Introduction

States and localities choose the voting systems used in elections in the United States. They decide which systems to use and contract with vendors as necessary to acquire and maintain them.

The federal government plays a role, though, in shaping the systems available for states and localities to choose from. First, federal law sets some mandatory standards voting systems must meet, including standards for their functionality and their accessibility to individuals with disabilities, older individuals, and members of language minority groups.¹

Second, federal law provides for a program, overseen by the U.S. Election Assistance Commission (EAC), to develop and update voluntary federal guidelines for voting systems and test and certify systems to the guidelines. The federal voting system testing and certification program was designed as a service to states and localities, and use of systems that conform to the EAC's Voluntary Voting System Guidelines (VVSG) is voluntary under federal law.² However, widespread adoption of the program by states under their own state laws means that the VVSG have significant influence in practice,³ shaping the kinds of voting systems vendors develop and market.⁴

This report provides an overview of the federal standards and guidelines that shape the voting systems used in U.S. elections. It starts by describing how those federal standards and guidelines fit into a broader system of checks on voting systems, then summarizes the current standards and guidelines and related legislative activity. The report closes by introducing some considerations that may be of interest to Members who are considering whether or how to engage with federal voting system policy.

Scope of the Report

This report focuses on federal standards and guidelines for systems that are used for in-person voting on Election Day and covered by the definition of "voting system" in the Help America Vote Act of 2002 (HAVA; P.L. 107-252; 52 U.S.C. §§20901-21145) or VVSG 2.0, the current version of the VVSG (for details of those definitions, see Table 1). Specifically, it focuses on (1) mandatory federal standards for features of the equipment and materials used in those systems, including features and practices of the private-sector vendors and laboratories that produce and test them, and (2) the VVSG and the federal voting system testing and certification program.

With the exception of some of the discussion of proposals to expand the scope of current federal standards and guidelines in the "Legislative Activity" and "Potential Considerations for Congress" sections, this report does not generally aim to address (1) election administration processes, such as chain of custody procedures and poll worker training;⁵ (2) voluntary federal guidance other than the VVSG, such as the best practices for securing voting systems issued by the U.S. Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Agency (CISA);⁶ (3) election systems other than voting systems, such as voter registration databases and election management software; or (4) voting methods other than in-person Election Day voting, such as early and mail voting. For more on some of those topics, see CRS In Focus IF11285, Election Security: Voter Registration System Policy Issues, by Sarah J. Eckman; and CRS In Focus IF11477, Early Voting and Mail Voting: Overview & Issues for Congress, by Sarah J. Eckman and Karen L. Shanton.

Background

Policymaking about voting systems includes choices about

• how voting systems are intended to function, and
• how to check that they function as intended.

Federal voting system standards and guidelines fall into the first of those categories, and testing and certification of systems to the guidelines falls into the second. Both types of federal involvement primarily play a role early in the lifecycle of voting systems, helping shape the types of systems vendors develop and market.

Other public- and private-sector stakeholders play roles throughout the voting system lifecycle and each election cycle. First, states and localities may set their own standards for how the voting systems they use are intended to function, in addition to the mandatory federal standards and any voluntary federal guidelines they choose to follow.

Second, states, localities, and voting system vendors take various steps to check that their voting systems function as intended. Depending on the system and jurisdiction, those steps might include

