1S-2.015: Minimum Security Procedures for Voting Systems
PURPOSE AND EFFECT: The purpose of this rule amendment is to provide comprehensive security procedures to ensure the highest level of voting system protection. The substance of these amendments is primarily based on a technical advisory issued on March 3, 2006, that pertained to enhancements to voting system security procedures, prompted in part by the outcome of recent tests of voting systems in local jurisdictions and a review of the State of California’s Voting Systems Technology Assessment Advisory Board’s (VSTAAB) Security Analysis of the Diebold AccuBasic Interpreter and Ciber Laboratory’s Source Code Review and Functional Testing reports. The Division of Elections recognizes that as technology evolves, the operations and access to certified voting systems ought to be evaluated so as to determine whether a system and a county’s overall security plan and procedures need to be modified or enhanced in order to ensure the integrity of the voting system and the electoral process.
SUBJECT AREA TO BE ADDRESSED: Security Procedures for Voting Systems.
SPECIFIC AUTHORITY: 20.10, 97.012(1), 101.015 FS.
LAW IMPLEMENTED: 101.015 FS.
A RULE DEVELOPMENT WORKSHOP WILL BE HELD AT THE DATE, TIME AND PLACE SHOWN BELOW:
TIME AND DATE: June 12, 2006, 1:30 p.m.
PLACE: Florida Heritage Hall, Plaza Level, R.A. Gray Building, Tallahassee, Florida
NOTICE UNDER THE AMERICANS WITH DISABILITIES ACT: Any person needing special accommodations to participate in this proposed rule development workshop should contact the Department of State at 1(850)245-6536 no later than three business days before the date of the workshop. Any person who is hearing or speech impaired may contact the Department by using the Florida Relay Service with the following toll free numbers: 1(800)955-8770 (voice) or 1(800)955-8771.
THE PERSON TO BE CONTACTED REGARDING THE PROPOSED RULE DEVELOPMENT AND A COPY OF THE PRELIMINARY DRAFT, IF AVAILABLE, IS: Maria I. Matthews, Assistant General Counsel, Office of the General Counsel, Division of Elections, Department of State, 500 S. Bronough Street, Tallahassee, Florida 32399-0250, (850)245-6500
THE PRELIMINARY TEXT OF THE PROPOSED RULE DEVELOPMENT IS:
1S-2.015 Minimum Security Procedures for Voting Systems.
(1) PURPOSE. To establish minimum security standards for voting systems pursuant to Section 101.015(4), F.S.
(2) DEFINITIONS. The following words and phrases shall be construed as follows when used in this rule:
(a) A “Ballot” when used in reference to:
1. “Marksense Paper ballot” means that printed sheet of paper, used in conjunction with an electronic or electromechanical vote tabulation voting system, containing the names of candidates, or a statement of proposed constitutional amendments or other questions or propositions submitted to the electorate at any election, on which sheet of paper an elector casts his or her vote.
2. “Electronic or electromechanical device” means a ballot that is voted by the process of electronically designating, including by touchscreen, or marking with a marking device for tabulation by automatic tabulating equipment or data processing equipment.
(b) “Election Materials” means those materials provided to poll workers to properly conduct the election and shall include, but not be limited to: legally required affidavits and forms, provisional ballots, voter authority slips, precinct registers, and any electronic devices necessary to activate ballot styles in the voting system.
(c) A “Voted Ballot” means a ballot as defined above, which has been cast by an elector.
(d)(c) “Voting System” means a method of casting and processing votes that functions wholly or partly by use of electromechanical or electronic apparatus or by use of marksense paper ballots and includes, but is not limited to, the procedures for casting and processing votes and the programs, operating manuals, supplies, tabulating cards, printouts, and other software necessary for the system’s operation.
(e)(d) “Voting Device” means any apparatus by which votes are registered electronically.
(e) “Election Materials” means those materials provided to poll workers to properly conduct the election and shall include, but not be limited to: legally required affidavits and forms, provisional ballots, voter authority slips, precinct registers, and any electronic devices necessary to activate ballot styles in the voting system.
(3) FILING OF SECURITY PROCEDURES.
