2005 Voluntary Voting System Guidelines, 18824-18924 [06-3100]

Agencies

• Election Assistance Commission 2005
• Election Assistance Commission

[Federal Register Volume 71, Number 70 (Wednesday, April 12, 2006)]
[Notices]
[Pages 18824-18924]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 06-3100]



[[Page 18823]]

-----------------------------------------------------------------------

Part II





Election Assistance Commission





-----------------------------------------------------------------------



2005 Voluntary Voting System Guidelines; Notice

Federal Register / Vol. 71, No. 70 / Wednesday, April 12, 2006 / 
Notices

[[Page 18824]]


-----------------------------------------------------------------------

ELECTION ASSISTANCE COMMISSION 2005


2005 Voluntary Voting System Guidelines

AGENCY: United States Election Assistance Commission.

ACTION: Notice; publication of final 2005 Voluntary Voting System 
Guidelines.

-----------------------------------------------------------------------

SUMMARY: The Help America Vote Act of 2002 (HAVA) Section 231 directs 
the U.S. Election Assistance Commission (EAC) to provide for the 
testing, certification, decertification and recertification of voting 
systems. HAVA Section 221 mandates the development of voluntary voting 
system guidelines to support this process. In 2004, the EAC formed the 
Technical Guidelines Development Committee (TGDC) to create an initial 
set of recommendations for the guidelines. The Director of the National 
Institute of Standards and Technology (NIST) chairs the TGDC and NIST 
staff provides technical support for the TGDC's work. This committee of 
fifteen experts began their work in July 2004 and submitted their 
recommendations to the EAC in May 2005. EAC reviewed and revised these 
recommendations and published its proposed Voluntary Voting System 
Guidelines in June 2005, 70 FR 37378 (June 29, 2005), beginning the 
ninety-day public comment period. The Commission adopted the 2005 
Voluntary Voting System Guidelines on December 13, 2005. The Guidelines 
published here will be used to test voting systems for national 
certification.

FOR FURTHER INFORMATION CONTACT: Brian Hancock (Election Research 
Specialist), Washington, DC, (202) 566-3100, Fax: (202) 566-3127.

SUPPLEMENTARY INFORMATION:

Public Comment Process

    HAVA requires publication of the proposed guidelines for public 
comment. HAVA further mandates a public hearing about the proposed 
guidelines. In addition, the guidelines must be reviewed by the EAC 
Board of Advisors and the EAC Standards Board.
    EAC posted the proposed guidelines on its Web site and made the 
document available to the public in hardcopy and CD-ROM. Notice of the 
public comment period was published in the Federal Register. Both the 
Federal Register notice and the Web site provided instructions for 
submitting comments on-line, as well as by e-mail, postal mail and 
facsimile. EAC conducted three public hearings in the following 
locations: New York City; Pasadena, California: and Denver, Colorado. 
At these hearings, testimony was received from state and local election 
officials, the vendor community, the testing laboratories, public 
interest groups, academics, voting system experts, and members of the 
general public. All comments received were posted on the EAC Web site. 
The document was distributed to the Board of Advisors and the Standards 
Board. Each board conducted a two-day meeting to formulate 
recommendations.

Discussion of Comments

    The EAC received 6,576 comments on the guidelines. Of this number, 
4,300 were emails requesting that EAC to require voter verifiable audit 
trail capability for all electronic voting systems. The remaining 2,276 
comments covered various sections of the document. Of this set, the 
majority were submitted by individuals--776 comments. The next largest 
number of comments (684) came from system vendors, testing 
laboratories, and other corporate entities. Public interest groups 
submitted 436 comments. Election and other government officials 
submitted 218 comments, and 162 comments were submitted by academics.
    Some comments were of a general nature that did not specifically 
relate to the Guidelines document. The comments from the testing 
laboratories, system vendors and other corporate entities addressed 
voting system functional requirements and independent dual verification 
systems. Public interest groups focused their attention predominantly 
on usability and accessibility requirements for voting systems and for 
voter verifiable paper audit trails. Election officials commented on a 
variety of topics including accessibility, security, wireless 
communications, and voter verifiable paper trails. The academic 
community commented principally on security.
    Volume 1, Voting System Performance Guidelines, received a total of 
1,660 comments. The subject area that received the most comments was 
security (471), followed by the glossary (367), usability and 
accessibility (361), and voting system functional requirements (267). 
Volume 2, National Certification Testing Guidelines, received a total 
of 167 comments on a variety of topics: software testing (31), 
documentation (24), and hardware testing (11).

Consideration of Comments

    The EAC reviewed and considered each comment. In some instances, 
EAC also gathered more information and performed additional research 
regarding the suggestions. There were 404 comments requiring extensive 
research that were forwarded to the TGDC for future consideration.
    Similarly, many comments (73) dealt with election administration 
and procedural matters, which fall outside the scope of the VVSG. These 
comments were forwarded to EAC's Management Guidelines Working Group, 
which is developing a companion document covering these topics.

Changes to VVSG

    The VVSG have been enhanced in response to comments received. The 
document has been reorganized and reformatted. Usability and 
accessibility requirements were removed from the functional 
requirements section and placed in a separate section. The glossary was 
revised to clarify definitions. Information about independent 
verification systems was incorporated into the security section to 
provide context for the voter verifiable paper audit trail 
requirements. Best Practices for Election Officials (Appendix C in the 
proposed guidelines) was removed and forwarded to the Management 
Guidelines Working Group for consideration.
    The substantive changes made to the functional requirements section 
brought the language into conformance with HAVA requirements and 
clarified the technical specifications regarding environmental 
standards. Many comments about this section were carried over for 
future TGDC consideration because they related to complex topics such 
as specific testing protocols and software coding standards.
    The principal substantive changes to security requirements were as 
follows: clarification of language regarding software distribution and 
generation of reference information; clarification of wireless 
communication discussion and requirements language; revision to VVPAT 
requirements related to the topics of ``Approve or Spoil the Paper 
Record,'' ``Equipment Security and Reliability,'' ``Preserve Voter 
Privacy,'' and ``Electronic and Paper Record Structure.''
    The most significant changes overall were on the topics of 
usability and accessibility. These requirements were placed in their 
own section to reflect their importance and in anticipation that they 
will continue to expand over time. Usability requirements were placed 
first in the new section because these requirements apply to all voting 
systems. Alternative language requirements were placed under the

[[Page 18825]]

usability heading because these apply to all voting systems.
    Several requirements regarding system navigation and controls were 
made mandatory for usability, as well as the requirement for vendors to 
conduct and document summative usability testing during system 
development. Requirements for accessible voting systems, including the 
use of personal assistive devices, buttons and controls, speech quality 
for audio ballots, limited dexterity accessibility, and voter 
verifiable paper audit trail accessibility were changed from permissive 
to mandatory. In addition, summative accessibility testing and 
documentation by vendors was made mandatory. A complete discussion of 
how comments to the VVSG were handled can be found on the EAC Web site 
at www.eac.gov.