• Vendor testing. Voting system vendors typically conduct internal tests of their systems during development and before submitting them for state and federal certification or use by states and localities.⁷ Vendors may also take advantage of voluntary technical assistance offered by federal agencies, such as the open-ended vulnerability assessments available under CISA's Critical Product Evaluation program.⁸
• State testing and certification. State-level testing and certification works similarly to federal testing and certification. It typically involves checking sample voting systems for conformance to state-specific requirements.
• Acceptance testing. Acceptance testing is conducted on the actual equipment that will be used in elections when it is initially delivered to a jurisdiction by the vendor or returned to the jurisdiction after leaving election officials' control, such as for servicing. It is intended to check that the equipment works correctly and meets all the conditions in the jurisdiction's contract with the vendor.⁹
• Logic and accuracy (L&A) testing. L&A testing is carried out before an election, after the election, or both. It is designed to ensure that the equipment used in the election works correctly and has been configured with the right information for the election, such as the correct candidate names, precinct boundaries, and ballot counting logic. It typically involves casting a known pattern of test votes and confirming that the results reported by the voting system match the expected outcomes.¹⁰
• Parallel testing. Parallel testing, which is conducted during an election, involves testing randomly selected equipment in conditions that are as similar as possible to the conditions in the polling place. It is intended to help catch problems that might not be identified by checking the equipment in test mode or before or after an election, such as malicious code that is programmed to run only when the polls are open.¹¹
• Post-election audits. Post-election audits, which typically involve checking a sample of paper records of votes against the election outcomes reported by the voting system, are intended to check whether the equipment accurately captured and counted voters' selections. Some types of post-election audits, such as risk-limiting audits, offer a specific degree of confidence that the outcomes reported by the voting system are the outcomes officials would get if they counted all of the paper records by hand.¹²

Federal standards, guidelines, testing, and certification are, therefore, part of a broader system of checks on voting systems.

Origins and Overview of Federal Standards and Guidelines

Voting in the early 20^th century was a relatively low-tech process. Voters marked their selections by hand on paper ballots that were counted by hand, for example, or by pulling levers on a machine that advanced a physical counter for each selection.¹³

The second half of the century, however, saw the introduction of computerized voting systems. Computers were first used—as part of the punch card and optical scan voting systems introduced in the 1960s—to count votes marked on paper ballots. Direct-recording electronic (DRE) voting machines, which debuted the following decade, record voter selections directly into computer memory.¹⁴ For more on the main types of voting systems that have been used for in-person voting in federal elections since the early 20^th century, see Table 2.

Concerns about reports of problems with computerized systems prompted a 1975 study of computerized vote tallying by the National Bureau of Standards (NBS; now known as the National Institute of Standards and Technology, or NIST). Among other recommendations, the study proposed establishing federal guidelines to help states and localities ensure the accuracy and security of their systems.¹⁵

Congress followed up on that recommendation by first directing the Federal Election Commission (FEC) and NBS to study voluntary guidelines for voting systems and then providing the FEC funding to develop such guidelines.¹⁶ The FEC issued the first voluntary federal guidelines for voting systems in 1990, with an update in 2002.¹⁷ The National Association of State Election Directors (NASED), a professional association for state election officials, launched a program in 1994 to test and certify systems to the guidelines.¹⁸

The 1975 NBS report and 1990 FEC guidelines focused primarily on the basic functionality of voting systems—whether they were secured against errors and interference, accurately and reliably capturing and counting voters' selections—and public confidence in their functionality. The period from 1975 to 1990 also saw federal interest in access to voting systems. Federal legislation enacted during that period aimed to ensure that voting systems were accessible to members of language minority groups and to individuals with disabilities and older individuals.

Both functionality and accessibility also featured in the most recent major federal statute on this topic, HAVA. A decade after the federal government had first issued voluntary guidelines for voting systems, problems with voting systems contributed to controversy over the 2000 presidential election. Congress responded to those problems, in part, by revisiting federal involvement in voting system standards and guidelines. Its primary legislative response to the problems with the administration of the 2000 elections, HAVA, specified mandatory federal standards for voting system functionality and accessibility and established new federal processes for developing voluntary voting system guidelines and testing and certifying systems to them.¹⁹

Mandatory Standards

Some voters voted in the 2000 elections on punch card voting systems, punching out pieces of card known as "chads" that corresponded to their selections. Accidental marks or incomplete punches resulted in some ballots with chads that were dimpled or partially removed instead of fully detached. Difficulty discerning voter intent from those "pregnant" and "hanging" chads contributed to disputes over the Florida vote count that delayed resolution of the 2000 presidential election for weeks.²⁰

The layout of the ballots in Florida's Palm Beach County added further complications in 2000. In an effort to make ballots more readable for older voters, the county's clerk increased the font size and spread the presidential candidates' names across two pages with a column of punch holes in the middle. Some county voters, confused by the "butterfly" layout of the ballot, marked their ballots for a different presidential candidate than the one they intended to support.²¹

