
VVSG Principles and Guidelines


This document contains high-level principles and guidelines for the following areas:

  • General considerations for specification, implementation and evaluation of election processes and technology
  • Interoperability
  • Human factors
  • Security
Principle Name: Principle & Guideline Descriptions

High-Quality Design: Election processes are designed accurately, completely, and robustly.
  Voting system design adheres to commonly-accepted election process specifications.
  Voting system design addresses all realistic operating conditions.
  Voting system design supports evaluation methods enabling testers to clearly and easily distinguish systems that correctly implement specified properties from those that do not.

High-Quality Implementation: Voting systems and processes are implemented using high-quality best practices.
  Voting systems are implemented using trustworthy materials and methods.
  Voting systems are implemented to ensure system logic is clear, meaningful, and well-structured.
  Voting systems are implemented to ensure the system organization is modular, scalable, and robust to change.
  Voting systems are implemented so that the system can support system processes and data with integrity.
  Voting systems are implemented to handle errors robustly and to recover from failure gracefully.
  Voting systems are implemented to perform reliably in intended environments.
  Voting systems are implemented using best practice user-centered design methods, for a wide range of representative voters and poll workers, including those with and without disabilities.

Transparency: The voting system and voting processes are designed to provide transparency.
  The documentation describing the voting system design, operation, accessibility features, security measures, and other aspects of the voting system can be easily read and understood by election officials, testing labs, and independent auditors.
  The processes and transactions, both physical and digital, associated with the voting system are readily available for inspection.
  The operations of the voting systems are easy for the public to understand and verify during pre-election setup and post-election audits.

Interoperability: The voting system is designed to support interoperability in its interfaces to external systems, its interfaces to internal components, its data, and its peripherals.
  Voting system data that is imported, exported, or otherwise reported, is in an interoperable format.
  Standard, publicly-available formats for other types of data are used wherever possible.
  Components of voting systems are designed to interoperate with components from other manufacturers.
  Widely used hardware interfaces and communications protocols are used where possible.
  Where possible, commercial-off-the-shelf (COTS) items can be used for peripherals such as printers, portable memory devices, or accessible interfaces.

Equivalent and Consistent Voter Access: All voters can access and use the voting system regardless of their abilities, without discrimination.
  Voters have a consistent experience throughout the voting process in all modes of voting.
  Voters receive equivalent information and options in all modes of voting.

Voter Privacy: Voters can mark, verify, and cast their ballot privately and independently.
  The voting process preserves the privacy of the voter's interaction with the ballot, modes of voting, and ballot selections.
  Voters can mark, verify and cast their ballot without assistance.

Marked, Verified, and Cast as Intended: Ballots are presented in a clear, understandable way and can be marked, verified, and cast by all voters.
  PERCEIVABLE - The default system settings for displaying the ballot work for the widest range of voters, and voters can adjust settings and preferences to meet their needs.
  OPERABLE - Voters and poll workers are able to use all controls accurately, and voters have direct control of all ballot changes.
  UNDERSTANDABLE - Voters can understand all information as it is presented, including instructions, messages from the system, and error messages.

Robust, Usable, and Accessible: The election process and voting system provide a robust, safe, usable, and accessible experience for all users.
  The voting system's hardware and accessories protect voters from harmful conditions.
  The voting system meets currently accepted state and federal standards for accessibility.
  The voting system is measured with a wide range of representative voters and poll workers, including those with and without disabilities, for effectiveness, efficiency, and satisfaction.

Auditability: The voting system is auditable and enables evidence-based elections.
  An undetected error or fault in the voting system's software or hardware is not capable of causing an undetectable change in election results.
  The voting system produces records that provide the ability to check whether the election outcome is correct, and to the extent possible, identify the root cause of any irregularities.
  Voting system records are resilient in the presence of intentional forms of tampering and accidental errors.
  The voting system supports efficient audits.

Ballot Secrecy: The voting system protects the secrecy of voters' ballot selections.
  Ballot secrecy is maintained throughout the voting process.
  Records, notifications, and other election artifacts produced by the voting system do not reveal the intent, choices, or selections of any identifiable voter.
  The voting system ensures that ballot selections, interface options, voter identity, and information about voters are not associated with the cast vote record.

Access Control: The voting system authenticates administrators, users, devices and services before granting access to sensitive functions.
  The voting system identifies users, roles and/or processes to which access is granted and the specific functions and data to which each entity holds authorized access.
  The voting system supports authentication mechanisms and allows administrators to configure them.
  Default access control policies enforce the principle of least privilege.

Physical Security: The voting system prevents or detects attempts to tamper with voting system hardware.
  Any unauthorized physical access to the voting system, ballot box, ballots, or other hardware, leaves physical evidence.
  Voting systems only expose physical ports and access points that are essential to voting operations, testing, or auditing.

Data Protection: The voting system protects sensitive data from unauthorized access, modification, or deletion.
  Voting systems prevent unauthorized access to or manipulation of configuration data, cast vote records, transmitted data, or audit records.
  The source and integrity of electronic tabulation reports are verifiable.
  All cryptographic algorithms are public, well-vetted, and standardized.
  Voting systems protect the integrity, authenticity and confidentiality of sensitive data transmitted over all networks.

System Integrity: The voting system performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.
  The voting system uses multiple layers of controls to provide redundancy against security failures or vulnerabilities.
  To the extent practical, the voting system limits its attack surface by reducing unnecessary code, data paths, and physical ports, and by using other technical controls.
  The voting system maintains and verifies the integrity of software, firmware, and other critical components.
  Voting systems prevent the unauthorized installation or modification of firmware, software, and critical configuration files.
  The authenticity and integrity of software updates are verified by the voting system prior to installation, and authorized by an administrator.

The voting system provides mechanisms to detect and remediate anomalous or malicious behavior.
  Voting system equipment records important activities through event logging mechanisms, which are stored in a format suitable for automated processing.
  The voting system generates, stores, and reports to the user or election official, all error messages as they occur.
  Voting systems employ mechanisms to protect against malware.
  If the voting system contains networking capabilities, it employs appropriate modern defenses against network-based attacks.


On June 21st, 2017, the first Auditability guideline was updated to include "hardware".

-- Gema Howell - 2017-06-28

Updated the second Secrecy guideline to include "notifications, and other election artifacts" and "the intent, choices, or selections of any identifiable voter".

-- Gema Howell - 2017-07-03

Updated the principle description for "marked as intended" due to an error.

-- Joshua Franklin - 2017-07-12

I revised the HF section, added a guideline to the high quality principle and noted some moves and suggested some wording.

-- Sharon Laskowski - 2017-08-08

I updated the HF related stuff, Transparency, and added the new system integrity P&G that Josh just sent around.

-- Sharon Laskowski - 2017-08-11

Topic revision: r19 - 2017-08-14 - BenjaminLong