Download:
pdf |
pdfUnited States
Election Assistance
Commission
1225 New York Avenue. N.W.
Ste.1100
Washington, DC 20005
202-566-3100
Testing and Certification
Program Manual
Version 1.0 - Effective January 1, 2007
www.eac.gov
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
The reporting requirements in this manual have been approved under the Paperwork Reduction
Act of 1995, Office of Management and Budget Control (OMB) Number 3265-0004, expiring
March 31, 2007. Persons are not required to respond to this collection of information unless it
displays a currently valid OMB number. Information gathered pursuant to this document and its
forms will be used solely to administer the EAC Testing and Certification Program. This
program is voluntary. Individuals who wish to participate in the program, however, must meet
its requirements. The estimated total annual hourly burden on the voting system manufacturing
industry and election officials is 114 hours. This estimate includes the time required for
reviewing the instructions, gathering information, and completing the prescribed forms. Send
comments regarding this burden estimate or any other aspect of this collection, including
suggestions for reducing this burden, to the U.S. Election Assistance Commission, Voting System
Testing and Certification Program, Office of the Program Director, 1225 New York Avenue,
NW, Suite 1100, Washington, D.C. 20005.
i
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
Table of Contents
1.
Introduction .............................................................................................................. 1
2.
Manufacturer Registration...................................................................................... 11
3.
When Voting Systems Must Be Submitted for Testing and Certification ................ 17
4.
Certification Testing and Technical Review ........................................................... 25
5.
Grant of Certification .............................................................................................. 32
6.
Denial of Certification ............................................................................................. 39
7.
Decertification ........................................................................................................ 45
8.
Quality Monitoring Program ................................................................................... 56
9.
Requests for Interpretations ................................................................................... 60
10. Release of Certification Program Information ........................................................ 64
Appendix A. Manufacturer Registration Application Form ............................................. 69
Appendix B. Application for Voting System Testing Form ............................................. 70
Appendix C. Voting System Anomaly Reporting Form .................................................. 71
ii
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
1.
Introduction
1.1. Background. The Federal Election Commission (FEC) adopted the first formal set of
voluntary Federal standards for computer-based voting systems in January 1990. At that time,
no national program or organization existed to test and certify such systems to the standards.
The National Association of State Election Directors (NASED) stepped up to fill this void in
1994. NASED is an independent, nongovernmental organization of State election officials. The
organization formed the Nation’s first national program to test and qualify voting systems to
the new Federal standards. The organization worked for more than a decade, on a strictly
voluntary basis, to help ensure the reliability, consistency, and accuracy of voting systems
fielded in the United States. In late 2002, Congress passed the Help America Vote Act of 2002
(HAVA). HAVA created the U.S. Election Assistance Commission (EAC) and assigned to the
EAC the responsibility for both setting voting system standards and providing for the testing
and certification of voting systems. This mandate represented the first time the Federal
government provided for the voluntary testing, certification, and decertification of voting
systems nationwide. In response to this HAVA requirement, the EAC has developed the
Voting System Testing and Certification Program (Certification Program).
1.2. Authority. HAVA requires that the EAC certify and decertify voting systems. Section
231(a)(1) of HAVA specifically requires the EAC to “… provide for the testing, certification,
decertification and recertification of voting system hardware and software by accredited
laboratories.” The EAC has the sole authority to grant certification or withdraw certification at
the Federal level, including the authority to grant, maintain, extend, suspend, and withdraw the
right to retain or use any certificates, marks, or other indicators of certification.
1.3. Scope. This Manual provides the procedural requirements of the EAC Voting System Testing
and Certification Program. Although participation in the program is voluntary, adherence to the
program’s procedural requirements is mandatory for participants. The procedural requirements
of this Manual supersede any prior voting system certification requirements issued by the
EAC.
1.4. Purpose. The primary purpose of the EAC Certification Program Manual is to provide clear
procedures to Manufacturers for the testing and certification of voting systems to specified
Federal standards consistent with the requirements of HAVA Section 231(a)(1). The program,
however, also serves to do the following:
1.4.1. Support State certification programs.
1.4.2. Support local election officials in the areas of acceptance testing and pre-election
system verification.
1.4.3. Increase quality control in voting system manufacturing.
1.4.4. Increase voter confidence in the use of voting systems.
1
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
1.5. Manual. This Manual is a comprehensive presentation of the EAC Voting System Testing and
Certification Program. It is intended to establish all of the program’s administrative
requirements.
1.5.1. Contents. The contents of the Manual serve as an overview of the program itself. The
Manual contains the following chapters:
1.5.1.1. Manufacturer Registration. Under the program, a Manufacturer is required to
register with the EAC prior to participation. This registration provides the
EAC with needed information and requires the Manufacturer to agree to the
requirements of the Certification Program. This chapter sets out the
requirements and procedures for registration.
1.5.1.2. When Voting Systems Must Be Submitted for Testing and Certification. All
voting systems must be submitted consistent with this Manual before they
may receive a certification from the EAC. This chapter discusses the various
circumstances that require submission to obtain or maintain a certification.
1.5.1.3. Certification Testing and Review. Under this program, the testing and review
process requires the completion of an application, employment of an EACaccredited laboratory for system testing, and technical analysis of the
laboratory test report by the EAC. The result of this process is an Initial
Decision on Certification. This chapter discusses the required steps for voting
system testing and review.
1.5.1.4. Grant of Certification. If an Initial Decision to grant certification is made, the
Manufacturer must take additional steps before the Manufacturer may be
issued a certification. These steps require the Manufacturer to document the
performance of a trusted build (see definition at Section 1.16), the deposit of
software into a repository, and the creation of system identification tools. This
chapter outlines the action that a Manufacturer must take to receive a
certification and the Manufacturer’s post-certification responsibilities.
1.5.1.5. Denial of Certification. If an Initial Decision to deny certification is made, the
Manufacturer has certain rights and responsibilities under the program. This
chapter contains procedures for requesting reconsideration, opportunity to
cure defects, and appeal.
1.5.1.6. Decertification. Decertification is the process by which the EAC revokes a
certification it previously granted to a voting system. It is an important part of
the Certification Program because it serves to ensure that the requirements of
the program are followed and that certified voting systems fielded for use in
Federal elections maintain the same level of quality as those presented for
testing. This chapter sets procedures for Decertification and explains the
Manufacturer’s rights and responsibilities during that process.
2
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
1.5.1.7. Quality Monitoring Program. Under the Certification Program, EAC will
implement a quality monitoring process that will help ensure that voting
systems certified by the EAC are the same systems sold by Manufacturers.
The quality monitoring process is a mandatory part of the program and
includes elements such as fielded voting system review, anomaly reporting,
and manufacturing site visits. This chapter sets forth the requirements of the
Quality Monitoring Program.
1.5.1.8. Requests for Interpretations. An Interpretation is a means by which a
registered Manufacturer or Voting System Test Laboratory (VSTL) may seek
clarification on a specific Voluntary Voting System Guidelines (VVSG)
standard. This chapter outlines the policy, requirements, and procedures for
requesting an Interpretation.
1.5.1.9. Release of Certification Program Information. Federal law protects certain
types of information individuals provided the government from release. This
chapter outlines the program’s policies, sets procedures, and discusses
responsibilities associated with the public release of potential protected
commercial information.
1.5.2. Maintenance and Revision. This Manual, which sets the procedural requirements for a
new Federal program, is expected to be improved and expanded as experience and
circumstances dictate. The Manual will be reviewed periodically and updated to meet
the needs of the EAC, Manufacturers, VSTLs, election officials, and public policy. The
EAC is responsible for revising this document. All revisions will be made consistent
with Federal law. Substantive input from stakeholders and the public will be sought
whenever possible, at the discretion of the agency. Changes in policy requiring
immediate implementation will be noticed via policy memoranda and will be issued to
each registered Manufacturer. Changes, addendums, or updated versions will also be
posted to the EAC Web site at www.eac.gov.
1.6. Program Methodology. EAC’s Voting System Testing and Certification Program is but one
part of the overall conformity assessment process that includes companion efforts at the State
and local levels.
1.6.1. Federal and State Roles. The process to ensure that voting equipment meets the
technical requirements is a distributed, cooperative effort of Federal, State, and local
officials in the United States. Working with voting equipment Manufacturers, these
officials each have unique responsibility for ensuring that the equipment a voter uses on
Election Day meets specific requirements.
1.6.1.1. The EAC Program has primary responsibility for ensuring that voting systems
submitted under this program meet Federal standards established for voting
systems.
3
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
1.6.1.2. State officials have responsibility for testing voting systems to ensure that
they will support the specific requirements of each individual State. States
may use EAC VSTLs to perform testing of voting systems to unique State
requirements while the systems are being tested to Federal standards. The
EAC will not, however, certify voting systems to State requirements.
1.6.1.3. State or local officials are responsible for making the final purchase choice.
They are responsible for deciding which system offers the best fit and total
value for their specific State or local jurisdiction.
1.6.1.4. State or local officials are also responsible for acceptance testing to ensure
that the equipment delivered is identical to the equipment certified on the
Federal and State levels, is fully operational, and meets the contractual
requirements of the purchase.
1.6.1.5. State or local officials should perform pre-election logic and accuracy testing
to confirm that equipment is operating properly and is unmodified from its
certified state.
1.6.2. Conformity Assessment, Generally. Conformity assessment is a system established to
ensure that a product or service meets the requirements that apply to it. Many
conformity assessment systems exist to protect the quality and ensure compliance with
requirements of products and services. All conformity assessment systems attempt to
answer a variety of questions:
1.6.2.1. What specifications are required of an acceptable system? For voting systems,
the EAC voting system standards (VVSG and Voting System Standards
[VSS]) address this issue. States and local jurisdictions also have
supplementing standards.
1.6.2.2. How are systems tested against required specifications? The EAC Voting
System Testing and Certification Program is a central element of the larger
conformity assessment system. The program, as set forth in this Manual,
provides for the testing and certification of voting systems to identified
versions of the VVSG. The Testing and Certification Program’s purpose is to
ensure that State and local jurisdictions receive voting systems that meet the
requirements of the VVSG.
1.6.2.3. Are the testing authorities qualified to make an accurate evaluation? The
EAC accredits VSTLs, after the National Institute of Standards and
Technology (NIST) National Voluntary Lab Accreditation Program (NVLAP)
has reviewed their technical competence and lab practices, to ensure these test
authorities are fully qualified. Furthermore, EAC technical experts review all
test reports from accredited laboratories to ensure an accurate and complete
evaluation. Many States provide similar reviews of laboratory reports.
4
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
1.6.2.4. Will Manufacturers deliver units within manufacturing tolerances to those
tested? The VVSG and this Manual require that vendors have appropriate
change management and quality control processes to control the quality and
configuration of their products. The Certification Program provides
mechanisms for the EAC to verify Manufacturer quality processes through
field system testing and manufacturing site visits. States have implemented
policies for acceptance of delivered units.
1.7. Program Personnel. All EAC personnel and contractors associated with this program will be
held to the highest ethical standards. All agents of the EAC involved in the Certification
Program will be subject to conflict-of-interest reporting and review, consistent with Federal
law and regulation.
1.8. Program Records. The EAC Program Director is responsible for maintaining accurate records
to demonstrate that the testing and certification program procedures have been effectively
fulfilled and to ensure the traceability, repeatability, and reproducibility of testing and test
report review. All records will be maintained, managed, secured, stored, archived, and
disposed of in accordance with Federal law, Federal regulations, and procedures of the EAC.
1.9. Submission of Documents. Any documents submitted pursuant to the requirements of this
Manual shall be submitted:
1.9.1. If sent electronically, via secure e-mail or physical delivery of a compact disk, unless
otherwise specified.
1.9.2. In a Microsoft Word or Adobe PDF file, formatted to protect the document from
alteration.
1.9.3. With a proper signature when required by this Manual. Documents that require an
authorized signature may be signed with an electronic representation or image of the
signature of an authorized management representative and must meet any and all
subsequent requirements established by the Program Director regarding security.
1.9.4. If sent via physical delivery, by Certified Mail™ (or similar means that allowes
tracking) to the following address:
Testing and Certification Program Director
U.S. Election Assistance Commission
1225 New York Avenue, NW, Suite 1100
Washington, D.C. 20005
1.10. Receipt of Documents—Manufacturer. For purposes of this Manual, a document, notice, or
other communication is considered received by a Manufacturer upon one of the following:
1.10.1. The actual, documented date the correspondence was received (either electronically or
physically) at the Manufacturer’s place of business, or
5
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
1.10.2. If no documentation of the actual delivery date exists, the date of constructive receipt of
the communication. For electronic correspondence, documents will be constructively
received the day after the date sent. For mail correspondence, the document will be
constructively received 3 days after the date sent.
1.10.3. The term “receipt” shall mean the date a document or correspondence arrives (either
electronically or physically) at the Manufacturer’s place of business. Arrival does not
require that an agent of the Manufacturer open, read, or review the correspondence.
1.11. Receipt of Documents—EAC. For purposes of this Manual, a document, notice, or other
communication is considered received by the EAC upon its physical or electronic arrival at the
agency. All documents received by the agency will be physically or electronically date
stamped. This stamp shall serve as the date of receipt. Documents received after the regular
business day (5:00 PM Eastern Standard Time), will be treated as if received on the next
business day.
1.12. EAC Response Timeframes. In recognition of the responsibilities and challenges facing
Manufacturers as they work to meet the requirements imposed by this program, State
certification programs, customers, State law and production schedules, the EAC will provide
timeframes for its response to significant program elements. This shall be done by providing
current metrics on EAC’s Web site regarding the actual average EAC response time for (1)
approving Test Plans, (2) issuing Initial Decisions, and (3) issuing Certificates of
Conformance.
1.13. Records Retention—Manufacturers. The Manufacturer is responsible for ensuring that all
documents submitted to the EAC or that otherwise serve as the basis for the certification of a
voting system are retained. A copy of all such records shall be retained as long as a voting
system is offered for sale or supported by a Manufacturer and for 5 years thereafter.
1.14. Record Retention—EAC. The EAC shall retain all records associated with the certification of
a voting system as long as such system is fielded in a State or local election jurisdiction for use
in Federal elections. The records shall otherwise be retained or disposed of consistent with
Federal statutes and regulations.
1.15. Publication and Release of Documents. The EAC will release documents consistent with the
requirements of Federal law. It is EAC policy to make the certification process as open and
public as possible. Any documents (or portions thereof) submitted under this program will be
made available to the public unless specifically protected from release by law. The primary
means for making this information available is through the EAC Web site.
6
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
1.16. Definitions. For purposes of this Manual, the terms listed below have the following
definitions.
Appeal. A formal process by which the EAC is petitioned to reconsider an Agency Decision.
Appeal Authority. The individual or individuals appointed to serve as the determination
authority on appeal.
Build Environment. The disk or other media that holds the source code, compiler, linker,
integrated development environments (IDE), and/or other necessary files for the compilation
and on which the compiler will store the resulting executable code.
Certificate of Conformance. The certificate issued by the EAC when a system has been found
to meet the requirements of the VVSG. The document conveys certification of a system.
Commission. The U.S. Election Assistance Commission, as an agency.
Commissioners. The serving commissioners of the U.S. Election Assistance Commission.
Component. A discrete and identifiable element of hardware or software within a larger voting
system.
Compiler. A computer program that translates programs expressed in a high-level language
into machine language equivalents.
Days. Calendar days, unless otherwise noted. When counting days, for the purpose of
submitting or receiving a document, the count shall begin on the first full calendar day after the
date the document was received.
Disk Image. An exact copy of the entire contents of a computer disk.
Election Official. A State or local government employee who has as one of his or her primary
duties the management or administration of a Federal election.
Federal Election. Any primary, general, runoff, or special Election in which a candidate for
Federal office (President, Senator, or Representative) appears on the ballot.
Fielded Voting System. A voting system purchased or leased by a State or local government
that is being use in a Federal election.
File Signature. A signature of a file or set of files produced using a HASH algorithm. A file
signature, sometimes called a HASH value, creates a value that is computationally infeasible of
being produced by two similar but different files. File signatures are used to verify that files are
unmodified from their original versions.
7
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
HASH Algorithm. An algorithm that maps a bit string of arbitrary length to a shorter, fixedlength bit string. (A HASH uniquely identifies a file similar to the way a fingerprint identifies
an individual. Likewise, as an individual cannot be recreated from his or her fingerprint, a file
cannot be recreated from a HASH. The HASH algorithm used primarily in the NIST (National
Software Reference Library), and this program is the Secure HASH Algorithm (SHA-1)
specified in Federal Information Processing Standard (FIPS) 180-1.)
