U.S. ELECTION ASSISTANCE COMMISSION
1335 East West Highway
Suite 4300
Silver Spring, MD 20910

SENT VIA EMAIL AND POST

July 16, 2018

Senator Ron Wyden
United States Senate
221 Dirksen Senate Office Building
Washington, DC 20510

Dear Senator Wyden,

This letter provides additional information in response to your June 11, 2018, correspondence to us and following the July 11, 2018, Senate Rules and Administration Committee meeting that featured testimony from you and from each of us. While the hearing served as a forum to address many of the items in your letter, we wanted to provide background to our filed testimony, which we have attached. Additionally, we have encouraged our staff to meet with your staff, if you would like, to further discuss these and other election security items.

As the 2018 midterm election approaches, the hearing demonstrated that we all share the common goal of ensuring voter confidence in our nation's election process. We appreciate the opportunity to provide details about the work of the U.S. Election Assistance Commission (EAC) to support state and local election administrators as they seek to provide Americans with secure, accessible, and efficient elections.

Under the Help America Vote Act of 2002 (HAVA), the EAC was charged with adopting voluntary system guidelines, accrediting testing laboratories and certifying voting systems, administering and auditing HAVA funds, and serving as a national clearinghouse of information on election administration. You touched on each of these aspects of our work in your letter, and this response seeks to both clarify the commission's roles and responsibilities, as well as detail some of our current efforts.

With regard to the Voluntary Voting System Guidelines (VVSG), since the first standards were adopted in 2005, our great nation has faced both new challenges and remarkable opportunities rooted in technological advancements.
Recognizing this new operating environment, the EAC has also fine-tuned its own approach to the creation of the VVSG, an effort that now seeks advice from an ever-expanding breadth of experts.

Once the EAC attained a Commissioner quorum in late 2014, much attention was quickly given to the VVSG. We worked with the National Institute of Standards and Technology (NIST) and members of the Technical Guidelines Development Committee (TGDC) to quickly and responsibly update the 2005 standards to increase security, improve accessibility, and keep pace with the dynamic changes made possible by groundbreaking research and development. A new version of the VVSG, in fact, was approved in March 2015 and became the new testing guidelines in mid-2016. This version, VVSG 1.1, will serve as the voluntary voting guidelines until the version under development, 2.0, is adopted.

Towards creation of VVSG 2.0, the EAC sought to broaden the number of Americans outside of the TGDC who could provide useful perspectives and advice during the development of the next generation of guidelines. The new guidelines have earned the support of the advisory committees, and development of requirements consistent with these guidelines is underway by NIST.

Beyond overall involvement, the EAC has relied heavily on input from other TGDC experts, including security experts, members from accessibility advocacy organizations, private industry representatives, and state and local election leaders. Members of the Department of Homeland Security (DHS) delivered presentations at three TGDC meetings as the VVSG 2.0 were being considered and adopted. Beyond the voting membership of the committee, the VVSG 2.0 has also been shaped by input from dozens, if not hundreds, of Americans who choose to participate in the committee's working groups or provide comments.
While we are not mandated to implement every suggestion from outside of the TGDC or to heed each piece of advice, nor would the law permit that in some instances, we are grateful to have such robust participation in this process. We have taken great care to translate all input into standards that can ensure every state and jurisdiction has access to certified, secure voting systems their voters can trust.

The mandate under HAVA requires that it use the VVSG as the basis for testing and certifying voting systems. These tests take place in accredited labs that are regularly assessed using the National Voluntary Laboratory Accreditation Program and the own accreditation standards. The labs that meet the standards for accreditation are regularly assessed for continued compliance. These labs use federally prescribed tests to determine whether submitted election systems meet the physical and security requirements found in the VVSG 1.1, the most current standards adopted by the commissioners.

Regarding cybersecurity, machines are tested and assessed against requirements for things such as passwords, user roles, access controls, audit logs, vulnerabilities, and source code. The test labs also review system documentation to examine all aspects of the voting system submitted for certification testing. This includes all functional models, settings, and user manuals.

