1 Introduction

1.1 Objectives and Usage of the Voting System Standards

State and local officials today are confronted with increasingly complex voting system technology and an increased risk of voting system failure. Responding to calls for assistance from the states, the United States Congress authorized the Federal Election Commission (FEC) to develop voluntary national voting systems standards for computer-based systems. The resulting FEC Voting System Standards (“the Standards”) seek to aid state and local election officials in ensuring that new voting systems are designed to function accurately and reliably, thus ensuring the system’s integrity. States are free to adopt the Standards in whole or in part. States may also choose to enact stricter performance requirements for systems used in their jurisdictions.

The Standards specify minimum functional requirements, performance characteristics, documentation requirements, and test evaluation criteria. The Standards address what a voting system should reliably do, not how the system should meet these requirements. It is not the intent of the Standards to impede the design and development of new, innovative equipment by vendors. Furthermore, the Standards should not force vendors to price their voting systems out of the range of local jurisdictions.

The Standards are not intended to define appropriate election administration practices. However, the total integrity of the election process can only be ensured if implementation of the Standards is coupled with effective election administration practices.

The Standards are intended for use by multiple audiences to support their respective roles in the development, testing, and acquisition of voting systems:

¨ Authorities responsible for the analysis and testing of such systems in support of qualification and/or certification of systems for purchase within a designated jurisdiction;

¨ State or local agencies evaluating voting systems to be procured within their jurisdiction; and

¨ Designers and manufacturers of voting systems.

1.2 Development History for Initial Standards

Much of the groundwork for the Standards’ development was laid by a national study conducted in 1975 by the National Bureau of Standards, now known as the National Institute of Standards and Technology (NIST). This study was requested by the FEC's Office of Election Administrator’s predecessor, the Office of Federal Elections of the General Accounting Office. The report, “Effective Use of Computing Technology in Vote-Tallying,” made a number of recommendations bearing directly on the Standards project. After analyzing computer-related election problems encountered in the past, the report concluded that one of the basic causes for these difficulties was the lack of appropriate technical skill at the state and local level for developing or implementing sophisticated and complex standards against which voting system hardware and software could be tested.

Following the release of this report, Congress mandated that the FEC, with the cooperation and assistance of the National Bureau of Standards, study and report on the feasibility of developing “voluntary engineering and procedural performance standards for voting systems used in the United States.” (2 U.S.C. §431 Note) The resulting 1983 study cited a substantial number of technical and managerial problems that affected the integrity of the vote counting process. It also asserted the need for a federal agency to develop national performance standards that could be used as a tool by state and local election officials in the testing, certification, and procurement of computer-based voting systems. In 1984, Congress approved initial funding for the Standards.

The FEC held a series of public hearings in developing the initial Standards. State and local election officials, election system vendors, technical consultants, and others reviewed drafts of the proposed criteria. The FEC considered their many comments and made appropriate revisions. Before final issuance, the FEC publicly announced the availability of the latest draft of the Standards in the Federal Register and requested that all interested parties submit final comments. The FEC meticulously reviewed all responses to the notice and incorporated corrections and suitable suggestions. Ultimately, the final product was the result of considerable deliberation, close consultation with election officials, and careful consideration of comments from all interested persons.

In January 1990, the FEC issued the performance standards and testing procedures for punchcard, marksense, and direct recording electronic (DRE) voting systems. The Standards did not cover paper ballot and mechanical lever systems because paper ballots are sufficiently self-explanatory not to require technical standards and mechanical lever systems are no longer manufactured or sold in the United States. The FEC also did not incorporate requirements for mainframe computer hardware because it was reasonable to assume that sufficient engineering and performance criteria already governed the operation of mainframe computers. However, vote tally software installed on mainframes is covered by the Standards.

1.3 Update of the Standards

Today, over two-thirds of the States have adopted the Standards in whole or in part. As a result, the voting systems now marketed are greatly improved. Election officials are better assured that the voting systems they procure will work accurately and reliably. Voting system failures are declining, and now tend to involve pre-Standard equipment, untested equipment configurations, or the mismanagement of tested equipment. Overall, systems integrity and the election process has improved markedly.

