Voluntary Voting System Guidelines VVSG 2.0 Recommendations for Requirements for the Voluntary Voting System Guidelines 2.0 February 29, 2020 Prepared for the Election Assistance Commission At the direction of the Technical Guidelines Development Committee 1 Acknowledgements Chair of the TGDC: Dr. Walter G. Copan Director of the National Institute of Standards and Technology (NIST) Gaithersburg, MD Representing the EAC Standards Board: Robert Giles Paul Lux Director Supervisor of Elections New Jersey Division of Elections Okaloosa County Trenton, NJ Crestview, FL Representing the EAC Board of Advisors: Neal Kelley Linda Lamone Registrar of Voters Administrator of Elections Orange County Maryland State Board of Election Orange County, CA Annapolis, MD Representing the Architectural and Transportation Barrier, and Compliance Board (Access Board): Marc Guthrie Sachin Pavithran Public Board Member Public Board Member Newark, OH Logan, UT Representing the American National Standards Institute (ANSI): Mary Saunders Vice President, Government Relations & Public Policy American National Standards Institute Washington, DC 2 Requirements for VVSG 2.0 February 29, 2020 Representing the Institute of Electrical and Electronics Engineers: Dan Wallach Professor, Electrical & Engineering Computer Science Rice University Houston, TX Representing the National Association of State Election Directors (NASED): Lori Augino Judd Choate Washington State Director of Elections State Elections Director Washington Secretary of State Colorado Secretary of State Olympia, WA Denver, CO Individuals with technical and scientific expertise relating to voting systems and equipment: McDermot Coutts Geoff Hale Chief Architect/Director of Technical Computer Security Expert Development Washington, DC Unisyn Voting Solutions Vista, CA Diane Golden David Wagner Program Coordinator Professor, Electrical & Engineering Association of Assistive Technology Act Computer Science Programs University of California-Berkeley Grain Valley, MO Berkeley, CA 3 Requirements for VVSG 2.0 February 29, 2020 Public Working Groups discussed and developed guidance to inform the development of requirements for the VVSG. The Election Process Working Groups: Pre-Election, Election, and Post-Election Process Working Groups performed a great deal of up-front work to collect locale-specific election process information and, from that, to create coherent process models. The Interoperability Working Group handled voting system interoperability including common data format (CDF) modeling and schema development. The Human Factors Working Group handled human factors-related issues including accessibility and usability. The Cybersecurity Working Group handled voting system cybersecurity-related issues include various aspect of security control and auditing capabilities. The Testing Working Group handled voting system testing-related issues including what portions of the new VVSG need to be tested and how to test them. 4 Requirements for VVSG 2.0 February 29, 2020 Executive Summary The United States Congress passed the Help America Vote Act of 2002 (HAVA) to modernize the administration of federal elections and to establish the U.S. Election Assistance Commission (EAC) to provide guidance to the states in their efforts to comply with the HAVA administrative requirements. Section 202 of HAVA directs the EAC to adopt voluntary voting system guidelines, and to provide for the testing, certification, decertification, and recertification of voting system hardware and software. The purpose of the guidelines is to provide a set of specifications and requirements against which voting systems can be tested to determine if they provide all the basic functionality, accessibility, and security capabilities required of voting systems. This document, the Voluntary Voting System Guidelines Version 2.0 Requirements (referred to herein as the Guidelines or VVSG 2.0), is the fifth iteration of national level voting system standards. The Federal Election Commission published the first two sets of federal standards in 1990 and 2002. The EAC then adopted Version 1.0 of the VVSG on December 13, 2005. In an effort to update and improve version 1.0 of the VVSG, on March 31, 2015, the EAC commissioners unanimously approved VVSG 1.1. The VVSG 2.0 is a departure from past versions in that a set of principles and associated guidelines were first developed to describe how, at a high-level, voting systems should be designed, developed, and how they should operate. The VVSG 2.0 requirements were then derived from those principles and guidelines. The VVSG 2.0 Requirements fits within a framework of documents under the EAC voting system certification program that include: VVSG 2.0 Principles and Guidelines VVSG 2.0 Requirements VVSG 2.0 Testing and Certification Manual The Guidelines were designed to meet the challenges ahead, to replace decade’s old voting machines, to improve the voter experience, and provide necessary safeguards to protect the integrity of the vote. All sections of the prior VVSG have been reviewed, rethought, and updated to meet modern expectations about how voters should interact with the voting system and how voting systems should be designed and developed. The VVSG 2.0 requirements represent the latest in both industry and technology best practices, requiring significant updates in many aspects of voting systems. The Guidelines allow for an improved and consistent voter experience, enabling all voters to vote privately and independently, ensuring votes are marked, verified and cast as intended, and that the final count represents the true will of the voters. Federal accessibility standards, Section 508, and Web Content Accessibility Guidelines are referenced and highlighted. Voter interface requirements have been updated to incorporate recent usability research and 5 Requirements for VVSG 2.0 February 29, 2020 interactions that result from modern devices and now fully support accessibility throughout the voting process. The cybersecurity of voting systems has never been more important. Indeed, attacks from nation state actors on our elections infrastructure in 2016 led to a critical infrastructure designation. To limit the attack surface on voting systems, the Guidelines require that any election system, such as an e-pollbook or election reporting system, be air-gapped from the voting system. To ensure the integrity of the vote, methods to detect errors through the combined use of an evidence trail and regular audits, including risk-limiting audits (RLAs), compliance audits, and ballot-level audits, are now supported. There is a dedicated section on ballot secrecy, preventing voter information from being carried through to the voting system, and two-factor authentication is now mandated for critical voting operations. Cryptographic protection of data and new system integrity requirements ensure that security protections developed by industry over the past decade are built into the voting system. These include risk assessment and supply chain risk management, secure configurations and system hardening, exploit mitigation, sandboxing and runtime integrity. The VVSG 2.0 requires the voting system to include the capability to use common data formats defined by NIST and public working groups. The common data formats were created to make election data more transparent and interoperable. These formats can be used in addition to any native formats used by the manufacturer. Defensive coding practices, reliability and electrical requirements were reviewed, updated, and streamlined. Finally, guidance relevant to testing and certification has been moved to the EAC’s testing and certification manual. This document was produced by the EAC’s Technical Guidelines Development Committee (TGDC) working in conjunction with the National Institute of Standards and Technology (NIST) to aid in developing guidelines for voting equipment and technologies for making accessible, accurate and secure elections possible. 6 Requirements for VVSG 2.0 February 29, 2020 Table of Contents Acknowledgements ............................................................................................................. 2 Executive Summary ............................................................................................................. 5 Introduction ........................................................................................................................ 9 How the VVSG is to be Used ............................................................................................... 9 Scope ................................................................................................................................. 10 Implications for Networking and Remote Ballot Marking .......................................... 12 External Network Connections ......................................................................................... 12 Remote Ballot Marking ..................................................................................................... 13 Internal Wireless Networks .............................................................................................. 13 Major changes from VVSG 1.1 to VVSG 2.0 ............................................................... 14 VVSG document structure ........................................................................................ 17 Conformance Information ...............................................................................................