All testing information, including test plans and test reports, are available on the commission's website so that election officials, lawmakers, and the public have access to the information they need to fairly evaluate voting systems. The website also contains a full listing of certified systems, systems decertified or withdrawn from the process by the manufacturer, as well as terminated systems. The documentation associated with each designation can be found under each system's listing.
Congress's recent allocation of $380 million in HAVA funding for states demonstrates the clear understanding of the need for more resources to improve election administration, including items related to security upgrades and the purchase of new voting equipment. The EAC is pleased to report that 100 percent of these funds have been requested by all 55 of the 55 eligible states and territories.

To assist the states and territories eligible for funding, the EAC has held a series of live webinars and numerous conference calls designed to address specific questions and to share detailed information regarding the management of the grant process. We have also answered questions from the states about the legal guidelines that dictate how they can spend the funds. In addition, the EAC has issued FAQs, shared Congressional guidance language, worked with our fellow Government Coordinating Council members to create recommendations states can consider, and briefed Congressional Members and staff about the status of the funds.

The EAC has presented the specific language in the 2018 Appropriations Act, Congressional Intent, federal government grant procedures, and practical industry guidance to the National Association of Secretaries of State, the National Association of State Election Directors, the National Association of Counties, and local election officials nationwide. The EAC convened a public forum that was webcast to specifically allow election officials to describe and share their approaches to security.

The EAC is extremely proud of the work we've done to distribute these funds as required under the law. We look forward to working with the states as they allocate these funds and participate in mandated federal audits.

The commission's work to administer the newly appropriated funds reflects our longstanding commitment to assisting state and local election officials and the voters they serve.
As the only federal agency focused solely on the administration of federal elections, the EAC shares best practices and industry trends from around the country, provides training, and creates easy-to-digest resources for both election officials and voters. We are the federal pipeline that allows support from across the federal government - including the Department of Homeland Security, U.S. Postal Service, Federal Bureau of Investigation, Department of Defense and others - to easily flow out to the states and voters. We ensure that when our federal partners have information that can improve election administration or security, it is shared expediently and responsibly with election officials. We also work in reverse, ensuring that state and local election administrators can use the EAC to convey suggestions for how the federal government can better assist them.

Although our budget is small by federal government standards, the EAC has a track record of nimbly carrying out the commission's HAVA mandated mission, and the EAC has extended that support to provide leadership to the election industry related to cybersecurity. In fact, it was the EAC that assembled a cyber security working group, made up of industry leaders, that became the core membership of the General Coordinating Council, and the EAC was a key driver to the swift implementation of that council.

The EAC has a number of staff members who have received cyber certification through the FEDVTE certification program and who continue to engage in training to keep abreast of the latest in cybersecurity approaches and threats. We also have three full-time employees in the Testing and Certification Program who lead the commission's certification process and who are actively reviewing submitted voting systems. These employees regularly interface with experts pertinent to the commission's work.

Our most important partner in the testing, certification, and security efforts is NIST.
HAVA section 221 designates the National Institute of Standards and Technology (NIST) to provide the EAC with technical support, including, but not limited to, "the security of computers, computer networks, and computer data storage used in voting systems, including the computerized list required under section In fact, $1.5 million of the annual operating budget is transferred to NIST to fund this cybersecurity expertise NIST provides to the EAC.

This collaboration is relevant with regard to your question about independent testing of voting systems. While the EAC is not charged with carrying out services such as vulnerability scans, penetration testing, red teaming or other open-ended vulnerability testing, the commission is aware of these available resources from the DHS and does share that information with states. Because elections are run by state and local election administrators, it is up to the officials in each jurisdiction to determine how best to use the resources provided by the EAC and those offered by our federal partners. We work hard to maintain the vital trust between our federal commission and those who run elections.

Our advisory boards also bring a broad spectrum of expertise and perspectives, including on issues such as cybersecurity and law enforcement. We actively engage these boards regarding some of the most pressing issues facing election officials today, and we value the important role they play under the guidelines of HAVA. We are also fortunate to have a unique convening power that brings together experts for issue-specific summits, live-streamed webcasts, public forums, closed meetings, and other opportunities for lively and informative conversations related to our work.

It is our responsibility to seek out and consider a variety of perspectives about the issues we face and to use that information to form our own policies.
We proudly do our job with that in mind, and we thank you for your interest in our work.

