Technical Guidelines Development Committee (TGDC)
Teleconference for
Security and Transparency Subcommittee*
May 8, 2007, 10:30 a.m.
Draft Minutes

Draft Agenda

1) Administrative Updates
2) Report on EAC Cost of Testing Summit
3) Finalize outstanding issues related to Access Control requirements
4) Discussion of path forward for open ended vulnerability testing (OEVT)
5) Discussion of requirements from Volume 3, 11.6 "Interoperability" and Volume 4, "Interface description" including EML
6) Other items
7) Next call Thursday, May 10, 2007 at 11:45AM

Attendees: Allan Eustis, Angela Orbaugh, Barbara Guttman, Bill Burr, David Flater, David Wagner, Helen Purcell, John Wack, Mat Masterson (EAC), Nelson Hastings, Patrick Gannon, Quynh Dang, Rene Peralta, Ron Rivest, Santosh Chokani, Sharon Laskowski, Thelma Allen, Wendy Havens

Administrative Updates:

  • David Wagner and Mark Skall testified at a House Oversight Committee hearing yesterday (5/7/07). David's testimony available at: Mark's is posted at: (David W: The main topic of discussion was the certification process; standards were also discussed as well as the state of New York's problems.)
  • We have a draft agenda for the plenary meeting that will go out today. The agenda is fluid, but schedules have been set for subcommittee presentations. It will be posted online with other meeting material. This is an important plenary meeting, probably the last one before the report becomes final.
  • John Wack is trying to arrange a subcommittee chair meeting. Will send out information soon.
  • Patrick Gannon requested that item 5 on the STS agenda be moved up on the agenda today.

Discussion of Requirements from VVSG Volumes 3 and 4 (Patrick Gannon):

Interoperability: Patrick Gannon wanted to discuss his concerns with requirements in Volume 3 regarding interoperability and Volume 4 regarding interface description. The current requirement in Volume 3 reads: "All systems shall maximize interoperability and integratability with other systems and/or devices of other systems." and "Interoperability through open export -- The interoperability and integratability requirement may be met by providing the capability to export data in a royalty-free, published, open format." Patrick Gannon proposed adding the words "commonly agreed upon" to the requirement.

This was discussed in detail. Mr. Gannon wanted to know what the goal of the requirement was. If it is to produce interoperability, as it currently says, then we need to write requirements that would support getting a vendor to that goal by requiring a commonly agreed upon format. Several members agreed that interoperability is a goal for future systems; right now we are requiring integratability.

This requirement will be written in two parts. There will be a "shall" requirement on integratability. The existing high-level requirement will reduce the use of interoperability but say that vendors "should strive for interoperability". Discussion text will be added that says, e.g., "to reduce barriers to interoperability, vendors should strive to use a commonly agreed upon industry standard format".

The ballot image data requirement is only required for DREs. It is not mandated for opscan systems, and STS cannot see any security requirements at this time for it to be required for opscan systems. It was discussed whether these requirements would be for only new systems, or whether other systems would have to be retrofitted. We are talking about requirements for new procurements of systems. It is up to the state how they handle older equipment and what is grandfathered.

Electronic Records Requirements: Patrick Gannon wanted to know where this was in the process, and what the intended use was. John Kelsey informed the group that he had sent around a paper for comments. This document is intended to be requirements that address known threats: a set of requirements that address security issues for electronic records. Mr. Gannon wanted to know if this covered requirements for common ballot formats as specified in resolution 2305. The core requirements section covers specifics about electronic record formats, including what data needs to be in there. Election definition functionality that the EMS is required to support is in there as well. Additional requirements regarding reporting abilities appear in the reporting section. Mr. Gannon requested something that would provide a list of all the requirements that responded to resolution 2305, since they appear in different sections of the VVSG. Allan Eustis suggested a link from the glossary under common data format referencing each section that responded to it. Mr. Gannon suggested something as easy as a "see also" added to the requirements.

Cost of Testing Summit (Mat Masterson, EAC):

EAC hosted a summit on the cost of testing voting systems. Approximately 40-45 people were in attendance from vendors, testing labs, advisory groups, and NIST. There were presentations and responses to questions that had been posed by Brian Hancock before the meeting. No minutes were prepared for this meeting.

A couple of major points:

1. The group felt that a gap analysis needed to be done between what the states are required to test and what the Federal government tests, as there appears to be duplication. The group felt more testing should be done by the Federal government, so as to reduce costs on states.

2. The group had concerns over the current state of source code review and source code testing. Will requirements change in the next iteration of the VVSG? Mat believed the VVSG would get a lot of feedback on the sections regarding source code.
[NOTE: David Flater pointed out that these issues were addressed in the new VVSG. It was suggested that there be a cross reference of version 05 to the new version. There will be a guide pointing out new items and major changes.]

3. It was suggested that there be cooperative agreements between states for testing to help reduce costs, with smaller states working together to conduct their tests. This was discussed at a general level; there may be an upcoming conference to discuss this in better detail.


Access Control Requirements (Nelson Hastings):

This item was deferred to the Thursday, May 10 telecon meeting.

OEVT (Santosh Chokani):

Santosh's paper was distributed before the meeting. The purpose of this document is to define the scope of and approach to Open Ended Vulnerability Testing (OEVT) prescribed in VVSG "2007" in light of the software independent verification of cast ballots. The goal of OEVT is to discover architecture, design and implementation flaws that have crept into the system which may not be detected using systematic functional, reliability, and security testing and can be exploited to change the outcome of an election or can otherwise provide erroneous results for an election. This document assumes that the voting systems are not networked. Requirements are listed in sections 3.1, 3.2, and 3.3. Team expert composition is defined in 3.4. There are 16 OEVT steps that are to be carried out for each computer system component such as voting machine, central tabulator, etc.

Inputs into this process include security documentation from the vendor, access to source code, the type of tests conducted, and how rigorous the tests were. Ron wanted to know if there was a level of effort in the document. Santosh reported that that had not been included yet. Requirements to the vendor: the vendor must supply adequate documentation including threat models, team expertise, level of effort, and a document describing every security mechanism in the system and what security threat it addresses.

In terms of getting this ready for the VVSG, what needs to be done? The subcommittee needs to review this document and get comments to the STS mailing list or Santosh. This is an important part of the committee's work and needs to be pushed forward.

Next meeting is scheduled for Thursday, May 10, 2007, at 11:45 a.m.

Meeting adjourned at 12:00 p.m.


[* Pursuant to the Help America Vote Act of 2002, the TGDC is charged with directing NIST in performing voting systems research so that the TGDC can fulfill its role of recommending technical standards for voting equipment to the EAC. This teleconference discussion is for the purposes of the STS subcommittee of the TGDC to direct NIST and coordinate its voting-related research relevant to the VVSG 2007. Discussions on this telecon are preliminary and do not necessarily reflect the views of NIST or the TGDC.]

Last updated: July 25, 2007