Installation Device. A device containing program files, software, and installation instructions
for installing an application (program) onto a computer. Examples of such devices include
installation disks, flash memory cards, and PCMCIA cards.
Integration Testing. The end-to-end testing of a full system configured for use in an election to
assure that all legitimate configurations meet applicable standards.
Linker. A computer program that takes one or more objects generated by compilers and
assembles them into a single executable program.
Manufacturer. The entity with ownership and control over a voting system submitted for
certification.
Mark of Conformance. A uniform notice permanently posted on a voting system that signifies
that it has been certified by the EAC.
Memorandum for the Record. A written statement drafted to document an event or finding,
without a specific addressee other than the pertinent file.
Proprietary Information. Commercial information or trade secrets protected from release under
the Freedom of Information Act (FOIA) and the Trade Secrets Act.
System Identification Tools. Tools created by a Manufacturer of voting systems that allow
elections officials to verify that the hardware and software of systems purchased are identical
to the systems certified by the EAC.
Technical Reviewers. Technical experts in the areas of voting system technology and
conformity assessment appointed by the EAC to provide expert guidance.
Testing and Certification Decision Authority. The EAC Executive Director or Acting
Executive Director.
Testing and Certification Program Director. The individual appointed by the EAC Executive
Director to administer and manage the Testing and Certification Program.
Trusted Build. A witnessed software build where source code is converted to machinereadable binary instructions (executable code) in a manner providing security measures that
help ensure that the executable code is a verifiable and faithful representation of the source
code.
8
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
Voting System. The total combination of mechanical, electromechanical, and electronic
equipment (including the software, firmware, and documentation required to program, control,
and support the equipment) that is used to define ballots, cast and count votes, report or display
election results, connect the voting system to the voter registration system, and maintain and
produce any audit trail information.
Voting System Standards. Voluntary voting system standards developed by the FEC. Voting
System Standards have been published twice: once in 1990 and again in 2002. The Help
America Vote Act made the 2002 Voting System Standards EAC guidance. All new voting
system standards are issued by the EAC as Voluntary Voting System Guidelines.
Voting System Test Laboratories. Laboratories accredited by the EAC to test voting systems to
EAC approved voting system standards. Each Voting System Test Laboratory (VSTL) must
be accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and
recommended by the National Institute of Standards Technology (NIST) before it may receive
an EAC accreditation. NVLAP provides third party accreditation to testing and calibration
laboratories. NVLAP is in full conformance with the standards of the International
Organization for Standardization (ISO) and the International Electrotechnical Commission
(IEC), including ISO/IEC Guide 17025 and 17011.
Voluntary Voting System Guidelines. Voluntary voting system standards developed, adopted,
and published by the EAC. The guidelines are identified by version number and date.
1.17. Acronyms and Abbreviations. For purposes of this Manual, the acronyms and abbreviations
listed below represent the following terms.
Certification Program. The EAC Voting System Testing and Certification Program
Decision Authority. Testing and Certification Decision Authority
EAC. United States Election Assistance Commission
FEC. Federal Election Commission
HAVA. Help America Vote Act of 2002 (42 U.S.C. §15301 et seq.)
Labs or Laboratories. Voting System Test Laboratories
NASED. National Association of State Election Directors
NIST. National Institute of Standards and Technology
NVLAP. National Voluntary Laboratory Accreditation Program
Program Director. Director of the EAC Testing and Certification Program
9
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
VSS. Voting System Standards
VSTL. Voting System Test Laboratory
VVSG. Voluntary Voting System Guidelines
10
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
2.
Manufacturer Registration
2.1. Overview. Manufacturer Registration is the process by which voting system Manufacturers
make initial contact with the EAC and provide information essential to participate in the EAC
Voting System Testing and Certification Program. Before a Manufacturer of a voting system
can submit an application to have a voting system certified by the EAC, the Manufacturer must
be registered. This process requires the Manufacturer to provide certain contact information
and agree to certain requirements of the Certification Program. After successfully registering,
the Manufacturer will receive an identification code.
2.2. Registration Required. To submit a voting system for certification or otherwise participate in
the EAC voluntary Voting System Testing and Certification Program, a Manufacturer must
register with the EAC. Registration does not constitute an EAC endorsement of the
Manufacturer or its products. Registration of a Manufacturer is not a certification of that
Manufacturer’s products.
2.3. Registration Requirements. The registration process will require the voting system
Manufacturer to provide certain information to the EAC. This information is necessary to
enable the EAC to administer the Certification Program and communicate effectively with the
Manufacturer. The registration process also requires the Manufacturer to agree to certain
Certification Program requirements. These requirements relate to the Manufacturer’s duties
and responsibilities under the program. For this program to succeed, it is vital that a
Manufacturer know and assent to these duties at the outset of the program.
2.3.1. Information. Manufacturers are required to provide the following information.
2.3.1.1. The Manufacturer’s organizational information:
2.3.1.1.1. The official name of the Manufacturer.
2.3.1.1.2. The address of the Manufacturer’s official place of business.
2.3.1.1.3. A description of how the Manufacturer is organized (i.e., type of
corporation or partnership).
2.3.1.1.4. Names of officers and/or members of the board of directors.
2.3.1.1.5. Names of all partners and members (if organized as a partnership
or limited liability corporation).
2.3.1.1.6. Identification of any individual, organization, or entity with a
controlling ownership interest in the Manufacturer.
11
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
2.3.1.2. The identity of an individual authorized to represent and make binding
commitments and management determinations for the Manufacturer
(management representative). The following information is required for the
management representative:
2.3.1.2.1. Name and title.
2.3.1.2.2. Mailing and physical addresses.
2.3.1.2.3. Telephone number, fax number, and e-mail address.
2.3.1.3. The identity of an individual authorized to provide technical information on
behalf of the Manufacturer (technical representative). The following
information is required for the technical representative:
2.3.1.3.1. Name and title.
2.3.1.3.2. Mailing and physical addresses.
2.3.1.3.3. Telephone number, fax number, and e-mail address.
2.3.1.4. The Manufacturer’s written policies regarding its quality assurance system.
This policy must be consistent with guidance provided in the VVSG and this
Manual.
2.3.1.5. The Manufacturer’s written polices regarding internal procedures for
controlling and managing changes to and versions of its voting systems. Such
polices shall be consistent with this Manual and guidance provided in the
VVSG.
2.3.1.6. The Manufacturer’s written polices on document retention. Such policies must
be consistent with the requirements of this Manual.
2.3.1.7. A list of all manufacturing and/or assembly facilities used by the
Manufacturer and the name and contact information of a person at each
facility. The following information is required for a person at each facility:
2.3.1.7.1. Name and title.
2.3.1.7.2. Mailing and physical addresses.
2.3.1.7.3. Telephone number, fax number, and e-mail address.
12
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
2.3.2. Agreements. Manufacturers are required to take or abstain from certain actions to
protect the integrity of the Certification Program and promote quality assurance.
Manufacturers are required to agree to the following program requirements:
2.3.2.1. Represent a voting system as certified only when it is authorized by the EAC
and is consistent with the procedures and requirements of this Manual.
2.3.2.2. Produce and affix an EAC certification label to all production units of the
certified system. Such labels must meet the requirements set forth in Chapter
5 of this Manual.
2.3.2.3. Notify the EAC of changes to any system previously certified by the EAC
pursuant to the requirements of this Manual (see Chapter 3). Such systems
shall be submitted for testing and additional certification when required.
2.3.2.4. Permit an EAC representative to verify the Manufacturer’s quality control
procedures by cooperating with EAC efforts to test and review fielded voting
systems consistent with Section 8.6 of this Manual.
2.3.2.5. Permit an EAC representative to verify the Manufacturer’s quality control
procedures by conducting periodic inspections of manufacturing facilities
consistent with Chapter 8 of this Manual.
2.3.2.6. Cooperate with any EAC inquiries and investigations into a certified system’s
compliance with VVSG standards or the procedural requirements of this
Manual consistent with Chapter 7.
2.3.2.7. Report to the Program Director any known malfunction of a voting system
holding an EAC Certification. A malfunction is a failure of a voting system,
not caused solely by operator or administrative error, which causes the system
to cease operation during a Federal election or otherwise results in data loss.
Malfunction notifications should be consolidated into one report. This report
should identify the location, nature, date, impact, and resolution (if any) of the
malfunction and be filed within 60 days of any Federal election.
2.3.2.8. Certify that the entity is not barred or otherwise prohibited by statute,
regulation, or ruling from doing business in the United States.
2.3.2.9. Adhere to all procedural requirements of this Manual.
2.4. Registration Process. Generally, registration is accomplished through use of an EAC
registration form. After the EAC has received a registration form and other required
registration documents, the agency reviews the information for completeness before approval.
2.4.1. Application Process. To become a registered voting system Manufacturer, one must
apply by submitting a Manufacturer Registration Application Form (Appendix A). This
13
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
form will be used as the means for the Manufacturer to provide the information and
agree to the responsibilities required in Section 2.3, above.
2.4.1.1. Application Form. In order for the EAC to accept and process the registration
form, the applicant must adhere to the following requirements:
2.4.1.1.1. All fields must be completed by the Manufacturer.
2.4.1.1.2. All required attachments prescribed by the form and this Manual
must be identified, completed, and forwarded in a timely manner to
the EAC (e.g., Manufacturer’s quality control and system change
policies).
2.4.1.1.3. The application form must be affixed with the handwritten
signature (including a digital representation of the handwritten
signature) of the authorized representative of the vendor.
2.4.1.2. Availability and Use of the Form. The Manufacturer Registration Application
Form may be accessed through the EAC Web site at www.eac.gov.
Instructions for completing and submitting the form are included on the Web
site. The Web site will also provide contact information regarding questions
about the form or the application process.
2.4.2. EAC Review Process. The EAC will review all registration applications.
2.4.2.1. After the application form and required attachments have been submitted, the
applicant will receive an acknowledgment that the EAC has received the
submission and that the application will be processed.
2.4.2.2. If an incomplete form is submitted or an attachment is not provided, the EAC
will notify the Manufacturer and request the information. Registration
applications will not be processed until they are complete.
2.4.2.3. Upon receipt of the completed registration form and accompanying
documentation, the EAC will review the information for sufficiency. If the
EAC requires clarification or additional information, the EAC will contact the
Manufacturer and request the needed information.
2.4.2.4. Upon satisfactory completion of a registration application’s sufficiency
review, the EAC will notify the Manufacturer that it has been registered.
2.5. Registered Manufacturers. After a Manufacturer has received notice that it is registered, it
will receive an identification code and will be eligible to participate in the voluntary voting
system Certification Program.
14
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
2.5.1. Manufacturer Code. Registered Manufacturers will be issued a unique, three-letter
identification code. This code will be used to identify the Manufacturer and its
products.
2.5.2. Continuing Responsibility To Report. Registered Manufacturers are required to keep all
registration information up to date. Manufacturers must submit a revised application
form to the EAC within 30 days of any changes to the information required on the
application form. Manufacturers will remain registered participants in the program
during this update process.
2.5.3. Program Information Updates. Registered Manufacturers will be automatically
provided timely information relevant to the Certification Program.
2.5.4. Web site Postings. The EAC will add the Manufacturer to the EAC listing of registered
voting system Manufacturers publicly available at www.eac.gov.
2.6. Suspension of Registration. Manufacturers are required to establish policies and operate
within the EAC Certification Program consistent with the procedural requirements presented in
this Manual. When Manufacturers engage in management activities that are inconsistent with
this Manual or fail to cooperate with the EAC in violation the Certification Program’s
requirements, their registration may be suspended until such time as the problem is remedied.
2.6.1. Procedures. When a Manufacturer’s activities violate the procedural requirements of
this Manual, the Manufacturer will be notified of the violations, given an opportunity to
respond, and provided the steps required to bring itself into compliance.
2.6.1.1. Notice. Manufacturers shall be provided written notice that they have taken
action inconsistent with or acted in violation of the requirements of this
Manual. The notice will state the violations and the specific steps required to
cure them. The notice will also provide Manufacturers with 30 days (or a
greater period of time as stated by the Program Director) to (1) respond to the
notice and/or (2) cure the defect.
2.6.1.2. Manufacturer Action. The Manufacturer is required to either respond in a
timely manner to the notice (demonstrating that it was not in violation of
program requirements) or cure the violations identified in a timely manner. In
any case, the Manufacturer’s action must be approved by the Program
Director to prevent suspension.
15
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
2.6.1.3. Non-Compliance. If the Manufacturer fails to respond in a timely manner, is
unable to provide a cure or response that is acceptable to the Program
Director, or otherwise refuses to cooperate, the Program Director may suspend
the Manufacturer’s registration. The Program Director shall issue a notice of
his or her intent to suspend the registration and provide the Manufacturer five
(5) business days to object to the action and submit information in support of
the objection.
2.6.1.4. Suspension. After notice and opportunity to be heard (consistent with the
above), the Program Director may suspend a Manufacturer’s registration. The
suspension shall be noticed in writing. The notice must inform the
Manufacturer of the steps that can be taken to remedy the violations and lift
the suspension.
2.6.2. Effect of Suspension. A suspended Manufacturer may not submit a voting system for
certification under this program. This prohibition includes a ban on the submission of
modifications and changes to certified system. A suspension shall remain in effect until
lifted. Suspended Manufacturers will have their registration status reflected on the
EAC Web site. Manufacturers have the right to remedy a non-compliance issue at any
time and lift a suspension consistent with EAC guidance. Failure of a Manufacturer to
follow the requirements of this section may also result in Decertification of voting
systems consistent with Chapter 7 of this Manual.
16
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
3.
When Voting Systems Must Be Submitted for Testing and Certification
3.1. Overview. An EAC certification signifies that a voting system has been successfully tested to
identified voting system standards adopted by the EAC. Only the EAC can issue a Federal
certification. Ultimately, systems must be submitted for testing and certification under this
program to receive this certification. Systems will usually be submitted when (1) they are new
to the marketplace, (2) they have never before received an EAC certification, (3) they are
modified, or (4) the Manufacturer wishes to test a previously certified system to a different
(newer) standard. This chapter also discusses the submission of de minimis changes, which
may not require additional testing and certification, as well as provisional, pre-election
emergency modifications, which provide for pre-election, emergency waivers.
3.2. What Is an EAC Certification? Certification is the process by which the EAC, through
testing and evaluation conducted by an accredited Voting System Test Laboratory, validates
that a voting system meets the requirements set forth in existing voting system testing
standards (Voting System Standards [VSS] or VVSG), and performs according to the
Manufacturer’s specifications for the system. An EAC certification may be issued only by the
EAC in accordance with the procedures presented in this Manual. Certifications issued by
other bodies (e.g., the National Association of State Election Directors and State certification
programs) are not EAC certifications.
3.2.1. Types of Voting Systems Certified. The EAC Certification Program is designed to test
and certify electromechanical and electronic voting systems. The EAC will not accept
for certification review voting systems that do not contain any electronic components.
Ultimately, the determination of whether a voting system may be submitted for testing
and certification under this program is solely at the discretion of the EAC.
3.2.2. Voting System Standards. Voting systems certified under this program are tested to a
set of voluntary standards providing requirements that voting systems must meet to
receive a Federal certification. Currently, these standards are referred to as Voluntary
Voting System Guidelines (in the past they were called Voting System Standards).
3.2.2.1. Versions—Availability and Identification. Voluntary Voting System
Guidelines (or applicable Voting System Standards) are published by the EAC
and are available on the EAC Web site (www.eac.gov). The standards will be
routinely updated. Versions will be identified by version number and/or
release date.
3.2.2.2. Versions—Basis for Certification. The EAC will promulgate which version or
versions of the standards it will accept as the basis for testing and certification.
This effort may be accomplished through the setting of an implementation
date for a particular version’s applicability, the setting of a date by which
testing to a particular version is mandatory, or the setting of a date by which
the EAC will no longer test to a particular standard. The EAC will certify
only those voting systems tested to standards that the EAC has identified
as valid for certification.
17
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
3.2.2.2.1. End date. When a version’s status as the basis of an EAC
certification is set to expire on a certain date, the submission of the
system’s test report will be the controlling event (see Chapter 4).
This requirement means the system’s test report must be received
by the EAC on or before the end date to be certified to the
terminating standard.