The problems with Florida's punch card systems were the highest-profile problems with voting systems in 2000, but post-election investigations also flagged others. Lever machines and DREs without a voter verifiable paper audit trail (VVPAT) could jam or malfunction, for example, and did not produce paper records that could be used to reconstruct votes cast on a jammed or malfunctioning machine. Some types of voting systems registered higher rates of uncounted ballots, overvotes (more selections for a given contest than permitted), and undervotes (fewer selections for a given contest than permitted) than others.²²

Post-2000 election investigations also highlighted problems with voting system accessibility. Federal statutes and regulations had established some accessibility standards for voting systems before the 2000 elections. A 1975 amendment (P.L. 94-73) to the Voting Rights Act of 1965 (VRA; P.L. 89-110) introduced requirements for certain states and localities to provide voting materials in the languages of applicable language minority groups.²³ The Voting Accessibility for the Elderly and Handicapped Act of 1984 (VAEHA; P.L. 98-435; 52 U.S.C. §§20101-20107) required states to make voting aids like large print instructions and telecommunications devices available for federal elections.²⁴ The Americans with Disabilities Act of 1990 (ADA; P.L. 101-336; 42 U.S.C. §§12101-12213) included a broad prohibition on excluding individuals with disabilities from public services that had various implications for voting systems.²⁵

However, representatives of those groups reported encountering continued obstacles to voting in 2000. Some voting systems were inaccessible to individuals with disabilities, for example, leaving them unable to cast a secret ballot or, in some cases, any ballot at all.²⁶ The bilingual voting materials mandated by the VRA were not always available.²⁷

Congress responded to the reports of problems with the administration of the 2000 elections, in part, with mandatory federal standards for voting systems. Title III of HAVA requires states to specify what counts as a vote for each type of voting system they use in federal elections and election officials to post certain federal election materials, such as voting instructions and sample ballots, at the polls.²⁸ Title III also requires voting systems used in federal elections to

• offer voters the opportunity to check and correct their ballots before they are cast and counted,
• notify voters about overvoting,
• produce a manually auditable permanent paper record,
• provide for accessibility for individuals with disabilities,
• provide for accessibility for members of language minority groups as required by Section 203 of the VRA, and
• comply with the error rate standards specified by the FEC guidelines that were in effect when the act was enacted.²⁹

HAVA reserved discretion about exactly how to meet its Title III requirements to the states but directed the EAC to issue guidance for implementing them and provided for enforcement through state-based administrative complaint procedures and civil action by the U.S. Department of Justice (DOJ).³⁰

Voluntary Guidelines

Congress helped fund development of the FEC's voluntary voting system guidelines, but it did not explicitly assign the agency authority for developing or maintaining them.³¹ It also did not charge the FEC—or any other federal agency—with overseeing testing or certification of systems to the guidelines. That responsibility was undertaken, instead, by NASED.³²

Investigations into the problems with voting systems in 2000 prompted proposals to revisit the federal role in voting system guidance. A 2001 report from the U.S. General Accounting Office (GAO; now known as the U.S. Government Accountability Office) found that the FEC guidelines were not sufficiently comprehensive or current, for example, and suggested assigning federal agencies explicit responsibility for voting system guidelines, testing, and certification.³³ A commission led by former Presidents Gerald Ford and Jimmy Carter endorsed similar federal authorities in a report released the same year, with specific recommendations to consult with state and local officials and reserve a role for NIST.³⁴

Congress took up those recommendations in HAVA. HAVA created a new federal agency dedicated to election administration, the EAC, and authorized it to (1) develop and maintain the VVSG, and (2) oversee testing and certification of voting systems to the guidelines. The act provided for consultation on those processes with state and local officials—as well as a range of other elections stakeholders—and technical assistance from NIST with carrying them out.

