TGDC Meeting, July 2011 Review of VVSG 1.1 Nelson Hastings, Ph.D. Technical Project Leader for Voting Standards, ITL

TGDC Meeting, July 2011Page 2 Background VVSG 1.1 will incorporate requirements from VVSG 2.0 draft that are not controversial and do not require hardware changes This presentation will describe the specific key requirements to be included in this revision of VVSG 1.1

TGDC Meeting, July 2011Page 3 Technical Areas Accessibility and usability Core functionality Operational temperature and humidity Software workmanship Reliability and accuracy Security Electronic records Voter verifiable paper audit trail (VVPAT) Security specifications Software validation Access control Event logging

TGDC Meeting, July 2011Page 4 Usability and Accessibility Background VVSG 1.1 based on VVSG 2.0 Usability benchmark testing not included per EAC Poll worker and end-to-end accessibility requirements which require user-based testing were included

TGDC Meeting, July 2011Page 5 Revisions Based on Comments Minor changes based on public comments Simplification to color/contrast requirements based on NIST research Changes based on EAC 9/21/10 policy decisions Clarification of scope of audio/video synchronization Clarification of voter verification accessibility requirements Addition of input jack requirement for personal assistive technology

TGDC Meeting, July 2011Page 6 Additional Revisions Requested Add requirement to specify minimum size of optical scan ballot voting target area Add clarifications based on newest EAC responses to requests for interpretation RFI : Features to support accessible review of paper records RFI : Intrinsic support for all alternate languages RFI : T-Coil mode applies to audio ballot RFI : Accessibility requirements apply to EBM’s Update VVSG 1.1 test methods based on all revisions

TGDC Meeting, July 2011Page 7 Core functionality Integrate EAC RFI responses where applicable Harmonize Volume II documentation requirements with EAC manuals Add operating temperature and humidity requirement from the VVSG 2.0 draft Category 3K3 of IEC cited in IEEE P1583 draft 5.3.2b Add to scope of this revision: Address ballot-marking devices (EBMs) and hybrid devices as best can without a major rewrite

TGDC Meeting, July 2011Page 8 Software workmanship The software workmanship requirements are based on the VVSG 2.0 draft and revised in response to previous public review comments Prescriptive, language-specific style requirements are removed; published, credible coding standards must be used instead Requirements having an obvious, defensible impact on software integrity are retained and reinforced The Volume II protocol for correcting logic faults was revised This revision to clarify scoping versus commercial-off- the-shelf and related definitions

TGDC Meeting, July 2011Page 9 Reliability and Accuracy Accuracy is evaluated based on performance over the course of the entire test campaign (minus exceptions) Reliability was similar in the first public review draft, using benchmarks derived from an election official-supplied use case A California-style volume test/mock election was not included This revision: New approach to reliability (to be elaborated in a later presentation) Explicit requirement for software to be 100% accurate

TGDC Meeting, July 2011Page 10 Security Electronic Records Back-ported requirements from draft VVSG 2.0, section 4.3 Primarily summary count reports from tabulators, DREs and election management systems Includes requirement to digitally sign reports VVPAT Back-ported requirements from draft VVSG 2.0, section 4.4 Very similar to previous VVSG 1.0 VVPAT requirements Includes more specific requirements on the information that must be printed on VVPRs to support hand auditing Security specifications back-ported from VVSG 2.0 part II Integrated EAC RFI responses where applicable Notably, using NIST checklist program as a baseline for secure configurations

TGDC Meeting, July 2011Page 11 Software Validation Background- External Interface Objective: Verify that only authorized software is present on system Section includes a requirement that systems provide a means to verify software through a trusted external interface NIST received feedback that these requirements were vague and/or difficult to implement Alternative Software Validation Method in VVSG 1.1 Systems must authenticate software updates prior to applying them using digital signatures Updates include software installations, modifications and removals Systems may only implement one mechanisms for updating software Similar guidelines have since been developed for desktop/laptop computer firmware and are expected to be implemented in that industry soon Manufacturers may choose either method- digitally signed updates or the external interface- to be complaint with VVSG 1.1

TGDC Meeting, July 2011Page 12 New Security Additions After the initial public comment period, the EAC requested additional changes, including updated access control and event logging guidelines Access Control VVSG 1.0 only includes basic requirements for documenting access control mechanisms Plan to back-port some VVSG 2.0 access control requirements Expected to require moderate software updates to current systems Event Logging VVSG 1.1 includes basic logging requirements in Section 5.4 Plan to back-port some VVSG 2.0 event logging requirements Effort will include protections for the event log and minimal logging requirements

TGDC Meeting, July 2011Page 13 Small Changes Clarified cryptography requirements to say systems must use FIPS validated modules and security strengths >= 112 bits Plan to remove most trusted build requirements This topic is now covered by the EAC Testing and Certification Program Manual Plan to remove some informative sections Section 7.8- A description of Independent Verification (IV) Systems without any requirements Appendix C- Descriptions of IV systems and cryptographic voting systems

TGDC Meeting, July 2011 Discussion/Questions Page 14