Respectfully,

Thomas Hicks, Chair of the EAC
Christy McCormick, Vice Chair of the EAC

Attachment

Senate Rules and Administration Committee Hearing: "Election Security Preparations: Federal and Vendor Perspectives"
July 11, 2018
Submitted Testimony
Commissioner Thomas Hicks, Chair, and Commissioner Christy McCormick, Vice Chair, United States Election Assistance Commission (EAC)

Good morning, Chairman Blunt, Ranking Member Klobuchar, and members of the committee. We are pleased to appear before you today to offer testimony that supplements the written testimony the Election Assistance Commission (EAC) previously submitted for the record ahead of this committee's June 20, 2018, election security hearing.

The EAC takes very seriously its responsibility to support state and local election leaders in their efforts to conduct efficient, accessible, and secure elections. The EAC also is dedicated to providing voters the vital resources and assistance they need to register to vote and to cast their ballots, and continually equipping our partners in Congress, state and local government, private industry, advocacy organizations, other federal agencies, academia, and others in the elections industry with the information they require and rely on through our national clearinghouse.

As emphasized by one of the witnesses in the June 20 hearing, the EAC focuses solely on elections, and this focus is of great value to election administrators. Today, you will also hear from some of our federal partners who specialize in technology and cyber security. The EAC works with these and other federal entities - including the Department of Defense, the Department of Justice, and United States Postal Service, among others - to help bridge the expertise of those organizations into the context of the broad array of responsibilities facing election administrators.
The topic of today's hearing, election security, is not new to the state and local officials who run elections or the tens of thousands of election administration staff members and election workers who support and work with themthe EAC. The EAC has attached a diagram at the end of this testimony to demonstrate the many different components that require election administrator awareness and attention. The EAC works on each of those identified areas, including on election security, coordinating with our federal partners for additional support. It is worth noting that some of the witnesses for today's hearing have election components that fall under the statutory oversight of the EAC, particularly in the role of implementing voluntary voting system guidelines, and federal testing and certification of the voting systems.

In this 2018 election year, providing election security tools and resources to state and local officials is one of the most important responsibilities of the EAC. Much is riding on the shoulders of local election officials. These officials, and their state colleagues, work endlessly and tirelessly - often with very modest pay compared to their government peers - to deliver upon the high expectations our country has of them. As the only federal agency focused solely on election administration, the EAC Commissioners and staff are privileged to have the opportunity to support these faithful and conscientious public servants, who are perpetually focused on ensuring that the nation has secure elections.

Election security, indeed, is an integral component of the support.
In just the last 12 months, the EAC has been expeditiously distributing the newly appropriated Help America Vote Act (HAVA) funds to the states, assisting our federal partners in establishing and managing the critical infrastructure operational framework, continuing to test and certify voting systems, and highlighting and distributing important best practices in election administration as we all look ahead to the 2018 midterm election and beyond. This document briefly touches on some of those elements.

Distributing Newly Appropriated HAVA Funds

In the Consolidated Appropriations Act of 2018, Congress appropriated $380 million dollars in HAVA funds to the states and eligible territories for projects and programs to improve the administration of federal elections. In just over 3 months, the EAC has received disbursement requests for 91% of the funds from 48 of the 55 states/territories, a remarkable percentage that continues to grow daily, and 100% of the funds are available for the eligible states and territories to draw down.

The EAC issued Notice of Grant Award letters to each state less than two weeks after the bill was signed into law by President Trump. Within three weeks of the signing, Missouri, the first state to do so, had requested its funds. In the subsequent 10 weeks, the EAC conducted a webcasted public forum to explain how the funding would proceed, worked directly with the National Association of Secretaries of State (NASS) and the National Association of State Election Directors (NASED) to share information, conducted multiple webinars to further discuss how the funds may be used, consulted with members of the disability community to hear their views on use of the funds, and had frequent contact with each state in an effort to move the funds quickly. The EAC website provides access to a set of Frequently Asked Questions regarding the funds, and this information has been updated on a near-daily basis since the law was enacted.
The attached map, also on the EAC website gov), shows the amount of funds appropriated to each state and indicates the states that have submitted disbursement requests as of July 5, 2018. The EAC has fulfilled its promise to get the funds to the states as quickly as possible, and the EAC is proactively consulting with each of the states and territories regarding the proper use of the funds.

