Summary of Changes and Public Comments

Summary of Comments.Lab Accreditation Manual.pdf

EAC Voting System Test Laboratory Program Manual

OMB: 3265-0013

Summary of and Response to Comments on the U.S. Election Assistance
Commission’s Voting System Test Laboratory Accreditation Program
Manual

The EAC did not receive any comments regarding the Paperwork Reduction Act (PRA)
requirements of this information collection. In accordance with the PRA, the information
collection was published in the Federal Register on February 2, 2008 (73 FR 6494) and
on August 25, 2008 (73 FR 50140). However, in addition to the PRA notices, the EAC
requested substantive comments on the Voting System Test Laboratory Accreditation
Program Manual on February 2, 2008 (73 FR 6495). The EAC received thirty-eight
substantive comments from the public. The majority of these comments came from
voting system test laboratories, with the remainder coming from the general public. As
such, the comments are described below along with a summary of changes made to the
information collection since it was first published in the Federal Register.

The majority of comments received by the Commission raised concerns or questioned the
meaning or application of various provisions of the manual. Another block of comments
was less specific and focused on the fundamental purpose behind the program or its
basic methodology. Comments in this category included concerns regarding the level of
allowable participation by manufacturers in the testing process and the responsibilities of
Voting System Test Laboratories regarding third-party testing. Finally, there was a
range of specific recommendations on a wide variety of topics. Examples include: (1)
changing the scope of core and non-core testing; (2) clarifying who is responsible for the
validation of test methods; (3) allowing hardware mitigation by the manufacturer; (4)
clarifying the scope of the use of prior testing in a testing campaign; (5) clarifying the
restriction on testing at manufacturer-owned or controlled facilities and the allowance of
such activity in conjunction with the witness or trusted build; and (6) placing the
responsibility for the proper identification of proprietary information on the manufacturer
and not on the testing laboratory.

The EAC reviewed and considered each of the comments presented. In doing so, it also
gathered additional information and performed research regarding the suggestions. The
EAC’s commitment to public participation is evident in the final version of the
Laboratory Manual. The Manual has been enhanced in a number of areas in response to
public comment. A total of about five pages have been added to the Manual.
Throughout the entire Manual, the EAC added or amended language to clarify its
procedures consistent with the comments it received. For example, to further clarify
terminology used throughout the Manual, eight terms were newly defined or significantly
clarified in the definition section of Chapter 1. Additionally, the EAC made changes to
clarify the independent role of Voting System Test Labs in the program, enhance the
supervision requirements of EAC-accredited laboratories over third-party contracted
laboratories, and further define the level of detail required by the EAC on test plans, test
cases, and test reports. Finally, the EAC clarified financial stability documentation
requirements for laboratories seeking accreditation.

Significant Changes to Manual by Chapter

Chapter 1
⎯ Added definitions for Lead Voting System Test Laboratory and ISO/IEC.
Chapter 2
⎯ Added the parent corporation to the entities covered by the prohibited practices
restrictions.
⎯ 2.5.2. Added a restriction limiting the laboratory, Parent Corporation, or laboratory
employee from participating in the development of a voting system.
⎯ 2.5.2.1.3. Added a section allowing the manufacturer to conduct hardware
mitigation at the laboratory's facility given certain conditions defined in 2.5.2.1.3.1. –
2.5.2.1.3.5.
⎯ 2.5.3.1.1. and 2.5.3.2.1. Required annual collection of conflict of interest
documentation.
⎯ 2.5.3.3.1.1. Added that the collection of any information from third party
laboratories for the purposes of conflict of interest shall be done prior to the execution
of a contract and annually from that point on.
⎯ 2.5.3.3.2. Added clarifying language regarding VSTL direct supervision of third
party testing in lieu of collecting information regarding conflict of interest. The
VSTL may now directly supervise the third party laboratory with an employee who is
properly informed regarding the conflict of interest provisions, is competent to
supervise the testing being performed, and has no financial interest in the third party
laboratory they are supervising.
⎯ 2.5.4.4. Added a requirement for the EAC’s program director to publish all waiver
denials regarding prohibited practices and conflicts of interest.
⎯ 2.10.2. Added a section requiring the submission of test cases by the VSTL for
EAC review.
⎯ 2.10.3. Added a section regarding the level of testing expected by the EAC
including ISO and NIST practices.
⎯ 2.10.4.1. Removed cryptographic testing from the definition of Core Testing.
⎯ 2.10.4.2. Added a section allowing for the use of non-accredited laboratories for
non-core testing provided (1) there is no recognized laboratory available to do the
testing and (2) the VSTL has conducted a thorough assessment of the lab's
capabilities.
⎯ Added footnote #4 defining non-core cryptographic testing.
⎯ 2.10.6. Removed the presumption of validity of previously performed tests by a
VSTL. Instead, VSTLs may choose to use previously performed tests if certain
conditions are met.
⎯ 2.10.6.4. Created a requirement for the VSTL to review all prior testing before
use and confirm that there are no errors or omissions in the testing. All errors or
omissions shall be reported to the EAC.
⎯ 2.11.1. Defined participation in testing by a manufacturer to include but not be
limited to the observation of testing by the manufacturer.
⎯ Added footnote #6 limiting the definition of testing activities to not include
trusted or witness builds.
⎯ 2.11.5. Defined and provided examples of “substantive discussions” between the
manufacturer and the VSTL that must be documented.
⎯ 2.14.1-2.14.2. Defined standards of documentation for VSTL financial stability in
the areas of solvency and insurance coverage.
⎯ Added footnote #7 allowing VSTLs to go to the manufacturers' facilities for the
creation of witness and trusted builds.
Chapter 3
⎯ 3.4.1.9. Added a requirement for the laboratories to provide documentation of
their commercial general liability.
Chapter 4
No Changes
Chapter 5
⎯ 5.7. Added section requiring a VSTL who has had its accreditation revoked prior
to the completion of testing to provide all required information contained in section
2.10.7. of the manual. Also, added a reference to section 4.3.1.2. of the EAC’s
Voting System Testing and Certification Program Manual allowing manufacturers
to request a replacement VSTL in certain circumstances.
Chapter 6
No Changes
Chapter 7
⎯ Added footnote #9 allowing the VSTLs to ask the manufacturer’s help in
identifying any information it believes to be a trade secret or confidential
commercial information, provided all communications are made in writing.
Appendix A
No Changes
Appendix B
No Changes
Appendix C
⎯ Added the certification of laboratory conditions and practices letter that must be
submitted by the VSTL before it can be accredited.

Appendix D
No Changes


File Type: application/pdf
File Title: Summary of and Response to Comments on the U
Author: Matthew Masterson
File Modified: 2008-08-27
File Created: 2008-08-27