

Comment by Brian V. Jarvis (Local Election Official)

Recommend that requirements be established indicating that no matter the declaration and no matter the source, that the voting machine manufacturer shall still be responsible for the quality of all products procured or acquired from suppliers. (There have been attempts by manufacturers to interpret "procured" as meaning only software that was purchased.) The manufacturer should still be held responsible for the quality of software that was acquired at "no cost."

Comment by Premier Election Solutions (Manufacturer)

This requirement is somewhat irrelavant since the installation files are to be hashed by the VSTL during certification and the hash values stored with the EAC or its designated repository. Proposed Change: Remove this requirement.

4.1.2 System performance

4.1.2-A User documentation, system performance

The manufacturer SHALL provide system performance information including:

  1. Device capacities and limits that were stated in the implementation statement (see Part 1: 2.4 "Software Independence");
  2. If not already covered in the implementation statement, performance characteristics of each operating mode and function in terms of expected and maximum speed, throughput capacity, maximum volume (maximum number of voting positions and maximum number of ballot styles supported), and processing frequency;
  3. Quality attributes such as reliability, maintainability, availability, usability, and portability;
  4. Provisions for safety, security, privacy, and continuity of operation; and
  5. Design constraints, applicable standards, and compatibility requirements.

Applies To: Voting system

Source: [VSS2002] II.2.2.2

1 Comment

Comment by Premier Election Solutions (Manufacturer)

Design constraints do not belong in user documentation. Proposed Change: Remove the item (e) referring to "design constraints."
4.1.2-A.1 User documentation, central tabulator maximum tabulation rate

The maximum tabulation rate for a central tabulator SHALL be documented by the manufacturer. This documentation SHALL include the maximum tabulation rate for individual components that impact the overall maximum tabulation rate.

Applies To: Central tabulator

DISCUSSION

The capacity to convert the marks on individual ballots into signals is uniquely important to central count systems.

Source: [VSS2002] I.3.2.5.1.1

2 Comments

Comment by Carolyn Coggins (Voting System Test Laboratory)

There are a number of factors that influence maximum tabulation rate. This requirement should contain the benchmark conditions under which the maximum rate is identified.

Comment by Diane Gray (Voting System Test Laboratory)

The 2002 VSS requirement cited applies to paper-based conversion requirements. Is the intent in Part 2, Chapter 4.1.2-A.1 to apply to all voting systems?
4.1.2-A.2 User documentation, reliably detectable marks

For an optical scanner, the manufacturer SHALL document what constitutes a reliably detectable mark versus a marginal mark.

Applies To: Optical scanner

DISCUSSION

See Part 1: 7.7.5.1 "Marginal marks". The specification may be parameterized by configuration values and should state the uncertainty.

Source: New requirement

4.2 System Functionality Description

1 Comment

Comment by Carolyn Coggins (Voting System Test Laboratory)

Isn't the definition of reliability the role of the standard? If there are different levels of acceptable reliable reading shouldn't the standard define what they are and identify the benchmarks?
4.2-A User documentation, system functionality description

The manufacturer SHALL provide a listing of the system's functional processing capabilities, encompassing capabilities required by the VVSG, and any additional capabilities provided by the system, with a description of each capability.

  1. The manufacturer SHALL explain, in a manner that is understandable to users, the capabilities of the system that were declared in the implementation statement;
  2. Additional capabilities (extensions) SHALL be clearly indicated;
  3. Required capabilities that may be bypassed or deactivated during installation or operation by the user SHALL be clearly indicated;
  4. Additional capabilities that function only when activated during installation or operation by the user SHALL be clearly indicated; and
  5. Additional capabilities that normally are active but may be bypassed or deactivated during installation or operation by the user SHALL be clearly indicated.

Applies To: Voting system

Source: [VSS2002] II.2.3

3 Comments

Comment by Brian V. Jarvis (Local Election Official)

Recommend that any "dead code" should also be clearly indicated (and will result in immediate de-certification of the voting machine). There is a distinction between dead code and bypassed/deactivated code. Deactivated code is executable software that will not be executed during runtime operations of a particular software version within a particular application; however, the code may be executed during maintenance or special operations or be executed within a different or future version of the software within a different configuration or application. Unlike dead code, there is no problem with deactivated code being left in the source baseline (as long as it is clearly identified). Dead code, however, is executable software that will never be executed during runtime operations. Requirements for voting machines should not allow for the presence of dead code: it must be removed. Dead code does not trace to any software requirements, hence does not perform any required functionality.

Comment by Carolyn Coggins (Voting System Test Laboratory)

b.d. & e It would be helpful to the test labs if the manufacturer's were required to explicitly stipulate if systems did not have additional capabilities that …

Comment by Carolyn Coggins (Voting System Test Laboratory)

a. "A manner that is understandable to users" is not testable.

4.3 System Security Specification

4.3.1 Access control

4.3.1-A User documentation, access control implementation, configuration, and management

Manufacturers SHALL provide user documentation containing guidelines and usage instructions on implementing, configuring, and managing access control capabilities.

