Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Test Assertions for VVSG 1.1, Volume 1, Section 7.7.5, September 23, 2016

VVSG 1.1, Vol 1, Requirement 7.7.5: Protecting the Voting System

Physical security measures to prevent access to a voting system are not possible when using a wireless communications interface because there is no discrete physical communications path that can be secured.

a.  The security requirements in Subsection 2.1.1 shall be applicable to systems with wireless communications.

b.  The accuracy requirements in Subsection 2.1.2 shall be applicable to systems with wireless communications.

c.  The use of wireless communications that may cause impact to the system accuracy through electromagnetic stresses is prohibited.

d.  The error recovery requirements in Subsection 2.1.3 shall be applicable to systems with wireless communications.

e.  All wireless communications actions shall be logged.

  1. The log shall contain at least the following entries: times when the wireless is activated and deactivated, services accessed, identification of device to which data was transmitted to or received from, identification of authorized user, and successful and unsuccessful attempts to access wireless communications or service.

DISCUSSION:  Other information such as the number of frames or packets transmitted or received at various logical layers may be useful, but is dependent on the wireless technology used.

f.  Device authentication shall occur before any access to, or services from, the voting system are granted through wireless communications.

DISCUSSION:  Authentication is an important element to protect the security of wireless communications. Authentication verifies the identity and legitimacy of users, devices, and services.

  1. User authentication shall be at least level 2 as per NIST Special Publication 800-63-2 Version, Electronic Authentication Guideline.

 

Test Assertions

TA775a-1: IF a Voting System contains wireless communications capabilities THEN it SHALL conform to VVSG 1.1, Section 2.1.1, including subsections a through g.

TA775b-1: IF a Voting System contains wireless communications capabilities THEN it SHALL conform to VVSG 1.1, Subsection 2.1.2, including subsections a through g.

TA775c-1: IF it is possible for a wireless communication to cause impact to the system accuracy through electromagnetic stresses THEN voting systems SHALL NOT use that wireless communication.

TA775d-1: IF a Voting System contains wireless communications capabilities THEN it SHALL conform to VVSG 1.1, Subsection 2.1.3, including subsections a through c.

TA775e-1: IF a Voting System contains wireless communications capabilities THEN all wireless communications actions SHALL be logged.

TA775ei-1: The log SHALL contain, but not be limited to, the following entries:

  • times when the wireless is activated and deactivated
  • services accessed
  • identification of device to which data was transmitted to or device data was received from
  • identification of authorized user
  • successful attempts to access wireless communications or service
  • unsuccessful attempts to access wireless communications or service.

TA775ei-2: The log MAY contain the following entries:

  • the number of frames or packets transmitted at various logical layers
  • the number of frames or packets received at various logical layers

TA775f-1: IF a Voting System contains wireless communications capabilities THEN device authentication SHALL occur before any access to the voting system is granted through wireless communications.

TA775f-2: IF a Voting System contains wireless communications capabilities THEN device authentication SHALL occur before any services from the voting system are granted through wireless communications.

TA775fi-1: User authentication SHALL be at least level 2 as per NIST Special Publication 800-63-2, Electronic Authentication Guideline.

TA775fi-1-1: The password MAY be a randomly generated string consisting of 6 or more digits, a user generated string consisting of 8 or more characters chosen from an alphabet of 90 or more characters, or a secret with equivalent entropy.

TA775fi-1-2: The voting system SHALL implement dictionary or composition rules to constrain user generated passwords.

 

Created September 22, 2016, Updated October 19, 2016