Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
VVSG Principles and Guidelines
READ-ONLY SITE MATERIALS: Historical voting TWiki site (2015-2020) ARCHIVED from https://collaborate.nist.gov/voting/bin/view/Voting
Purpose
This document contains high-level principles and guidelines for the following areas:
- General considerations for specification, implementation and evaluation of election processes and technology
- Interoperability
- Human factors
- Security
| Principle Name | Principle & Guideline Descriptions | |
|---|---|---|
| 1. High Quality Design | The voting system is designed to accurately, completely, and robustly carry out election processes. | |
| 1.1 | The voting system is designed using commonly-accepted election process specifications. | |
| 1.2 | The voting system is designed to function correctly under real-world operating conditions. | |
| 1.3 | Voting system design supports evaluation methods enabling testers to clearly distinguish systems that correctly implement specified properties from those that do not. | |
| 2. High Quality Implementation | The voting system is implemented using high quality best practices. | |
| 2.1 | The voting system and its software are implemented using trustworthy materials and best practices in software development. | |
| 2.2 | The voting system is implemented using best practice user-centered design methods, for a wide range of representative voters, including those with and without disabilities, and election workers. | |
| 2.3 | Voting system logic is clear, meaningful, and well-structured. | |
| 2.4 | Voting system structure is modular, scalable, and robust. | |
| 2.5 | The voting system supports system processes and data with integrity. | |
| 2.6 | The voting system handles errors robustly and gracefully recovers from failure. | |
| 2.7 | The voting system performs reliably in anticipated physical environments. | |
| 3. Transparency | The voting system and voting processes are designed to provide transparency. | |
| 3.1 | The documentation describing the voting system design, operation, accessibility features, security measures, and other aspects of the voting system can be read and understood. |
|
| 3.2 | The processes and transactions, both physical and digital, associated with the voting system are readily available for inspection. | |
| 3.3 | The public can understand and verify the operations of the voting system throughout the entirety of the election. | |
| Interoperable | The voting system is designed to support interoperability in its interfaces to external systems, its interfaces to internal components, its data, and its peripherals. | |
| 4.1 | Voting system data that is imported, exported, or otherwise reported, is in an interoperable format. | |
| 4.2 | Standard, publicly-available formats for other types of data are used, where available. | |
| 4.3 | Widely-used hardware interfaces and communications protocols are used. | |
| 4.4 | Commercial-off-the-shelf (COTS) devices can be used when their usage meets applicable VVSG requirements. | |
| 5. Equivalent and Consistent Voter Access | All voters can access and use the voting system regardless of their abilities, without discrimination. | |
| 5.1 | Voters have a consistent experience throughout the voting process in all modes of voting. | |
| 5.2 | Voters receive equivalent information and options in all modes of voting. | |
| 6. Voter Privacy | Voters can mark, verify, and cast their ballot privately and independently. | |
| 6.1 | The voting process preserves the privacy of the voter's interaction with the ballot, modes of voting, and vote selections | |
| 6.2 | Voters can mark, verify and cast their ballot or other associated cast vote record, without assistance from others. | |
| 7. Marked, Verified, and Cast as Intended | Ballots and vote selections are presented in a perceivable, operable, and understandable way and can be marked, verified, and cast by all voters. | |
| 7.1 | The default voting system settings for displaying the ballot work for the widest range of voters, and voters can adjust settings and preferences to meet their needs. |
|
| 7.2 | Voters and election workers can use all controls accurately, and voters have direct control of all ballot changes. |
|
| 7.3 | Voters can understand all information as it is presented, including instructions, messages from the system, and error messages. | |
| 8. Robust, Safe, Usable, and Accessible | The voting system and voting processes provide a robust, safe, usable, and accessible experience for all users. | |
| 8.1 | The voting system’s hardware and accessories protect users from harmful conditionshe voting system’s hardware and accessories protect users from harmful conditions. | |
| 8.2 | The voting system meets currently accepted federal standards for accessibility. | |
| 8.3 | The voting system is measured with a wide range of representative voters, including those with and without disabilities, for effectiveness, efficiency, and satisfaction. | |
| 8.4 | The voting system is evaluated for usability by election workers. | |
| 9 Auditable | The voting system is auditable and enables evidence-based elections. | |
| 9.1 | An error or fault in the voting system software or hardware cannot cause an undetectable change in election results. | |
| 9.2 | The voting system produces readily available records that provide the ability to check whether the election outcome is correct and, to the extent possible, identify the root cause of any irregularities. | |
| 9.3 | Voting system records are resilient in the presence of intentional forms of tampering and accidental errors. | |
| 9.4 | The voting system supports efficient audits. | |
| 10. Ballot Secrecy | The voting system protects the secrecy of voters' ballot selections. | |
| 10.1 | Ballot secrecy is maintained throughout the voting process. | |
| 10.2 | The voting system does not contain nor produce records, notifications, information about the voter or other election artifacts that can be used to associate the voter’s identity with the voter’s intent, choices, or selections. | |