Applies To: Voting system

Source: [VVSG2005] I.7.2.1.2

1 Comment

Comment by ACCURATE (Aaron Burstein) (Academic)

Note that this comment addresses multiple subsections of Part 2:4.3; the online comment interface did not provide an option to comment at the top level of Part 2:4.3. The requirements in this section (access controls: 2:4.3.1; system event logs: 2:4.3.2; physical security: 2:4.3.4; records necessary to audit the system: 2:4.3.6; and requirements for high-level descriptions of a voting system's security: 2:3.5.1-B and Table 3-1) are important for documenting elements of election administration that are critical to maintaining the security of voting systems and should be adopted. However, this section should require manufacturers to provide an audit plan as part of their documentation; this would help support software independence. A high-level, schematic audit plan would be the best way to provide guidance to states, given their widely varying audit laws.
4.3.1-B User documentation, access control policy template

Manufacturers SHALL provide, within the user documentation, an access control policy template or instructions to facilitate the implementation of the access control policy and associated access controls on the voting system.

Applies To: Voting system

DISCUSSION

Access control policy requirements include the minimum baseline policy definitions necessary for testing and implementation of the voting system. The policies may be pre-defined within the voting system or provided as guidelines in the documentation.

Source: [VVSG2005] I.7.2.1

4.3.1-C User documentation, model access control policy

Manufacturers SHALL provide, within the user documentation, a model access control policy under which the voting system was designed to operate and a description of the hazards of deviating from this policy.

Applies To: Voting system

DISCUSSION

The model access control policy includes the assumptions that were made when the system was designed, the justification for the policy, and the hazards of deviating from the policy.

Source: [VVSG2005] I.7.2.1

4.3.1-D User documentation, privileged account

The manufacturer SHALL disclose and document information on all privileged accounts included on the voting system.

Applies To: Voting system

DISCUSSION

Information on privileged accounts include the name of the account, purpose, capabilities and permissions, and how to disable the account in the user documentation.

Source: [VVSG2005] I.7.2.1.2

1 Comment

Comment by Carolyn Coggins (Voting System Test Laboratory)

Define a privileged account.

4.3.2 System event logging

4.3.2-A User documentation, system event logging

Manufacturers SHALL provide user documentation that describes system event logging capabilities and usage.

Applies To: Voting system

Source: [VVSG2005] I.5.4

1 Comment

Comment by ACCURATE (Aaron Burstein) (Academic)

See ACCURATE's comment to Part 2:4.3.1.
4.3.2-B User documentation, log format

Manufacturers SHALL publicly publish fully documented log format information.

Applies To: Voting system

DISCUSSION

The log format and the meaning of all possible types of log entries must be fully documented in sufficient detail to allow independent manufacturers to implement utilities to parse the log file. This documentation must be publicly available, free of charge, and not just in the TDP. The documentation may be housed by the EAC or the test lab.

Source: [VVSG2005] I.5.4

2 Comments

Comment by Diane Gray (Voting System Test Laboratory)

Requirement is for manufacturers to publish fully document log format information. The Discussion states the documentation may be housed by the EAC or test lab. If this information is available to the public, then the EAC should be responsible for retaining it. The test labs do not dispense voting system documentation to the public.

Comment by Carolyn Coggins (Voting System Test Laboratory)

Isn't stipulation of publishing of log format information outside the scope of the VVSG? This would appear to be to be an EAC responsibility.

4.3.3 Software installation

4.3.3-A User documentation, software list

The manufacturer SHALL provide a list of all software to be installed on the programmed devices of the voting system and installation software used to install the software in the user documentation.

Applies To: Programmed device

DISCUSSION

Software to be installed on programmed devices of the voting system includes executable code, configuration files, data files, and election specific software.

4.3.3-B User documentation, software information

The manufacturer SHALL provide at a minimum in the user documentation the following information for each piece of software to be installed or used to install software on programmed devices of the voting system: software product name, software version number, software manufacturer name, software manufacturer contact information, type of software (application logic, border logic, third party logic, COTS software, or installation software), list of software documentation, component identifier(s) (such filename(s)) of the software, type of software component (executable code, source code, or data).

Applies To: Programmed device

1 Comment

Comment by Brian V. Jarvis (Local Election Official)

Recommend also including: (1) software dates, (2) release numbers (in addition to the version numbers), (3) list of all changes incorporated into the software version since the previous version, (4) problem reports, change proposals, and change notices associated with each change and the effects, if any, of each change on system operation and on interfaces with other hardware and software, and (5) any possible problems or known errors with the software version at the time of release.
4.3.3-C User documentation, software location information

The manufacturer SHALL provide in the user documentation the location (such as full path name or memory address) and storage device (such as type and part number of storage device) where each piece of software is installed on programmed devices of the voting system.

Applies To: Programmed device

DISCUSSION

This requirement applies to software installed on programmed devices of the voting system. The full directory path is the final destination of the software when installed on non-volatile storage with a file system.

4.3.3-D User documentation, election specific software identification

The manufacturer SHALL identify election specific software in the user documentation.

Applies To: Programmed device

4.3.3-E User documentation, installation software and hardware

The manufacturer SHALL provide a list of software and hardware required to install software on programmed devices of the voting system in the user documentation.

Applies To: Programmed device

1 Comment

Comment by Diane Gray (Voting System Test Laboratory)

Source cited is VVSG 2005 Volume III Section 2.2.3.a. Should be Volume I.
4.3.3-F User documentation, software installation procedure

The manufacturer SHALL document the software installation procedures used to install software on programmed devices of the voting system in user documentation.

Applies To: Programmed device

Source: [VVSG2005] Volume III, Section 2.2.3(a)

4.3.3-G User documentation, compiler installation prohibited

The software installation procedures used to install software on programmed devices of the voting system SHALL result in no compilers being installed on the programmed device.