Development and Maintenance

The EAC consists of an appointed commission, a professional staff led by an executive director and general counsel, an Office of Inspector General (OIG), an agency-created Local Leadership Council (LLC), and three statutory advisory bodies: the Technical Guidelines Development Committee (TGDC), the Board of Advisors, and the Standards Board. For details of the memberships of these three statutory advisory bodies, see Table 3.³⁵

The TGDC is charged by HAVA with helping the executive director of the EAC develop draft VVSG (for an illustration of the process for developing the VVSG and an overview of federal responsibilities for the process, see Figure 1 and Table 4, respectively). The act directs NIST to provide technical support for that work on request, including through research on topics such as voting system security, fraud prevention and detection, voter privacy protections, human factors, and remote access voting.³⁶

Once developed by the TGDC, the draft VVSG are shared with the Board of Advisors, the Standards Board and its Executive Board, and the general public for review and comment before they are submitted to the EAC's commissioners for a vote on adoption. HAVA specifically mandates opportunities for public comment and a public hearing on the VVSG, as well as publication in the Federal Register of the TGDC's recommendations, notice of proposed guidelines, and the final guidelines.³⁷ Adoption of the VVSG requires approval by a three-vote quorum of the EAC's four-member commission.³⁸

The EAC's commission adopted the first version of the VVSG, VVSG 1.0, in December 2005.⁵² The departures of commissioners in 2009 and 2010 and resulting loss of numbers for a quorum contributed to delaying—and scaling back the agency's ambitions for—an update to those initial guidelines.⁵³ VVSG 1.1, which was a relatively minor modification of VVSG 1.0, was adopted in March 2015.⁵⁴

The delay in updating the VVSG introduced challenges for states, localities, and voting system vendors. Some reported that the delay made it more difficult for them to address emerging security threats and vulnerabilities, for example, or limited their capacity or incentive to take advantage of new technological innovations.⁵⁵

Those challenges prompted exploration of a different approach to the next update. VVSG 1.0 and VVSG 1.1 were lengthy documents that were intended to provide enough technical detail to enable vendors to build voting systems to the guidelines. The project charter the TGDC released for VVSG 2.0 in 2016 proposed replacing that detailed technical guidance with a set of high-level principles and guidelines.⁵⁶ Under the proposal, the EAC would still produce detailed technical requirements to help guide manufacture of systems to the principles and guidelines, but those requirements would not officially be part of the VVSG or subject to approval by the agency's commissioners.⁵⁷ As a result, updates to the high-level principles and guidelines would require a commission vote, but the more technical requirements could be maintained by the agency's professional staff.⁵⁸

That proposed division of responsibilities between the EAC's commission and its professional staff was ultimately not implemented, following an internal legal opinion questioning its permissibility under HAVA.⁵⁹ The EAC did, however, retain the structure proposed by the TGDC. VVSG 2.0, which the commissioners adopted in February 2021, is divided into high-level principles and guidelines and more detailed technical requirements (for the list of high-level principles and guidelines, see the Appendix).⁶⁰

Figure 1. Process for Developing the Voluntary Voting System Guidelines (as specified by the Help America Vote Act of 2002)

Sources: CRS, based on review of the U.S. Code. Note: The process presented in this figure is as specified in statute.

The EAC also developed a lifecycle policy that agency leadership has described as intended to help promote more regular updating of the VVSG.⁶¹ The policy, which was adopted by the commissioners in April 2022 and updated in October 2022, establishes a 12-month review cycle that includes opportunities for the EAC's statutory advisory bodies and the public to propose changes to the VVSG and culminates in a decision by the agency's executive director about whether to initiate an update.⁶²

Testing and Certification

The EAC's new lifecycle policy also aims to address another concern some have raised about the VVSG. Although an update to VVSG 1.0 was adopted in 2015, vendors could continue to submit voting system modifications for testing to the first version of the guidelines, and they generally opted to do so; no voting systems were ever certified to VVSG 1.1.⁶³ Under the new policy, by contrast, most testing to previous iterations of the VVSG is supposed to be discontinued 12 months after the first voting system test laboratory (VSTL) is accredited to test systems to a new version.⁶⁴

The first VSTL was accredited to test systems to the current iteration of the VVSG, VVSG 2.0, in November 2022.⁶⁵ As with adoption of the VVSG, accreditation of labs to test voting systems to the guidelines—and revocation of accreditation, if necessary—requires approval by a three-vote majority of the EAC's commissioners.⁶⁶

Also as with the VVSG, HAVA assigns NIST a technical support role in lab accreditation. The act directs NIST to make accreditation recommendations to the EAC's commission and, in cooperation with the commission and consultation with the Board of Advisors and Standards Board, to monitor and review VSTL performance (for an overview of federal responsibilities for voting system testing and certification, see Table 4).⁶⁷