Several administrative issues have arisen in the funds disbursement process and the grants department is endeavoring to help the states navigate those issues so they may receive the funds in advance of the coming elections. One roadblock was the ongoing government-wide issue with System for Awards Management (SAM) accounts; the grants department is working alongside our federal partners at the Government Services Administration (GSA) to provide additional support to the SAM account holders in order to get the funds properly distributed.

The funds are being disbursed with agreement by the states to provide a short narrative describing plans for how the funds will be used, and details from these documents will be shared with the entire election community and on the EAC website, as robust information sharing is an essential component of the approach to use of these HAVA funds. It is essential that the states and territories have access to the wealth of ideas and innovative approaches contained in other states' individualized planned activities as they plan their own use of the funds.

As we continue to work closely with the state and local leaders charged with spending these funds, the staff will continue to compile the information we receive so that the election community and others will have access to particulars on how the states and territories are expending their funds to further update and secure their election systems.

Critical Infrastructure Activities

The distribution of HAVA funds is only the latest example of the work related to election security.
The EAC has been serving as a central partner with the Department of Homeland Security (DHS) in ensuring the success of this national security effort well before the 2017 Critical Infrastructure designation by former Secretary Jeh Johnson.

The DHS has stated that the election sector's Government Coordinating Council (GCC) was formed faster than any other similar critical infrastructure sector council to date. The EAC took an early leadership role in working toward this accomplishment, and we recognize it as an exemplary proof-point of how local, state, and federal governments can effectively work together toward the shared goal of protecting our nation's election infrastructure.

Building on that success, the EAC also convened discussions between election system vendors and the DHS for the formation of the Sector Coordinating Council (SCC). Thanks to the swift establishment of the GCC and the well-established relationships between the EAC and election equipment vendors, work on the SCC began in the summer of 2017 and its official formation meeting took place before the end of last year. Both councils were functioning before the 2018 election year and less than one year from the Critical Infrastructure designation by the DHS.

During the 2016 election cycle, the EAC was a key player in federal efforts to share vital security information with the states and educate our federal partners about ways to best serve the needs of election administrators. For example, the EAC:

- Distributed urgent security alerts and threat indicators from the DHS and the Federal Bureau of Investigation (FBI) to states and territories to help protect election systems from specific cybersecurity threats.
- Met on multiple occasions with staff from the DHS, the FBI, and the White House to discuss specific and nonspecific threats, state and local election system security and protocols, and the dynamics of the election system and its 8,000 plus jurisdictions nationwide.
- Served as the federal government's primary communication channel to provide real-time cybersecurity information to election officials around the country. This information included current data on cyber threats, tactics for protecting election systems against these threats, and the availability and value of DHS resources for protecting cyber-assets.
- Participated in and convened conference calls with federal officials, Secretaries of State and other State Chief Election Officials, state and local election administration officials, federal law enforcement, and federal agency personnel to discuss the prospect of designating elections as part of the nation's critical infrastructure. These discussions focused on topics such as coordinating security flashes from the FBI, the implications of a critical infrastructure designation, education on the nation's election system, and the dynamics of successfully communicating information to every level of election officials responsible for running the nation's election system.
- Provided DHS with perspective, information, and data related to the election system, introductions to officials in the election community, and information that assisted the agency with shaping communications in a manner that would be useful to the states and local election officials.
- Published a white paper entitled "Election Systems as Critical Infrastructure" that provided a basic understanding of critical infrastructure for election officials.
- Contributed to multiple foundational DHS documents used to structure the Elections Systems Critical Infrastructure designation and sector.

The EAC Chair serves on the GCC Executive Committee and all EAC Commissioners were established as members of the GCC. Like many members of the GCC, the EAC is seeking security clearances through the DHS and has been assured that the department will be addressing those security requests soon.
Tactically in 2018, the EAC has focused on steps our commission could take to further serve election officials operating in this new threat environment. The EAC gathered election officials, security officials, academics, and federal government partners for an Election 2018 kick-off summit at the National Press Club in January. This event raised awareness of the security preparations election officials had underway and the resources available to the states and localities to help with this critical work. In April, the EAC held a live-streamed public forum expressly comprised of election officials to facilitate the sharing of security best practices among election colleagues.

