[Federal Register: December 20, 2006 (Volume 71, Number 244)]
[Notices]
[Page 76281-76305]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr20de06-59]
=======================================================================
-----------------------------------------------------------------------
ELECTION ASSISTANCE COMMISSION
Procedural Manual for the Election Assistance Commission's Voting
System Testing and Certification Program
AGENCY: United States Election Assistance Commission (EAC).
ACTION: Notice; publication of Voting System Testing and Certification
Manual.
-----------------------------------------------------------------------
SUMMARY: The U.S. Election Assistance Commission (EAC) is publishing a
procedural manual for its Voting System Testing and Certification
Program. This program sets the administrative procedures for obtaining
an EAC Certification for voting systems. Participation in the program
is strictly voluntary. The program is mandated by the Help America Vote
Act (HAVA) at 42 U.S.C. 15371.
FOR FURTHER INFORMATION CONTACT: Brian Hancock, Director, Voting System
Certification, Washington, DC, (202) 566-3100, Fax: (202) 566-1392.
SUPPLEMENTARY INFORMATION:
Background. HAVA requires that the EAC certify and decertify voting
systems. Section 231(a)(1) of HAVA (42 U.S.C. 15371) specifically
requires the EAC to ``... provide for the testing, certification,
decertification and recertification of voting system hardware and
software by accredited laboratories.'' To meet this obligation, the EAC
has created a voluntary program to test voting systems to Federal
voting system standards. The Voting System Testing and Certification
Manual, published below, will set the procedures for this program.
In creating the Certification Manual the EAC sought input from
experts and stakeholders. Specifically, the EAC conducted meetings with
representatives from the voting system test laboratory and voting
system manufacturing community. The Commission also held a public
hearing in which it received testimony from State election officials,
the National Institute of Standards and Technology, academics,
electronic voting system experts and public interest groups. Finally,
the EAC sought input from the public. A draft version of the EAC Voting
System Testing and Certification Program Manual was published with a
request for public comment on October 2, 2006. (71 FR 57934). The pubic
comment period was open until 5 p.m. e.d.t. on October 31, 2006. While
this publication and public comment period were not required under the
rulemaking, adjudicative or licensing provisions of the Administrative
Procedures Act, all comments received were considered in the drafting
of this final administrative manual.
Discussion of Comments. The EAC received over 400 comments from the
public. The majority of these comments came from voting system test
laboratories, voting system manufacturers, and public interest groups.
The EAC also received a number of comments from State and local
officials and private individuals.
The majority of comments received by the Commission raised concerns
or questioned the meaning or application of various provisions of the
manual. These comments were requests for clarification. Another
significant block of comments were less specific and focused on the
fundamental purpose behind the program or its basic methodology.
Comments in this category included individuals who noted that
electronic voting machines should not be used in Federal elections and
those who disagreed with the program's fundamental structure which
utilizes EAC accredited laboratories to test voting systems through
direct contracting with the system's manufacturer. Finally, there were
a range of specific recommendations on a wide variety of topics.
Examples include: (1) Comments from manufacturers and interest groups
requesting the EAC to provide specific timeframes or response times for
various program elements or activities; (2) recommendations that the
EAC Mark of,
[[Page 76282]]
Certification requirements be abolished or that the mark not be
``permanently'' affixed to voting machines to allow for its removal in
the event of a voting system upgrade or decertification; (3)
recommendations from test laboratories and public interest groups that
the EAC clarify the role of its Voting System Test Labortories,
emphasizing that test plans, test reports and other information
submitted under this program be submitted directly and independently by
the test labs; (4) Comments from test laboratories recommending that
the program provide a means for dealing with de minimis hardware
changes; (5) recommendations from interest groups that the EAC utilize
a third party group of technical advisors for all of its determinations
under the program; (6) recommendations from interest groups urging the
commission to make Certification Program documents available to the
public; and (7) recommendations from State officials that the EAC
contact and work with the Chief State Election Official when reviewing
fielded voting systems, providing emergency modification waivers or
reviewing anomaly reports.
The EAC reviewed and considered each of the comments presented. In
doing so, it also gathered additional information and performed
research regarding the suggestions. The EAC's commitment to public
participation is evident in the final version of the Certification
Manual. The Manual has been enhanced in a number of areas in response
to conscientious public comment. A total of six pages have been added
to the Manual. Throughout the entire Manual the EAC added or amended
language to clarify its procedures consistent with the comments it
received. For example, to further clarify terminology used throughout
the Manual almost a dozen terms were newly defined or ``Significantly
clarified in the definition section of Chapter 1. Additionally, the EAC
made changes to clarify the independent role of Voting System Test Labs
in the program, require the EAC to publish its average response
timeframes, and increase its coordination on State Election Officials.
Examples of larger changes made in the document include an added
section to Chapter 3 of the Manual, providing procedures for de minimis
changes. This was put in place to deal with the numerous engineering
change orders the Commission expects will be submitted to test
laboratories under the program. Similarly, the EAC re-titled and re-
wrote a major portion of Chapter 10 of the Mannal (Release of
Certification Program Information) to more clearly and affirmatively
state EAC's policy on the release of Certification Program information.
Thomas R. Wilkey,
Executive Director, U.S. Election Assistance Commission.
BILLING CODE 6820-KF-M
[[Page 76283]]
[GRAPHIC] [TIFF OMITTED] TN20DE06.000
BILLING CODE 6820-KF-C
[[Page 76284]]
The reporting requirements in this manual have been approved under
the Paperwork Reduction Act of 1995, Office of Management and Budget
Control (OMB) Number 3265-0004, expiring March 31, 2007. Persons are
not required to respond to this collection of information unless it
displays a currently valid OMB number. Information gathered pursuant to
this document and its forms will be used solely to administer the EAC
Testing and Certification Program. This program is voluntary.
Individuals who wish to participate in the program, however, must meet
its requirements. The estimated total annual hourly burden on the
voting system manufacturing industry and election officials is 114
hours. This estimate includes the time required for reviewing the
instructions, gathering information, and completing the prescribed
forms. Send comments regarding this burden estimate or any other aspect
of this collection, including suggestions for reducing this burden, to
the U.S. Election Assistance Commission, Voting System Testing and
Certification Program, Office of the Program Director, 1225 New York
Avenue, NW., Suite 1100, Washington, DC 20005.
Table of Contents
1. Introduction
2. Manufacturer Registration
3. When Voting Systems Must Be Submitted for Testing and
Certification
4. Certification Testing and Technical Review
5. Grant of Certification
6. Denial of Certification
7. Decertification
8. Quality Monitoring Program
9. Requests for Interpretations
10. Release of Certification Program Information
Appendix A. Manufacturer Registration Application Form
Appendix B. Application for Voting System Testing Form
Appendix C. Voting System Anomaly Reporting Form
Introduction
1.1. Background. The Federal Election Commission (FEC) adopted
the first formal set of voluntary Federal standards for computer-
based voting systems in January 1990. At that time, no national
program or organization existed to test and certify such systems to
the standards. The National Association of State Election Directors
(NASED) stepped up to fill this void in 1994. NASED is an
independent, nongovernmental organization of State election
officials. The organization formed the Nation's first national
program to test and qualify voting systems to the new Federal
standards. The organization worked for more than a decade, on a
strictly voluntary basis, to help ensure the reliability,
consistency, and accuracy of voting systems fielded in the United
States. In late 2002, Congress passed the Help America Vote Act of
2002 (HAVA). HAVA created the U.S. Election Assistance Commission
(EAC) and assigned to the EAC the responsibility for both setting
voting system standards and providing for the testing and
certification of voting systems. This mandate represented the first
time the Federal government provided for the voluntary testing,
certification, and decertification of voting systems nationwide. In
response to this HAVA requirement, the EAC has developed the Voting
System Testing and Certification Program (Certification Program).
1.2. Authority. HAVA requires that the EAC certify and decertify
voting systems. Section 231(a)(1) of HAVA specifically requires the
EAC to ``* * * provide for the testing, certification,
decertification and recertification of voting system hardware and
software by accredited laboratories.'' The EAC has the sole
authority to grant certification or withdraw certification at the
Federal level, including the authority to grant, maintain, extend,
suspend, and withdraw the right to retain or use any certificates,
marks, or other indicators of certification.
1.3. Scope. This Manual provides the procedural requirements of
the EAC Voting System Testing and Certification Program. Although
participation in the program is voluntary, adherence to the
program's procedural requirements is mandatory for participants. The
procedural requirements of this Manual supersede any prior voting
system certification requirements issued by the EAC.
1.4. Purpose. The primary purpose of the EAC Certification
Program Manual is to provide clear procedures to Manufacturers for
the testing and certification of voting systems to specified Federal
standards consistent with the requirements of HAVA Section
231(a)(1). The program, however, also serves to do the following:
1.4.1. Support State certification programs.
1.4.2. Support local election officials in the areas of
acceptance testing and pre-election system verification.
1.4.3. Increase quality control in voting system manufacturing.
1.4.4. Increase voter confidence in the use of voting systems.
1.5. Manual. This Manual is a comprehensive presentation of the
EAC Voting System Testing and Certification Program. It is intended
to establish all of the program's administrative requirements.
1.5.1. Contents. The contents of the Manual serve as an overview
of the program itself. The Manual contains the following chapters:
1.5.1.1. Manufacturer Registration. Under the program, a
Manufacturer is required to register with the EAC prior to
participation. This registration provides the EAC with needed
information and requires the Manufacturer to agree to the
requirements of the Certification Program. This chapter sets out the
requirements and procedures for registration.
1.5.1.2. When Voting Systems Must Be Submitted for Testing and
Certification. All voting systems must be submitted consistent with
this Manual before they may receive a certification from the EAC.
This chapter discusses the various circumstances that require
submission to obtain or maintain a certification.
1.5.1.3. Certification Testing and Review. Under this program,
the testing and review process requires the completion of an
application, employment of an EAC-accredited laboratory for system
testing, and technical analysis of the laboratory test report by the
EAC. The result of this process is an Initial Decision on
Certification. This chapter discusses the required steps for voting
system testing and review.
1.5.1.4. Grant of Certification. If an Initial Decision to grant
certification is made, the Manufacturer must take additional steps
before the Manufacturer may be issued a certification. These steps
require the Manufacturer to document the performance of a trusted
build (see definition at Section 1.16), the deposit of software into
a repository, and the creation of system identification tools. This
chapter outlines the action that a Manufacturer must take to receive
a certification and the Manufacturer's post-certification
responsibilities.
1.5.1.5. Denial of Certification. If an Initial Decision to deny
certification is made, the Manufacturer has certain rights and
responsibilities under the program. This chapter contains procedures
for requesting reconsideration, opportunity to cure defects, and
appeal.
1.5.1.6. Decertification. Decertification is the process by
which the EAC revokes a certification it previously granted to a
voting system. It is an important part of the Certification Program
because it serves to ensure that the requirements of the program are
followed and that certified voting systems fielded for use in
Federal elections maintain the same level of quality as those
presented for testing. This chapter sets procedures for
Decertification and explains the Manufacturer's rights and
responsibilities during that process.
1.5.1.7. Quality Monitoring Program. Under the Certification
Program, EAC will implement a quality monitoring process that will
help ensure that voting systems certified by the EAC are the same
systems sold by Manufacturers. The quality monitoring process is a
mandatory part of the program and includes elements such as fielded
voting system review, anomaly reporting, and manufacturing site
visits. This chapter sets forth the requirements of the Quality
Monitoring Program.
1.5.1.8. Requests for Interpretations. An Interpretation is a
means by which a registered Manufacturer or Voting System Test
Laboratory (VSTL) may seek. clarification on a specific Voluntary
Voting System Guidelines (VVSG) standard. This chapter outlines the
policy, requirements, and procedures for requesting an
Interpretation.
1.5.1.9. Release of Certification Program Information. Federal
law protects certain types of information individuals provided the
government from release. This chapter outlines the program's
policies, sets procedures, and discusses responsibilities associated
with the public release of potential protected commercial
information.
1.5.2. Maintenance and Revision. This Manual, which sets the
procedural
[[Page 76285]]
requirements for a new Federal program, is expected to be improved
and expanded as experience and circumstances dictate. The Manual
will be reviewed periodically and updated to meet the needs of the
EAC, Manufacturers, VSTLs, election officials, and public policy.
The EAC is responsible for revising this document. All revisions
will be made consistent with Federal law. Substantive input from
stakeholders and the public will be sought whenever possible, at the
discretion of the agency. Changes in policy requiring immediate
implementation will be noticed via policy memoranda and will be
issued to each registered Manufacturer. Changes, addendums, or
updated versions will also be posted to the EAC Web site at http://www.eac.gov
.
1.6. Program Methodology. EAC's Voting System Testing and
Certification Program is but one part of the overall conformity
assessment process that includes companion efforts at the State and
local levels.
1.6.1. Federal and State Roles. The process to ensure that
voting equipment meets the technical requirements is a distributed,
cooperative effort of Federal, State, and local officials in the
United States. Working with voting equipment Manufacturers, these
officials each have unique responsibility for ensuring that the
equipment a voter uses on Election Day meets specific requirements.
1.6.1.1. The EAC Program has primary responsibility for ensuring
that voting systems submitted under this program meet Federal
standards established for voting systems.
1.6.1.2. State officials have responsibility for testing voting
systems to ensure that they will support the specific requirements
of each individual State. States may use EAC VSTLs to perform
testing of voting systems to unique State requirements while the
systems are being tested to Federal standards. The EAC will not,
however, certify voting systems to State requirements.
1.6.1.3. State or local officials are responsible for making the
final purchase choice. They are responsible for deciding which
system offers the best fit and total value for their specific State
or local jurisdiction.
1.6.1.4. State or local officials are also responsible for
acceptance testing to ensure that the equipment delivered is
identical to the equipment certified on the Federal and State
levels, is fully operational, and meets the contractual requirements
of the purchase.
1.6.1.5. State or local officials should perform pre-election
logic and accuracy testing to confirm that equipment is operating
properly and is unmodified from its certified state.
1.6.2. Conformity Assessment Generally. Conformity assessment is
a system established to ensure that a product or service meets the
requirements that apply to it. Many conformity assessment systems
exist to protect the quality and ensure compliance with requirements
of products and services. All conformity assessment systems attempt
to answer a variety of questions:
1.6.2.1. What specifications are required of an acceptable
system? For voting systems, the EAC voting system standards (VVSG
and Voting System Standards [VSS]) address this issue. States and
local jurisdictions also have supplementing standards.
1.6.2.2. How are systems tested against required specifications?
The EAC Voting System Testing and Certification Program is a central
element of the larger conformity assessment system. The program, as
set forth in this Manual, provides for the testing and certification
of voting systems to identified versions of the VVSG. The Testing
and Certification Program's purpose is to ensure that State and
local jurisdictions receive voting systems that meet the
requirements of the VVSG.
1.6.2.3. Are the testing authorities qualified to make an
accurate evaluation? The EAC accredits VSTLs, after the National
Institute of Standards and Technology (NIST) National Voluntary Lab
Accreditation Program (NVLAP) has reviewed their technical
competence and lab practices, to ensure these test authorities are
fully qualified. Furthermore, EAC technical experts review all test
reports from accredited laboratories to ensure an accurate and
complete evaluation. Many States provide similar reviews of
laboratory reports.
1.6.2.4. Will Manufacturers deliver units within manufacturing
tolerances to those tested? The VVSG and this Manual require that
vendors have appropriate change management and quality control
processes to control the quality and configuration of their
products. The Certification Program provides mechanisms for the EAC
to verify Manufacturer quality processes through field system
testing and manufacturing site visits. States have implemented
policies for acceptance of delivered units.
1.7. Program Personnel. All EAC personnel and contractors
associated with this program will be held to the highest ethical
standards. All agents of the EAC involved in the Certification
Program will be subject to conflict-of-interest reporting and
review, consistent with Federal law and regulation.
1.8. Program Records. The EAC Program Director is responsible
for maintaining accurate records to demonstrate that the testing and
certification program procedures have been effectively fulfilled and
to ensure the traceability, repeatability, and reproducibility of
testing and test report review. All records will be maintained,
managed, secured, stored, archived, and disposed of in accordance
with Federal law, Federal regulations, and procedures of the EAC.
1.9. Submission of Documents. Any documents submitted pursuant
to the requirements of this Manual shall be submitted:
1.9.1. If sent electronically, via secure e-mail or physical
delivery of a compact disk, unless otherwise specified.
1.9.2. In a Microsoft Word or Adobe PDF file, formatted to
protect the document from alteration.
1.9.3. With a proper signature when required by this Manual.
Documents that require an authorized signature may be signed with an
electronic representation or image of the signature of an authorized
management representative and must meet any and all subsequent
requirements established by the Program Director regarding security.
1.9.4. If sent via physical delivery, by Certified Mail\TM\ (or
similar means that allows tracking) to the following address:
Testing and Certification Program Director, U.S. Election Assistance
Commission, 1225 New York Avenue, NW., Suite 1100, Washington, DC
20005.