Effective Date

    The guidelines will take effect in December 2007 (24 months), at 
which time voting systems will no longer be tested against the 2002 
Voting System Standards (VSS) developed by the Federal Election 
Commission (FEC). However, states may decide to adopt these guidelines 
before the effective date and EAC anticipates being prepared to certify 
voting systems before the effective date. The effective date was 
adopted to provide testing laboratories time to prepare to test to the 
VVSG, give states time to change their respective laws and statutes 
reflecting EAC's role in the certification process and in recognition 
of efforts to develop voting systems that will meet the requirements of 
the VVSG.

Thomas R. Wilkey,
Executive Director, U.S. Election Assistance Commission.

Voluntary Voting System Guidelines

Table of Contents

Volume I Voting System Performance Guidelines

Overview Voluntary Voting System Guidelines Overview
Section 1 Introduction
Section 2 Functional Requirements
Section 3 Usability and Accessibility Requirements
Section 4 Hardware Requirements
Section 5 Software Requirements
Section 6 Telecommunications Requirements
Section 7 Security Requirements
Section 8 Quality Assurance Requirements
Section Configuration Management Requirements
Appendix A Glossary
Appendix B References
Appendix C Independent Verification Systems
Appendix D Technical Guidance for Color, Contrast, and Text Size

Volume II National Certification Testing Guidelines

Overview Voluntary Voting System Guidelines Overview
Section 1 Introduction
Section 2 Description of the Technical Data Package
Section 3 Functionality Testing
Section 4 Hardware Testing
Section 5 Software Testing
Section 6 System Integration Testing
Section 7 Quality Assurance Testing
Appendix A National Certification Test Plan
Appendix B National Certification Test Report
Appendix C National Certification Test Design Criteria

Voluntary Voting System Guidelines

Volume I

Voting System Performance Guidelines

Voluntary Voting System Guidelines Overview

Table of Contents

Voluntary Voting System Guidelines Overview
Purpose and Scope of the Guidelines
Effective Date
Summary of Changes
Volume I: Voting System Performance Guidelines Summary
Volume II: National Certification Testing Guidelines Summary
Guide to Section Locations

Voluntary Voting System Guidelines Overview

    The United States Congress passed the Help America Vote Act of 2002 
(HAVA) to modernize the administration of federal elections, marking 
the first time in our nation's history that the federal government has 
funded an election reform effort. HAVA provides federal funding to help 
the states meet the law's uniform and non-discretionary administrative 
requirements, which include the following new programs and procedures: 
(1) Provisional voting, (2) voting information, (3) statewide voter 
registration lists and identification requirements for first-time 
registrants, (4) administrative complaint procedures, and (5) updated 
and upgraded voting equipment.
    HAVA also established the U.S. Election Assistance Commission (EAC) 
to administer the federal funding and to provide guidance to the states 
in their efforts to comply with the HAVA administrative requirements. 
Section 202 directs the EAC to adopt voluntary voting system 
guidelines, and to provide for the testing, certification, 
decertification, and recertification of voting system hardware and 
software. The purpose of the guidelines is to provide a set of 
specifications and requirements against which voting systems can be 
tested to determine if they provide all the basic functionality, 
accessibility, and security capabilities required of voting systems.
    This document, the Voluntary Voting System Guidelines (referred to 
herein as the Guidelines and/or VVSG), is the third iteration of 
national level voting system standards that has been developed. The 
Federal Election Commission published the Performance and Test 
Standards for Punchcard, Marksense and Direct Recording Electronic 
Voting Systems in 1990. This was followed by the Voting Systems 
Standards in 2002.
    As required by HAVA, the EAC formed the Technical Guidelines 
Development Committee (TGDC) to develop an initial set of 
recommendations for the Guidelines. This committee of 15 experts began 
their work in July 2004 and submitted their recommendations to the EAC 
in the 9-month timeline prescribed by HAVA. The TGDC was provided with 
technical support by the National Institute for Standards and 
Technology (NIST), which was given nearly $3 million dollars by the EAC 
to complete this work.
    The EAC reviewed and revised the TGDC recommendations and, as 
required by HAVA, published the proposed Guidelines for a 90 day public 
comment period. The document was also provided to both the Board of 
Advisors and the Standards Board for their review and comment. During 
the comment period the EAC conducted 3 public hearings on the 
Guidelines in New York City, Pasadena and Denver. Over 6000 comments 
were received from the public and the Boards. Each of these comments 
was reviewed and considered by the EAC in consultation with NIST in the 
development of this final version.

Purpose and Scope of the Guidelines

    The purpose of the Voluntary Voting System Guidelines is to provide 
a set of specifications and requirements against which voting systems 
can be tested to determine if they provide all the basic functionality, 
accessibility and security capabilities required to ensure the 
integrity of voting systems. The VVSG specifies the functional 
requirements, performance characteristics, documentation requirements, 
and test evaluation criteria for the national certification of voting 
systems. The VVSG is composed of two volumes: Volume I, Voting System 
Performance Guidelines and Volume II, National Certification Testing 
Guidelines.

[[Page 18826]]

Effective Date

    The 2005 Voluntary Voting System Guidelines will take effect 24 
months after their final adoption in December 2005 by the EAC. At that 
time, all new systems submitted for national certification will be 
tested for conformance with these guidelines. In addition, if a 
modification to a system qualified or certified to a previous standard 
is submitted for national certification after this date, every 
component of the modified system will be tested against the 2005 VVSG. 
All previous versions of national standards will become obsolete at 
this time. This effective date provision does not have any impact on 
the mandatory January 1, 2006, deadline for states to comply with the 
HAVA Section 301 requirements.

