Review of VVSG 1.1
Nelson Hastings, Ph.D.
Technical Project Leader for Voting Standards, ITL
http://vote.nist.gov
TGDC Meeting, July 2011
Slides: 14

Background
• VVSG 1.1 will incorporate requirements from the VVSG 2.0 draft that are not controversial and do not require hardware changes
• This presentation will describe the specific key requirements to be included in this revision of VVSG 1.1

Technical Areas
• Accessibility and usability
• Core functionality
  ◦ Operational temperature and humidity
• Software workmanship
• Reliability and accuracy
• Security
  ◦ Electronic records
  ◦ Voter verifiable paper audit trail (VVPAT)
  ◦ Security specifications
  ◦ Software validation
  ◦ Access control
  ◦ Event logging

Usability and Accessibility
• Background
  ◦ VVSG 1.1 based on VVSG 2.0
  ◦ Usability benchmark testing not included per EAC
  ◦ Poll worker and end-to-end accessibility requirements which require user-based testing were included

Revisions Based on Comments
• Minor changes based on public comments
• Simplification to color/contrast requirements based on NIST research
• Changes based on EAC 9/21/10 policy decisions
  ◦ Clarification of scope of audio/video synchronization
  ◦ Clarification of voter verification accessibility requirements
  ◦ Addition of input jack requirement for personal assistive technology

Additional Revisions Requested
• Add requirement to specify minimum size of optical scan ballot voting target area
• Add clarifications based on newest EAC responses to requests for interpretation
  ◦ RFI 2009-01: Features to support accessible review of paper records
  ◦ RFI 2009-02: Intrinsic support for all alternate languages
  ◦ RFI 2009-5: T-Coil mode applies to audio ballot
  ◦ RFI 2010-6: Accessibility requirements apply to EBMs
• Update VVSG 1.1 test methods based on all revisions

Core functionality
• Integrate EAC RFI responses where applicable
• Harmonize Volume II documentation requirements with EAC manuals
• Add operating temperature and humidity requirement from the VVSG 2.0 draft
  ◦ Category 3K3 of IEC 60721-3-3, cited in IEEE P1583 draft 5.3.2 b
• Add to scope of this revision: address ballot-marking devices (EBMs) and hybrid devices as well as can be done without a major rewrite

Software workmanship
• The software workmanship requirements are based on the VVSG 2.0 draft and revised in response to previous public review comments
• Prescriptive, language-specific style requirements are removed; published, credible coding standards must be used instead
• Requirements having an obvious, defensible impact on software integrity are retained and reinforced
• The Volume II protocol for correcting logic faults was revised
• This revision: clarify scoping versus commercial-off-the-shelf (COTS) software and related definitions

Reliability and Accuracy
• Accuracy is evaluated based on performance over the course of the entire test campaign (minus exceptions)
• Reliability was similar in the first public review draft, using benchmarks derived from an election official-supplied use case
• A California-style volume test/mock election was not included
• This revision:
  ◦ New approach to reliability (to be elaborated in a later presentation)
  ◦ Explicit requirement for software to be 100% accurate

Security
• Electronic Records
  ◦ Back-ported requirements from draft VVSG 2.0, section 4.3
  ◦ Primarily summary count reports from tabulators, DREs and election management systems
  ◦ Includes requirement to digitally sign reports
• VVPAT
  ◦ Back-ported requirements from draft VVSG 2.0, section 4.4
  ◦ Very similar to previous VVSG 1.0 VVPAT requirements
  ◦ Includes more specific requirements on the information that must be printed on VVPRs to support hand auditing
• Security specifications back-ported from VVSG 2.0 part II
• Integrated EAC RFI responses where applicable
  ◦ Notably, using the NIST checklist program as a baseline for secure configurations

Software Validation
• Background: External Interface
  ◦ Objective: verify that only authorized software is present on the system
  ◦ Section 7.4.6 includes a requirement that systems provide a means to verify software through a trusted external interface
  ◦ NIST received feedback that these requirements were vague and/or difficult to implement
• Alternative Software Validation Method in VVSG 1.1
  ◦ Systems must authenticate software updates prior to applying them, using digital signatures
  ◦ Updates include software installations, modifications and removals
  ◦ Systems may only implement one mechanism for updating software
  ◦ Similar guidelines have since been developed for desktop/laptop computer firmware and are expected to be implemented in that industry soon
• Manufacturers may choose either method, digitally signed updates or the external interface, to be compliant with VVSG 1.1

New Security Additions
• After the initial public comment period, the EAC requested additional changes, including updated access control and event logging guidelines
• Access Control
  ◦ VVSG 1.0 only includes basic requirements for documenting access control mechanisms
  ◦ Plan to back-port some VVSG 2.0 access control requirements
  ◦ Expected to require moderate software updates to current systems
• Event Logging
  ◦ VVSG 1.1 includes basic logging requirements in Section 5.4
  ◦ Plan to back-port some VVSG 2.0 event logging requirements
  ◦ Effort will include protections for the event log and minimal logging requirements

Small Changes
• Clarified cryptography requirements to say systems must use FIPS 140-2 validated modules and security strengths >= 112 bits
• Plan to remove most trusted build requirements
  ◦ This topic is now covered by the EAC Testing and Certification Program Manual
• Plan to remove some informative sections
  ◦ Section 7.8: a description of Independent Verification (IV) Systems without any requirements
  ◦ Appendix C: descriptions of IV systems and cryptographic voting systems

Discussion/Questions