NIST HAVA-Related Work: Status and Plans
June 16, 2005
National Institute of Standards and Technology
http://vote.nist.gov


6/10/2005 - page 2

Voluntary Voting System Guidelines (VVSG) Implementation Strategy

Develop best long-term voting systems guidelines possible
    Build on strengths of 2002 VSS
    Significantly enhance areas needing improvement
    Reorganize for clarity and testability
Provide guidance to states in time for 2006 election cycle
    Implied need to minimize changes to 2000 to VSS while filling in 2002 VSS gaps
    Implied need to require only what is possible by 2006
Thus, two guidelines developed:
    VVSG Version 1 – augmented 2002 VSS for 2006
    VVSG Version 2 – new, redesigned guideline


Overview of NIST Work

NIST worked with Technical Guidelines Development Committee (TGDC) to augment 2002 VSS
NIST/TGDC developed augmented version of Voluntary Voting System Guidelines (VVSG Version 1) in open process, Sep ’04 – May ’05
NIST delivered VVSG Version 1 to EAC on May 9
NIST now vetting outline for VVSG Version 2 with TGDC
NIST will work with TGDC subcommittees on VVSG Version 2 development, plan future meetings (next is Sep ’05)


VVSG Version 1 Overview

Two volumes
    Volume I, the performance provisions of the guidelines
    Volume II, how conformance is to be tested
Improves the 2002 VSS by addressing
    Human Factors
    VVPAT (Voter Verified Paper Audit Trails)
    Wireless
    Software Distribution and Setup Validation
    Conformance, Glossary, Error Rates
Sets stage for VVSG Version 2 (under development)
    Expanded Human Factors
    Independent Dual Verification


VVSG Version 2

A comprehensive standards guideline
A complete rewrite of 2002 VSS with updated and expanded material
4 Volumes:
    Product requirements
    Terminology
    Requirements for data from vendor to be provided to testing lab
    Testing requirements
Will draw from VSS, IEEE P1583, Federal and other standards
Will include material from VVSG Version 1 and other material as directed by TGDC resolutions from Jan ’05


VVSG Version 1 and 2 Current Status

VVSG Version 1 delivered to EAC May 9, 2005
NIST will monitor public comments on VVSG Version 1 while working on VVSG Version 2
VVSG Version 2 outline has been developed; NIST and TGDC working to create final version of outline
Research underway:
    Meetings with vendors
    Working with usability and accessibility experts
    Threat analysis development
    Preliminary requirements development


Detailed Presentation Outline

NIST HAVA Responsibilities
Current status of voting work at NIST
Overview of Voluntary Voting Systems Guidelines Version 1 (VVSG Version 1)
Plans for VVSG Version 2
Comments/Questions


NIST HAVA Responsibilities

Chair the Technical Guidelines Development Committee (TGDC)
Provide technical support to the TGDC in the development of Voluntary Voting System Guidelines (VVSG) including:
    Security
    Methods to detect and prevent fraud
    Human factors, including technologies for individuals with disabilities
Deliver initial VVSG to EAC 9 months after TGDC appointments (May 9, 2005)


Voluntary Voting System Guidelines (VVSG) Implementation Strategy

Develop best long-term voting systems guidelines possible
    Build on strengths of 2002 VSS
    Significantly enhance areas needing improvement
    Reorganize for clarity and testability
Provide guidance to states in time for 2006 election cycle
    Implied need to minimize changes to 2000 to VSS while filling in 2002 VSS gaps
    Implied need to require only what is possible by 2006
Thus, two guidelines developed:
    VVSG Version 1 – augmented 2002 VSS for 2006
    VVSG Version 2 – new, redesigned guideline


NIST/TGDC Activities - 1

July 2004: 1st TGDC meeting
    Organizational, divided into 3 subcommittees:
        Human factors and privacy
        Core requirements and testing
        Security and transparency
Sep 2004: information gathering meeting for the TGDC
    Heard public input from voting officials, vendors
October 2004: posted voting software hashes
    For use by state and local officials
    Used NIST National Software Reference Library http://www.nsrl.nist.gov


NIST/TGDC Activities - 2

January 2005: VVSG Version 1 organization
    Discussed, adopted 35 resolutions affecting development of VVSG Version 1 and VVSG Version 2
    EAC requests NIST develop VVPAT requirements
March 2005: VVSG Version 1 preliminary drafts
    Commented on presentations, materials from NIST staff
    EAC requests additional security material for VVSG Version 1
April 2005: final draft and VVSG Version 1 adoption
    Commented on final materials from NIST staff
    NIST directed to make final edits and deliver to EAC
May 9, 2005: VVSG Version 1 delivered to EAC


Current Status

NIST presented the VVSG Version 1 to the TGDC during April 20-21 meetings
NIST updated VVSG Version 1 with TGDC edits, delivered to EAC on May 9
NIST now vetting outline for VVSG Version 2 with TGDC
NIST will work with TGDC subcommittees on VVSG Version 2 development, plan future meetings (next is Sep ’05)
NIST planning to monitor public comments on VVSG Version 1 while writing VVSG Version 2


VVSG Version 1 Overview

Two volumes
    Volume I, the performance provisions of the guidelines
    Volume II, the testing specification
Improves the 2002 VSS by addressing
    Human Factors
    VVPAT
    Wireless
    Software Distribution and Setup Validation
    Conformance, Glossary, Error Rates
Sets stage for new version under development
    Expanded Human Factors
    Independent Dual Verification


