Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Test Assertions for VVSG 1.0 Section 7.9.4, August 2015

Requirement 7.9.4

VVSG 1.0 Requirement 7.9.4:

a.      The voting machine shall provide a standard, publicly documented printer port (or the equivalent) using a standard communication protocol.

Discussion:

Using a standard, publicly documented printer protocol assists in security evaluations of system software.

b.     Tamper-evident seals or physical security measures shall protect the connection between the printer and the voting machine.

c.      If the connection between the voting machine and the printer has been broken, the voting machine shall detect this event and record it in the DRE internal audit log.

d. The paper path between the printing, viewing and storage of the paper record shall be protected and sealed from access except by authorized election officials.

e. The printer shall not be permitted to communicate with any system or machine other than the voting machine to which it is connected.

f. The printer shall only be able to function as a printer; it shall not contain any other services (e.g., provide copier or fax functions) or network capability.

g.     The voting machine shall detect errors and malfunctions such as paper jams or low supplies of consumables such as paper and ink that may prevent paper records from being correctly displayed, printed or stored.

Discussion:

This could be accomplished in a variety of different ways; for example, a printer that is out of paper or jammed could issue a different audible alarm for each condition.

h. If an error or malfunction occurs, the voting machine shall suspend voting operations and should present a clear indication to the voter and election officials of the malfunction.

i.       The voting machine shall not record votes if an error or malfunction occurs.

j.       Printing devices should contain sufficient supplies of paper and ink to avoid reloading or opening equipment covers or enclosures and thus potential circumvention of security features; or be able to reload paper and ink with minimal disruption to voting and without circumvention of security features such as seals.

k. Vendor documentation shall include procedures for investigating and resolving printer malfunctions including, but not limited to; printer operations, misreporting of votes, unreadable paper records, and power failures.

l.       Vendor documentation shall include printer reliability specifications including Mean Time Between Failure estimates, and shall include recommendations for appropriate quantities of backup printers and supplies.

m.Protective coverings intended to be transparent on voting equipment shall be maintainable via a predefined cleaning process. If the coverings become damaged such that they obscure the paper record, they shall be replaceable.

n. The paper record shall be sturdy, clean, and of sufficient durability to be used for verifications, reconciliations, and recounts conducted manually or by automated processing.

Test Assertions

TA794a-1: The VVPAT printer SHALL be physically connected via a standard port.

TA794a-2: The VVPAT printer SHALL be physically connected via a publicly documented port.

TA794a-3: The VVPAT printer SHALL use a standard communication protocol.

TA794b-1: The connection between the printer and the VVPAT voting machine SHALL be protected by using EITHER 1) Tamper-evident seals OR 2) tamper-resistant measures.

TA794c-1: IF the connection between the VVPAT voting machine and the printer has been broken, THEN the VVPAT voting machine SHALL detect this break in the connection.

TA794c-2: IF the connection between the VVPAT voting machine and the printer has been broken, THEN the VVPAT voting machine SHALL record this break in the connection in the DRE internal audit log.

TA794d-1: The paper path between the printing, viewing and storage of the paper record SHALL be protected from access from anyone who is not an authorized election official.

TA794d-2: The paper path between the printing, viewing and storage of the paper record SHALL be sealed from access from anyone who is not an authorized election official.

TA794e-1: The printer SHALL ONLY have the capability to communicate with the VVPAT voting machine to which it is connected.

TA794e-1-1: The printer SHALL NOT be networked or shared with other voting machines.

TA794f-1: The printer SHALL ONLY have the capability of functioning as a printer.

TA794f-2: The printer SHALL NOT contain any other services besides printer services, including, but not limited to, providing copier functions, or providing fax functions.

TA794f-3: The printer SHALL NOT contain any network capability.

TA794g-1: The VVPATvoting machine SHALL detect errors or malfunctions including, but not limited to, paper jams or low supplies of consumables such as paper and ink that may prevent paper records from being correctly displayed, printed or stored.

TA794g-1-1: Different errors or malfunctions SHALL have separate auditable alarms.

TA794h-1: IF an error or malfunction occurs, THEN the VVPAT voting machine SHALL suspend voting operations.

TA794h-1-1: The VVPAT voting machine SHALL present a clear indication to the voter of the error or malfunction. (from 1.1 794e)

TA794h-1-2: The VVPAT voting machine SHALL present a clear indication to the election officials of the error or malfunction.

TA794h-1-2-1: This indication SHALL indicate clearly whether the current voter's vote has been EITHER cast, discarded, OR is waiting to be completed.

TA794h-1-3: The VVPAT voting machine SHALL suspend voting operations until the problem is resolved.

TA794h-1-4: The VVPAT voting machine SHALL allow the current voter's electronic ballot image to be cancelled by election officials in the case of an unrecoverable error or malfunction.

TA794h-1-5: The VVPAT voting machine SHALL protect the privacy of the voter while the error or malfunction is being resolved.

TA794i-1: IF an error or malfunction occurs THEN the VVPAT voting machine SHALL NOT record votes.

TA794j-1: Printing devices SHOULD be capable of AT LEAST one of the following: 1) containing sufficient supplies of paper and ink to avoid reloading or opening equipment covers or enclosures; 2) reloading paper and reloading ink with minimal disruption to voting AND reloading paper and reloading ink without circumvention of security features, including, but not limited to, seals.

TA794k-1: Vendor documentation SHALL include procedures for investigating printer errors or malfunctions including, but not limited to, printer operations, misreporting of votes, unreadable paper records, and power failures.

TA794k-2: Vendor documentation SHALL include procedures for resolving printer errors or malfunctions including, but not limited to, printer operations, misreporting of votes, unreadable paper records, and power failures.

TA794l-1: Vendor documentation SHALL include printer reliability specifications including, but not limited to, Mean Time Between Failure estimates.

TA794l-2: Vendor documentation SHALL include recommendations for appropriate quantities of backup printers and supplies.

TA794m-1: IF a protective covering is intended to be transparent on voting equipment THEN it SHALL be maintainable via a predefined cleaning process.

TA794m-1-1: The covering SHALL be replaceable in the event the covering becomes damaged such that it obscures the paper record.

TA794n-1: The paper record SHALL be sturdy to be used for verifications, reconciliations, and recounts conducted manually or by automated processing.

TA794n-2: The paper record SHALL be clean to be used for verifications, reconciliations, and recounts conducted manually or by automated processing.

TA794n-3: The paper record SHALL be of sufficient durability, to remain unchanged for minimally 22 months, to be used for verifications, reconciliations, and recounts conducted manually or byautomated processing.

 

Created August 28, 2015, Updated August 25, 2016