Summary of Changes

    Volume I of the Guidelines, entitled Voting System Performance 
Guidelines, includes new requirements for usability, accessibility, 
voting system software distribution, generation of software reference 
information, validation of software during voting system setup, and the 
use of wireless communications. System functional requirements have 
been revised to comply with HAVA Section 301 requirements. 
Environmental criteria have been updated. This volume also includes 
requirements for a voter verifiable paper audit trail component for 
direct-recording electronic voting systems for use by states that 
require this feature. In addition, this volume includes an updated 
glossary and a conformance clause.
    Volume II of the Guidelines, entitled National Certification 
Testing Guidelines, has been revised to reflect the new EAC process for 
national certification of voting systems. This process was initiated in 
2005 and replaces the voting system qualification process conducted by 
the National Association of State Election Directors (NASED) since 
1994. In addition, revisions have been made to the testing procedures 
to reflect new requirements for the conduct of usability and 
accessibility testing. Volume II also includes an updated appendix on 
procedures for testing system error rates. Terminology in both volumes 
has been revised to reflect new terminology introduced by HAVA.

Volume I: Voting System Performance Guidelines Summary

    Volume I, the Voting System Performance Guidelines, describes the 
requirements for the electronic components of voting systems. It is 
intended for use by the broadest audience, including voting system 
developers, manufacturers and suppliers; voting system testing labs; 
state organizations that certify systems prior to procurement; state 
and local election officials who procure and deploy voting systems; and 
public interest organizations that have an interest in voting systems 
and voting system standards. It contains the following sections:
    Section I describes the purpose and scope of the Voting System 
Performance Guidelines.
    Section 2 describes the functional capabilities required of voting 
systems. This section has been revised to reflect HAVA Section 301 
requirements.
    Section 3 describes new standards that make voting systems more 
usable and accessible for as many eligible citizens as possible, 
whatever their physical abilities, language skills, or experience with 
technology. This section reflects the HAVA 301 (a)(3) accessibility 
requirements.
    Sections 4 through 6 describe specific performance standards for 
election system hardware, software, telecommunications, and security. 
Environmental criteria have been updated in Section 4.
    Section 7 describes voting system security requirements and 
includes new requirements for voting system software distribution, 
generation of software reference information, validation of software 
during system setup, and the use of wireless. It also includes 
requirements for voter verifiable paper audit trail components for 
direct-recording electronic voting systems.
    Sections 8 and 9 describe requirements for vendor quality assurance 
and configuration management practices and the documentation about 
these practices required for the EAC certification process.
    Appendix A contains a glossary of terms.
    Appendix B provides a list of related standards documents 
incorporated into the Guidelines by reference, documents used in the 
preparation of the Guidelines, and referenced legislation.
    Appendix C presents an introductory discussion of independent 
verification systems as a potential concept for future voting system 
security design.
    Appendix D contains technical guidance on color, contrast and text 
size adjustment for individuals with low vision or color blindness.

Volume II: National Certification Testing Guidelines Summary

    Volume II, the National Certification Testing Guidelines, is a 
complementary document to Volume I. Volume II provides an overview and 
specific detail of the national certification testing process, which is 
performed by independent voting system test labs accredited by the EAC. 
It is intended principally for use by vendors: test labs: and election 
officials who certify, procure, and accept voting systems. This volume 
contains the following sections:
    Section 1 describes the purpose of the National Certification 
Testing Guidelines.
    Section 2 provides a description of the Technical Data Package that 
vendors are required to submit with their system for certification 
testing.
    Section 3 describes the basic functionality testing requirements.
    Sections 4 through 6 define the requirements for hardware, software 
and system integration testing. Section 6 has been revised to reflect 
new requirements for usability and accessibility testing.
    Section 7 describes the required examination of vendor quality 
assurance and configuration management practices.
    Appendix A provides the requirements for the National Certification 
Test Plan that is prepared by the voting system test lab and provided 
to the EAC for review.
    Appendix B describes the scope and content of the National 
Certification Test Report which is prepared by the test lab and 
delivered to the EAC along with a recommendation for certification.
    Appendix C describes the guiding principles used to design the 
voting system certification testing process. It also contains a revised 
section on testing system error rates.

Volume I: Voting System Performance Guidelines

Guide to Section Locations

Section 1: Introduction
Section 2: Functional Requirements
Section 3: Usability and Accessibility Requirements
Section 4: Hardware Requirements
Section 5: Software Requirements
Section 6: Telecommunications Requirements
Section 7: Security Requirements
Section 8: Quality Assurance Requirements
Section 9: Configuration Management Requirements
Appendix A: Glossary
Appendix B: References
Appendix C: Independent Verification Systems
Appendix D: Technical Guidance for Color, Contrast, and Text Size

[[Page 18827]]

1 Introduction

Table of Contents

1 Introduction

1.1 Purpose and Scope of the Voluntary Voting System Guidelines
1.2 Use of the Voluntary Voting System Guidelines
1.3 Evolution of Voting System Standards
    1.3.1 Federal Election Commission
    1.3.2 Election Assistance Commisson
1.4 Overview of Voting System Testing
    1.4.1 The National Certification Program for Voting Systems
    1.4.2 State Certification Testing
    1.4.3 Acceptance Testing
1.5 Definitions, References, and Types of Voting Systems
    1.5.1 Definitions and References
    1.5.2 Types of Voting Systems
    1.5.2.1 Paper-Based Voting System
    1.5.2.2 Direct-Recording Electronic Voting System
    1.5.2.3 Public Network Direct-Recording Electronic Voting System
    1.5.2.4 Precinct Count Voting System
    1.5.2.5 Central Count Voting System
1.6 Conformance Clause
    1.6.1 Scope and Applicability
    1.6.2 Conformance Framework
    1.6.2.1 Applicable Entities
    1.6.2.2 Relationships Among Entities
    1.6.3 Structure of Requirements
    1.6.3.1 Conformance Language
    1.6.3.2 Categorizing Requirements
    1.6.3.3 Extensions
    1.6.4 Implementation Statement
1.7 Effective Date

