Voluntary Voting System Guidelines

The Voluntary Voting System Guidelines (VVSG) are guidelines adopted by the United States Election Assistance Commission (EAC) for the certification of voting systems. The National Institute of Standards and Technology's Technical Guidelines Development Committee (TGDC) drafts the VVSG and gives them to the EAC in draft form for their adoption.

History
The Election Assistance Commission was created by the 2002 Help America Vote Act, itself a response to the punch card ballot and multiple ballot style issues that surrounded the 2000 presidential election. The resulting guidelines were intended to provide consistency in the integrity of voting systems.

Writing in 2013, researchers at Auburn University critiqued the guidelines as needing to be paired with funding for states to participate. They argued that the more sophisticated states participated in the voluntary certification while most adapted parts of the guidelines or opted out altogether.

Timeline

 * 1990: Federal Election Commission adopts the federal government’s first set of voting system standards.
 * The National Association of State Election Directors (NASED) begins testing voting equipment against the 1990 standards; NASED, a non-governmental entity, voluntarily offers the service to the states
 * 2002: FEC updates 1990 Voting System Standards. Federal government does not yet test voting equipment against these standards.
 * NASED begins testing voting systems against the 2002 standards
 * 2002: Help America Vote Act (HAVA) creates the Election Assistance Commission
 * HAVA transfers the responsibility of developing voting system standards from the FEC to the EAC
 * HAVA requires EAC to set up the federal government’s first program to test voting equipment against the federal standards.
 * HAVA also tasked the EAC with establishing the federal government’s first voting system certification program.
 * HAVA renames the voting system standards, listing them as the voluntary voting system guidelines (VVSG)
 * 2005: the Election Assistance Commission unanimously adopted the 2005 Voluntary Voting System Guidelines (VVSG), which significantly increase security requirements for voting systems and expand access, including opportunities to vote privately and independently, for individuals with disabilities.
 * 2006: NASED terminates its voting system testing program
 * 2007: EAC launches full testing and certification program
 * 2015: The VVSG 1.1, an incremental revision to the 2005 VVSG 1.0, were unanimously approved by the Election Assistance Commission on March 31, 2015
 * 2021: VVSG 2.0 adopted on February 10, 2021

Guidelines (2021)
The VVSG 2.0 guidelines were release in 2021. "The Guidelines allow for an improved and consistent voter experience, enabling all voters to vote privately and independently, ensuring votes are marked, verified and cast as intended, and that the final count represents the true will of the voters."

The voting system
"Equipment (including hardware, firmware, and software), materials, and documentation used to enact the following functions of an election:


 * 1) define elections and ballot styles,
 * 2) configure voting equipment,
 * 3) identify and validate voting equipment configurations,
 * 4) perform logic and accuracy tests,
 * 5) activate ballots for voters,
 * 6) record votes cast by voters,
 * 7) count votes,
 * 8) label ballots needing special treatment,
 * 9) generate reports,
 * 10) export election data including election results,
 * 11) archive election data, and
 * 12) produce records in support of audits."

All voting systems must also:
 * 1) Permit the voter to verify (in a private and independent manner) their choices before their ballot is cast and counted.
 * 2) Provide the voter with the opportunity (in a private and independent manner) to change their choices or correct any error before their ballot is cast and counted.
 * 3) Notify the voter if they have selected more than one candidate for a single office, inform the voter of the effect of casting multiple votes for a single office, and provide the voter an opportunity to correct their ballot before it is cast and counted.
 * 4) Be accessible for individuals with disabilities in a manner that provides the same opportunity for access and participation (including privacy and independence) as for all voters.
 * 5) Provide alternative language accessibility pursuant to Section 203 of the Voting Rights Act [VRA65].

