Cyber Security Public Working Group



The new VVSG is a nimble set of high level principles that will be supplemented by accompanying requirements for how systems can meet the new guidelines and obtain certification. The supplemental requirements will also detail test assertions for how the accredited test laboratories will validate that the system complies with those requirements.

The new VVSG structure is anticipated to be:

  • Principles: High level system design goals;
  • Guidelines: Broad description of the functions that make up a voting system;
  • Requirements: Technical details necessary for manufacturers to design devices that meet the principles and guidelines of a voting system;
  • Test Assertions: Technical specifications required for laboratories to test a voting system against the requirements.
The NIST Voting System CyberSecurity Working Group is for the discussion and development of guidance for voting system cybersecurity-related issues, including various aspects of security controls and auditing capabilities. The guidance will inform the development of requirements for the Election Assistance Commission (EAC) Voluntary Voting System Guidelines (VVSG).


  • Identifying Security Objectives and Principles

    Main Topic: SecurityObjectives

    Identify critical high-level voting system security objectives to structure our work. Examine related requirements from the VVSG 1.1, the draft VVSG 2.0, and other general computer security guidelines to help us develop the list of objectives.

  • Investigate Priority Election Use Cases (Complete)

    Main Topic: UseCasesSecurity

    Initial topics include:
    • Electronic Pollbooks
    • Ballot Delivery
    • Ballot-on-Demand
    • Ballot Marking
    • Auditing
    • Election Night Reporting

  • Collect/Develop Best Practices

    Main Topic: SecurityBestPractices

    Provide election officials with security best practices tailored for voting systems, identifying actionable security controls and procedures that can be implemented by jurisdictions.

  • Identifying and Prioritizing Risks

    Collect, discuss and analyze information on risks in voting systems in order to identify and prioritize issues that should be addressed in the next VVSG.

VVSG 2.0 Draft Requirements

The following are draft requirements under development, organized by VVSG 2.0 Principles & Guidelines.

  • Principle 2 - High Quality Implementation
  • Principle 9 - Auditable
  • Principle 10 - Ballot Secrecy
  • Principle 11 - Access Control
  • Principle 12 - Physical Security
  • Principle 13 - Data Protection
  • Principle 14 - System Integrity
  • Principle 15 - Detection & Monitoring

VVSG 2.0 DRAFT Testing Strategies

We will develop testing guidance for the VVSG 2.0 security requirements.

Methodology document for developing testing guidance.

PA VOTING SYSTEM SECURITY STANDARD: This document is Attachment E to the Directive for electronic voting systems by Pennsylvania's Department of State. It includes test specifications for testing and analysis of Pennsylvania's voting systems.

Analysis of the 2007 VVSG DRAFT Recommendations

Copies of draft and final gap analysis documents are located here.

  • Auditability
  • Ballot Secrecy
  • System Event Logs
  • Communication Security
  • Physical Security
  • Cryptography
  • Setup Inspection
  • Software Installation
  • Access Control
  • System Integrity Management

Potential Areas for Voluntary Best Practices for Security

In no particular order:

  • Electronic signature verification

  • Provisional ballot and qualification in question handling
  • Use of public telecom
  • Indicators of compromise for voting systems
  • Compliance audits
  • Risk limiting audits
  • Cryptographic key and password management



Meeting Information:

The regular meeting time for the Voting System Cybersecurity Working Group is 14:00 Eastern every other Friday. The meetings are held via telecon and Webex.

Audio Connection:

Meeting Number: 191 222 349

The rough schedule for the Working Group is:

October 6 Finalize the 2007 Review: Access Control & System Integrity requirements, Begin SI discussions
October 20 Software Independence - Paper
November 3 Software Independence - Fully Electronic
November 17 Support for audits, small batch, variable size, and images
December 1 Efficient audits
December 15 Audits & Physical Security
January 5 Ballot Secrecy
January 19 Ballot Secrecy & Access Control
February 2 Access Control
February 16 System Integrity
March 2 System Integrity / Detection & Monitoring
March 30 Detection & Monitoring / Data Protection
April 13 Data Protection / Ballot Secrecy
April 27 Discuss Open Problem Areas
May 11 Discuss Open Problem Areas
May 25 Finish Draft Requirements
(Schedule updated 01/18/2018)

The first NIST Voting System CyberSecurity Working Group teleconference was on August 11th, 2016 from 11:00AM-12:00PM Eastern Time.