| 11. Access Control | The voting system authenticates administrators, users, devices and services before granting access to sensitive functions. | |
| 11.1 | Access privileges, accounts, activities, and authorizations are logged, monitored, and reviewed periodically and modified as needed. | |
| 11.2 | The voting system limits the access of users, roles, and processes to the specific functions and data to which each entity holds authorized access. | |
| 11.3 | The voting system supports strong, configurable authentication mechanisms to verify the identities of authorized users and includes multi-factor authentication mechanisms for critical operations. | |
| 11.4 | Default access control policies enforce the principles of least privilege and separation of duties. | |
| 11.5 | Logical access to voting system assets are revoked when no longer required. | |
| 12. Physical Security | The voting system prevents or detects attempts to tamper with voting system hardware. | |
| 12.1 | The voting system supports mechanisms to detect unauthorized physical access. | |
| 12.2 | The voting system only exposes physical ports and access points that are essential to voting operations. | |
| 13. Data Protection | The voting system protects sensitive data from unauthorized access, modification, or deletion. | |
| 13.1 | The voting system prevents unauthorized access to or manipulation of configuration data, cast vote records, transmitted data, or audit records. | |
| 13.2 | The source and integrity of electronic tabulation reports are verifiable. | |
| 13.3 | All cryptographic algorithms are public, well-vetted, and standardized. | |
| 13.4 | The voting system protects the integrity, authenticity, and confidentiality of sensitive data transmitted over all networks. | |
| 14. System Integrity |
The voting system performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental. |
|
| 14.1 | The voting system uses multiple layers of controls to provide redundancy against security failures or vulnerabilities. | |
| 14.2 | The voting system limits its attack surface by reducing unnecessary code, data paths, physical ports and by using other technical controls. | |
| 14.3 | The voting system maintains and verifies the integrity of software, firmware, and other critical components. | |
| 14.4 | Software updates are authorized by an administrator prior to installation. | |
| 15. Detection & Monitoring |
The voting system provides mechanisms to detect and remediate anomalous or malicious behavior. | |
| 15.1 | Voting system equipment records important activities through event logging mechanisms, which are stored in a format suitable for automated processing. | |
| 15.2 | The voting system generates, stores, and reports all error messages as they occur. | |
| 15.3 | The voting system employs mechanisms to protect against malware. | |
| 15.4 | A voting system with networking capabilities employs appropriate, well-vetted modern defenses against network-based attacks, commensurate with current best practice. | |
Associated Documents:
|
2017-06-16 - 18:08 |
|
Voting TWiki Archive (2015-2020): read-only, archived wiki site, National Institute of Standards and Technology (NIST)
ARCHIVE SITE DESCRIPTION AND DISCLAIMER
This page, and related pages, represent archived materials (pages, documents, links, and content) that were produced and/or provided by members of public working groups engaged in collaborative activities to support the development of the Voluntary Voting System Guidelines (VVSG) 2.0. These TWiki activities began in 2015 and continued until early 2020. During that time period, this content was hosted on a Voting TWiki site. That TWiki site was decommissioned in 2020 due to technology migration needs. The TWiki activities that generated this content ceased to operate actively through the TWiki at the time the draft VVSG 2.0 was released, in February of 2020. The historical pages and documents produced there have been archived now in read-only, static form.
- The archived materials of this TWiki (including pages, documents, links, content) are provided for historical purposes only.
- They are not actively maintained.
- They are provided "as is" as a public service.
- They represent the "work in progress" efforts of a community of volunteer members of public working groups collaborating from late 2015 to February of 2020.
- These archived materials do not necessarily represent official or peer-reviewed NIST documents nor do they necessarily represent official views or statements of NIST.
- Unless otherwise stated these materials should be treated as historical, pre-decisional, artifacts of public working group activities only.
- NIST MAKES NO WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT AND DATA ACCURACY.
- NIST does not warrant or make any representations regarding the correctness, accuracy, reliability or usefulness of the archived materials.
ARCHIVED VOTING TWIKI SITE MATERIALS
This wiki was a collaborative website. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these archived TWiki materials. Further, NIST does not endorse any commercial products that may be mentioned in these materials. Archived material on this TWiki site is made available to interested parties for informational and research purposes. Materials were contributed by Participants with the understanding that all contributed material would be publicly available. Contributions were made by Participants with the understanding that that no copyright or patent right shall be deemed to have been waived by such contribution or disclosure. Any data or information provided is for illustrative purposes only, and does not imply a validation of results by NIST. By selecting external links, users of these materials will be leaving NIST webspace. Links to other websites were provided because they may have information that would be of interest to readers of this TWiki. No inferences should be drawn on account of other sites being referenced, or not referenced, from this page or these materials. There may be other websites or references that are more appropriate for a particular reader's purpose.