Major Updates of the Voluntary Voting System Guidelines 2.0


Voluntary Voting System Guidelines (VVSG) are a set of specifications and requirements against which voting systems can be tested to determine if the systems meet required standards. Some factors examined under these tests include basic functionality, accessibility, and security capabilities. HAVA mandates that EAC develop and maintain these requirements. 

On December 13, 2005, the EAC unanimously adopted the 2005 VVSG, which significantly increased security requirements for voting systems and expanded access, including opportunities for individuals with disabilities to vote privately and independently. The guidelines updated and augmented the 2002 Voting System Standards, as required by HAVA, to address advancements in election practices and computer technologies.

After adopting the 2005 VVSG, EAC tasked the Technical Guidelines Development Committee (TGDC) with developing the next iteration of the VVSG. On March 31, 2015, the commissioners unanimously approved the VVSG 1.1, which clarified the guidelines to make them more testable; enabled the National Institute of Standards and Technology (NIST) to create test suites for the proposed revisions; and improved portions of the guidelines without requiring massive programmatic changes.

Almost immediately following the adoption of VVSG 1.1, a public working group process was developed to help inform NIST and EAC on the development of the next iteration of voluntary voting system guidelines, entitled VVSG 2.0. On September 11-12, 2017, the TGDC voted on a recommendation of the VVSG 2.0 Principles and Guidelines. On February 7, 2020, the TGDC voted on a recommendation of the VVSG 2.0 Requirements to the EAC’s Acting Executive Director. NIST delivered the recommended requirements to the EAC’s Acting Executive Director on March 9, 2020. Currently, the VVSG 2.0 draft requirements are being circulated for comment from the public and the EAC’s Standards Board and Board of Advisors.

For a full text of each version of the VVSG, including drafts, and other documents pertinent to VVSG, please see below.

Gantt chart timeline: "VVSG 2.0 Implementation Tasks and Timelines"

  • NIST NVLAP Update (Feb 2021 - Dec 2021)
    • Updates to manuals
    • Updated assessor checklists
    • Lab preparedness materials and training
  • E2E Evaluation Program (May 2021 - Aug 2021)
    • Establish a program for evaluating E2E verifiable protocols
  • VVSG Lifecycle Policy (April 2021 - September 2021)
    • Establish update cadence
    • Create deprecation schedule for older standards
  • Lab Accreditation (Dec 2021 - Ongoing)
    • NVLAP accreditation
    • EAC accreditation

 


VVSG 2.0 Next Steps

NIST NVLAP update – National Voluntary Laboratory Accreditation Program

  • The NIST NVLAP program utilizes a handbook titled “NIST HANDBOOK 150-22 2008 Edition National Voluntary Laboratory Accreditation Program VOTING SYSTEM TESTING” for technical requirements and guidance for the accreditation of laboratories under NVLAP.
  • This work is happening concurrently with other VVSG 2.0 tasks mentioned here with a scheduled completion in late 2021. One of the important items in the NVLAP process is determining the competencies required by laboratory personnel to meet the upgraded VVSG 2.0 requirements.
  • A few items might be included as new competencies required of the labs. NIST and EAC are still working through the process, so not all details have been determined yet. Items being worked out include:
    • Evaluating data schemas for conformance with interoperability requirements
    • Framework for conducting penetration testing
    • Evaluating end-to-end cryptographically verifiable systems for correct protocol implementations
  • In addition to the handbook, NVLAP assessors also utilize checklists containing the technical requirements that VSTLs will be assessed against. These also require updating based on the new VVSG requirements.
  • Other additions to the NVLAP program include assessing test methods utilized by VSTLs for traceability to test assertions and updated requirements (not all requirements contain test assertions).
  • Finally, NIST will work with the EAC to create materials to help VSTLs prepare for accreditation under 2.0. These materials might include items from above such as:
    • New competency criteria
    • Traceability of test methods to test assertions and requirements
    • The contents of updated assessor checklists
    • Important differences between conformance testing in VVSG 2.0 vs. previous versions.