Name: David Wagner


Affiliation: Univ. of California, Berkeley

Agency Lead

Name: Gema Howell


Affiliation: NIST


Participation in this Working Group is open to all interested parties. There are no membership fees.

Regular telecon participants include, but are not limited to:

  • Gema Howell, NIST
  • Ryan Macias, EAC
  • Jessica Bowers, Dominion Voting Systems
  • Lynn Garland
  • Steven Blachman, Hart
  • Aaron Wilson, Clearballot
  • Neal McBurnett, ElectionAudits
  • Lauren Massa Lochridge
  • Trevor Timmons, Colorado Secretary of State's Office
  • Paul Hain, Election Systems & Software
  • Susan Greenhalgh, Verified Voting
  • John Dziurlaj, Hilton Roscoe
  • John McCarthy, Verified Voting
  • Marc Schneider, MITRE


Wiki URL:

Email List

Email List Name: vvsg-cybersecurity

To join the list or find more information about list policies and related procedures, please visit the VVSG Working Group Lists page.

Meeting Archive

Notes from past meetings are available on the CybersecurityMeetingArchives page.

Relevant Documents


Ballot Casting Assurance: Ben Adida & C. Andrew Neff

Public Evidence from Secret Ballots: Matthew Bernhard, Josh Benaloh, J. Alex Halderman, Ronald L. Rivest, Peter Y. A. Ryan, Philip B. Stark, Vanessa Teague, Poorvi L. Vora, & Dan S. Wallach

DEFCON Voting Machine Hacking Village Report: Matt Blaze, Jake Braun, Harri Hursti, Joseph Lorenzo Hall, Margaret MacAlpine, & Jeff Moss

In-depth Discussion on 17 Functions from February 2017 TGDC Meeting: Brian Hancock & Ryan Macias

Voluntary Voting System Guidelines (VVSG) Recommendations to the Election Assistance Commission - 2007: Prepared at the Direction of the TGDC

Evidence-Based Elections: P.B. Stark & D.A. Wagner

On the Notion of Software Independence: Ronald L. Rivest & John P. Wack

A Gentle Introduction to Risk-limiting Audits: Mark Lindeman & Philip B. Stark

Machine-Assisted Election Auditing: Joseph A. Calandrino, J. Alex Halderman, & Edward W. Felten

Risks of E-Voting: Matt Bishop & David Wagner

Election Operations Assessment - Threat Trees and Matrices: University of South Alabama / EAC

Voting: What Has Changed, What Hasn't, & Why - Research Bibliography: CALTECH/MIT Voting Technology Project

Voluntary Voting System Guidelines (VVSG) 1.1 - 2015

Voluntary Voting System Guidelines Recommendations to the Election Assistance Commission (Informally VVSG 2.0)