However, advances in voting technology, legislative changes, and the proliferation of electronic voting systems make an update of the Standards necessary. The industry has been marked by widespread integration of personal computer technology and non-mainframe servers into DRE voting systems.

In addition, voting systems now need to be responsive to the Americans with Disabilities Act (ADA) of 1990 and guidelines developed to assist in implementing the ADA.

1.4 Accessibility for Individuals with Disabilities

Voters and election officials who use voting systems represent a broad spectrum of the population, and include individuals with disabilities who may have difficulty using traditional voting systems. In developing accessibility provisions for the Standards, the FEC requested assistance from the Access Board, the federal agency in the forefront of promulgating accessibility provisions. The Access Board submitted technical standards designed to meet the diverse needs of voters with a broad range of disabilities. The FEC has adopted the entirety of the Access Board’s recommendations and incorporated them into the Standards. These recommendations comprise the bulk of the accessibility provisions found in Section 2.2.7.

The FEC anticipates that during the lifetime of this version of the Standards, increased obligations will be placed upon election officials at every jurisdictional level to provide voting equipment tailored to meet the needs of voters with disabilities. To facilitate jurisdictions in meeting accessibility needs, the Standards mandate that every voting system that incorporates a DRE component meet specific technological requirements in order to receive certification. To do so, it is anticipated that a system’s vendor will have to either configure all of its machines to meet the accessibility specifications or will have to design a unique machine that conforms to the accessibility requirements.

Under no circumstances should compliance with requirements for accessibility be viewed as mutually exclusive from compliance with any other provision of the Standards. If a voting system contains a machine uniquely designed to meet the accessibility requirements, such a machine will be tested for compliance with the accessibility requirements, as well as for compliance with all of the DRE standards, in order to ensure that an accessible machine does not unintentionally abrogate the mandates of the Standards

1.5 Definitions

The Standards contain terms describing function, design, documentation, and testing attributes of equipment and computer programs. Unless otherwise specified, the intended sense of technical terms is that which is commonly used by the information technology industry. In some cases terminology is specific to elections or voting systems, and a glossary of those terms is contained in Appendix A. Non-technical terms not listed in Appendix A shall be interpreted according to their standard dictionary definitions.

Additionally, the following terms are defined below:

¨ Voting system;

¨ Paper-based voting system;

¨ Direct record electronic (DRE) voting system;

¨ Public network direct record electronic (DRE) voting systems;

¨ Precinct count voting system; and

¨ Central count voting system.

1.5.1 Voting System

A voting system is a combination of mechanical, electromechanical, or electronic equipment. It includes the software required to program, control, and support the equipment that is used to define ballots; to cast and count votes; to report and/or display election results; and to maintain and produce all audit trail information. A voting system may also include the transmission of results over telecommunication networks.

Additionally, a voting system includes the associated documentation used to operate the system, maintain the system, identify system components and their versions, test the system during its development and maintenance, maintain records of system errors and defects, and determine specific changes made after system qualification. By definition, this includes all documentation required in Section 9.4.

Traditionally, a voting system has been defined by the mechanism the system uses to cast votes and further categorized by the location where the system tabulates ballots. However, the Standards recognize that as the industry develops unique solutions to various challenges and as voting systems become more responsive to the needs of election officials and voters, the rigid dichotomies between voting system types may be blurred. Innovations that use a fluid understanding of system types can greatly improve the voting system industry, but only if controls are in place to integrity through the proper evaluation of the system brought for qualification. As such, a system that integrates components from more than one traditional system type will be subject to the appropriate requirements for all germane system types.

1.5.2 Paper-Based Voting System

A Paper-Based Voting System, (referred to in the initial Standards as a Punchcard and Marksense [P&M] Voting System) records votes, counts votes, and produces a tabulation of the vote count from votes cast on paper cards or sheets. A punchcard voting system allows a voter to record votes by means of holes punched in designated voting response locations; a marksense voting system allows a voter to record votes by means of marks made in voting response locations.

1.5.3 Direct Record Electronic (DRE) Voting System

A Direct Record Electronic (DRE) Voting System records votes by means of a ballot display provided with mechanical or electro-optical components that can be activated by the voter; that processes data by means of a computer program; and that records voting data and ballot images in memory components. It produces a tabulation of the voting data stored in a removable memory component and as printed copy. The system may also provide a means for transmitting individual ballots or vote totals to a central location for consolidating and reporting results from precincts at the central location.