3.2.2.2.2. Start date. When a version’s status as the basis of an EAC
certification is set to begin on a certain date, the submission of the
system’s application for certification will be the controlling event
(see Chapter 4). This requirement means the system’s application,
requesting certification to the new standard, will not be accepted
by the EAC until the start date.
3.2.2.3. Version—Manufacturer’s Option. When the EAC has authorized certification
to more than one version of the standards, the Manufacturer must choose
which version it wishes to have its voting system tested against. The voting
system will then be certified to that version of the standards. Manufacturers
must ensure that all applications for certification identify a particular version
of the standards.
3.2.2.4. Emerging Technologies. If a voting system or component thereof is eligible
for a certification under this program (see Section 3.2.1.) and employs
technology that is not addressed by a currently accepted version of the VVSG
or VSS, the relevant technology shall be subjected to full integration testing
and shall be tested to ensure that it operates to the Manufacturer’s
specifications. The remainder of the system will be tested to the applicable
Federal standards. Information on emerging technologies will be forwarded
to the EAC’s Technical Guidelines Development Committee (TGDC).
3.2.3. Significance of an EAC Certification. An EAC certification is an official recognition
that a voting system (in a specific configuration or configurations) has been tested to
and has met an identified set of Federal voting standards. An EAC certification is not
any of the following:
3.2.3.1. An endorsement of a Manufacturer, voting system, or any of the system’s
components.
3.2.3.2. A Federal warranty of the voting system or any of its components.
3.2.3.3. A determination that a voting system, when fielded, will be operated in a
manner that meets all HAVA requirements.
3.2.3.4. A substitute for State or local certification and testing.
18
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
3.2.3.5. A determination that the system is ready for use in an election.
3.2.3.6. A determination that any particular component of a certified system is itself
certified for use outside the certified configuration.
3.3. Effect of the EAC Certification Program on Other National Certifications. Before the
creation of the EAC Certification Program, national voting system qualification was conducted
by a private membership organization, the National Association of State Election Directors
(NASED). NASED offered a qualification for voting systems for more than a decade, using
standards issued by the Federal government. The EAC Certification Program does not repeal
NASED-issued qualifications. All voting systems previously qualified under the NASED
program retain their NASED qualification consistent with State law; however, a NASEDqualified voting system is not an EAC-certified system and is treated like an uncertified system
for purposes of the EAC Certification Program.
3.4. When Certification Is Required Under the Program. To obtain or maintain an EAC
certification, Manufacturers must submit a voting system for testing and certification under this
program. Such action is usually required for (1) new systems not previously tested to any
standard; (2) existing systems not previously certified by the EAC; (3) previously certified
systems that have been modified; (4) systems or technology specifically identified for retesting
by the EAC; or (5) previously certified systems that the Manufacturer seeks to upgrade to a
higher standard (e.g., a more recent version of the VVSG).
3.4.1. New System Certification. For purposes of this Manual, new systems are defined as
voting systems that have not been previously tested to applicable Federal standards.
New voting systems must be fully tested and submitted to the EAC according to the
requirements of Chapter 4 of this Manual.
3.4.2. System Not Previously EAC Certified. This term describes any voting system not
previously certified by the EAC, including systems previously tested and qualified by
NASED or systems previously tested and denied certification by the EAC. Such
systems must be fully tested and submitted to the EAC according to the requirements of
Chapter 4 of this Manual.
3.4.3. Modification. A modification is any change to a previously EAC-certified voting
system’s hardware, software, or firmware that is not a de minimis change. Any
modification to a voting system will require testing and review by the EAC according
to the requirements of Chapter 4 of this Manual.
3.4.4. EAC Identified Systems. Manufacturers may be required to submit systems previously
certified by the EAC for retesting. This may occur when the EAC determines that the
original tests conducted on the voting system are now insufficient to demonstrate
compliance with Federal standards in light of newly discovered threats or information.
19
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
3.4.5. Certification Upgrade. This term defines any system previously certified by the EAC
but submitted for additional testing and certification to a higher standard (e.g., to a
newer version of the VVSG). Any such system must be tested to the new standards and
submitted to the EAC per Chapter 4 of this Manual.
3.5. De Minimis Changes. A de minimis change is a change to voting system hardware that is so
minor in nature and effect that it requires no additional testing and certification. Such changes,
however, require VSTL review and endorsement as well as EAC approval. Any proposed
change not accepted as a de minimis change is a modification and shall be submitted for testing
and review consistent with the requirements of this Manual. An approved de minimis change
is not a modification.
3.5.1. De Minimis Change—Defined. A de minimis change is a change to a certified voting
system’s hardware, the nature of which will not materially alter the system’s reliability,
functionality, capability, or operation. Software and firmware modifications are not de
minimis changes. In order for a hardware change to qualify as a de minimis change, it
must not only maintain, unaltered, the reliability, functionality, capability and
operability of a system, it shall also ensure that when hardware is replaced, the original
hardware and the replacement hardware are electronically and mechanically
interchangeable and have identical functionality and tolerances. Under no circumstance
shall a change be considered a de minims change if it has reasonable and identifiable
potential to impact the system’s operation and compliance with applicable voting
system standards.
3.5.2. De Minimis Change—Procedure. Manufacturers who wish to implement a proposed de
minimis change must submit it for VSTL review and endorsement and EAC approval.
A proposed change is not a de minimis change and may not be implemented as such
until it has been approved in writing by the EAC.
3.5.2.1. VSTL Review. Manufacturers must submit any proposed de minimis change
to an EAC VSTL for review and endorsement. The Manufacturer will
provide the VSTL (1) a detailed description of the change; (2) a description of
the facts giving rise to or necessitating the change; (3) the basis for its
determination that the change will not alter the system’s reliability,
functionality, or operation; and (4) upon request of the VSTL, a sample voting
system at issue or any relevant technical information needed to make the
determination. The VSTL will review the proposed de minimis change and
make an independent determination as to whether the change meets the
definition of de minimis change or requires the voting system to go through
additional testing as a system modification. If the VSTL determines that a de
minimis change is appropriate, it shall endorse the proposed change as a de
minimis change. If the VSTL determines that modification testing and
certification should be performed, it shall reject the proposed change.
Endorsed changes shall be forwarded to the EAC Program Director for final
20
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
approval. Rejected changes shall be returned to the Manufacturer for
resubmission as system modifications.
3.5.2.2. VSTL Endorsed Changes. The VSTL shall forward to the EAC any change it
has endorsed as de minimis. The VSTL shall forward its endorsement in a
package that includes:
3.5.2.2.1. The Manufacturer’s initial description of the de minimis change, a
narrative of facts giving rise to or necessitating the change, and the
determination that the change will not alter the system’s reliability,
functionality, or operation.
3.5.2.2.2. The written determination of the VSTL endorsement of the de
minimis change. The endorsement document must explain why
the VSTL, in its engineering judgment, determined that the
proposed de minimis change met the definition in this section and
otherwise does not require additional testing and certification.
3.5.2.3. EAC Action. The EAC will review all proposed de minimis changes endorsed
by the VSTL. The EAC has sole authority to determine whether any VSTL
endorsed change constitutes a de minimis change under this section. The
EAC will inform the Manufacturer and VSTL of its determination in writing.
3.5.2.3.1. EAC approval. If the EAC approves the change as a de minimis
change, it shall provide written notice to the Manufacturer and
VSTL. The EAC will maintain copies of all approved de minimis
changes and otherwise track such changes.
3.5.2.3.2. EAC denial. If the EAC determines that a proposed de minimis
change cannot be approved, it will inform the VSTL and
Manufacturer of its decision. The proposed change will be
considered a modification and require testing and certification
consistent with this Manual.
3.5.3. De Minimis Change—Effect of EAC Approval. EAC approval of a de minimis change
permits the Manufacturer to implement the proposed change (as identified, endorsed,
and approved) without additional modification testing and certification. Fielding an
engineering change not approved by the EAC is a basis for system Decertification.
3.6. Provisional, Pre-Election Emergency Modification. To deal with extraordinary pre-election
emergency situations, the EAC has developed a special provisional modification process. This
process is to be used only for the emergency situations indicated and only when there is a clear
and compelling need for temporary relief until the regular certification process can be
followed.
21
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
3.6.1. Purpose. The purpose of this section is to allow a mechanism within the EAC
Certification Program for Manufacturers to modify EAC-certified voting systems in
emergency situations immediately before an election. This situation arises when a
modification to a voting system is required and an election deadline is imminent,
preventing the completion of the full certification process (and State and/or local testing
process) in time for Election Day. In such situations the EAC may issue a waiver to the
Manufacturer, granting it leave to make the modification without submission for
modification testing and certification.
3.6.2. General Requirements. A request for an emergency modification waiver may be made
by a Manufacturer only in conjunction with the State election official whose
jurisdiction(s) would be adversely affected if the requested modification were not
implemented before Election Day. Requests must be submitted at least 5 calendar days
before an election. Only systems previously certified are eligible for such a waiver. To
receive a waiver, a Manufacturer must demonstrate the following:
3.6.2.1. The modification is functionally or legally required; that is, the system cannot
be fielded in an election without the change.
3.6.2.2. The voting system requiring modification is needed by State or local election
officials to conduct a pending Federal election.
3.6.2.3. The voting system to be modified has previously been certified by the EAC.
3.6.2.4. The modification cannot be tested by a VSTL and submitted to the EAC for
certification, consistent with the procedural requirements of this Manual, at
least 30 days before the pending Federal election.
3.6.2.5. Relevant State law requires Federal certification of the requested
modification.
3.6.2.6. The Manufacturer has taken steps to ensure that the modification will properly
function as designed, is suitably integrated with the system, and otherwise will
not negatively affect system reliability, functionality, or accuracy.
3.6.2.7. The Manufacturer (through a VSTL) has completed as much of the evaluation
testing as possible for the modification and has provided the results of such
testing to the EAC.
3.6.2.8. The emergency modification is required and otherwise supported by the Chief
State Election Official seeking to field the voting system in an impending
Federal election.
3.6.3. Request for Waiver. A Manufacturer’s request for waiver shall be made in writing to
the Decision Authority and shall include the following elements:
22
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
3.6.3.1. A signed statement providing sufficient description, background, information,
documentation, and other evidence necessary to demonstrate that the request
for a waiver meets each of the eight requirements stated in Section 3.5.2
above.
3.6.3.2. A signed statement from the Chief State Election Official requiring the
emergency modification. This signed statement shall identify the pending
election creating the emergency situation and attest that (1) the modification is
required to field the system, (2) State law (citation) requires EAC action to
field the system in an election, and (3) normal timelines required under the
EAC Certification Program cannot be met.
3.6.3.3. A signed statement from a VSTL that there is insufficient time to perform
necessary testing and complete the certification process. The statement shall
also state what testing the VSTL has performed on the modification to date,
provide the results of such tests, and state the schedule for completion of
testing.
3.6.3.4. A detailed description of the modification, the need for the modification, how
it was developed, how it addresses the need for which it was designed, its
impact on the voting system, and how the modification will be fielded or
implemented in a timely manner consistent with the Manufacturer’s quality
control program.
3.6.3.5. All documentation of tests performed on the modification by the
Manufacturer, a laboratory, or other third party.
3.6.3.6. A stated agreement signed by the Manufacturer’s representative agreeing to
take the following action:
3.6.3.6.1. Submit for testing and certification, consistent with Chapter 4 of
this Manual, any voting system receiving a waiver under this
section that has not already been submitted. This action shall be
taken immediately.
3.6.3.6.2. Abstain from representing the modified system as EAC certified.
The modified system has not been certified; rather, the originally
certified system has received a waiver providing the Manufacturer
leave to modify it.
3.6.3.6.3. Submit a report to the EAC regarding the performance of the
modified voting system within 60 days of the Federal election that
served as the basis for the waiver. This report shall (at a minimum)
identify and describe any (1) performance failures, (2) technical
failures, (3) security failures, and/or (4) accuracy problems.
23
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
3.6.4. EAC Review. The EAC will review all waiver requests submitted in a timely manner
and make determinations regarding the requests. Incomplete requests will be returned
for resubmission with a written notification regarding its deficiencies.
3.6.5. Letter of Approval. If the EAC approves the modification waiver, the Decision
Authority shall issue a letter granting the temporary waiver within five (5) business
days of receiving a complete request.
3.6.6. Effect of Grant of Waiver. An EAC grant of waiver for an emergency modification is
not an EAC certification of the modification. Waivers under this program grant
Manufacturers leave to only temporarily amend previously certified systems without
testing and certification for the specific election noted in the request. Without such a
waiver, such action would ordinarily result in Decertification of the modified system
(See Chapter 7). Systems receiving a waiver shall satisfy any State requirement that a
system be nationally or federally certified. In addition—
3.6.6.1. All waivers are temporary and expire 60 days after the Federal election for
which the system was modified and the waiver granted.
3.6.6.2. Any system granted a waiver must be submitted for testing and certification.
This shall be accomplished as soon as possible.
3.6.6.3. The grant of a waiver is no indication that the modified system will ultimately
be granted a certification.
3.6.7. Denial of Request for Waiver. A request for waiver may be denied by the EAC if the
request does not meet the requirements noted above, fails to follow the procedure
established by this section or otherwise fails to sufficiently support a conclusion that the
modification at issue is needed, will function properly, and is in the public interest. A
denial of a request for emergency modification by the EAC shall be final and not
subject to appeal. Manufacturers may submit for certification, consistent with Chapter 4
of this Manual, modifications for which emergency waivers were denied.
3.6.8. Publication Notice of Waiver. The EAC will post relevant information relating to the
temporary grant of an emergency waiver on its Web site. This information will be
posted upon grant of the waiver and removed upon the waiver’s expiration. This
posting will include information concerning the limited nature and effect of the waiver.
24
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
4.
Certification Testing and Technical Review
4.1. Overview. This chapter discusses the procedural requirements for submitting a voting system
to the EAC for testing and review. The testing and review process requires an application,
employment of an EAC-accredited testing laboratory, and technical analysis of the laboratory
test report by the EAC. The result of this process is an Initial Decision on Certification by the
Decision Authority.
4.2. Policy. Generally, to receive an initial determination on an EAC certification for a voting
system, a registered Manufacturer must have (1) submitted an EAC-approved application for
certification, (2) had a VSTL submit an EAC-approved test plan, (3) had a VSTL test a voting
system to applicable voting system standards, (4) had a VSTL submit a test report to the EAC
for technical review and approval, and (5) received EAC approval of the report in an Initial
Decision on Certification.
4.3. Certification Application. The first step in submitting a voting system for certification is
submission of an application package. The package contains an application form and a copy of
the voting system’s Implementation Statement (see VVSG 2005—Version 1.0, Vol. I, Section
1.6.4), functional diagram, and System Overview documentation submitted to the VSTL as a
part of the Technical Data Package (see VVSG 2005—Version 1.0, Vol. II, Section 2.2). This
application process initiates the certification process and provides the EAC with needed
information.
4.3.1. Information on Application Form. The application (application form) provides the EAC
certain pieces of information that are essential at the outset of the certification process.
This information includes the following:
4.3.1.1. Manufacturer Information. Identification of the Manufacturer (name and
three-letter identification code).
4.3.1.2. Selection of Accredited Laboratory. Selection and identification of the VSTL
that will perform voting system testing and other prescribed laboratory action
consistent with the requirements of this Manual. Once selected, a
Manufacturer may NOT replace the selected VSTL without the express
written consent of the Program Director. Such permission will be granted
solely at the discretion of the Program Director and only upon demonstration
of good cause.
4.3.1.3. Voting System Standards Information. Identification of the VVSG or VSS,
including the document’s date and version number, to which the Manufacturer
wishes to have the identified voting system tested and certified.
4.3.1.4. Nature of the Submission. Manufacturers must identify the nature of their
submission by selecting one of the following four submission types:
25
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
4.3.1.4.1. New system. For purposes of this Manual, a new system is defined
as a voting system that has not been previously tested to any
applicable Federal standards.
4.3.1.4.2. System not previously EAC certified. This term describes any
voting system not previously certified by the EAC, including
systems previously tested and qualified by NASED or systems
previously tested and denied certification by the EAC.
4.3.1.4.3. Modification. A modification is any change to a previously EACcertified voting system’s hardware, software, or firmware.
4.3.1.4.4. Certification upgrade. This term defines any system previously
certified by the EAC but submitted (without modification) for
additional testing and certification to a higher standard (e.g., to a
newer version of the VVSG).
