BOARD OF ADVISORS & STANDARDS BOARD
VVSG TRAINING WORKSHOP
Alan Goldfine, OCTOBER 15, 2007
NIST BOULDER


VVSG Tutorial Narration*
Voting System Hardware Requirements

[Slide 1]

[NARRATOR:] This is the Next Voluntary Voting System Guidelines Training Module covering Core Requirements for Voting System Hardware. This VVSG Training Module is presented by Dr. Alan Goldfine of the National Institute of Standards and Technology's Information Technology Laboratory. The presentation includes questions and answers from members of the EAC's Board of Advisors and Standards Board.

[Slide 2]

[MR. GOLDFINE:] The three areas that I'm going to be talking about are electromagnetic compatibility, EMC, other environmental requirements, and also quality assurance and configuration management, the last of which is really broader than simply hardware since it involves all of the policies and procedures of vendors and so on, but it's lumped into this category.

[Slide 3]

Now when we were doing our work, we had general goals. I've noticed that most of the other speakers have also talked about the goals that were invoked or looked towards in their work, and there's pretty much a lot of similarity in the lists. What we were thinking about in terms of these areas specifically, that the general goals for the next VVSG were to, well, first of all, reflect the latest available information. You know, things have changed since 2005, 2002, even where the 2005 requirements originated. We want to, of course, reflect the latest available information. This is also particularly important in areas like hardware. What might be a little bit of a stylistic issue, but we think was very important, is that we wanted to have the VVSG reference applicable standards, external standards, rather than repeating or excerpting text from these standards, which was the case in the past. As everybody has said, to try to use more precise and testable wording whenever possible. This isn't to say that the wording was always or necessarily not precise and testable, but that was the specific goal or a very specific goal for the next generation, and also to clearly separate requirements from testing specifications. This sort of had two phases, both of which have been discussed, one of which is the separation into Part 3 of the VVSG of the testing requirements, testing methods, and so on, and the other phase would be to separate entirely from the VVSG, the development of actual or the specification of actual test methods, test scenarios, step-by-step procedures, and so on. There was a little bit of that in previous versions of the voting standards. What we've tried to do, as much as possible, is to factor that out and redo them in the effort that is now beginning, that I think Mark and John talked about, where NIST will be developing draft conformance tests.

[Slide 4]

Now the first area is electromagnetic compatibility. This is the successor to the electrical, RF, whatever it was called in previous versions, which were pretty much lumped together as simply part of the environmental requirements. Here we've separated them out to a somewhat greater degree into their own sections, also using the currently preferred term in the field, namely electromagnetic compatibility.

What this means is that these EMC requirements go two ways. They control first of all how the environment of a voting system can affect an electronic voting device. This is also called 'immunity' in the specs, and conversely how electronic voting devices can affect their environment. This is the term 'emission limits.' That term is applied to this particular direction.

[Slide 5]

Now within electromagnetic compatibility, there are three areas, but the three areas are conducted compatibility, which basically means, I'm oversimplifying in all of this, but basically that means the interaction between electronic voting devices with the local power supply, you know, the plug in the wall.

Then there's radiated compatibility, which you know has to do with electrostatic discharge, which really talks about sparks, contact with mobile equipment, things bumping into the machines that might cause these types of electrical disturbances.

And also becoming increasingly important, wireless devices, cell phones, other wireless devices, laptops, whatever, that are in the polling place or in the environment of the polling place, close enough to have effect and so on.

The third area, telecommunications compatibility, was given a little bit of lip service in some of the previous versions, 2005 and so on, but the requirements there are basically completely new. This deals with basically the telephone line from the polling place to a central tabulator, what possible interactions, interferences, and so on, could specifically occur within this context.

[Slide 6]

Now, in the 2002, I include these slides as sort of a roadmap for comparison. In 2002, these issues were dealt with in Volume 1, Sections 3.2.2.4 to 3.2.2.12, and in Volume 2, Section 4.8.

In 2005, they were very slightly revised. Some of the numbers changed a little bit, and they were in Volume 1, Sections 4.1.2.4 to 4.1.2.12, and Volume 2, Section 4.8.

