Election Systems: Recent Action by the Election Assistance Commission




INSIGHTi

Election Systems: Recent Action by the
Election Assistance Commission

April 3, 2024
The Election Assistance Commission (EAC) was established by the Help America Vote Act in response to
problems with the administration of the 2000 elections. Among other responsibilities, such as
administering grant programs and sharing best practices, it was charged with developing voluntary federal
guidelines for voting systems
and overseeing a program to test and certify systems to the guidelines.
Use of voting systems that conform to the EAC’s Voluntary Voting System Guidelines (VVSG) is
voluntary under federal law, but the VVSG work somewhat differently in practice than typical voluntary
recommendations or best practices. Many states require use of some or all of the EAC’s testing and
certification program under their own state laws—and EAC certification offers the general reassurance of
a federal “stamp of approval” for others—so voting system vendors tend to tailor their systems to the
guidelines.
That means that the VVSG and the EAC’s testing and certification program offer an opportunity for the
federal government to inform how voting systems work. The EAC has acted on that opportunity, as well
as its broader authority to issue election administration guidance, to implement versions of some policy
proposals that have also appeared in recent federal legislation.
Software Independence
Most voting systems in the United States use computers for marking votes, counting them, or both. For
example, even votes marked by hand on paper ballots are typically counted with electronic scanners. A
challenge with using computers is that it is hard to tell just by looking at the software running on a voting
system whether there is something wrong with it, either because of errors in the code or because of
intentional interference.
One way to address that challenge is to ensure that voting systems are software independent, or that “an
(undetected) change or error in [their] software cannot cause an undetectable change or error in an
election outcome.” Software independence has long been a topic of discussion for the EAC advisory
bodies
that draft and review the VVSG, and the most recent version of the guidelines (VVSG 2.0) added
it as a new requirement for federal certification.
Congressional Research Service
https://crsreports.congress.gov
IN12343
CRS INSIGHT
Prepared for Members and
Committees of Congress




Congressional Research Service
2
VVSG 2.0, which was adopted in 2021, allows for two types of approaches to software independence—
(1) paper-based and (2) cryptographic end-to-end verifiable—although only the first is currently available
on the voting system market. Systems that take that approach generate paper records of voters’ selections
that voters can verify before casting their ballots and election officials can check against the outcomes
reported by the voting system through post-election audits.
Some bills introduced in the 118th Congress would mandate certain aspects of that type of system. For
example, the Securing America’s Elections Act of 2023 (H.R. 466) and the Freedom to Vote Act (H.R. 11,
S. 1, S. 2344) would require voting systems used in federal elections to produce paper ballots that voters
could verify, and the latter legislation would require states to audit federal elections.
Guidelines, Testing, and Certification for Nonvoting
Election Systems
The VVSG and the accompanying testing and certification program focus on systems used for voting—
for casting and counting ballots and related activities. However, there are also many other, nonvoting
systems that are used in elections, such as voter registration databases and electronic poll books (e-poll
books).

Problems with those nonvoting systems might not change votes directly, but they could still have
significant consequences. For example, as one witness explained in a 2019 hearing, alterations to voter
registration databases could cause eligible voters to be turned away from the polls or ineligible voters to
be allowed to vote.
Some states have responded to the potential for such problems by establishing their own guidelines,
testing, or certification for nonvoting systems. Variations in states’ capacities to address the problems
themselves and possible cost or efficiency advantages of a national baseline have also prompted calls for
consideration of federal guidelines, testing, and certification.
Those calls are reflected in some recent legislative proposals. For example, the American Confidence in
Elections (ACE) Act (H.R. 8528, H.R. 4563) would direct the EAC to establish voluntary guidelines for
nonvoting election systems, and the Freedom to Vote Act (S. 2747, H.R. 11, S. 1, S. 2344) would direct it
to provide for voluntary guidelines, testing, and certification for e-poll books and remote ballot marking
systems.
The EAC has responded to such proposals by establishing an Election Supporting Technology Evaluation
Program (ESTEP). E
STEP’s first major project was a pilot program for testing e-poll books. As of this
writing, it has started developing that pilot into a formal testing and certification program and launched a
second pilot for the systems used to deliver ballots to some voters with disabilities and military and
overseas voters.

Penetration Testing and Coordinated Vulnerability
Disclosure
The EAC’s testing and certification program is primarily designed to check whether voting systems
satisfy a certain set of criteria, the VVSG. Some election security experts have also recommended a
different kind of check on voting systems, known as penetration testing, that aims to identify
vulnerabilities in a system by simulating attempts to attack it.
The most recent update to the EAC’s testing and certification procedures added penetration testing as part
of a pretesting review that voting system testing labs use to assess whether a system is ready for testing to


Congressional Research Service
3
the VVSG. Vendors seeking federal certification of a voting system are required to attest that they have
addressed any critical vulnerabilities identified by that penetration testing before the system will be
certified by the EAC.
EAC Commissioner Donald Palmer also testified in 2023 that the agency is working with the National
Institute of Standards and Technology
and the Department of Homeland Security’s (DHS’s) Cybersecurity
and Infrastructure Security Agency
to develop a voluntary coordinated vulnerability disclosure (CVD)
program
for election systems. CVD programs offer a way for good-faith researchers to help election
officials and election system vendors identify and address vulnerabilities in their systems.
Legislation has been introduced in the 118th Congress that would codify versions of both of the above
developments. The Strengthening Election Cybersecurity to Uphold Respect for Elections through
Independent Testing (SECURE IT) Act—which has been offered both as stand-alone legislation (H.R.
7447,
S. 1500) and as part of intelligence and defense authorization bills (e.g., S. 2103, S. 2226)—would
direct the EAC to provide for penetration testing as part of its voting system testing and certification
program and to work with DHS on a CVD program for election systems.

Author Information

Karen L. Shanton

Analyst in American National Government




Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff
to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of
Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of
information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role.
CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United
States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However,
as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the
permission of the copyright holder if you wish to copy or otherwise use copyrighted material.

IN12343 · VERSION 1 · NEW