Voting System Certification Documents


This document represents a draft revision of the Election Assistance Commission's (EAC) 2005 Voluntary Voting System Guidelines (VVSG) Version 1.0. It has been prepared by the National Institute of Standards and Technology (NIST) for the EAC, and does not represent a consensus view or recommendation from NIST, nor does it represent any policy positions of NIST.

This document consists of the VVSG Version 1.0, revised with new material mostly from the Technical Guidelines Development Committee (TGDC) VVSG Recommendations to the EAC of August 31, 2007. It also contains changes to the 2005 VVSG material as a result of EAC decisions on Requests for Interpretation (RFI) of requirements in the 2005 VVSG. This document has been highlighted in places where changes have been made, new material has been added, or previous material has been deleted. Typos and formatting issues in the previous material that have been corrected are not highlighted.

Background

The Election Assistance Commission (EAC) requested that NIST investigate whether certain requirements in the 2007 TGDC Recommendations could be integrated with or replace current requirements in the 2005 VVSG in order to improve the overall quality and uniformity of testing for voting systems and to make key improvements in the 2005 VVSG while the TGDC Recommendations is in public review. The EAC also requested that the requirements be accompanied by tests being developed by NIST as part of its test suites for the TGDC Recommendations. Other criteria used to identify candidate requirements from the TGDC Recommendations included that they

• would not require hardware changes to current voting systems,

• would not require complex changes in software to current voting systems, and

• would not substantially change the structure of the VVSG 2005.

The EAC, with initial input from NIST (see http://vote.nist.gov/EACResearchAmendedVVSG-2005-20081030.pdf), selected the requirements from the TGDC Recommendations to include in the 2005 VVSG revision. The EAC and NIST then reviewed comments received from the public review of the TGDC Recommendations (which ended in April, 2008) and revised the TGDC Recommendations requirements accordingly. Using this material, NIST then revised the 2005 VVSG Version 1.0.

Overview of Revisions

The following list identifies the major sections of material in this draft that are revised with updated material from the TGDC Recommendations. Items 10, Cryptography, and 11, External Interface Requirement, identify newly developed material.

1. Hardware and Software Performance Benchmarks and Test Method

• Volume I Section 2.1.2, added a requirement to clarify that the accuracy benchmark is not intended to allow tolerance of software faults that result in systematic miscounting of votes.

• Volume I Section 4.1.1 is replaced by Part 1 Section 6.3.2 (Accuracy) of the TGDC Recommendations.

• Volume I Section 4.1.5.1.e.ii (under Ballot Handling) and 4.1.5.2.f (under Ballot Reading Accuracy) of the 2005 VVSG are replaced by Part 1 Section 6.3.3 (Misfeed Rate) of the TGDC Recommendations. Previous versions of the VVSG specified separate and different benchmarks for multiple feeds and the rejection of ballots that meet all vendor specifications. These separate benchmarks have now been merged into a single "misfeed" benchmark because there is no consequential difference in the impact of these events nor in the recovery behaviors that are required of the voting system. Scanners are not permitted to feed multiple ballots and fail to detect this occurrence (Volume I Req. 4.1.5.1.e).

• Volume I Section 4.3.3 is replaced by new requirements on reliability based on the use case in the TGDC Recommendations, and all requirements on availability and maintainability (I.4.3.4, I.4.3.5, I.6.2.4, I.6.2.5, one paragraph of II.2.4.1, II.4.7.2, and II.4.7.5) are deleted. A conflicting requirement in Volume I Section 4.1.4.3 is also deleted. Harmonizing changes are made in Volume II Sections 1.3.1.2, 1.8.2.6, 2.4.1, and 4.7.2.

• Volume II Sections 1.8.2.3 and 4.5 of the 2005 VVSG are partially harmonized with Part 3 Section 2.5.3 of the TGDC Recommendations to restrict the use of test fixtures that bypass portions of the voting system.

• Volume II Appendix C is replaced by a test method based on Part 3 Section 5.3 of the TGDC Recommendations, which is applicable to the assessment of accuracy and misfeed rate. Volume II Section 4.7.1.1 (accuracy testing information previously included within the specification of the Temperature and Power Variation Tests) is made redundant and deleted.

2. Quality Assurance and Configuration Management

• Requirement I.4.3.4.a is deleted (redundant with added material).

• Volume I Chapter 8 is replaced by Part 1 Section 6.4.2 of the TGDC Recommendations.

• Volume I Chapter 9 is deleted.

• Volume II Section 2.11 is deleted. It is replaced by a new section in Volume II Part 2 Chapter 2 of the TGDC Recommendations.

• Volume II Section 2.12 is replaced by Physical Configuration Audit (PCA) and Functional Configuration Audit (FCA) requirements that were displaced from Volume I Section 9.7.

• Volume II Chapter 7 is replaced by Part 3 Section 4.4 of the TGDC Recommendations.