4.3.1.5. Identification of the Voting System. Manufacturers must identify the system
submitted for testing by providing its name and applicable version number. If
the system submitted has been previously fielded, but the Manufacturer
wishes to change its name or version number after receipt of EAC
certification, it must provide identification information on both the past name
or names and the new, proposed name. This requirement might occur in
systems submitted for modification, for their first EAC certification, or for a
certification upgrade.
4.3.1.6. Description of the Voting System. Manufacturers must provide a brief
description of the system or modification being submitted for testing and
certification. This description shall include the following information:
4.3.1.6.1. A listing of all components of the system submitted.
4.3.1.6.2. Each component’s version number.
4.3.1.6.3. A complete list of each configuration of the system’s components
that could be fielded as the certified voting system. 1
4.3.1.6.4. Any other information necessary to identify the specific
configuration being submitted for certification.
1
An EAC certification applies to the configuration of components (the voting system) presented for testing. A
voting system may be fielded without using each of the components that formed the system presented, since
voting systems, as certified, may contain optional or redundant components to meet the varying needs of
election officials. Systems may not be fielded with additional components or without sufficient components to
properly prosecute an election, as neither individual components nor separately tested systems may be
combined to create new certified voting systems.
26
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
4.3.1.7. Date Submitted. Manufacturers must note the date the application was
submitted for EAC approval.
4.3.1.8. Signature. The Manufacturer must affix the signature of the authorized
management representative.
4.3.2. Submission of the Application Package. Manufacturers must submit a copy of the
application form described above and copies of the voting system’s (1) Implementation
Statement, (2) functional diagram, and (3) System Overview documentation submitted
to the VSTL as a part of the Technical Data Package
4.3.2.1. Application Form. Application forms will be available on the EAC Web site:
www.eac.gov. The application form submitted to the EAC must be signed;
dated; and fully, accurately, and completely filled out. The EAC will not
accept incomplete or inaccurate applications.
4.3.2.2. Implementation Statement. The Manufacturer must submit with the
application form a copy of the voting system’s Implementation Statement,
which must meet the requirements of the VVSG (VVSG 2005—Version 1.0,
Vol. I, Section 1.6.4). If an existing system is being submitted with a
modification, the Manufacturer must submit a copy of a revised
Implementation Statement.
4.3.2.3. Functional Diagram. The Manufacturer must submit with the application
form a high-level Functional Diagram of the voting system that includes all of
its components. The diagram must portray how the various components relate
and interact.
4.3.2.4. System Overview. The Manufacturer must submit with the application form a
copy of the voting system’s System Overview documentation submitted to the
VSTL as a part of the Technical Data Package. This document must meet the
requirements of the VVSG (VVSG 2005—Version 1.0, Vol. II, Section 2.2).
4.3.2.5. Submission. Applications, with the accompanying documentation, shall be
submitted in Adobe PDF, Microsoft Word, or other electronic formats as
prescribed by the Program Director. Information on how to submit packages
will be posted on the EAC Web site: www.eac.gov.
4.3.3. EAC Review. Upon receipt of a Manufacturer’s application package, the EAC will
review the submission for completeness and accuracy. If the application package is
incomplete, the EAC will return it to the Manufacturer with instructions for
resubmission. If the form submitted is acceptable, the Manufacturer will be notified and
provided a unique application number within five (5) business days of the EAC’s
receipt of the application.
27
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
4.4. Test Plan. The Manufacturer shall authorize the VSTL identified in its application to submit a
test plan directly to the EAC. This plan shall provide for testing of the system sufficient to
ensure it is functional and meets all applicable voting system standards.
4.4.1. Development. An accredited laboratory will develop test plans that use appropriate test
protocols, standards, or test suites developed by the laboratory. Laboratories must use
all applicable protocols, standards, or test suites issued by the EAC.
4.4.2. Required Testing. Test plans shall be developed to ensure that a voting system is
functional and meets all requirements of the applicable, approved voting system
standards. The highest level of care and vigilance is required to ensure that
comprehensive test plans are created. A test plan should ensure that the voting system
meets all applicable standards and that test results and other factual evidence of the
testing are clearly documented. System testing must meet the requirements of the
VVSG. Generally, full testing will be required of any voting system applying for
certification, regardless of previous certification history.
4.4.2.1. New System. A new system shall be subject to full testing of all hardware and
software according to applicable voting system standards.
4.4.2.2. System Not Previously EAC Certified. A system not previously certified by the
EAC shall be fully tested as a new system.
4.4.2.3. Modification. A modification to a previously EAC-certified voting system
shall be tested in a manner necessary to ensure that all changes meet
applicable voting system standards and that the modified system (as a whole)
will properly and reliably function. Any system submitted for modification
shall be subject to full testing of the modifications (delta testing) and those
systems or subsystems altered or impacted by the modification (regression
testing). The system will also be subject to system integration testing to ensure
overall functionality. The modification will be tested to the version or versions
of the VVSG/VSS currently accepted for testing and certification by the EAC.
This requirement, however, does not mean that the full system must be tested
to such standards. If the system has been previously certified to a VVSG/VSS
version deemed acceptable by the EAC (see Section 3.2.2.2), it may retain that
level of certification with only the modification being tested to the present
version(s).
4.4.2.4. EAC Identified Systems. Previously certified systems identified for retesting
by the EAC (see Section 3.4.4) shall be tested as directed by the Program
Director (after consultation with NIST, VSTLs, or other technical experts as
necessary).
4.4.2.5. Certification Upgrade. A previously certified system submitted for testing to a
new voting system standard (without modification) shall be tested in a manner
necessary to ensure that the system meets all requirements of the new
28
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
standards. The VSTL shall create a test plan that identifies the differences
between the new and old standards and, based upon the differences, fully
retest all hardware and software components affected.
4.4.3. Format. Test labs shall issue test plans consistent with the requirements in VVSG,
Vol. II and any applicable EAC guidance.
4.4.4. EAC Approval. All test plans are subject to EAC approval. No test report will be
accepted for technical review unless the test plan on which it is based has been
approved by EAC’s Program Director.
4.4.4.1. Review. All test plans must be reviewed for adequacy by the Program
Director. For each submission, the Program Director will determine whether
the test plan is acceptable or unacceptable. Unacceptable plans will be
returned to the laboratory for further action. Acceptable plans will be
approved. Although Manufacturers may direct test labs to begin testing before
approval of a test plan, the Manufacturer bears the full risk that the test plan
(and thus any tests preformed) will be deemed unacceptable.
4.4.4.2. Unaccepted Plans. If a plan is not accepted, the Program Director will return
the submission to the Manufacturer’s identified VSTL for additional action.
Notice of unacceptability will be provided in writing to the laboratory and
include a description of the problems identified and steps required to remedy
the test plan. A copy of this notice will also be sent to the Manufacturer.
Questions concerning the notice shall be forwarded to the Program Director in
writing. Plans that have not been accepted may be resubmitted for review
after remedial action is taken.
4.4.4.3. Effect of Approval. Approval of a test plan is required before a test report may
be filed. In most cases, approval of a test plan signifies that the tests proposed,
if performed properly, are sufficient to fully test the system. A test plan,
however, is approved based on the information submitted. New or additional
information may require a change in testing requirements at any point in the
certification process.
4.5. Testing. During testing, Manufacturers are responsible for enabling VSTLs to report any
changes to a voting system or an approved test plan directly to the EAC. Manufacturers shall
also enable VSTLs to report all test failures or anomalies directly to the EAC.
4.5.1. Changes. Any changes to a voting system, initiated as a result of the testing process,
will require submission of an updated Implementation Statement, functional diagram,
and System Overview document and, potentially, an updated test plan. Test plans must
be updated whenever a change to a voting system requires deviation from the test plan
originally approved by the EAC. Changes requiring alteration or deviation from the
originally approved test plan must be submitted to the EAC (by the VSTL) for approval
before the completion of testing. The submission shall include an updated
29
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
Implementation Statement, functional diagram, and System Overview, as needed.
Changes not affecting the test plan shall be reported in the test report. The submission
shall include an updated Implementation Statement, functional diagram, and System
Overview document, as needed.
4.5.2. Test Anomalies or Failures. Manufacturers shall enable VSTLs to notify the EAC
directly and independently of any test anomalies, or failures during testing. The VSTLs
shall ensure that all anomalies or failures are addressed and resolved before testing is
completed. All test failures, anomalies and actions taken to resolve such failures and
anomalies shall be documented by the VSTL in an appendix to the test report submitted
to the EAC. These matters shall be reported in a matrix, or similar format, that
identifies the failure or anomaly, the applicable voting system standards, and a
description of how the failure or anomaly was resolved. Associated or similar
anomalies/failures may be summarized and reported in a single entry on the report
(matrix) as long as the nature and scope of the anomaly/failure is clearly identified.
4.6. Test Report. Manufacturers shall enable their identified VSTL to submit test reports directly
to the EAC. The VSTL shall submit test reports only if the voting system has been tested and
all tests identified in the test plan have been successfully performed.
4.6.1. Submission. The test reports shall be submitted to the Program Director. The Program
Director shall review the submission for completeness. Any reports showing
incomplete or unsuccessful testing will be returned to the test laboratory for action and
resubmission. Notice of this action will be provided to the Manufacturer. Test reports
shall be submitted in Adobe PDF, Microsoft Word, or other electronic formats as
prescribed by the Program Director. Information on how to submit reports will be
posted on the EAC Web site: www.eac.gov.
4.6.2. Format. Manufacturers shall ensure that test labs submit reports consistent with the
requirements in the VVSG and this Manual.
4.6.3. Technical Review. A technical review of the test report, technical documents, and test
plan will be conducted by EAC technical experts. The EAC may require the submission
of additional information from the VSTL or Manufacturer if deemed necessary to
complete the review. These experts will submit a report outlining their findings to the
Program Director. The report will provide an assessment of the completeness,
appropriateness, and adequacy of the VSTL’s testing as documented in the test report.
4.6.4. Program Director’s Recommendation. The Program Director shall review the report
and take one of the following actions:
4.6.4.1. Recommend certification of the candidate system consistent with the reviewed
test report and forward it to the Decision Authority for action (Initial
Decision); or
30
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
4.6.4.2. Refer the matter back to the technical reviewers for additional specified action
and resubmission.
4.7. Initial Decision on Certification. Upon receipt of the report and recommendation forwarded
by the Program Director, the Decision Authority shall issue an Initial Decision on Certification.
The decision shall be forwarded to the Manufacturer consistent with the requirements of this
Manual.
4.7.1. An Initial Decision granting certification shall be processed consistent with Chapter 5
of this Manual.
4.7.2. An Initial Decision denying certification shall be processed consistent with Chapter 6
of this Manual.
31
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
5.
Grant of Certification
5.1. Overview. The grant of certification is the formal process through which EAC acknowledges
that a voting system has successfully completed conformance testing to an appropriate set of
standards or guidelines. The grant of certification begins with the Initial Decision of the
Decision Authority. This decision becomes final after the Manufacturer confirms that the final
version of the software that was certified and which the Manufacturer will deliver with the
certified system has been subject to a trusted build, placed in an EAC-approved repository, and
can be verified using the Manufacturer’s system identification tools. After a certification is
issued, the Manufacturer is provided a Certificate of Conformance and relevant information
about the system is added to the EAC Web site. Manufacturers with certified voting systems
are responsible for ensuring that each system they produce is properly labeled as certified.
5.2. Applicability of This Chapter. This chapter applies when the Decision Authority makes an
Initial Decision to grant a certification to a voting system based on the materials and
recommendation provided by the Program Director.
5.3. Initial Decision. The Decision Authority shall make a written decision on all voting systems
submitted for certification and issue the decision to a Manufacturer. When such decisions
result in a grant of certification, the decision shall be considered preliminary and referred to as
an Initial Decision pending required action by the Manufacturer. The Initial Decision shall:
5.3.1. State the preliminary determination reached (granting certification).
5.3.2. Inform the Manufacturer of the steps that must be taken to make the determination final
and receive a certification. This action shall include providing the Manufacturer with
specific instructions, guidance, and procedures for confirming and documenting that the
final certified version of the software meets the requirements for:
5.3.2.1. Performing and documenting a trusted build pursuant to Section 5.6 of this
chapter.
5.3.2.2. Depositing software in an approved repository pursuant to Section 5.7 of this
chapter.
5.3.2.3. Creating and making available system verification tools pursuant to Section
5.8 of this chapter.
5.3.3. Certification is not final until the Manufacturer accepts the certification and all
conditions placed on the certification.
5.4. Pre-Certification Requirements. Before an Initial Decision becomes final and a certification
is issued, Manufacturers must ensure certain steps are taken. They must confirm that the final
version of the software that was certified and which the Manufacturer will deliver with the
certified system has been subject to a trusted build (see Section 5.6), has been delivered for
deposit in an EAC-approved repository (see Section 5.7), and can be verified using
32
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
Manufacturer-developed identification tools (see Section 5.8). The Manufacturer must provide
the EAC documentation demonstrating compliance with these requirements.
5.5. Trusted Build. A software build (also referred to as a compilation) is the process whereby
source code is converted to machine-readable binary instructions (executable code) for the
computer. A “trusted build” (or trusted compilation) is a build performed with adequate
security measures implemented to give confidence that the executable code is a verifiable and
faithful representation of the source code. A trusted build creates a chain of evidence from the
Technical Data Package and source code submitted to the VSTLs to the actual executable
programs that are run on the system. Specifically, the build will do the following:
5.5.1. Demonstrate that the software was built as described in the Technical Data Package.
5.5.2. Show that the tested and approved source code was actually used to build the
executable code used on the system.
5.5.3. Demonstrate that no elements other than those included in the Technical Data Package
were introduced in the software build.
5.5.4. Document for future reference the configuration of the system certified.
5.6. Trusted Build Procedure. A trusted build is a three-step process: (1) the build environment is
constructed, (2) the source code is loaded onto the build environment, and (3) the executable
code is compiled and the installation device is created. The process may be simplified for
modification to previously certified systems. In each step, a minimum of two witnesses from
different organizations is required to participate. These participants must include a VSTL
representative and vendor representative. Before creating the trusted build, the VSTL must
complete the source code review of the software delivered from the vendor for compliance
with the VVSG and must produce and record file signatures of all source code modules.
5.6.1. Constructing the Build Environment. The VSTL shall construct the build environment
in an isolated environment controlled by the VSTL, as follows:
5.6.1.1. The device that will hold the build environment shall be completely erased by
the VSTL to ensure a total and complete cleaning of it. The VSTL shall use
commercial off-the-shelf software, purchased by the laboratory, for cleaning
the device.
5.6.1.2. The VSTL, with vendor consultation and observation, shall construct the build
environment.
5.6.1.3. After construction of the build environment, the VSTL shall produce and
record a file signature of the build environment.
33
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
5.6.2. Loading Source Code Onto the Build Environment. After successful source code
review, the VSTL shall load source code onto the build environment as follows:
5.6.2.1. The VSTL shall check the file signatures of the source code modules and
build environment to ensure that they are unchanged from their original form.
5.6.2.2. The VSTL shall load the source code onto the build environment and produce
and record the file signature of the resulting combination.
5.6.2.3. The VSTL shall capture a disk image of the combination build environment
and source code modules immediately before performing the build.
5.6.2.4. The VSTL shall deposit the disk image into an authorized archive to ensure
that the build can be reproduced, if necessary, at a later date.
5.6.3. Creating the Executable Code. Upon completion of all the tasks outlined above, the
VSTL shall produce the executable code.
5.6.3.1. The VSTL shall produce and record a file signature of the executable code.
5.6.3.2. The VSTL shall deposit the executable code into an EAC-approved software
repository and create installation disk(s) from the executable code.
5.6.3.3. The VSTL shall produce and record file signatures of the installation disk(s)
in order to provide a mechanism to validate the software before installation on
the voting system in a purchasing jurisdiction.
5.6.3.4. The VSTL shall install the executable code onto the system submitted for
testing and certification before completion of system testing.
5.6.4. Trusted Build for Modifications. The process of building new executable code when a
previously certified system has been modified is somewhat simplified.
5.6.4.1. The build environment used in the original certification is removed from
storage and its file signature verified.
5.6.4.2. After source code review, the modified files are placed onto the verified build
environment and new executable files are produced.
5.6.4.3. If the original build environment is unavailable or its file signatures cannot be
verified against those recorded from the original certification, then the more
labor-intensive process of creating the build environment must be performed.
Further source code review may be required of unmodified files to validate
that they are unmodified from their originally certified versions.