1 Introduction

1.1 Purpose and Scope of the Voluntary Voting System Guidelines

    The purpose of the Voluntary Voting System Guidelines (VVSG or the 
Guidelines) is to provide a set of specifications and requirements 
against which voting systems can be tested to determine if they provide 
all the basic functionality, accessibility, and security capabilities 
required of voting systems. The VVSG specifies the functional 
requirements, performance characteristics, documentation requirements, 
and test evaluation criteria for the national certification of voting 
systems. To the extent possible, these requirements and specifications 
are described so they can be assessed by a series of defined, objective 
tests. The VVSG is composed of two volumes: Volume 1, Voting System 
Performance Guidelines; and Volume 2, National Certification Testing 
Guidelines.
    The VVSG is one of several inter-related EAC promulgated guidelines 
and programs concerned with maintaining the reliability and security of 
voting systems and the integrity of the overall election process. The 
performance of national certification testing of voting systems is 
restricted to testing labs that have been formally accredited to be 
technically competent to evaluate systems for conformance to the Voting 
System Performance Guidelines. The National Association of State 
Election Directors (NASED) initiated the independent testing authority 
accreditation program for test labs in 1994, applying the standards and 
procedures in NASED Program Handbook 9201 (Revision A). With the 
passage of the Help America Vote Act (HAVA), this responsibility 
transitioned to the Election Assistance Commission (EAC) with support 
from the National Voluntary Laboratory Accreditation Program (NVLAP). 
This program is operated by the National Institute of Standards and 
Technology (NIST), applying the standards and procedures in NIST 
Handbook 150-22, NVLAP Voting System Testing.
    The VVSG and the test lab accreditation process are essential 
components of the EAC National Certification Program for voting 
systems. This program applies the standards and procedures documented 
in the EAC voting system certification manual. HAVA Section 231 charges 
EAC with providing for the certification, decertification and 
recertification of voting systems. Under this program national 
certification is just the first step of the life cycle process of 
maintaining the reliability and security of the voting systems used in 
the nation's elections. To carry out this mandate, the EAC program will 
include monitoring of voting system performance through incident 
reporting by election officials and others. The certification program 
will maintain information on the quality assurance practices associated 
with the development and manufacturing of voting systems. When a system 
has successfully completed the certification process, the EAC program 
requires a copy of the certified voting system software to be provided 
to the National Software Reference Library operated by NIST. This will 
enable election officials to validate that the software received by 
their jurisdictions is the same as the certified version.
    The VVSG notes the need for appropriate procedures to complement 
and supplement the technical requirements for voting system 
performance. It is well known that deficiencies in election management 
and administration procedures can have just as much impact on the 
enfranchisement of voters and the outcome of elections as the 
functioning of the voting machines. The overall integrity of the 
election process depends on both of these elements working together. 
EAC and NASED have instituted a multi-year effort to develop a 
comprehensive set of election management guidelines that will 
complement the technical system guidelines, as well as cover other 
elements of the election process.
    Except as noted below, Volume I of the Guidelines applies to all 
system hardware, software, telecommunications, and documentation 
intended for use to:
     Prepare the voting system for use in an election
     Produce the appropriate ballot formats
     Test that the voting system and ballot materials have been 
properly prepared and are ready for use
     Record and count votes
     Consolidate and report election results
     Display results on-site or remotely
     Produce and maintain comprehensive audit trail data
    Some voting systems use one or more commercial off-the-shelf (COTS) 
devices (such as card readers, printers, and personal computers) or 
software products (such as operating systems, programming language 
compilers, and database management systems). These devices and products 
are exempt from certain portions of system certification testing, as 
long as they are not modified for use in the voting system.
    Volume 2 describes the testing process to provide a documented 
independent verification by an accredited testing laboratory that a 
voting system has been demonstrated to conform to the Volume 1 
requirements and therefore should receive national certification. It 
provides the specific detail about the testing process and 
documentation requirements required to support the national 
certification program.

1.2 Use of the Voluntary Voting System Guidelines

    The Guidelines are intended for use by multiple audiences to 
support their respective roles in the development, testing, and 
acquisition of voting systems:
     The accredited testing laboratories who use this 
information to develop test plans and procedures for the analysis and 
testing of systems in support of the national certification testing 
process
     State and local election officials who are evaluating 
voting systems for potential use in their jurisdictions
     Voting system designers and manufacturers who need to 
ensure that their products fulfill all these requirements so they can 
be certified

[[Page 18828]]

1.3 Evolution of Voting System Standards

1.3.1 Federal Election Commission
    The first voting system standards were issued in January 1990, by 
the Federal Election Commission (FEC). This document included 
performance standards and testing procedures for Punchcard, Marksense, 
and Direct-Recording Electronic (DRE) voting systems. These standards 
did not cover paper ballot and mechanical lever systems because paper 
ballots are sufficiently self-explanatory not to require technical 
standards and mechanical lever systems are no longer manufactured or 
sold in the United States. The FEC also did not incorporate 
requirements for mainframe computer hardware because it was reasonable 
to assume that sufficient engineering and performance criteria already 
governed the operation of mainframe computers. However, vote tally 
software installed on mainframes was covered.
    A national testing effort was initiated by NASED in 1994. As the 
system qualification process matured and qualified systems were used in 
the field, the NASED Voting Systems Board, in consultation with the 
testing labs, identified certain testing issues that needed to be 
resolved. Moreover, rapid advancements in information and personal 
computer technologies introduced new voting system development and 
implementation scenarios not contemplated by the 1990 Standards.
    In 1997, NASED briefed the FEC on the importance of keeping the 
Standards up to date. Following a requirements analysis completed in 
1999, the FEC initiated an effort to revise the 1990 Standards to 
reflect the evolving needs of the elections community. This resulted in 
the 2002 Voting Systems Standards.
    Voters and election officials who use voting systems represent a 
broad spectrum of the population, and include individuals with 
disabilities who may have difficulty using traditional voting systems. 
In developing accessibility provisions for the 2002 Voting System 
Standards, the FEC requested assistance from the Access Board, the 
federal agency in the forefront of promulgating accessibility 
provisions. The Access Board submitted technical standards to meet the 
diverse needs of voters with a broad range of disabilities. The FEC 
adopted the entirety of the Access Board's recommendations and 
incorporated them into the 2002 Voting Systems Standards.
1.3.2 Election Assistance Commission
    In 2002, Congress passed the Help America Vote Act, which 
established the U.S. Election Assistance Commission (EAC). EAC was 
mandated to develop and adopt new voluntary voting system guidelines 
and to provide for the testing, certification, and decertification of 
voting systems. HAVA also established the Technical Guidelines 
Development Committee (TGDC) with the duty of assisting the EAC in the 
development of the new guidelines. The Director of NIST chairs the 
TGDC, and NIST was tasked to provide technical support to their work. 
The TGDC delivered their initial set of recommendations to the EAC in 
May, 2005.
    The TGDC built on the foundation of the 2002 Voting Systems 
Standards and the accessibility provisions of HAVA to expand 
requirements for voting system usability and accessibility. HAVA 
mandates that voting systems shall be accessible for individuals with 
disabilities in a manner that provides the same opportunity for access 
and participation (including privacy and independence) as for other 
voters. To facilitate the ability of jurisdictions to meet these 
requirements, HAVA allows for the use of at least one direct-recording 
electronic or other voting system equipped for individuals with 
disabilities at each polling place. Implementing this provision, 
however, will not entirely eliminate the necessity of accommodating the 
needs of some disabled voters by human assistance, given the 
limitations of current technology.
    The 2005 VVSG is the culmination of sixteen months of effort by the 
TGDC, NIST and the EAC. There is still much to be done to further 
develop the technical guidelines for voting system performance, 
accessibility and usability features, and security. Further work is 
also needed for the specification of comprehensive standard test suites 
for certification testing, to include testing for usability and 
accessibility features and expanded security testing.