Requirements for filing security procedures with the Division of Elections. Within fifteen days of the effective date of this rule, eEach supervisor of elections shall place on file with the Division of Elections security procedures that which meet the minimum standards set forth in this rule. Any subsequent revision Revisions to procedures on file with the Division of Elections shall be submitted at least 45 days prior to the commencement of early voting for the first election in which they are to take effect and shall be accompanied by a statement describing which part of the procedures previously filed have been revised. The procedures as revised must continue to meet the requirements of this rule. Each supervisor of elections has the authority to make changes to the security procedures within 45 days prior to the commencement of early voting for an election as a result of an emergency situation or other unforeseen circumstance. The supervisor shall document any changes to include the reasons why such changes were necessary. A copy of any changed document changes in security procedures authorized by the supervisor shall be submitted to the Division of Elections within 5 days of the change.
(4) REVIEW OF SECURITY PROCEDURES.
(a) The Division of Elections shall conduct a review of the submitted security procedures to determine if they meet the minimum requirements set forth in subsection (5) in this rule. The Division of Elections shall will notify the supervisor of elections as to the results of the review within 30 days of receipt of the security procedures or revisions thereto the date revisions to the security procedures are received in the office of the Division of Elections. If the Division is unable to complete its review within the 30 days time frame established in this rule, the procedures or revisions shall be temporarily approved until such time as the review is completed and the supervisor of elections will be notified accordingly. The notice shall notification of the results of the review will include an enumeration of specific provisions that which were found to be incomplete or otherwise do not meet the provisions of this rule.
(b) Security procedures on file with the Division of Elections shall be reviewed by the Division of Elections in each odd numbered year, pursuant to Section 101.015(4)(b), F.S.
(5) STANDARDS FOR SECURITY PROCEDURES.
(a) Security procedures shall include copies and descriptions of the content of each referenced form, schedule, log or checklist or descriptions of the contents of forms, schedules, logs or checklists that vary from election to election. The procedures must also include measures for ensuring security on election day and during the early voting period including daily overnight storage.
(b) Election Schedule. The security procedures shall require the establishment of an election schedule at least 90 days prior to each regularly scheduled election and within 20 days of the date a special election is scheduled. The election schedule shall contain the following:
1. A list of all tasks necessary to conduct the election;
2. The legal deadline, where applicable, or tentative date each task is to be completed; and
3. The individual (position title), group or organization responsible for completing each task.
(c) Ballot Preparation. The security procedures shall describe the steps necessary to ensure insure that the ballot contains the proper races, candidates and issues for each ballot variation and that the ballots can be successfully tabulated. The ballot preparation procedures shall, at a minimum, contain the following:
1. Method and materials required to determine each type of ballot or ballot variations;
2. Assignment of unique marks or other coding necessary for identifying ballot variations or precincts;
3. Verification that unique marks or other coding necessary for tabulation are correct;
4. Description of system used to facilitate ballot preparation, if applicable; and
5. Description of method to verify that all ballots and ballot variations are accurately prepared and printed.
(d) Filing election parameters. The security procedures shall include filing with the Division of Elections a copy of the parameters used within the voting system to define the tabulation and reporting instructions for each election regardless of filings for previous elections. The filing shall, at a minimum, include the following:
1. Copy of the administrative database used to define the election;
2. Copy of all election-specific files generated and used by the system; and
3. If the election definition is created by an individual who is not an employee of the supervisor of elections, then the parameters shall include a statement signed by the person who created the election definition. The statement shall be in substantially the following form:
ELECTION PARAMETER STATEMENT
Pursuant to Section 837.06, F.S., whoever knowingly makes false statement in writing with the intent to mislead a public servant in the performance of his or her official duty, shall be guilty of a misdemeanor of the second degree, punishable as provided in Section 775.082 or 775.083, F.S. The election coding for
Signature of the Person Coding the Election.
(e)(d) Preparation and Configuration of Tabulation System.
1. The procedures relating to the preparation and configuration of the tabulation system shall, at a minimum, include the following:
a. Description of the ballot definition and verification process;
b. Description of the steps necessary to program the system; and
c. Description of the process to install the program and the procedures for verification of correctness.
2. The security procedures shall describe the test materials utilized and the voting system tests performed prior to the conduct of the public logic and accuracy tests.