1.5.4 Public Network Direct Record Electronic (DRE) Voting System

A Public Network Direct Record Electronic (DRE) Voting System is an election system that uses electronic ballots and transmits official vote data from the polling place to another location over a public network as defined in Section 5.1.2. Official vote data may be transmitted as individual ballots as they are cast, periodically as batches of ballots throughout the election day, or as one batch at the close of voting. For purposes of the Standards, Public Network DRE Voting Systems are considered a form of DRE Voting System and are subject to the standards applicable to DRE Voting Systems. However, because transmitting official vote data over public networks relies on equipment beyond the control of the election authority, the system is subject to additional threats to system integrity and availability. Therefore, additional requirements discussed in Section 5 and 6 apply.

The use of public networks for transmitting official vote data must provide the same level of integrity as other forms of voting systems, and must be accomplished in a manner that precludes three risks to the election process: automated casting of fraudulent votes, automated manipulation of vote counts, and disruption of the voting process such that the system is unavailable to voters during the time period authorized for system use.

1.5.5 Precinct Count Voting System

A Precinct Count Voting System is a voting system that tabulates ballots at the polling place. These systems typically tabulate ballots as they are cast, and print the results after the close of polling. For DREs, and for some paper-based systems, these systems provide electronic storage of the vote count, or for transmitting results to a central location over public telecommunication networks.

1.5.6 Central Count Voting System

A Central Count Voting System is a voting system that tabulates ballots from multiple precincts at a central location. Voted ballots are typically placed into secure storage at the polling place. Stored ballots are transported or transmitted to a central counting place. The systems produce a printed report of the vote count, and may produce a report stored on electronic media.

1.6 Application of the Standards and Test Specifications

The Standards apply to all system hardware, software, telecommunications, and documentation intended for use to:

¨ Prepare the voting system for use in an election;

¨ Produce the appropriate ballot formats;

¨ Test that the voting system and ballot materials have been properly prepared and are ready for use;

¨ Record and count votes;

¨ Consolidate and report results;

¨ Display results on-site or remotely; and

¨ Maintain and produce all audit trail information.

In general, the Standards define functional requirements and performance characteristics that can be assessed by a series of quantitative tests and qualitative examination to determine system suitability for election use. Standards are mandatory requirements and are designated by use of the term “shall.”

Some voting systems use one or more readily available commercial off-the-shelf (COTS) devices (such as card readers, printers, or personal computers) or software products (such as operating systems, programming language compilers, or database management systems). COTS devices and software are exempted from certain portions of the qualification testing process as defined herein, as long as such products are not modified for use in a voting system.

Generally, voting systems are subject to the following three testing phases prior to being purchased or leased:

¨ Qualification tests;

¨ State certification tests; and

¨ State and/or local acceptance tests.

1.6.1 Qualification Tests

Qualification tests validate that a voting system meets the requirements of the Standards and performs according to the vendor’s specifications for the system. Such tests encompass the examination of software; the inspection and evaluation of system documentation; tests of hardware under conditions simulating the intended storage, operation, transportation, and maintenance environments; operational tests to validate system performance and function under normal and abnormal conditions; and examination of the vendor’s system development, testing, quality assurance, and configuration management practices. Qualification tests address individual system components or elements, as well as the integrated system as a whole.

Qualification tests for voting systems are performed by Independent Test Authorities (ITAs) certified by the National Association of State Election Directors (NASED). NASED certifies an ITA for either the full scope of qualification testing or a distinct subset of the total scope of testing. To date, ITAs have been certified only for distinct subsets of testing. Upon the successful completion of testing by an ITA, the ITA issues a Qualification Test Report to the vendor and NASED. The qualification test report remains valid for as long as the voting system remains unchanged.

Upon receipt of test reports that address the full scope of testing, NASED issues a Qualification Number that indicates the system has been tested by certified ITAs for compliance with the Standards and qualifies for the certification process of states that have adopted the Standards. The Qualification Number applies to the system as a whole, and does not apply to individual system components.