1.10. Receipt of Documents--Manufacturer. For purposes of this
Manual, a document, notice, or other communication is considered
received by a Manufacturer upon one of the following:
1.10.1. The actual, documented date the correspondence was
received (either electronically or physically) at the Manufacturer's
place of business, or
1.10.2. If no documentation of the actual delivery date exists,
the date of constructive receipt of the communication. For
electronic correspondence, documents will be constructively received
the day after the date sent. For mail correspondence, the document
will be constructively received 3 days after the date sent.
1.10.3. The term ``receipt'' shall mean the date a document or
correspondence arrives (either electronically or physically) at the
Manufacturer's place of business. Arrival does not require that an
agent of the Manufacturer open, read, or review the correspondence.
1.11. Receipt of Documents--EAC. For purposes of this Manual, a
document, notice, or other communication is considered received by
the EAC upon its physical or electronic arrival at the agency. All
documents received by the agency will be physically or
electronically date stamped. This stamp shall serve as the date of
receipt. Documents received after the regular business day (5 p.m.
Eastern Standard Time), will be treated as if received on the next
business day.
1.12. EAC Response Timeframes. In recognition of the
responsibilities and challenges facing Manufacturers as they work to
meet the requirements imposed by this program, State certification
programs, customers, State law and production schedules, the EAC
will provide timeframes for its response to significant program
elements. This shall be done by providing current metrics on EAC's
Web site regarding the actual average EAC response time for (1)
approving Test Plans, (2) issuing Initial Decisions, and (3) issuing
Certificates of Conformance.
1.13. Records Retention--Manufacturers. The Manufacturer is
responsible for ensuring that all documents submitted to the EAC or
that otherwise serve as the basis for the certification of a voting
system are retained. A copy of all such records shall be retained as
long as a voting system is offered for sale or supported by a
Manufacturer and for 5 years thereafter.
1.14. Record Retention--EAC. The EAC shall retain all records
associated with the certification of a voting system as long as such
system is fielded in a State or local election jurisdiction for use
in Federal elections. The records shall otherwise be retained or
disposed of consistent with Federal statutes and regulations.
1.15. Publication and Release of Documents. The EAC will release
documents
[[Page 76286]]
consistent with the requirements of Federal law. It is EAC policy to
make the certification process as open and public as possible. Any
documents (or portions thereof) submitted under this program will be
made available to the public unless specifically protected from
release by law. The primary means for making this information
available is through the EAC Web site.
1.16. Definitions. For purposes of this Manual, the terms listed
below have the following definitions.
Appeal. A formal process by which the EAC is petitioned to
reconsider an Agency Decision.
Appeal Authority. The individual or individuals appointed to
serve as the determination authority on appeal.
Build Environment. The disk or other media that holds the source
code, compiler, linker, integrated development environments (IDE),
and/or other necessary files for the compilation and on which the
compiler will store the resulting executable code.
Certificate of Conformance. The certificate issued by the EAC
when a system has been found to meet the requirements of the VVSG.
The document conveys certification of a system.
Commission. The U.S. Election Assistance Commission, as an
agency.
Commissioners. The serving commissioners of the U.S. Election
Assistance Commission.
Component. A discrete and identifiable element of hardware or
software within a larger voting system.
Compiler. A computer program that translates programs expressed
in a high-level language into machine language equivalents.
Days. Calendar days, unless otherwise noted. When counting days,
for the purpose of submitting or receiving a document, the count
shall begin on the first full calendar day after the date the
document was received.
Disk Image. An exact copy of the entire contents of a computer
disk.
Election Official. A State or local government employee who has
as one of his or her primary duties the management or administration
of a Federal election.
Federal Election. Any primary, general, runoff, or special
Election in which a candidate for Federal office (President,
Senator, or Representative) appears on the ballot.
Fielded Voting System. A voting system purchased or leased by a
State or local government that is being used in a Federal election.
File Signature. A signature of a file or set of files produced
using a HASH algorithm. A file signature, sometimes called a HASH
value, creates a value that is computationally infeasible of being
produced by two similar but different files. File signatures are
used to verify that files are unmodified from their original
versions.
HASH Algorithm. An algorithm that maps a bit string of arbitrary
length to a shorter, fixed-length bit string. (A HASH uniquely
identifies a file similar to the way a fingerprint identifies an
individual. Likewise, as an individual cannot be recreated from his
or her fingerprint, a file cannot be recreated from a HASH. The HASH
algorithm used primarily in the NIST (National Software Reference
Library), and this program is the Secure HASH Algorithm (SHA-1)
specified in Federal Information Processing Standard (FIPS) 180-1.)
Installation Device. A device containing program files,
software, and installation instructions for installing an
application (program) onto a computer. Examples of such devices
include installation disks, flash memory cards, and PCMCIA cards.
Integration Testing. The end-to-end testing of a full system
configured for use in an election to assure that all legitimate
configurations meet applicable standards.
Linker. A computer program that takes one or more objects
generated by compilers and assembles them into a single executable
program.
Manufacturer. The entity with ownership and control over a
voting system submitted for certification.
Mark of Conformance. A uniform notice permanently posted on a
voting system that signifies that it has been certified by the EAC.
Memorandum for the Record. A written statement drafted to
document an event or finding, without a specific addressee other
than the pertinent file.
Proprietary Information. Commercial information or trade secrets
protected from release under the Freedom of Information Act (FOIA)
and the Trade Secrets Act.
System Identification Tools. Tools created by a Manufacturer of
voting systems that allow elections officials to verify that the
hardware and software of systems purchased are identical to the
systems certified by the EAC.
Technical Reviewers. Technical experts in the areas of voting
system technology and conformity assessment appointed by the EAC to
provide expert guidance.
Testing and Certification Decision Authority. The EAC Executive
Director or Acting Executive Director.
Testing and Certification Program Director. The individual
appointed by the EAC Executive Director to administer and manage the
Testing and Certification Program.
Trusted Build. A witnessed software build where source code is
converted to machine-readable binary instructions (executable code)
in a manner providing security measures that help ensure that the
executable code is a verifiable and faithful representation of the
source code.
Voting System. The total combination of mechanical,
electromechanical, and electronic equipment (including the software,
firmware, and documentation required to program, control, and
support the equipment) that is used to define ballots, cast and
count votes, report or display election results, connect the voting
system to the voter registration system, and maintain and produce
any audit trail information.
Voting System Standards. Voluntary voting system standards
developed by the FEC. Voting System Standards have been published
twice: once in 1990 and again in 2002. The Help America Vote Act
made the 2002 Voting System Standards EAC guidance. All new voting
system standards are issued by the EAC as Voluntary Voting System
Guidelines.
Voting System Test Laboratories. Laboratories accredited by the
EAC to test voting systems to EAC approved voting system standards.
Each Voting System Test Laboratory (VSTL) must be accredited by the
National Voluntary Laboratory Accreditation Program (NVLAP) and
recommended by the National Institute of Standards Technology (NIST)
before it may receive an EAC accreditation. NVLAP provides third
party accreditation to testing and calibration laboratories. NVLAP
is in full conformance with the standards of the International
Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC), including ISO/IEC Guide 17025 and
17011.
Voluntary Voting System Guidelines. Voluntary voting system
standards developed, adopted, and published by the EAC. The
guidelines are identified by version number and date.
1.17. Acronyms and Abbreviations. For purposes of this Manual,
the acronyms and abbreviations listed below represent the following
terms.
Certification Program. The EAC Voting System Testing and
Certification Program
Decision Authority. Testing and Certification Decision Authority
EAC. United States Election Assistance Commission
FEC. Federal Election Commission
HAVA. Help America Vote Act of 2002 (42 U.S.C. 15301 et seq.)
Labs or Laboratories. Voting System Test Laboratories
NASED. National Association of State Election Directors
NIST. National Institute of Standards and Technology
NVLAP. National Voluntary Laboratory Accreditation Program
Program Director. Director of the EAC Testing and Certification
Program
VSS. Voting System Standards
VSTL. Voting System Test Laboratory
VVSG. Voluntary Voting System Guidelines
2. Manufacturer Registration
2.1. Overview. Manufacturer Registration is the process by which
voting system Manufacturers make initial contact with the EAC and
provide information essential to participate in the EAC Voting
System Testing and Certification Program. Before a Manufacturer of a
voting system can submit an application to have a voting system
certified by the EAC, the Manufacturer must be registered. This
process requires the Manufacturer to provide certain contact
information and agree to certain requirements of the Certification
Program. After successfully registering, the Manufacturer will
receive an identification code.
2.2. Registration Required. To submit a voting system for
certification or otherwise participate in the EAC voluntary Voting
System Testing and Certification Program, a Manufacturer must
register with the EAC. Registration does not constitute an EAC
endorsement of the Manufacturer or its products. Registration of a
Manufacturer is not a certification of that Manufacturer's products.
[[Page 76287]]
2.3. Registration Requirements. The registration process will
require the voting system Manufacturer to provide certain
information to the EAC. This information is necessary to enable the
EAC to administer the Certification Program and communicate
effectively with the Manufacturer. The registration process also
requires the Manufacturer to agree to certain Certification Program
requirements. These requirements relate to the Manufacturer's duties
and responsibilities under the program. For this program to succeed,
it is vital that a Manufacturer know and assent to these duties at
the outset of the program.
2.3.1. Information. Manufacturers are required to provide the
following information.
2.3.1.1. The Manufacturer's organizational information:
2.3.1.1.1. The official name of the Manufacturer.
2.3.1.1.2. The address of the Manufacturer's official place of
business.
2.3.1.1.3. A description of how the Manufacturer is organized
(i.e., type of corporation or partnership).
2.3.1.1.4. Names of officers and/or members of the board of
directors.
2.3.1.1.5. Names of all partners and members (if organized as a
partnership or limited liability corporation).
2.3.1.1.6. Identification of any individual, organization, or
entity with a controlling ownership interest in the Manufacturer.
2.3.1.2. The identity of an individual authorized to represent
and make binding commitments and management determinations for the
Manufacturer (management representative). The following information
is required for the management representative:
2.3.1.2.1. Name and title.
2.3.1.2.2. Mailing and physical addresses.
2.3.1.2.3. Telephone number, fax number, and e-mail address.
2.3.1.3. The identity of an individual authorized to provide
technical information on behalf of the Manufacturer (technical
representative). The following information is required for the
technical representative:
2.3.1.3.1. Name and title.
2.3.1.3.2. Mailing and physical addresses.
2.3.1.3.3. Telephone number, fax number, and e-mail address.
2.3.1.4. The Manufacturer's written policies regarding its
quality assurance system. This policy must be consistent with
guidance provided in the VVSG and this Manual.
2.3.1.5. The Manufacturer's written polices regarding internal
procedures for controlling and managing changes to and versions of
its voting systems. Such polices shall be consistent with this
Manual and guidance provided in the VVSG.
2.3.1.6. The Manufacturer's written polices on document
retention. Such policies must be consistent with the requirements of
this Manual.
2.3.1.7. A list of all manufacturing and/or assembly facilities
used by the Manufacturer and the name and contact information of a
person at each facility. The following information is required for a
person at each facility:
2.3.1.7.1. Name and title.
2.3.1.7.2. Mailing and physical addresses.
2.3.1.7.3. Telephone number, fax number, and e-mail address.
2.3.2. Agreements. Manufacturers are required to take or abstain
from certain actions to protect the integrity of the Certification
Program and promote quality assurance. Manufacturers are required to
agree to the following program requirements:
2.3.2.1. Represent a voting system as certified only when it is
authorized by the EAC and is consistent with the procedures and
requirements of this Manual.
2.3.2.2. Produce and affix an EAC certification label to all
production units of the certified system. Such labels must meet the
requirements set forth in Chapter 5 of this Manual.
2.3.2.3. Notify the EAC of changes to any system previously
certified by the EAC pursuant to the requirements of this Manual
(see Chapter 3). Such systems shall be submitted for testing and
additional certification when required.
2.3.2.4. Permit an EAC representative to verify the
Manufacturer's quality control procedures by cooperating with EAC
efforts to test and review fielded voting systems consistent with
Section 8.6 of this Manual.
2.3.2.5. Permit an EAC representative to verify the
Manufacturer's quality control procedures by conducting periodic
inspections of manufacturing facilities consistent with Chapter 8 of
this Manual.
2.3.2.6. Cooperate with any EAC inquiries and investigations
into a certified system's compliance with VVSG standards or the
procedural requirements of this Manual consistent with Chapter 7.
2.3.2.7. Report to the Program Director any known malfunction of
a voting system holding an EAC Certification. A malfunction is a
failure of a voting system, not caused solely by operator or
administrative error, which causes the system to cease operation
during a Federal election or otherwise results in data loss.
Malfunction notifications should be consolidated into one report.
This report should identify the location, nature, date, impact, and
resolution (if any) of the malfunction and be filed within 60 days
of any Federal election.
2.3.2.8. Certify that the entity is not barred or otherwise
prohibited by statute, regulation, or ruling from doing business in
the United States.
2.3.2.9. Adhere to all procedural requirements of this Manual.
2.4. Registration Process. Generally, registration is
accomplished through use of an EAC registration form. After the EAC
has received a registration form and other required registration
documents, the agency reviews the information for completeness
before approval.
2.4.1. Application Process. To become a registered voting system
Manufacturer, one must apply by submitting a Manufacturer
Registration Application Form (Appendix A). This form will be used
as the means for the Manufacturer to provide the information and
agree to the responsibilities required in Section 2.3, above.
2.4.1.1. Application Form. In order for the EAC to accept and
process the registration form, the applicant must adhere to the
following requirements:
2.4.1.1.1. All fields must be completed by the Manufacturer.
2.4.1.1.2. All required attachments prescribed by the form and
this Manual must be identified, completed, and forwarded in a timely
manner to the EAC (e.g., Manufacturer's quality control and system
change policies ).
2.4.1.1.3. The application form must be affixed with the
handwritten signature (including a digital representation of the
handwritten signature) of the authorized representative of the
vendor.
2.4.1.2. Availability and Use of the Form. The Manufacturer
Registration Application Form may be accessed through the EAC Web
site at http://www.eac.gov. Instructions for completing and
submitting the form are included on the Web site. The Web site will
also provide contact information regarding questions about the form
or the application process.
2.4.2. EAC Review Process. The EAC will review all registration
applications.
2.4.2.1. After the application form and required attachments
have been submitted, the applicant will receive an acknowledgment
that the EAC has received the submission and that the application
will be processed.
2.4.2.2. If an incomplete form is submitted or an attachment is
not provided, the EAC will notify the Manufacturer and request the
information. Registration applications will not be processed until
they are complete.
2.4.2.3. Upon receipt of the completed registration form and
accompanying documentation, the EAC will review the information for
sufficiency. If the EAC requires clarification or additional
information, the EAC will contact the Manufacturer and request the
needed information.
2.4.2.4. Upon satisfactory completion of a registration
application's sufficiency review, the EAC will notify the
Manufacturer that it has been registered.
2.5. Registered Manufacturers. After a Manufacturer has received
notice that it is registered, it will receive an identification code
and will be eligible to participate in the voluntary voting system
Certification Program.
2.5.1. Manufacturer Code. Registered Manufacturers will be
issued a unique, three-letter identification code. This code will be
used to identify the Manufacturer and its products.
2.5.2. Continuing Responsibility To Report. Registered
Manufacturers are required to keep all registration information up
to date. Manufacturers must submit a revised application form to the
EAC within 30 days of any changes to the information required on the
application form. Manufacturers will remain registered participants
in the program during this update process.
2.5.3. Program Information Updates. Registered Manufacturers
will be automatically provided timely information relevant to the
Certification Program.
2.5.4. Web site Postings. The EAC will add the Manufacturer to
the EAC listing of registered voting system Manufacturers publicly
available at http://www.eac.gov.
[[Page 76288]]
2.6. Suspension of Registration. Manufacturers are required to
establish policies and operate within the EAC Certification Program
consistent with the procedural requirements presented in this
Manual. When Manufacturers engage in management activities that are
inconsistent with this Manual or fail to cooperate with the EAC in
violation the Certification Program's requirements, their
registration may be suspended until such time as the problem is
remedied.
2.6.1. Procedures. When a Manufacturer's activities violate the
procedural requirements of this Manual, the Manufacturer will be
notified of the violations, given an opportunity to respond, and
provided the steps required to bring itself into compliance.
2.6.1.1. Notice. Manufacturers shall be provided written notice
that they have taken action inconsistent with or acted in violation
of the requirements of this Manual. The notice will state the
violations and the specific steps required to cure them. The notice
will also provide Manufacturers with 30 days (or a greater period of
time as stated by the Program Director) to (1) respond to the notice
and/or (2) cure the defect.
2.6.1.2. Manufacturer Action. The Manufacturer is required to
either respond in a timely manner to the notice (demonstrating that
it was not in violation of program requirements) or cure the
violations identified in a timely manner. In any case, the
Manufacturer's action must be approved by the Program Director to
prevent suspension.
2.6.1.3. Non-Compliance. If the Manufacturer fails to respond in
a timely manner, is unable to provide a cure or response that is
acceptable to the Program Director, or otherwise refuses to
cooperate, the Program Director may suspend the Manufacturer's
registration. The Program Director shall issue a notice of his or
her intent to suspend the registration and provide the Manufacturer
five (5) business days to object to the action and submit
information in support of the objection.
