Requirement 7.4.5
VVSG 1.0 Requirement 7.4.5: The NSRL or other repository designated by a state election office shall generate reference information using the binary images of the (a) certified voting system software received on unalterable storage media from testing labs and (b) election-specific software received on unalterable storage media from jurisdictions.
a. The NSRL or other designated repository shall generate reference information in at least one of the following forms: (a) complete binary images, (b) cryptographic hash values or (c) digital signatures of the software.
Discussion: Although binary images, cryptographic hashes, and digital signatures can detect a modification or alteration in the software, they cannot determine if the change to the software was accidental or intentional.
b. The NSRL or other designated repository shall create a record of the creation of reference information that includes: a unique identifier (such as a serial number) for the record; the file names of software and associated unique identifier(s) of the unalterable storage media from which reference information is generated; the time, date and name of people who generated reference information; the type of reference information created; the certification number of the voting system; the voting system software version; the product name; and the vendor name.
c. The NSRL or other designated repository shall retain the unalterable storage media used to generate the reference information until notified by the EAC that it can be archived.
Test Assertions
TA745-1: A state election official MAY designate a repository that would ensure that the software used during elections is the tested, certified software.
TA745-2: NIST's National Software Reference Library OR the repository designated by the state election official SHALL generate reference information using the binary images of the certified voting system software that was received on unalterable storage media from Testing Laboratories.
TA745-3: Testing Laboratories MAY submit whole disks OR storage media of the certified voting system, instead of binary images, to NIST's National Software Reference Library OR the repository designated by the state election official.
TA745-4: IF election-specific software is received on unalterable media from jurisdictions, THEN NIST's National Software Reference Library OR the repository designated by the state election official SHALL generate reference information using the binary images of the election-specific software.
TA745a-1: NIST's National Software Reference Library OR the repository designated by the state election official SHALL generate reference information as a) complete binary images, OR as b) cryptographic hash values, OR as c) digital signatures of the software.
TA745a-1-1: NIST's National Software Reference Library OR the repository designated by the state election official MAY generate reference information in more than one of the above forms.
TA745b-1: NIST's National Software Reference Library OR the repository designated by the state election official SHALL create a record of the creation of reference information.
TA745b-1-1: The record of the creation of reference information SHALL include a unique identifier for the record.
TA745b-1-1-1: The unique identifier MAY be a serial number.
TA745b-1-2: The record of the creation of reference information SHALL include the file names of software of the unalterable storage media from which reference information is generated.
TA745b-1-3: The record of the creation of reference information SHALL include associated unique identifier(s) of the unalterable storage media from which reference information is generated.
TA745b-1-4: The record of the creation of reference information SHALL include the time of people who generated reference information.
TA745b-1-5: The record of the creation of reference information SHALL include the date of people who generated reference information.
TA745b-1-6: The record of the creation of reference information SHALL include the name of people who generated reference information.
TA745b-1-7: The record of the creation of reference information SHALL include the type of reference information created.
TA745b-1-8: The record of the creation of reference information SHALL include the certification number of the voting system.
TA745b-1-9: The record of the creation of reference information SHALL include the voting system software version.
TA745b-1-10: The record of the creation of reference information SHALL include the product name.
TA745b-1-11: The record of the creation of reference information SHALL include the vendor name.
TA745c-1: NIST's National Software Reference Library OR the repository designated by the state election official SHALL retain the unalterable storage media used to generate the reference information.
TA745c-1-1: NIST's National Software Reference Library OR the repository designated by the state election official SHALL archive the unalterable storage media used to generate the reference information after notification, by the EAC, that it may be archived.
TA745c-1-2: NIST's National Software Reference Library OR the repository designated by the state election official MAY discontinue retaining the unalterable storage media used to generate the reference information after notification, by the EAC, that it may be archived.
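
Added example (not part of VVSG or of any NSRL tooling): one way a repository could produce reference information in form (b), cryptographic hash values, and build the creation record whose fields TA745b-1-1 through TA745b-1-11 enumerate, then check a later image against it. SHA-256, the dictionary key names, and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Record fields required by TA745b-1-1 .. TA745b-1-11 (key names are assumptions).
REQUIRED_FIELDS = (
    "record_id", "file_names", "media_ids", "time", "date", "generated_by",
    "reference_type", "certification_number", "software_version",
    "product_name", "vendor_name",
)

def sha256_hex(image: bytes) -> str:
    """Cryptographic hash value of one binary image (SHA-256 is an assumed choice)."""
    return hashlib.sha256(image).hexdigest()

def create_reference_record(images: dict, when: datetime, **meta) -> dict:
    """Hash every binary image and build the creation record around the result."""
    record = dict(meta)
    record.update(
        file_names=sorted(images),
        time=when.strftime("%H:%M:%SZ"),
        date=when.strftime("%Y-%m-%d"),
        reference_type="cryptographic hash values (SHA-256)",
        reference_information={n: sha256_hex(d) for n, d in images.items()},
    )
    return record

def missing_fields(record: dict) -> list:
    """Names of required record fields that are absent or empty."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]

def matches_reference(record: dict, name: str, image: bytes) -> bool:
    """True only if the image hashes to the stored reference value for that file."""
    expected = record["reference_information"].get(name)
    return expected is not None and hmac.compare_digest(expected, sha256_hex(image))

# Constructed sample data: stand-in image bytes and placeholder metadata.
SAMPLE_IMAGES = {"tabulator.bin": b"abc",
                 "ballot-def.bin": b"constructed election-specific image"}
SAMPLE_RECORD = create_reference_record(
    SAMPLE_IMAGES, datetime(2024, 1, 15, 14, 30, 0, tzinfo=timezone.utc),
    record_id="REC-0001", media_ids=["MEDIA-PLACEHOLDER-01"],
    generated_by=["Example Operator"], certification_number="CERT-PLACEHOLDER",
    software_version="0.0.0-example", product_name="Example Voting System",
    vendor_name="Example Vendor",
)

if __name__ == "__main__":
    print("missing fields:", missing_fields(SAMPLE_RECORD))
    print("unmodified image matches:", matches_reference(SAMPLE_RECORD, "tabulator.bin", b"abc"))
    print("altered image matches:", matches_reference(SAMPLE_RECORD, "tabulator.bin", b"abd"))
```

A mismatch only shows that the image differs from the reference; as the Discussion under 7.4.5a notes, it does not indicate whether the change was accidental or intentional.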