Applies To: Programmed device

4.3.3-G.1 User documentation, programmed device configuration baseline binary image creation

To replicate programmed device configurations, the software installation procedures SHALL create a baseline binary image of the initial programmed device configuration on an unalterable storage media with a digital signature.

Applies To: Programmed device

DISCUSSION

Unalterable storage media includes technology such as a CD-R, but not CD-RW.

1 Comment

Comment by Premier Election Solutions (Manufacturer)

This requirement has nothing to do with user documentation and actually nothing to do with software installation. The creation of a digital signature of the software is to be done during the trusted build procedure by the VSTL. Proposed Change: Remove this requirement.
4.3.3-G.2 User documentation, programmed device configuration replication

The software installation procedures SHALL use the baseline binary image of the initial programmed device configuration on an unalterable storage media to replicate the configuration on to other programmed devices.

Applies To: Programmed device

DISCUSSION

Unalterable storage media includes technology such as a CD-R, but not CD-RW.

1 Comment

Comment by Premier Election Solutions (Manufacturer)

This requirement has nothing to do with user documentation and actually nothing to do with software installation. The creation of a digital signature of the software is to be done during the trusted build procedure by the VSTL. Proposed Change: Remove this requirement.
4.3.3-H User documentation, software installation record creation

The software installation procedures SHALL specify the creation of a software installation record that includes at a minimum: a unique identifier (such as a serial number) for the record; a list of unique identifiers of unalterable storage media associated with the record; the time, date, and location of the software installation; names, affiliations, and signatures of all people present; copies of the procedures used to install the software on the programmed devices of the voting system; the certification number of the voting system; list of the software installed on programmed devices of the voting system; and a unique identifier (such as a serial number) of the vote-capture device or EMS which the software is installed.

Applies To: Programmed device

4.3.3-I User documentation, procurement of voting system software

The software installation procedures SHALL specify that voting system software be obtained from test labs or distribution repositories.

Applies To: Programmed device

DISCUSSION

Distribution repositories provide software they receive to parties approved by the owner of the software.

4.3.3-J User documentation, open market procurement of COTS software

The software installation procedures SHALL specify that COTS software be obtained from the open market.

Applies To: Programmed device

1 Comment

Comment by Carolyn Coggins (Voting System Test Laboratory)

It is unrealistic for the standard to assume that out of date COTS software can be obtained from the open market. The standard must make provision for this. This provision must be in a manner that complies with software licensing.
4.3.3-K User documentation, erasable storage media preparation

The software installation procedures SHALL specify how previously stored information on erasable storage media is removed before installing software on the media.

Applies To: Programmed device

DISCUSSION

The purpose of this requirement is to prepare erasable storage media for use by the programmed devices of the voting system. The requirement does not require the prevention of previously stored information leakage or recovery. Simply deleting files from file systems, flashing memory cards, and removing electrical power from volatile memory satisfies this requirement.

4.3.3-L User documentation, installation media unalterable storage media

The software installation procedures SHALL specify that unalterable storage media be used to install software on programmed devices of the voting system.

Applies To: Programmed device

DISCUSSION

Unalterable storage media includes technology such as a CD-R, but not CD-RW.

1 Comment

Comment by Premier Election Solutions (Manufacturer)

This requirement is assuming that all voting devices support un-alterable media for software installation. It woud be worthwhile to only require that the distribution media be un-alterable and that the user may copy the installation files from the un-alterable media to installation media for installation on the device. Proposed Change: Change this requirement to read as follows: 4.3.3-L User documentation, distribution media unalterable storage media The software installation procedures SHALL specify that unalterable storage media be used to distribute software on programmed devices of the voting system.

4.3.4 Physical security

4.3.4-A User documentation, physical security

Manufacturer SHALL provide user documentation explaining the implementation of all physical security controls for the voting device, including model procedures necessary for effective use of countermeasures.

Applies To: Voting device

4.3.5 Setup inspection

4.3.5-A User documentation, model setup inspection process

The manufacturer SHALL provide a model setup inspection process that the voting device was designed to support and description of the risks of deviating from the process in the user documentation.

Applies To: Voting device

DISCUSSION

The model setup inspection process provides a means to inspect various properties of voting devices as needed during the election process.

4.3.5-A.1 User documentation, minimum properties included in a model setup inspection process

A model setup inspection process SHALL at a minimum include the inspection of voting system software, storage locations that hold election information that changes during an election, other voting device properties, and execution of logic and accuracy testing related to readiness of use in an election.

Applies To: Voting device

DISCUSSION

See requirements in Part 1: 5.2 "Setup Inspection".

Source: [VVSG2005] I.7.4.6 (a) and (f)

4.3.5-B User documentation, model setup inspection record generation

The model setup inspection process SHALL describe the records that result from performing the setup inspection process.

Applies To: Voting device

Source: [VVSG2005] I.5.4.2

4.3.5-C User documentation, installed software identification procedure

The manufacturer SHALL provide the procedures to identify all software installed on programmed devices of the voting system in the user documentation.

Applies To: Programmed device

DISCUSSION

This requirement provides the ability to identify if the proper software is installed and that no other software is present on programmed devices of the voting system. This requirement covers software stored on storage media with or without a file system.

Source: [VVSG2005] I.7.4.6 (b)(ii)

4.3.5-D User documentation, software integrity verification procedure

The manufacturer SHALL describe the procedures to verify the integrity of software installed on programmed devices of voting system in the user documentation.