2.6.1.4. Suspension. After notice and opportunity to be heard
(consistent with the above), the Program Director may suspend a
Manufacturer's registration. The suspension shall be noticed in
writing. The notice must inform the Manufacturer of the steps that
can be taken to remedy the violations and lift the suspension.
2.6.2. Effect of Suspension. A suspended Manufacturer may not
submit a voting system for certification under this program. This
prohibition includes a ban on the submission of modifications and
changes to certified system. A suspension shall remain in effect
until lifted. Suspended Manufacturers will have their registration
status reflected on the EAC Web site. Manufacturers have the right
to remedy a non-compliance issue at any time and lift a suspension
consistent with EAC guidance. Failure of a Manufacturer to follow
the requirements of this section may also result in Decertification
of voting systems consistent with Chapter 7 of this Manual.
3. When Voting Systems Must Be Submitted for Testing and Certification
3.1. Overview. An EAC certification signifies that a voting
system has been successfully tested to identified voting system
standards adopted by the EAC. Only the EAC can issue a Federal
certification. Ultimately, systems must be submitted for testing and
certification under this program to receive this certification.
Systems will usually be submitted when (1) they are new to the
marketplace, (2) they have never before received an EAC
certification, (3) they are modified, or (4) the Manufacturer wishes
to test a previously certified system to a different (newer)
standard. This chapter also discusses the submission of de minimis
changes, which may not require additional testing and certification,
as well as provisional, pre-election emergency modifications, which
provide for pre-election, emergency waivers.
3.2. What Is an EAC Certification? Certification is the process
by which the EAC, through testing and evaluation conducted by an
accredited Voting System Test Laboratory, validates that a voting
system meets the requirements set forth in existing voting system
testing standards (Voting System Standards [VSS] or VVSG), and
performs according to the Manufacturers specifications for the
system. An EAC certification may be issued only by the EAC in
accordance with the procedures presented in this Manual.
Certifications issued by other bodies (e.g., the National
Association of State Election Directors and State certification
programs) are not EAC certifications.
3.2.1. Type of Voting Systems Certified. The EAC Certification
Program is designed to test and certify electromechanical and
electronic voting systems. The EAC will not accept for certification
review voting systems that do not contain any electronic components.
Ultimately, the determination of whether a voting system may be
submitted for testing and certification under this program is solely
at the discretion of the EAC.
3.2.2. Voting System Standards. Voting systems certified under
this program are tested to a set of voluntary standards providing
requirements that voting systems must meet to receive a Federal
certification. Currently, these standards are referred to as
Voluntary Voting System Guidelines (in the past they were called
Voting System Standards).
3.2.2.1. Versions--Availability and Identification. Voluntary
Voting System Guidelines (or applicable Voting System Standards) are
published by the EAC and are available on the EAC Web site (http://www.eac.gov
). The standards will be routinely updated. Versions will
be identified by version number and/or release date.
3.2.2.2. Versions--Basis for Certification. The EAC will
promulgate which version or versions of the standards it will accept
as the basis for testing and certification.
This effort may be accomplished through the setting of an
implementation date for a particular version's applicability, the
setting of a date by which testing to a particular version is
mandatory, or the setting of a date by which the EAC will no longer
test to a particular standard. The EAC will certify only those
voting systems tested to standards that the EAC has identified as
valid for certification.
3.2.2.2.1. End date. When a version's status as the basis of an
EAC certification is set to expire on a certain date, the submission
of the system's test report will be the controlling event (see
Chapter 4). This requirement means the system's test report must be
received by the EAC on or before the end date to be certified to the
terminating standard.
3.2.2.2.2. Start date. When a version's status as the basis of
an EAC certification is set to begin on a certain date, the
submission of the system's application for certification will be the
controlling event (see Chapter 4). This requirement means the
system's application, requesting certification to the new standard,
will not be accepted by the EAC until the start date.
3.2.2.3. Version--Manufacturer's Option. When the EAC has
authorized certification to more than one version of the standards,
the Manufacturer must choose which version it wishes to have its
voting system tested against. The voting system will then be
certified to that version of the standards. Manufacturers must
ensure that all applications for certification identify a particular
version of the standards.
3.2.2.4. Emerging Technologies. If a voting system or component
thereof is eligible for a certification under this program (see
Section 3.2.1.) and employs technology that is not addressed by a
currently accepted version of the VVSG or VSS, the relevant
technology shall be subjected to full integration testing and shall
be tested to ensure that it operates to the Manufacturer's
specifications. The remainder of the system will be tested to the
applicable Federal standards. Information on emerging technologies
will be forwarded to the EAC's Technical Guidelines Development
Committee (TGDC).
3.2.3. Significance of an EAC Certification. An EAC
certification is an official recognition that a voting system (in a
specific configuration or configurations) has been tested to and has
met an identified set of Federal voting standards. An EAC
certification is not any of the following:
3.2.3.1. An endorsement of a Manufacturer, voting system, or any
of the system's components.
3.2.3.2. A Federal warranty of the voting system or any of its
components.
3.2.3.3. A determination that a voting system, when fielded,
will be operated in a manner that meets all HAVA requirements.
3.2.3.4. A substitute for State or local certification and
testing.
3.2.3.5. A determination that the system is ready for use in an
election.
3.2.3.6. A determination that any particular component of a
certified system is itself certified for use outside the certified
configuration.
3.3. Effect of the EAC Certification Program on Other National
Certifications. Before the creation of the EAC Certification
Program, national voting system qualification was conducted by a
private membership organization, the National Association of
[[Page 76289]]
State Election Directors (NASED). NASED offered a qualification for
voting systems for more than a decade, using standards issued by the
Federal government. The EAC Certification Program does not repeal
NASED-issued qualifications. All voting systems previously qualified
under the NASED program retain their NASED qualification consistent
with State law; however, a NASED-qualified voting system is not an
EAC-certified system and is treated like an uncertified system for
purposes of the EAC Certification Program.
3.4. When Certification Is Required Under the Program. To obtain
or maintain an EAC certification, Manufacturers must submit a voting
system for testing and certification under this program. Such action
is usually required for (1) new systems not previously tested to any
standard; (2) existing systems not previously certified by the EAC;
(3) previously certified systems that have been modified; (4)
systems or technology specifically identified for retesting by the
EAC; or (5) previously certified systems that the Manufacturer seeks
to upgrade to a higher standard (e.g., a more recent version of the
VVSG).
3.4.1. New System Certification. For purposes of this Manual,
new systems are defined as voting systems that have not been
previously tested to applicable Federal standards. New voting
systems must be fully tested and submitted to the EAC according to
the requirements of Chapter 4 of this Manual.
3.4.2. System Not Previously EAC Certified. This term describes
any voting system not previously certified by the EAC, including
systems previously tested and qualified by NASED or systems
previously tested and denied certification by the EAC. Such systems
must be fully tested and submitted to the EAC according to the
requirements of Chapter 4 of this Manual.
3.4.3. Modification. A modification is any change to a
previously EAC-certified voting system's hardware, software, or
firmware that is not a de minimis change. Any modification to a
voting system will require testing and review by the EAC according
to the requirements of Chapter 4 of this Manual.
3.4.4. EAC Identified Systems. Manufacturers may be required to
submit systems previously certified by the EAC for retesting. This
may occur when the EAC determines that the original tests conducted
on the voting system are now insufficient to demonstrate compliance
with Federal standards in light of newly discovered threats or
information.
3.4.5. Certification Upgrade. This term defines any system
previously certified by the EAC but submitted for additional testing
and certification to a higher standard (e.g., to a newer version of
the VVSG). Any such system must be tested to the new standards and
submitted to the EAC per Chapter 4 of this Manual.
3.5. De Minimis Changes. A de minimis change is a change to
voting system hardware that is so minor in nature and effect that it
requires no additional testing and certification. Such changes,
however, require VSTL review and endorsement as well as EAC
approval. Any proposed change not accepted as a de minimis change is
a modification and shall be submitted for testing and review
consistent with the requirements of this Manual. An approved de
minimis change is not a modification.
3.5.1. De Minimis Change--Defined. A de minimis change is a
change to a certified voting system's hardware, the nature of which
will not materially alter the system's reliability, functionality,
capability, or operation. Software and firmware modifications are
not de minimis changes. In order for a hardware change to qualify as
a de minimis change, it must not only maintain, unaltered, the
reliability, functionality, capability and operability of a system,
it shall also ensure that when hardware is replaced, the original
hardware and the replacement hardware are electronically and
mechanically interchangeable and have identical functionality and
tolerances. Under no circumstance shall a change be considered a de
minimis change if it has reasonable and identifiable potential to
impact the system's operation and compliance with applicable voting
system standards.
3.5.2. De Minimis Change--Procedure. Manufacturers who wish to
implement a proposed de minimis change must submit it for VSTL
review and endorsement and EAC approval. A proposed change is not a
de minimis change and may not be implemented as such until it has
been approved in writing by the EAC.
3.5.2.1. VSTL Review. Manufacturers must submit any proposed de
minimis change to an EAC VSTL for review and endorsement. The
Manufacturer will provide the VSTL (1) a detailed description of the
change; (2) a description of the facts giving rise to or
necessitating the change; (3) the basis for its determination that
the change will not alter the system's reliability, functionality,
or operation; and (4) upon request of the VSTL, a sample voting
system at issue or any relevant technical information needed to make
the determination. The VSTL will review the proposed de minimis
change and make an independent determination as to whether the
change meets the definition of de minimis change or requires the
voting system to go through additional testing as a system
modification. If the VSTL determines that a de minimis change is
appropriate, it shall endorse the proposed change as a de minimis
change. If the VSTL determines that modification testing and
certification should be performed, it shall reject the proposed
change. Endorsed changes shall be forwarded to the EAC Program
Director for final approval. Rejected changes shall be returned to
the Manufacturer for resubmission as system modifications.
3.5.2.2. VSTL Endorsed Changes. The VSTL shall forward to the
EAC any change it has endorsed as de minimis. The VSTL shall forward
its endorsement in a package that includes:
3.5.2.2.1. The Manufacturer's initial description of the de
minimis change, a narrative of facts giving rise to or necessitating
the change, and the determination that the change will not alter the
system's reliability, functionality, or operation.
3.5.2.2.2. The written determination of the VSTL endorsement of
the de minimis change. The endorsement document must explain why the
VSTL, in its engineering judgment, determined that the proposed de
minimis change met the definition in this section and otherwise does
not require additional testing and certification.
3.5.2.3. EAC Action. The EAC will review all proposed de minimis
changes endorsed by the VSTL. The EAC has sole authority to
determine whether any VSTL endorsed change constitutes a de minimis
change under this section. The EAC will inform the Manufacturer and
VSTL of its determination in writing.
3.5.2.3.1. EAC approval. If the EAC approves the change as a de
minimis change, it shall provide written notice to the Manufacturer
and VSTL. The EAC will maintain copies of all approved de minimis
changes and otherwise track such changes.
3.5.2.3.2. EAC denial. If the EAC determines that a proposed de
minimis change cannot be approved, it will inform the VSTL and
Manufacturer of its decision. The proposed change will be considered
a modification and require testing and certification consistent with
this Manual.
3.5.3. De Minimis Change--Effect of EAC Approval. EAC approval
of a de minimis change permits the Manufacturer to implement the
proposed change (as identified, endorsed, and approved) without
additional modification testing and certification. Fielding an
engineering change not approved by the EAC is a basis for system
Decertification.
3.6. Provisional, Pre-Election Emergency Modification. To deal
with extraordinary pre-election emergency situations, the EAC has
developed a special provisional modification process. This process
is to be used only for the emergency situations indicated and only
when there is a clear and compelling need for temporary relief until
the regular certification process can be followed.
3.6.1. Purpose. The purpose of this section is to allow a
mechanism within the EAC Certification Program for Manufacturers to
modify EAC-certified voting systems in emergency situations
immediately before an election. This situation arises when a
modification to a voting system is required and an election deadline
is imminent, preventing the completion of the full certification
process (and State and/or local testing process) in time for
Election Day. In such situations the EAC may issue a waiver to the
Manufacturer, granting it leave to make the modification without
submission for modification testing and certification.
3.6.2. General Requirements. A request for an emergency
modification waiver may be made by a Manufacturer only in
conjunction with the State election official whose jurisdiction(s)
would be adversely affected if the requested modification were not
implemented before Election Day. Requests must be submitted at least
5 calendar days before an election. Only systems previously
certified are eligible for such a waiver. To receive a waiver, a
Manufacturer must demonstrate the following:
3.6.2.1. The modification is functionally or legally required;
that is, the system cannot be fielded in an election without the
change.
3.6.2.2. The voting system requiring modification is needed by
State or local
[[Page 76290]]
election officials to conduct a pending Federal election.
3.6.2.3. The voting system to be modified has previously been
certified by the EAC.
3.6.2.4. The modification cannot be tested by a VSTL and
submitted to the EAC for certification, consistent with the
procedural requirements of this Manual, at least 30 days before the
pending Federal election.
3.6.2.5. Relevant State law requires Federal certification of
the requested modification.
3.6.2.6. The Manufacturer has taken steps to ensure that the
modification will properly function as designed, is suitably
integrated with the system, and otherwise will not negatively affect
system reliability, functionality, or accuracy.
3.6.2.7. The Manufacturer (through a VSTL) has completed as much
of the evaluation testing as possible for the modification and has
provided the results of such testing to the EAC.
3.6.2.8. The emergency modification is required and otherwise
supported by the Chief State Election Official seeking to field the
voting system in an impending Federal election.
3.6.3. Request for Waiver. A Manufacturer's request for waiver
shall be made in writing to the Decision Authority and shall include
the following elements:
3.6.3.1. A signed statement providing sufficient description,
background, information, documentation, and other evidence necessary
to demonstrate that the request for a waiver meets each of the eight
requirements stated in Section 3.5.2 above.
3.6.3.2. A signed statement from the Chief State Election
Official requiring the emergency modification. This signed statement
shall identify the pending election creating the emergency situation
and attest that (1) the modification is required to field the
system, (2) State law (citation) requires EAC action to field the
system in an election, and (3) normal timelines required under the
EAC Certification Program cannot be met.
3.6.3.3. A signed statement from a VSTL that there is
insufficient time to perform necessary testing and complete the
certification process. The statement shall also state what testing
the VSTL has performed on the modification to date, provide the
results of such tests, and state the schedule for completion of
testing.
3.6.3.4. A detailed description of the modification, the need
for the modification, how it was developed, how it addresses the
need for which it was designed, its impact on the voting system, and
how the modification will be fielded or implemented in a timely
manner consistent with the Manufacturer's quality control program.
3.6.3.5. All documentation of tests performed on the
modification by the Manufacturer, a laboratory, or other third
party.
3.6.3.6. A stated agreement signed by the Manufacturer's
representative agreeing to take the following action:
3.6.3.6.1. Submit for testing and certification, consistent with
Chapter 4 of this Manual, any voting system receiving a waiver under
this section that has not already been submitted. This action shall
be taken immediately.
3.6.3.6.2. Abstain from representing the modified system as EAC
certified. The modified system has not been certified; rather, the
originally certified system has received a waiver providing the
Manufacturer leave to modify it.
3.6.3.6.3. Submit a report to the EAC regarding the performance
of the modified voting system within 60 days of the Federal election
that served as the basis for the waiver. This report shall (at a
minimum) identify and describe any (1) performance failures, (2)
technical failures, (3) security failures, and/or (4) accuracy
problems.
3.6.4. EAC Review. The EAC will review all waiver requests
submitted in a timely manner and make determinations regarding the
requests. Incomplete requests will be returned for resubmission with
a written notification regarding its deficiencies.
3.6.5. Letter of Approval. If the EAC approves the modification
waiver, the Decision Authority shall issue a letter granting the
temporary waiver within five (5) business days of receiving a
complete request.
3.6.6. Effect of Grant of Waiver. An EAC grant of waiver for an
emergency modification is not an EAC certification of the
modification. Waivers under this program grant Manufacturers leave
to only temporarily amend previously certified systems without
testing and certification for the specific election noted in the
request. Without such a waiver, such action would ordinarily result
in Decertification of the modified system (See Chapter 7). Systems
receiving a waiver shall satisfy any State requirement that a system
be nationally or federally certified. In addition--
3.6.6.1. All waivers are temporary and expire 60 days after the
Federal election for which the system was modified and the waiver
granted.
3.6.6.2. Any system granted a waiver must be submitted for
testing and certification. This shall be accomplished as soon as
possible.
3.6.6.3. The grant of a waiver is no indication that the
modified system will ultimately be granted a certification.
3.6.7. Denial of Request for Waiver. A request for waiver may be
denied by the EAC if the request does not meet the requirements
noted above, fails to follow the procedure established by this
section or otherwise fails to sufficiently support a conclusion that
the modification at issue is needed, will function properly, and is
in the public interest. A denial of a request for emergency
modification by the EAC shall be final and not subject to appeal.
Manufacturers may submit for certification, consistent with Chapter
4 of this Manual, modifications for which emergency waivers were
denied.
3.6.8. Publication Notice of Waiver. The EAC will post relevant
information relating to the temporary grant of an emergency waiver
on its Web site. This information will be posted upon grant of the
waiver and removed upon the waiver's expiration. This posting will
include information concerning the limited nature and effect of the
waiver.