In the current draft, the next VVSG, they were totally rewritten from 2005. This doesn't mean that they're totally different. They're not totally different, but they were totally rewritten, and they now constitute Part 1, Sections 6.3.4 to 6.3.6, and Part 3, Sections 5.1.1 to 5.1.3.

[Slide 7]

Now the area of other environmental requirements, general build quality, which has some sort of very general page worth of good practices that we sort of gathered together from the overall content and implications of previous versions.

Durability, and in this case, we're not just talking about durability of equipment, but we added a requirement, I'll get to just a little bit later on, durability of paper, which we got vibes indicating that that was an issue.

Maintainability, which is essentially copied, the maintainability of equipment copied pretty much from 2005. Operating temperature and humidity, a lot of the material in this section, is very similar to, but not quite the same as what was in the 2005 spec.

I guess, by way of explanation, you may be aware, several years ago, I think it was probably even prior to the HAVA legislation or around the same time, the IEEE had a project to develop a parallel set of requirements for electronic voting equipment.

They did a lot of good work, but there were a lot of internal dissensions. They never quite voted their document out of committee, but there was good stuff in there, and we borrowed, stole from them, as we felt we could use their material.

And they made a number of changes in the areas of operating temperature and humidity, like a play on words, the operative word is operating. These are temperature and humidity requirements for voting equipment when the voting equipment is actually being used, as opposed to the final bullet which dealt also to some degree with temperature and humidity and similar issues, but concentrating on equipment transportation and storage.

One thing in the previous bullet, there never was a humidity requirement for operations. There is now, which again was developed by the IEEE.

[Slide 8]

The environmental requirements, well, in the 2002 VSS, Volume 1, Sections 3.2.2, 3.3, 3.4.2, 3.4.4, 3.4.7, and Volume 2, Sections 4.6, 4.7.1, 4.7.2, 4.8.

In 2005, they were unchanged from 2002 Volume 1, Sections 4.1.2, 4.2, 4.3.2, 4.3.4, 4.3.7, Volume 2, Sections 4.6, 4.7.1, 4.7.2, 4.8.

[Slide 9]

And in the next VVSG, which I indicated are enhanced and slightly revised from 2005, we have some new requirements, the general build quality requirements, although those are in spirit extracted from the sense of previous versions.

There's a durability of paper requirement in which we invoked or which we reference GPO, Government Printing Office paper standards in the hope that this will solve the problems, or at least go some way towards solving paper durability problems.

And as I said, there's a new operating humidity requirement developed by the IEEE. These are now Part 1, Sections 6.4.3, 6.4.7, 6.4.3 to 6.4.7, and Part 3, Sections 5.1.4 to 5.1.5.

[Slide 10]

The third area is quality assurance and configuration management. These are requirements on manufacturers to do the following things. For quality assurance, to ensure that the vendors, not the manufacturers, adhere to practices during the development, manufacture, and maintenance of voting systems that build quality in through their systems, and for configuration management, to develop activities and associated practices.

Remember, these are on vendors that ensure full knowledge and control of the components of their voting systems.

In the latter bullet, as far as configuration management, most of the requirements that are there have to do with tags on the equipment and logs on the experiences, the happenstances, during the development of systems as a whole and individual products that occurred during manufacture.

[Slide 11]

Now the 2002 and 2005 specifications in these areas had statements of general goals and good practices, but for one thing, they were, for the most part, not specific to voting systems. You know, they were good practices and so on, and all vendors are expected to do the right thing.

In particular, there really weren't any substantive verifiable requirements to allow whether it would be the test lab or the certifying authority or whoever it would be, you know, to actually, in a hard and firm sense, verify whether all of this stuff was being accomplished.

You know, there were procedures for allowable visits to the vendor and questions to be asked, but no hard and fast requirements that could be judged on a pass or fail basis, and also more specifically, there were no external references to generally accepted industry standards. It was all, you know, roll your own type thing.