1.4 Overview of Voting System Testing

1.4.1 The National Certification Program for Voting Systems
    The purpose of the national certification program is to validate 
and document, through an independent testing process, that voting 
systems meet the requirements set forth in VVSG Volume 1--Voting System 
Performance Guidelines, and perform according to the vendor's 
specifications for the system. Volume 1 specifies the minimum 
functional requirements, performance characteristics, documentation 
requirements, and test evaluation criteria that voting systems must 
meet in order to receive national certification. At the time of VVSG 
2005 publication, 39 states either require national certification or 
utilize the national standards when certifying voting systems.
    National certification testing can only be performed by testing 
labs that have been accredited for demonstrated technical competence to 
test voting systems using these Guidelines. Volume 2 of the VVSG--
National Certification Testing Guidelines--provides guidance on the 
testing process and describes the associated documentation 
requirements. These tests encompass the examination of software; the 
inspection and evaluation of system documentation; tests of hardware 
under conditions simulating the intended storage, operation, 
transportation, and maintenance environments; operational tests to 
validate system performance and function under normal and abnormal 
conditions; and examination of the vendor's system development, 
testing, quality assurance, and configuration management practices. 
Certification tests address individual system components or elements, 
as well as the integrated system as a whole.
    Since 1994, testing of voting systems has been performed by 
Independent Test Authorities (ITAs) certified by NASED. Upon the 
successful completion of testing, the ITA issued a Qualification Test 
Report to the vendor and NASED. The Technical Committee of the NASED 
Voting Systems Board would review the test report and, if satisfactory, 
issue a Qualification Number. The Qualification Number remains valid 
for as long as the voting system remains unchanged.
    HAVA mandated that the certification testing process be transferred 
from NASED to EAC. National certification testing complements and 
evaluates the vendor's developmental testing and beta testing. The test 
lab is expected to evaluate the completeness of the vendor's 
developmental test program, including the sufficiency of vendor tests 
conducted to demonstrate compliance with the Guidelines as well as the 
system's performance specifications. The test lab undertakes sample 
testing of the vendor's test modules and also designs independent 
system-level tests to supplement and check those designed by the 
vendor. Although some of the certification tests are based on those 
prescribed in the Military Standards, in most cases the test conditions 
are less stringent, reflecting commercial, rather than military, 
practice.

[[Page 18829]]

    Upon review of test reports and a determination that satisfactory 
results were achieved that address the full scope of testing, EAC will 
issue a certification number that indicates the system has successfully 
completed testing by an accredited test lab for compliance with the 
Guidelines. The certification number applies to the system as a whole 
and does not apply to individual system components or untested 
configurations.
    After a system has completed initial certification testing, further 
examination of the system is required if modifications are made to 
hardware, software, or telecommunications, including the installation 
of software on different hardware. Vendors request review of 
modifications by the test lab based on the nature and scope of changes 
made. The test lab will assess whether the modified system should be 
resubmitted for certification testing and the extent of testing to be 
conducted, and then it will provide an appropriate recommendation to 
the EAC and the vendor.
    Generally, a voting system remains certified under the standards 
against which it was tested as long as no modifications requiring 
recertification have been made to the system. However, if a new threat 
to a particular voting system is discovered, it is the prerogative of 
EAC to determine which certified voting systems are vulnerable, whether 
those systems need to be retested, and the specific tests to be 
conducted. In addition, when new requirements supersede the 
requirements under which the system was certified, it is the 
prerogative of EAC to determine when systems that were certified under 
the earlier requirements will need to be re-tested to meet current 
guidelines.
1.4.2 State Certification Testing
    State certification tests are performed by individual states, with 
or without the assistance of outside consultants, to:
     Confirm that the voting system presented is the same as 
the one certified under the Guidelines
     Test for the proper implementation of state-specific 
requirements
     Establish a baseline for future evaluations or tests of 
the system, such as acceptance testing or state review after 
modifications have been made
     Define acceptance tests
    State certification test scripts are not included in the 
Guidelines, as they must be defined by the state, with its laws, 
election practices, and needs in mind. However, it is recommended that 
they not duplicate the national certification tests, but instead focus 
on functional tests and qualitative assessment to ensure that the 
system operates in a manner that is acceptable under state law. If a 
voting system is modified after state certification is completed, it is 
recommended that states reevaluate the system to determine if further 
certification testing is warranted.
    Certification tests performed by individual states typically rely 
on information contained in documentation provided by the vendor for 
system design, installation, operations, required facilities and 
supplies, personnel support and other aspects of the voting system. 
States and jurisdictions may define information and documentation 
requirements additional to those defined in the Guidelines. By design, 
the Guidelines do not address these additional requirements. However, 
national certification testing will address all the capabilities of a 
voting system stated by the vendor in the system documentation 
submitted with the testing application to the EAC, including additional 
capabilities that are not required by the states.
1.4.3 Acceptance Testing
    Acceptance tests are performed at the state or local jurisdiction 
level upon system delivery by the vendor to:
     Confirm that the system delivered is the specific system 
certified by EAC and, when applicable, certified by the state
     Evaluate the degree to which delivered units conform to 
both the system characteristics specified in the procurement 
documentation, and those demonstrated in the national and state 
certification tests
     Establish a baseline for any future required audits of the 
system
    Some of the operational tests conducted during certification may be 
repeated during acceptance testing.