4. Certification Testing and Technical Review
4.1. Overview. This chapter discusses the procedural
requirements for submitting a voting system to the EAC for testing
and review. The testing and review process requires an application,
employment of an EAC-accredited testing laboratory, and technical
analysis of the laboratory test report by the EAC. The result of
this process is an Initial Decision on Certification by the Decision
Authority.
4.2. Policy. Generally, to receive an initial determination on
an EAC certification for a voting system, a registered Manufacturer
must have (1) submitted an EAC-approved application for
certification, (2) had a VSTL submit an EAC-approved test plan, (3)
had a VSTL test a voting system to applicable voting system
standards, (4) had a VSTL submit a test report to the EAC for
technical review and approval, and (5) received EAC approval of the
report in an Initial Decision on Certification.
4.3. Certification Application. The first step in submitting a
voting system for certification is submission of an application
package. The package contains an application form and a copy of the
voting system's Implementation Statement (see VVSG 2005-Version 1.0,
Vol. I, Section 1.6.4), functional diagram, and System Overview
documentation submitted to the VSTL as a part of the Technical Data
Package (see VVSG 2005--Version 1.0, Vol. II, Section 2.2). This
application process initiates the certification process and provides
the EAC with needed information.
4.3.1. Information on Application Form. The application
(application form) provides the EAC certain pieces of information
that are essential at the outset of the certification process. This
information includes the following:
4.3.1.1. Manufacturer Information. Identification of the
Manufacturer (name and three-letter identification code).
4.3.1.2. Selection of Accredited Laboratory. Selection and
identification of the VSTL that will perform voting system testing
and other prescribed laboratory action consistent with the
requirements of this Manual. Once selected, a Manufacturer may NOT
replace the selected VSTL without the express written consent of the
Program Director. Such permission will be granted solely at the
discretion of the Program Director and only upon demonstration of
good cause.
4.3.1.3. Voting System Standards Information. Identification of
the VVSG or VSS, including the document's date and version number,
to which the Manufacturer wishes to have the identified voting
system tested and certified.
4.3.1.4. Nature of the Submission. Manufacturers must identify
the nature of their submission by selecting one of the following
four submission types:
4.3.1.4.1. New system. For purposes of this Manual, a new system
is defined as a voting system that has not been previously tested to
any applicable Federal standards.
4.3.1.4.2. System not previously EAC certified. This term
describes any voting system not previously certified by the EAC,
including systems previously tested and
[[Page 76291]]
qualified by NASED or systems previously tested and denied
certification by the EAC.
4.3.1.4.3. Modification. A modification is any change to a
previously EACcertified voting system's hardware, software, or
firmware.
4.3.1.4.4. Certification upgrade. This term defines any system
previously certified by the EAC but submitted (without modification)
for additional testing and certification to a higher standard (e.g.,
to a newer version of the VVSG).
4.3.1.5. Identification of the Voting System. Manufacturers must
identify the system submitted for testing by providing its name and
applicable version number. If the system submitted has been
previously fielded, but the Manufacturer wishes to change its name
or version number after receipt of EAC certification, it must
provide identification information on both the past name or names
and the new, proposed name. This requirement might occur in systems
submitted for modification, for their first EAC certification, or
for a certification upgrade.
4.3.1.6. Description of the Voting System. Manufacturers must
provide a brief description of the system or modification being
submitted for testing and certification. This description shall
include the following information:
4.3.1.6.1. A listing of all components of the system submitted.
4.3.1.6.2. Each component's version number.
4.3.1.6.3. A complete list of each configuration of the system's
components that could be fielded as the certified voting system.\1\
---------------------------------------------------------------------------
\1\ An EAC certification applies to the configuration of
components (the voting system) presented for testing. A voting
system may be fielded without using each of the components that
formed the system presented, since voting systems, as certified, may
contain optional or redundant components to meet the varying needs
of election officials. Systems may not be fielded with additional
components or without sufficient components to properly prosecute an
election, as neither individual components nor separately tested
systems may be combined to create new certified voting systems.
---------------------------------------------------------------------------
4.3.1.6.4. Any other information necessary to identify the
specific configuration being submitted for certification.
4.3.1.7. Date Submitted. Manufacturers must note the date the
application was submitted for EAC approval.
4.3.1.8. Signature. The Manufacturer must affix the signature of
the authorized management representative.
4.3.2. Submission of the Application Package. Manufacturers must
submit a copy of the application form described above and copies of
the voting system's (1) Implementation Statement, (2) functional
diagram, and (3) System Overview documentation submitted to the VSTL
as a part of the Technical Data Package.
4.3.2.1. Application Form. Application forms will be available
on the EAC Web site: http://www.eac.gov. The application form
submitted to the EAC must be signed; dated; and fully, accurately,
and completely filled out. The EAC will not accept incomplete or
inaccurate applications.
4.3.2.2. Implementation Statement. The Manufacturer must submit
with the application form a copy of the voting system's
Implementation Statement, which must meet the requirements of the
VVSG (VVSG 2005--Version 1.0, Vol. I, Section 1.6.4). If an existing
system is being submitted with a modification, the Manufacturer must
submit a copy of a revised Implementation Statement.
4.3.2.3. Functional Diagram. The Manufacturer must submit with
the application form a high-level Functional Diagram of the voting
system that includes all of its components. The diagram must portray
how the various components relate and interact.
4.3.2.4. System Overview. The Manufacturer must submit with the
application form a copy of the voting system's System Overview
documentation submitted to the VSTL as a part of the Technical Data
Package. This document must meet the requirements of the VVSG (VVSG
2005--Version 1.0, Vol. II, Section 2.2).
4.3.2.5. Submission. Applications, with the accompanying
documentation, shall be submitted in Adobe PDF, Microsoft Word, or
other electronic formats as prescribed by the Program Director.
Information on how to submit packages will be posted on the EAC Web
site: http://www.eac.gov.
4.3.3. EAC Review. Upon receipt of a Manufacturer's application
package, the EAC will review the submission for completeness and
accuracy. If the application package is incomplete, the EAC will
return it to the Manufacturer with instructions for resubmission. If
the form submitted is acceptable, the Manufacturer will be notified
and provided a unique application number within five (5) business
days of the EAC's receipt of the application.
4.4. Test Plan. The Manufacturer shall authorize the VSTL
identified in its application to submit a test plan directly to the
EAC. This plan shall provide for testing of the system sufficient to
ensure it is functional and meets all applicable voting system
standards.
4.4.1. Development. An accredited laboratory will develop test
plans that use appropriate test protocols, standards, or test suites
developed by the laboratory. Laboratories must use all applicable
protocols, standards, or test suites issued by the EAC.
4.4.2. Required Testing. Test plans shall be developed to ensure
that a voting system is functional and meets all requirements of the
applicable, approved voting system standards. The highest level of
care and vigilance is required to ensure that comprehensive test
plans are created. A test plan should ensure that the voting system
meets all applicable standards and that test results and other
factual evidence of the testing are clearly documented. System
testing must meet the requirements of the VVSG. Generally, full
testing will be required of any voting system applying for
certification, regardless of previous certification history.
4.4.2.1. New System. A new system shall be subject to full
testing of all hardware and software according to applicable voting
system standards.
4.4.2.2. System Not Previously EAC Certified. A system not
previously certified by the EAC shall be fully tested as a new
system.
4.4.2.3. Modification. A modification to a previously EAC-
certified voting system shall be tested in a manner necessary to
ensure that all changes meet applicable voting system standards and
that the modified system (as a whole) will properly and reliably
function. Any system submitted for modification shall be subject to
full testing of the modifications (delta testing) and those systems
or subsystems altered or impacted by the modification (regression
testing). The system will also be subject to system integration
testing to ensure overall functionality. The modification will be
tested to the version or versions of the VVSG/VSS currently accepted
for testing and certification by the EAC. This requirement, however,
does not mean that the full system must be tested to such standards.
If the system has been previously certified to a VVSG/VSS version
deemed acceptable by the EAC (see Section 3.2.2.2), it may retain
that level of certification with only the modification being tested
to the present version(s).
4.4.2.4. EAC Identified Systems. Previously certified systems
identified for retesting by the EAC (see Section 3.4.4) shall be
tested as directed by the Program Director (after consultation with
NIST, VSTLs, or other technical experts as necessary).
4.4.2.5. Certification Upgrade. A previously certified system
submitted for testing to a new voting system standard (without
modification) shall be tested in a manner necessary to ensure that
the system meets all requirements of the new standards. The VSTL
shall create a test plan that identifies the differences between the
new and old standards and, based upon the differences, fully retest
all hardware and software components affected.
4.4.3. Format. Test labs shall issue test plans consistent with
the requirements in VVSG, Vol. II and any applicable EAC guidance.
4.4.4. EAC Approval. All test plans are subject to EAC approval.
No test report will be accepted for technical review unless the test
plan on which it is based has been approved by EAC' s Program
Director.
4.4.4.1. Review. All test plans must be reviewed for adequacy by
the Program Director. For each submission, the Program Director will
determine whether the test plan is acceptable or unacceptable.
Unacceptable plans will be returned to the laboratory for further
action. Acceptable plans will be. approved. Although Manufacturers
may direct test labs to begin testing before approval of a test
plan, the Manufacturer bears the full risk that the test plan (and
thus any tests preformed) will be deemed unacceptable.
4.4.4.2. Unaccepted Plans. If a plan is not accepted, the
Program Director will return the submission to the Manufacturer's
identified VSTL for additional action. Notice of unacceptability
will be provided in writing to the laboratory and include a
description of the problems identified and steps required to remedy
the test plan. A copy of this notice
[[Page 76292]]
will also be sent to the Manufacturer. Questions concerning the
notice shall be forwarded to the Program Director in writing. Plans
that have not been accepted may be resubmitted for review after
remedial action is taken.
4.4.4.3. Effect of Approval. Approval of a test plan is required
before a test report may be filed. In most cases, approval of a test
plan signifies that the tests proposed, if performed properly, are
sufficient to fully test the system. A test plan, however, is
approved based on the information submitted. New or additional
information may require a change in testing requirements at any
point in the certification process.
4.5. Testing. During testing, Manufacturers are responsible for
enabling VSTLs to report any changes to a voting system or an
approved test plan directly to the EAC. Manufacturers shall also
enable VSTLs to report all test failures or anomalies directly to
the EAC.
4.5.1. Changes. Any changes to a voting system, initiated as a
result of the testing process, will require submission of an updated
Implementation Statement, functional diagram, and System Overview
document and, potentially, an updated test plan. Test plans must be
updated whenever a change to a voting system requires deviation from
the test plan originally approved by the EAC. Changes requiring
alteration or deviation from the originally approved test plan must
be submitted to the EAC (by the VSTL) for approval before the
completion of testing. The submission shall include an updated
Implementation Statement, functional diagram, and System Overview,
as needed. Changes not affecting the test plan shall be reported in
the test report. The submission shall include an updated
Implementation Statement, functional diagram, and System Overview
document, as needed.
4.5.2. Test Anomalies or Failures. Manufacturers shall enable
VSTLs to notify the EAC directly and independently of any test
anomalies, or failures during testing. The VSTLs shall ensure that
all anomalies or failures are addressed and resolved before testing
is completed. All test failures, anomalies and actions taken to
resolve such failures and anomalies shall be documented by the VSTL
in an appendix to the test report submitted to the EAC. These
matters shall be reported in a matrix, or similar format, that
identifies the failure or anomaly, the applicable voting system
standards, and a description of how the failure or anomaly was
resolved. Associated or similar anomalies/failures may be summarized
and reported in a single entry on the report (matrix) as long as the
nature and scope of the anomaly/failure is clearly identified.
4.6. Test Report. Manufacturers shall enable their identified
VSTL to submit test reports directly to the EAC. The VSTL shall
submit test reports only if the voting system has been tested and
all tests identified in the test plan have been successfully
performed.
4.6.1. Submission. The test reports shall be submitted to the
Program Director. The Program Director shall review the submission
for completeness. Any reports showing incomplete or unsuccessful
testing will be returned to the test laboratory for action and
resubmission. Notice of this action will be provided to the
Manufacturer. Test reports shall be submitted in Adobe PDF,
Microsoft Word, or other electronic formats as prescribed by the
Program Director. Information on how to submit reports will be
posted on the EAC Web site: http://www.eac.gov.
4.6.2. Format. Manufacturers shall ensure that test labs submit
reports consistent with the requirements in the VVSG and this
Manual.
4.6.3. Technical Review. A technical review of the test report,
technical documents, and test plan will be conducted by EAC
technical experts. The EAC may require the submission of additional
information from the VSTL or Manufacturer if deemed necessary to
complete the review. These experts will submit a report outlining
their findings to the Program Director. The report will provide an
assessment of the completeness, appropriateness, and adequacy of the
VSTL's testing as documented in the test report.
4.6.4. Program Director's Recommendation. The Program Director
shall review the report and take one of the following actions:
4.6.4.1. Recommend certification of the candidate system
consistent with the reviewed test report and forward it to the
Decision Authority for action (Initial Decision); or
4.6.4.2. Refer the matter back to the technical reviewers for
additional specified action and resubmission.
4.7. Initial Decision on Certification. Upon receipt of the
report and recommendation forwarded by the Program Director, the
Decision Authority shall issue an Initial Decision on Certification.
The decision shall be forwarded to the Manufacturer consistent with
the requirements of this Manual.
4.7.1. An Initial Decision granting certification shall be
processed consistent with Chapter 5 of this Manual.
4.7.2. An Initial Decision denying certification shall be
processed consistent with Chapter 6 of this Manual.
5. Grant of Certification
5.1. Overview. The grant of certification is the formal process
through which EAC acknowledges that a voting system has successfully
completed conformance testing to an appropriate set of standards or
guidelines. The grant of certification begins with the Initial
Decision of the Decision Authority. This decision becomes final
after the Manufacturer confirms that the final version of the
software that was certified and which the Manufacturer will deliver
with the certified system has been subject to a trusted build,
placed in an EAC-approved repository, and can be verified using the
Manufacturer's system identification tools. After a certification is
issued, the Manufacturer is provided a Certificate of Conformance
and relevant information about the system is added to the EAC Web
site. Manufacturers with certified voting systems are responsible
for ensuring that each system they produce is properly labeled as
certified.
5.2. Applicability of This Chapter. This chapter applies when
the Decision Authority makes an Initial Decision to grant a
certification to a voting system based on the materials and
recommendation provided by the Program Director.
5.3. Initial Decision. The Decision Authority shall make a
written decision on all voting systems submitted for certification
and issue the decision to a Manufacturer. When such decisions result
in a grant of certification, the decision shall be considered
preliminary and referred to as an Initial Decision pending required
action by the Manufacturer. The Initial Decision shall:
5.3.1. State the preliminary determination reached (granting
certification).
5.3.2. Inform the Manufacturer of the steps that must be taken
to make the determination final and receive a certification. This
action shall include providing the Manufacturer with specific
instructions, guidance, and procedures for confirming and
documenting that the final certified version of the software meets
the requirements for:
5.3.2.1. Performing and documenting a trusted build pursuant to
Section 5.6 of this chapter.
5.3.2.2. Depositing software in an approved repository pursuant
to Section 5.7 of this chapter.
5.3.2.3. Creating and making available system verification tools
pursuant to Section 5.8 of this chapter.
5.3.3. Certification is not final until the Manufacturer accepts
the certification and all conditions placed on the certification.
5.4. Pre-Certification Requirements. Before an Initial Decision
becomes final and a certification is issued, Manufacturers must
ensure certain steps are taken. They must confirm that the final
version of the software that was certified and which the
Manufacturer will deliver with the certified system has been subject
to a trusted build (see Section 5.6), has been delivered for deposit
in an EAC-approved repository (see Section 5.7), and can be verified
using Manufacturer-developed identification tools (see Section 5.8).
The Manufacturer must provide the EAC documentation demonstrating
compliance with these requirements.
5.5. Trusted Build. A software build (also referred to as a
compilation) is the process whereby source code is converted to
machine-readable binary instructions (executable code) for the
computer. A ``trusted build'' (or trusted compilation) is a build
performed with adequate security measures implemented to give
confidence that the executable code is a verifiable and faithful
representation of the source code. A trusted build creates a chain
of evidence from the Technical Data Package and source code
submitted to the VSTLs to the actual executable programs that are
run on the system. Specifically, the build will do the following:
5.5.1. Demonstrate that the software was built as described in
the Technical Data Package.
5.5.2. Show that the tested and approved source code was
actually used to build the executable code used on the system.
5.5.3. Demonstrate that no elements other than those included in
the Technical Data Package were introduced in the software build.
[[Page 76293]]
5.5.4. Document for future reference the configuration of the
system certified.
5.6. Trusted Build Procedure. A trusted build is a three-step
process: (1) The build environment is constructed, (2) the source
code is loaded onto the build environment, and (3) the executable
code is compiled and the installation device is created. The process
may be simplified for modification to previously certified systems.
In each step, a minimum of two witnesses from different
organizations is required to participate. These participants must
include a VSTL representative and vendor representative. Before
creating the trusted build, the VSTL must complete the source code
review of the software delivered from the vendor for compliance with
the VVSG and must produce and record file signatures of all source
code modules.