=== Principles ===

High Quality Design

 * Functional equipment requirements are organized as phases of running an election:
 * Election and Ballot Definition
 * Pre-election Setup and logic and accuracy (L&A) testing
 * Opening Polls, Casting Ballots
 * Closing Polls, Results Reporting
 * Tabulation, Audit
 * Storage
 * Requirements dovetail with cybersecurity in areas including:
 * Pre-election setup
 * Audits of barcodes versus readable content for ballot marking devices (BMDs)
 * Audits of scanned ballot images versus paper ballots
 * Audits of Cast Vote Record (CVR) creation
 * Content of various reports
 * Ability to match a ballot with its corresponding CVR
 * Guidance relevant to testing and certification has been moved to the EAC testing and certification manuals.

High Quality Implementation

 * Adds requirement to document and report on user-centered design process by developer to ensure system is designed for a wide range of representative voters, including those with and without disabilities, and election workers

Transparent

 * Addresses transparency from the point of view of documentation that is necessary and sufficient to understand and perform all operations

Interoperable

 * Ensures that devices are capable of importing and exporting data in common data formats
 * Requires manufacturers to provide complete specification of how the format is implemented
 * Requires that encoded data uses publicly available, no-cost method
 * Uses common methods (for example, a USB) for all hardware interfaces
 * Permits commercial-off-the-shelf (COTS) devices as long as relevant requirements are still satisfied

Equivalent and Consistent Voter Access

 * Applies to all modes of interaction and presentation throughout the voting session, fully supporting accessibility

Voter Privacy

 * Distinguishes voter privacy from ballot secrecy and ensures privacy for marking, verifying, and casting the ballot

Marked, Verified, and Cast as Intended

 * Updates voter interface requirements such as font, text size, audio, interaction control and navigation, scrolling, and ballot selections review
 * Describes requirements that are voting system specific, but derived from federal accessibility law

Robust, Safe, Usable, and Accessible

 * References, Section 508 Information and Communication Technology (ICT) Final Standards and Guidelines [USAB18] and Web Content Accessibility Guidelines 2.0 (WCAG 2.0) [W3C10]
 * Updates requirements for reporting developer usability testing with voters and election workers

Auditable

 * Focuses on machine support for post-election audits
 * Makes software independence mandatory
 * Supports paper-based and end-to-end (E2E) verifiable systems
 * Supports all types of audits, including risk-limiting audits (RLAs), compliance audits, and ballot-level audits

Ballot Secrecy

 * Includes a dedicated ballot secrecy section
 * Prevents association of a voter identity to ballot selections

Access Control

 * Prevents the ability to disable logging
 * Bases access control on voting stage (pre-voting, activated, suspended, post-voting)
 * Does not require role-based access control (RBAC)
 * Requires multi-factor authentication for critical operations:
 * Software updates to the certified voting system
 * Aggregating and tabulating
 * Enabling network functions
 * Changing device states, including opening and closing the polls
 * Deleting the audit trail
 * Modifying authentication mechanisms

Physical Security

 * Requires using only those exposed physical ports that are essential to voting operations
 * Ensures that physical ports are able to be logically disabled
 * Requires that all new connections and disconnections be logged

Data Protection

 * Clarifies that there are no hardware security requirements (for example, TPM (trusted platform module))
 * Requires Federal Information Processing Standard (FIPS) 140-2 [NIST01] validated cryptographic modules (except for end-to-end cryptographic functions)


 * Requires cryptographic protection of various election artifacts
 * Requires digitally signed cast vote records and ballot images
 * Ensures transmitted data is encrypted with end-to-end authentication

System Integrity

 * Requires risk assessment and supply chain risk management strategy
 * Removes non-essential services
 * Secures configurations and system hardening
 * Exploit mitigation (for example, address space layout randomization (ASLR) data execution prevention (DEP) and free of known vulnerabilities
 * Requires cryptographic boot validation
 * Requires authenticated updates
 * Ensure sandboxing and runtime integrity

Detection and Monitoring

 * Ensures moderately updated list of log types
 * Detection systems must be updateable
 * Requires digital signatures or allowlisting for voting systems
 * Requires malware detection focusing on backend PCs