End-to-end verifiable protocol evaluation

  • There are currently a limited number of experts in the type of encryption required of E2E verifiable voting systems under VVSG 2.0. Accordingly, evaluating these protocols requires that the EAC engage with external partners to create the evaluation program mandated in the VVSG 2.0 requirements.
  • This work is happening concurrently with other updates mentioned herein and is scheduled to be completed by Fall 2021. The EAC is currently working with qualified partners to develop the evaluation criteria and methodologies.

VVSG lifecycle policy

VVSG lifecycle policy conversation draft

  • The EAC is creating a draft lifecycle policy for all versions (past, present, and future) that will establish the following:
    • Update cadence for the VVSG going forward
    • Deprecation of older versions of the standard and what will be allowed in terms of continued certification under these standards
    • Configuration management for handling system certifications as we transition between standards
  • This work is happening concurrently with the other updates mentioned here and is forecast to be completed by late Fall, 2021. We are in the early stages of drafting this policy and are currently engaging key stakeholders, including election officials, VSTLs, and voting system manufacturers, to try to resolve the following challenges:
    • Updating the VVSG on a regular basis (yearly, every 18 months, etc.) to ensure that the standard remains agile and responsive to the needs of acquiring jurisdictions and an ever-changing security, accessibility, and legal environment.
      • The EAC is aware that there may be implications for states that specify a particular version of VVSG in their certification rules or specify that the “latest version” be utilized for certification.
        • We would like to know if it would be better for these states if we called future versions “VVSG 2.0 Revision 1, 2, 3, etc.” of VVSG 2.1, 2.2, 2.3, etc.
      • The goal is that updates to the VVSG during this regular cycle would incorporate things like requests for interpretation, notices of clarification, errata, and other administrative changes. Additionally, various items could be added, such as additional common data formats to support more voting system functions and increase interoperability. Similarly, security requirements may be added or adjusted as new technologies emerge or standards change (such as FIPS 140-2 transitioning to 140-3).
        • All 2.x versions of the standard (2.0, 2.1, 2.2, etc.) would be “backward compatible”, meaning changes to the requirements would not require new hardware or major changes to a system’s architecture. If we need to make a change that might break this “compatibility”, that is when we would move to a new major version (e.g. VVSG 3.0).
        • Minor updates to the VVSG would not require a new lab accreditation; only moves to new major versions (e.g. VVSG 3.0) would.
        • The EAC also hopes that a regular update cycle will reduce the overhead involved in proposing, reviewing, and approving minor changes to the VVSG. The overall number of changes should be smaller and should not generate as many comments.
    • Deprecation of older versions of the standard
      • VVSG 1.0 has been in effect since 2005 and is very outdated (predates technology such as smart phones). VVSG 1.1 has been implemented since 2015 and none of our currently registered manufacturers has submitted a system for certification under 1.1. We do not want to run into the same issue with 2.0 and future versions of the VVSG.
      • The EAC’s Testing and Certification program needs a way to bridge manufacturers to the new version of the standard while not stranding current customers with systems that no longer receive updates.
        • Manufacturers without fielded systems are at somewhat of a disadvantage right now, as they need to submit systems to the latest standard while existing manufacturers continue to modify systems to the older but much better understood standard. This is an issue in terms of barriers to entry.
        • We’re reviewing all options from a “hard sunset” of VVSG 1.0 and VVSG 1.1 to something more akin to a “soft sunset” where we allow modifications to VVSG 1.0 systems in perpetuity but disallow the marketing of these systems as “EAC certified” to new customers past a certain date.
        • We would also like to establish a regular deprecation cycle for future versions of the VVSG, minor or major.
      • The T&C program needs to update the way it handles and publishes configuration information to allow for systems with components from mixed standards (some VVSG 2.0 components within an overall VVSG 1.0 system, for example). This may also apply to any future component testing.
      • Updates to program manuals and other program policy documents will not necessarily follow the same trajectory. For instance, there may be a minor update in the next few months to the program manual to address a couple of issues that have come up recently (patent disclosures during requirement drafts and a more constrained voting system manufacturer registration).