34
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
5.7. Depositing Software in an Approved Repository. After EAC certification has been granted,
the VSTL project manager, or an appropriate delegate of the project manager, shall deliver for
deposit the following elements in one or more trusted archive(s) (repositories) designated by
the EAC:
5.7.1. Source code used for the trusted build and its file signatures.
5.7.2. Disk image of the pre-build, build environment, and any file signatures to validate that
it is unmodified.
5.7.3. Disk image of the post-build, build environment, and any file signatures to validate that
it is unmodified.
5.7.4. Executable code produced by the trusted build and its file signatures of all files
produced.
5.7.5. Installation device(s) and file signatures.
5.8. System Identification Tools. The Manufacturer shall provide tools through which a fielded
voting system may be identified and demonstrated to be unmodified from the system that was
certified. The purpose of this requirement is to make such tools available to Federal, State, and
local officials to identify and verify that the equipment used in elections is unmodified from its
certified version. Manufacturers may develop and provide these tools as they see fit. The tools,
however, must provide the means to identify and verify hardware and software. The EAC may
review the system identification tools developed by the Manufacturer to ensure compliance.
System identification tools include the following examples:
5.8.1. Hardware is commonly identified by model number and revision number on the unit, its
printed wiring boards (PWBs), and major subunits. Typically, hardware is verified as
unmodified by providing detailed photographs of the PWBs and internal construction of
the unit. These images may be used to compare with the unit being verified.
5.8.2. Software operating on a host computer will typically be verified by providing a selfbooting compact disk (CD) or similar device that verifies the file signatures of the
voting system application files AND the signatures of all nonvolatile files that the
application files access during their operation. Note that the creation of such a CD
requires having a file map of all nonvolatile files that are used by the voting system.
Such a tool must be provided for verification using the file signatures of the original
executable files provided for testing. If during the certification process modifications
are made and new executable files created, then the tool must be updated to reflect the
file signatures of the final files to be distributed for use. For software operating on
devices in which a self-booting CD or similar device cannot be used, a procedure must
be provided to allow identification and verification of the software that is being used on
the device.
5.9. Documentation. Manufacturers shall provide documentation to the Program Director verifying
that the trusted build has been performed, software has been deposited in an approved
repository, and system identification tools are available to election officials. The Manufacturer
35
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
shall submit a letter, signed by both its management representative and a VSTL official, stating
(under penalty of law) that it has (1) performed a trusted build consistent with the requirements
of Section 5.6 of this Manual, (2) deposited software consistent with Section 5.7 of this
Manual, and (3) created and made available system identification tools consistent with Section
5.8 of this Manual. This letter shall also include (as attachments) a copy and description of the
system identification tool developed under Section 5.8 above.
5.10. Agency Decision. Upon receipt of documentation demonstrating the successful completion of
the requirements above and recommendation of the Program Director, the Decision Authority
will issue an Agency Decision granting certification and providing the Manufacturer with a
certification number and Certificate of Conformance.
5.11. Certification Document. A Certificate of Conformance will be provided to Manufacturers for
voting systems that have successfully met the requirements of the EAC Certification Program.
The document will serve as the Manufacturer’s evidence that a particular system is certified to
a particular set of voting system standards. The EAC certification and certificate apply only to
the specific voting system configuration(s) identified, submitted and evaluated under the
Certification Program. Any modification to the system not authorized by the EAC will void the
certificate. The certificate will include the product (voting system) name, the specific model or
version of the product tested, the name of the VSTL conducting the testing, identification of
the standards to which the system was tested, the EAC certification number for the product,
and the signature of the EAC Executive Director. The certificate will also identify each of the
various configurations of the voting system’s components that may be represented as certified.
5.12. Certification Number and Version Control. Each system certified by the EAC will receive a
certification number that is unique to the system and will remain with the system until such
time as the system is decertified, sufficiently modified, or tested and certified to newer
standards. Generally, when a previously certified system is issued a new certification number,
the Manufacturer will be required to change the system’s name or version number.
5.12.1. New Voting Systems and Those Not Previously Certified by the EAC. All systems
receiving their first certification from the EAC will receive a new certification number.
Manufacturers must provide the EAC with the voting system’s name and version
number during the application process (see Chapter 4). Systems previously certified by
another body may retain the previous system name and version number unless the
system was modified before its submission to the EAC. Such modified systems must be
submitted with a new naming convention (i.e., a new version number).
5.12.2. Modifications. Voting systems previously certified by the EAC and submitted for
certification of a modification will generally receive a new voting system certification
number. Such modified systems must be submitted with a new naming convention (i.e.,
a new version number). In rare instances, the EAC may authorize retention of the same
certification and naming convention when the modification is so minor that is does not
represent a substantive change in the voting system. A request for such authorization
must be made and approved by the EAC during the application phase of the program.
36
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
5.12.3. Certification Upgrade. Voting systems previously certified and submitted (without
modification) for testing to a new version of the VVSG will receive a new certification
number. In such cases, however, the Manufacturer will not be required to change the
system name or version.
5.12.4. De Minimis Change. Voting systems previously certified and implementing an
approved de minimis change (per Chapter 3) will not be issued a new certification
number and are not required to implement a new naming convention.
5.13. Publication of EAC Certification. The EAC will publish and maintain on its Web site a list of
all certified voting systems, including copies of all Certificates of Conformance, the supporting
test report, and information about the voting system and Manufacturer. Such information will
be posted immediately following the Manufacturer’s receipt of the EAC Final Decision and
Certificate of Conformance.
5.14. Representation of EAC Certification. Manufacturers may not represent or imply that a
voting system is certified unless it has received a Certificate of Conformance for that system.
Statements regarding EAC certification in brochures, on Web sites, on displays, and in
advertising/sales literature must be made solely in reference to specific systems. Any action by
a Manufacturer to suggest EAC endorsement of its product or organization is strictly prohibited
and may result in a Manufacturer’s suspension or other action pursuant to Federal civil and
criminal law.
5.15. Mark of Certification Requirement. Manufacturers shall post a mark of certification on all
EAC-certified voting systems produced. This mark or label must be securely attached to the
system before sale, lease, or release to third parties. A mark of certification shall be made using
an EAC-mandated template available for download on the EAC Web site: www.eac.gov.
These templates identify the version of the VVSG or VSS to which the system is certified. Use
of this template shall be mandatory. The EAC mark must be displayed as follows:
5.15.1. The Manufacturer may use only the mark of certification that accurately reflects the
certification held by the voting system as a whole. The certification of individual
components or modifications shall not be independently represented by a mark of
certification. In the event a system has components or modifications tested to various
(later) versions of the VVSG, the system shall bear only the mark of certification of the
standard to which the system (as a whole) was tested and certified (i.e. the lesser
standard). Ultimately, a voting system shall only display the mark of certification of
the oldest or least rigorous standard to which any of its components are certified.
5.15.2. The mark shall be placed on the outside of a unit of voting equipment in a place readily
visible to election officials. The mark need not be affixed to each of the voting
system’s components. The mark shall be affixed to either (1) each unit that is used to
cast ballots or (2) each unit that is used to tabulate ballots.
5.15.3. The notice shall be securely affixed to the voting system. The label shall not be a paper
label. “Securely affixed” means that the label is etched, engraved, stamped, silk-
37
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
screened, indelibly printed, or otherwise securely marked on a permanently attached
part of the equipment or on a nameplate of metal, plastic, or other sturdy material
fastened to the equipment by use of welding, riveting, or adhesive.
5.15.4. The label must be designed to last the expected lifetime of the voting system in the
environment in which the system may be operated and must not be readily detachable.
5.16. Information to Election Officials Purchasing Voting Systems. The user’s manual or
instruction manual for a certified voting system shall warn purchasers that changes or
modifications not tested and certified by the EAC will void the EAC certification of the voting
system. In cases in which the manual is provided only in a form other than paper, such as on a
CD or over the Internet, the information required in this section may be included in this
alternative format provided the election official can reasonably be expected to have the
capability to access information in that format.
38
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
6.
Denial of Certification
6.1. Overview. When the Decision Authority issues an Initial Decision denying certification, the
Manufacturer has certain rights and responsibilities. The Manufacturer may request an
opportunity to cure the defects identified by the Decision Authority. In addition, the
Manufacturer may request that the Decision Authority reconsider the Initial Decision after the
Manufacturer has had the opportunity to review the record and submit supporting written
materials, data, and the rationale for its position. Finally, in the event reconsideration is denied,
the Manufacturer may appeal the decision to the Appeal Authority.
6.2. Applicability of This Chapter. This chapter applies when the Decision Authority makes an
Initial Decision to deny an application for voting system certification based on the materials
and recommendation provided by the Program Director.
6.3. Form of Decisions. All agency determinations shall be made in writing. Moreover, all
materials and recommendations reviewed or used by agency decision makers in arriving at an
official determination shall be in written form.
6.4. Effect of Denial of Certification. Upon receipt of the agency’s decision denying
certification—or in the event of an appeal, subject to the Decision on Appeal—the
Manufacturer’s application for certification is denied. Such systems will not be reviewed again
by the EAC for certification unless the Manufacturer alters the system, retests it, and submits a
new application for system certification.
6.5. The Record. The Program Director shall maintain all documents related to a denial of
certification. Such documents shall constitute the procedural and substantive record of the
decision making process. Records may include the following:
6.5.1. The Program Director’s report and recommendation to the Decision Authority.
6.5.2. The Decision Authority’s Initial Decision and Final Decision.
6.5.3. Any materials gathered by the Decision Authority that served as a basis for a
certification determination.
6.5.4. All relevant and allowable materials submitted by the Manufacturer upon request for
reconsideration or appeal.
6.5.5. All correspondence between the EAC and a Manufacturer after the issuance of an
Initial Decision denying certification.
6.6. Initial Decision. The Decision Authority shall make and issue a written decision on voting
systems submitted for certification. When such decisions result in a denial of certification, the
decision shall be considered preliminary and referred to as an Initial Decision. Initial Decisions
shall be in writing and contain (1) the Decision Authority’s basis and explanation for the
decision and (2) notice of the Manufacturer’s rights in the denial of certification process.
39
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
6.6.1. Basis and Explanation. The Initial Decision of the Decision Authority shall accomplish
the following:
6.6.1.1. Clearly state the agency’s decision on certification.
6.6.1.2. Explain the basis for the decision, including identifying the following:
6.6.1.2.1. The relevant facts.
6.6.1.2.2. The applicable EAC voting system standards (VVSG or VSS).
6.6.1.2.3. The relevant analysis in the Program Director’s recommendation.
6.6.1.2.4. The reasoning behind the decision.
6.6.1.3. State the actions the Manufacturer must take, if any, to cure all defects in the
voting system and obtain a certification.
6.6.2. Manufacturer’s Rights. The written Initial Decision must also inform the Manufacturer
of its procedural rights under the program, including the following:
6.6.2.1. Right to request reconsideration. The Manufacturer shall be informed of its
right to request a timely reconsideration (see Section 6.9). Such request must
be made within 10 calendar days of the Manufacturer’s receipt of the Initial
Decision.
6.6.2.2. Right to request a copy or otherwise have access to the information that
served as the basis of the Initial Decision (“the record”).
6.6.2.3. Right to cure system defects prior to final Agency Decision (see Section 6.8).
A Manufacturer may request an opportunity to cure within 10 calendar days of
its receipt of the Initial Decision.
6.7. No Manufacturer Action on Initial Decision. If a Manufacturer takes no action (by either
failing to request an opportunity to cure or request reconsideration) within 10 calendar days of
its receipt of the Initial Decision, the Initial Decision shall become the agency’s Final Decision
on Certification. In such cases, the Manufacturer is determined to have foregone its right to
reconsideration, cure, and appeal. The certification application shall be considered finally
denied.
6.8. Opportunity To Cure. Within 10 calendar days of receiving the EAC’s Initial Decision on
Certification, a Manufacturer may request an opportunity to cure the defects identified in the
EAC’s Initial Decision. If the request is approved, a compliance plan must be created,
approved, and followed. If this cure process is successfully completed, a voting system denied
certification in an Initial Decision may receive a certification without resubmission.
40
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
6.8.1. Manufacturer’s Request To Cure. The Manufacturer must send a request to cure within
10 calendar days of receipt of an Initial Decision. The request must be sent to the
Program Director.
6.8.2. EAC Action on Request. The Decision Authority will review the request and approve
it. The Decision Authority will deny a request to cure only if the proposed plan to cure
is inadequate or does not present a viable way to remedy the identified defects.
Approval or denial of a request to cure shall be provided the Manufacturer in writing. If
the Manufacturer’s request to cure is denied, it shall have 10 calendar days from the
date it received such notice to request reconsideration of the Initial Decision pursuant to
Section 6.6.2.
6.8.3. Manufacturer’s Compliance Plan. Upon approval of the Manufacturer’s request for an
opportunity to cure, it shall submit a compliance plan to the Decision Authority for
approval. This compliance plan must set forth steps to be taken to cure all identified
defects. It shall include the proposed changes to the system, updated technical
information (as required by Section 4.3.2), and a new test plan created and submitted
directly to the EAC by the VSTL (testing the system consistent with Section 4.4.2.3).
The plan shall also provide for the testing of the amended system and submission of a
test report by the VSTL to the EAC for approval. It should provide an estimated date
for receipt of this test report and include a schedule of periodic VSTL progress reports
to the Program Director.
6.8.4. EAC Action on the Compliance Plan. The Decision Authority must review and approve
the compliance plan. The Decision Authority may require the Manufacturer to provide
additional information and modify the plan as required. If the Manufacturer is unable or
unwilling to provide a compliance plan acceptable to the Decision Authority, the
Decision Authority shall provide written notice terminating the “opportunity to cure”
process. The Manufacturer shall have 10 calendar days from the date it receives such
notice to request reconsideration of the Initial Decision pursuant to Section 6.6.2.
6.8.5. Compliance Plan Test Report. The VSTL shall submit the test report created pursuant
to its EAC-approved compliance plan. The EAC shall review the test report, along with
the original test report and other materials originally provided. The report will be
technically reviewed by the EAC consistent with the procedures laid out in Chapter 4 of
this Manual.
6.8.6. EAC Decision on the System. After receipt of the test plan, the Decision Authority
shall issue a decision on a voting system amended pursuant to an approved compliance
plan. This decision shall be issued in the same manner and with the same process and
rights as an Initial Decision on Certification.
41
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
6.9. Requests for Reconsideration. Manufacturers may request reconsideration of an Initial
Decision.
6.9.1. Submission of Request. A request for reconsideration must be made within 10 calendar
days of the Manufacturer’s receipt of an Initial Decision. The request shall be made and
sent to the Decision Authority.
6.9.2. Acknowledgment of Request. The Decision Authority shall acknowledge receipt of the
Manufacturer’s request for reconsideration. This acknowledgment shall either enclose
all information that served as the basis for the Initial Decision (the record) or provide a
date by which the record will be forwarded to the Manufacturer.
6.9.3. Manufacturer’s Submission. Within 30 calendar days of receipt of the record, a
Manufacturer may submit written materials in support of its position, including the
following:
6.9.3.1. A written argument responding to the conclusions in the Initial Decision.
6.9.3.2. Documentary evidence relevant to the issues raised in the Initial Decision.
6.9.4. Decision Authority’s Review of Request. The Decision Authority shall review and
consider all relevant submissions of the Manufacturer. In making a decision on
reconsideration, the Decision Authority shall also consider all documents that make up
the record and any other documentary information he or she determines relevant.
6.10. Agency Final Decision. The Decision Authority shall issue a written Agency Decision after
review of the Manufacturer’s request for reconsideration. This Decision shall be the decision of
the agency. The following actions are necessary for writing the decision:
6.10.1.1. Clearly state the agency’s determination on the application for certification.
6.10.1.2. Address the issues raised by the Manufacturer in its request for
reconsideration.
6.10.1.3. Identify all facts, evidence, and EAC voting system standards (VVSG or VSS)
that served as the basis for the decision.
6.10.1.4. Provide the reasoning behind the determination.
6.10.1.5. Identify and provide, as an attachment, any additional documentary
information that served as a basis for the decision and that was not part of the
Manufacturer’s submission or the prior record.
6.10.1.6. Provide the Manufacturer notice of its right to appeal.
42
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
6.11. Appeal of Agency Final Decision. A Manufacturer may, upon receipt of an Agency Final
Decision denying certification, issue a request for appeal.
6.11.1. Requesting Appeal. A Manufacturer may appeal a final decision of the agency by
issuing a written request for appeal.
