National Institute of Standards and Technology’s Role in Voluntary Voting System Guidelines and Testing

Introduction

Chairman Clay, Ranking Member Turner, and members of the subcommittee, thank you for the opportunity to testify today on “NIST’s Role in Voluntary Voting System Guidelines and Testing.”

I will begin my testimony by reviewing NIST’s role in meeting the requirements of the Help America Vote Act (HAVA) of 2002, specifically in providing technical expertise towards the development of voluntary guidelines for voting systems and providing assistance to the Election Assistance Commission (EAC) with respect to voting system testing laboratories. I will discuss NIST’s role in producing the Voluntary Voting System Guidelines of 2005 (the VVSG 2005). As part of that discussion I will describe the major areas of change between the VVSG 2005 and its precursor, the 2002 Voting Systems Standard (VSS). I will also discuss our current efforts in voting, which center on producing the next iteration of the VVSG and producing an associated set of comprehensive test suites. Lastly, I will discuss the status of our work in assessing potential voting system testing laboratories and recommending them to the EAC for accreditation.

HAVA

NIST plays a significant role in the HAVA of 2002. HAVA provided for the creation of the Technical Guidelines Development Committee (TGDC) and mandated that the TGDC provide its first set of recommendations of voluntary voting system guidelines to the Election Assistance Commission (EAC) not later than nine months after all of its members have been appointed.

HAVA assigned three major items to NIST. First, NIST was tasked with the development of a report to assess the areas of human factors research, which could be applied to voting products and systems design to ensure the usability and accuracy of voting products and systems. Second, NIST was tasked with chairing and providing technical support to the TGDC, in areas including (a) the security of computers, computer networks, and computer data storage used in voting systems, (b) methods to detect and prevent fraud, (c) the protection of voter privacy, and (d) the role of human factors in the design and application of voting systems, including assistive technologies for individuals with disabilities and varying levels of literacy. Third, NIST is to conduct, on an on-going basis, an evaluation of independent, non-Federal laboratories and to submit to the EAC a list of those laboratories that NIST proposes to be accredited.

The first major item assigned by HAVA was the production of a human factors report. This report titled “Improving the Usability and Accessibility of Voting Systems and Products,” was completed by NIST in January 2004. It assesses human factors issues related to the process of a voter casting a ballot as he or she intends. The report recommends developing a set of performance-based usability standards for voting systems. Performance-based standards address results rather than equipment design. Such standards would leave voting machine vendors free to develop a variety of innovative products and not be limited by current or older technologies. The EAC delivered this report to Congress on April 30, 2004.

Second, HAVA assigned NIST the task of providing technical support to the TGDC in the development of voluntary voting system guidelines. These voluntary guidelines contain requirements for vendors when developing voting systems and for laboratories when testing whether the systems conform to, or meet, the requirements of the guidelines. The TGDC provides technical direction to NIST in the form of TGDC resolutions, and reviews and approves research material written by NIST researchers. The TGDC ultimately is responsible for approving the guidelines and submitting them to the EAC.

2005 VVSG and Prior Voting System Standards

I will now discuss NIST’s role in producing the VVSG 2005. As part of that discussion, I will include a brief history of the voting systems standards prior to the VVSG 2005 and will address how the VVSG 2005 differs from those versions.

The VVSG 2005 was built upon the strengths of the previous voting systems standards, which were promulgated by the Federal Election Commission (FEC). In 1984, Congress appropriated funds for the FEC to develop voluntary national standards for computer- based voting systems. This resulted in the production of the first set of voting system standards, which is generally referred to as the 1990 VSS, and a national testing effort for voting systems.

The national testing effort was developed and overseen by the National Association of State Election Director’s (NASED) Voting Systems Board, which was composed of election officials and independent technical advisors. The 1990 VSS was subsequently revised, beginning in 1999, to reflect the then current needs of the election community. This resulted in the 2002 VSS.

HAVA subsequently mandated that a new set of voting system recommendations be written and delivered to the EAC nine months after the final creation of the TGDC. To meet this very aggressive schedule, the TGDC organized into three subcommittees addressing the following areas of voting standards: core requirements and testing, human factors and privacy, and security and transparency. Over nine months, NIST and the TGDC conducted workshops, meetings, and numerous teleconferences to gather input, pass resolutions, and review and approve NIST-authored material. This was done in a fully transparent process, with meetings conducted in public and draft materials available over the web. The resulting document, now known as the VVSG 2005, was delivered on schedule to the EAC in May 2005.

How the VVSG 2005 Differs from the 2002 VSS

The VVSG 2005 enhanced areas of the 2002 VSS that needed improvement and included new material. The new material added more formalism and precision to the requirements using constructs and language commonly used in rigorous, well-specified standards. This included rules for determining conformance to the standard and a glossary for clarifying terms, which is very important when one considers that each voting jurisdiction may define terms differently.

The new material in the VVSG 2005 focused primarily on usability, accessibility, and security. The usability section included requirements on voting system controls, displays, font sizes, lighting, and response times. It also required voting systems to alert voters who make errors such as overvoting so as to reduce the overall number of spoiled ballots. The accessibility section was greatly expanded from the previous material and included requirements for voters with limited vision and other disabilities. It also addressed the privacy of voters who require assistive technology or alternative languages on ballots.

The VVSG 2005 included the first Federal standard for Voter Verified Paper Audit Trails (VVPAT). As you know, a majority of states (28) now require that their voting systems include a voter verified paper trail. The VVSG 2005 took no position regarding the implementation of VVPAT and neither required nor endorsed it. Thus, if states choose to implement VVPAT, the VVSG 2005’s requirements help to ensure that their VVPAT systems are usable, accessible, reliable and secure. The VVSG 2005 also contained requirements to make the paper record useful to election officials for audits of voting equipment.

The new security section also contained requirements for addressing how voting system software is to be distributed. This helps ensure that states and localities receive the correct version of the tested and certified voting system. Moreover, the section also included requirements for validating the voting system setup. This enables inspection of the voting system software after it has been loaded onto the voting system – again to ensure that the software running on the voting system is indeed the tested and certified software. Lastly, there are requirements governing how wireless communications are to be secured. The TGDC concluded then that the use of wireless technology should be approached with extreme caution but should still be permitted in the VVSG 2005 if security measures and contingency procedures are in effect. The TGDC has subsequently concluded that, for the next iteration of the VVSG, radio frequency (RF) wireless should be prohibited entirely.

The TGDC-approved version of the VVSG 2005 was sent to the EAC in May 2005. Following that, the EAC conducted a 90-day public review and received thousands of comments; NIST provided technical assistance to the EAC in addressing these comments. The version approved by the EAC includes changes that the EAC made after receiving and considering public comment.

Next Iteration of the VVSG

Immediately after completing its work on the VVSG 2005, NIST and the TGDC began working on the next iteration, which is currently planned for delivery to the EAC in July 2007.

This new VVSG builds upon the VVSG 2005 but takes a fresh look at many of the requirements. The new VVSG will be a larger, more comprehensive standard, with more thorough treatments of security areas and requirements for equipment integrity and reliability. The new VVSG will include updated requirements for accessibility and requirements for usability based on performance benchmarks. It will include updated requirements for data and documentation for testing laboratories. It will include a number of updated requirements dealing with voting equipment reliability, and will include many new requirements for improved security. As noted, it will prohibit radio frequency wireless communications, which includes the use of wireless local area networks. The requirements will be structured so as to improve their clarity to vendors and their testability by testing labs.

In December 2006, the TGDC approved a resolution to include requirements in the new VVSG only for those voting systems that are “software independent.” A voting system is software-independent if a previously undetected change or error in its software cannot cause an undetectable change or error in an election outcome. This means essentially that the system can be audited through the use of voter-verified paper records (VVPR) so that election fraud and errors that would result in changes to election outcomes can be reliably detected. The voting systems today that meet the requirements for software independence include optical scan and VVPAT.

However, the TGDC has recognized that innovations in voting systems that could produce more usable, accessible, and reliable designs need to be encouraged. Some innovations could result in secure voting systems that do not rely on VVPR, or that use VVPR in ways that are more convenient and simple for voters and election officials to handle. To that end, the TGDC will be including an Innovation Class in the new VVSG to assist in the eventual conformance of potential innovative voting system submissions.

NIST is developing an open, comprehensive set of test suites so that the requirements in the new VVSG can be tested uniformly and consistently by all of the testing laboratories. NIST’s development of this comprehensive set of test suites is a major undertaking and will add significantly to the confidence that voting systems laboratories are able to test voting systems correctly. Test suite development is planned to continue through 2007 and 2008. NIST plans to release the tests in stages.

Laboratory Accreditation

I will conclude my remarks with a status report on NIST’s third major responsibility under HAVA, laboratory evaluation. NIST has been directed to recommend qualified testing laboratories to the EAC for accreditation so that the laboratories may then test voting systems under the EAC’s Voting System Certification Program. To accomplish this, NIST is utilizing its National Voluntary Laboratory Accreditation Program (NVLAP). NVLAP is a voluntary, fee-supported program to accredit laboratories that are found competent to perform specific sorts of tests or calibrations. NVLAP procedures are codified in the Code of Federal Regulations (CFR, Title 15, Part 285).

Simply stated, NVLAP offers an unbiased third party evaluation and formal recognition that a laboratory is competent to carry out specific tests or calibrations. Expert technical assessors conduct a thorough evaluation of all aspects of laboratory operation that affect the production of test data, using recognized criteria and procedures. General criteria are based on the international standard ISO/IEC 17025, General requirements for the competence of testing and calibration laboratories, which is used for evaluating laboratories throughout the world. Laboratory accreditation bodies use this standard specifically to assess factors relevant to a laboratory’s ability to produce precise, accurate test data, including the technical competence of staff, validity and appropriateness of test methods, testing and quality assurance of test and calibration data.

With regard to voting systems, NIST relies on NVLAP to first accredit voting system testing laboratories according to NVLAP’s criteria, and then recommends them to the EAC. The EAC makes the final decision to accredit laboratories under the Commission’s full voting system testing laboratory accreditation program based upon the information provided by NIST and the Commission’s review of non-technical issues such as conflict- of-interest policies, organizational structure and record-keeping protocols. After the EAC accreditation, voting system vendors can then contract with these laboratories to test voting systems for the EAC’s certification program.

Those laboratories seeking accreditation by NVLAP and subsequent recommendation to the EAC are required to meet the general NVLAP criteria for accreditation and demonstrate that they are competent to test voting systems according to the requirements of the 2002 VSS and the VVSG 2005. Rigorous onsite assessments must be conducted and laboratories undergoing assessment must resolve any identified nonconformities before NIST will recommend a laboratory to the EAC. NVLAP assessments have paid particular attention to determining laboratory competence to test to new material included in the VVSG 2005 on voting system usability, accessibility and security.

To ensure continued compliance with NVLAP requirements, voting system testing laboratories undergo an onsite assessment before initial accreditation, then during the first renewal year, and then every two years thereafter to evaluate their ongoing compliance with specific accreditation criteria.

In January, 2007, NIST informed the EAC that it had completed a comprehensive technical evaluation of the competence of two laboratories to test voting systems to Federal standards and proposed that iBeta Quality Assurance and SysTest Labs be accredited by the EAC under the provisions of HAVA. The letter to the EAC, and its attachment, can be viewed at http://vote.nist.gov/LabRec.htm.

Currently, NVLAP is proceeding with the evaluation of five other applicant laboratories: InfoGard Laboratories, Inc.; Aspect Labs, a division of BKP Security Labs; Wyle Laboratories; Ciber Labs; and atsec information security corporation.

NIST recognizes that transparency is the key to building public trust and confidence in voting systems. To that end, we have posted a document that addresses related questions

on the same website that explains the details of the NVLAP evaluation process for voting system testing laboratories. In addition, for each laboratory NIST has recommended to the EAC, we have publicly posted the assessment report and the laboratory’s detailed response to that report at http://vote.nist.gov/LabRec.htm. These reports contain substantial detail that underlies the basis for NIST’s recommendation.

Conclusion

NIST is pleased to be working on this matter of national importance with our EAC and TGDC partners. NIST has a long history of writing voluntary standards and guidelines and developing test suites to help ensure compliance to these standards and guidelines. NIST is using its expertise to work with our partners to produce precise, testable voting system guidelines and tests that will reduce voting system errors and increase voter confidence, usability, and accessibility.

Thank you for the opportunity to testify. I would be happy to answer any questions the Subcommittee might have.