Ga. Comp. R. & Regs. 590-8-1-.01

Current through Rules and Regulations filed through November 22, 2024
Rule 590-8-1-.01 - Certification of Voting Systems
(a)Purpose.
1. These Rules establish performance requirements and characteristics for voting systems and their components used in the State of Georgia and identify performance characteristics of these systems and components.
2. Compliance with the requirements of these Rules shall be assessed by means of code analysis, formal tests, and documentation review.
3. The intent of these Rules is to assure that hardware, firmware, and software have been shown to be reliable, accurate, and capable of secure operation before they are used in elections in the State. Hardware, firmware, and software products with performance proven in commercial applications are deemed inherently acceptable, provided that they are shown to be compatible with the operational and administrative requirements of the voting environment. Products not in wide commercial use, regardless of their performance histories, shall require Qualification, Certification, and Acceptance tests before they can be used.
4. These rules are intended to assist local jurisdictions in identifying products and provide a standardized terminology which shall facilitate the specification and demonstration of system requirements.
(b)Applicability.
1. These Rules are applicable to voting systems first used in the State of Georgia on or after the effective date of these Rules. These Rules are waived for all voting systems in use in the State of Georgia as of the effective date of these Rules. Successful performance during past elections are deemed sufficient evidence of adequate design. These Rules shall apply to systems developed by non-governmental third parties and those developed in-house by a local government.
2. These Rules apply to all equipment and computer programs used in a voting system including, but not limited to, the hardware, firmware, and software required for defining an election, formatting ballots, setting up precincts for voting, recording votes, tallying the results, and producing all reports.
3. These Rules apply to any agency, group, or individual responsible for the analysis, design, manufacture, procurement, or use of voting systems, their subsystems, or their components.
4. Any modification to the hardware, firmware, or software of a voting system which has completed Qualification, Certification, or Acceptance testing in accordance with these Rules shall invalidate the State certification unless it can be shown that the modification does not affect the overall flow of program control or the manner in which the ballots are recorded and the vote data are processed, and the modification falls into one of the following classifications listed below. The Secretary of State shall be the sole judge of whether or not a modification requires additional testing.
(i) The modification is made for the purpose of correcting a defect and procedural and test documentation is provided which verifies that the installation of the hardware change or corrected code does not result in any consequence other than the elimination of the defect.
(ii) The modification is made for the purpose of enabling interaction with other general purpose or approved equipment or computer programs and databases, and procedural and test documentation is provided which verifies that such interaction does not involve or adversely affect vote counting and data storage.
5. The addition or alteration of utility software and device handlers which do not interact with vote counting software except through the intended input/output channels in the manner originally intended does not constitute a requirement for a mandatory retest.
(c)Reciprocity. The Secretary of State may accept the results of the Qualification tests and/or Certification tests from another state or testing agency that has performed the tests described in these Rules. This reciprocity does not extend to the Acceptance tests or any portion of the Certification tests, which are considered to be unique to the State of Georgia.
(d)Procedure. This review and approval procedure is limited to those voting systems and equipment that have passed the prototype stage and are in full production and available for immediate installation and use. Qualification tests shall be performed to evaluate the degree to which a system complies with the requirements of the Voting Systems Standards issued by the Election Assistance Commission (EAC). Whenever possible, Qualification tests shall be conducted by Independent Test Agencies (ITA) certified by the EAC. In the event that tests by an ITA are not feasible, these tests shall be conducted by a Georgia Certification Agent designated by the Secretary of State.

Certification tests shall be performed to certify that the voting system complies with the Georgia Election Code, the Rules of the Georgia State Election Board, and the Rules of the Secretary of State. A Georgia Certification Agent designated by the Secretary of State shall conduct certification tests. The Qualification and Certification testing of a voting system for use in the State of Georgia shall proceed in the following steps.