1.5 Definitions, References, and Types of Voting Systems

1.5.1 Definitions and References
    The Guidelines contain terms describing function, design, 
documentation, and testing attributes of voting system hardware, 
software and telecommunications. Unless otherwise specified, the 
intended sense of technical terms is that which is commonly used by the 
information technology industry. In some cases terminology is specific 
to elections or voting systems. A glossary of terms is contained in 
Appendix A. Non-technical terms not listed in Appendix A shall be 
interpreted according to their standard dictionary definitions.
    There are a number of technical standards that are incorporated in 
the Guidelines by reference. These are referred to by title in the body 
of the document. The full citations for these publications are provided 
in Appendix B. In addition, this appendix includes other references 
that may be useful for understanding and interpretation.
1.5.2 Types of Voting Systems
    HAVA Section 301 defines a voting system as the total combination 
of mechanical, electromechanical, or electronic equipment (including 
the software, firmware, and documentation required to program, control, 
and support the equipment), that is used to define ballots; to cast and 
count votes; to report or display election results; and to maintain and 
produce any audit trail information. In addition, a voting system 
includes the practices and associated documentation used to identify 
system components and versions of such components; to test the system 
during its development and maintenance; to maintain records of system 
errors and defects; to determine specific system changes made after 
initial certification; and to make available any materials to the voter 
(such as notices, instructions, forms, or paper ballots).
    Traditionally, a voting system has been defined by the mechanism 
the system uses to cast votes and further categorized by the location 
where the system tabulates ballots. In addition to defining a common 
set of requirements that apply to all voting systems, the VVSG states 
requirements specific to a particular type of voting system, where 
appropriate. However, the Guidelines recognize that as the industry 
develops new solutions and the technology continues to evolve, the 
distinctions between voting system types may become blurred. The fact 
that the VVSG refers to specific system types is not intended to stifle 
innovations that may be based on a more fluid understanding of system 
types. However, appropriate procedures must be in place to ensure new 
developments provide the necessary integrity and can be properly 
evaluated in the certification process.
    Consequently, vendors that submit a system that integrates 
components from more than one traditional system type or a system that 
includes components or technology not addressed in the Guidelines shall 
submit the results of all beta tests of the new system when applying 
for national certification. Vendors shall also submit a proposed test 
plan to the EAC for use in national certification testing. The 
Guidelines permit vendors to produce or utilize

[[Page 18830]]

interoperable components of a voting system that are tested within the 
full voting system configuration.
    The listing below summarizes the functional requirements that HAVA 
Section 301 mandates to assist voters. While these requirements may be 
implemented in a different manner for different types of voting 
systems, all types of voting systems must provide these capabilities:
     Permit the voter to verify (in a private and independent 
manner) the vote selected by the voter on the ballot before the ballot 
is cast and counted
     Provide the voter with the opportunity (in a private and 
independent manner) to change the ballot or correct any error before 
the ballot is cast and counted
     Notify the voter if he or she has selected more than one 
candidate for a single office, inform the voter of the effect of 
casting multiple votes for a single office, and provide the voter an 
opportunity to correct the ballot before it is cast and counted
     Be accessible for individuals with disabilities in a 
manner that provides the same opportunity for access and participation 
(including privacy and independence) as for other voters
     Provide alternative language accessibility pursuant to 
Section 203 of the Voting Rights Act 1.5.2.1 Paper-Based Voting System 
A paper-based voting system records votes, counts votes, and produces a 
tabulation of the vote count from votes cast on paper cards or sheets. 
A marksense (also known as optical scan) voting system allows a voter 
to record votes by making marks directly on the ballot, usually in 
voting response locations. Additionally, a paper-based system may allow 
for the voter's selections to be indicated by marks made on a paper 
ballot by an electronic input device, as long as such an input device 
does not independently record, store, or tabulate the voter selections.
1.5.2.2 Direct-Recording Electronic Voting System
    A direct-recording electronic (DRE) voting system records votes by 
means of a ballot display provided with mechanical or electro-optical 
components that can be activated by the voter; that processes data by 
means of a computer program; and that records voting data and ballot 
images in memory components. It produces a tabulation of the voting 
data stored in a removable memory component and as printed copy. The 
system may also provide a means for transmitting individual ballots or 
vote totals to a central location for consolidating and reporting 
results from precincts at the central location.
1.5.2.3 Public Network Direct-Recording Electronic Voting System
    A public network DRE voting system is an election system that uses 
electronic ballots and transmits vote data from the polling place to 
another location over a public network. Vote data may be transmitted as 
individual ballots as they are cast, periodically as batches of ballots 
throughout the election day, or as one batch at the close of voting. 
For purposes of the Guidelines, public network DRE voting systems are 
considered a form of DRE voting system and are subject to the standards 
applicable to DRE voting systems. However, because transmitting vote 
data over public networks relies on equipment beyond the control of the 
election authority, the system is subject to additional threats to 
system integrity and availability. Therefore, additional requirements 
are applied to provide appropriate security for data transmission.
    The use of public networks for transmitting vote data must provide 
the same level of integrity as other forms of voting systems, and must 
be accomplished in a manner that precludes three risks to the election 
process: automated casting of fraudulent votes, automated manipulation 
of vote counts, and disruption of the voting process such that the 
system is unavailable to voters during the time period authorized for 
system use.
1.5.2.4 Precinct Count Voting System
    A precinct count voting system is a voting system that tabulates 
ballots at the polling place. These systems typically tabulate ballots 
as they are cast and print the results after the close of polling. For 
DREs and some paper-based systems these systems provide electronic 
storage of the vote count and may transmit results to a central 
location over public telecommunication networks.
1.5.2.5 Central Count Voting System
    A central count voting system is a voting system that tabulates 
ballots from multiple precincts at a central location. Voted ballots 
are typically placed into secure storage at the polling place. Stored 
ballots are transported or transmitted to a central counting location. 
The system produces a printed report of the vote count, and may produce 
a report stored on electronic media.

1.6 Conformance Clause

1.6.1 Scope and Applicability
    The Voluntary Voting System Guidelines define requirements for 
conformance of voting systems that voting system vendors shall meet. 
The Guidelines also provide the framework, procedures, and requirements 
that testing labs responsible for the certification testing of voting 
systems shall follow. The requirements and procedures in the Guidelines 
may also be used by states to certify voting systems. To ensure that 
correct voting system software has been distributed without 
modification, the Guidelines include requirements for certified voting 
system software to be deposited in a national software repository. This 
provides an independent means for election officials to verify the 
software they purchase.
    The Guidelines define the minimum requirements for voting systems 
and the process of testing voting systems. The guidelines are intended 
for use by:
     Designers and manufacturers of voting systems
     Test labs performing the analysis and testing of voting 
systems in support of the EAC national certification process
     Software repositories designated by EAC or by a state
     Election officials, including ballot designers and 
officials responsible for the installation, operation, and maintenance 
of voting machines
     Test labs and consultants performing the state 
certification of voting systems Minimum requirements specified in these 
guidelines include:
     Functional capabilities
     Performance characteristics, including security
     Documentation
     Test evaluation criteria
1.6.2 Conformance Framework
    This section provides the framework in which conformance is 
defined. It identifies the entities to which these guidelines apply, 
the relationships among the various entities, the structure of the 
requirements, and the terminology used to indicate conformance.
1.6.2.1 Applicable Entities
    The requirements, prohibitions, options, and guidance specified in 
these guidelines apply to voting systems, voting system vendors, test 
labs, and software repositories. In general, requirements for voting 
systems in these guidelines apply to all types of voting systems, 
unless prefaced with explanatory narrative that applicability is 
limited to a specific type of system.