Major Organizational Changes in VVSG Version 1

1. Best Practices for Voting Officials

2. Voting Process

3. Structure of Requirements


Best Practices for Voting Officials

VSS 2002 contained requirements for voting systems and testing entities

Requirements in VVSG Version 1 for wireless, VVPAT, human factors, etc. depend on voting officials developing and carrying out appropriate procedures

VVSG Version 1 contains best practices for voting officials

These are not testable and conformance cannot be determined

Best Practices for Voting Officials are contained in Appendix C of Volume I


Voting Process

VSS 2002 defined three major stages of voting
    Pre-voting
    Voting
    Post-voting

New sections designate which stage the requirements pertain to

VVSG Version 2 will contain a more detailed voting process model


Structure of Requirements

New sections of the VVSG Version 1 contain a more structured approach
Each requirement is numbered according to a hierarchical scheme
Higher level requirements are supported by lower level requirements
Higher level requirements may not be directly testable but can be “indirectly” tested via their lower level requirements


New Material in VVSG Version 1

1. Conformance Clause

2. Human Factors

3. Security Overview – IDV Systems

4. VVPAT

5. Wireless

6. Software Distribution/Setup Validation

7. Glossary

8. Error Rates


Conformance Clause

VSS-2002 did not include a conformance clause
Conformance: the fulfillment by a product, process, or service of requirements as specified in a standard or specification
The conformance clause of a standard specification is a high-level description of what is required of implementers and developers
    Refers to other parts of the standard
    Specifies minimal requirements for certain functions and implementation-dependent values
    Specifies the permissibility of extensions, options, and alternative approaches and how they are to be handled


Human Factors

The VSS-2002, Volume 1 Section 2.2.7, addressed Accessibility; Section 3.4.9 addressed Human Engineering—Controls and Displays; Appendix C addressed Usability

VVSG Version 1 replaces these items with a new Section 2.2.7 that addresses Human Factors including accessibility, usability, and limited English proficiency

Incorporates the two NASED Technical Guides (Guide #1 and Guide #2)

VVSG Version 2 will contain performance-based requirements (specifies how voting systems must perform)


Human Factors

4 Areas:
    Accessibility
    Usability
    Limited English Proficiency
    Privacy
Based on current state of the art
Require more advanced accessibility but still in industry state of the art
    Synchronized audio and video
Performance measures for usability


Security Overview

New security Section 6.0, with 4 parts:
    Overview of Independent Dual Verification (IDV) voting systems (informative only, not required for 2006)
    VVPAT Requirements
    Wireless Requirements
    Software Distribution/Setup Validation Requirements


Independent Dual Verification

Requires voting systems to produce 2nd record of votes for ballot record integrity and auditability

Required as part of standard computerized record-keeping practices

Current approaches include
    Split process systems
    Witness systems – recently marketed
    Cryptographic-based systems – available today
    VVPAT, modified Op Scan – available today

New Appendix D contains in-depth IDV discussion

IDV systems expected to evolve significantly in VVSG Version 2


VVPAT

The VSS-2002 contained no requirements for voter verified paper audit trails (VVPAT)
Vendors, most States in need of consistent, common guidance
TGDC directed by EAC to produce VVPAT guidance for States requiring VVPAT
VVPAT a form of IDV
VVSG does not require or endorse VVPAT
Methods other than VVPAT can provide ways to achieve IDV, as explained in Security Overview
NIST used CA State, IEEE standards, and enacted State legislation as initial basis


Wireless Technology

TGDC concluded that use of wireless technology introduces risk and should be approached with caution

VVSG Version 1 includes new section on wireless that augments the general telecommunications requirements in Volume 1, Section 5

Requires that wireless transmissions be encrypted to protect against a variety of security problems

Requires wireless to be turned on/off under controlled conditions

Requires backup procedures in case wireless fails


Software Distribution

Helps to ensure correct version of voting software is used
Helps to ensure voting software is set up correctly
Uses NIST’s National Software Reference Library at http://www.nsrl.nist.gov
This section of VVSG Version 1 builds on the VSS-2002 to include use of this repository and other validation mechanisms


Glossary

Common terminology forms basis for understanding requirements and for discussing improvements

This glossary contains terms from the VSS-2002 and additional terms needed to understand voting and related areas, e.g., security, human factors, testing

Terms in glossary include a definition and its source, and an association as to the domain for which the term applies

Also available in a web-based on-line version at http://www.nist.gov/votingglossary.


VVSG Version 2

A comprehensive standards guideline, a complete rewrite of 2002 VSS with updated and expanded material

Will draw from VSS, IEEE P1583, Federal and other standards

Will include material from VVSG Version 1 and other material as directed by TGDC resolutions from Jan ’05


Major Goals for VVSG Version 2

Provide complete and comprehensive guideline for vendors and test labs

Provide clear, usable requirements discussion with associated test methods

Address security and human factors developments since 2002 VSS

Respond to all TGDC Jan’05 resolutions


VVSG Version 2 Overview

4 major sections:
    A product standard, containing general and voting-activity related requirements (e.g., setup, cast, count, …)
    A terminology standard (NIST glossary)
    A standard on data to be provided by testing authorities or the vendor
    A testing standard including all test methods, testing requirements, evaluation guidelines, test cases, etc.


VVSG Version 2 Current Status

Detailed outline has been developed; NIST and TGDC working to create final version of outline

Research underway:
    Meetings with vendors
    Working with usability and accessibility experts
    Threat analysis under development
    Preliminary requirements development underway


Comments/Questions