Current through Rules and Regulations filed through March 20, 2024
(a)
Purpose.
1. These Rules establish performance
requirements and characteristics for voting systems and their components used
in the State of Georgia and identify performance characteristics of these
systems and components.
2.
Compliance with the requirements of these Rules shall be assessed by means of
code analysis, formal tests, and documentation review.
3. The intent of these Rules is to assure
that hardware, firmware, and software have been shown to be reliable, accurate,
and capable of secure operation before they are used in elections in the State.
Hardware, firmware, and software products with performance proven in commercial
applications are deemed inherently acceptable, provided that they are shown to
be compatible with the operational and administrative requirements of the
voting environment. Products not in wide commercial use, regardless of their
performance histories, shall require Qualification, Certification, and
Acceptance tests before they can be used.
4. These rules are intended to assist local
jurisdictions in identifying products and provide a standardized terminology
which shall facilitate the specification and demonstration of system
requirements.
(b)Applicability.
1. These Rules are applicable to voting
systems first used in the State of Georgia on or after the effective date of
these Rules. These Rules are waived for all voting systems in use in the State
of Georgia as of the effective date of these Rules. Successful performance
during past elections are deemed sufficient evidence of adequate design. These
Rules shall apply to systems developed by non-governmental third parties and
those developed in-house by a local government.
2. These Rules apply to all equipment and
computer programs used in a voting system including, but not limited to, the
hardware, firmware, and software required for defining an election, formatting
ballots, setting up precincts for voting, recording votes, tallying the
results, and producing all reports.
3. These Rules apply to any agency, group, or
individual responsible for the analysis, design, manufacture, procurement, or
use of voting systems, their subsystems, or their components.
4. Any modification to the hardware,
firmware, or software of a voting system which has completed Qualification,
Certification, or Acceptance testing in accordance with these Rules shall
invalidate the State certification unless it can be shown that the modification
does not affect the overall flow of program control or the manner in which the
ballots are recorded and the vote data are processed,
and the
modification falls into one of the following classifications listed below. The
Secretary of State shall be the sole judge of whether or not a modification
requires additional testing.
(i) The
modification is made for the purpose of correcting a defect and procedural and
test documentation is provided which verifies that the installation of the
hardware change or corrected code does not result in any consequence other than
the elimination of the defect.
(ii)
The modification is made for the purpose of enabling interaction with other
general purpose or approved equipment or computer programs and databases, and
procedural and test documentation is provided which verifies that such
interaction does not involve or adversely affect vote counting and data
storage.
5. The addition
or alteration of utility software and device handlers which do not interact
with vote counting software except through the intended input/output channels
in the manner originally intended does not constitute a requirement for a
mandatory retest.
(c)
Reciprocity. The Secretary of State may accept the results of the
Qualification tests and/or Certification tests from another state or testing
agency that has performed the tests described in these Rules. This reciprocity
does not extend to the Acceptance tests or any portion of the Certification
tests, which are considered to be unique to the State of Georgia.
(d)
Procedure. This review and
approval procedure is limited to those voting systems and equipment that have
passed the prototype stage and are in full production and available for
immediate installation and use. Qualification tests shall be performed to
evaluate the degree to which a system complies with the requirements of the
Voting Systems Standards issued by the Election Assistance
Commission (EAC). Whenever possible, Qualification tests shall be conducted by
Independent Test Agencies (ITA) certified by the EAC. In the event that tests
by an ITA are not feasible, these tests shall be conducted by a Georgia
Certification Agent designated by the Secretary of State.
Certification tests shall be performed to certify that the
voting system complies with the Georgia Election Code, the Rules of the Georgia
State Election Board, and the Rules of the Secretary of State. A Georgia
Certification Agent designated by the Secretary of State shall conduct
certification tests. The Qualification and Certification testing of a voting
system for use in the State of Georgia shall proceed in the following
steps.
1.
Qualification.
Prior to submitting a voting system for certification by the State of Georgia,
the proposed voting system's hardware, firmware, and software must have been
issued Qualification Certificates from the EAC. These EAC Qualification
Certificates must indicate that the proposed voting system has successfully
completed the EAC Qualification testing administered by EAC approved ITAs. If
for any reason, this level of testing is not available, the Qualification tests
shall be conducted by an agency designated by the Secretary of State. In either
event, the Qualification tests shall comply with the specifications of the
Voting Systems Standards published by the EAC.
2.
Letter of Request. After the
voting system has completed EAC Qualification testing, the evaluation procedure
to obtain certification for use of the voting system in the State of Georgia
shall be initiated by letter from the vendor of the voting system to the Office
of the Secretary of State requesting certification for a
specific voting system. The Secretary of State or her
representative shall notify the vendor of the earliest date after which the
requested evaluation may begin and provide the vendor with the name and
telephone number of the designated Georgia Certification Agent.
3.
Submission of Complete Technical
Data Package. The vendor shall submit the Technical Data Package
described in section (g) to the Certification Agent designated by the State.
The Certification Agent shall review the submission of the Technical Data
Package and notify the vendor of any deficiencies. Certification of the voting
system shall not proceed until the Technical Data Package is
complete.
4.