NIST's VSTL accreditation work, which is carried out by its National Voluntary Laboratory Accreditation Program (NVLAP), is primarily aimed at ensuring VSTLs have the technical competency to conduct the necessary testing.⁶⁸ Other requirements for EAC accreditation address other aspects of test labs' operations, such as their finances and hiring practices. For example, labs interested in accreditation must provide the EAC with recent annual reports and financial statements and certify that they do not hire staff for roles related to voting system testing who have been convicted of a felony or other criminal offense involving fraud, misrepresentation, or deception.⁶⁹

Vendors who are interested in submitting voting systems for federal certification also must provide information about their operations, such as their organization and ownership, in order to register with the EAC.⁷⁰ Once registered, they can submit voting systems for certification. VSTLs check that the systems that vendors submit are ready for testing, including by conducting penetration testing and a preliminary source code review, and then test them for conformance to the VVSG.⁷¹

Confirmation by an EAC-accredited VSTL that a vendor's voting system conforms to the VVSG is the primary requirement for federal certification. The vendor must also document to the EAC that the system's software has been subjected to a "trusted build" and deposited in an EAC-approved repository and that it can be verified using the vendor's system identification tools.⁷² Decisions about certification are made by the EAC's executive director or the executive director's designee and subject to appeal to an Appeal Authority consisting of two or more EAC commissioners or commission appointees (for an illustration of the certification process, see Figure 2).⁷³

Figure 2. Process for Certifying Voting Systems to the Voluntary Voting System Guidelines

Source: CRS, based on review of EAC, Voting System Testing and Certification Program Manual Version 3.0, November 15, 2022, at https://www.eac.gov/sites/default/files/TestingCertification/Testing%20and%20Certification%20Program%20Manual%20Version%203.0%20(2).pdf.

Vendors with certified systems must also meet program requirements after certification. For example, they must notify the EAC of any malfunctions of their fielded voting systems and participate in the agency's Quality Monitoring Program.⁷⁴ The Quality Monitoring Program, which is intended to supplement but not substitute for vendor quality control, involves EAC review of vendor manufacturing facilities and fielded voting systems, state and local reporting on voting system anomalies, and vendor submission of technical bulletins and product advisories.⁷⁵

Failure to comply with such requirements could potentially lead to decertification of a certified system. The EAC's testing and certification program manual lists the following as grounds for decertification: (1) the voting system does not conform to the applicable VVSG; (2) the system has been modified or changed without following the manual's requirements; and (3) the vendor did not follow the manual's procedural requirements and the quality, configuration, or compliance of the system is in question. Decertifying a voting system can have significant consequences—including for the states, localities, and voters that use it—so the EAC offers vendors opportunities to resolve issues before proceeding with decertification.⁷⁶

Legislative Activity

HAVA established general procedures for developing the VVSG and for testing and certifying voting systems to the guidelines, but, as is often the case with statutory language, it did not specify all the details of how the procedures should work or what they should cover. Those specifics have been filled in by the EAC, its advisory bodies, and NIST, with input from the public. Some Members of Congress have introduced legislation to codify, change, or supplement those choices, offering bills on the VVSG development, testing, and certification processes or the scope of the guidelines.

Some Members have also proposed expanding the scope of mandatory federal standards for voting systems. The VVSG have significant influence in practice, as noted in the "Introduction" to this report, because many states have adopted some or all of the federal voting system testing and certification program. However, there are relatively few actual federal mandates for voting systems. While some Members favor limited involvement by the federal government in this area, others have seen a role for new federal requirements.

VVSG Development, Testing, and Certification Processes

HAVA provided for input by a range of elections stakeholders into VVSG development, testing, and certification by assigning roles in the processes to the EAC's statutory advisory bodies. The TGDC is charged with helping develop draft VVSG, and the Board of Advisors and Standards Board are responsible for reviewing the draft guidelines and consulting on VSTL monitoring and review (see Table 4).