Applies To: Programmed device

Source: [VVSG2005] I.7.4.6 (b)(ii)

4.3.5-E User documentation, election information value

The manufacturer SHALL provide the values of voting device storage locations that hold election information that changes during the election, except for the values set to conduct a specific election in the user documentation.

Applies To: Voting device

Source: [VVSG2005] I.7.4.6 (f)(ii)

 

1 Comment

Comment by Premier Election Solutions (Manufacturer)

This requirement does not make sense. Election specific information does not necessarily get stored in specific locations. If a file system is used to store the data in a database then the location may change from election to election. Therefore, this requirement needs to be changed to better reflect the information being requested. Please clarify the election information being referenced. If the information referenced is election data that normally is stored dyamically, then remove this requirement.
4.3.5-F User documentation, maximum and minimum values of election information storage locations

The manufacturer SHALL provide the maximum and minimum values voting device storage locations that hold election information changes during an election can store in the user documentation.

Applies To: Voting device

Source: [VVSG2005] I.7.4.6 (f)(ii)

1 Comment

Comment by Premier Election Solutions (Manufacturer)

This requirement does not make sense. Election specific information does not necessarily get stored in specific locations. If a file system is used to store the data in a database then the location may change from election to election. Therefore, this requirement needs to be changed to better reflect the information being requested. Please clarify the election information being referenced. If the information referenced is election data that normally is stored dyamically, then remove this requirement.
4.3.5-G User documentation, register and variable value inspection procedure

The manufacturer SHALL provide the procedures to inspect the values of voting device storage locations that hold election information that changes for an election in the user documentation.

Applies To: Voting device

Source: [VVSG2005] I.7.4.6 (f)(i)

1 Comment

Comment by Premier Election Solutions (Manufacturer)

This requirement does not make sense. Election specific information does not necessarily get stored in specific locations. If a file system is used to store the data in a database then the location may change from election to election. Therefore, this requirement needs to be changed to better reflect the information being requested. Please clarify the election information being referenced. If the information referenced is election data that normally is stored dyamically, then remove this requirement.
4.3.5-H User documentation, backup power operational range

The manufacturers SHALL provide the nominal operational range for the backup power sources of the voting device in the user documentation.

Applies To: Voting device

4.3.5-I User documentation, backup power inspection procedure

The manufacturer SHALL provide the procedures to inspect the remaining charge of the backup power sources of the voting device in the user documentation.

Applies To: Voting device

4.3.5-J User documentation, cabling connectivity inspection procedure

The manufacturer SHALL provide the procedures to inspect the connectivity of the cabling attached to the voting device in the user documentation.

Applies To: Voting device

4.3.5-K User documentation, communications operational status inspection procedure

The manufacturer SHALL provide the procedures to inspect the operational status of the communications capabilities of the voting device in the user documentation.

Applies To: Voting device

4.3.5-L User documentation, communications on/off status inspection procedure

The manufacturer SHALL provide the procedures to inspect the on/off status of the communications capabilities of the voting device in the user documentation.

Applies To: Voting device

4.3.5-M User documentation, consumables quantity of voting equipment

The manufacturer SHALL provide a list of consumables associated with the voting device, including estimated number of usages per quantity of consumable in the user documentation.

Applies To: Voting device

4.3.5-N User documentation, consumable inspection procedure

The manufacturer SHALL provide the procedures to inspect the remaining amount of each consumable of the voting device in the user documentation.

Applies To: Voting device

4.3.5-O User documentation, calibration of voting device components nominal range

The manufacturer SHALL provide a list of components associated with the voting device that require calibration and the nominal operating ranges for each component in the user documentation.

Applies To: Voting device

4.3.5-P User documentation, calibration of voting device components inspection procedure

The manufacturer SHALL provide the procedures to inspect the calibration of each component in the user documentation.

Applies To: Voting device

4.3.5-Q User documentation, calibration of voting device components adjustment procedure

The manufacturer SHALL provide the procedures to adjust the calibration of each component in the user documentation.

Applies To: Voting device

4.3.5-R User documentation, model checklist of properties to be inspected

The manufacturer SHALL provide a model checklist of other properties of the voting device to be inspected, including a description of the risks on not performing a given inspection in the user documentation.

Applies To: Voting device

DISCUSSION

Voting devices may have other properties that need to be inspected that are not covered in Part 1: 5.2 "Setup Inspection". This requirement provides a mechanism for the properties not covered in Part 1 Section 5.2 to be captured.

4.3.5-R.1 User documentation, minimal voting device properties covered by model checklist

The model checklist of other properties of the voting device to be inspected SHALL at a minimum include: the inspection of backup power sources, cabling, communications capabilities, consumables, calibration of voting device components, general physical features of the voting device, and securing external interfaces of the voting device not being used.

Applies To: Voting device

DISCUSSION

Voting device may have other properties that need to be inspected that are not covered in Part 1: 5.2 "Setup Inspection". This requirement provides a mechanism for the properties not covered in Part 1 Section 5.2 to be captured.

4.3.6 Audit

4.3.6-A User documentation, pollbook audit

The voting system’s user documentation SHALL fully specify a secure, transparent, workable and accurate process for producing all records necessary from the devices and carrying out the pollbook audit.

Applies To: Voting system

DISCUSSION

In order to fully support the pollbook audit, the voting system documentation must provide enough information for election officials to carry out the auditing step. This includes explaining how to generate all needed reports, how to check the reports against one another for agreement, and how to deal with errors and other unusual problems that come up during the audit step.