(f)(e) Logic and Accuracy Test. The security procedures for use with electronic and electromechanical voting systems shall, at a minimum, describe the following aspects of logic and accuracy testing as required by Section 101.5612, F.S.:
1. Description of each component of the test performed including the test materials utilized.
2. Description of how The procedures for sealing, securing and retaining the programs, ballots, test results, and other test materials, and records of proceedings are sealed, secured and retained.
(f) Filing election parameters. The security procedures shall include filing with the Division of Elections a copy of the software and parameters used within the voting system to define the tabulation and reporting instructions for each election regardless of filings for previous elections. The filing shall, at a minimum, include the following:
1. Copy of the voting system software;
2. Copy of the administrative database used to define the election;
3. Copy of all election-specific files generated and used by the system;
4. Documentation stating the release level of the precinct tabulation equipment and firmware; and
5. If the election definition is created by an individual who is not an employee of the supervisor of elections, then the parameters shall include a statement signed by the person who created the election definition. The statement shall be in substantially the following form:
ELECTION PARAMETER STATEMENT
Pursuant to Section 837.06, F.S., whoever knowingly makes false statement in writing with the intent to mislead a public servant in the performance of his or her official duty, shall be guilty of a misdemeanor of the second degree, punishable as provided in Section 775.082 or 775.083, F.S. The election coding for
Signature of the Person Coding the Election.
(g) Pre-election Steps for Voting Systems. The security procedures for use with voting devices shall, at a minimum, include a the following:
1. Description of how the number of voting devices for each precinct is determined;
2. Description of each component of the public test, including any test materials utilized;
3. Description of the process to seal and secure the voting devices including on election day and daily during the early voting period. This description shall include:
1. The process for permanently identifying electronic media type including but not limited to memory packs, compact flash cards, PC Cards or PCMCIA cards, Personalized Electronic Ballots (PEBs), voter card encoders, supervisor cards, and key cards with a unique identification (e.g., serial number). This activity shall include:
a. The process to create and maintain an inventory of all electronic media.
b. The chain of custody process and procedure for identifying, documenting, handling, and tracking electronic media from the point of collection or transfer from their storage location, through election coding, through the election process, to their final post-election disposition and return to storage. Such process must use two or more individuals to perform any written check and verification checks whenever a transfer of custody takes place. This electronic media must be given the same level of attention that one would give to official ballots.
2. The establishment and maintenance of a secured location for storing the electronic media when not in use, for coding an election, for creating the election media, for transferring and installing the election media into the voting device, and for storing these devices once the election parameters are loaded. This process shall ensure that:
a. No election media is left unattended or in an unsecured location once it has been coded for an election. At least two persons must be in attendance. Where applicable, coded election media must be immediately loaded into the relevant voting device, logged, and made secure or must be placed in a secured and controlled environment and inventoried.
b. Each election media is sealed in its relevant voting device or container utilizing one or more uniquely identified tamper-resistant or tamper-evident seals. A combined master tracking log of the voting device, the election media, and the seal(s) must be created and maintained. For election media that are device independent (for example, PEBs, voter card encoders) these devices must be stored in a secured, sealed container and must also be identified on the master tracking log.
c. A procedure is created and maintained for tracking the custody of these voting devices once these devices are loaded with an election definition. This record shall include the protective count for the voting device, where applicable. The chain of custody must specifically provide for the identifying, documenting, handling, and tracking of such devices from the point of loading to final post-election disposition. A minimum of two persons must be used to perform any written checks and verification checks when a transfer of custody takes place. These voting devices must be given the same level of attention that one would give to official ballots.
3. A recovery plan that is to be followed should there be any indication of a security breach in the accountability and chain of custody procedures. Any indication of a security breach must be confirmed by more than one individual.
4. A training plan for relevant election officials, staff, and temporary workers that addresses these security procedures and the relevant work instructions.
It shall also provide for a record to be kept on which the identification numbers, seal numbers and protective counter numbers for voting devices shall be noted; and
4. Description of the procedures for retaining the test results and any records of the proceedings.
(h) Ballot Distribution. Where marksense paper ballots (as defined in subparagraph (2)(a)1. of this rule) are used including on election day and during early voting, the security procedures shall, at a minimum, include the following:
1. Description of how the number and variations of ballots required by each precinct is determined;
2. Description of the method for securing the ballots; and
3. Description of the process for distributing the ballots to precincts, to include an accounting of who distributed and who received the ballots, the date, and how they were checked.