The act explicitly designated seats on one or more of the advisory bodies for representatives of various types of interests and expertise (see Table 3 for details), but not all potential stakeholders are guaranteed a seat. For example, none of the EAC's advisory bodies is required by HAVA to include representatives of voting system vendors or new stakeholders that have emerged since the act's enactment, such as DHS.⁷⁷

Some of those stakeholders have been added to the advisory bodies in practice through appointment in other capacities. Representatives of voting system vendors and DHS have each been appointed to the TGDC in their capacities as technical experts, for example.⁷⁸ However, some legislation would formalize their participation. Some Members have proposed adding the Secretary of Homeland Security or the Secretary's designee to the Board of Advisors, for example, or adding representatives of CISA or the voting system manufacturing industry and voting system usability and accessibility sector to the TGDC.⁷⁹

The bills described above focus on the participants in VVSG-related processes. Other legislative proposals would address the processes themselves. First, Members have introduced legislation related to development of the guidelines. The technical support function HAVA assigned NIST is a central part of the VVSG development process. NIST's research can inform choices about what to include in the guidelines, for example, and help develop technologies or methodologies that make them easier to implement.⁸⁰ Some bills would direct the agency to conduct research on particular topics related to voting systems, such as E2E-V systems and post-election audits, or to provide for voting system research, such as by administering a voting system research grant program or establishing a center of excellence in election systems.⁸¹

Second, Members have offered legislation related to voting system testing and certification. Some of those bills have focused on the technical side of testing and certification, specifying certain types or timing of testing. For example, some Members have proposed codifying inclusion of penetration testing in the testing and certification process or requiring retesting of federally certified systems for conformance to the VVSG before each regular federal general election.⁸²

Other bills have addressed procedural aspects of testing and certification, such as conflicts of interest and transparency. Vendors currently choose and pay VSTLs for testing to the VVSG. Concerns about potential conflicts of interest have prompted some to propose a different funding arrangement, in which vendors would pay into a revolving fund or escrow account that would be used to fund testing, or codification of conflict-of-interest requirements for vendors or VSTLs.⁸³ Some Members have also proposed codifying access to information about voting system testing and certification. For example, they have introduced measures that would require VSTLs to allow the EAC to observe testing or require the EAC to disclose certain information about testing and certification to election officials or the general public.⁸⁴

Scope of the VVSG

The VVSG cover voting systems as defined by the EAC, its advisory bodies, and NIST (for details of the definition of "voting system" used to set the scope of VVSG 2.0, see Table 1).⁸⁵ That means many of the systems used to administer elections—from the databases that store voter registration information to electronic poll books (e-poll books) used for voter check-in—are not addressed by the guidelines or subject to federal testing and certification.⁸⁶

Problems with those systems can have significant consequences. For example, inaccurate or incomplete voter registration information could discourage or prevent eligible voters from casting ballots.⁸⁷ Reports of crashing or freezing e-poll books could be used to spread misinformation, undermining voter confidence.⁸⁸

Much as problems with voting systems spurred support for federal voting system guidelines, concerns about such potential consequences have prompted some to propose federal guidance for other election systems.⁸⁹ Federal agencies have taken some action on such proposals under their existing authorities. For example, various agencies have issued best practices for nonvoting election systems,⁹⁰ and the EAC has launched pilot programs to test and develop guidelines for them.⁹¹

Some Members have also introduced bills to expand the scope of federal testing and certification to include new systems. For example, they have offered legislation that would extend the VVSG and federal testing and certification to e-poll books and remote ballot-marking systems.⁹²

In addition to expanding the scope of the systems covered by the VVSG, some Members have proposed codifying or expanding the scope of the guidelines' subject matter. HAVA does not explicitly say what the VVSG should cover. Floor proceedings on the act and the issues it lists as possible subjects of research by NIST might offer a sense of the kinds of topics Congress had in mind,⁹³ but the text of HAVA leaves open choices about exactly what to address.⁹⁴

Some legislative proposals would codify or add some specifics. Some Members have introduced legislation to require the VVSG to include guidelines for securing data transmitted electronically to or from voting systems, for example, or to direct the TGDC to issue election cybersecurity guidelines and the EAC to provide for testing and certification to them.⁹⁵

Scope of Mandatory Standards

Congress has used mandatory standards for voting systems to try to advance general objectives for the administration of elections, such as in VAEHA and the VRA. It has also set requirements for voting systems in response to developments in particular election cycles. HAVA's voting system standards, for example, were largely a response to problems highlighted by the 2000 elections.