1 Comment

Comment by ACCURATE (Aaron Burstein) (Academic)

See ACCURATE's comment to Part 2:4.3.1.
4.3.6-B User documentation, hand audit

The voting system’s user documentation SHALL fully specify a secure, transparent, workable and accurate process for producing all records necessary from the devices and carrying out the hand audit.

Applies To: Voting system

DISCUSSION

The user documentation must explain how to produce all necessary reports and reconcile the records by hand-auditing.

4.3.6-C User documentation, ballot count and vote total auditing

The voting system’s user documentation SHALL fully specify a secure, transparent, workable and accurate process for producing all records necessary from the devices and carrying out the final election tally.

Applies To: Voting system

DISCUSSION

In order to fully support the audit, the voting system documentation must provide enough information for election officials to carry out the auditing step. This includes explaining how to generate all needed reports, how to check the reports against one another for agreement, and how to deal with errors and other unusual problems that come up during the audit step.

4.3.6-D User documentation, observational testing

The voting system’s user documentation SHALL fully specify a secure, transparent, workable and accurate process for observational testing.

Applies To: Voting system

 
4.3.6-E User documentation, machine readability of VVPAT VVPR

The manufacturer SHALL provide documentation for a procedure to scan VVPAT VVPR by optical character recognition.

Applies To: VVPAT

Source: [VVSG2005] I.7.9.3-g

4.4 System Operations Manual

4.4-A User documentation, system operations manual

The system operations manual SHALL provide all information necessary for system use by all personnel who support pre-election and election preparation, polling place activities, and central counting activities, as applicable, with regard to all system functions and operations identified in Part 2: 4.2 "System Functionality Description".

Applies To: Voting system

DISCUSSION

The nature of the instructions for operating personnel will depend upon the overall system design and required skill level of system operations support personnel.

Source: [VSS2002] II.2.8

 
4.4-B Operations manual, support training

The system operations manual SHALL contain all information that is required for the preparation of detailed system operating procedures and for the training of administrators, central election officials, election judges, and poll workers.

Applies To: Voting system

Source: [VSS2002] II.2.8

4.4.1 Introduction

4.4.1-A Operations manual, functions and modes

The manufacturer SHALL provide a summary of system operating functions and modes to permit understanding of the system's capabilities and constraints.

Applies To: Voting system

Source: [VSS2002] II.2.8.1

1 Comment

Comment by Premier Election Solutions (Manufacturer)

This requirement seems like a repeat of 4.1.1. Please ensure that this requirement is not a duplicate of requirement 4.1.1.
4.4.1-B Operations manual, roles

The roles of operating personnel SHALL be identified and related to the operating modes of the system.

Applies To: Voting system

Source: [VSS2002] II.2.8.1

4.4.1-C Operations manual, conditional actions

Decision criteria and conditional operator functions (such as error and failure recovery actions) SHALL be described.

Applies To: Voting system

Source: [VSS2002] II.2.8.1

 
4.4.1-D Operations manual, references

The manufacturer SHALL also list all reference and supporting documents pertaining to the use of the system during election operations.

Applies To: Voting system

Source: [VSS2002] II.2.8.1

 

4.4.2 Operational environment

4.4.2-A Operations manual, operational environment

The manufacturer SHALL describe the system environment and the interface between the election official or voter and the system.

Applies To: Voting system

Source: [VSS2002] II.2.8.2

 
4.4.2-B Operations manual, operational environment details 1

The manufacturer SHALL identify all facilities, furnishings, fixtures, and utilities that will be required for equipment operations, including equipment that operates at the:

  1. Polling place;
  2. Central count facility; and
  3. Other locations.

Applies To: Voting system

Source: [VSS2002] II.2.8.2

4.4.2-C Operations manual, operational environment details 2

The user documentation supplied by the manufacturer SHALL include a statement of all requirements and restrictions regarding environmental protection, electrical service, recommended auxiliary power, telecommunications service, and any other facility or resource required for the proper installation and operation of the system.

Applies To: Voting system

Source: [VSS2002] I.3.2.2

4.4.3 System installation and test specification

4.4.3-A Operations manual, readiness testing

The manufacturer SHALL provide specifications for testing of system installation and readiness.

Applies To: Voting system

DISCUSSION

Readiness testing refers to steps that election officials can take after deploying and configuring equipment to establish that it was correctly deployed and configured. Logic and accuracy testing would be part of this.

Source: [VSS2002] II.2.8.3

4.4.3-A.1 Operations manual, readiness test entire system

These specifications SHALL cover testing of all components of the system and all locations of installation (e.g., polling place, central count facility), and SHALL address all elements of system functionality and operations identified in Part 2: 4.2 "System Functionality Description" above, including general capabilities and functions specific to particular voting activities.

Applies To: Voting system

Source: [VSS2002] II.2.8.3

4.4.4 Operational features

4.4.4-A Operations manual, features

The manufacturer SHALL provide documentation of system operating features that includes:

  1. Detailed descriptions of all input, output, control, and display features accessible to the operator or voter;
  2. Examples of simulated interactions to facilitate understanding of the system and its capabilities;
  3. Sample data formats and output reports; and
  4. Illustration and description of all status indicators and information messages.

Applies To: Voting system

Source: [VSS2002] II.2.8.4

1 Comment

Comment by Carolyn Coggins (Voting System Test Laboratory)

Clarify what is being requested and what requires special mention of this voting variation, while ignoring other voting variations?
4.4.4-B Operations manual, document straight party override algorithms

For systems that support straight party voting, the manufacturer SHALL document the available algorithms for counting straight party overrides.

