Elections
Federal Program for Certifying Voting Systems Needs to Be Further Defined, Fully Implemented, and Expanded
GAO-08-814, Sep 16, 2008
Additional Materials:
Contact:
The 2002 Help America Vote Act (HAVA) created the Election Assistance Commission (EAC) and, among other things, assigned the commission responsibility for testing and certifying voting systems. In view of concerns about voting systems and the important role EAC plays in certifying them, GAO was asked to determine whether EAC has (1) defined an effective approach to testing and certifying voting systems, (2) followed its defined approach, and (3) developed an effective mechanism to track problems with certified systems and use the results to improve its approach. To accomplish this, GAO compared EAC guidelines and procedures with applicable statutes, guidance, and best practices, and examined the extent to which they have been implemented.
EAC has defined an approach to testing and certifying voting systems that follows a range of relevant practices and statutory requirements associated with a product certification program, including those published by U.S. and international standards organizations, and those reflected in HAVA. EAC, however, has yet to define its approach in sufficient detail to ensure that certification activities are performed thoroughly and consistently. This lack of definition also has caused voting system manufacturers and test laboratories to interpret program requirements differently, and the resultant need to reconcile these differences has contributed to delays in certifying systems that several states were intending to use in the 2008 elections. According to EAC officials, these definitional gaps can be attributed to the program's youth and the commission's limited resources being devoted to other priorities. Nevertheless, they said that they intend to address these gaps, but added that they do not yet have written plans for doing so. EAC has largely followed its defined approach for each of the dozen systems it is in the process of certifying, with one major exception. Specifically, it has not established an effective and efficient repository for certified versions of voting system software, or related procedures and tools, for states and local jurisdictions to use in verifying that their acquired voting systems are identical to what EAC has certified. Further, EAC officials told GAO that they do not have a documented plan or requirements for a permanent solution. As an interim solution, they stated that they will maintain copies of certified versions in file cabinets and mail copies of these versions upon their request by states and local jurisdictions. In GAO's view, this process puts states and local jurisdictions at increased risk of using a version of a system during an election that differs from the certified version. Under its voting system testing and certification program, EAC has broadly described an approach for tracking problems with certified voting systems and using this information to improve its certification program. While this approach is consistent with some aspects of relevant guidance, key elements are either missing or inadequately defined. According to EAC officials, while they intend to address some of these gaps, they do not have documented plans for doing so. In addition, even if EAC defines and implements an effective approach, it would not affect the vast majority of voting systems that are to be used in the 2008 elections. This is because the commission's approach only applies to those voting systems that it has certified, and it is unlikely that any voting systems will be certified in time to be used in the upcoming elections. Moreover, because most states do not currently require EAC certification for their voting systems, it is uncertain if this situation will change relative to future elections. As a result, states and other election jurisdictions are on their own to discover, disclose, and address any shared problems with these noncertified systems.
Status Legend:
Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
- In Process
- Open
- Closed - implemented
- Closed - not implemented
Recommendations for Executive Action
Recommendation: To assist EAC in building upon and evolving its voting systems testing and certification program, the Chair of the EAC should direct the commission's Executive Director to ensure that plans are prepared, approved, and implemented for developing and implementing detailed procedures, review criteria, and documentation requirements to ensure that voting system testing and certification review activities are conducted thoroughly, consistently, and verifiably.
Agency Affected: Election Assistance Commission
Status: Open
Comments: EAC has made progress towards implementing this recommendation. For example, EAC drafted new, more detailed procedures and criteria for conducting its certification activities. Specifically, in 2009, the commission drafted new procedures for conducting reviews of voting system companies' manufacturing facilities, as well as for investigating anomalies in fielded versions of certified systems. As of September 2011, these draft procedures had not been finalized. Regarding documentation requirements, the commission revised its Manufacturer Registration and Application for System Testing forms to include, among other things, requirements that manufacturers disclose and describe their document retention policies. We will continue to monitor EAC?s progress on this recommendation.
Recommendation: To assist EAC in building upon and evolving its voting systems testing and certification program, the Chair of the EAC should direct the commission's Executive Director to ensure that plans are prepared, approved, and implemented for developing and implementing an accessible and available software repository for testing laboratories to deposit certified versions of voting system software, as well as procedures and review criteria for evaluating related manufacturer-provided tools to support stakeholders in comparing their systems with this repository.
Agency Affected: Election Assistance Commission
Status: Open
Comments: In its response to our report, EAC did not concur with this recommendation. In July 2011, EAC officials stated that the Commission has no activities planned or underway to address this recommendation. As we originally reported, EAC maintains a physical repository where it stores official copies of software and firmware for certified systems, but EAC has not developed an accessible and available software repository for testing laboratories to deposit certified versions of voting system software, nor have they established procedures and review criteria for evaluating manufacturer-provided tools to support stakeholders in comparing their systems with items stored in this repository. EAC officials said that they cannot justify the expenditure needed to implement GAO's recommendation because they have not received any requests for verification versions of software for certified systems. Nevertheless, without a plan and milestones for developing the procedures, criteria, and tools for using the repository, EAC cannot inform election authorities about when it will be prepared to fully support their verification processes in the event that problems with certified voting systems do arise.
Recommendation: To assist EAC in building upon and evolving its voting systems testing and certification program, the Chair of the EAC should direct the commission's Executive Director to ensure that plans are prepared, approved, and implemented for developing and implementing detailed procedures, review criteria, and documentation requirements to ensure that problems with certified voting systems are effectively tracked and resolved, and that the lessons learned are effectively used to improve the certification program.
Agency Affected: Election Assistance Commission
Status: Open
Comments: EAC has taken some actions to ensure that problems with certified voting systems are effectively tracked and resolved. For example, in 2009, the commission drafted new, more detailed procedures for investigating anomalies in fielded versions of certified systems, along with associated documentation requirements. As of August 2011, these draft procedures had not been finalized. Regarding the use of lessons learned to improve the certification program, EAC has yet to take any action, and has not developed processes or procedures for doing so. Instead, an EAC official reiterated the commission's intention to pass any lessons learned regarding technical problems with certified systems to its Technical Guidelines Development Committee, which is responsible for drafting and updating the Voluntary Voting Systems Guidelines. We will continue to monitor EAC's progress on this recommendation.
Recommendations for Congressional Consideration
Recommendation: To address the potentially longstanding void in centrally facilitated problem identification and resolution for non-EAC-certified voting systems, Congress may wish to expand EAC's role under HAVA such that, consistent with both the commission's nonregulatory mission and the voluntary nature of its voting system standards and certification program, EAC is assigned responsibility for providing resources and services to facilitate understanding and resolution of common voting system problems that are not otherwise covered under EAC's certification program, and providing EAC with the resources needed to accomplish this.
Agency Affected: Congress
Status: Open
Comments: The Congress has not enacted legislation to expand EAC's role.