Security Principles

These security principles were derived from the requirements found in the VVSG 1.1 (Vol 1, Vol 2) and the 2007 Recommendations to the TGDC (previously known as the VVSG 2.0).

Principle Name / Principle Descriptions & Guidelines

Auditability
  The voting system is auditable and enables evidence-based elections.
  An undetected error or fault in the voting system's software or hardware is not capable of causing an undetectable change in election results.
  The voting system produces records that provide the ability to check whether the election outcome is correct, and to the extent possible, identify the root cause of any irregularities.
  Voting system records are resilient in the presence of intentional forms of tampering and accidental errors.
  The voting system supports efficient audits.

Ballot Secrecy
  The voting system protects the secrecy of voters' ballot selections.
  Ballot secrecy is maintained throughout the voting process.
  Records, notifications, and other election artifacts produced by the voting system do not reveal the intent, choices, or selections of any identifiable voter.

Access Control
  The voting system authenticates administrators, users, devices and services before granting access to sensitive functions.
  The voting system identifies users, roles and/or processes to which access is granted and the specific functions and data to which each entity holds authorized access.
  The voting system supports authentication mechanisms and allows administrators to configure them.
  Default access control policies enforce the principle of least privilege.

Physical Security
  The voting system prevents or detects attempts to tamper with voting system hardware.
  Any unauthorized physical access to the voting system, ballot box, ballots, or other hardware leaves physical evidence.
  Voting systems only expose physical ports and access points that are essential to voting operations, testing, or auditing.

Data Protection
  The voting system protects sensitive data from unauthorized access, modification, or deletion.
  Voting systems prevent unauthorized access to or manipulation of configuration data, cast vote records, transmitted data, or audit records.
  The source and integrity of electronic tabulation reports are verifiable.
  All cryptographic algorithms are public, well-vetted, and standardized.
  Voting systems protect the integrity, authenticity and confidentiality of sensitive data transmitted over all networks.

Software Integrity
  Voting systems prevent the unauthorized installation or modification of firmware, software, and critical configuration files.
  Only software that is digitally signed by the appropriate authorities is installed on the voting system.
  The authenticity and integrity of software updates must be verified by the voting system prior to installation and authorized by an administrator.

Detection/Monitoring
  The voting system provides mechanisms to detect and remediate anomalous or malicious behavior.
  Voting system equipment records important activities through event logging mechanisms, which are stored in a format suitable for automated processing.
  The voting system generates, stores, and reports to the user or election official all error messages as they occur.
  Voting systems employ mechanisms to protect against malware.
  If the voting system contains networking capabilities, it employs appropriate modern defenses against network-based attacks.

Comments

We should define "Ballot secrecy" in terms of "unlinkability of votes to voters". See "A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management" (Version v0.34 Aug. 10, 2010) Andreas Pfitzmann Marit Hansen http://dud.inf.tu-dresden.de/literatur/Anon_Terminology_v0.34.pdf

-- Neal Mc Burnett - 2016-12-02

For software updates, reference "TUF: The Update Framework" https://theupdateframework.github.io/ and/or the principles underlying it, like Survivable Key Compromise, Freshness Guarantees, Configurable Trust Thresholds.

-- Neal Mc Burnett - 2016-12-02

Significantly updated the auditability principles based on feedback from the Cybersecurity Working Group. References to auditability requirements from the '2007 Recommendations to the TGDC' were added where applicable VVSG 1.1 did not exist.

-- Joshua Franklin - 2017-01-23

"...an Administrator" (7.4.6.e) may not be the name of the role in a system or at a jurisdiction. Perhaps a more universal "properly credentialed user" or similar would be better. Thanks -- Ed

-- Ed Smith - 2017-01-30

Updated the principles after the February 10, 2017 Cybersecurity Working Group Call.

-- Joshua Franklin - 2017-02-13

Removed the 2015 VVSG 1.1 mapping column. It was superfluous due to the Cybersecurity WG mapping the principles and guidelines to the 2007 VVSG.

-- Joshua Franklin - 2017-07-14

Updated the second Secrecy guideline to include "notifications, and other election artifacts" and "the intent, choices, or selections of any identifiable voter".

-- Gema Howell - 2017-07-14

Topic revision: r15 - 2017-07-14 - GemaHowell