Preliminary
Review. The Georgia Certification Agent shall conduct a preliminary
analysis of the Technical Data Package and prepare an Evaluation Proposal
containing the following information:
(i)
Components of the voting system requiring evaluation.
(ii) Identification of any hardware or
software components requiring additional testing by the EAC ITAs.
(iii) Description of the activities required
to complete that portion of the evaluation which is to be performed by the
Georgia Certification Agent.
(iv)
Estimate of time required to complete the portion of the evaluation, which is
to be performed by the Georgia Certification Agent.
(v) Estimate of cost of tests which are to be
performed by the Georgia Certification Agent.
5.
Authorization to Proceed. The
vendor shall review the Evaluation Proposal and notify the Secretary of State,
in writing, of the desire to continue or terminate the evaluation process. The
evaluation of the system shall not begin until the manufacturer or vendor
notifies the Secretary of State to proceed. A copy of this notification shall
be sent to the Georgia Certification Agent. A decision to continue shall
obligate the vendor to the cost of the evaluation contained in the Evaluation
Proposal.
6.
Evaluation. The vendor shall arrange with the EAC ITAs for any
additional required ITA testing identified in the Evaluation Proposal. After
any required ITA tests have been successfully completed, the Georgia
Certification Agent shall conduct the tests described in the Evaluation
Proposal and submit a report of the findings to the Secretary of
State.
7.
Certification. Based on the information contained in the report
from the Georgia Certification Agent, and any other information in her
possession, the Secretary of State shall determine whether the proposed voting
system shall be certified for use in the State of Georgia and so notify the
vendor.
8.
Local Jurisdiction
Acceptance. After a voting system is delivered to a local jurisdiction,
acceptance tests shall be performed in the user's environment to demonstrate
that the voting system as delivered and installed is identical to the system
that was certified by the State and satisfies the requirements specified in the
procurement documents.
(e)
Proprietary Information. The
State of Georgia shall make every effort to protect the proprietary nature of
information provided to the State or its agents during the course of these
evaluations in accordance to Georgia law for protecting proprietary
information. Any proposed non-disclosure agreements shall be of the type and
form in common commercial usage appropriate to similar situations and shall be
subject to review and approval by the Georgia Attorney General.
(f)
Audit and Validation of
Certification.
1. It shall be the
responsibility of the vendor to ensure that any voting system or component of a
voting system that it markets or supplies for use in the State of Georgia has
been certified by the Secretary of State. It is also the responsibility of the
vendor to submit any modifications to a previously certified system or
component to the Secretary of State for re-certification and to update the
Technical Data Package on file in the Office of the Secretary of State to
accurately reflect the modifications.
2. If any question arises involving the
certification of a voting system or a component of a voting system in use in
the State, the Technical Data Package and Certification documentationon file in
the Office of the Secretary of State shall be used to verify that the system or
component in question is identical to the system or component
that was submitted for certification.
(g)
Technical Data Package.
Before evaluation can begin, the vendor must submit to the Georgia
Certification Agent the Technical Data Package required to complete the
evaluation of the proposed voting system. Each item in the Technical Data
Package must be clearly identified. If the Technical Data Package is incomplete
or the items in the package are not clearly identified, the entire package may
be returned to the vendor and the evaluation of the voting system rescheduled.
In most cases, the Technical Data Package submitted to the ITAs shall be
sufficient for State certification.
The Technical Data Package shall contain the following items
in hard copy and in electronic form when available.
(i)
Customer Maintenance
Documentation. Documentation describing any maintenance that the
vendor recommends that can be performed by a customer with minimal knowledge of
the system.
(ii)
Operations
Manual. Operations documentation that is normally supplied to the
customer for use by the person(s) who shall operate the equipment.
(iii)
Software Source Code.
Source code of all software and firmware in the voting system. The source code
shall be supplied in the form of a listing and in a
machine-readable form on media that is acceptable to the Georgia Certification
Agent. If there is any chance of ambiguity, the required compiler(s) and/or
development environment must be specified.
(iv)
Software System Design.
Documentation describing the logical design of the software. This documentation
should clearly indicate the various modules of the software, their functions,
and their interrelationships. The minimum acceptable documentation is a system
flowchart. Deviation of the source code from the system design may be cause for
rejection of the voting system.
(v)
Customer Documentation. A complete set of all documentation
which is available to the purchaser/user of the voting system. Clearly identify
that documentation which is included in the cost of the system and that
documentation which is available for an additional charge.
(vi)
ITA Qualification
Reports. Copies of the ITA reports for the hardware and software
qualification of the voting system. These reports must be sent directly from
the ITA to the Georgia Certification Agent.
(vii)
Formal Complaints and
Decertification Notices. Copies of any formal complaints and/or
decertification notices that have been filed against the proposed system. This
documentation must clearly identify the jurisdiction filing the complaint or
decertification notice and give the details of the resolution.
(viii)
Test Data/Software
(Optional). Any available test data, ballot decks, and/or software
that can be used to demonstrate the various functions of the voting system.
Although optional, these items can significantly reduce the effort, and hence
the time and cost, involved in the evaluation of the system.
O.C.G.A. Secs.
21-2-1, 21-2-50, 21-2-253,
21-2-368, 21-2-379.2.