Topic attachments
Attachment History Action Size Date Who Comment
PDFpdf 2007-VVSG-SecurityRequirementsMapping-1.pdf r1 manage 89.8 K 2017-08-24 - 18:09 GemaHowell  
PDFpdf 2007VVSGCommunicationSecurityRequirements.pdf r1 manage 123.6 K 2017-06-27 - 20:41 GemaHowell 2007 VVSG Communication Security Requirements
PDFpdf 2007VVSGPhysicalSecurityRequirements.pdf r1 manage 109.3 K 2017-06-27 - 20:42 GemaHowell 2007 VVSG Physical Security Requirements
PDFpdf BallotSecrecy-GapAnalysis-06062017-1.pdf r1 manage 368.7 K 2017-06-20 - 19:46 GemaHowell Ballot Secrecy Gap Analysis
PDFpdf BallotSecrecyReqs-06122017-1.pdf r1 manage 311.2 K 2017-06-20 - 19:45 GemaHowell Ballot Secrecy Requirements
PDFpdf BallotSecrecyRequirements-20180103.pdf r1 manage 384.4 K 2018-01-04 - 14:30 GemaHowell  
PDFpdf BallotSecrecyRequirements-20180105.pdf r1 manage 384.0 K 2018-01-16 - 21:20 GemaHowell  
PDFpdf CryptographyRequirements-20170712.pdf r1 manage 307.5 K 2017-07-13 - 02:45 GemaHowell VVSG 2007 Cryptography Requirements
PDFpdf Final-MappingVVSG2007AccessControlRequirements-20171206.pdf r1 manage 1360.9 K 2017-12-07 - 20:58 GemaHowell  
PDFpdf Final-MappingVVSG2007AuditabilityRequirements-1.pdf r1 manage 673.3 K 2017-06-20 - 19:27 GemaHowell Auditability Requirements - 20170612
PDFpdf Final-MappingVVSG2007BallotSecrecyRequirements.pdf r1 manage 642.9 K 2017-06-22 - 03:02 GemaHowell 2007 VVSG Ballot Secrecy Requirements
PDFpdf Final-MappingVVSG2007PhysicalSecurityRequirements.pdf r1 manage 99.6 K 2017-07-13 - 02:46 GemaHowell Final Mapping of VVSG 2007 Physical Security Requirements
PDFpdf Final-MappingVVSG2007SetupInspectionRequirements.pdf r1 manage 405.9 K 2017-10-20 - 13:52 GemaHowell  
PDFpdf Final-MappingVVSG2007SoftwareInstallationRequirements.pdf r1 manage 518.2 K 2017-10-20 - 13:52 GemaHowell  
PDFpdf Final-MappingVVSG2007SystemEventLoggingRequirements.pdf r1 manage 750.5 K 2017-07-13 - 02:47 GemaHowell Final Mapping of VVSG 2007 System Event Logging Requirements
PDFpdf Final-TGDC-VVSG-08312007.pdf r1 manage 4967.7 K 2017-04-05 - 16:21 GemaHowell VVSG 2007 Recommendations to the EAC
PDFpdf FinalMapping2007CommSecurityReqs.pdf r1 manage 530.0 K 2017-10-11 - 21:24 GemaHowell  
PDFpdf FinalMappingVVSG2007CryptographyRequirements.pdf r1 manage 439.4 K 2017-10-11 - 21:24 GemaHowell  
PDFpdf GapsInAuditRequirements.pdf r1 manage 46.5 K 2017-06-05 - 12:56 GemaHowell  
PDFpdf GapsInCommSecurityRequirements.pdf r1 manage 126.0 K 2017-07-12 - 12:13 GemaHowell Communication Security Gap Analysis
PDFpdf GapsInCryptographyRequirements-20170712.pdf r1 manage 205.3 K 2017-07-13 - 02:46 GemaHowell Cryptography Gap Analysis
PDFpdf GapsInPhysicalSecurityRequirements.pdf r1 manage 119.5 K 2017-06-27 - 20:43 GemaHowell Physical Security Gap Analysis
PDFpdf Principle12-Requirements-DRAFT-20180105.pdf r1 manage 388.3 K 2018-01-16 - 20:51 GemaHowell  
PDFpdf SetupInspection-GapAnalysis-20170807.pdf.pdf r1 manage 463.4 K 2017-08-11 - 13:57 GemaHowell Setup Inspection Gap Analysis
PDFpdf SetupInspectionRequirements-20170807.pdf r1 manage 391.9 K 2017-08-11 - 14:01 GemaHowell VVSG 2007 Setup Inspection Requirements
