The Election Assistance Commission was created by the 2002
Help America Vote Act, itself a response to the punch card ballot and multiple ballot style issues that surrounded the 2000 presidential election.[1] The resulting guidelines were intended to provide consistency in the integrity of voting systems.[1]
Writing in 2013, researchers at Auburn University critiqued the guidelines as needing to be paired with funding for states to participate. They argued that the more sophisticated states participated in the voluntary certification while most adapted parts of the guidelines or opted out altogether.[1]
The
National Association of State Election Directors (NASED) begins testing voting equipment against the 1990 standards; NASED, a non-governmental entity, voluntarily offers the service to the states
2002: FEC updates 1990 Voting System Standards. Federal government does not yet test voting equipment against these standards.
NASED begins testing voting systems against the 2002 standards
HAVA transfers the responsibility of developing voting system standards from the FEC to the EAC
HAVA requires EAC to set up the federal government’s first program to test voting equipment against the federal standards.
HAVA also tasked the EAC with establishing the federal government’s first voting system certification program.
HAVA renames the voting system standards, listing them as the voluntary voting system guidelines (VVSG)
2005: the
Election Assistance Commission unanimously adopted the 2005 Voluntary Voting System Guidelines (VVSG), which significantly increase security requirements for voting systems and expand access, including opportunities to vote privately and independently, for individuals with disabilities.
2006: NASED terminates its voting system testing program
2007: EAC launches full testing and certification program
2015: The VVSG 1.1, an incremental revision to the 2005 VVSG 1.0, were unanimously approved by the Election Assistance Commission on March 31, 2015[2]
The VVSG 2.0 guidelines were release in 2021.[4] "The Guidelines allow for an improved and consistent voter experience, enabling all voters to vote privately and independently, ensuring votes are marked, verified and cast as intended, and that the final count represents the true will of the voters."[5]
The voting system
"Equipment (including hardware, firmware, and software), materials, and documentation used to enact the following functions of an election:
define elections and ballot styles,
configure voting equipment,
identify and validate voting equipment configurations,
Permit the voter to verify (in a private and independent manner) their choices before their ballot is cast and counted.
Provide the voter with the opportunity (in a private and independent manner) to change their choices or correct any error before their ballot is cast and counted.
Notify the voter if they have selected more than one candidate for a single office, inform the voter of the effect of casting multiple votes for a single office, and provide the voter an opportunity to correct their ballot before it is cast and counted.
Be accessible for individuals with disabilities in a manner that provides the same opportunity for access and participation (including privacy and independence) as for all voters.
Provide alternative language accessibility pursuant to Section 203 of the Voting Rights Act [VRA65].
Functional equipment requirements are organized as phases of running an election:
Election and Ballot Definition
Pre-election Setup and logic and accuracy (L&A) testing
Opening Polls, Casting Ballots
Closing Polls, Results Reporting
Tabulation, Audit
Storage
Requirements dovetail with cybersecurity in areas including:
Pre-election setup
Audits of barcodes versus readable content for ballot marking devices (BMDs)
Audits of scanned ballot images versus paper ballots
Audits of Cast Vote Record (CVR) creation
Content of various reports
Ability to match a ballot with its corresponding CVR
Guidance relevant to testing and certification has been moved to the EAC testing and certification manuals.
High Quality Implementation
Adds requirement to document and report on user-centered design process by developer to ensure system is designed for a wide range of representative voters, including those with and without disabilities, and election workers
Transparent
Addresses transparency from the point of view of documentation that is necessary and sufficient to understand and perform all operations
Interoperable
Ensures that devices are capable of importing and exporting data in common data formats
Requires manufacturers to provide complete specification of how the format is implemented
Requires that encoded data uses publicly available, no-cost method
Uses common methods (for example, a USB) for all hardware interfaces
Permits commercial-off-the-shelf (COTS) devices as long as relevant requirements are still satisfied
Equivalent and Consistent Voter Access
Applies to all modes of interaction and presentation throughout the voting session, fully supporting accessibility
Voter Privacy
Distinguishes voter privacy from ballot secrecy and ensures privacy for marking, verifying, and casting the ballot
Marked, Verified, and Cast as Intended
Updates voter interface requirements such as font, text size, audio, interaction control and navigation, scrolling, and ballot selections review
Describes requirements that are voting system specific, but derived from federal accessibility law
Robust, Safe, Usable, and Accessible
References, Section 508 Information and Communication Technology (ICT) Final Standards and Guidelines [USAB18] and Web Content Accessibility Guidelines 2.0 (WCAG 2.0) [W3C10]
Updates requirements for reporting developer usability testing with voters and election workers
Auditable
Focuses on machine support for post-election audits
Makes software independence mandatory
Supports paper-based and end-to-end (E2E) verifiable systems
Supports all types of audits, including risk-limiting audits (RLAs), compliance audits, and ballot-level audits
Ballot Secrecy
Includes a dedicated ballot secrecy section
Prevents association of a voter identity to ballot selections
Access Control
Prevents the ability to disable logging
Bases access control on voting stage (pre-voting, activated, suspended, post-voting)
Does not require role-based access control (RBAC)
Requires multi-factor authentication for critical operations:
Software updates to the certified voting system
Aggregating and tabulating
Enabling network functions
Changing device states, including opening and closing the polls
Deleting the audit trail
Modifying authentication mechanisms
Physical Security
Requires using only those exposed physical ports that are essential to voting operations
Ensures that physical ports are able to be logically disabled
Requires that all new connections and disconnections be logged
Data Protection
Clarifies that there are no hardware security requirements (for example, TPM (trusted platform module))
Requires Federal Information Processing Standard (FIPS) 140-2 [NIST01] validated cryptographic modules (except for end-to-end cryptographic functions)
Requires cryptographic protection of various election artifacts
Requires digitally signed cast vote records and ballot images
Ensures transmitted data is encrypted with end-to-end authentication
System Integrity
Requires risk assessment and supply chain risk management strategy
Removes non-essential services
Secures configurations and system hardening
Exploit mitigation (for example, address space layout randomization (ASLR) data execution prevention (DEP) and free of known vulnerabilities
Requires cryptographic boot validation
Requires authenticated updates
Ensure sandboxing and runtime integrity
Detection and Monitoring
Ensures moderately updated list of log types
Detection systems must be updateable
Requires digital signatures or allowlisting for voting systems
Requires malware detection focusing on backend PCs