6.11.1.1. Submission. Requests must be submitted in writing to the Program Director,
addressed to the Chair of the U.S. Election Assistance Commission.
6.11.1.2. Timing of Appeal. The Manufacturer may request an appeal within 20
calendar days of receipt of the Agency Final Decision. Late requests will not
be considered.
6.11.1.3. Contents of Request.
6.11.1.3.1. The request must clearly state the specific conclusions of the Final
Decision the Manufacturer wishes to appeal.
6.11.1.3.2. The request may include additional written argument.
6.11.1.3.3. The request may not reference or include any factual material not
in the record.
6.11.2. Consideration of Appeal. All timely appeals will be considered by the Appeal
Authority.
6.11.2.1. The Appeal Authority shall be two or more EAC Commissioners or other
individuals appointed by the Commissioners who have not previously served
as the initial or reconsideration authority on the matter.
6.11.2.2. All decisions on appeal shall be based on the record.
6.11.2.3. The determination of the Decision Authority shall be given deference by the
Appeal Authority. Although it is unlikely that the scientific certification
process will produce factual disputes, in such cases, the burden of proof shall
belong to the Manufacturer to demonstrate by clear and convincing evidence
that its voting system met all substantive and procedural requirements for
certification. In other words, the determination of the Decision Authority will
be overturned only when the Appeal Authority finds the ultimate facts in
controversy highly probable.
43
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
6.12. Decision on Appeal. The Appeal Authority shall make a written, final Decision on Appeal and
shall provide it to the Manufacturer.
6.12.1. Contents. The following actions are necessary to write the Decision on Appeal:
6.12.1.1. State the final determination of the agency.
6.12.1.2. Address the matters raised by the Manufacturer on appeal.
6.12.1.3. Provide the reasoning behind the decisions.
6.12.1.4. State that the Decision on Appeal is final.
6.12.2. Determinations. The Appeal Authority may make one of two determinations:
6.12.2.1. Grant of Appeal. If the Appeal Authority determines that the conclusions of
the Decision Authority shall be overturned in full, the appeal shall be granted.
In such cases, certification will be approved subject to the requirements of
Chapter 5.
6.12.2.2. Denial of Appeal. If the Appeal Authority determines that any part of the
Decision Authority’s determination shall be upheld, the appeal shall be
denied. In such cases, the application for appeal is finally denied.
6.12.3. Effect. All Decisions on Appeal shall be final and binding on the Manufacturer. No
additional appeal shall be granted.
44
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
7.
Decertification
7.1. Overview. Decertification is the process by which the EAC revokes a certification previously
granted to a voting system. It is an important part of the Certification Program because it serves
to ensure that the requirements of the program are followed and that certified voting systems
fielded for use in Federal elections maintain the same level of quality as those presented for
testing. Decertification is a serious matter. Its use will significantly affect Manufacturers, State
and local governments, the public, and the administration of elections. As such, the process for
Decertification is complex. It is initiated when the EAC receives information that a voting
system may not be in compliance with the applicable voting system standard or the procedural
requirements of this Manual. Upon receipt of such information, the Program Director may
initiate an Informal Inquiry to determine the credibility of the information. If the information is
credible and suggests the system is non-compliant, a Formal Investigation will be initiated. If
the results of the Formal Investigation demonstrate non-compliance, the Manufacturer will be
provided a Notice of Non-Compliance. Before a Final Decision on Decertification is made, the
Manufacturer will have the opportunity to remedy any defects identified in the voting system
and present information for consideration by the Decertification Authority. A Decertification
of a voting system may be appealed in a timely manner.
7.2. Decertification Policy. Voting systems certified by the EAC are subject to Decertification.
Systems shall be decertified if (1) they are shown not to meet applicable voting system
standard, (2) they have been modified or changed without following the requirements of this
Manual, or (3) the Manufacturer has otherwise failed to follow the procedures outlined in this
Manual so that the quality, configuration, or compliance of the system is in question.
Decertification of a voting system is a serious matter. Systems will be decertified only after
completion of the process outlined in this chapter.
7.3. Informal inquiry. An Informal Inquiry is the first step taken when information is presented to
the EAC that suggests a voting system may not be in compliance with the applicable voting
system standard or the procedural requirements of this Manual.
7.3.1. Informal Inquiry Authority. The authority to conduct an Informal Inquiry shall rest with
the Program Director.
7.3.2. Purpose. The sole purpose of the Informal Inquiry is to determine whether a Formal
Investigation is warranted. The outcome of an Informal Inquiry is limited to a decision
on referral for investigation.
7.3.3. Procedure. Informal Inquiries do not follow a formal process.
7.3.3.1. Initiation. Informal Inquiries are initiated at the discretion of the Program
Director. They may be initiated any time the Program Director receives
attributable, relevant information that suggests a certified voting system may
require Decertification. The information shall come from a source that has
directly observed or witnessed the reported occurrence. Such information may
be a product of the Certification Quality Monitoring Program (see Chapter 8).
45
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
Information may also come from State and local election officials, voters, or
others who have used or tested a given voting system. The Program Director
may notify a Manufacturer that an Informal Inquiry has been initiated, but
such notification is not required. Initiation of an inquiry shall be documented
through the creation of a Memorandum for the Record.
7.3.3.2. Inquiry. The Informal Inquiry process is limited to that inquiry necessary to
determine whether a Formal Investigation is required. In other words, the
Program Director shall conduct such inquiry necessary to determine (1) that
the information obtained is credible and (2) that the information, if true, would
serve as a basis for Decertification. The nature and extent of the inquiry
process will vary depending on the source of the information. For example, an
Informal Inquiry initiated as a result of action taken under the Certification
Quality Monitoring Program will often require the Program Director merely to
read the report issued as a result of the Quality Monitoring action. On the
other hand, information provided by election officials or by voters who have
used a voting system may require the Program Director (or assigned technical
experts) to perform an in-person inspection or make inquiries of the
Manufacturer.
7.3.3.3. Conclusion. An Informal Inquiry shall be concluded after the Program
Director is in a position to determine the credibility of the information that
initiated the inquiry and whether that information, if true, would require
Decertification. The Program Director may make only two conclusions: (1)
refer the matter for a Formal Investigation or (2) close the matter without
additional action or referral.
7.3.4. Closing the Matter Without Referral. If the Program Director determines, after Informal
Inquiry, that a matter does not require a Formal Investigation, the Program Director
shall close the inquiry by filing a Memorandum for the Record. This document shall
state the focus of the inquiry, the findings of the inquiry and the reasons a Formal
Investigation was not warranted.
7.3.5. Referral. If the Program Director determines, after Informal Inquiry, that a matter
requires a Formal Investigation, the Program Director shall refer the matter in writing
to the Decision Authority. In preparing this referral, the Program Director shall do the
following:
7.3.5.1. State the facts that served as the basis for the referral.
7.3.5.2. State the findings of the Program Director.
7.3.5.3. Attach all documentary evidence that served as the basis for the conclusion.
7.3.5.4. Recommend a Formal Investigation, specifically stating the system to be
investigated and the scope and focus of the proposed investigation.
46
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
7.4. Formal Investigation. A Formal Investigation is an official investigation to determine whether
a voting system requires Decertification. The end result of a Formal Investigation is a Report
of Investigation.
7.4.1. Formal Investigation Authority. The Decision Authority shall have the authority to
initiate and conclude a Formal Investigation by the EAC.
7.4.2. Purpose. The purpose of a Formal Investigation is to gather and document relevant
information sufficient to make a determination on whether an EAC-certified voting
system requires Decertification consistent with the policy put forth in Section 7.2
above.
7.4.3. Initiation of Investigation. The Decision Authority shall authorize the initiation of an
EAC Formal Investigation.
7.4.3.1. Scope. The Decision Authority shall clearly set the scope of the investigation
by identifying (in writing) the voting system (or systems) and specific
procedural or operational non-conformance to be investigated. The nonconformance or non-conformances to be investigated shall be set forth in the
form of numbered allegations.
7.4.3.2. Investigator. The Program Director shall be responsible for conducting the
investigation unless the Decision Authority appoints another individual to
conduct the investigation. The Program Director (or Decision Authority
appointee) may assign staff or technical experts, as required, to investigate the
matter.
7.4.4. Notice of Formal Investigation. Upon initiation of a Formal Investigation, notice shall
be given the Manufacturer of the scope of the investigation. The following actions are
necessary to prepare this notice:
7.4.4.1. Identify the voting system and specific procedural or operation nonconformance being investigated (scope of investigation).
7.4.4.2. Provide the Manufacturer an opportunity to provide relevant information in
writing.
7.4.4.3. Provide an estimated timeline for the investigation.
7.4.5. Investigation. Because voting systems play a vital role in our democratic process,
investigations shall be conducted impartially, diligently, promptly, and confidentially.
Investigators shall use techniques to gather necessary information that meet these
requirements.
47
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
7.4.5.1. Fair and Impartial Investigation. All Formal Investigations shall be conducted
in a fair and impartial manner. All individuals assigned to an investigation
must be free from any financial conflicts of interest.
7.4.5.2. Diligent Collection of Information. All investigations shall be conducted in a
meticulous and thorough manner. Investigations shall gather all relevant
information and documentation that is reasonably available. The diligent
collection of information is vital for informed decision making.
7.4.5.3. Prompt Collection of Information. Determinations that may affect the
administration of Federal elections must be made with all reasonable speed.
EAC determinations on Decertification will affect the actions of State and
local election officials conducting elections. As such, all investigations
regarding Decertification must proceed with an appropriate sense of urgency.
7.4.5.4. Confidential Collection of Information. Consistent with Federal law,
information pertaining to a Formal Investigation should not be made public
until the Report of Investigation is complete. The release of incomplete and
unsubstantiated information or predecisional opinions that may be contrary or
inconsistent with the final determination of the EAC could cause public
confusion or could unnecessarily negatively affect public confidence in active
voting systems. Such actions could serve to impermissibly affect election
administration and voter turnout. All predecisional investigative materials
must be appropriately safeguarded.
7.4.5.5. Methodologies. Investigators shall gather information by means consistent
with the four principles noted above. Investigative tools include (but are not
limited to) the following:
7.4.5.5.1. Interviews. Investigators may interview individuals (such as State
and local election officials, voters, or representatives of the
Manufacturer) with relevant information. All interviews shall be
reduced to written form; each interview should be summarized in a
statement that is reviewed, approved, and signed by the subject.
7.4.5.5.2. Field audits.
7.4.5.5.3. Manufacturer site audits.
7.4.5.5.4. Written interrogatories. Investigators may pose specific, written
questions to the Manufacturer for the purpose of gathering
information relevant to the investigation. The Manufacturer shall
respond to the queries within a reasonable timeframe (as specified
in the request).
48
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
7.4.5.5.5. System testing. Testing may be performed in an attempt to
reproduce a condition or failure that has been reported. This
testing will be conducted at a VSTL under contract with the EAC.
7.4.5.6. Report of Investigation. The end result of a Formal Investigation is a Report of
Investigation.
7.4.6. Report of Investigation. The Report of Investigation serves, primarily, to document (1)
all relevant and reliable information gathered in the course of the investigation, and (2)
the conclusion reached by the Decision Authority.
7.4.6.1. When Complete. The report is complete and final when certified and signed by
the Decision Authority.
7.4.6.2. Contents of the Report of Investigation. The following actions are necessary to
prepare the written report:
7.4.6.2.1. Restate the scope of the investigation, identifying the voting
system and specific matter investigated.
7.4.6.2.2. Briefly describe the investigative process employed.
7.4.6.2.3. Summarize the relevant and reliable facts and information gathered
in the course of the investigation.
7.4.6.2.4. Attach all relevant and reliable evidence collected in the course of
the investigation that documents the facts. All facts shall be
documented in written form.
7.4.6.2.5. Analyze the information gathered.
7.4.6.2.6. Clearly state the findings of the investigation.
7.4.7. Findings, Report of Investigation. The Report of Investigation shall state one of two
conclusions. After gathering and reviewing all applicable facts, the report shall find
each allegation investigated to be either (1) substantiated, or (2) unsubstantiated.
7.4.7.1. Substantiated Allegation. An allegation is substantiated if a preponderance of
the relevant and reliable information gathered requires that the voting system
at issue be decertified (consistent with the policy set out in Section 7.2). If any
allegation is substantiated, a Notice of Non-Compliance must be issued.
7.4.7.2. Unsubstantiated Allegation. An allegation is unsubstantiated if the
preponderance of the relevant and reliable information gathered does not
require Decertification (see Section 7.2). If all allegations are unsubstantiated,
49
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
the matter shall be closed and a copy of the report forwarded to the
Manufacturer.
7.4.8. Publication of Report. The report shall not be made public nor released to the public
until final.
7.5. Effect of Informal Inquiry or Formal Investigation on Certification. A voting system’s
EAC certification is not affected by the initiation or conclusion of an Informal Inquiry or
Formal Investigation. Systems under investigation remain certified until a final Decision on
Decertification is issued by the EAC.
7.6. Notice of Non-Compliance. If an allegation in a Formal Investigation is substantiated, the
Decision Authority shall send the Manufacturer a Notice of Non-Compliance. The Notice of
Non-Compliance is not, itself, a Decertification of the voting system. The purpose of the notice
is to (1) notify the Manufacturer of the non-compliance and the EAC’s intent to Decertify the
system and (2) inform the Manufacturer of its procedural rights so that it may be heard prior to
Decertification.
7.6.1. Non-Compliance Information. The following actions are necessary for preparing a
Notice of Non-Compliance:
7.6.1.1. Provide a copy of the Report of Investigation to the Manufacturer.
7.6.1.2. Identify the non-compliance, consistent with the Report of Investigation.
7.6.1.3. Inform the Manufacturer that if the voting system is not made compliant, the
voting system will be decertified.
7.6.1.4. State the actions the Manufacturer must take, if any, to bring the voting
system into compliance and avoid Decertification.
7.6.2. Manufacturer’s Rights. The written Notice of Non-Compliance must also inform the
Manufacturer of its procedural rights under the program, which include the following:
7.6.2.1. Right to Present Information Prior to Decertification Decision. The
Manufacturer shall be informed of its right to present information to the
Decision Authority prior to a determination of Decertification.
7.6.2.2. Right to Have Access to the Information That Will Serve as the Basis of the
Decertification Decision. The Manufacturer shall be provided the Report of
Investigation and any other materials that will serve as the basis of an Agency
Decision on Decertification.
7.6.2.3. Right to Cure System Defects Prior to the Decertification Decision. A
Manufacturer may request an opportunity to cure within 20 calendar days of
its receipt of the Notice of Non-Compliance.
50
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
7.7. Procedure for Decision on Decertification. The Decision Authority shall make and issue a
written Decision on Decertification whenever a Notice of Non-Compliance is issued. The
Decision Authority will not take such action until the Manufacturer has had a reasonable
opportunity to cure the non-compliance and submit information for consideration.
7.7.1. Opportunity to Cure. The Manufacturer shall have an opportunity to cure a nonconforming voting system in a timely manner prior to Decertification. A cure is timely
when the cure process can be completed before the next Federal election, meaning that
any proposed cure must be in place before any individual jurisdiction fielding the
system holds a Federal election. The Manufacturer must request the opportunity to
cure. If the request is approved, a compliance plan must be created, approved, and
followed. If this cure process is successfully completed, a Manufacturer may modify a
non-compliant voting system, remedy procedural discrepancies, or otherwise bring its
system into compliance without resubmission or Decertification.
7.7.1.1. Manufacturer’s Request to Cure. Within 10 calendar days of receiving the
EAC’s Notice of Non-Compliance, a Manufacturer may request an
opportunity to cure all defects identified in the Notice of Non-Compliance in a
timely manner. The request must be sent to the Decision Authority and outline
how the Manufacturer would modify the system, update the technical
information (as required by Section 4.3.2), have the VSTL create a test plan
and test the system, and obtain EAC approval before the next election for
Federal office.
7.7.1.2. EAC Action on Request. The Decision Authority will review the request and
approve it if the defects identified in the Notice of Non-Compliance may
reasonably be cured before the next election for Federal office.
7.7.1.3. Manufacturer’s Compliance Plan. Upon approval of the Manufacturer’s
request for an opportunity to cure, the Manufacturer shall submit a compliance
plan to the Decision Authority for approval. This compliance plan must set
forth the steps to be taken (including time frames) to cure all identified defects
in a timely manner. The plan shall describe the proposed changes to the
system, provide for modification of the system, update the technical
information required by Section 4.3.2, include a test plan delivered to the
EAC by the VSTL (testing the system consistent with Section 4.4.2.3), and
provide for the VSTL’s testing of the system and submission of the test report
to the EAC for approval (assume at least 20 working days). The plan shall
also include a schedule of periodic progress reports to the Program Director 2 .