PDFpdf SoftwareInstallationGapAnalysis-20170807.pdf r1 manage 218.9 K 2017-08-11 - 14:00 GemaHowell Software Installation Gap Analysis
PDFpdf SoftwareInstallationRequirements-20170807.pdf r1 manage 381.4 K 2017-08-11 - 14:00 GemaHowell VVSG 2007 Software Installation Requirements
PDFpdf SystemEventLog-GapAnalysis-0612017-1.pdf r1 manage 414.7 K 2017-06-20 - 19:41 GemaHowell System Event Log Gap Analysis
PDFpdf SystemEventLogReqs-0612017-1.pdf r1 manage 672.0 K 2017-06-20 - 19:40 GemaHowell System Event Log Requirements
PDFpdf TestDevMethodology-20180809.pdf r1 manage 201.6 K 2018-08-17 - 03:37 GemaHowell  
PDFpdf UpdatingandMappingVVSG2007AuditabilityRequirements.pdf r1 manage 282.5 K 2017-06-02 - 20:21 GemaHowell Mapping of audit requirements to the principles/guidelines
PDFpdf 2007-VVSG.pdf r1 manage 4967.7 K 2017-04-06 - 20:39 JoshuaFranklin Voluntary Voting System Guidelines Recommendations to the Election Assistance Commission
PDFpdf 2007_VVSG_Auditing_Requirement_-_20171620.pdf r1 manage 924.2 K 2017-06-20 - 20:31 JoshuaFranklin  
PDFpdf AccessControl20180117.pdf r1 manage 263.0 K 2018-01-23 - 17:29 JoshuaFranklin  
PDFpdf AccessControl20180201.pdf r1 manage 219.1 K 2018-02-02 - 03:30 JoshuaFranklin  
PDFpdf AccessControl20180214.pdf r1 manage 304.1 K 2018-02-15 - 00:04 JoshuaFranklin  
PDFpdf AccessControlGapAnalysis-20170921.pdf r1 manage 677.3 K 2017-09-22 - 03:33 JoshuaFranklin  
PDFpdf AccessControlRequirements-20170921.pdf r1 manage 779.7 K 2017-09-22 - 03:33 JoshuaFranklin  
PDFpdf Audit_Definitions.pdf r1 manage 42.9 K 2018-01-31 - 15:31 JoshuaFranklin  
PDFpdf BallotSecrecyRequirements-20180117.pdf r1 manage 119.3 K 2018-01-19 - 15:11 JoshuaFranklin  
PDFpdf DataProtectionRequirements-20180321.pdf r2 r1 manage 93.4 K 2018-04-03 - 17:34 JoshuaFranklin  
PDFpdf DetectionAndMonitoringRequirements-20180228.pdf r1 manage 1824.4 K 2018-02-28 - 23:07 JoshuaFranklin  
PDFpdf Early-SI-Requirements-20171006.pdf r1 manage 24.4 K 2018-01-18 - 19:43 JoshuaFranklin  
PDFpdf Principle-10-BallotSecrecyRequirements-20180423-Clean.pdf r1 manage 120.6 K 2018-04-23 - 19:28 JoshuaFranklin  
PDFpdf Principle-10-BallotSecrecyRequirements-20180423-TrackedChanges.pdf r1 manage 210.4 K 2018-04-23 - 19:28 JoshuaFranklin  
PDFpdf Principle-11-AccessControlRequirements20180423-Clean.pdf r1 manage 163.2 K 2018-04-23 - 19:28 JoshuaFranklin  
PDFpdf Principle-11-AccessControlRequirements20180423-TrackedChanges.pdf r1 manage 334.6 K 2018-04-23 - 19:28 JoshuaFranklin  
PDFpdf Principle-12-PhysicalSecurityRequirements-20180423-Clean.pdf r1 manage 83.9 K 2018-04-23 - 19:28 JoshuaFranklin  
PDFpdf Principle-13-DataProtectionRequirements-20180423-Clean.pdf r1 manage 95.0 K 2018-04-23 - 19:28 JoshuaFranklin  
PDFpdf Principle-13-DataProtectionRequirements-20180423-TrackedChanges.pdf r1 manage 139.5 K 2018-04-23 - 19:28 JoshuaFranklin  
PDFpdf Principle-14-SystemIntegrityRequirements-20180423-Clean.pdf r1 manage 111.1 K 2018-04-23 - 19:28 JoshuaFranklin  
PDFpdf Principle-14-SystemIntegrityRequirements-20180423-TrackedChanges.pdf r1 manage 189.4 K 2018-04-23 - 19:58 JoshuaFranklin  