Similar considerations have prompted proposals to add new standards. Some Members have proposed setting new requirements for voting systems as part of attempts to advance long-standing elections objectives, such as accurately capturing and counting voters' selections, and in response to developments in specific cycles, such as foreign efforts to interfere in the 2016 elections.

Some of those proposals would establish or codify standards for the vendors who manufacture and maintain voting systems used in federal elections. For example, some Members have proposed limiting foreign ownership or control of voting system vendors and requiring vendors to build their systems in the United States, use only domestically sourced parts, or disclose any foreign sourcing.⁹⁶ They have proposed requiring vendors to report certain security incidents; ensure that their information technology infrastructure meets certain cybersecurity standards; and share information about their voting system software, such as by depositing a copy of the software in an approved repository, disclosing its source code, or reporting certain information about the staff involved in developing it.⁹⁷

Other bills would set standards for the voting systems themselves. One such proposal, which has been introduced in similar form in each Congress since HAVA's enactment in the 107^th Congress, would require voting systems used in federal elections to produce individual paper records that can be verified by voters and manually audited by election officials.⁹⁸ Other examples include proposals to set mandatory standards for voting system cybersecurity and accessibility, require voting systems to support instant runoff voting, prohibit wireless components or internet connectivity, and mandate compliance with interoperability and auditability provisions of the VVSG.⁹⁹

Potential Considerations for Congress

Policymaking about voting systems comes with some complexities. First, voting systems are expected to achieve many different objectives. They are expected to capture and count votes accurately and reliably, for example, and to offer the public confidence that they do so. They have to be accessible to individuals with disabilities and usable by voters and election workers, protect voter privacy and ballot secrecy, and facilitate timely reporting of election results.

Standards or guidelines that are intended to advance one of those objectives could introduce challenges for achieving others. For example, requirements aimed at increasing the security of voting systems could affect their usability or accessibility.¹⁰⁰ Efforts to expedite results reporting could make it more difficult to ensure—or assure the public—that voting systems are secure.¹⁰¹

Second, implementation of voting systems is subject to some practical constraints. With a few exceptions, voting systems are financed by states and localities and compete for limited state and local funds with other priorities like potholes and policing.¹⁰² Implementing voting systems involves various, often cost- and time-intensive processes—from the checks described in the "Background" section of this report to state and local procurement processes to voter education and poll worker training—and is bound by state limits on preelection changes and the firm deadline of Election Day.¹⁰³

Those practical constraints help shape the dynamics of the voting system market. States and localities tend not to replace their voting systems often and to be price sensitive when they do.¹⁰⁴ The limited demand for new systems, combined with barriers to entry like the high upfront costs of testing and certification and potential reputational risks of misinformation or missteps, means that the market is relatively small with limited capacity to influence its suppliers.¹⁰⁵ The irregularity of the demand means that much of vendors' revenue comes from license and support fees rather than new equipment sales or leases, limiting the incentive to invest in innovation.¹⁰⁶

New voting system standards or guidelines have the potential to interact with those practical constraints and market dynamics in ways Members might not intend. Some requirements might be at odds with the practical realities of producing and implementing voting systems, making it difficult or impossible for vendors or states and localities to meet them.¹⁰⁷ For example, voting system vendors testified at a 2020 hearing that they would not be able to comply with a requirement to source all of their components domestically because some of the parts they need are not manufactured in the United States and they do not have the market power to change their suppliers' practices.¹⁰⁸ Some state and local officials reported in discussions of a bill introduced in the 110^th Congress that they would not be able to implement the proposed changes to their voting systems on the timeline laid out in the bill.¹⁰⁹

Increased costs or practical challenges of meeting new standards or guidelines could also prompt voting system vendors to exit or opt against entering the space, further consolidating the market and potentially limiting state and local access to technical support for existing systems.¹¹⁰ Financial or practical hurdles could lead some states to opt out of federal testing and certification,¹¹¹ limiting the influence of the VVSG not only in those states but also in general.¹¹²

The complexities of voting system policymaking might prompt Congress to keep the federal status quo on voting systems in place. Congress might choose to leave changes to voting system policy, if any, to states and localities.

