Silver Spring, MD –The U.S. Election Assistance Commission (EAC) announced its partnership with the Center for Internet Security, Inc. (CIS®) to pilot a technology verification program focused on non-voting election technology including electronic poll books, election night reporting websites, and electronic ballot delivery systems. The proposed program is entitled “Rapid Architecture-Based Election Technology Verification,” or RABET-V, and it relies on a risk-based approach that allows rapid verification of manufacturers' security claims.
“Congress created the EAC to serve as a national leader on election technology issues. This pilot program is an important part of a broader effort by the EAC to expand our technical program in a direction that will better serve election officials across the country,” said EAC Chairman Ben Hovland. “We are excited to play an integral role in the development of the CIS RABET-V pilot program and contribute our expertise toward its success.”
As the sole federal agency dedicated to the administration of U.S. elections, the EAC is uniquely qualified to assist states and organizations such as CIS in the development of innovative evaluation techniques and processes outside of and separate from federal certification and the Voluntary Voting System Guidelines.
“The EAC joined the project’s steering committee from the start as we see a need for jurisdictions across the U.S. to have a consistent way to evaluate the capabilities and security of manufacturers’ non-voting election technology. This program will inform the EAC on ways to complement the existing testing and certification of voting systems,” remarked EAC Vice-Chairman Don Palmer. “The current ecosystem of non-voting election technology vendors is healthy, diverse, and represents the innovative spirit of small business across our nation,” continued Vice-Chairman Palmer. “Our hope is that this pilot program will identify methods to better reduce vulnerabilities of non-voting technology, and will be a service to state and local election officials as we provide and disclose the results.”
The RABET-V pilot program supports agile software development with a verification process that anticipates and supports rapid product changes. Goals of the pilot program include incentivizing high-quality, modern design of IT systems updated in smaller, more manageable cycles at reduced cost of verification and re-verification with more reliable and consistent outcomes for purchasers of these systems.
"CIS is looking forward to working with the EAC, alongside our state, local, and industry colleagues on this pilot," said Aaron Wilson, CIS Senior Director of Election Security. "RABET-V is a unique approach that relies on each system's architecture and each provider's processes to inform risks and verify security. It is consistent with modern software development, testing, and deployment practices and will allow for changes to be verified rapidly without sacrificing security assurances."
In addition to the EAC, state election leaders from Maryland, Ohio, Wisconsin, Texas, Pennsylvania, Indiana, and the Federal Voting Assistance Program (FVAP) will participate in the pilot program. The program is supported by technical expertise from Carnegie Mellon University, the National Institute of Standards and Technology (NIST), and the Open Web Application Security Project (OWASP). Four non-voting election system manufacturers have already signed up for the pilot: Scytl, VR Systems, KNOWiNK, and VotingWorks. The project forecasts being able to provide a preliminary report to stakeholders this fall.
More information is available from CIS at https://www.cisecurity.org/blog/new-pilot-project-rabet-v-tests-security-of-election-technology/.
# # #
The U.S. Election Assistance Commission (EAC) was established by the Help America Vote Act of 2002 (HAVA). It is an independent, bipartisan commission charged with ensuring secure, accurate and accessible elections by developing guidance to meet HAVA requirements, adopting voluntary voting system guidelines, and serving as a national clearinghouse of information on election administration. EAC also accredits testing laboratories and certifies voting systems, as well as administers the use of HAVA funds. For more information, visit www.eac.gov.
The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments. We are a community-driven nonprofit, responsible for the CIS Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously refine these standards to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the cybersecurity needs of U.S. elections offices. To learn more, visit www.CISecurity.org or follow us on Twitter: @CISecurity.
CIS Contact: [email protected]