[[Page 18831]]

Other terms in these guidelines shall be construed as synonymous with 
``voting systems.'' They are: ``systems'', ``the system'', ``the voting 
system'', and ``each voting system.''
    The term ``voting system vendor'' imposes documentation or testing 
requirements for the manufacturer or vendor. Other terms in these 
guidelines shall be construed as synonymous with ``voting system 
vendor.'' They are: ``vendors'', ``the vendor'', ``manufacturer or 
vendor'', ``voting system designers'', and ``implementer''.
    The terms used to designate requirements and procedural guidelines 
for national certification testing laboratories are indicated by 
referring to ``testing authorities'', ``test labs'', and ``accredited 
test labs''. The term ``repository'' will be used to designate 
requirements levied on the National Software Reference Library 
repository maintained at NIST or any other designated repository.
1.6.2.2 Relationships Among Entities
    It is the voting system vendor that needs to implement these 
requirements and provide the necessary documentation for the system. In 
order to claim conformance to the Guidelines, the voting system vendor 
shall satisfy the specified requirements, including implementation of 
functionality, prescribed software coding and assurance practices, and 
preparation of the Technical Data Package. The voting system vendor 
shall successfully complete the prescribed test campaign with an EAC 
accredited test lab.
    The accredited test lab shall satisfy the requirements for 
conducting certification testing. The test lab may use an operational 
environment emulating that used by election officials as part of their 
testing to ensure that the voting system can be configured and operated 
in a secure and reliable manner according to the vendor's documentation 
and as specified by the Guidelines. The test lab shall coordinate and 
deliver the requisite documentation and test report to the EAC for 
review. Upon issuance of a certification number by the EAC, the test 
lab shall deposit a copy of the certified voting system software with 
the National Software Reference Library.
    The EAC shall review the test results and associated documentation 
and make a determination that all requirements have been appropriately 
tested and the test results are acceptable. The EAC will issue a 
national certification number that indicates conformance of the 
specified system with these Guidelines.
    The National Software Reference Library (NSRL) shall create a 
digital signature of the voting system software provided by the test 
lab. This information will be posted to a website so election officials 
can compare the digital signature of the software provided to them by 
the voting system vendor with this certified reference. The NSRL shall 
maintain this reference information until notified by the EAC that it 
can be archived.
1.6.3 Structure of Requirements
    Each voting system requirement in Volume I is identified according 
to a hierarchical scheme in which higher-level requirements (such as 
``provide accessibility for visually impaired voters'') are supported 
by lower-level requirements (e.g., ``provide an audio-tactile 
interface''). Thus, requirements are nested. When the nesting hierarchy 
has reached four levels (i.e., 1.1.1.1), further nested requirements 
are designated with lowercase letters, then roman numerals. Therefore, 
all requirements are traceable by a distinct reference.
    Some requirements are directly testable and some are not. The 
latter tend to be higher-level and are included because (1) they are 
testable indirectly insofar as their lower-level requirements are 
testable, and (2) they often provide the structure and rationale for 
the lower-level requirements. Satisfying the lower-level requirements 
will result in satisfying the higher-level requirement.
1.6.3.1 Conformance Language
    The following keywords are used to convey conformance requirements:
     Shall--indicates a mandatory requirement in order to 
conform. Synonymous with ``is required to.''
     Is prohibited--indicates a mandatory requirement that 
indicates something that is not permitted (allowed) in order to 
conform. Synonymous with ``shall not.''
     Should, is encouraged--indicates an optional recommended 
action, one that is particularly suitable, without mentioning or 
excluding others. Synonymous with ``is permitted and recommended.''
     May--indicates an optional, permissible action. Synonymous 
with ``is permitted.''
    Informative parts of this document include examples, extended 
explanations, and other matter that contain information necessary for 
proper understanding of the Guidelines and conformance to it.
1.6.3.2 Categorizing Requirements
    The Guidelines set forth a common set of requirements for national 
certification that apply to all types of electronic voting systems. 
They also provide requirements that are applicable for particular 
circumstances, such as alternative language capability or disability 
accessibility. The requirements implementing the HAVA Section 301(a) 
mandates, except for disability accessibility, must be met by all 
voting systems. The alternative language capability mandated by Section 
301(a)(4) must be met by all systems intended for use in jurisdictions 
subject to Section 203 of the Voting Rights Act. The Section 301(a)(3) 
disability accessibility requirements must be met by all systems 
intended to fulfill the one per polling place disability equipped 
voting system provision of Section 301(a)(3)(B).
    In addition, the Guidelines categorize some requirements into 
related groups of functionality to address equipment type, ballot 
tabulation location, and voting system component (e.g., election 
management system, voting machine). Hence, all of the requirements 
contained in the Guidelines do not apply to all elements of all voting 
systems. For example, requirements categorized as applying to DRE 
systems are not applicable to paper-based voting. The requirements 
implementing disability accessibility are not required of all voting 
systems, only by those systems the vendor designates as accessible 
voting systems.
    Among the categories defined in the VVSG are two types of voting 
systems with respect to mechanisms to cast votes--paper-based voting 
systems and DRE voting systems. Additionally, voting systems are 
further categorized by the locations where ballots are tabulated--
precinct count voting systems, which tabulate ballots at the polling 
place, and central count voting systems, which tabulate ballots from 
multiple precincts at a central location. The Guidelines define 
specific requirements for systems that fall within these four 
categories as well as various combinations of these categories.
1.6.3.3 Extensions
    Extensions are additional functions, features, and/or capabilities 
included in a voting system that are not required by the Guidelines. To 
accommodate the needs of states that may impose additional requirements 
and to accommodate changes in technology, these guidelines allow 
extensions. For example, the requirements for a voter verifiable paper 
audit trail feature will only be applied to those systems designated by 
the vendor as providing this feature. The use of extensions shall not 
contradict nor cause the

[[Page 18832]]

nonconformance of functionality required by the Guidelines.
1.6.4 Implementation Statement
    The voting system implementation statement describes the voting 
system and documents the VVSG Volume 1 requirements that have been 
implemented by the voting system. It can also identify optional 
features and capabilities supported by the voting system, as well as 
any extensions (i.e., additional functionality beyond what is required 
in the guidelines). The implementation statement must include a 
checklist identifying all the requirements for which a claim of 
conformance is made.
    The implementation statement must be submitted with the vendor's 
application to the EAC for national certification testing. It must 
provide a concise summary and narrative description of the voting 
system's capabilities. It shall include identifying information about 
the voting system, including the hardware and software components, 
version number and date.