While talking about election security at forums is important, the EAC also knows the importance of training. EAC staff was intricately involved in the establishment of Harvard University's Belfer Center Table Top Exercises, which have since been conducted across the country. During the past year, EAC staff has also developed and presented its "Election Official as IT Manager" training to officials representing hundreds of election jurisdictions across the country, and we are working with the DHS to put this training online through the platform so that many more election officials can easily access it.

The EAC also produced a video and supporting meeting materials to help local election officials explain the many levels of election security at their jurisdiction. The video was designed to be viewed at civic group meetings and election worker trainings. It can also be customized by jurisdictions, and some states are tailoring the video to their voters and processes. We plan further work in this regard.

In addition, the EAC Commissioners continuously meet with state and local election officials at regional conferences across the country.
These visits allow the Commissioners to apprise officials of best practices, promote resources available from the EAC and our federal partners in agencies such as the United States Postal Service, the Federal Voting Assistance Program (FVAP) within the Department of Defense, the Department of Justice, and the DHS, and hear about and discuss current concerns and topics in election administration, such as contingency planning, accessibility, voter registration, and technology management.

Testing and Certification/Voluntary Voting System Guidelines

The EAC is authorized under the Help America Vote Act to administer federal testing and certification of voting systems. This testing standard is contained in the Voluntary Voting System Guidelines (VVSG), and vendors may choose to have EAC-accredited and monitored labs test voting systems against these guidelines for certification. The guidelines contain requirements for security, as well as other important components - such as accessibility, usability, and interoperability. In fact, while security is a guiding consideration of certification, so is accessibility for voters with disabilities and those who have limited English proficiency.

These considerations are deliberated and developed in public working groups under the direction of National Institute of Science and Technology (NIST), the Director and Undersecretary of Commerce for Standards and Technology of which, Dr. Walter G. Copan, chairs the Technical Guidelines Development Committee (TGDC). This committee's membership is made up of technical and scientific experts from fields such as security, accessibility, voting machine production, and voting machine use. After development and approval by the TGDC, the voluntary guidelines are submitted to the Executive Director, provided to the two other statutory Committees, the Standards Board and the Board of Advisors, published for public comment, and presented to the Commissioners for consideration and approval.
The EAC recently convened its advisory boards to review and comment on the adoption of the newest version of the voluntary guidelines, VVSG 2.0. Both Boards recommended that the EAC adopt VVSG 2.0. The EAC, however, is currently without its minimum number of three commissioners needed for a quorum to vote on the VVSG.

While the EAC has been hard at work on the newest version of the VVSG, the EAC has not stopped its ongoing work to rigorously review, test, and certify voting machines submitted by vendors. These reviews are referred to as test campaigns, conducted by laboratories certified by the EAC. Once a system successfully completes a test campaign, the results of the campaign are transmitted to the Executive Director for certification of the voting system to the standard against which it was tested. If the Executive Director agrees that the voting system has conformed with the standard, it is certified as such and assigned a certification number.

In addition to the actual certification of the voting systems, the Testing and Certification Program continually conducts quality monitoring of all EAC certified systems and audits the quality of the EAC accredited test labs. Monitoring of the voting systems occurs throughout the entire span of manufacturing and life of service, including manufacturing facility audits, field system review and testing, and field anomaly reporting from manufacturers and election officials.

Conclusion

Senators, the mission includes supporting election officials across the country with the administration of federal elections, and we endeavor to provide as much support and assistance as possible to the state and local election officials we serve. The importance of election security and how the newly appropriated HAVA Funds will assist states with meeting these objectives are the Commission's top priority and part of our primary focus. We are honored to support the important and great work carried out by election administrators each and every day.
We welcome your feedback, and we look forward to answering questions you may have.

[Attached map: "2018 HAVA Funds", showing the amount appropriated to each state and territory, with a marker for each state that has requested funds. Revised on July 5, 2018, 2:00 pm.]

[Attached diagram: "Election Officials must be experts", with labeled areas: ADA, Candidates, Technology, Campaign Finance, Human Resources, Auditing, Provisional Ballots, Recounts, Street File Maintenance, Voter List Maintenance, Polling Places, Security, Real Estate, Military & Overseas Voting, Signature Verification, Public Relations, Advance Voting, Election Law, Scheduling, Finance, Logistics.]