PDFpdf Principle-15-DetectionMonitoringRequirements-20180423-Clean.pdf r1 manage 137.1 K 2018-04-23 - 19:58 JoshuaFranklin  
PDFpdf Principle-9-AuditabilityRequirements-20180423-Clean.pdf r1 manage 137.0 K 2018-04-23 - 19:28 JoshuaFranklin  
PDFpdf Principle-9-AuditabilityRequirements-20180423-TrackedChanges.pdf r1 manage 379.8 K 2018-04-23 - 19:28 JoshuaFranklin  
PDFpdf Principle12-Requirements-DRAFT-20171215.pdf r1 manage 86.3 K 2018-01-25 - 19:22 JoshuaFranklin  
PDFpdf Principle9-Requirements-DRAFT-20171201.pdf r1 manage 101.0 K 2018-01-23 - 20:46 JoshuaFranklin  
PDFpdf Principle9-Requirements-DRAFT-20171215.pdf r1 manage 205.2 K 2018-01-23 - 18:00 JoshuaFranklin  
PDFpdf Principles-Update-20170119.pdf r1 manage 331.6 K 2017-02-01 - 20:32 JoshuaFranklin  
PDFpdf Principles-Update-20170131.pdf r1 manage 331.8 K 2017-02-01 - 20:31 JoshuaFranklin Cybersecurity Principles & Updates - 20170131
PDFpdf RLARequirements-20171117.pdf r1 manage 29.2 K 2018-01-23 - 19:01 JoshuaFranklin  
PDFpdf SI-Requirements-20171020.pdf r1 manage 40.5 K 2018-01-25 - 19:18 JoshuaFranklin  
PDFpdf SoftwareRequirements-20180509.pdf r1 manage 163.6 K 2018-05-23 - 20:08 JoshuaFranklin  
PDFpdf SoftwareRequirements-20180524.pdf r1 manage 245.0 K 2018-06-15 - 18:02 JoshuaFranklin  
PDFpdf SystemIntegrityComments-20180213.pdf r1 manage 69.2 K 2018-02-13 - 21:18 JoshuaFranklin  
PDFpdf SystemIntegrityManagementGapAnalysis-20170921.pdf r1 manage 579.6 K 2017-09-22 - 03:33 JoshuaFranklin  
PDFpdf SystemIntegrityManagementRequirements-20170921.pdf r1 manage 492.1 K 2017-09-22 - 03:33 JoshuaFranklin  
PDFpdf SystemIntegrityRequirements-20180129.pdf r1 manage 99.4 K 2018-01-30 - 18:01 JoshuaFranklin  
PDFpdf SystemIntegrityRequirements-20180213.pdf r1 manage 153.1 K 2018-02-15 - 00:07 JoshuaFranklin  
PDFpdf Voting_System_Requirements_for_Ballot-Level_Auditing.pdf r1 manage 55.3 K 2018-01-31 - 15:31 JoshuaFranklin  
Topic revision: r88 - 2018-08-17 - GemaHowell
PLEASE NOTE: This wiki is a collaborative website. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. All the material on this website is in the public domain, including any text, diagrams, or images, unless indicated explicitly. Don't share anything on this site that you do not want to be public. Do not pass any proprietary documents or put any on the TWiki with implied public disclosure. If you do, it shall be deemed to have been disclosed on a non-confidential basis, without any restrictions on use by anyone, except that no valid copyright or patent right shall be deemed to have been waived by such disclosure. Certain commercial equipment, instruments, materials, systems, software, and trade names may be identified throughout this site in order to specify or identify technologies adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the systems or products identified are necessarily the best available for the purpose. Any data provided on this site is for illustrative purposes only, and does not imply a validation of results by NIST. By selecting external links, you will be leaving NIST webspace. Links to other websites are provided because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose.