COMMITTEE SENSITIVE—RUSSIA INVESTIGATION ONLY
an implementation plan requiring that all new voting systems be tested against the VVSG 1.1 beginning in July 2017. VVSG 1.1 has since been succeeded by version 2.0, which was released for a 90-day public comment period on February 15, 2019. The EAC will compile the feedback for Commissioners to review shortly thereafter.[1] VVSG 2.0 includes the following minimum security guidelines:
- (U) An error or fault in the voting system software or hardware cannot cause an undetectable change in election results. (9.1)
- (U) The voting system produces readily available records that provide the ability to check whether the election outcome is correct and, to the extent possible, identify the root cause of any irregularities. (9.2)
- (U) Voting system records are resilient in the presence of intentional forms of tampering and accidental errors. (9.3)
- (U) The voting system supports strong, configurable authentication mechanisms to verify the identities of authorized users and includes multi-factor authentication mechanisms for critical operations. (11.3)
- (U) The voting system prevents unauthorized access to or manipulation of configuration data, cast vote records, transmitted data, or audit records. (13.1)
- (U) The voting system limits its attack surface by reducing unnecessary code, data paths, physical ports, and by using other technical controls. (14.2)
- (U) The voting system employs mechanisms to protect against malware. (15.3)
- (U) A voting system with networking capabilities employs appropriate, well-vetted modern defenses against network-based attacks, commensurate with current best practice. (15.4)
- ↑ (U) EAC Commissioners Unanimously Vote to Publish VVSG 2.0 Principles and Guidelines for Public Comment: https://www.eac.gov/news/2019/02/15/eac-commissioners-unanimously-vote-to-publish-vvsg-20-principles-and-guidelines-for-public-comment/; February 15, 2019.
- ↑ (U) SSCI Transcript of the Open Hearing on Election Security, held on March 21, 2018, p. 47.