5.6.1. Constructing the Build Environment. The VSTL shall
construct the build environment in an isolated environment
controlled by the VSTL, as follows:
5.6.1.1. The device that will hold the build environment shall
be completely erased by the VSTL to ensure a total and complete
cleaning of it. The VSTL shall use commercial off-the-shelf
software, purchased by the laboratory, for cleaning the device.
5.6.1.2. The VSTL, with vendor consultation and observation,
shall construct the build environment.
5.6.1.3. After construction of the build environment, the VSTL
shall produce and record a file signature of the build environment.
5.6.2. Loading Source Code Onto the Build Environment. After
successful source code review, the VSTL shall load source code onto
the build environment as follows:
5.6.2.1. The VSTL shall check the file signatures of the source
code modules and build environment to ensure that they are unchanged
from their original form.
5.6.2.2. The VSTL shall load the source code onto the build
environment and produce and record the file signature of the
resulting combination.
5.6.2.3. The VSTL shall capture a disk image of the combination
build environment and source code modules immediately before
performing the build.
5.6.2.4. The VSTL shall deposit the disk image into an
authorized archive to ensure that the build can be reproduced, if
necessary, at a later date.
5.6.3. Creating the Executable Code. Upon completion of all the
tasks outlined above, the VSTL shall produce the executable code.
5.6.3.1. The VSTL shall produce and record a file signature of
the executable code.
5.6.3.2. The VSTL shall deposit the executable code into an EAC-
approved software repository and create installation disk(s) from
the executable code.
5.6.3.3. The VSTL shall produce and record file signatures of
the installation disk(s) in order to provide a mechanism to validate
the software before installation on the voting system in a
purchasing jurisdiction.
5.6.3.4. The VSTL shall install the executable code onto the
system submitted for testing and certification before completion of
system testing.
5.6.4. Trusted Build for Modifications. The process of building
new executable code when a previously certified system has been
modified is somewhat simplified.
5.6.4.1. The build environment used in the original
certification is removed from storage and its file signature
verified.
5.6.4.2. After source code review, the modified files are placed
onto the verified build environment and new executable files are
produced.
5.6.4.3. If the original build environment is unavailable or its
file signatures cannot be verified against those recorded from the
original certification, then the more labor-intensive process of
creating the build environment must be performed. Further source
code review may be required of unmodified files to validate that
they are unmodified from their originally certified versions.
5.7. Depositing Software in an Approved Repository. After EAC
certification has been granted, the VSTL project manager, or an
appropriate delegate of the project manager, shall deliver for
deposit the following elements in one or more trusted archive(s)
(repositories) designated by the EAC:
5.7.1. Source code used for the trusted build and its file
signatures.
5.7.2. Disk image of the pre-build, build environment, and any
file signatures to validate that it is unmodified.
5.7.3. Disk image of the post-build, build environment, and any
file signatures to validate that it is unmodified.
5.7.4. Executable code produced by the trusted build and its
file signatures of all files produced.
5.7.5. Installation device(s) and file signatures.
5.8. System Identification Tools. The Manufacturer shall provide
tools through which a fielded voting system may be identified and
demonstrated to be unmodified from the system that was certified.
The purpose of this requirement is to make such tools available to
Federal, State, and local officials to identify and verify that the
equipment used in elections is unmodified from its certified
version. Manufacturers may develop and provide these tools as they
see fit. The tools, however, must provide the means to identify and
verify hardware and software. The EAC may review the system
identification tools developed by the Manufacturer to ensure
compliance. System identification tools include the following
examples:
5.8.1. Hardware is commonly identified by model number and
revision number on the unit, its printed wiring boards (PWBs), and
major subunits. Typically, hardware is verified as unmodified by
providing detailed photographs of the PWBs and internal construction
of the unit. These images may be used to compare with the unit being
verified.
5.8.2. Software operating on a host computer will typically be
verified by providing a selfbooting compact disk (CD) or similar
device that verifies the file signatures of the voting system
application files AND the signatures of all nonvolatile files that
the application files access during their operation. Note that the
creation of such a CD requires having a file map of all nonvolatile
files that are used by the voting system. Such a tool must be
provided for verification using the file signatures of the original
executable files provided for testing. If during the certification
process modifications are made and new executable files created,
then the tool must be updated to reflect the file signatures of the
final files to be distributed for use. For software operating on
devices in which a self-booting CD or similar device cannot be used,
a procedure must be provided to allow identification and
verification of the software that is being used on the device.
5.9. Documentation. Manufacturers shall provide documentation to
the Program Director verifying that the trusted build has been
performed, software has been deposited in an approved repository,
and system identification tools are available to election officials.
The Manufacturer shall submit a letter, signed by both its
management representative and a VSTL official, stating (under
penalty of law) that it has (1) performed a trusted build consistent
with the requirements of Section 5.6 of this Manual, (2) deposited
software consistent with Section 5.7 of this Manual, and (3) created
and made available system identification tools consistent with
Section 5.8 of this Manual. This letter shall also include (as
attachments) a copy and description of the system identification
tool developed under Section 5.8 above.
5.10. Agency Decision. Upon receipt of documentation
demonstrating the successful completion of the requirements above
and recommendation of the Program Director, the Decision Authority
will issue an Agency Decision granting certification and providing
the Manufacturer with a certification number and Certificate of
Conformance.
5.11. Certification Document. A Certificate of Conformance will
be provided to Manufacturers for voting systems that have
successfully met the requirements of the EAC Certification Program.
The document will serve as the Manufacturer's evidence that a
particular system is certified to a particular set of voting system
standards. The EAC certification and certificate apply only to the
specific voting system configuration(s) identified, submitted and
evaluated under the Certification Program. Any modification to the
system not authorized by the EAC will void the certificate. The
certificate will include the product (voting system) name, the
specific model or version of the product tested, the name of the
VSTL conducting the testing, identification of the standards to
which the system was tested, the EAC certification number for the
product, and the signature of the EAC Executive Director. The
certificate will also identify each of the various configurations of
the voting system's components that may be represented as certified.
5.12. Certification Number and Version Control. Each system
certified by the EAC will receive a certification number that is
unique to the system and will remain with the system until such time
as the system is decertified, sufficiently modified, or tested and
certified to newer standards. Generally, when a previously certified
system is issued
[[Page 76294]]
a new certification number, the Manufacturer will be required to
change the system's name or version number.
5.12.1. New Voting Systems and Those Not Previously Certified by
the EAC. All systems receiving their first certification from the
EAC will receive a new certification number. Manufacturers must
provide the EAC with the voting system's name and version number
during the application process (see Chapter 4). Systems previously
certified by another body may retain the previous system name and
version number unless the system was modified before its submission
to the EAC. Such modified systems must be submitted with a new
naming convention (i.e., a new version number).
5.12.2. Modifications. Voting systems previously certified by
the EAC and submitted for certification of a modification will
generally receive a new voting system certification number. Such
modified systems must be submitted with a new naming convention
(i.e., a new version number). In rare instances, the EAC may
authorize retention of the same certification and naming convention
when the modification is so minor that is does not represent a
substantive change in the voting system. A request for such
authorization must be made and approved by the EAC during the
application phase of the program.
5.12.3. Certification Upgrade. Voting systems previously
certified and submitted (without modification) for testing to a new
version of the VVSG will receive a new certification number. In such
cases, however, the Manufacturer will not be required to change the
system name or version.
5.12.4. De Minimis Change. Voting systems previously certified
and implementing an approved de minimis change (per Chapter 3) will
not be issued a new certification number and are not required to
implement a new naming convention.
5.13. Publication of EAC Certification. The EAC will publish and
maintain on its Web site a list of all certified voting systems,
including copies of all Certificates of Conformance, the supporting
test report, and information about the voting system and
Manufacturer. Such information will be posted immediately following
the Manufacturer's receipt of the EAC Final Decision and Certificate
of Conformance.
5.14. Representation of EAC Certification. Manufacturers may not
represent or imply that a voting system is certified unless it has
received a Certificate of Conformance for that system. Statements
regarding EAC certification in brochures, on Web sites, on displays,
and in advertising/sales literature must be made solely in reference
to specific systems. Any action by a Manufacturer to suggest EAC
endorsement of its product or organization is strictly prohibited
and may result in a Manufacturer's suspension or other action
pursuant to Federal civil and criminal law.
5.15. Mark of Certification Requirement. Manufacturers shall
post a mark of certification on all EAC-certified voting systems
produced. This mark or label must be securely attached to the system
before sale, lease, or release to third parties. A mark of
certification shall be made using an EAC-mandated template available
for download on the EAC Web site: http://www.eac.gov. These
templates identify the version of the VVSG or VSS to which the
system is certified. Use of this template shall be mandatory. The
EAC mark must be displayed as follows:
5.15.1. The Manufacturer may use only the mark of certification
that accurately reflects the certification held by the voting system
as a whole. The certification of individual components or
modifications shall not be independently represented by a mark of
certification. In the event a system has components or modifications
tested to various (later) versions of the VVSG, the system shall
bear only the mark of certification of the standard to which the
system (as a whole) was tested and certified (i.e. the lesser
standard). Ultimately, a voting system shall only display the mark
of certification of the oldest or least rigorous standard to which
any of its components are certified.
5.15.2. The mark shall be placed on the outside of a unit of
voting equipment in a place readily visible to election officials.
The mark need not be affixed to each of the voting system's
components. The mark shall be affixed to either (1) each unit that
is used to cast ballots or (2) each unit that is used to tabulate
ballots.
5.15.3. The notice shall be securely affixed to the voting
system. The label shall not be a paper label. ``Securely affixed''
means that the label is etched, engraved, stamped, silk-screened,
indelibly printed, or otherwise securely marked on a permanently
attached part of the equipment or on a nameplate of metal, plastic,
or other sturdy material fastened to the equipment by use of
welding, riveting, or adhesive.
5.15.4. The label must be designed to last the expected lifetime
of the voting system in the environment in which the system may be
operated and must not be readily detachable.
5.16. Information to Election Officials Purchasing Voting
Systems. The user's manual or instruction manual for a certified
voting system shall warn purchasers that changes or modifications
not tested and certified by the EAC will void the EAC certification
of the voting system. In cases in which the manual is provided only
in a form other than paper, such as on a CD or over the Internet,
the information required in this section may be included in this
alternative format provided the election official can reasonably be
expected to have the capability to access information in that
format.
6. Denial of Certification
6.1. Overview. When the Decision Authority issues an Initial
Decision denying certification, the Manufacturer has certain rights
and responsibilities. The Manufacturer may request an opportunity to
cure the defects identified by the Decision Authority. In addition,
the Manufacturer may request that the Decision Authority reconsider
the Initial Decision after the Manufacturer has had the opportunity
to review the record and submit supporting written materials, data,
and the rationale for its position. Finally, in the event
reconsideration is denied, the Manufacturer may appeal the decision
to the Appeal Authority.
6.2. Applicability of This Chapter. This chapter applies when
the Decision Authority makes an Initial Decision to deny an
application for voting system certification based on the materials
and recommendation provided by the Program Director.
6.3. Form of Decisions. All agency determinations shall be made
in writing. Moreover, all materials and recommendations reviewed or
used by agency decision makers in arriving at an official
determination shall be in written form.
6.4. Effect of Denial of Certification. Upon receipt of the
agency's decision denying certification--or in the event of an
appeal, subject to the Decision on Appeal--the Manufacturer's
application for certification is denied. Such systems will not be
reviewed again by the EAC for certification unless the Manufacturer
alters the system, retests it, and submits a new application for
system certification.
6.5. The Record. The Program Director shall maintain all
documents related to a denial of certification. Such documents shall
constitute the procedural and substantive record of the decision
making process. Records may include the following:
6.5.1. The Program Director's report and recommendation to the
Decision Authority.
6.5.2. The Decision Authority's Initial Decision and Final
Decision.
6.5.3. Any materials gathered by the Decision Authority that
served as a basis for a certification determination.
6.5.4. All relevant and allowable materials submitted by the
Manufacturer upon request for reconsideration or appeal.
6.5.5. All correspondence between the EAC and a Manufacturer
after the issuance of an Initial Decision denying certification.
6.6. Initial Decision. The Decision Authority shall make and
issue a written decision on voting systems submitted for
certification. When such decisions result in a denial of
certification, the decision shall be considered preliminary and
referred to as an Initial Decision. Initial Decisions shall be in
writing and contain (1) the Decision Authority's basis and
explanation for the decision and (2) notice of the Manufacturer's
rights in the denial of certification process.
6.6.1. Basis and Explanation. The Initial Decision of the
Decision Authority shall accomplish the following:
6.6.1.1. Clearly state the agency's decision on certification.
6.6.1.2. Explain the basis for the decision, including
identifying the following:
6.6.1.2.1. The relevant facts.
6.6.1.2.2. The applicable EAC voting system standards (VVSG or
VSS).
6.6.1.2.3. The relevant analysis in the Program Director's
recommendation.
6.6.1.2.4. The reasoning behind the decision.
6.6.1.3. State the actions the Manufacturer must take, if any,
to cure all defects in the voting system and obtain a certification.
6.6.2. Manufacturer's Rights. The written Initial Decision must
also inform the Manufacturer of its procedural rights under the
program, including the following:
6.6.2.1. Right to request reconsideration. The Manufacturer
shall be informed of its
[[Page 76295]]
right to request a timely reconsideration (see Section 6.9). Such
request must be made within 10 calendar days of the Manufacturer's
receipt of the Initial Decision.
6.6.2.2. Right to request a copy or otherwise have access to the
information that served as the basis of the Initial Decision (``the
record'').
6.6.2.3. Right to cure system defects prior to final Agency
Decision (see Section 6.8). A Manufacturer may request an
opportunity to cure within 10 calendar days of its receipt of the
Initial Decision.
6.7. No Manufacturer Action on Initial Decision. If a
Manufacturer takes no action (by either failing to request an
opportunity to cure or request reconsideration) within 10 calendar
days of its receipt of the Initial Decision, the Initial Decision
shall become the agency's Final Decision on Certification. In such
cases, the Manufacturer is determined to have foregone its right to
reconsideration, cure, and appeal. The certification application
shall be considered finally denied.
6.8. Opportunity To Cure. Within 10 calendar days of receiving
the EAC's Initial Decision on Certification, a Manufacturer may
request an opportunity to cure the defects identified in the EAC's
Initial Decision. If the request is approved, a compliance plan must
be created, approved, and followed. If this cure process is
successfully completed, a voting system denied certification in an
Initial Decision may receive a certification without resubmission.
6.8.1. Manufacturer's Request To Cure. The Manufacturer must
send a request to cure within 10 calendar days of receipt of an
Initial Decision. The request must be sent to the Program Director.
6.8.2. EAC Action on Request. The Decision Authority will review
the request and approve it. The Decision Authority will deny a
request to cure only if the proposed plan to cure is inadequate or
does not present a viable way to remedy the identified defects.
Approval or denial of a request to cure shall be provided the
Manufacturer in writing. If the Manufacturer's request to cure is
denied, it shall have 10 calendar days from the date it received
such notice to request reconsideration of the Initial Decision
pursuant to Section 6.6.2.
6.8.3. Manufacturer's Compliance Plan. Upon approval of the
Manufacturer's request for an opportunity to cure, it shall submit a
compliance plan to the Decision Authority for approval. This
compliance plan must set forth steps to be taken to cure all
identified defects. It shall include the proposed changes to the
system, updated technical information (as required by Section
4.3.2), and a new test plan created and submitted directly to the
EAC by the VSTL (testing the system consistent with Section
4.4.2.3). The plan shall also provide for the testing of the amended
system and submission of a test report by the VSTL to the EAC for
approval. It should provide an estimated date for receipt of this
test report and include a schedule of periodic VSTL progress reports
to the Program Director.
6.8.4. EAC Action on the Compliance Plan. The Decision Authority
must review and approve the compliance plan. The Decision Authority
may require the Manufacturer to provide additional information and
modify the plan as required. If the Manufacturer is unable or
unwilling to provide a compliance plan acceptable to the Decision
Authority, the Decision Authority shall provide written notice
terminating the ``opportunity to cure'' process. The Manufacturer
shall have 10 calendar days from the date it receives such notice to
request reconsideration of the Initial Decision pursuant to Section
6.6.2.
6.8.5. Compliance Plan Test Report. The VSTL shall submit the
test report created pursuant to its EAC-approved compliance plan.
The EAC shall review the test report, along with the original test
report and other materials originally provided. The report will be
technically reviewed by the EAC consistent with the procedures laid
out in Chapter 4 of this Manual.
6.8.6. EAC Decision on the System. After receipt of the test
plan, the Decision Authority shall issue a decision on a voting
system amended pursuant to an approved compliance plan. This
decision shall be issued in the same manner and with the same
process and rights as an Initial Decision on Certification.
6.9. Requests for Reconsideration. Manufacturers may request
reconsideration of an Initial Decision.
6.9.1. Submission of Request. A request for reconsideration must
be made within 10 calendar days of the Manufacturer's receipt of an
Initial Decision. The request shall be made and sent to the Decision
Authority.
