EAC certifies first voting system under voluntary guidelines testing program
- By William Jackson
- Feb 10, 2009
The Election Assistance Commission (EAC) has certified the first voting system to complete its voluntary testing and certification program.
The Election Management System 4.0 from MicroVote General Corp. underwent a 17-month evaluation by an independent, accredited laboratory against the EAC’s 2005 voluntary voting system guidelines, a set of specifications for functionality, security and accessibility. The guidelines have been developed with the National Institute of Standards and Technology, which also administers the laboratory accreditation program. The certification program was launched in 2007.
The MicroVote system began the certification process in August 2007 with the iBeta Quality Assurance laboratory. Final testing reports were approved in December 2008, and certification was granted Feb. 6.
The certification program was given to the EAC in the wake of the 2000 presidential election; participation is voluntary. Because national elections are run by the states, the federal government cannot require certification to EAC standards, although most states require some level of certification. Ten states now require certification to the EAC guidelines.
But the Government Accountability Office said last September that the system for accrediting laboratories needs to be better defined and implemented. Four labs have been certified, but at least two of the labs and several voting system manufacturers have run into problems for failing to meet requirements.
GAO concluded that the standards for accrediting the labs have not been adequately defined by NIST and the accrediting process has not been adequately documented. The auditing agency recommended that NIST and EAC retool the program to ensure that accreditations are performed consistently and are verifiable.
EAC also is revamping its voluntary guidelines, and said that the next version will include a formal risk assessment of voting systems that would help identify an acceptable level of risk for all types of systems used in federal elections. The project will apply principles laid out in the Federal Information Security Management Act and will use the procedures and guidelines for FISMA compliance created by the National Institute of Standards and Technology. FISMA requires that government information systems have a level of security appropriate for the risks they face and the seriousness of consequences if data is compromised. These requirements apply only to federal IT systems, not to the state and local governments that administer elections.
Under the current guidelines, MicroVote complied with certification requirements to:
- Create a trusted build of the voting system in the testing lab.
- Provide software identification tools to the EAC so that users can verify authenticity.
- Provide a reference copy of software to the EAC.
EAC monitors voting systems after certification, and manufacturers must report all irregularities that occur in certified systems. Manufacturers also must report modifications to hardware, software or firmware. The EAC is supposed to conduct site visits and reviews of all federally certified systems used in elections.
Eight other voting systems are going through the testing and certification program: The Dominion Voting Democracy Suite; ES&S Unity 220.127.116.11 & Unity 18.104.22.168 w. ATS 1.3, Unity 22.214.171.124, and Unity 4.0; Premier (formerly Diebold) Assure 1.2; Sequoia WinEDS 4.0.34; Unisyn OpenElect Voting System; and Avante Optical Vote-Trakker.
William Jackson is freelance writer and the author of the CyberEye blog.