VVSG Update: Possible Next Steps by the Election Assistance Commission
Last week the Board of Advisors of the Election Assistance Commission (EAC) met over two days to discuss pending and new business. While this meeting (and most meetings of the EAC and its boards) covered many topics, the items having to do with the Voluntary Voting System Guidelines (VVSG) are worth passing along.
The staff at the National Institute of Standards and Technology was asked to investigate several technical questions related to the VVSG. They are:
Alternatives to Software Independence (SI)
Standards for Ballot-on-Demand systems
Impact of VVSG on vote-by-phone
Consequences of separately testing and certifying election system components
Impact of VVSG on early voting and vote centers
Alternatives to goal level requirements in the VVSG (requirements that state a goal but are not easily testable – if testable at all)
The alternatives to SI studied by NIST included end-to-end encryption, independent dual verification, and a secure audit port. Removing SI from the Innovation Class was also mentioned (it could be replaced by a focus on auditability and trustworthiness). The preliminary results described by the NIST staff indicated that each of these alternatives have their own issues in terms of complying with the VVSG, and more research is necessary to see if they would be viable. The NIST staff will submit their final research on these areas in September.
EAC staff reported on the progress in the VVSG and steps that remain in the process. Approximately 2600 comments were received in the first comment period. After the Commission’s initial review, they noted 3 major areas needing further research and/or revision: SI, the Innovation Class, and open-ended vulnerability testing. Another area that needs work is a risk assessment for voting systems, which is EAC staff outlined some possible scenarios for the process going forward:
Prepare a second round of comments, without incorporating the further research currently underway at NIST.
Wait until after September, and the NIST research is completed, before preparing for a second round of comments.
Approve in stages, with material not needing further research incorporated into the VVSG .
At the moment, none of the presentations are currently online. They should be added as part of the minutes once those have been approved. Check this page for updates.