NIST HAVA-Related Work: Status and Plans June 16, 2005 National Institute of Standards and Technology

6/10/ page 2 Voluntary Voting System Guidelines (VVSG) Implementation Strategy Develop best long-term voting systems guidelines possible Build on strengths of 2002 VSS Significantly enhance areas needing improvement Reorganize for clarity and testability Provide guidance to states in time for 2006 election cycle Implied need to minimize changes to 2000 to VSS while filling in 2002 VSS gaps Implied need to require only what is possible by 2006 Thus, two guidelines developed: VVSG Version 1 – augmented 2002 VSS for 2006 VVSG Version 2 – new, redesigned guideline

6/10/ page 3 Overview of NIST Work NIST worked with Technical Guidelines Development Committee (TGDC) to augment 2002 VSS NIST/TGDC developed augmented version of Voluntary Voting System Guidelines (VVSG Version 1) in open process, Sep ’04 – May ’05 NIST delivered VVSG Version 1 to EAC on May 9 NIST now vetting outline for VVSG Version 2 with TGDC NIST will work with TGDC subcommittees on VVSG Version 2 development, plan future meetings (next is Sep ’05)

6/10/ page 4 VVSG Version 1 Overview Two volumes Volume I, the performance provisions of the guidelines Volume II, how conformance is to be tested Improves the 2002 VSS by addressing Human Factors VVPAT (Voter Verified Paper Audit Trails) Wireless Software Distribution and Setup Validation Conformance, Glossary, Error Rates Sets stage for VVSG Version 2 (under development) Expanded Human Factors Independent Dual Verification

6/10/ page 5 VVSG Version 2 A comprehensive standards guideline A complete rewrite of 2002 VSS with updated and expanded material 4 Volumes: Product requirements Terminology Requirements for data from vendor to be provided to testing lab Testing requirements Will draw from VSS, IEEE P1583, Federal and other standards Will include material from VVSG Version 1 and other material as directed by TGDC resolutions from Jan ’05

6/10/ page 6 VVSG Version 1 and 2 Current Status VVSG Version 1 delivered to EAC May 9, 2005 NIST will monitor public comments on VVSG Version 1 while working on VVSG Version 2 VVSG Version 2 outline has been developed; NIST and TGDC working to create final version of outline Research underway: Meetings with vendors Working with usability and accessibility experts Threat analysis development Preliminary requirements development

6/10/ page 7 Detailed Presentation Outline NIST HAVA Responsibilities Current status of voting work at NIST Overview of Voluntary Voting Systems Guidelines Version 1 (VVSG Version 1) Plans for VVSG Version 2 Comments/Questions

6/10/ page 8 NIST HAVA Responsibilities Chair the Technical guidelines development committee (TGDC) Provide technical support to the TGDC in the development of Voluntary Voting System Guidelines (VVSG) including: Security Methods to detect and prevent fraud Human factors, including technologies for individuals with disabilities Deliver initial VVSG to EAC 9 months after TGDC appointments (May 9, 2005)

6/10/ page 9 Voluntary Voting System Guidelines (VVSG) Implementation Strategy Develop best long-term voting systems guidelines possible Build on strengths of 2002 VSS Significantly enhance areas needing improvement Reorganize for clarity and testability Provide guidance to states in time for 2006 election cycle Implied need to minimize changes to 2000 to VSS while filling in 2002 VSS gaps Implied need to require only what is possible by 2006 Thus, two guidelines developed: VVSG Version 1 – augmented 2002 VSS for 2006 VVSG Version 2 – new, redesigned guideline

6/10/ page 10 NIST/TGDC Activities - 1 July 2004: 1 st TGDC meeting Organizational, divided into 3 subcommittees: Human factors and privacy Core requirements and testing Security and transparency Sep 2004: information gathering meeting for the TGDC Heard public input from voting officials, vendors October 2004: posted voting software hashes For use by state and local officials Used NIST national software reference library

6/10/ page 11 NIST/TGDC Activities - 2 January 2005: VVSG Version 1 organization Discussed, adopted 35 resolutions affecting development of VVSG Version 1 and VVSG Version 2 EAC requests NIST develop VVPAT requirements March 2005: VVSG Version 1 preliminary drafts Commented on presentations, materials from NIST staff EAC requests additional security material for VVSG Version 1 April 2005: final draft and VVSG Version 1 adoption Commented on final materials from NIST staff NIST directed to make final edits and deliver to EAC May 9, 2005: VVSG Version 1 delivered to EAC

6/10/ page 12 Current Status NIST presented the VVSG Version 1 to the TGDC during April meetings NIST updated VVSG Version 1 with TGDC edits, delivered to EAC on May 9 NIST now vetting outline for VVSG Version 2 with TGDC NIST will work with TGDC subcommittees on VVSG Version 2 development, plan future meetings (next is Sep’05) NIST planning to monitor public comments on VVSG Version 1 while writing VVSG Version 2

6/10/ page 13 VVSG Version 1 Overview Two volumes Volume I, the performance provisions of the guidelines Volume II, the testing specification Improves the 2002 VSS by addressing Human Factors VVPAT Wireless Software Distribution and Setup Validation Conformance, Glossary, Error Rates Sets stage for new version under development Expanded Human Factors Independent Dual Verification

6/10/ page 14 Major Organizational Changes in VVSG Version 1 1. Best Practices for Voting Officials 2. Voting Process 3. Structure of Requirements