1.7 Effective Date

    The Voluntary Voting System Guidelines (VVSG) shall become 
effective for national certification testing 24 months after their 
final adoption in December, 2005 by EAC. At that time, all new systems 
submitted for national certification shall be tested for conformance 
with these Guidelines. In addition, if a modification to a system 
certified or qualified to a previous standard is submitted for national 
certification after this date, every component of the modified system 
shall be tested using these Guidelines. All previous versions of 
national voting system standards will become obsolete upon this 
effective date.
    These Guidelines are voluntary in that each of the states can 
decide whether to require the voting systems used in their state to 
have a national certification. States may decide to adopt these 
Guidelines in whole or in part at any time, irrespective of the 
effective date. In addition, states may specify additional requirements 
that voting systems in their jurisdiction must meet. The national 
certification program does not in any way pre-empt the ability of the 
states to have their own system certification process.
    This VVSG effective date provision has no effect on the mandatory 
voting system requirements prescribed in HAVA Section 301(a), which 
states must comply with on or before January 1, 2006. The EAC issued 
Advisory 2005-004 to assist states in determining if a voting system is 
compliant with Section 301(a). This advisory is available on the EAC 
Web site at www.eac.gov.

1 Functional Requirements

Table of Contents

2 Functional Requirements

2.1 Overall System Capabilities
    2.1.1 Security
    2.1.2 Accuracy
    2.1.3 Error Recovery
    2.1.4 Integrity
    2.1.5 System Audit
    2.1.5.1 Operational Requirements
    2.1.5.2 Use of Shared Computing Platforms
    2.1.6 Election Management System
    2.1.7 Vote Tabulating Program
    2.1.7.1 Functions
    2.1.7.2 Voting Variations
    2.1.8 Ballot Counter
    2.1.9 Telecommunications
    2.1.10 Data Retention
2.2 Pre-voting Capabilities
    2.2.1 Ballot Preparation
    2.2.1.1 General Capabilities
    2.2.1.2 Ballot Formatting
    2.2.1.3 Ballot Production
    2.2.2 Election Programming
    2.2.3 Ballot and Program Installation and Control
    2.2.4 Readiness Testing
    2.2.5 Verification at the Polling Place
    2.2.6 Verification at the Central Location
2.3 Voting Capabilities
    2.3.1 Opening the Polls
    2.3.1.1 Precinct Count Systems
    2.3.1.2 Paper-based System Requirements
    2.3.1.3 DRE System Requirements
    2.3.2 Activating the Ballot (DRE Systems)
    2.3.3Casting a Ballot
    2.3.3.1 Common Requirements
    2.3.3.2 Paper-based System Requirements
    2.3.3.3 DRE System Requirements
2.4 Post-Voting Capabilities
    2.4.1 Closing the Polls
    2.4.2 Consolidating Vote Data
    2.4.3 Producing Reports
    2.4.4 Broadcasting Results
2.5 Maintenance, Transportation, and Storage

2 Functional Requirements

    This section contains requirements detailing the functional 
capabilities required of a voting system. This section sets out 
precisely what a voting system is required to do. In addition, it sets 
forth the minimum actions a voting system must be able to perform to be 
eligible for certification.
    For organizational purposes, functional capabilities are 
categorized as follows by the phase of election activity in which they 
are required:
    2.1 Overall System Capabilities: These functional capabilities 
apply throughout the election process. They include security, accuracy, 
integrity, system auditability, election management system, vote 
tabulation, ballot counters, telecommunications, and data retention.
    2.2 Pre-voting Capabilities: These functional capabilities are used 
to prepare the voting system for voting. They include ballot 
preparation, the preparation of election-specific software (including 
firmware), the production of ballots, the installation of ballots and 
ballot counting software (including firmware), and system and equipment 
tests.
    2.3 Voting System Capabilities: These functional capabilities 
include all operations conducted at the polling place by voters and 
officials including the generation of status messages.
    2.4 Post-voting Capabilities: These functional capabilities apply 
after all votes have been cast. They include closing the polling place; 
obtaining reports by voting machine, polling place, and precinct; 
obtaining consolidated reports; and obtaining reports of audit trails.
    2.5 Maintenance, Transportation and Storage Capabilities: These 
capabilities are necessary to maintain, transport, and store voting 
system equipment.
    In recognition of the diversity of voting systems, the Guidelines 
apply specific requirements to specific technologies. Some of the 
guidelines apply only if the system incorporates certain optional 
functions (for example, voting systems employing telecommunications to 
transmit voting data). For each functional capability, common 
requirements are specified. Where necessary, these are followed by 
requirements applicable to specific technologies (i.e., paper-based or 
DRE) or intended use (i.e., central or precinct count).

2.1 Overall System Capabilities

    This section defines required functional capabilities that are 
system-wide in nature and not unique to pre-voting, voting, and post-
voting operations. All voting systems shall provide the following 
functional capabilities, further outlined in this section:

2.1.1 Security
2.1.2 Accuracy
2.1.3 Error Recovery
2.1.4 Integrity
2.1.5 System Audit
2.1.6 Election Management System
2.1.7 Vote Tabulating Program
2.1.8 Ballot Counter
2.1.9 Telecommunications
2.1.10 Data Retention
    Voting systems may also include telecommunications components. 
Technical standards for these capabilities are described in Sections 3 
through 6 of the Voluntary Voting System Guidelines.

[[Page 18833]]

2.1.1 Security
    System security is achieved through a combination of technical 
capabilities and sound administrative practices. To ensure security, 
all systems shall:
    a. Provide security access controls that limit or detect access to 
critical system components to guard against loss of system integrity, 
availability, confidentiality, and accountability
    b. Provide system functions that are executable only in the 
intended manner and ord