6.9.2. Acknowledgment of Request. The Decision Authority shall
acknowledge receipt of the Manufacturer's request for
reconsideration. This acknowledgment shall either enclose all
information that served as the basis for the Initial Decision (the
record) or provide a date by which the record will be forwarded to
the Manufacturer.
6.9.3. Manufacturer's Submission. Within 30 calendar days of
receipt of the record, a Manufacturer may submit written materials
in support of its position, including the following:
6.9.3.1. A written argument responding to the conclusions in the
Initial Decision.
6.9.3.2. Documentary evidence relevant to the issues raised in
the Initial Decision.
6.9.4. Decision Authority's Review of Request. The Decision
Authority shall review and consider all relevant submissions of the
Manufacturer. In making a decision on reconsideration, the Decision
Authority shall also consider all documents that make up the record
and any other documentary information he or she determines relevant.
6.10. Agency Final Decision. The Decision Authority shall issue
a written Agency Decision after review of the Manufacturer's request
for reconsideration. This Decision shall be the decision of the
agency. The following actions are necessary for writing the
decision:
6.10.1.1. Clearly state the agency's determination on the
application for certification.
6.10.1.2. Address the issues raised by the Manufacturer in its
request for reconsideration.
6.10.1.3. Identify all facts, evidence, and EAC voting system
standards (VVSG or VSS) that served as the basis for the decision.
6.10.1.4. Provide the reasoning behind the determination.
6.10.1.5. Identify and provide, as an attachment, any additional
documentary information that served as a basis for the decision and
that was not part of the Manufacturer's submission or the prior
record.
6.10.1.6. Provide the Manufacturer notice of its right to
appeal.
6.11. Appeal of Agency Final Decision. A Manufacturer may, upon
receipt of an Agency Final Decision denying certification, issue a
request for appeal.
6.11.1. Requesting Appeal. A Manufacturer may appeal a final
decision of the agency by issuing a written request for appeal.
6.11.1.1. Submission. Requests must be submitted in writing to
the Program Director, addressed to the Chair of the U.S. Election
Assistance Commission.
6.11.1.2. Timing of Appeal. The Manufacturer may request an
appeal within 20 calendar days of receipt of the Agency Final
Decision. Late requests will not be considered.
6.11.1.3. Contents of Request.
6.11.1.3.1. The request must clearly state the specific
conclusions of the Final Decision the Manufacturer wishes to appeal.
6.11.1.3.2. The request may include additional written argument.
6.11.1.3.3. The request may not reference or include any factual
material not in the record.
6.11.2. Consideration of Appeal. All timely appeals will be
considered by the Appeal Authority.
6.11.2.1. The Appeal Authority shall be two or more EAC
Commissioners or other individuals appointed by the Commissioners
who have not previously served as the initial or reconsideration
authority on the matter.
6.11.2.2. All decisions on appeal shall be based on the record.
6.11.2.3. The determination of the Decision Authority shall be
given deference by the Appeal Authority. Although it is unlikely
that the scientific certification process will produce factual
disputes, in such cases, the burden of proof shall belong to the
Manufacturer to demonstrate by clear and convincing evidence that
its voting system met all substantive and procedural requirements
for certification. In other words, the determination of the Decision
Authority will be overturned only when the Appeal Authority finds
the ultimate facts in controversy highly probable.
6.12. Decision on Appeal. The Appeal Authority shall make a
written, final Decision on Appeal and shall provide it to the
Manufacturer.
6.12.1. Contents. The following actions are necessary to write
the Decision on Appeal:
6.12.1.1. State the final determination of the agency.
6.12.1.2. Address the matters raised by the Manufacturer on
appeal.
6.12.1.3. Provide the reasoning behind the decisions.
6.12.1.4. State that the Decision on Appeal is final.
[[Page 76296]]
6.12.2. Determinations. The Appeal Authority may make one of two
determinations:
6.12.2.1. Grant of Appeal. If the Appeal Authority determines
that the conclusions of the Decision Authority shall be overturned
in full, the appeal shall be granted. In such cases, certification
will be approved subject to the requirements of Chapter 5.
6.12.2.2. Denial of Appeal. If the Appeal Authority determines
that any part of the Decision Authority's determination shall be
upheld, the appeal shall be denied. In such cases, the application
for appeal is finally denied.
6.12.3. Effect. All Decisions on Appeal shall be final and
binding on the Manufacturer. No additional appeal shall be granted.
7. Decertification
7.1. Overview. Decertification is the process by which the EAC
revokes a certification previously granted to a voting system. It is
an important part of the Certification Program because it serves to
ensure that the requirements of the program are followed and that
certified voting systems fielded for use in Federal elections
maintain the same level of quality as those presented for testing.
Decertification is a serious matter. Its use will significantly
affect Manufacturers, State and local governments, the public, and
the administration of elections. As such, the process for
Decertification is complex. It is initiated when the EAC receives
information that a voting system may not be in compliance with the
applicable voting system standard or the procedural requirements of
this Manual. Upon receipt of such information, the Program Director
may initiate an Informal Inquiry to determine the credibility of the
information. If the information is credible and suggests the system
is non-compliant, a Formal Investigation will be initiated. If the
results of the Formal Investigation demonstrate non-compliance, the
Manufacturer will be provided a Notice of Non-Compliance. Before a
Final Decision on Decertification is made, the Manufacturer will
have the opportunity to remedy any defects identified in the voting
system and present information for consideration by the
Decertification Authority. A Decertification of a voting system may
be appealed in a timely manner.
7.2. Decertification Policy. Voting systems certified by the EAC
are subject to Decertification. Systems shall be decertified if (1)
they are shown not to meet applicable voting system standard, (2)
they have been modified or changed without following the
requirements of this Manual, or (3) the Manufacturer has otherwise
failed to follow the procedures outlined in this Manual so that the
quality, configuration, or compliance of the system is in question.
Decertification of a voting system is a serious matter. Systems will
be decertified only after completion of the process outlined in this
chapter.
7.3. Informal Inquiry. An Informal Inquiry is the first step
taken when information is presented to the EAC that suggests a
voting system may not be in compliance with the applicable voting
system standard or the procedural requirements of this Manual.
7.3.1. Informal Inquiry Authority. The authority to conduct an
Informal Inquiry shall rest with the Program Director.
7.3.2. Purpose. The sole purpose of the Informal Inquiry is to
determine whether a Formal Investigation is warranted. The outcome
of an Informal Inquiry is limited to a decision on referral for
investigation.
7.3.3. Procedure. Informal Inquiries do not follow a formal
process.
7.3.3.1. Initiation. Informal Inquiries are initiated at the
discretion of the Program Director. They may be initiated any time
the Program Director receives attributable, relevant information
that suggests a certified voting system may require Decertification.
The information shall come from a source that has directly observed
or witnessed the reported occurrence. Such information may be a
product of the Certification Quality Monitoring Program (see Chapter
8). Information may also come from State and local election
officials, voters, or others who have used or tested a given voting
system. The Program Director may notify a Manufacturer that an
Informal Inquiry has been initiated, but such notification is not
required. Initiation of an inquiry shall be documented through the
creation of a Memorandum for the Record.
7.3.3.2. Inquiry. The Informal Inquiry process is limited to
that inquiry necessary to determine whether a Formal Investigation
is required. In other words, the Program Director shall conduct such
inquiry necessary to determine (1) that the information obtained is
credible and (2) that the information, if true, would serve as a
basis for Decertification. The nature and extent of the inquiry
process will vary depending on the source of the information. For
example, an Informal Inquiry initiated as a result of action taken
under the Certification Quality Monitoring Program will often
require the Program Director merely to read the report issued as a
result of the Quality Monitoring action. On the other hand,
information provided by election officials or by voters who have
used a voting system may require the Program Director (or assigned
technical experts) to perform an in-person inspection or make
inquiries of the Manufacturer.
7.3.3.3. Conclusion. An Informal Inquiry shall be concluded
after the Program Director is in a position to determine the
credibility of the information that initiated the inquiry and
whether that information, if true, would require Decertification.
The Program Director may make only two conclusions: (1) refer the
matter for a Formal Investigation or (2) close the matter without
additional action or referral.
7.3.4. Closing the Matter Without Referral. If the Program
Director determines, after Informal Inquiry, that a matter does not
require a Formal Investigation, the Program Director shall close the
inquiry by filing a Memorandum for the Record. This document shall
state the focus of the inquiry, the findings of the inquiry and the
reasons a Formal Investigation was not warranted.
7.3.5. Referral. If the Program Director determines, after
Informal Inquiry, that a matter requires a Formal Investigation, the
Program Director shall refer the matter in writing to the Decision
Authority. In preparing this referral, the Program Director shall do
the following:
7.3.5.1. State the facts that served as the basis for the
referral.
7.3.5.2. State the findings of the Program Director.
7.3.5.3. Attach all documentary evidence that served as the
basis for the conclusion.
7.3.5.4. Recommend a Formal Investigation, specifically stating
the system to be investigated and the scope and focus of the
proposed investigation.
7.4. Formal Investigation. A Formal Investigation is an official
investigation to determine whether a voting system requires
Decertification. The end result of a Formal Investigation is a
Report of Investigation.
7.4.1. Formal Investigation Authority. The Decision Authority
shall have the authority to initiate and conclude a Formal
Investigation by the EAC.
7.4.2. Purpose. The purpose of a Formal Investigation is to
gather and document relevant information sufficient to make a
determination on whether an EAC-certified voting system requires
Decertification consistent with the policy put forth in Section 7.2
above.
7.4.3. Initiation of Investigation. The Decision Authority shall
authorize the initiation of an EAC Formal Investigation.
7.4.3.1. Scope. The Decision Authority shall clearly set the
scope of the investigation by identifying (in writing) the voting
system (or systems) and specific procedural or operational non-
conformance to be investigated. The nonconformance or non-
conformances to be investigated shall be set forth in the form of
numbered allegations.
7.4.3.2. Investigator. The Program Director shall be responsible
for conducting the investigation unless the Decision Authority
appoints another individual to conduct the investigation. The
Program Director (or Decision Authority appointee) may assign staff
or technical experts, as required, to investigate the matter.
7.4.4. Notice of Formal Investigation. Upon initiation of a
Formal Investigation, notice shall be given the Manufacturer of the
scope of the investigation. The following actions are necessary to
prepare this notice:
7.4.4.1. Identify the voting system and specific procedural or
operation nonconformance being investigated (scope of
investigation).
7.4.4.2. Provide the Manufacturer an opportunity to provide
relevant information in writing.
7.4.4.3. Provide an estimated timeline for the investigation.
7.4.5. Investigation. Because voting systems play a vital role
in our democratic process, investigations shall be conducted
impartially, diligently, promptly, and confidentially. Investigators
shall use techniques to gather necessary information that meet these
requirements.
7.4.5.1. Fair and Impartial Investigation. All Formal
Investigations shall be conducted in a fair and impartial manner.
All individuals assigned to an investigation must be free from any
financial conflicts of interest.
[[Page 76297]]
7.4.5.2. Diligent Collection of Information. All investigations
shall be conducted in a meticulous and thorough manner.
Investigations shall gather all relevant information and
documentation that is reasonably available. The diligent collection
of information is vital for informed decision making.
7.4.5.3. Prompt Collection of Information. Determinations that
may affect the administration of Federal elections must be made with
all reasonable speed. EAC determinations on Decertification will
affect the actions of State and local election officials conducting
elections. As such, all investigations regarding Decertification
must proceed with an appropriate sense of urgency.
7.4.5.4. Confidential Collection of Information. Consistent with
Federal law, information pertaining to a Formal Investigation should
not be made public until the Report of Investigation is complete.
The release of incomplete and unsubstantiated information or
predecisional opinions that may be contrary or inconsistent with the
final determination of the EAC could cause public confusion or could
unnecessarily negatively affect public confidence in active voting
systems. Such actions could serve to impermissibly affect election
administration and voter turnout. All predecisional investigative
materials must be appropriately safeguarded.
7.4.5.5. Methodologies. Investigators shall gather information
by means consistent with the four principles noted above.
Investigative tools include (but are not limited to) the following:
7.4.5.5.1. Interviews. Investigators may interview individuals
(such as State and local election officials, voters, or
representatives of the Manufacturer) with relevant information. All
interviews shall be reduced to written form; each interview should
be summarized in a statement that is reviewed, approved, and signed
by the subject.
7.4.5.5.2. Field audits.
7.4.5.5.3. Manufacturer site audits.
7.4.5.5.4. Written interrogatories. Investigators may pose
specific, written questions to the Manufacturer for the purpose of
gathering information relevant to the investigation. The
Manufacturer shall respond to the queries within a reasonable
timeframe (as specified in the request).
7.4.5.5.5. System testing. Testing may be performed in an
attempt to reproduce a condition or failure that has been reported.
This testing will be conducted at a VSTL under contract with the
EAC.
7.4.5.6. Report of Investigation. The end result of a Formal
Investigation is a Report of Investigation.
7.4.6. Report of Investigation. The Report of Investigation
serves, primarily, to document (1) all relevant and reliable
information gathered in the course of the investigation, and (2) the
conclusion reached by the Decision Authority.
7.4.6.1. When Complete. The report is complete and final when
certified and signed by the Decision Authority.
7.4.6.2. Contents of the Report of Investigation. The following
actions are necessary to prepare the written report:
7.4.6.2.1. Restate the scope of the investigation, identifying
the voting system and specific matter investigated.
7.4.6.2.2. Briefly describe the investigative process employed.
7.4.6.2.3. Summarize the relevant and reliable facts and
information gathered in the course of the investigation.
7.4.6.2.4. Attach all relevant and reliable evidence collected
in the course of the investigation that documents the facts. All
facts shall be documented in written form.
7.4.6.2.5. Analyze the information gathered.
7.4.6.2.6. Clearly state the findings of the investigation.
7.4.7. Findings, Report of Investigation. The Report of
Investigation shall state one of two conclusions. After gathering
and reviewing all applicable facts, the report shall find each
allegation investigated to be either (1) substantiated, or (2)
unsubstantiated.
7.4.7.1. Substantiated Allegation. An allegation is
substantiated if a preponderance of the relevant and reliable
information gathered requires that the voting system at issue be
decertified (consistent with the policy set out in Section 7.2). If
any allegation is substantiated, a Notice of Non-Compliance must be
issued.
7.4.7.2. Unsubstantiated Allegation. An allegation is
unsubstantiated if the preponderance of the relevant and reliable
information gathered does not require Decertification (see Section
7.2). If all allegations are unsubstantiated, the matter shall be
closed and a copy of the report forwarded to the Manufacturer.
7.4.8. Publication of Report. The report shall not be made
public nor released to the public until final.
7.5. Effect of Informal Inquiry or Formal Investigation on
Certification. A voting system's EAC certification is not affected
by the initiation or conclusion of an Informal Inquiry or Formal
Investigation. Systems under investigation remain certified until a
final Decision on Decertification is issued by the EAC.
7.6. Notice of Non-Compliance. If an allegation in a Formal
Investigation is substantiated, the Decision Authority shall send
the Manufacturer a Notice of Non-Compliance. The Notice of Non-
Compliance is not, itself, a Decertification of the voting system.
The purpose of the notice is to (1) notify the Manufacturer of the
non-compliance and the EAC' s intent to Decertify the system and (2)
inform the Manufacturer of its procedural rights so that it may be
heard prior to Decertification.
7.6.1. Non-Compliance Information. The following actions are
necessary for preparing a Notice of Non-Compliance:
7.6.1.1. Provide a copy of the Report of Investigation to the
Manufacturer.
7.6.1.2. Identify the non-compliance, consistent with the Report
of Investigation.
7.6.1.3. Inform the Manufacturer that if the voting system is
not made compliant, the voting system will be decertified.
7.6.1.4. State the actions the Manufacturer must take, if any,
to bring the voting system into compliance and avoid
Decertification.
7.6.2. Manufacturer's Rights. The written Notice of Non-
Compliance must also inform the Manufacturer of its procedural
rights under the program, which include the following:
7.6.2.1. Right to Present Information Prior to Decertification
Decision. The Manufacturer shall be informed of its right to present
information to the Decision Authority prior to a determination of
Decertification.
7.6.2.2. Right to Have Access to the Information That Will Serve
as the Basis of the Decertification Decision. The Manufacturer shall
be provided the Report of Investigation and any other materials that
will serve as the basis of an Agency Decision on Decertification.
7.6.2.3. Right to Cure System Defects Prior to the
Decertification Decision. A Manufacturer may request an opportunity
to cure within 20 calendar days of its receipt of the Notice of Non-
Compliance.
7.7. Procedure for Decision on Decertification. The Decision
Authority shall make and issue a written Decision on Decertification
whenever a Notice of Non-Compliance is issued. The Decision
Authority will not take such action until the Manufacturer has had a
reasonable opportunity to cure the non-compliance and submit
information for consideration.
7.7.1. Opportunity to Cure. The Manufacturer shall have an
opportunity to cure a nonconforming voting system in a timely manner
prior to Decertification. A cure is timely when the cure process can
be completed before the next Federal election, meaning that any
proposed cure must be in place before any individual jurisdiction
fielding the system holds a Federal election. The Manufacturer must
request the opportunity to cure. If the request is approved, a
compliance plan must be created, approved, and followed. If this
cure process is successfully completed, a Manufacturer may modify a
non-compliant voting system, remedy procedural discrepancies, or
otherwise bring its system into compliance without resubmission or
Decertification.