Applies To: Straight party voting

DISCUSSION

See Requirement Part 1: 7.7.2-A.12.

Source: New requirement

4.4.4-C Operations manual, document double vote reconciliation algorithms

For systems that support write-in voting, the manufacturer SHALL document the available algorithms for reconciling write-in double votes.

Applies To: Write-ins

DISCUSSION

See Requirement Part 1: 7.7.2-A.9.

Source: New requirement

1 Comment

Comment by Carolyn Coggins (Voting System Test Laboratory)

Clarify what is being requested and what requires special mention of this voting variation, while ignoring other voting variations?

4.4.5 Operating procedures

4.4.5-A Operations manual, operating procedures

The manufacturer SHALL provide documentation of system operating procedures that:

  1. Provides a detailed description of procedures required to initiate, control, and verify proper system operation;
  2. Provides procedures that clearly enable the operator to assess the correct flow of system functions (as evidenced by system-generated status and information messages);
  3. Provides procedures that clearly enable the administrator to intervene in system operations to recover from an abnormal system state;
  4. Defines and illustrates the procedures and system prompts for situations where operator intervention is required to load, initialize, and start the system;
  5. Defines and illustrates procedures to enable and control the external interface to the system operating environment if supporting hardware and software are involved. Such information also SHALL be provided for the interaction of the system with other data processing systems or data interchange protocols;
  6. Provides administrative procedures and off-line operator duties (if any) if they relate to the initiation or termination of system operations, to the assessment of system status, or to the development of an audit trail;
  7. Supports successful ballot and program installation and control by central election officials;
  8. Provides a schedule and steps for the software and ballot installation, including a table outlining the key dates, events and deliverables; and
  9. Specifies diagnostic tests that may be employed to identify problems in the system, verify the correction of problems, and isolate and diagnose faults from various system states.

Applies To: Voting system

Source: [VSS2002] I.2.3.3.a and II.2.8.5

4.4.5-B Operations manual, VVPAT printer error recovery guidelines

Manufacturers of VVPATs SHALL provide documentation for procedures to recover from VVPAT printer errors and faults including procedures for how to cancel a vote suspended during an error.

Applies To: VVPAT

DISCUSSION

If the printer irrecoverably locks up, the vote needs to be able to be canceled, so the voter can cast a vote on another device. Alternatively, it would be okay to store the vote as is, if the vote is complete. This requirement restates [VVSG2005] I.7.9.4-k by requiring documentation for recovering from printer errors.

Source: [VVSG2005] I.7.9.4-k

1 Comment

Comment by ACCURATE (Aaron Burstein) (Academic)

This requirement will help create more effective documentation for detecting and recovering from VVPAT errors while protecting voter privacy. It should be adopted.
4.4.5-C Operations manual, Paper-roll VVPATs privacy-ensuring procedures

Manufacturers of paper-roll VVPATs SHALL provide documentation describing necessary procedures for handling the paper roll in a way that preserves voter privacy.

Applies To: VVPAT

DISCUSSION

Along with a secure, opaque container designed to accommodate tamper-seals and a lock, the voting system needs to document what must be done to protect voter privacy with the paper rolls. The goal of this requirement is to ensure that the election officials are given guidance on exactly what must be done to protect the privacy of voters.

Source: [VVSG2005] I.7.9.5-b

 

1 Comment

Comment by ACCURATE (Aaron Burstein) (Academic)

This requirement will help create more effective documentation for detecting and recovering from VVPAT errors while protecting voter privacy. It should be adopted.

4.4.6 Documentation for poll workers

Documentation for poll workers is covered under Part 1: 3.2.8 "Usability for poll workers" and 3.3.1 "General".

2 Comments

Comment by Diane Gray (Voting System Test Laboratory)

Chapter 3.3.1 is referenced as containing requirements for poll workers. Chapter 3.3.1 addresses requirements for voters.

Comment by Diane Gray (Voting System Test Laboratory)

Cited source Part 1, Sect. 3.3.1 seems to discuss the voter, not the poll worker.

4.4.7 Operations support

4.4.7-A Operations manual, operations support

The manufacturer SHALL provide documentation of system operating procedures that:

  1. Defines the procedures required to support system acquisition, installation, and readiness testing; and
  2. Describes procedures for providing technical support, system maintenance and correction of defects and for incorporating hardware upgrades and new software releases.

Applies To: Voting system

Source: [VSS2002] II.2.8.6

4.4.8 Transportation and storage

4.4.8-A Operations manual, transportation

The manufacturer SHALL include any special instructions for preparing voting devices for shipment.

Applies To: Voting system

Source: New requirement

4.4.8-B Operations manual, storage

The manufacturer SHALL include any special storage instructions for voting devices.

Applies To: Voting system

Source: [VSS2002] I.3.2.2.1

4.4.8-C Operations manual, procedures to ensure archivalness

The manufacturer SHALL detail the care and handling precautions necessary for removable media and records to satisfy Requirement Part 1: 6.5.1-A.

Applies To: Voting system

Source: New requirement

4.4.9 Appendices

The manufacturer may provide descriptive material and data supplementing the various sections of the body of the system operations manual. The content and arrangement of appendices are at the discretion of the manufacturer. Topics recommended for discussion include:

  • Glossary: A listing and brief definition of all terms that may be unfamiliar to persons not trained in either voting systems or computer operations;
  • References: A list of references to all manufacturer documents and to other sources related to operation of the system;
  • Detailed Examples: Detailed scenarios that outline correct system responses to faulty operator input. Alternative procedures may be specified depending on the system state; and
  • Manufacturer's Recommended Security Procedures: Security procedures that are to be executed by the system operator.