After a system has completed qualification testing, further examination of a system is required if modifications are made to hardware, software, or telecommunications, including the installation of software on different hardware. Vendors request review of modifications by the appropriate ITA based on the nature and scope of changes made and the scope of the ITA’s NASED qualification. The ITA will determine the extent to which the modified system should be resubmitted for qualification testing and the extent of testing to be conducted.

Generally, a voting system remains qualified as long as no modifications not approved by an ITA are made to the system. However, if a new threat to a particular voting system is discovered, it is the prerogative of NASED to determine which qualified voting systems are vulnerable, whether those systems need to be retested, and the specific tests to be conducted.

Among other things, qualification testing complements and evaluates the vendor's developmental testing. The ITA is expected to evaluate the completeness of the vendor's developmental test program, including the sufficiency of vendor tests conducted to demonstrate compliance with the Standards as well as the systems performance specifications. The ITA undertakes sample testing of the vendor's test modules and also design independent system-level tests to supplement and check those designed by the vendor. Although some of the qualification tests are based on those prescribed in the Military Standards, in most cases the test conditions are less stringent, reflecting commercial, rather than military, practice.

1.6.2 Certification Tests

Certification tests are performed by individual states, with or without the assistance of outside consultants, to:

¨ Confirm that the voting system presented is the same as the one qualified through the Standards;

¨ Test for the proper implementation of state-specific requirements;

¨ Establish a baseline for future evaluations or tests of the system, such as acceptance testing or state review after modifications have been made; and

¨ Define acceptance tests.

Precise certification test scripts are not included in the Standards, as they must be defined by the state, with its laws, election practices, and specific environment in mind. However, it is recommended that they not duplicate qualification tests, but instead focus on functional tests and qualitative assessment to ensure that the system operates in a manner that is acceptable under state law. If a voting system is modified after state certification, it is recommended that States reevaluate the system to determine if further certification testing is warranted.

Certification tests performed by individual states typically rely on information contained in documentation provided by the vendor for system design, installation, operations, required facilities and supplies, personnel support and other aspects of the voting system. States and jurisdictions may define information and documentation requirements additional to those defined in the Standards. By design, the Standards, and qualification testing of voting systems for compliance with the Standards, do not address these additional requirements. However, qualification testing addresses all capabilities of a voting system stated by the vendor in the system documentation submitted to an ITA, including additional capabilities that are not required by the Standards.

1.6.3 Acceptance Tests

Acceptance tests are performed at the state or local jurisdiction level upon system delivery by the vendor to:

¨ Confirm that the system delivered is the specific system qualified by NASED and, when applicable, certified by the state;

¨ Evaluate the degree to which delivered units conform to both the system characteristics specified in the procurement documentation, and those demonstrated in the qualification and certification tests; and

¨ Establish a baseline for any future required audits of the system.

Some of the operational tests conducted during qualification may be repeated during acceptance testing.

1.7 Outline of Contents

The organization of the Standards has been simplified to facilitate its use. Volume I, Voting System Performance Standards, is intended for use by the broadest audience, including voting system developers, equipment manufacturers and suppliers, independent test authorities, local agencies that purchase and deploy voting systems, state organizations that certify a system prior to procurement by a local jurisdiction, and public interest organizations that have an interest in voting systems and voting systems standards.

¨ Section 2 describes the functional capabilities required of voting systems.

¨ Sections 3 through 6 describe specific performance standards for election system hardware, software, telecommunications and security, respectively.

¨ Sections 7 and 8 describe practices for quality assurance and configuration management, respectively, to be used by vendors, and required information about vendor practices that will be reviewed in concert with system qualification and certification test processes and system purchase decisions.

¨ Section 9 provides an overview of the test and measurement process used by test authorities for qualification and re-qualification of voting systems.

¨ Appendix A provides a glossary of important terms used in Volume I.

¨ Appendix B lists the publications that were used for guidance in the preparation of the Standards. These publications contain information that is useful in interpreting and complying with the requirements of the Standards.

Volume II, Voting System Qualification Testing Standards describes the standards for the technical information submitted by the vendor to support testing; the development of test plans by the ITA for initial system testing and testing of system modifications; the conduct of system qualification tests by the ITA; and the test reports generated by the ITA. This volume complements the content of Volume I and it is intended primarily for use by ITAs, state organizations that certify a system, and vendors.