2
Manufacturers should also be cognizant of State certification procedures and local pre-election logic and
accuracy testing. Systems that meet EAC guidelines will also be impacted by independent State and local
requirements. These requirements may also prevent a system from being fielded, irrespective of EAC
Certification.
51
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
7.7.1.4. EAC Action on the Compliance Plan. The Decision Authority must review
and approve the compliance plan. The Decision Authority may require the
Manufacturer to provide additional information and modify the plan as
required. If the Manufacturer is unable or unwilling to provide a Compliance
Plan acceptable to the Decision Authority, the Decision Authority shall
provide written notice terminating the “opportunity to cure” process.
7.7.1.5. VSTL’s Submission of the Compliance Plan Test Report. The VSTL shall
submit the test report created pursuant to the Manufacturer’s EAC-approved
Compliance Plan. The EAC shall review the test report and any other
necessary or relevant materials. The report will be technically reviewed by the
EAC in a manner similar to the procedures described in Chapter 4 of this
Manual.
7.7.1.6. EAC Decision on the System. After receipt of the VSTL’s test report, the
Decision Authority shall issue a decision on a voting system amended
pursuant to an approved Compliance Plan. For the purpose of planning, the
Manufacturer should allow at least 20 working days for this process.
7.7.2. Opportunity to Be Heard. The Manufacturer may submit written materials in response
to the Notice of Non-Compliance and Report of Investigation. These documents shall
be considered by the Decision Authority when making a determination on
Decertification. The Manufacturer shall ordinarily have 20 calendar days from the date
it received the Notice of Non-Compliance (or in the case of a failed effort to cure, the
termination of that process) to deliver its submissions to the Decision Authority. When
warranted by public interest (because a delay in making a determination on
Decertification would affect the timely, fair, and effective administration of a Federal
election), however, the Decision Authority may provide a Manufacturer less time to
submit information. This alternative period (and the basis for it) must be stated in the
Notice of Non-Compliance. The alternative time period must allow the Manufacturer a
reasonable amount of time to gather its submissions. Submissions may include the
following materials:
7.7.2.1. A written argument responding to the conclusions in the Notice of NonCompliance or Report of Investigation.
7.7.2.2. Documentary evidence relevant to the allegations or conclusions in the Notice
of Non-Compliance.
7.7.3. Decision on Decertification. The Decision Authority shall make an agency
determination on Decertification.
7.7.3.1. Timing. The Decision Authority shall promptly make a decision on
Decertification. The Decision Authority may not issue such a decision,
however, until the Manufacturer has provided all of its written materials for
52
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
consideration or the time allotted for submission (usually 20 calendar days)
has run out.
7.7.3.2. Considered Materials. The Decision Authority shall review and consider all
relevant submissions of the Manufacturer. In making a Decision on
Decertification, the Decision Authority shall also consider all documents that
make up the record and any other documentary information he or she
determines relevant.
7.7.3.3. Agency Decision. The Decision Authority shall issue a written Agency
Decision after review of applicable materials. This decision shall be the final
decision of the agency. The following actions are necessary to write the
decision:
7.7.3.3.1. Clearly state the agency’s determination on the Decertification,
specifically addressing the areas of non-compliance investigated.
7.7.3.3.2. Address the issues raised by the Manufacturer in the materials it
submitted for consideration.
7.7.3.3.3. Identify all facts, evidence, procedural requirements, and/or voting
system standards (VVSG or VSS) that served as the basis for the
decision.
7.7.3.3.4. Provide the reasoning behind the decision.
7.7.3.3.5. Identify, and provide as an attachment, any additional documentary
information that served as a basis for the decision and that was not
part of the Manufacturer’s submission or the Report of
Investigation.
7.7.3.3.6. Provide the Manufacturer notice of its right to appeal.
7.8. Effect of Decision Authority’s Decision on Decertification. The Decision Authority’s
Decision on Decertification is the determination of the agency. A Decertification is effective
upon the EAC’s publication or Manufacturer’s receipt of the decision (whichever is earlier). A
Manufacturer that has had a voting system decertified may appeal that decision.
7.9. Appeal of Decertification. A Manufacturer may, upon receipt of an Agency Final Decision on
Decertification, request an appeal in a timely manner.
7.9.1. Requesting Appeal.
7.9.1.1. Submission. Requests must be submitted by the Manufacturer in writing to the
Chair of the U.S. Election Assistance Commission.
53
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
7.9.1.2. Timing of Appeal. The Manufacturer may request an appeal within 20
calendar days of receipt of the Agency Final Decision on Decertification. Late
requests will not be considered.
7.9.1.3. Contents of Request. The following actions are necessary for the Manufacturer
to write and submit a request for appeal:
7.9.1.3.1. Clearly state the specific conclusions of the Final Decision the
Manufacturer wishes to appeal.
7.9.1.3.2. Include additional written argument, if any.
7.9.1.3.3. Do not reference or include any factual material not previously
considered or submitted to the EAC.
7.9.1.4. Effect of Appeal on Decertification. The initiation of an appeal does not affect
the decertified status of a voting system. Systems are decertified upon notice
of Decertification in the agency’s Decision on Decertification (see Section
7.8).
7.9.2. Consideration of Appeal. All timely appeals will be considered by the Appeal
Authority.
7.9.2.1. The Appeal Authority shall be two or more EAC Commissioners or other
individual or individuals appointed by the Commissioners who have not
previously served as investigators, advisors, or decision makers in the
Decertification process.
7.9.2.2. All decisions on appeal shall be based on the record.
7.9.2.3. The decision of the Decision Authority shall be given deference by the Appeal
Authority. Although it is unlikely that the scientific certification process will
produce factual disputes, in such cases the burden of proof shall belong to the
Manufacturer to demonstrate by clear and convincing evidence that its voting
system met all substantive and procedural requirements for certification. In
other words, the determination of the Decision Authority will be overturned
only when the Appeal Authority finds the ultimate facts in controversy to be
highly probable.
7.9.3. Decision on Appeal. The Appeal Authority shall make a written, final Decision on
Appeal that it shall provide to the Manufacturer. Each Decision on Appeal shall be final
and binding on the Manufacturer. No additional appeal shall be granted. The following
actions are necessary to write a Decision on Appeal:
7.9.3.1. State the final determination of the agency.
54
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
7.9.3.2. Address the matters raised by the Manufacturer on appeal.
7.9.3.3. Provide the reasoning behind the decision.
7.9.3.4. State that the Decision on Appeal is final.
7.9.4. Effect of Appeal.
7.9.4.1. Grant of Appeal. If a Manufacturer’s appeal is granted in whole, the decision
of the Decision Authority is reversed. The voting system shall have its
certification reinstated. For purposes of this program, the system shall be
treated as though it was never decertified.
7.9.4.2. Denial of Appeal. If a Manufacturer’s appeal is denied in whole or in part, the
decision of the Decision Authority is upheld. The voting system remains
decertified and no additional appeal is available.
7.10. Effect of Decertification. A voting system that has been decertified no longer holds an EAC
certification under the Certification Program. For purposes of this Manual and the program, a
decertified system will be treated as any other uncertified voting system. As such, the effects of
Decertification are as follows:
7.10.1. The Manufacturer may not represent the voting system as certified.
7.10.2. The voting system may not be labeled with a mark of certification.
7.10.3. The voting system will be removed from the EAC list of certified systems.
7.10.4. The EAC will notify State and local election officials of the Decertification.
7.11. Recertification. A decertified system may be resubmitted for certification. Such systems shall
be treated as any other system seeking certification. The Manufacturer shall present an
application for certification consistent with the instructions of this Manual.
55
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
8.
Quality Monitoring Program
8.1. Overview. The quality of any product, including a voting system, depends on two specific
elements: (1) the design of the product or system and (2) the care and consistency of the
manufacturing process. The EAC testing and certification process focuses on voting system
design by ensuring that a representative sample of a system meets the technical specifications
of the applicable EAC voting system standards. This process, commonly called “type
acceptance,” determines whether the representative sample submitted for testing meets the
requirements. What type acceptance does not do is explore whether variations in
manufacturing may allow production of non-compliant systems. Generally, the quality of the
manufacturing is the responsibility of the Manufacturer. After a system is certified, the vendor
assumes primary responsibility for compliance of the products produced. This level of
compliance is accomplished by the Manufacturer’s configuration management and quality
control processes. The EAC’s Quality Monitoring Program, as outlined in this chapter,
however, provides an additional layer of quality control by allowing the EAC to perform
manufacturing site reviews, carry out fielded system reviews, and gather information on voting
system anomalies from election officials. These additional tools help ensure that voting
systems continue to meet the requirements of EAC’s voting system standards as the systems
are manufactured, delivered, and used in Federal elections. These aspects of the program
enable the EAC to independently monitor the continued compliance of fielded voting systems.
8.2. Purpose. The purpose of the Quality Monitoring Program is to ensure that EAC-certified
voting systems are identical to those fielded in election jurisdictions. This level of quality
control is accomplished primarily by identifying (1) potential quality problems in
manufacturing, (2) uncertified voting system configurations, and (3) field performance issues
with certified systems.
8.3. Manufacturer’s Quality Control. EAC’s Quality Monitoring Program is not a substitute for
the Manufacturer’s quality control program. As stated in Chapter 2 of this Manual, all
Manufacturers must have an acceptable quality control program in place before they may be
registered. The EAC’s program serves as an independent and complementary process of
quality control that works in tandem with the Manufacturer’s efforts.
8.4. Quality Monitoring Methodology. This chapter provides the EAC with three primary tools
for assessing the level of effectiveness of the certification process and the compliance of
fielded voting systems. These tools include (1) manufacturing site reviews, (2) fielded system
reviews, and (3) a means for receiving anomaly reports from the field.
8.5. Manufacturing Site Review. Facilities that produce certified voting systems will be reviewed
periodically, at the discretion of the EAC, to verify that the system being manufactured,
shipped, and sold is the same as the sample submitted for certification testing. All registered
Manufacturers must cooperate with such audits as a condition of program participation.
8.5.1. Notice. The site review may be scheduled or unscheduled, at the discretion of the EAC.
Unscheduled reviews will be performed with at least 24 hours notice. Scheduling and
56
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
notice of site reviews will be coordinated with and provided to both the manufacturing
facility’s representative and the Manufacturer’s representative.
8.5.2. Frequency. At a minimum, at least one manufacturing facility of a registered
Manufacturer shall be subject to a site review at least once every 4 years.
8.5.3. The Review. The production facility and production test records must be made
available for review. When requested, production schedules must be provided to the
EAC. Production or production testing may be witnessed by EAC representatives. If
equipment is not being produced during the inspection, the review may be limited to
production records. During the inspection, the Manufacturer must make available to the
EAC representative the Manufacturer’s quality manual and other documentation
sufficient to enable the inspector to evaluate the following factors of the facility’s
production:
8.5.3.1. Manufacturing quality controls.
8.5.3.2. Final inspection and testing.
8.5.3.3. History of deficiencies or anomalies and corrective actions taken.
8.5.3.4. Equipment calibration and maintenance.
8.5.3.5. Corrective action program.
8.5.3.6. Policies on product labeling and the application of the EAC mark of
certification.
8.5.4. Exit Briefing. Site reviewers will provide the manufacturing facility representative a
verbal exit briefing regarding the preliminary observations of the review.
8.5.5. Written Report. A written report documenting the review will be drafted by the EAC
representative and provided to the Manufacturer. The report will detail the findings of
the review and identify actions that are required to correct any deficiencies.
8.6. Fielded System Review and Testing. Upon invitation or with the permission of a State or
local election authority, the EAC may, at its discretion, conduct a review of fielded voting
systems. Such reviews will be done to ensure that a fielded system is in the same configuration
as that certified by the EAC and that it has the proper mark of certification. This review may
include the testing of a fielded system, if deemed necessary. Any anomalies found during this
review and testing will be provided to the election jurisdiction and the Manufacturer.
8.7. Field Anomaly Reporting. As another means of gathering field data, the EAC will collect
information from election officials who field EAC-certified voting systems. Information on
actual voting system field performance is a basic means for assessing the effectiveness of the
Certification Program and the manufacturing quality and version control. The EAC will
57
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
provide a mechanism for election officials to provide real-world input on voting system
anomalies.
8.7.1. Anomaly Report. Election officials may use the Voting System Anomaly Reporting
Form to report voting system anomalies to the EAC. The form and instructions for its
completion are available as Appendix C in this Manual or on the EAC Web site,
www.eac.gov. The form may be filed with the EAC on line, by mail or by facsimile.
Use of the form is required.
8.7.2. Who May Report? State or local election officials who have experienced voting system
anomalies in their jurisdiction may file anomaly reports. The individuals reporting must
identify themselves and have firsthand knowledge of or official responsibility over the
anomaly being reported. Anonymous or hearsay reporting will not be accepted.
8.7.3. What Is Reported? Election officials shall report voting system anomalies. An anomaly
is defined as an irregular or inconsistent action or response from the voting system or
system component resulting in some disruption to the election process. Incidents
resulting from administrator error or procedural deficiencies are not considered
anomalies for purposes of this chapter. The report must include the following
information:
8.7.3.1. The official’s name, title, contact information, and jurisdiction.
8.7.3.2. A description of the voting system at issue.
8.7.3.3. The date and location of the reported occurrence.
8.7.3.4. The type of election.
8.7.3.5. A description of the anomaly witnessed.
8.7.4. Distribution of Credible Reports. Credible reports will be distributed to State and local
election jurisdictions who field similar systems, the Manufacturer of the voting system
at issue, and the VSTLs. Reports are reviewed by EAC staff in coordination with
relevant State officials. Credible reports:
8.7.4.1. Meet the definition of anomaly under Section 8.7.3,
8.7.4.2. Constitute a complete report per the requirements of Sections 8.7.3.1 through
8.7.3.5,
8.7.4.3. Have had alleged facts confirmed by contacting filer and/or others present at
the time of the incident, and
8.7.4.4. Have been verified by the relevant State’s chief election official.
58
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
8.8. Use of Quality Monitoring Information. Ultimately, the information the EAC gathers from
manufacturing site reviews, fielded system reviews, and field anomaly reports will be used to
improve the program and ensure the quality of voting systems. The Quality Monitoring
Program is not designed to be punitive but to be focused on improving the process. Information
gathered will be used to accomplish the following:
8.8.1. Identify areas for improvement in the EAC Testing and Certification Program.
8.8.2. Improve manufacturing quality and change control processes.
8.8.3. Increase voter confidence in voting technology.
8.8.4. Inform Manufacturers, election officials, and the EAC of issues associated with voting
systems in a real-world environment.
8.8.5. Share information among jurisdictions that use similar voting systems.
8.8.6. Resolve problems associated with voting technology or manufacturing in a timely
manner by involving Manufacturers, election officials, and the EAC.
8.8.7. Provide feedback to the EAC and the Technical Guidelines Development Committee
(TGDC) regarding issues that may need to be addressed through a revision to the
Voluntary Voting System Guidelines.
8.8.8. Initiate an investigation when information suggests that Decertification is warranted
(see Chapter 7).
59
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
9.
Requests for Interpretations
9.1. Overview. A Request for Interpretation is a means by which a registered Manufacturer or
VSTL may seek clarification on a specific EAC voting system standard (VVSG or VSS). An
Interpretation is a clarification of the voting system standards and guidance on how to properly
evaluate conformance to it. Suggestions or requests for modifications to the standards are
provided by other processes. This chapter outlines the policy, requirements, and procedures for
submitting a Request for Interpretation.
9.2. Policy. Registered Manufacturers or VSTLs may request that the EAC provide a definitive
Interpretation of EAC-accepted voting system standards (VVSG or VSS) when, in the course
of developing or testing a voting system, facts arise that make the meaning of a particular
standard ambiguous or unclear. The EAC may self-initiate such a request when its agents
identify a need for interpretation within the program. An Interpretation issued by the EAC will
serve to clarify what a given standard requires and how to properly evaluate compliance.
Ultimately, an Interpretation does not amend voting system standards, but serves only to clarify
existing standards.