1 Comment

Comment by Brian V. Jarvis (Local Election Official)

Recommend that this requirement be enhanced to include (1) any general information that aids in understanding the manual(s) and (2) an alphabetical listing of all acronyms, abbreviations, and their meanings as used in the manual(s). Also, recommend that each appendix shall be referenced in the main body of the manual(s) where the data would normally have been provided.

4.5 System Maintenance Manual

4.5-A User documentation, system maintenance manual

The system maintenance manual SHALL provide information to support election workers, information systems personnel, or maintenance personnel in the adjustment or removal and replacement of components or modules in the field.

Applies To: Voting system

DISCUSSION

Technical documentation needed solely to support the repair of defective components or modules ordinarily done by the manufacturer or software developer is not required.

Source: [VSS2002] II.2.9

4.5-B Maintenance manual, general contents

The manufacturer SHALL describe service actions recommended to correct malfunctions or problems; personnel and expertise required to repair and maintain the system, equipment, and materials; and facilities needed for proper maintenance.

Applies To: Voting system

Source: [VSS2002] II.2.9

 

4.5.1 Introduction

4.5.1-A Maintenance manual, equipment overview, maintenance viewpoint

The manufacturer SHALL describe the structure and function of the hardware, firmware and software for election preparation, programming, vote recording, tabulation, and reporting in sufficient detail to provide an overview of the system for maintenance and for identification of faulty hardware or software.

Applies To: Voting system

Source: [VSS2002] II.2.9.1

4.5.1-A.1 Maintenance manual, equipment overview details

The description SHALL include a concept of operations that fully describes such items as:

  1. Electrical and mechanical functions of the equipment;
  2. How the processes of ballot handling and reading are performed (paper-based systems);
  3. For electronic vote-capture devices, how vote selection and casting of the ballot are performed;
  4. How transmission of data over a network is performed (if applicable);
  5. How data are handled in the processor and memory units;
  6. How data output is initiated and controlled;
  7. How power is converted or conditioned; and
  8. How test and diagnostic information is acquired and used.

Applies To: Voting system

Source: [VSS2002] II.2.9.1

1 Comment

Comment by Premier Election Solutions (Manufacturer)

A number of the items listed in this requirement are beyond the scope or interest of service personal and therefore should not be required to be part of the Service manual.

4.5.2 Maintenance procedures

4.5.2-A Maintenance manual, maintenance procedures

The manufacturer SHALL describe preventive and corrective maintenance procedures for hardware, firmware and software.

Applies To: Voting system

Source: [VSS2002] II.2.9.2

4.5.2.1 Preventive maintenance procedures

4.5.2.1-A Maintenance manual, preventive maintenance procedures

The manufacturer SHALL identify and describe:

  1. All required and recommended preventive maintenance tasks, including software and data backup, database performance analysis, and database tuning;
  2. Number and skill levels of personnel required for each task;
  3. Parts, supplies, special maintenance equipment, software tools, or other resources needed for maintenance; and
  4. Any maintenance tasks that must be coordinated with the manufacturer or a third party (such as coordination that may be needed for COTS used in the system).

Applies To: Voting system

Source: [VSS2002] II.2.9.2.1

4.5.2.2 Corrective maintenance procedures

4.5.2.2-A Maintenance manual, troubleshooting procedures

The manufacturer SHALL provide fault detection, fault isolation, correction procedures, and logic diagrams for all operational abnormalities identified by design analysis and operating experience.

Applies To: Voting system

Source: [VSS2002] II.2.9.2.2

4.5.2.2-B Maintenance manual, troubleshooting procedures details

The manufacturer SHALL identify specific procedures to be used in diagnosing and correcting problems in the system hardware, firmware and software. Descriptions shall include:

  1. Steps to replace failed or deficient equipment;
  2. Steps to correct deficiencies or faulty operations in software or firmware;
  3. Modifications that are necessary to coordinate any modified or upgraded software or firmware with other modules;
  4. Number and skill levels of personnel needed to accomplish each procedure;
  5. Special maintenance equipment, parts, supplies, or other resources needed to accomplish each procedure; and
  6. Any coordination required with the manufacturer, or other party, for COTS.

Applies To: Voting system

Source: [VSS2002] II.2.9.2.2

4.5.3 Maintenance equipment

4.5.3-A Maintenance manual, special equipment

The manufacturer SHALL identify and describe any special purpose test or maintenance equipment recommended for fault isolation and diagnostic purposes.

Applies To: Voting system

Source: [VSS2002] II.2.9.3

4.5.4 Parts and materials

4.5.4-A Maintenance manual, parts and materials

Manufacturers SHALL provide detailed documentation of parts and materials needed to operate and maintain the system.

Applies To: Voting system

Source: [VSS2002] II.2.9.4

4.5.4.1 Common standards

4.5.4.1-A Maintenance manual, approved parts list

The manufacturer SHALL provide a complete list of approved parts and materials needed for maintenance. This list SHALL contain sufficient descriptive information to identify all parts by:

  1. Type;
  2. Size;
  3. Value or range;
  4. Manufacturer's designation;
  5. Individual quantities needed; and
  6. Sources from which they may be obtained.