(i) Distribution of Precinct Equipment. The security procedures shall describe the steps necessary for distributing voting system equipment to the precincts.
(j) Election Board Duties.
1. The security procedures when marksense paper ballots, including provisional ballots are used shall, at a minimum, include the following Election Board duties including on election day and during early voting:
a. Verification that the correct number of ballots were received, and that they are the proper ballots for that precinct;
b. Checking the operability or readiness of the voting devices;
c. Checking and sealing the ballot box;
d. Description of how spoiled ballots are handled;
e. Description of how write-in and provisional ballots are handled; and
f. Accounting for all ballots after the polls close.
2. The security procedures for use with voting devices shall, at a minimum, include the following Election Board duties:
a. Verification of the identification numbers, seal numbers, and protective counter numbers of precinct tabulation and/or voting devices;
b. Checking the operability or readiness of the voting device;
c. Verification that all counters except protective counters are set at zero on each voting device;
d. Securing a printed record from each voting device, if applicable;
e. Checking the correctness of the ballot;
f. Preparing voting devices for voting;
g. Verification that the correct number of voter authorization slips were received;
h. Checking and sealing the voter authorization slips container(s);
i. Handling write-in ballots;
j. Handling voting system malfunctions;
k. Securing voting machines at the close of the polls to prevent further voting;
l. Accounting for all voter authorization slips received; and
m. Recording and verifying the votes cast.
(k) Transport of Ballots and/or Election Materials. The security procedures shall describe the steps necessary to ensure a complete written record of the chain of custody of ballots and/or election materials including on election day and daily during the early voting period and shall include:
1. A description of the method and equipment used to transport all ballots and/or election materials;
2. A method of recording the names of the individuals who transport the ballots and/or election materials from one site to another and the time they left the sending site;
3. A method of recording the time the individuals who transport the ballots and/or election materials arrived at the receiving site and the name of the individual at the receiving site who accepted the ballots and/or election materials.
4. A description of the process to create and maintain a secured location for storing and transporting voting devices once the election parameters are loaded. This shall include procedures that are to be used at locations outside the direct control of the supervisor of elections, such as overnight storage at a polling location or early voting site. This description shall include:
a. A process for creating and maintaining an inventory of these items for each storage location, for each election. These voting devices must be given the same level of attention that one would give to official ballots.
b. A chain of custody process that specifically provides for the identifying, documenting, handling, and tracking of such voting devices from the point of storage to transfer to final disposition or when the voting devices have been left unattended for any length of time. A minimum of two persons must be used to perform any written checks and verification checks when a transfer of custody takes place. Particular attention must be given to the integrity of the tamper-resistant or tamper-evident seals. These voting devices must be given the same level of attention that one would give to official ballots.
5. A recovery plan that is to be followed should there be any indication of a security breach in the accountability and chain of custody procedures. The plan must address inadvertent damage to any seals or accountability/chain of custody documentation errors. These plans must be developed in a manner that enhances public confidence in the security and integrity of the election. Any indication of a security breach, documentation errors, or seal damage must be confirmed by more than one individual.
6. A training plan for relevant election officials, staff, and temporary workers that address these security procedures and the relevant work instructions.
(l) Receiving and Preparing the Ballots for Central and Regional Counting. The security procedures shall describe the process of receiving and preparing voted ballots, including provisional ballots, election data and/or memory devices for counting to include, at a minimum, the following:
1. Verification that all of the ballot containers are properly secured and accounted for and that the seal numbers are correct;
2. Verification that the ballot container(s) for each precinct contain voted ballots including provisional ballots, unused ballots, spoiled ballots and write-in ballots as shown to exist on the forms completed by each election board for that purpose;
3. Inspection of the marksense paper ballots to identify those that must be duplicated or upon which voter intent is unclear, thus requiring a determination by the Canvassing Board. A record shall be kept of which marksense paper ballots are submitted to the Canvassing Board and the disposition of those marksense paper ballots; and
4. Description of the process for duplicating and recording the voted marksense paper ballots which are damaged or defective.
(m) Tabulation of Vote.
