
Review of VVSG 1.1

Review of VVSG 1.1. Nelson Hastings, Ph.D. Technical Project Leader for Voting Standards, ITL http://vote.nist.gov. Background. VVSG 1.1 incorporated requirements from VVSG 2.0 that are not controversial and will not require hardware changes to voting systems


Presentation Transcript


  1. Review of VVSG 1.1
     Nelson Hastings, Ph.D.
     Technical Project Leader for Voting Standards, ITL
     http://vote.nist.gov

  2. Background
     - VVSG 1.1 incorporated requirements from VVSG 2.0 that are not controversial and will not require hardware changes to voting systems
     - After the initial VVSG 1.1 public comment period, the EAC requested that additional requirements be included
       - Based on requests for interpretation (RFIs)
       - Needs of their testing and certification program
     - This presentation describes specific requirements now included in VVSG 1.1

  3. Usability and Accessibility
     - Poll worker and end-to-end accessibility requirements that require user-based testing were included
     - Integrated EAC RFI responses:
       - RFI 2009-01: Features to support accessible review of paper records
       - RFI 2009-02: Intrinsic support for all alternate languages
       - RFI 2009-5: T-Coil mode applies to audio ballot
       - RFI 2010-6: Accessibility requirements apply to Electronic Ballot Marker (EBM)

  4. Usability and Accessibility (Cont’d)
     - Simplified color/contrast requirements based on NIST research
     - Changed section headings to reflect system characteristics and interfaces:
       - Perceptual issues -> Visual display characteristics
       - Low vision -> Enhanced visual interfaces
       - Blindness -> Audio-tactile interfaces
       - Dexterity -> Alternative input and control characteristics

  5. Usability and Accessibility (Cont’d)
     - EAC policy decisions resulted in modifications to the following requirements:
       - Audio/video synchronization – scope clarification
       - Voter verification accessibility – clarification
       - Input jack requirement for personal assistive technology – new requirement
     - Sample requirement: The Acc-VS shall provide a 3.5 mm industry standard jack used to connect a personal assistive technology switch to the Acc-VS

  6. Usability and Accessibility (Cont’d)
     - Added a requirement specifying the minimum size of the optical scan ballot voting target area
     - Software used to format optical scan ballots shall constrain the size and contrast of all target areas to conform to the following requirements:
       - The target shall be no less than 3 mm across in any direction
       - The contrast ratio between the target area boundaries and the surrounding space shall be no less than 10:1

  7. Core functionality
     - Quality assurance and configuration management requirements were rewritten based on VVSG 2.0 and combined into a single chapter
     - Improved scoping of requirements to electronic ballot markers (EBMs) and hybrid devices
     - Integrated EAC RFI responses:
       - 2010-01: Update electrostatic discharge test
       - 2009-03, 2008-06: Battery back-up for central count
       - 2008-10: Update electrical fast transient test
       - 2008-07: Opening polls with nonzero totals
       - 2007-06: Reporting undervotes

  8. Operating Humidity
     - An operating humidity requirement was added based on VVSG 2.0
       - Category 3K3 of IEC 60721-3-3: Classification of environmental conditions – Part 3-3: Classification of groups of environmental parameters and their severities – Stationary use at weather-protected locations
     - Sample requirements:
       - Voting systems shall be capable of operation in temperatures ranging from 41 °F to 104 °F (5 °C to 40 °C) and relative humidity from 5% to 85%, non-condensing
       - If the system documentation states that the system can operate in humidity higher or lower than the required range, the system shall be tested to the level of humidity asserted in the documentation

  9. Software workmanship
     - Requirements revised in response to public review comments
     - Clarified applicability to Commercial Off The Shelf (COTS) software
     - Sample requirement: Application logic shall adhere to a published, credible set of coding rules, conventions or standards (herein simply called the “coding standard”) that enhance the workmanship, security, integrity, testability, and maintainability of applications

  10. Reliability
     - New benchmarks derived from the use case specified in VVSG 2.0
     - Voting devices shall satisfy the following limits on the probabilities of failures (per election)… Precinct tabulator:
       - Probability of critical failure: ≤ 10⁻⁶
       - Probability of critical or non-user-serviceable failure: ≤ 0.002452
       - Probability of failure: ≤ 0.01374
     - Requires manufacturers to use reliability engineering best practices and standards
     - The manufacturer shall assure the reliability of the voting system by applying best reliability engineering practices and standard reliability analysis methods such as failure modes and effects analysis (FMEA)

  11. Accuracy
     - New benchmark was derived from the VVSG 1.0 conformity benchmark and the back-ported VVSG 2.0 demonstration requirement
       - All systems shall achieve a report total error rate of no more than one in 125,000 (8×10⁻⁶)
     - Did not include the California-style volume test/mock election as specified in VVSG 2.0
     - Evaluates system accuracy based on performance over the course of the entire test campaign (minus exceptions)
       - When operational testing is complete, the VSTL shall calculate the report total error and report total volume accumulated across all pertinent tests

  12. Accuracy (Cont’d)
     - The error rate of “one in 125,000” is intended to allow tolerance for unpreventable hardware-related errors that occur rarely and randomly as a result of physical phenomena affecting optical scanning sensors
     - Not intended to allow tolerance of software faults that result in systematic miscounting of votes
     - So an additional requirement was included: In all systems, voting system software, firmware, and hardwired logic shall maintain absolute correctness (introduce no errors) in the recording, tabulating, and reporting of votes.

  13. Security
     - Clarified cryptography requirements to require systems to use FIPS 140-2 validated modules and security strengths >= 112 bits
     - Trusted build requirements were moved to the EAC Testing and Certification Program Manual
     - Removed two informative sections that did not contain requirements:
       - Section 7.8: A description of Independent Verification (IV) Systems
       - Appendix C: Descriptions of IV systems and cryptographic voting systems

  14. Security (Cont’d)
     - Security specifications from VVSG 2.0 Part II were added for:
       - Design and interface specification
       - Security architecture
       - Development environment specification
       - Security threat analysis
       - Security testing and vulnerability analysis documentation
     - Integrated EAC RFI 2008-03 related to operating system configuration and called out the NIST National Checklist Program Repository as a baseline for secure configurations

  15. Electronic Records
     - Back-ported requirements from VVSG 2.0, section 4.3
     - Specifies information contained in summary count reports from tabulators, DREs and election management systems, and requires electronic reports to be digitally signed
     - Sample requirement: Voting systems shall digitally sign electronic reports using NIST approved algorithms with a security strength of at least 112 bits implemented within a FIPS 140-2 level 1 or higher validated cryptographic module operating in FIPS mode

  16. Voter Verifiable Paper Audit Trail (VVPAT)
     - Back-ported requirements from VVSG 2.0, section 4.4
     - Includes more specific requirements on the information that must be printed on voter verifiable paper records to support hand auditing
     - Sample requirement: Paper-roll VVPAT voting systems shall mark paper rolls with the following:
       - Machine ID
       - Reporting context, such as precinct or election district
       - Date of election or date record printed
       - If multiple paper rolls were produced during this election on this device, the number of the paper roll (e.g., Roll #2)

  17. Software Validation
     - Goal: Verify that only authorized software is present on the system
     - VVSG 1.0 section 7.4.6 requires that systems provide a means to verify software through a trusted external interface
       - NIST received feedback that these requirements were vague and/or difficult to implement
     - Added an alternative software validation method in section 7.4.6
       - Based on guidelines developed for desktop/laptop computer firmware
       - Systems must authenticate software updates prior to applying them, using digital signatures
       - Updates include software installations, modifications and removals
     - VVSG 1.1 provides two approaches, allowing manufacturers to choose the most appropriate one for their systems
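Slides 15 and 17 both hinge on the same check: a signature verified before an electronic report is accepted or a software update is applied. The Go program below is an added example, not code from the presentation or from any VVSG implementation; it signs a constructed report with ECDSA P-256 over SHA-256 (128-bit strength under NIST SP 800-57, above the 112-bit floor) and rejects any key weaker than that floor. It assumes Go's standard crypto library, which is not by itself a FIPS 140-2 validated module; a conforming system would run the same operations inside one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// eccStrength gives the NIST SP 800-57 security strength of an EC key size.
func eccStrength(curveBits int) int {
	for _, t := range [][2]int{{512, 256}, {384, 192}, {256, 128}, {224, 112}} {
		if curveBits >= t[0] {
			return t[1]
		}
	}
	return 80 // P-192 and smaller: below the 112-bit floor
}

// SignArtifact hashes a report or update package with SHA-256 and signs the
// digest with ECDSA, returning the ASN.1 DER encoded signature.
func SignArtifact(priv *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyArtifact rejects keys below 112-bit strength, then checks the signature;
// a report is accepted or an update applied only when it returns true.
func VerifyArtifact(pub *ecdsa.PublicKey, payload, sig []byte) bool {
	if eccStrength(pub.Curve.Params().BitSize) < 112 {
		return false
	}
	digest := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // 128-bit strength
	report := []byte("constructed summary count report")       // constructed input
	sig, _ := SignArtifact(priv, report)
	fmt.Println("genuine verifies:", VerifyArtifact(&priv.PublicKey, report, sig))
	report[0] ^= 1 // simulate tampering in transit
	fmt.Println("tampered verifies:", VerifyArtifact(&priv.PublicKey, report, sig))
}
```

The same verify-before-use call guards an update package: the installer computes the digest over the package bytes and applies nothing unless VerifyArtifact returns true under the manufacturer's published key.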

  18. Access Control
     - Rewrote VVSG 1.0 section 7.2 to reflect the access control requirements found in VVSG 2.0 section 5.4
     - Sample requirements:
       - Voting system equipment that implements role-based access control shall support the recommendations for Core RBAC in the ANSI INCITS 359-2004 American National Standard for Information Technology – Role Based Access Control document
       - Voting systems shall provide a means to automatically expire passwords in accordance with the voting jurisdiction’s policies

  19. Event Logging
     - Rewrote section 2.1.5.1 of VVSG 1.0 based on the event logging requirements found in VVSG 2.0 section 5.7, but retained the VVSG 1.0 error message requirements
     - Did not specify the events to be logged
     - Sample requirements:
       - The voting system equipment shall log at a minimum the following data characteristics for each type of event: 1) system ID; 2) unique event ID and/or type; 3) timestamp; 4) success or failure of event, if applicable; 5) user ID triggering the event, if applicable; 6) resources requested, if applicable
       - Voting system equipment shall protect event log information from unauthorized access, modification and deletion
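The two sample event-logging requirements above, as an added Go example that is not from the presentation: each event carries the six minimum data characteristics, Append refuses events missing the mandatory ones, and an HMAC-SHA256 chain under a key held by the system ties each record to its predecessor, so an unauthorized modification or the deletion of a record breaks verification at that point. The key and the event values are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Event holds the minimum VVSG 1.1 per-event data plus an HMAC chaining it to the preceding event.
type Event struct {
	SystemID  string
	EventID   string // unique event ID and/or type
	Timestamp string // RFC 3339
	Success   string // "success", "failure" or "" when not applicable
	UserID    string // user who triggered the event, "" when not applicable
	Resources string // resources requested, "" when not applicable
	MAC       []byte // set by Append; not itself covered by the hash
}

// chainMAC binds an event's content (fields quoted, so separators cannot collide) to the previous MAC.
func chainMAC(key, prev []byte, e Event) []byte {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%x\n%q|%q|%q|%q|%q|%q", prev, e.SystemID, e.EventID, e.Timestamp, e.Success, e.UserID, e.Resources)
	return m.Sum(nil)
}

// Append rejects events missing mandatory fields and chains the rest onto log.
func Append(key []byte, log []Event, e Event) ([]Event, error) {
	if e.SystemID == "" || e.EventID == "" || e.Timestamp == "" {
		return log, fmt.Errorf("event lacks system ID, event ID or timestamp")
	}
	var prev []byte
	if n := len(log); n > 0 {
		prev = log[n-1].MAC
	}
	e.MAC = chainMAC(key, prev, e)
	return append(log, e), nil
}

// Verify recomputes the chain; returns the index of the first event whose MAC fails, or -1 when intact.
func Verify(key []byte, log []Event) int {
	var prev []byte
	for i, r := range log {
		if !hmac.Equal(chainMAC(key, prev, r), r.MAC) {
			return i
		}
		prev = r.MAC
	}
	return -1
}
```

Truncating the log after its last record is not caught by the chain alone; the latest MAC (or the record count) must be anchored elsewhere, for example inside a signed summary report.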

  20. Discussion/Questions