3. Software Workmanship

• Volume I Section 5.2 of the 2005 VVSG is replaced by Part 1 Sections 6.4.1 through 6.4.1.8 of the TGDC Recommendations, and redundant material is removed from Volume I Section 5.1.

• Volume II Section 5.4 of the 2005 VVSG is replaced by Part 3 Section 4.5.1 of the TGDC Recommendations.

• Volume II Section 1.8.2.6 (Certification Test Practices) of the 2005 VVSG is harmonized with Part 3 Section 2.5.5 of the TGDC Recommendations to clarify the handling of logic defects.

• Volume II Sections 1.3.1.3, 1.7.1.2 and 5.2 are harmonized with the changes to Volume I Chapter 5.

4. Test Plan and Test Report - Appendices A and B of Volume II of the 2005 VVSG are harmonized with the current EAC manuals and NOC 09-001.

5. TDP and Voting Equipment User Documentation – Volume II Section 2.1.1.1 of the 2005 VVSG is revised to include an outline of the TDP and the Voting Equipment User Documentation that is based on the TGDC Recommendations. Miscellaneous TDP requirements are added or modified to correct problems.

6. (Non-EMC) Environmental Hardware

• Volume I Section 4.1.2.13 (Environmental Control – Operating Environment) of the 2005 VVSG is revised with an operational temperature and humidity test requirement, with temperatures ranging from 41 °F to 104 °F (5 °C to 40 °C) and relative humidity from 5% to 85%, non-condensing.

• Volume II Section 4.7.1 (Temperature and Power Variation Tests) is replaced with requirements for testing according to appropriate procedures of MIL-STD-810D. Most of the previous text in this section was devoted to test materials, including detailed test scenarios, which will be included in the test materials for the final version of the VVSG 1.1.

7. Human Factors Requirements – The usability and accessibility requirements in Volume I Section 3 of the 2005 VVSG are replaced with requirements from Part 1 Chapter 3 of the TGDC Recommendations, with the exception of Chapter 3’s performance benchmark requirements. Part 1 Chapter 3 of the TGDC Recommendations is primarily a maintenance level upgrade to the 2005 VVSG with minor modifications, clarifications, and a few additions including performance and poll worker usability requirements. (The 2005 VVSG Section 3 was mostly new material based on research, best practices, and standards relating to human factors and the design of user interfaces as they apply to voting systems.)

8. System Security Documentation Requirements - Security documentation requirements in Volume II Section 2.6 (Security Documentation) of the 2005 VVSG are revised with requirements from Part 2 Section 3.5 (System Security Specification) of the TGDC Recommendations. The new requirements include high-level security descriptions of the voting system and specific areas including

• Access control,

• Software installation security,

• System event logging,

• Physical security,

• Setup inspection, and

• Cryptography.

9. Electronic Records - Section 2.4.4 (Electronic Records) has been added to Volume I Section 2 (Functional Requirements) of the 2005 VVSG; it contains requirements from Part 1 Chapter 4.3 (Electronic Records) of the TGDC Recommendations. These requirements cover the electronic reports generated by the voting system, including specific reports for tabulators and Election Management Systems (EMS).

10. Voter Verified Paper Audit Trails (VVPAT) - VVPAT requirements in Volume I Sections 7.9.1 through 7.9.4 (Voter Verifiable Paper Audit Trail Requirements) are replaced with requirements from Part 1 Chapter 4.4.2 (VVPAT) of the TGDC Recommendations.

11. Cryptography - Cryptography requirements in the 2005 VVSG are revised with requirements from Part 1 Section 5.1 (Cryptography) of the TGDC Recommendations. When cryptography is used in a voting system, the requirements call for the use of a level 1 FIPS 140 validated cryptographic module (which allows software as well as hardware implementations, whereas the TGDC Recommendations allowed only hardware implementations). In addition, the new requirements require the use of NIST-approved cryptographic algorithms at the 112-bit security strength or higher.

12. External Interface Requirement - Volume I Section 7.4.6 (Software Setup Validation) of the 2005 VVSG is revised with newly developed requirements to allow an alternative method to validate software on voting systems. The requirements state that voting systems must support one of the two verification methods specified in the requirements. The current software verification method allows software to be verified after software has been installed. The alternative software verification method verifies software as it is being installed on the voting system and requires voting systems to have mechanisms to protect the software once installed.

13. EAC Requests for Interpretation (RFI) decisions - Requirements and discussion throughout the 2005 VVSG are revised based on the current set of EAC RFI decisions, from 2007-01 through 2010-08, located at /testing_and_certification/request_for_interpretations1.

14. Electronically-assisted ballot markers (EBMs) and hybrid devices – Volume I Sections 1.5.1.3, 2.3.2, 2.3.3.3, and Chapter 3 are adjusted to clarify how the requirements of the VVSG apply to EBMs and other new kinds of voting devices.

15. Minor clarifications and corrections resulting from public comments and experience in the certification program are integrated throughout the document.