Now whether or not this had anything to do with it, and again I was struggling to come up with the right words here, because what I'm saying is that there have been reports, rumors, stories, what have you, complaints in general that over the years, delivered systems, you know, delivered at the states and jurisdictions, were sometimes not of the highest quality and again, whether or not- you know, I have no quantifiable information, no cause and effect reasoning or anything like that, but yet we kept hearing this all the time.

So the feeling, finally, I guess, became predominant, so much so that we of the TGDC decided to give the alternate approach to the quality assurance a try rather than what had been done in previous standards.

[Slide 12]

Now that alternate approach is to invoke the generally accepted external industry-accepted standard, which is the ISO-9000, 9001 family of quality assurance standards, and also the ISO-10007 standard for configuration management, to provide the framework for the requirements.

It was decided not to rigidly invoke all of the traditional infrastructure that very often goes along with ISO-9000 in terms of timing and third-party evaluation or evaluation of a vendor's procedures by a third party, you know ANSI-certified third party. I mean, this could be done, but the EAC would be the one to establish all of these procedures.

What was decided is that the overriding framework for the specification of requirements in this area would, in fact, follow the generally accepted ISO-9000, 9001 approach.

In particular, the way this works out is that the manufacturer must deliver a well-defined quality manual detailing how the processes and procedures required by the VVSG are being implemented.

When I say well-defined, there are quite a few pages worth of specific requirements as to what this quality manual must contain, and quite a bit to, sort of, sink your teeth into in terms of evaluating a manufacturer's quality assurance procedures.

Of course, you know, all this sort of comes out- you know, the devil is in the details, and a lot of this comes out in terms of how the policies are implemented by the certifying authority, but you know the stuff is there to hang the certifying authority's hat on as it wishes.

[Slide 13]

In 2002, this was covered in Volume 1, Section 7, which was Quality Assurance, and Section 8, Configuration Management, and in Volume 2, Section 7. In the 2005 VVSG, which was unchanged from 2002, it was in Volume 1, Section 7, Quality Assurance, and Section 8, Configuration Management, and Volume 2, Section 7.

[Slide 14]

In the next VVSG, and here this was totally rewritten from 2005, you can find this material in Part 1, Section 6.4.2, Part 2, Section 2. This is where that quality manual, which was considered part of the vendor documentation, so it's in Part 2, the contents are specified. And Part 3, Section 4.4.

[Slide 15]

Any questions? Yes.

[QUESTIONER:] In configuration management, there are some systems in use right now where the vendor doesn't necessarily need or want to, for example, sell hardware with their systems. A good example is the Hart System that some counties are using for central count. It can be used with a variety of different scanners and peripherals. And counties can go out and buy the hardware on their own. The vendor doesn't care what hardware they use. How is that going to be handled by the vendor when they explain the configuration management of a system like that? It gets back into the subject we were talking about earlier where if you change-

[MR. GOLDFINE:] The COTS?

[QUESTIONER:] If you change the COTS, you need to go back in for recertification.

[MR. GOLDFINE:] The question is, how do you handle or how does this area handle components of a system that are actually not supplied and integrated by the vendor, but are acquired by the jurisdiction for use with the vendor-produced- when the vendor product arrives. I guess that's what you were saying.

I think it's a quite different situation from COTS, because COTS is something explicitly integrated by the vendor, and at that point, the vendor has the full responsibility for the COTS software. Now almost as if he had developed it himself, he's responsible for it.

Here, basically, in the configuration management area, which is what you brought up, the way it's structured is that the vendor begins the production of the various components, the logs, and the tags, and what have you, and with some requirements to make it easy for the jurisdiction to continue the configuration management.

He has some instruction, whatever, after the jurisdiction takes control, so I guess that would fit in or the process would fit into that, that if, in fact, the jurisdiction is now adding a separately acquired component, it would add the records concerning that component to the delivered records of the overall system that the vendor delivered.

[Slide 16]

[NARRATOR:] Additional explanatory presentations on the Voluntary Voting System Guidelines can be accessed from the Web site: vote.nist.gov.



* Certain commercial entities, equipment, or materials may be identified in this presentation in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.


Page Created: November 28, 2007
Last Updated: July 10, 2008