6/10/ page 15 Best Practices for Voting Officials VSS 2002 contained requirements for voting systems and testing entities Requirements in VVSG Version 1 for wireless, VVPAT, human factors, etc. depend on voting officials developing and carrying out appropriate procedures VVSG Version 1 contains best practices for voting officials These are not testable and conformance can not be determined Best Practices for Voting Officials are contained in Appendix C of Volume I

6/10/ page 16 Voting Process VSS 2002 defined three major stages of voting Pre-voting Voting Post-voting New sections designate which stage the requirements pertain to VVSG Version 2 will contain a more detailed voting process model

6/10/ page 17 Structure of Requirements New sections of the VVSG Version 1 contain a more structured approach Each requirement is numbered according to a hierarchical scheme Higher level requirements are supported by lower level requirements Higher level requirements may not be directly testable but can be “indirectly” tested via their lower level requirements

6/10/ page 18 New Material in VVSG Version 1 1. Conformance Clause 2. Human Factors 3. Security Overview – IDV Systems 4. VVPAT 5. Wireless 6. Software Distribution/Setup Validation 7. Glossary 8. Error Rates

6/10/ page 19 Conformance Clause VSS-2002 did not include a conformance clause Conformance: the fulfillment by a product, process, or service of requirements as specified in a standard or specification The conformance clause of a standard specification is a high-level description of what is required of implementers and developers Refers to other parts of the standard Specifies minimal requirements for certain functions and implementation-dependent values Specifies the permissibility of extensions, options, and alternative approaches and how they are to be handled

6/10/ page 20 Human Factors The VSS-2002, Volume 1 Section 2.2.7, addressed Accessibility; Section addressed Human Engineering—Controls and Displays; Appendix C addressed Usability VVSG Version 1 replaces these items with a new Section that addresses Human Factors including accessibility, usability, and limited English proficiency Incorporates the two NASED Technical Guides (Guide #1 and Guide #2) VVSG Version 2 will contain performance-based requirements (specifies how voting systems must perform)

6/10/ page 21 Human Factors 4 Areas: Accessibility Usability Limited English Proficiency Privacy Based on current state of the art Require more advanced accessibility but still in industry state of the art Synchronized audio and video Performance measures for usability

6/10/ page 22 Security Overview New security Section 6.0, with 4 parts: Overview of Independent Dual Verification (IDV) voting systems (informative only, not required for 2006) VVPAT Requirements Wireless Requirements Software Distribution/Setup Validation Requirements

6/10/ page 23 Independent Dual Verification Requires voting systems to produce 2 nd record of votes for ballot record integrity and auditability Required as part of standard computerized record- keeping practices Current approaches include Split process systems Witness systems – recently marketed Cryptographic-based systems – available today VVPAT, modified Op Scan – available today New Appendix D contains in-depth IDV discussion IDV systems expected to evolve significantly in VVSG Version 2

6/10/ page 24 VVPAT The VSS-2002 contained no requirements for voter verified paper audit trails (VVPAT) Vendors, most States in need of consistent, common guidance TGDC directed by EAC to produce VVPAT guidance for States requiring VVPAT VVPAT a form of IDV VVSG does not require or endorse VVPAT Methods other than VVPAT can provide ways to achieve IDV, as explained in Security Overview NIST used CA State, IEEE standards, and enacted State legislation as initial basis

6/10/ page 25 Wireless Technology TGDC concluded that use of wireless technology introduces risk and should be approached with caution VVSG Version 1 includes new section on wireless that augments the general telecommunications requirements in Volume 1, Section 5 Requires that wireless transmissions be encrypted to protect against a variety of security problems Requires wireless to be turned on/off under controlled conditions Requires backup procedures in case wireless fails

6/10/ page 26 Software Distribution Helps to ensure correct version of voting software is used Helps to ensure voting software is set up correctly Uses NIST’s National Software Reference Library at This section of VVSG Version 1 builds on the VSS-2002 to include use of this repository and other validation mechanisms

6/10/ page 27 Glossary Common terminology forms basis for understanding requirements and for discussing improvements This glossary contains terms from the VSS-2002 and additional terms needed to understand voting and related areas, e.g., security, human factors, testing Terms in glossary include a definition and its source, and an association as to the domain for which the term applies Also available in a web-based on-line version at

6/10/ page 28 VVSG Version 2 A comprehensive standards guideline, a complete rewrite of 2002 VSS with updated and expanded material Will draw from VSS, IEEE P1583, Federal and other standards Will include material from VVSG Version 1 and other material as directed by TGDC resolutions from Jan ’05

6/10/ page 29 Major Goals for VVSG Version 2 Provide complete and comprehensive guideline for vendors and test labs Provide clear, usable requirements discussion with associated test methods Address security and human factors developments since 2002 VSS Respond to all TGDC Jan’05 resolutions

6/10/ page 30 VVSG Version 2 Overview 4 major sections: A product standard, containing general and voting- activity related requirements (e.g., setup, cast, count, …) A terminology standard (NIST glossary) A standard on data to be provided by testing authorities or the vendor A testing standard including all test methods, testing requirements, evaluation guidelines, test cases, etc.

6/10/ page 31 VVSG Version 2 Current Status Detailed outline has been developed; NIST and TGDC working to create final version of outline Research underway: Meetings with vendors Working with usability and accessibility experts Threat analysis under development Preliminary requirements development underway

6/10/ page 32 Comments/Questions