9.3. Requirements for Submitting a Request for Interpretation. An EAC Interpretation is
limited in scope. The purpose of the Interpretation process is to provide Manufacturers or
VSTLs who are in the process of developing or testing a voting system a means for resolving
the meaning of a voting system standard in light of a specific voting system technology without
having to present a finished product to EAC for certification. To submit a Request for
Interpretation, one must (1) be a proper requester, (2) request interpretation of an applicable
voting system standard, (3) present an actual controversy, and (4) seek clarification on a matter
of unsettled ambiguity.
9.3.1. Proper Requestor. A Request for Interpretation may be submitted only by a registered
Manufacturer or a VSTL. Requests for Interpretation will not be accepted from any
other parties.
9.3.2. Applicable Standard. A Request for Interpretation is limited to queries on EAC voting
system standards (i.e., VVSG or VSS). Moreover, a Manufacturer or VSTL may submit
a Request for Interpretation only on a version of EAC voting system standards to which
the EAC currently offers certification.
9.3.3. Existing Factual Controversy. To submit a Request for Interpretation, a Manufacturer
or VSTL must present a question relative to a specific voting system or technology
proposed for use in a voting system. A Request for Interpretation on hypothetical issues
will not be addressed by the EAC. To submit a Request for Interpretation, the need for
clarification must have arisen from the development or testing of a voting system. A
factual controversy exists when an attempt to apply a specific section of the VVSG or
VSS to a specific system or piece of technology creates ambiguity.
60
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
9.3.4. Unsettled, Ambiguous Matter. Requests for Interpretation must involve actual
controversies that have not been previously settled. This requirement mandates that
interpretations contain actual ambiguities not previously clarified.
9.3.4.1. Actual Ambiguity. A proper Request for Interpretation must contain an actual
ambiguity. The interpretation process is not a means for challenging a clear
EAC voting system standard. Recommended changes to voting system
standards are welcome and may be forwarded to the EAC, but they are not
part of this program. An ambiguity arises (in applying a voting system
standard to a specific technology) when one of the following occurs:
9.3.4.1.1. The language of the standard is unclear on its face.
9.3.4.1.2. One section of the standard seems to contradict another, relevant
section.
9.3.4.1.3. The language of the standard, though clear on its face, lacks
sufficient detail or breadth to determine its proper application to a
particular technology.
9.3.4.1.4. The language of a particular standard, when applied to a specific
technology, clearly conflicts with the established purpose or intent
of the standard.
9.3.4.1.5. The language of the standard is clear, but the proper means to
assess compliance is unclear.
9.3.4.2. Not Previously Clarified. The EAC will not accept a Request for
Interpretation when the issue has previously been clarified.
9.4. Procedure for Submitting a Request for Interpretation. A Request for Interpretation shall
be made in writing to the Program Director. All requests should be complete and as detailed as
possible because Interpretations issued by the EAC are based on, and limited to, the facts
presented. Failure to provide complete information may result in an Interpretation that is off
point and ultimately immaterial to the issue at hand. The following steps must be taken when
writing a Request for Interpretation:
9.4.1. Establish Standing To Make the Request. To make a request, one must meet the
requirements identified in Section 9.3 above. Thus, the written request must provide
sufficient information for the Program Director to conclude that the requestor is (1) a
proper requester, (2) requesting an Interpretation of an applicable voting system
standard, (3) presenting an actual factual controversy, and (4) seeking clarification on a
matter of unsettled ambiguity.
9.4.2. Identify the EAC Voting System Standard To Be Clarified. The request must identify
the specific standard or standards to which the requestor seeks clarification. The request
61
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
must state the version of the voting system standards at issue (if applicable) and quote
and correctly cite the applicable standards.
9.4.3. State the Facts Giving Rise to the Ambiguity. The request must provide the facts
associated with the voting system technology that gave rise to the ambiguity in the
identified standard. The requestor must be careful to provide all necessary information
in a clear, concise manner. Any Interpretation issued by the EAC will be based on the
facts provided.
9.4.4.
Identify the Ambiguity. The request must identify the ambiguity it seeks to resolve.
The ambiguity shall be identified by stating a concise question that meets the following
requirements:
9.4.4.1. Shall be clearly stated.
9.4.4.2. Shall be related to and reference the voting system standard and voting system
technology information provided.
9.4.4.3. Shall be limited to a single issue. Each question or issue arising from an
ambiguous standard must be stated separately. Compound questions are
unacceptable. If multiple issues exist, they should be presented as individual,
numbered questions.
9.4.4.4. Shall be stated in a way that can ultimately be answered yes or no.
9.4.5. Provide a Proposed Interpretation. A Request for Interpretation should propose an
answer to the question posed. The answer should interpret the voting system standard in
the context of the facts presented. It should also provide the basis and reasoning behind
the proposal.
9.5. EAC Action on a Request for Interpretation. Upon receipt of a Request for Interpretation,
the EAC shall take the following action:
9.5.1. Review the Request. The Program Director shall review the request to ensure it is
complete, is clear, and meets the requirements of Section 9.3. Upon review, the
Program Director may take the following action:
9.5.1.1. Request Clarification. If the Request for Interpretation is incomplete or
additional information is otherwise required, the Program Director may
request that the Manufacturer or VSTL clarify its Request for Interpretation
and identify any additional information required.
9.5.1.2. Reject the Request for Interpretation. If the Request for Interpretation does not
meet the requirements of Section 9.3, the Program Director may reject it. Such
rejection must be provided in writing to the Manufacturer or VSTL and must
state the basis for the rejection.
62
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
9.5.1.3. Notify Acceptance of the Request. If the Request for Interpretation is
acceptable, the Program Director will notify the Manufacturer or VSTL in
writing and provide it with an estimated date of completion. A Request for
Interpretation may be accepted in whole or in part. A notice of acceptance
shall state the issues accepted for interpretation.
9.5.2. Consideration of the Request. After a Request for Interpretation has been accepted, the
matter shall be investigated and researched. Such action may require the EAC to
employ technical experts. It may also require the EAC to request additional information
from the Manufacturer or VSTL. The Manufacturer or VSTL shall respond promptly to
such requests.
9.5.3. Interpretation. The Decision Authority shall be responsible for making determinations
on a Request for Interpretation. After this determination has been made, a written
Interpretation shall be sent to the Manufacturer or VSTL. The following actions are
necessary to prepare this written Interpretation:
9.5.3.1. State the question or questions investigated.
9.5.3.2. Outline the relevant facts that served as the basis of the Interpretation.
9.5.3.3. Identify the voting system standards interpreted.
9.5.3.4. State the conclusion reached.
9.5.3.5. Inform the Manufacturer or VSTL of the effect of an Interpretation (see
Section 9.6).
9.6. Effect of Interpretation. Interpretations are fact specific and case specific. They are not tools
of policy, but specific, fact-based guidance useful for resolving a particular problem.
Ultimately, an Interpretation is determinative and conclusive only with regard to the case
presented. Nevertheless, Interpretations do have some value as precedent. Interpretations
published by the EAC shall serve as reliable guidance and authority over identical or similar
questions of interpretation. These Interpretations will help users understand and apply the
provisions of EAC voting system standards.
9.7. Library of Interpretations. To better serve Manufacturers, VSTLs, and those interested in the
EAC voting system standards, the Program Director shall publish EAC Interpretations. All
proprietary information contained in an Interpretation will be redacted before publication
consistent with Chapter 10 of this Manual. The library of published opinions is posted on the
EAC Web site: www.eac.gov.
63
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
10. Release of Certification Program Information
10.1. Overview. Manufacturers participating in the Certification Program will be required to provide
the EAC a variety of documents. In general, these documents will be releasable to the public.
Moreover, in many cases, the information provided will be affirmatively published by the
EAC. In limited cases, however, documents may not be released if they include trade secrets,
confidential commercial information, or personal information. While the EAC is ultimately
responsible for determining which documents Federal law protects from release, Manufacturers
must identify the information they believe is protected and ultimately provide substantiation
and a legal basis for withholding. This chapter discusses EAC’s general policy on the release
of information and provides Manufacturers with standards, procedures, and requirements for
identifying documents as trade secrets or confidential commercial information.
10.2. EAC Policy on the Release of Certification Program Information. The EAC seeks to make
its Voting System Testing and Certification Program as transparent as possible. The agency
believes that such action benefits the program by increasing public confidence in the process
and creating a more informed and involved public. As such, it is the policy of the EAC to
make all documents, or severable portions thereof, available to the public consistent with
Federal law (e.g. Freedom of Information Act (FOIA) and the Trade Secrets Act).
10.2.1. Requests for information. As in any Federal program, members of the public may
request access to Certification Program documents under FOIA (5 U.S.C. §552). The
EAC will promptly process such requests per the requirements of that Act.
10.2.2. Publication of documents. Beyond the requirements of FOIA, the EAC intends to
affirmatively publish program documents (or portions of documents) it believes will be
of interest to the public. This publication will be accomplished through the use of the
EAC Web site (www.eac.gov). The published documents will cover the full spectrum
of the program, including information pertaining to:
10.2.2.1. Registered Manufacturers;
10.2.2.2. VSTL test plans;
10.2.2.3. VSTL test reports;
10.2.2.4. Agency decisions;
10.2.2.5. Denials of Certification;
10.2.2.6. Issuance of Certifications;
10.2.2.7. Information on a certified voting system’s operation, components, features or
capabilities;
10.2.2.8. Appeals;
64
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
10.2.2.9. Reports of investigation and Notice of Non-compliance;
10.2.2.10.
Decertification actions;
10.2.2.11.
Manufacturing facility review reports;
10.2.2.12.
Official Interpretations (VVSG or VSS); and
10.2.2.13.
Other topics as determined by the EAC.
10.2.3. Trade Secret and Confidential Commercial Information. Federal law places a number
of restrictions on a Federal agency’s authority to release information to the public. Two
such restrictions are particularly relevant to the Certification program: (1) trade secrets
information and (2) privileged or confidential commercial information. Both types of
information are explicitly prohibited from release by the FOIA and the Trade Secrets
Act (18 U.S.C. §1905).
10.3. Trade Secrets. A trade secret is a secret, commercially valuable plan, process, or device that is
used for the making or processing of a product and that is the end result of either innovation or
substantial effort. It relates to the productive process itself, describing how a product is made.
It does not relate to information describing end product capabilities, features, or performance.
10.3.1. The following examples illustrate productive processes that may be trade secrets:
10.3.1.1. Plans, schematics, and other drawings useful in production.
10.3.1.2. Specifications of materials used in production.
10.3.1.3. Voting system source code used to develop or manufacture software where
release would reveal actual programming.
10.3.1.4. Technical descriptions of manufacturing processes and other secret
information relating directly to the production process.
10.3.2. The following examples are likely not trade secrets:
10.3.2.1. Information pertaining to a finished product’s capabilities or features.
10.3.2.2. Information pertaining to a finished product’s performance.
10.3.2.3. Information regarding product components that would not reveal any
commercially valuable information regarding production.
65
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
10.4. Privileged or Confidential Commercial Information. Privileged or confidential commercial
information is that information submitted by a Manufacturer that is commercial or financial in
nature and privileged or confidential.
10.4.1. Commercial or Financial Information. The terms commercial and financial should be
given their ordinary meanings. They include records in which a submitting
Manufacturer has any commercial interest.
10.4.2. Privileged or Confidential Information. Commercial or financial information is
privileged or confidential if its disclosure would likely cause substantial harm to the
competitive position of the submitter. The concept of harm to one’s competitive
position focuses on harm flowing from a competitor’s affirmative use of the proprietary
information. It does not include incidental harm associated with upset customers or
employees.
10.5. EAC’s Responsibilities. The EAC is ultimately responsible for determining whether or not a
document (in whole or in part) may be released pursuant to Federal law. In doing so, however,
the EAC will require information and input from the Manufacturer submitting the documents.
This requirement is essential for the EAC to identify, track, and make determinations on the
large volume of documentation it receives. The EAC has the following responsibilities:
10.5.1. Managing Documentation and Information. The EAC will control the documentation it
receives by ensuring that documents are secure and released to third parties only after
the appropriate review and determination.
10.5.2. Contacting Manufacturer on Proposed Release of Potentially Protected Documents. In
the event a member of the public submits a FOIA request for documents provided by a
Manufacturer or the EAC otherwise proposes the release of such documents, the EAC
will take the following actions:
10.5.2.1. Review the documents to determine if they are potentially protected from
release as trade secrets or confidential commercial information. The
documents at issue may have been previously identified as protected by the
Manufacturer when submitted (see Section 10.7.1 below) or identified by the
EAC on review.
10.5.2.2. Grant the submitting Manufacturer an opportunity to provide input. In the
event the information has been identified as potentially protected from release
as a trade secret or confidential commercial information, the EAC will notify
the submitter and allow it an opportunity to submit its position on the issue
prior to release of the information. The submitter shall respond consistent with
Section 10.7.1 below.
10.5.3. Final Determination on Release. After providing the submitter of the information an
opportunity to be heard, the EAC will make a final decision on release. The EAC will
inform the submitter of this decision.
66
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
10.6. Manufacturer’s Responsibilities. Although the EAC is ultimately responsible for determining
if a document, or any portion thereof, is protected from release as a trade secret or confidential
commercial information, the Manufacturer shall be responsible for identifying documents, or
portions of documents, it believes warrant such protection. Moreover, the Manufacturer will
be responsible for providing the legal basis and substantiation for its determination regarding
the withholding of a document. This responsibility arises in two situations: (1) upon the initial
submission of information, and (2) upon notification by the EAC that it is considering the
release of potentially protected information.
10.6.1. Initial Submission of Information. When a Manufacturer is submitting documents to the
EAC as required by the Certification Program, it is responsible for identifying any
document or portion of a document that it believes is protected from release by Federal
law. Manufacturers shall identify protected information by taking the following action:
10.6.1.1. Submitting a Notice of Protected Information. This notice shall identify the
document, document page, or portion of a page that the Manufacturer believes
should be protected from release. This identification must be done with
specificity. For each piece of information identified, the Manufacturer must
state the legal basis for its protected status.
10.6.1.1.1. Cite the applicable law that exempts the information from release.
10.6.1.1.2. Clearly discuss why that legal authority applies and why the
document must be protected from release.
10.6.1.1.3. If necessary, provide additional documentation or information. For
example, if the Manufacturer claims a document contains
confidential commercial information, it would also have to provide
evidence and analysis of the competitive harm that would result
upon release.
10.6.1.2. Label Submissions. Label all submissions identified in the notice as
“Proprietary Commercial Information.” Label only those submissions
identified as protected. Attempts to indiscriminately label all materials as
proprietary will render the markings moot.
10.6.2. Notification of Potential Release. In the event a Manufacturer is notified that the EAC
is considering the release of information that may be protected, the Manufacturer shall
take the following action:
10.6.2.1. Respond to the notice within 15 calendar days. If additional time is needed,
the Manufacturer must promptly notify the Program Director. Requests for
additional time will be granted only for good cause and must be made before
the 15-day deadline. Manufacturers that do not respond in a timely manner
will be viewed as not objecting to release.
67
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
10.6.2.2. Clearly state one of the following in the response:
10.6.2.2.1. There is no objection to release, or
10.6.2.2.2. The Manufacturer objects to release. In this case, the response
must clearly state which portions of the document the
Manufacturer believes should be protected from release. The
Manufacturer shall follow the procedures discussed in Section
10.7.1 above.
10.7. Personal Information. Certain personal information is protected from release under FOIA and
the Privacy Act (5 U.S.C. §552a). This information includes private information about a person
that, if released, would cause the individual embarrassment or constitute an unwarranted
invasion of personal privacy. Generally, the EAC will not require the submission of private
information about individuals. The incidental submission of such information should be
avoided. If a Manufacturer believes it is required to submit such information, it should contact
the Program Director. If the information will be submitted, it must be properly identified.
Examples of such information include the following:
10.7.1. Social Security Number.
10.7.2. Bank account numbers.
10.7.3. Home address.
10.7.4. Home phone number.
68
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
Appendix A
Manufacturer Registration Application Form
Available in electronic format at www.eac.gov
69
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
Appendix B
Application for Voting System Testing Form
Available in electronic format at www.eac.gov
70
OMB Control Number 3265-0004
EAC Voting System Testing and Certification Program Manual, Version 1.0
Appendix C
Voting System Anomaly Reporting Form
Available in electronic format at www.eac.gov
71
OMB Control Number 3265-0004
File Type | application/pdf |
Author | BrianHancock |
File Modified | 2006-12-08 |
File Created | 2006-12-08 |