Applies To: Voting system

Source: [VSS2002] I.3.4.1.b, II.2.9.4.1

 

4.5.4.2 Paper-based systems

4.5.4.2-A Maintenance manual, parts and materials, marking devices

The manufacturer SHALL identify specific marking devices that, if used to make the prescribed form of mark, produce readable marked ballots so that the system meets the performance requirements for accuracy.

Applies To: Optical scanner

DISCUSSION

Includes pens and pencils for MCOS or the appropriate EBM for ECOS.

Source: Simplified from [VSS2002] I.3.2.4.2.3

4.5.4.2-A.1 Maintenance manual, marking devices, approved manufacturers

For marking devices manufactured by multiple external sources, the manufacturer SHALL specify a listing of sources and model numbers that satisfy these requirements.

Applies To: Voting system

Source: [VSS2002] I.3.2.4.2.3.c and II.2.9.4.2

4.5.4.2-B Maintenance manual, ballot stock specification

The manufacturer SHALL specify the required paper stock, weight, size, shape, opacity, color, watermarks, field layout, orientation, size and style of printing, size and location of vote response fields and to identify unique ballot styles, placement of alignment marks, ink for printing, and folding and bleed-through limitations for preparation of ballots that are compatible with the system.

Applies To: Paper-based device

Source: [VSS2002] I.2.3.1.3.1.c, I.3.2.4.2.1.c, II.2.9.4.2

4.5.4.2-C Maintenance manual, ballot stock specification criteria

User documentation for optical scanners SHALL include specifications for ballot materials to ensure that votes are read from only a single ballot at a time, without bleed-through or transferal of marks from one ballot to another.

Applies To: Optical scanner

Source: [VSS2002] I.2.3.1.3.2, revised

4.5.4.2-D Maintenance manual, printer paper specification

User documentation for voting systems that include printers SHALL include specifications of the paper necessary to ensure correct operation, minimize jamming, and satisfy Requirement Part 1: 6.4.4-B and Requirement Part 1: 6.5.1-A.

Applies To: Voting system

DISCUSSION

This requirement covers all printers, either stand-alone or integrated with another device, regardless whether they are used for reporting, for logging, for VVPR, etc.

Source: New requirement

4.5.5 Maintenance facilities and support

4.5.5-A Maintenance manual, maintenance environment

The manufacturer SHALL identify all facilities, furnishings, fixtures, and utilities that will be required for equipment maintenance.

Applies To: Voting system

Source: [VSS2002] II.2.9.5

4.5.5-B Maintenance manual, maintenance support and spares

Manufacturers SHALL specify:

  1. Recommended number and locations of spare devices or components to be kept on hand for repair purposes during periods of system operation;
  2. Recommended number and locations of qualified maintenance personnel who need to be available to support repair calls during system operation; and
  3. Organizational affiliation (e.g., jurisdiction, manufacturer) of qualified maintenance personnel.

Applies To: Voting system

Source: [VSS2002] I.3.4.5, II.2.9.5

4.5.6 Appendices

The manufacturer may provide descriptive material and data supplementing the various sections of the body of the system maintenance manual. The content and arrangement of appendices are at the discretion of the manufacturer. Topics recommended for amplification or treatment in appendix include:

  • Glossary: A listing and brief definition of all terms that may be unfamiliar to persons not trained in either voting systems or computer maintenance;
  • References: A list of references to all manufacturer documents and other sources related to maintenance of the system;
  • Detailed Examples: Detailed scenarios that outline correct system responses to every conceivable faulty operator input; alternative procedures may be specified depending on the system state; and
  • Maintenance and Security Procedures: Technical illustrations and schematic representations of electronic circuits unique to the system.

1 Comment

Comment by Brian V. Jarvis (Local Election Official)

Recommend that this requirement be enhanced to include (1) any general information that aids in understanding the manual(s) and (2) an alphabetical listing of all acronyms, abbreviations, and their meanings as used in the manual(s). Also, recommend that each appendix shall be referenced in the main body of the manual(s) where the data would normally have been provided.

4.6 Personnel Deployment and Training Requirements

4.6-A User documentation, training manual

The manufacturer SHALL describe the personnel resources and training required for a jurisdiction to operate and maintain the system.

Applies To: Voting system

Source: [VSS2002] II.2.10

4.6.1 Personnel

4.6.1-A Training manual, personnel

The manufacturer SHALL specify the number of personnel and skill levels required to perform each of the following functions:

  1. Pre-election or election preparation functions (e.g., entering an election, contest and candidate information; designing a ballot; generating pre-election reports);
  2. System operations for voting system functions performed at the polling place;
  3. System operations for voting system functions performed at the central count facility;
  4. Preventive maintenance tasks;
  5. Diagnosis of faulty hardware, firmware, or software;
  6. Corrective maintenance tasks; and
  7. Testing to verify the correction of problems.

Applies To: Voting system

Source: [VSS2002] II.2.10.1

4.6.1-B Training manual, user functions versus manufacturer functions

The manufacturer SHALL distinguish which functions may be carried out by user personnel and which must be performed by manufacturer personnel.

Applies To: Voting system

Source: [VSS2002] II.2.10.1

4.6.2 Training

4.6.2-A Training manual, training requirements

The manufacturer SHALL specify requirements for the orientation and training of administrators, central election officials, election judges, and poll workers.

Applies To: Voting system

Source: [VSS2002] II.2.10.2

1 Comment

Comment by Carolyn Coggins (Voting System Test Laboratory)

Clarify is this requirement to identify the type of training, the content of training or both.