Guidelines Development Committee (TGDC)
Attendees: Allan Eustis, Angela Orbaugh, Barbara Guttman, Bill Burr, David Flater, David Wagner, Helen Purcell, John Wack, Mat Masterson (EAC), Nelson Hastings, Patrick Gannon, Quynh Dang, Rene Peralta, Ron Rivest, Santosh Chokani, Sharon Laskowski, Thelma Allen, Wendy Havens
Discussion of Requirements from VVSG Volumes 3 and 4 (Patrick Gannon):
Interoperability: Patrick Gannon wanted to discuss his concerns with requirements in Volume 3 regarding interoperability and Volume 4 regarding interface description. Current requirement in Volume 3: "All systems shall maximize interoperability and integratability with other systems and/or devices of other systems." And "Interoperability through open export -- The interoperability and integratability requirement may be met by providing the capability to export data in a royalty-free, published, open format." Patrick Gannon proposed adding the words "commonly agreed upon" to the requirement.
This was discussed in detail. Mr. Gannon wanted to know what the goal of the requirement was. If it was to produce interoperability, as it currently says, then we need to write requirements that would support getting a vendor to that by requiring a commonly agreed upon format. Several members agreed that interoperability is a goal for future systems - right now we are requiring integratability.
This requirement will be written in two parts. There will be a shall requirement on integratability. The existing high level requirement will reduce the use of interoperability but say that vendors "should strive for interoperability". Discussion text will be added that says e.g., "to reduce barriers to interoperability, vendors should strive to use a commonly agreed upon industry standard format".
The ballot image data requirement is only required for DREs. It is not mandated for opscan systems, and STS cannot see any security requirements at this time for it to be required for opscan systems. It was discussed whether these requirements would be for only new systems, or whether other systems would have to be retrofitted - we are talking about requirements for new procurements of systems. It is up to the state how they handle older equipment and what is grandfathered.
Records Requirements: Patrick Gannon wanted to know where this was in the process, and what the intended use was. John Kelsey informed the group that he had sent around a paper for comments. This document is intended to be requirements that address known threats - a set of requirements that address security issues for electronic records. Mr. Gannon wanted to know if this covered requirements for common ballot formats as specified in resolution 2305. The core requirements section covers specifics about electronic record formats including what data needs to be in there. Election definition functionality that the EMS is required to support is in there as well. Additional requirements in regards to reporting abilities appear in the reporting section. Mr. Gannon requested something that would provide a list of all the requirements that responded to resolution 2305 since they appear in different sections of the VVSG. Allan Eustis suggested a link from the glossary under common data format referencing each section that responded to it. Mr. Gannon suggested something as easy as a "see also" added to the requirements.
Cost of Testing Summit (Mat Masterson, EAC):
EAC hosted a summit on the cost of testing voting systems. Approximately 40-45 people were in attendance, from vendors, testing labs, advisory groups, and NIST. There were presentations and responses to questions that had been posed by Brian Hancock before the meeting. No minutes were prepared for this meeting.
Couple major points:
Access Control Requirements (Nelson Hastings):
This item was deferred to the Thursday May 10 telcon meeting.
OEVT (Santosh Chokani):
Santosh's paper was distributed before the meeting. The purpose of this document is to define the scope of and approach to Open Ended Vulnerability Testing (OEVT) prescribed in VVSG "2007" in light of the software independent verification of cast ballots. The goal of OEVT is to discover architecture, design and implementation flaws that have crept into the system which may not be detected using systematic functional, reliability, and security testing and can be exploited to change the outcome of an election or can otherwise provide erroneous results for an election. This document assumes that the voting systems are not networked. Requirements are listed in sections 3.1, 3.2, and 3.3. Team expert composition is defined in 3.4. There are 16 OEVT steps that are to be carried out for each computer system component such as voting machine, central tabulator, etc.
Inputs into this process include security documentation from the vendor, access to source code, the type of tests conducted, and how rigorous the tests were. Ron wanted to know if there was a level of effort in the document. Santosh reported that that had not been included yet. Requirements to the vendor: the vendor must supply adequate documentation including threat models, team expertise, level of effort, and a document describing every security mechanism in the system and what security threat it addresses.
In terms of getting this ready for the VVSG, what needs to be done? The subcommittee needs to review this document and get comments to the STS mailing list or Santosh. This is an important part of the committee's work and needs to be pushed forward.
Next meeting is scheduled for Thursday, May 10, 2007, at 11:45 a.m.
Adjourned at 12:00 p.m.
[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference discussion is for the purposes of the STS subcommittee of the TGDC to direct NIST and coordinate its voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]