Voluntary Voting System Guidelines VVSG 2.0 Recommendations for Requirements for the Voluntary Voting System Guidelines 2.0 February 29, 2020 Prepared for the Election Assistance Commission At the direction of the Technical Guidelines Development Committee 1 Requirements for VVSG 2.0 February 29, 2020 Acknowledgements Chair of the TGDC: Dr. Walter G. Copan Director of the National Institute of Standards and Technology (NIST) Gaithersburg, MD Representing the EAC Standards Board: Robert Giles Paul Lux Director Supervisor of Elections New Jersey Division of Elections Okaloosa County Trenton, NJ Crestview, FL Representing the EAC Board of Advisors: Neal Kelley Linda Lamone Registrar of Voters Administrator of Elections Orange County Maryland State Board of Election Orange County, CA Annapolis, MD Representing the Architectural and Transportation Barrier, and Compliance Board (Access Board): Marc Guthrie Sachin Pavithran Public Board Member Public Board Member Newark, OH Logan, UT Representing the American National Standards Institute (ANSI): Mary Saunders Vice President, Government Relations & Public Policy American National Standards Institute Washington, DC 2 Requirements for VVSG 2.0 February 29, 2020 Representing the Institute of Electrical and Electronics Engineers: Dan Wallach Professor, Electrical & Engineering Computer Science Rice University Houston, TX Representing the National Association of State Election Directors (NASED): Lori Augino Judd Choate Washington State Director of Elections State Elections Director Washington Secretary of State Colorado Secretary of State Olympia, WA Denver, CO Individuals with technical and scientific expertise relating to voting systems and equipment: McDermot Coutts Geoff Hale Chief Architect/Director of Technical Computer Security Expert Development Washington, DC Unisyn Voting Solutions Vista, CA Diane Golden David Wagner Program Coordinator Professor, Electrical & Engineering Association of Assistive Technology Act Computer Science Programs University of California-Berkeley Grain Valley, MO Berkeley, CA 3 Requirements for VVSG 2.0 February 29, 2020 Public Working Groups discussed and developed guidance to inform the development of requirements for the VVSG. • The Election Process Working Groups: Pre-Election, Election, and Post-Election Process Working Groups performed a great deal of up-front work to collect locale-specific election process information and, from that, to create coherent process models. • The Interoperability Working Group handled voting system interoperability including common data format (CDF) modeling and schema development. • The Human Factors Working Group handled human factors-related issues including accessibility and usability. • The Cybersecurity Working Group handled voting system cybersecurity-related issues include various aspect of security control and auditing capabilities. • The Testing Working Group handled voting system testing-related issues including what portions of the new VVSG need to be tested and how to test them. 4 Requirements for VVSG 2.0 February 29, 2020 1 Executive Summary 2 The United States Congress passed the Help America Vote Act of 2002 (HAVA) to modernize the 3 administration of federal elections and to establish the U.S. Election Assistance Commission 4 (EAC) to provide guidance to the states in their efforts to comply with the HAVA administrative 5 requirements. Section 202 of HAVA directs the EAC to adopt voluntary voting system 6 guidelines, and to provide for the testing, certification, decertification, and recertification of 7 voting system hardware and software. 8 The purpose of the guidelines is to provide a set of specifications and requirements against 9 which voting systems can be tested to determine if they provide all the basic functionality, 10 accessibility, and security capabilities required of voting systems. This document, the Voluntary 11 Voting System Guidelines Version 2.0 Requirements (referred to herein as the Guidelines or 12 VVSG 2.0), is the fifth iteration of national level voting system standards. The Federal Election 13 Commission published the first two sets of federal standards in 1990 and 2002. The EAC then 14 adopted Version 1.0 of the VVSG on December 13, 2005. In an effort to update and improve 15 version 1.0 of the VVSG, on March 31, 2015, the EAC commissioners unanimously approved 16 VVSG 1.1. 17 The VVSG 2.0 is a departure from past versions in that a set of principles and associated 18 guidelines were first developed to describe how, at a high-level, voting systems should be 19 designed, developed, and how they should operate. The VVSG 2.0 requirements were then 20 derived from those principles and guidelines. The VVSG 2.0 Requirements fits within a 21 framework of documents under the EAC voting system certification program that include: 22 • VVSG 2.0 Principles and Guidelines 23 • VVSG 2.0 Requirements 24 • VVSG 2.0 Testing and Certification Manual 25 The Guidelines were designed to meet the challenges ahead, to replace decade’s old voting 26 machines, to improve the voter experience, and provide necessary safeguards to protect the 27 integrity of the vote. All sections of the prior VVSG have been reviewed, rethought, and 28 updated to meet modern expectations about how voters should interact with the voting system 29 and how voting systems should be designed and developed. The VVSG 2.0 requirements 30 represent the latest in both industry and technology best practices, requiring significant 31 updates in many aspects of voting systems. 32 The Guidelines allow for an improved and consistent voter experience, enabling all voters to 33 vote privately and independently, ensuring votes are marked, verified and cast as intended, and 34 that the final count represents the true will of the voters. Federal accessibility standards, 35 Section 508, and Web Content Accessibility Guidelines are referenced and highlighted. Voter 36 interface requirements have been updated to incorporate recent usability research and 5 37 interactions that result from modern devices and now fully support accessibility throughout the 38 voting process. 39 The cybersecurity of voting systems has never been more important. Indeed, attacks from 40 nation state actors on our elections infrastructure in 2016 led to a critical infrastructure 41 designation. To limit the attack surface on voting systems, the Guidelines require that any 42 election system, such as an e-pollbook or election reporting system, be air-gapped from the 43 voting system. To ensure the integrity of the vote, methods to detect errors through the 44 combined use of an evidence trail and regular audits, including risk-limiting audits (RLAs), 45 compliance audits, and ballot-level audits, are now supported. There is a dedicated section on 46 ballot secrecy, preventing voter information from being carried through to the voting system, 47 and two-factor authentication is now mandated for critical voting operations. Cryptographic 48 protection of data and new system integrity requirements ensure that security protections 49 developed by industry over the past decade are built into the voting system. These include risk 50 assessment and supply chain risk management, secure configurations and system hardening, 51 exploit mitigation, sandboxing and runtime integrity. 52 The VVSG 2.0 requires the voting system to include the capability to use common data formats 53 defined by NIST and public working groups. The common data formats were created to make 54 election data more transparent and interoperable. These formats can be used in addition to any 55 native formats used by the manufacturer. Defensive coding practices, reliability and electrical 56 requirements were reviewed, updated, and streamlined. Finally, guidance relevant to testing 57 and certification has been moved to the EAC’s testing and certification manual. 58 This document was produced by the EAC’s Technical Guidelines Development Committee 59 (TGDC) working in conjunction with the National Institute of Standards and Technology (NIST) 60 to aid in developing guidelines for voting equipment and technologies for making accessible, 61 accurate and secure elections possible. 6 Requirements for VVSG 2.0 February 29, 2020 62 Table of Contents 63 Acknowledgements ............................................................................................................. 2 64 Executive Summary ............................................................................................................. 5 65 Introduction ........................................................................................................................ 9 66 How the VVSG is to be Used ............................................................................................... 9 67 Scope ................................................................................................................................. 10 68 Implications for Networking and Remote Ballot Marking .......................................... 12 69 External Network Connections ......................................................................................... 12 70 Remote Ballot Marking ..................................................................................................... 13 71 Internal Wireless Networks .............................................................................................. 13 72 Major changes from VVSG 1.1 to VVSG 2.0 ............................................................... 14 73 VVSG document