1.Qualification. Prior to submitting a voting system for certification by the State of Georgia, the proposed voting system's hardware, firmware, and software must have been issued Qualification Certificates from the EAC. These EAC Qualification Certificates must indicate that the proposed voting system has successfully completed the EAC Qualification testing administered by EAC approved ITAs. If for any reason, this level of testing is not available, the Qualification tests shall be conducted by an agency designated by the Secretary of State. In either event, the Qualification tests shall comply with the specifications of the Voting Systems Standards published by the EAC.
2.Letter of Request. After the voting system has completed EAC Qualification testing, the evaluation procedure to obtain certification for use of the voting system in the State of Georgia shall be initiated by letter from the vendor of the voting system to the Office of the Secretary of State requesting certification for a specific voting system. The Secretary of State or her representative shall notify the vendor of the earliest date after which the requested evaluation may begin and provide the vendor with the name and telephone number of the designated Georgia Certification Agent.
3.Submission of Complete Technical Data Package. The vendor shall submit the Technical Data Package described in section (g) to the Certification Agent designated by the State. The Certification Agent shall review the submission of the Technical Data Package and notify the vendor of any deficiencies. Certification of the voting system shall not proceed until the Technical Data Package is complete.
4.Preliminary Review. The Georgia Certification Agent shall conduct a preliminary analysis of the Technical Data Package and prepare an Evaluation Proposal containing the following information:
(i) Components of the voting system requiring evaluation.
(ii) Identification of any hardware or software components requiring additional testing by the EAC ITAs.
(iii) Description of the activities required to complete that portion of the evaluation which is to be performed by the Georgia Certification Agent.
(iv) Estimate of time required to complete the portion of the evaluation, which is to be performed by the Georgia Certification Agent.
(v) Estimate of cost of tests which are to be performed by the Georgia Certification Agent.
5.Authorization to Proceed. The vendor shall review the Evaluation Proposal and notify the Secretary of State, in writing, of the desire to continue or terminate the evaluation process. The evaluation of the system shall not begin until the manufacturer or vendor notifies the Secretary of State to proceed. A copy of this notification shall be sent to the Georgia Certification Agent. A decision to continue shall obligate the vendor to the cost of the evaluation contained in the Evaluation Proposal.
6.Evaluation. The vendor shall arrange with the EAC ITAs for any additional required ITA testing identified in the Evaluation Proposal. After any required ITA tests have been successfully completed, the Georgia Certification Agent shall conduct the tests described in the Evaluation Proposal and submit a report of the findings to the Secretary of State.
7.Certification. Based on the information contained in the report from the Georgia Certification Agent, and any other information in her possession, the Secretary of State shall determine whether the proposed voting system shall be certified for use in the State of Georgia and so notify the vendor.
8.Local Jurisdiction Acceptance. After a voting system is delivered to a local jurisdiction, acceptance tests shall be performed in the user's environment to demonstrate that the voting system as delivered and installed is identical to the system that was certified by the State and satisfies the requirements specified in the procurement documents.
(e)Proprietary Information. The State of Georgia shall make every effort to protect the proprietary nature of information provided to the State or its agents during the course of these evaluations in accordance to Georgia law for protecting proprietary information. Any proposed non-disclosure agreements shall be of the type and form in common commercial usage appropriate to similar situations and shall be subject to review and approval by the Georgia Attorney General.
(f)Audit and Validation of Certification.
1. It shall be the responsibility of the vendor to ensure that any voting system or component of a voting system that it markets or supplies for use in the State of Georgia has been certified by the Secretary of State. It is also the responsibility of the vendor to submit any modifications to a previously certified system or component to the Secretary of State for re-certification and to update the Technical Data Package on file in the Office of the Secretary of State to accurately reflect the modifications.
2. If any question arises involving the certification of a voting system or a component of a voting system in use in the State, the Technical Data Package and Certification documentationon file in the Office of the Secretary of State shall be used to verify that the system or component in question is identical to the system or component that was submitted for certification.
(g)Technical Data Package. Before evaluation can begin, the vendor must submit to the Georgia Certification Agent the Technical Data Package required to complete the evaluation of the proposed voting system. Each item in the Technical Data Package must be clearly identified. If the Technical Data Package is incomplete or the items in the package are not clearly identified, the entire package may be returned to the vendor and the evaluation of the voting system rescheduled. In most cases, the Technical Data Package submitted to the ITAs shall be sufficient for State certification.

The Technical Data Package shall contain the following items in hard copy and in electronic form when available.

(i)Customer Maintenance Documentation. Documentation describing any maintenance that the vendor recommends that can be performed by a customer with minimal knowledge of the system.
(ii)Operations Manual. Operations documentation that is normally supplied to the customer for use by the person(s) who shall operate the equipment.
(iii)Software Source Code. Source code of all software and firmware in the voting system. The source code shall be supplied in the form of a listing and in a machine-readable form on media that is acceptable to the Georgia Certification Agent. If there is any chance of ambiguity, the required compiler(s) and/or development environment must be specified.
(iv)Software System Design. Documentation describing the logical design of the software. This documentation should clearly indicate the various modules of the software, their functions, and their interrelationships. The minimum acceptable documentation is a system flowchart. Deviation of the source code from the system design may be cause for rejection of the voting system.
(v)Customer Documentation. A complete set of all documentation which is available to the purchaser/user of the voting system. Clearly identify that documentation which is included in the cost of the system and that documentation which is available for an additional charge.
(vi)ITA Qualification Reports. Copies of the ITA reports for the hardware and software qualification of the voting system. These reports must be sent directly from the ITA to the Georgia Certification Agent.
(vii)Formal Complaints and Decertification Notices. Copies of any formal complaints and/or decertification notices that have been filed against the proposed system. This documentation must clearly identify the jurisdiction filing the complaint or decertification notice and give the details of the resolution.
(viii)Test Data/Software (Optional). Any available test data, ballot decks, and/or software that can be used to demonstrate the various functions of the voting system. Although optional, these items can significantly reduce the effort, and hence the time and cost, involved in the evaluation of the system.

Ga. Comp. R. & Regs. R. 590-8-1-.01

O.C.G.A. Secs. 21-2-1, 21-2-50, 21-2-253, 21-2-368, 21-2-379.2.

Original Rule entitled "Certification of Voting Equipment" adopted. F. Jan. 21, 1988; eff. Feb. 10, 1988.
Repealed: New Rule entitled "Certification of Voting Systems" adopted. F. Mar. 28, 2005; eff. Apr. 17, 2005.