7.7.1.1. Manufacturer's Request to Cure. Within 10 calendar days
of receiving the EAC's Notice of Non-Compliance, a Manufacturer may
request an opportunity to cure all defects identified in the Notice
of Non-Compliance in a timely manner. The request must be sent to
the Decision Authority and outline how the Manufacturer would modify
the system, update the technical information (as required by Section
4.3.2), have the VSTL create a test plan and test the system, and
obtain EAC approval before the next election for Federal office.
7.7.1.2. EAC Action on Request. The Decision Authority will
review the request and approve it if the defects identified in the
Notice of Non-Compliance may reasonably be cured before the next
election for Federal office.
7.7.1.3. Manufacturer's Compliance Plan. Upon approval of the
Manufacturer's request for an opportunity to cure, the Manufacturer
shall submit a compliance plan to the Decision Authority for
approval. This compliance plan must set forth the steps to be taken
(including time frames) to cure all identified defects in a timely
manner. The
[[Page 76298]]
plan shall describe the proposed changes to the system, provide for
modification of the system, update the technical information
required by Section 4.3.2, include a test plan delivered to the EAC
by the VSTL (testing the system consistent with Section 4.4.2.3),
and provide for the VSTL's testing of the system and submission of
the test report to the EAC for approval (assume at least 20 working
days). The plan shall also include a schedule of periodic progress
reports to the Program Director.\2\
---------------------------------------------------------------------------
\2\ Manufacturers should also be cognizant of State
certification procedures and local pre-election logic and accuracy
testing. Systems that meet EAC guidelines will also be impacted by
independent State and local requirements. These requirements may
also prevent a system from being fielded, irrespective of EAC
Certification.
---------------------------------------------------------------------------
7.7.1.4. EAC Action on the Compliance Plan. The Decision
Authority must review and approve the compliance plan. The Decision
Authority may require the Manufacturer to provide additional
information and modify the plan as required. If the Manufacturer is
unable or unwilling to provide a Compliance Plan acceptable to the
Decision Authority, the Decision Authority shall provide written
notice terminating the ``opportunity to cure'' process.
7.7.1.5. VSTL's Submission of the Compliance Plan Test Report.
The VSTL shall submit the test report created pursuant to the
Manufacturer's EAC-approved Compliance Plan. The EAC shall review
the test report and any other necessary or relevant materials. The
report will be technically reviewed by the EAC in a manner similar
to the procedures described in Chapter 4 of this Manual.
7.7.1.6. EAC Decision on the System. After receipt of the VSTL's
test report, the Decision Authority shall issue a decision on a
voting system amended pursuant to an approved Compliance Plan. For
the purpose of planning, the Manufacturer should allow at least 20
working days for this process.
7.7.2. Opportunity to Be Heard. The Manufacturer may submit
written materials in response to the Notice of Non-Compliance and
Report of Investigation. These documents shall be considered by the
Decision Authority when making a determination on Decertification.
The Manufacturer shall ordinarily have 20 calendar days from the
date it received the Notice of Non-Compliance (or in the case of a
failed effort to cure, the termination of that process) to deliver
its submissions to the Decision Authority. When warranted by public
interest (because a delay in making a determination on
Decertification would affect the timely, fair, and effective
administration of a Federal election), however, the Decision
Authority may provide a Manufacturer less time to submit
information. This alternative period (and the basis for it) must be
stated in the Notice of Non-Compliance. The alternative time period
must allow the Manufacturer a reasonable amount of time to gather
its submissions. Submissions may include the following materials:
7.7.2.1. A written argument responding to the conclusions in the
Notice of NonCompliance or Report of Investigation.
7.7.2.2. Documentary evidence relevant to the allegations or
conclusions in the Notice of Non-Compliance.
7.7.3. Decision on Decertification. The Decision Authority shall
make an agency determination on Decertification.
7.7.3.1. Timing. The Decision Authority shall promptly make a
decision on Decertification. The Decision Authority may not issue
such a decision, however, until the Manufacturer has provided all of
its written materials for consideration or the time allotted for
submission (usually 20 calendar days) has run out.
7.7.3.2. Considered Materials. The Decision Authority shall
review and consider all relevant submissions of the Manufacturer. In
making a Decision on Decertification, the Decision Authority shall
also consider all documents that make up the record and any other
documentary information he or she determines relevant.
7.7.3.3. Agency Decision. The Decision Authority shall issue a
written Agency Decision after review of applicable materials. This
decision shall be the final decision of the agency. The following
actions are necessary to write the decision:
7.7.3.3.1. Clearly state the agency's determination on the
Decertification, specifically addressing the areas of non-compliance
investigated.
7.7.3.3.2. Address the issues raised by the Manufacturer in the
materials it submitted for consideration.
7.7.3.3.3. Identify all facts, evidence, procedural
requirements, and/or voting system standards (VVSG or VSS) that
served as the basis for the decision.
7.7.3.3.4. Provide the reasoning behind the decision.
7.7.3.3.5. Identify, and provide as an attachment, any
additional documentary information that served as a basis for the
decision and that was not part of the Manufacturer's submission or
the Report of Investigation.
7.7.3.3.6. Provide the Manufacturer notice of its right to
appeal.
7.8. Effect of Decision Authority's Decision on Decertification.
The Decision Authority's Decision on Decertification is the
determination of the agency. A Decertification is effective upon the
EAC's publication or Manufacturer's receipt of the decision
(whichever is earlier). A Manufacturer that has had a voting system
decertified may appeal that decision.
7.9. Appeal of Decertification. A Manufacturer may, upon receipt
of an Agency Final Decision on Decertification, request an appeal in
a timely manner.
7.9.1. Requesting Appeal.
7.9.1.1. Submission. Requests must be submitted by the
Manufacturer in writing to the Chair of the U.S. Election Assistance
Commission.
7.9.1.2. Timing of Appeal. The Manufacturer may request an
appeal within 20 calendar days of receipt of the Agency Final
Decision on Decertification. Late requests will not be considered.
7.9.1.3. Contents of Request. The following actions are
necessary for the Manufacturer to write and submit a request for
appeal:
7.9.1.3.1. Clearly state the specific conclusions of the Final
Decision the Manufacturer wishes to appeal.
7.9.1.3.2. Include additional written argument, if any.
7.9.1.3.3. Do not reference or include any factual material not
previously considered or submitted to the EAC.
7.9.1.4. Effect of Appeal on Decertification. The initiation of
an appeal does not affect the decertified status of a voting system.
Systems are decertified upon notice of Decertification in the
agency's Decision on Decertification (see Section 7.8).
7.9.2. Consideration of Appeal. All timely appeals will be
considered by the Appeal Authority.
7.9.2.1. The Appeal Authority shall be two or more EAC
Commissioners or other individual or individuals appointed by the
Commissioners who have not previously served as investigators,
advisors, or decision makers in the Decertification process.
7.9.2.2. All decisions on appeal shall be based on the record.
7.9.2.3. The decision of the Decision Authority shall be given
deference by the Appeal Authority. Although it is unlikely that the
scientific certification process will produce factual disputes, in
such cases the burden of proof shall belong to the Manufacturer to
demonstrate by clear and convincing evidence that its voting system
met all substantive and procedural requirements for certification.
In other words, the determination of the Decision Authority will be
overturned only when the Appeal Authority finds the ultimate facts
in controversy to be highly probable.
7.9.3. Decision on Appeal. The Appeal Authority shall make a
written, final Decision on Appeal that it shall provide to the
Manufacturer. Each Decision on Appeal shall be final and binding on
the Manufacturer. No additional appeal shall be granted. The
following actions are necessary to write a Decision on Appeal:
7.9.3.1. State the final determination of the agency.
7.9.3.2. Address the matters raised by the Manufacturer on
appeal.
7.9.3.3. Provide the reasoning behind the decision.
7.9.3.4. State that the Decision on Appeal is final.
7.9.4. Effect of Appeal.
7.9.4.1. Grant of Appeal. If a Manufacturer's appeal is granted
in whole, the decision of the Decision Authority is reversed. The
voting system shall have its certification reinstated. For purposes
of this program, the system shall be treated as though it was never
decertified.
7.9.4.2. Denial of Appeal. If a Manufacturer's appeal is denied
in whole or in part, the decision of the Decision Authority is
upheld. The voting system remains decertified and no additional
appeal is available.
7.10. Effect of Decertification. A voting system that has been
decertified no longer holds an EAC certification under the
Certification Program. For purposes of this Manual and the program,
a decertified system will be treated as any other uncertified voting
system. As such, the effects of Decertification are as follows:
[[Page 76299]]
7.10.1. The Manufacturer may not represent the voting system as
certified.
7.10.2. The voting system may not be labeled with a mark of
certification.
7.10.3. The voting system will be removed from the EAC list of
certified systems.
7.10.4. The EAC will notify State and local election officials
of the Decertification.
7.11. Recertification. A decertified system may be resubmitted
for certification. Such systems shall be treated as any other system
seeking certification. The Manufacturer shall present an application
for certification consistent with the instructions of this Manual.
8. Quality Monitoring Program
8.1. Overview. The quality of any product, including a voting
system, depends on two specific elements: (1) the design of the
product or system and (2) the care and consistency of the
manufacturing process. The EAC testing and certification process
focuses on voting system design by ensuring that a representative
sample of a system meets the technical specifications of the
applicable EAC voting system standards. This process, commonly
called ``type acceptance,'' determines whether the representative
sample submitted for testing meets the requirements. What type
acceptance does not do is explore whether variations in
manufacturing may allow production of non-compliant systems.
Generally, the quality of the manufacturing is the responsibility of
the Manufacturer. After a system is certified, the vendor assumes
primary responsibility for compliance of the products produced. This
level of compliance is accomplished by the Manufacturer's
configuration management and quality control processes. The EAC's
Quality Monitoring Program, as outlined in this chapter, however,
provides an additional layer of quality control by allowing the EAC
to perform manufacturing site reviews, carry out fielded system
reviews, and gather information on voting system anomalies from
election officials. These additional tools help ensure that voting
systems continue to meet the requirements of EAC's voting system
standards as the systems are manufactured, delivered, and used in
Federal elections. These aspects of the program enable the EAC to
independently monitor the continued compliance of fielded voting
systems.
8.2. Purpose. The purpose of the Quality Monitoring Program is
to ensure that EAC-certified voting systems are identical to those
fielded in election jurisdictions. This level of quality control is
accomplished primarily by identifying (1) potential quality problems
in manufacturing, (2) uncertified voting system configurations, and
(3) field performance issues with certified systems.
8.3. Manufacturer's Quality Control. EAC's Quality Monitoring
Program is not a substitute for the Manufacturer's quality control
program. As stated in Chapter 2 of this Manual, all Manufacturers
must have an acceptable quality control program in place before they
may be registered. The EAC's program serves as an independent and
complementary process of quality control that works in tandem with
the Manufacturer's efforts.
8.4. Quality Monitoring Methodology. This chapter provides the
EAC with three primary tools for assessing the level of
effectiveness of the certification process and the compliance of
fielded voting systems. These tools include (1) manufacturing site
reviews, (2) fielded system reviews, and (3) a means for receiving
anomaly reports from the field.
8.5. Manufacturing Site Review. Facilities that produce
certified voting systems will be reviewed periodically, at the
discretion of the EAC, to verify that the system being manufactured,
shipped, and sold is the same as the sample submitted for
certification testing. All registered Manufacturers must cooperate
with such audits as a condition of program participation.
8.5.1. Notice. The site review may be scheduled or unscheduled,
at the discretion of the EAC. Unscheduled reviews will be performed
with at least 24 hours notice. Scheduling and notice of site reviews
will be coordinated with and provided to both the manufacturing
facility's representative and the Manufacturer's representative.
8.5.2. Frequency. At a minimum, at least one manufacturing
facility of a registered Manufacturer shall be subject to a site
review at least once every 4 years.
8.5.3. The Review. The production facility and production test
records must be made available for review. When requested,
production schedules must be provided to the EAC. Production or
production testing may be witnessed by EAC representatives. If
equipment is not being produced during the inspection, the review
may be limited to production records. During the inspection, the
Manufacturer must make available to the EAC representative the
Manufacturer's quality manual and other documentation sufficient to
enable the inspector to evaluate the following factors of the
facility's production:
8.5.3.1. Manufacturing quality controls.
8.5.3.2. Final inspection and testing.
8.5.3.3. History of deficiencies or anomalies and corrective
actions taken.
8.5.3.4. Equipment calibration and maintenance.
8.5.3.5. Corrective action program.
8.5.3.6. Policies on product labeling and the application of the
EAC mark of certification.
8.5.4. Exit Briefing. Site reviewers will provide the
manufacturing facility representative a verbal exit briefing
regarding the preliminary observations of the review.
8.5.5. Written Report. A written report documenting the review
will be drafted by the EAC representative and provided to the
Manufacturer. The report will detail the findings of the review and
identify actions that are required to correct any deficiencies.
8.6. Fielded System Review and Testing. Upon invitation or with
the permission of a State or local election authority, the EAC may,
at its discretion, conduct a review of fielded voting systems. Such
reviews will be done to ensure that a fielded system is in the same
configuration as that certified by the EAC and that it has the
proper mark of certification. This review may include the testing of
a fielded system, if deemed necessary. Any anomalies found during
this review and testing will be provided to the election
jurisdiction and the Manufacturer.
8.7. Field Anomaly Reporting. As another means of gathering
field data, the EAC will collect information from election officials
who field EAC-certified voting systems. Information on actual voting
system field performance is a basic means for assessing the
effectiveness of the Certification Program and the manufacturing
quality and version control. The EAC will provide a mechanism for
election officials to provide real-world input on voting system
anomalIes.
8.7.1. Anomaly Report. Election officials may use the Voting
System Anomaly Reporting Form to report voting system anomalies to
the EAC. The form and instructions for its completion are available
as Appendix C in this Manual or on the EAC Web site, http://www.eac.gov.
The form may be filed with the EAC on line, by mail or
by facsimile. Use of the form is required.
8.7.2. Who May Report? State or local election officials who
have experienced voting system anomalies in their jurisdiction may
file anomaly reports. The individuals reporting must identify
themselves and have firsthand knowledge of or official
responsibility over the anomaly being reported. Anonymous or hearsay
reporting will not be accepted.
8.7.3. What Is Reported? Election officials shall report voting
system anomalies. An anomaly is defined as an irregular or
inconsistent action or response from the voting system or system
component resulting in some disruption to the election process.
Incidents resulting from administrator error or procedural
deficiencies are not considered anomalies for purposes of this
chapter. The report must include the following information:
8.7.3.1. The official's name, title, contact information, and
jurisdiction.
8.7.3.2. A description of the voting system at issue.
8.7.3.3. The date and location of the reported occurrence.
8.7.3.4. The type of election.
8.7.3.5. A description of the anomaly witnessed.
8.7.4. Distribution of Credible Reports. Credible reports will
be distributed to State and local election jurisdictions who field
similar systems, the Manufacturer of the voting system at issue, and
the VSTLs. Reports are reviewed by EAC staff in coordination with
relevant State officials. Credible reports:
8.7.4.1. Meet the definition of anomaly under Section 8.7.3,
8.7.4.2. Constitute a complete report per the requirements of
Sections 8.7.3.1 through 8.7.3.5,
8.7.4.3. Have had alleged facts confirmed by contacting filer
and/or others present at the time of the incident, and
8.7.4.4. Have been verified by the relevant State's chief
election official.
8.8. Use of Quality Monitoring Information. Ultimately, the
information the EAC gathers from manufacturing site reviews, fielded
system reviews, and field anomaly reports will be used to improve
the program and ensure the quality of voting systems. The Quality
Monitoring Program is not designed to be punitive but to be focused
on improving the process. Information gathered will be used to
accomplish the following:
[[Page 76300]]
8.8.1. Identify areas for improvement in the EAC Testing and
Certification Program.
8.8.2. Improve manufacturing quality and change control
processes.
8.8.3. Increase voter confidence in voting technology.
8.8.4. Inform Manufacturers, election officials, and the EAC of
issues associated with voting systems in a real-world environment.
8.8.5. Share information among jurisdictions that use similar
voting systems.
8.8.6. Resolve problems associated with voting technology or
manufacturing in a timely manner by involving Manufacturers,
election officials, and the EAC.
8.8.7. Provide feedback to the EAC and the Technical Guidelines
Development Committee (TGDC) regarding issues that may need to be
addressed through a revision to the Voluntary Voting System
Guidelines.
8.8.8. Initiate an investigation when information suggests that
Decertification is warranted (see Chapter 7).
9. Requests for Interpretations
9.1. Overview. A Request for Interpretation is a means by which
a registered Manufacturer or VSTL may seek clarification on a
specific EAC voting system standard (VVSG or VSS). An Interpretation
is a clarification of the voting system standards and guidance on
how to properly evaluate conformance to it. Suggestions or requests
for modifications to the standards are provided by other processes.
