TGDC Meeting, December 2011 Review of VVSG 1.1 Nelson Hastings, Ph.D. Technical Project Leader for Voting Standards, ITL

Presentation transcript:

TGDC Meeting, December 2011 Review of VVSG 1.1 Nelson Hastings, Ph.D. Technical Project Leader for Voting Standards, ITL

Page 2: Background
- VVSG 1.1 incorporated requirements from VVSG 2.0 that are not controversial and will not require hardware changes to voting systems
- After the initial VVSG 1.1 public comment period, the EAC requested additional requirements be included
  - Based on requests for interpretations (RFIs)
  - Needs of their testing and certification program
- This presentation describes specific requirements now included in VVSG 1.1

Page 3: Usability and Accessibility
- Poll worker and end-to-end accessibility requirements that require user-based testing were included
- Integrated EAC RFI responses
  - RFI : Features to support accessible review of paper records
  - RFI : Intrinsic support for all alternate languages
  - RFI : T-Coil mode applies to audio ballot
  - RFI : Accessibility requirements apply to Electronic Ballot Marker (EBM)

Page 4: Usability and Accessibility (Cont'd)
- Simplified color/contrast requirements based on NIST research
- Changed section headings to reflect system characteristics and interfaces
  - Perceptual issues -> Visual display characteristics
  - Low vision -> Enhanced visual interfaces
  - Blindness -> Audio-tactile interfaces
  - Dexterity -> Alternative input and control characteristics

Page 5: Usability and Accessibility (Cont'd)
- EAC policy decisions resulted in modifications to the following requirements
  - Audio/video synchronization – scope clarification
  - Voter verification accessibility – clarification
  - Input jack requirement for personal assistive technology – new requirement
- Sample requirement
  - The Acc-VS shall provide a 3.5 mm industry standard jack used to connect a personal assistive technology switch to the Acc-VS

Page 6: Usability and Accessibility (Cont'd)
- Added requirement specifying minimum size of optical scan ballot voting target area
- Software used to format optical scan ballots shall constrain the size and contrast of all target areas to conform to the following requirements:
  - The target shall be no less than 3 mm across in any direction
  - The contrast ratio between the target area boundaries and the surrounding space shall be no less than 10:1

Page 7: Core functionality
- Quality assurance and configuration management requirements were rewritten based on VVSG 2.0 and combined into a single chapter
- Improved scoping of requirements to electronic ballot markers (EBMs) and hybrid devices
- Integrated EAC RFI responses
  - Update electrostatic discharge test
  - Battery back-up for central count
  - Update electrical fast transient test
  - Opening polls with nonzero totals
  - Reporting undervotes

Page 8: Operating Humidity
- An operating humidity requirement was added based on VVSG 2.0
  - Category 3K3 of IEC : Classification of environmental conditions – Part 3-3: Classification of groups of environmental parameters and their severities – Stationary use at weatherprotected locations
- Sample requirements
  - Voting systems shall be capable of operation in temperatures ranging from 41 °F to 104 °F (5 °C to 40 °C) and relative humidity from 5% to 85%, non-condensing
  - If the system documentation states that the system can operate in humidity higher or lower than the required range, the system shall be tested to the level of humidity asserted in the documentation

Page 9: Software workmanship
- Requirements revised in response to public review comments
- Clarified applicability to Commercial Off The Shelf (COTS) software
- Sample requirements
  - Application logic shall adhere to a published, credible set of coding rules, conventions or standards (herein simply called the "coding standard") that enhance the workmanship, security, integrity, testability, and maintainability of applications

Page 10: Reliability
- New benchmarks derived from the use case specified in VVSG 2.0
  - Voting devices shall satisfy the following limits on the probabilities of failures (per election)…
  - Precinct tabulator
    - Probability of critical failure: 10 6
    - Probability of critical or non-user-serviceable failure:
    - Probability of failure:
- Requires manufacturers to use reliability engineering best practices and standards
  - The manufacturer shall assure the reliability of the voting system by applying best reliability engineering practices and standard reliability analysis methods such as failure modes and effects analysis (FMEA)

Page 11: Accuracy
- New benchmark was derived from the VVSG 1.0 conformity benchmark and back-ported VVSG 2.0 demonstration requirement
  - All systems shall achieve a report total error rate of no more than one in 125,000 (8×10^-6)
- Did not include California-style volume test/mock election as specified in VVSG 2.0
- Evaluates system accuracy based on performance over the course of the entire test campaign (minus exceptions)
  - When operational testing is complete, the VSTL shall calculate the report total error and report total volume accumulated across all pertinent tests

Page 12: Accuracy (Cont'd)
- The error rate of one in 125,000 is intended to allow tolerance for unpreventable hardware-related errors that occur rarely and randomly as a result of physical phenomena affecting optical scanning sensors
- Not intended to allow tolerance of software faults that result in systematic miscounting of votes
- So an additional requirement was included
  - In all systems, voting system software, firmware, and hardwired logic shall maintain absolute correctness (introduce no errors) in the recording, tabulating, and reporting of votes.

Page 13: Security
- Clarified cryptography requirements to require systems to use FIPS validated modules and security strengths >= 112 bits
- Trusted build requirements were moved to the EAC Testing and Certification Program Manual
- Removed two informative sections that did not contain requirements
  - Section 7.8 - A description of Independent Verification (IV) Systems
  - Appendix C - Descriptions of IV systems and cryptographic voting systems

Page 14: Security (Cont'd)
- Security specifications from VVSG 2.0 part II were added for:
  - Design and interface specification
  - Security architecture
  - Development environment specification
  - Security threat analysis
  - Security testing and vulnerability analysis documentation
- Integrated EAC RFI related to operating system configuration and called out the NIST National Checklist Program Repository as a baseline for secure configurations

Page 15: Electronic Records
- Back-ported requirements from VVSG 2.0, section 4.3
- Specifies information contained in summary count reports from tabulators, DREs and election management systems; and requires electronic reports to be digitally signed
- Sample requirement:
  - Voting systems shall digitally sign electronic reports using NIST approved algorithms with a security strength of at least 112 bits implemented within a FIPS level 1 or higher validated cryptographic module operating in FIPS mode

Page 16: Voter Verifiable Paper Audit Trail (VVPAT)
- Back-ported requirements from VVSG 2.0, section 4.4
- Includes more specific requirements on the information that must be printed on voter verifiable paper records to support hand auditing
- Sample requirement: Paper-roll VVPAT voting systems shall mark paper rolls with the following:
  - Machine ID;
  - Reporting context, such as precinct or election district;
  - Date of election or date record printed;
  - If multiple paper rolls were produced during this election on this device, the number of the paper roll (e.g., Roll #2);

Page 17: Software Validation
- Goal: Verify that only authorized software is present on system
- VVSG 1.0 section requires that systems provide a means to verify software through a trusted external interface
  - NIST received feedback that these requirements were vague and/or difficult to implement
- Added an alternative software validation method in section
  - Based on guidelines developed for desktop/laptop computer firmware
  - Systems must authenticate software updates prior to applying them using digital signatures
  - Updates include software installations, modifications and removals
- VVSG 1.1 provides two approaches allowing manufacturers to choose the most appropriate one for their systems

Page 18: Access Control
- Rewrote VVSG 1.0 section 7.2 to reflect the access control requirements found in VVSG 2.0 section 5.4
- Sample requirements:
  - Voting system equipment that implements role-based access control shall support the recommendations for Core RBAC in the ANSI INCITS American National Standard for Information Technology - Role Based Access Control document
  - Voting systems shall provide a means to automatically expire passwords in accordance with the voting jurisdiction's policies

Page 19: Event Logging
- Rewrote section of VVSG 1.0 based on the event logging requirements found in VVSG 2.0 section 5.7 but retained VVSG 1.0 error message requirements
- Did not specify the events to be logged
- Sample requirements:
  - The voting system equipment shall log at a minimum the following data characteristics for each type of event: 1) system ID; 2) unique event ID and/or type; 3) timestamp; 4) success or failure of event, if applicable; 5) user ID that triggered the event, if applicable; 6) resources requested, if applicable
  - Voting system equipment shall protect event log information from unauthorized access, modification and deletion
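
The two Event Logging sample requirements can be checked mechanically; the sketch below is an added example, not part of the presentation or of VVSG 1.1. The field names, the `None`-means-not-applicable convention and the SHA-256 hash chain used to detect modification or deletion are all assumptions of this example, since the slide names the data characteristics but prescribes no record format or protection mechanism.

```python
import hashlib
import json
from datetime import datetime

# Assumed field names: the slide lists data characteristics, not a format.
REQUIRED = ("system_id", "event_id", "timestamp")
IF_APPLICABLE = ("success", "user_id", "resource")  # None = not applicable
GENESIS = "0" * 64

def record_digest(record, prev_digest):
    """SHA-256 over the previous digest plus the canonical record body."""
    body = {k: v for k, v in record.items() if k != "chain"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_digest + canonical).encode()).hexdigest()

def append_event(log, **fields):
    """Append a record whose 'chain' value links it to the one before."""
    prev = log[-1]["chain"] if log else GENESIS
    record = dict(fields)
    record["chain"] = record_digest(record, prev)
    log.append(record)

def audit_log(log):
    """Return (index, problem) findings; an empty list means a clean log."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(log):
        for name in REQUIRED:
            if rec.get(name) in (None, ""):
                findings.append((i, f"missing {name}"))
        for name in IF_APPLICABLE:
            if name not in rec:  # key must exist even when not applicable
                findings.append((i, f"missing {name}"))
        if rec.get("timestamp"):
            try:
                datetime.fromisoformat(rec["timestamp"])
            except (TypeError, ValueError):
                findings.append((i, "bad timestamp"))
        if rec.get("chain") != record_digest(rec, prev):
            findings.append((i, "chain mismatch"))
        prev = rec.get("chain") or ""
    return findings

def build_sample_log():
    """Constructed sample records, not taken from any real voting system."""
    log = []
    rows = [("e1", True, "pollworker1", "polls:open"),
            ("e2", False, "pollworker1", "report:totals"),
            ("e3", None, None, None)]
    for n, (eid, ok, user, res) in enumerate(rows):
        append_event(log, system_id="TAB-01", event_id=eid,
                     timestamp=f"2011-12-13T07:0{n}:00",
                     success=ok, user_id=user, resource=res)
    return log
```

A chain like this only makes tampering evident; it does not by itself restrict access, and removal of the newest records goes unnoticed unless the latest digest is also kept somewhere the log writer cannot alter.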

Page 20: Discussion/Questions