1. The security procedures for use with central and regional processing sites shall describe each step of a ballot tabulation including on election day and daily during the early voting period and shall to include, at a minimum, the following:
a. Counting and reconciliation of voted marksense paper ballots;
b. Processing, tabulation and accumulation of voted ballots and election data;
c. Processing and recording of all write-in and provisional ballots;
d. The process for handling unreadable ballots and returning any duplicates to tabulation;
e. Backup and recovery of tabulated results and voting system programs for electronic or electromechanical voting systems; and
f. Describe Tthe procedure for public viewing of the tabulation process and access to results.
2. The security procedures shall describe the steps necessary for vote tabulation in the precincts including on election day and daily during the early voting period.
3. The security procedures for use in the precincts including on election day and daily during the early voting period shall include procedures that describe each step of ballot tabulation to include, at a minimum, the following:
a. Printing of precinct results and results from individual tabulating devices;
b. Processing and recording of write-in votes;
c. Endorsing a copy of the precinct results by the Election Board;
d. Posting of precinct results;
e. Transport of precinct results to central or regional site;
f. Consolidation of precinct and provisional ballot results; and
g. The Describe the process for public viewing of the tabulation process and access to results.
4. The procedures for resolving discrepancies between the counted ballots and voted ballots and any other discrepancies found during the tabulation process shall be described.
(n) Electronic Access to Voting Systems. Security procedures shall identify all methods of electronic access to the vote tabulation system including on election day and daily during the early voting period. The, including procedures for authorizing electronic access and specific functions, and specifying methods for detecting, controlling and reporting access to the vote tabulation system shall be identified, and shall additionally include:
1. A document that defines the procedure that ensures that default or vendor supplied passwords, encryption keys, or other identifier have been changed. This activity must ensure that:
a. Access control keys/passwords are maintained in a secured and controlled environment. The individual(s) with access to these items must be delineated in the relevant position descriptions.
b. Changes to the encryption keys and passwords are at the discretion of the supervisor of elections. This discretionary authority should not be delegated. The individual(s) that implement a change to the encryption keys and/or passwords must have this "authorization to change" responsibility delineated within their position description(s).
c. The degree of access is defined within each relevant position description and maintained at that level within the election management system and/or equipment. This applies where a voting system can limit an individual's access to certain menus, software modules, or other component.
2. A procedure that governs access to any device, election media, or election management system with a requirement to use an encryption key. This process must be witnessed by one or more individuals authorized to use such information and an access log must be created and maintained.
3. A training plan for relevant election officials, staff, and temporary workers that address these security procedures and the relevant work instructions.
(o) Absentee Ballot Handling. The security procedures shall include procedures that describe absentee ballot handling to include, at a minimum, the following:
1. Description of process for determining and verifying absentee ballot variations;
2. Description for process to assure voters are issued the proper absentee ballot;
3. Process for precluding voters from voting at the polls and casting an absentee ballot;
4. Process for opening valid absentee ballots in preparation for tabulation;
5. Process for recording the receipt of advance absentee ballots, regular absentee ballots, State write-in ballots and Federal write-in ballots and determining which ones should be counted if more than one per voter is received; and
6. Security measures for storing absentee ballots and related materials prior to and after an election.
(p) Ballot Security. The security procedures shall describe ballot accountability and security beginning with their receipt from a printer or manufacturer until such time as they are destroyed. The procedures for each location including on election day and during the early voting period shall describe physical security, identify who has authorized access and identify who has the authority to permit access.
(q) Voting System Maintenance and Storage. The security procedures shall describe the maintenance and testing performed on all components of the system to assure that it is in proper working order and is within manufacturer’s operating specifications for election day and during the early voting period. Procedures shall also describe storage and nonoperational maintenance of all voting devices.
(6) ACCESS TO TABULATION PROGRAM SOURCE CODE.
(a) No supervisor shall have access to any vote tabulation program source code to be used in an election unless prior approval has been obtained from the Division of Elections. Approval shall be based on the supervisor establishing security procedures which provide for maintaining a secured control copy of the certified release of the tabulation program source code; protecting source code from unauthorized access; and verification that the tabulation program source code used for each election is identical to the certified release.
(b) Any modification to tabulation program source code must be certified by the Division under the provisions of Rule Chapter 1S-5, F.A.C., before use in any election.
Specific Authority 20.10(3), 101.015 FS. Law Implemented 101.015(4) FS. History–New 5-27-85, Formerly 1C-7.15, 1C-7.015, Amended 8-28-93, 11-24-04,_________.