This chapter outlines the policy, requirements, and procedures for
submitting a Request for Interpretation.
9.2. Policy. Registered Manufacturers or VSTLs may request that
the EAC provide a definitive Interpretation of EAC-accepted voting
system standards (VVSG or VSS) when, in the course of developing or
testing a voting system, facts arise that make the meaning of a
particular standard ambiguous or unclear. The EAC may self-initiate
such a request when its agents identify a need for interpretation
within the program. An Interpretation issued by the EAC will serve
to clarify what a given standard requires and how to properly
evaluate compliance. Ultimately, an Interpretation does not amend
voting system standards, but serves only to clarify existing
standards.
9.3. Requirements for Submitting a Request for Interpretation.
An EAC Interpretation is limited in scope. The purpose of the
Interpretation process is to provide Manufacturers or VSTLs who are
in the process of developing or testing a voting system a means for
resolving the meaning of a voting system standard in light of a
specific voting system technology without having to present a
finished product to EAC for certification. To submit a Request for
Interpretation, one must (1) be a proper requester, (2) request
interpretation of an applicable voting system standard, (3) present
an actual controversy, and (4) seek clarification on a matter of
unsettled ambiguity.
9.3.1. Proper Requestor. A Request for Interpretation may be
submitted only by a registered Manufacturer or a VSTL. Requests for
Interpretation will not be accepted from any other parties.
9.3.2. Applicable Standard. A Request for Interpretation is
limited to queries on EAC voting system standards (i.e., VVSG or
VSS). Moreover, a Manufacturer or VSTL may submit a Request for
Interpretation only on a version of EAC voting system standards to
which the EAC currently offers certification.
9.3.3. Existing Factual Controversy. To submit a Request for
Interpretation, a Manufacturer or VSTL must present a question
relative to a specific voting system or technology proposed for use
in a voting system. A Request for Interpretation on hypothetical
issues will not be addressed by the EAC. To submit a Request for
Interpretation, the need for clarification must have arisen from the
development or testing of a voting system. A factual controversy
exists when an attempt to apply a specific section of the VVSG or
VSS to a specific system or piece of technology creates ambiguity.
9.3.4. Unsettled, Ambiguous Matter. Requests for Interpretation
must involve actual controversies that have not been previously
settled. This requirement mandates that interpretations contain
actual ambiguities not previously clarified.
9.3.4.1. Actual Ambiguity. A proper Request for Interpretation
must contain an actual ambiguity. The interpretation process is not
a means for challenging a clear EAC voting system standard.
Recommended changes to voting system standards are welcome and may
be forwarded to the EAC, but they are not part of this program. An
ambiguity arises (in applying a voting system standard to a specific
technology) when one of the following occurs:
9.3.4.1.1. The language of the standard is unclear on its face.
9.3.4.1.2. One section of the standard seems to contradict
another, relevant section.
9.3.4.1.3. The language of the standard, though clear on its
face, lacks sufficient detail or breadth to determine its proper
application to a particular technology.
9.3.4.1.4. The language of a particular standard, when applied
to a specific technology, clearly conflicts with the established
purpose or intent of the standard.
9.3.4.1.5. The language of the standard is clear, but the proper
means to assess compliance is unclear.
9.3.4.2. Not Previously Clarified. The EAC will not accept a
Request for Interpretation when the issue has previously been
clarified.
9.4. Procedure for Submitting a Request for Interpretation. A
Request for Interpretation shall be made in writing to the Program
Director. All requests should be complete and as detailed as
possible because Interpretations issued by the EAC are based on, and
limited to, the facts presented. Failure to provide complete
information may result in an Interpretation that is off point and
ultimately immaterial to the issue at hand. The following steps must
be taken when writing a Request for Interpretation:
9.4.1. Establish Standing To Make the Request. To make a
request, one must meet the requirements identified in Section 9.3
above. Thus, the written request must provide sufficient information
for the Program Director to conclude that the requestor is (1) a
proper requester, (2) requesting an Interpretation of an applicable
voting system standard, (3) presenting an actual factual
controversy, and (4) seeking clarification on a matter of unsettled
ambiguity.
9.4.2. Identify the EAC Voting System Standard To Be Clarified.
The request must identify the specific standard or standards to
which the requestor seeks clarification. The request must state the
version of the voting system standards at issue (if applicable) and
quote and correctly cite the applicable standards.
9.4.3. State the Facts Giving Rise to the Ambiguity. The request
must provide the facts associated with the voting system technology
that gave rise to the ambiguity in the identified standard. The
requestor must be careful to provide all necessary information in a
clear, concise manner. Any Interpretation issued by the EAC will be
based on the facts provided.
9.4.4. Identify the Ambiguity. The request must identify the
ambiguity it seeks to resolve. The ambiguity shall be identified by
stating a concise question that meets the following requirements:
9.4.4.1. Shall be clearly stated.
9.4.4.2. Shall be related to and reference the voting system
standard and voting system technology information provided.
9.4.4.3. Shall be limited to a single issue. Each question or
issue arising from an ambiguous standard must be stated separately.
Compound questions are unacceptable. If multiple issues exist, they
should be presented as individual, numbered questions.
9.4.4.4. Shall be stated in a way that can ultimately be
answered yes or no.
9.4.5. Provide a Proposed Interpretation. A Request for
Interpretation should propose an answer to the question posed. The
answer should interpret the voting system standard in the context of
the facts presented. It should also provide the basis and reasoning
behind the proposal.
9.5. EAC Action on a Request for Interpretation. Upon receipt of
a Request for Interpretation, the EAC shall take the following
action:
9.5.1. Review the Request. The Program Director shall review the
request to ensure it is complete, is clear, and meets the
requirements of Section 9.3. Upon review, the Program Director may
take the following action:
9.5.1.1. Request Clarification. If the Request for
Interpretation is incomplete or additional information is otherwise
required, the Program Director may request that the Manufacturer or
VSTL clarify its Request for Interpretation and identify any
additional information required.
9.5.1.2. Reject the Request for Interpretation. If the Request
for Interpretation does not meet the requirements of Section 9.3,
the Program Director may reject it. Such rejection must be provided
in writing to the Manufacturer or VSTL and must state the basis for
the rejection.
9.5.1.3. Notify Acceptance of the Request. If the Request for
Interpretation is acceptable, the Program Director will notify the
Manufacturer or VSTL in writing and provide
[[Page 76301]]
it with an estimated date of completion. A Request for
Interpretation may be accepted in whole or in part. A notice of
acceptance shall state the issues accepted for interpretation.
9.5.2. Consideration of the Request. After a Request for
Interpretation has been accepted, the matter shall be investigated
and researched. Such action may require the EAC to employ technical
experts. It may also require the EAC to request additional
information from the Manufacturer or VSTL. The Manufacturer or VSTL
shall respond promptly to such requests.
9.5.3. Interpretation. The Decision Authority shall be
responsible for making determinations on a Request for
Interpretation. After this determination has been made, a written
Interpretation shall be sent to the Manufacturer or VSTL. The
following actions are necessary to prepare this written
Interpretation:
9.5.3.1. State the question or questions investigated.
9.5.3.2. Outline the relevant facts that served as the basis of
the Interpretation.
9.5.3.3. Identify the voting system standards interpreted.
9.5.3.4. State the conclusion reached.
9.5.3.5. Inform the Manufacturer or VSTL of the effect of an
Interpretation (see Section 9.6).
9.6. Effect of Interpretation. Interpretations are fact specific
and case specific. They are not tools of policy, but specific, fact-
based guidance useful for resolving a particular problem.
Ultimately, an Interpretation is determinative and conclusive only
with regard to the case presented. Nevertheless, Interpretations do
have some value as precedent. Interpretations published by the EAC
shall serve as reliable/guidance and authority over identical or
similar questions of interpretation. These Interpretations will help
users understand and apply the provisions of EAC voting system
standards.
9.7. Library of Interpretations. To better serve Manufacturers,
VSTLs, and those interested in the EAC voting system standards, the
Program Director shall publish EAC Interpretations. All proprietary
information contained in an Interpretation will be redacted before
publication consistent with Chapter 10 of this Manual. The library
of published opinions is posted on the EAC Web site: http://www.eac.gov
.
10. Release of Certification Program Information
10.1. Overview. Manufacturers participating in the Certification
Program will be required to provide the EAC a variety of documents.
In general, these documents will be releasable to the public.
Moreover, in many cases, the information provided will be
affirmatively published by the EAC. In limited cases, however,
documents may not be released if they include trade secrets,
confidential commercial information, or personal information. While
the EAC is ultimately responsible for determining which documents
Federal law protects from release, Manufacturers must identify the
information they believe is protected and ultimately provide
substantiation and a legal basis for withholding. This chapter
discusses EAC's general policy on the release of information and
provides Manufacturers with standards, procedures, and requirements
for identifying documents as trade secrets or confidential
commercial information.
10.2. EAC Policy on the Release of Certification Program
Information. The EAC seeks to make its Voting System Testing and
Certification Program as transparent as possible. The agency
believes that such action benefits the program by increasing public
confidence in the process and creating a more informed and involved
public. As such, it is the policy of the EAC to make all documents,
or severable portions thereof, available to the public consistent
with Federal law (e.g. Freedom of Information Act (FOIA) and the
Trade Secrets Act).
10.2.1. Requests for information. As in any Federal program,
members of the public may request access to Certification Program
documents under FOIA (5 U.S.C. Sec. 552). The EAC will promptly
process such requests per the requirements of that Act.
10.2.2. Publication of documents. Beyond the requirements of
FOIA, the EAC intends to affirmatively publish program documents (or
portions of documents) it believes will be of interest to the
public. This publication will be accomplished through the use of the
EAC Web site (http://www.eac.gov). The published documents will
cover the full spectrum of the program, including information
pertaining to:
10.2.2.1. Registered Manufacturers;
10.2.2.2. VSTL test plans;
10.2.2.3. VSTL test reports;
10.2.2.4. Agency decisions;
10.2.2.5. Denials of Certification;
10.2.2.6. Issuance of Certifications;
10.2.2.7. Information on a certified voting system's operation,
components, features or capabilities;
10.2.2.8. Appeals;
10.2.2.9. Reports of investigation and Notice of Non-compliance;
10.2.2.10. Decertification actions;
10.2.2.11. Manufacturing facility review reports;
10.2.2.12. Official Interpretations (VVSG or VSS); and
10.2.2.13. Other topics as determined by the EAC.
10.2.3. Trade Secret and Confidential Commercial Information.
Federal law places a number of restrictions on a Federal agency's
authority to release information to the public. Two such
restrictions are particularly relevant to the Certification program:
(1) trade secrets information and (2) privileged or confidential
commercial information. Both types of information are explicitly
prohibited from release by the FOIA and the Trade Secrets Act (18
U.S.C. 1905).
10.3. Trade Secrets. A trade secret is a secret, commercially
valuable plan, process, or device that is used for the making or
processing of a product and that is the end result of either
innovation or substantial effort. It relates to the productive
process itself, describing how a product is made. It does not relate
to information describing end product capabilities, features, or
performance.
10.3.1. The following examples illustrate productive processes
that may be trade secrets:
10.3.1.1. Plans, schematics, and other drawings useful in
production.
10.3.1.2. Specifications of materials used in production.
10.3.1.3. Voting system source code used to develop or
manufacture software where release would reveal actual programming.
10.3.1.4. Technical descriptions of manufacturing processes and
other secret information relating directly to the production
process.
10.3.2. The following examples are likely not trade secrets:
10.3.2.1. Information pertaining to a finished product's
capabilities or features.
10.3.2.2. Information pertaining to a finished product's
performance.
10.3.2.3. Information regarding product components that would
not reveal any commercially valuable information regarding
production.
10.4. Privileged or Confidential Commercial Information.
Privileged or confidential commercial information is that
information submitted by a Manufacturer that is commercial or
financial in nature and privileged or confidential.
10.4.1. Commercial or Financial Information. The terms
commercial and financial should be given their ordinary meanings.
They include records in which a submitting Manufacturer has any
commercial interest.
10.4.2. Privileged or Confidential Information. Commercial or
financial information is privileged or confidential if its
disclosure would likely cause substantial harm to the competitive
position of the submitter. The concept of harm to one's competitive
position focuses on harm flowing from a competitor's affirmative use
of the proprietary information. It does not include incidental harm
associated with upset customers or employees.
10.5. EAC's Responsibilities. The EAC is ultimately responsible
for determining whether or not a document (in whole or in part) may
be released pursuant to Federal law. In doing so, however, the EAC
will require information and input from the Manufacturer submitting
the documents. This requirement is essential for the EAC to
identify, track, and make determinations on the large volume of
documentation it receives. The EAC has the following
responsibilities:
10.5.1. Managing Documentation and Information. The EAC will
control the documentation it receives by ensuring that documents are
secure and released to third parties only after the appropriate
review and determination.
10.5.2. Contacting Manufacturer on Proposed Release of
Potentially Protected Documents. In the event a member of the public
submits a FOIA request for documents provided by a Manufacturer or
the EAC otherwise proposes the release of such documents, the EAC
will take the following actions:
10.5.2.1. Review the documents to determine if they are
potentially protected from release as trade secrets or confidential
commercial information. The documents at issue may have been
previously identified as protected by the Manufacturer when
[[Page 76302]]
submitted (see Section 10.7.1 below) or identified by the EAC on
review.
10.5.2.2. Grant the submitting Manufacturer an opportunity to
provide input. In the event the information has been identified as
potentially protected from release as a trade secret or confidential
commercial information, the EAC will notify the submitter and allow
it an opportunity to submit its position on the issue prior to
release of the information. The submitter shall respond consistent
with Section 10.7.1 below.
10.5.3. Final Determination on Release. After providing the
submitter of the information an opportunity to be heard, the EAC
will make a final decision on release. The EAC will inform the
submitter of this decision.
10.6. Manufacturer's Responsibilities. Although the EAC is
ultimately responsible for determining if a document, or any portion
thereof, is protected from release as a trade secret or confidential
commercial information, the Manufacturer shall be responsible for
identifying documents, or portions of documents, it believes warrant
such protection. Moreover, the Manufacturer will be responsible for
providing the legal basis and substantiation for its determination
regarding the withholding of a document. This responsibility arises
in two situations: (1) upon the initial submission of information,
and (2) upon notification by the EAC that it is considering the
release of potentially protected information.
10.6.1. Initial Submission of Information. When a Manufacturer
is submitting documents to the EAC as required by the Certification
Program, it is responsible for identifying any document or portion
of a document that it believes is protected from release by Federal
law. Manufacturers shall identify protected information by taking
the following action:
10.6.1.1. Submitting a Notice of Protected Information. This
notice shall identify the document, document page, or portion of a
page that the Manufacturer believes should be protected from
release. This identification must be done with specificity. For each
piece of information identified, the Manufacturer must state the
legal basis for its protected status.
10.6.1.1.1. Cite the applicable law that exempts the information
from release.
10.6.1.1.2. Clearly discuss why that legal authority applies and
why the document must be protected from release.
10.6.1.1.3. If necessary, provide additional documentation or
information. For example, if the Manufacturer claims a document
contains confidential commercial information, it would also have to
provide evidence and analysis of the competitive harm that would
result upon release.
10.6.1.2. Label Submissions. Label all submissions identified in
the notice as ``Proprietary Commercial Information.'' Label only
those submissions identified as protected. Attempts to
indiscriminately label all materials as proprietary will render the
markings moot.
10.6.2. Notification of Potential Release. In the event a
Manufacturer is notified that the EAC is considering the release of
information that may be protected, the Manufacturer shall take the
following action:
10.6.2.1. Respond to the notice within 15 calendar days. If
additional time is needed, the Manufacturer must promptly notify the
Program Director. Requests for additional time will be granted only
for good cause and must be made before the 15-day deadline.
Manufacturers that do not respond in a timely manner will be viewed
as not objecting to release.
10.6.2.2. Clearly state one of the following in the response:
10.6.2.2.1. There is no objection to release, or
10.6.2.2.2. The Manufacturer objects to release. In this case,
the response must clearly state which portions of the document the
Manufacturer believes should be protected from release. The
Manufacturer shall follow the procedures discussed in Section 10.7.1
above.
10.7. Personal Information. Certain personal information is
protected from release under FOIA and the Privacy Act (5 U.S.C.
552a). This information includes private information about a person
that, if released, would cause the individual embarrassment or
constitute an unwarranted invasion of personal privacy. Generally,
the EAC will not require the submission of private information about
individuals. The incidental submission of such information should be
avoided. If a Manufacturer believes it is required to submit such
information, it should contact the Program Director. If the
information will be submitted, it must be properly identified.
Examples of such information include the following:
10.7.1. Social Security Number.
10.7.2. Bank account numbers.
10.7.3. Home address.
10.7.4. Home phone number.
BILLING CODE 6820-KF-M
[[Page 76303]]
[GRAPHIC] [TIFF OMITTED] TN20DE06.001
[[Page 76304]]
[GRAPHIC] [TIFF OMITTED] TN20DE06.002
[[Page 76305]]
[GRAPHIC] [TIFF OMITTED] TN20DE06.003
[FR Doc. 06-9751 Filed 12-19-06; 8:45 am]
BILLING CODE 6820-KF-C