VSTL Accreditation (Lab accreditation)

  • Following the update of NIST NVLAP materials for 2.0, both NIST and the EAC will be prepared to accredit VSTLs to VVSG 2.0. This will be an interim accreditation to add 2.0 to their existing accreditation.
  • Whether or not to apply for accreditation is a business decision for each VSTL. So far, they have indicated a willingness to apply when the program is able to accredit but the reality is that they may need to conduct additional training, adjust their test methods and other program elements, or hire specialized personnel in order to obtain accreditation.
  • The EAC is ready to help ease the process with the VSTLs by sharing information with them on a regular basis as we move through the updates to the NVLAP manual and checklists or make changes to how the EAC will conduct accreditation assessments.

Approved Guidelines

Voluntary Voting System Guidelines Version 2.0

Voluntary Voting System Guidelines Version 1.1

Voluntary Voting System Guidelines Version 1.0 (2005)

2002 Voting System Standards

Prior to the passage of HAVA, voting systems were assessed and qualified by the National Association of State Election Directors (NASED), a nonpartisan association consisting of state level election directors nationwide. These voting systems were tested against the 1990 and 2002 voting system standards developed by the Federal Election Commission (FEC). With HAVA's enactment, the responsibility for developing voting system standards was transferred from the FEC to the U.S. Election Assistance Commission (EAC) and their new iterations are now the EAC Voluntary Voting System Guidelines.

1990 FEC Standards


Transitioning Standards

When migrating from one set of standards to another, a well-defined and well-thought-out implementation plan should be developed. Considerations for migration need to include the time it will take for manufacturers to develop to the new standards, as well as the procedural changes that need to be made within the program to allow all stakeholders to be ready for full migration. Below are documents that the EAC has developed during the transition of standards.


Drafts

Voluntary Voting System Guidelines Version 2.0 (Drafts)

These documents are undergoing a non-substantive review which includes verifying font types, spacing, identifying misspellings, and grammatical errors.

At the September 2016 TGDC Meeting, the Committee, through the Project Charter, adopted the name VVSG 2.0 for the next iteration of guidelines. Also, the Project Charter laid out the proposed structure of the document, as well as a proposed timeline. At the February 2017 TGDC Meeting, the scope of the document was unanimously decided and a draft of the guidelines was presented. 

Voluntary Voting System Guidelines Version 1.1 (Drafts)

The VVSG 1.1 was originally offered for public comment during the summer of 2009. The revisions to VVSG 1.1 were taken almost exclusively from the 2007 TGDC Recommended Guidelines. Additional changes were made to VVSG 1.1 after the initial 120-day public comment period. Then the EAC reopened the guidelines for an additional 130-day public comment period. The VVSG 1.1 was adopted on March 31, 2015.

2007 TGDC Recommended Guidelines (Drafts)

After adopting the 2005 VVSG, EAC tasked the Technical Guidelines Development Committee (TGDC) with developing the next iteration of the VVSG. The TGDC delivered its draft recommendations to the EAC in August of 2007. After receiving the TGDC's recommendations, the EAC put them out for public comment. The public comment period ended in May 2008 with the EAC receiving more than 3000 comments. Based on those comments and input from a variety of stakeholders, EAC decided to issue proposed revisions to the 2005 VVSG.

Election Operations Assessment

The goal of the Election Operations Assessment is to produce a scientifically-founded risk assessment tool that will facilitate informed decision making by EAC and its Technical Guidelines Development Committee (TGDC) when developing voluntary voting system guidelines. 

Miscellaneous Information