Alternatively, Members might choose to consider whether or how to account for the complexities when designing standards and guidelines, balancing their overarching priorities for voting systems against other objectives and practical constraints. For example, they might set deadlines in consultation with election officials or offer flexibility about how standards and guidelines are implemented, specifying what voting systems should do rather than exactly how they should do it.¹¹³

Another possible option for Members interested in engaging with voting system policy might be to explore avenues other than standards and guidelines. Some have proposed using other legislative tools to advance voting system priorities, such as

• Funding. Congress can use federal funding to facilitate or incentivize choices about voting systems, including by limiting use of funding to systems with certain features or to systems or services from vendors who meet certain criteria. For example, multiple bills in the 117^th Congress, including the Election Security Act of 2022 (S. 5332) and the For the People Act of 2021 (H.R. 1/S. 1/S. 2093), would have authorized funding for voting systems that met certain conditions or goods and services from "qualified election infrastructure vendors" who complied with certain requirements.
  
  Funding might also be used to shape the voting system market itself. Some bills, such as the Freedom to Vote Act (S. 2747) and the Freedom to Vote: John R. Lewis Act (H.R. 5746) in the 117^th Congress and the Sustaining Our Democracy Act (S. 630) in the 118^th Congress, would provide for ongoing funding states could use to upgrade their voting systems. Such a consistent stream of federal funding might shift dynamics of the current voting system market that are shaped by the limited and irregular demand for new equipment.¹¹⁴
• Research. Federal agency research, or agency-funded research, can help identify both general improvements to voting systems and solutions to specific voting system-related problems. For example, HAVA authorized a pair of election technology research grant programs at the EAC that have been used for Accessible Voting Technology, Military Heroes, and Pre-Election Logic and Accuracy Testing and Post-Election Audit initiatives, and NIST led development of common formats for elections data.¹¹⁵ The Defense Advanced Research Projects Agency (DARPA) has also contributed to advancing development of a secure, open-source voting system, and the National Science Foundation (NSF) has awarded grants for voting technology research.¹¹⁶
  
  Some Members have introduced bills that would provide for other voting system research or research grant programs. Those bills include the NIST research proposals described in the "VVSG Development, Testing, and Certification Processes" section of this report, as well as the proposals to assign voting system research or research grant programs to other agencies in legislation like the 115^th Congress's Protecting the American Process for Election Results (PAPER) Act (H.R. 3751) and Election Infrastructure and Security Promotion Act of 2017 (H.R. 1907); the 116^th Congress's Election Security Assistance Act (H.R. 3412) and Election Technology Research Act of 2020 (H.R. 4990); and the 117^th Congress's Accessible Voting Act of 2021 (H.R. 2941/S. 1470), Securing America's Elections Act of 2021 (H.R. 4384), and Election Security Act of 2022 (S. 5332).¹¹⁷
• Technical assistance. Technical assistance from federal agencies can help states, localities, and vendors carry out work on their voting systems that they might not choose to do—or lack the technical or financial capacity to do—on their own. For example, the EAC has initiated a Field Services Program to help states and localities monitor the quality of their voting systems and provided assistance with implementing risk-limiting audits.¹¹⁸ CISA has offered states, localities, and vendors a range of election security services, such as risk and vulnerability assessments, cyber hygiene scans, and the open-ended vulnerability assessments available under its Critical Product Evaluation Program.¹¹⁹
  
  Some Members have proposed codifying some of the assistance federal agencies currently offer or establishing new kinds of agency support. The 116^th Congress's Election Security Act of 2019 (H.R. 2660/S. 1540) and the 117^th Congress's For the People Act of 2021 (H.R. 1/S. 1/S. 2093) would have codified CISA's risk and vulnerability assessments, for example, and the 117^th Congress's American Confidence in Elections (ACE) Act (H.R. 8528) would have provided for voluntary cybersecurity vulnerability testing by CISA and the EAC. The 116^th Congress's Election Security Assistance Act (H.R. 3412) would have established an Election Cyber Assistance Unit at the EAC, and the 117^th Congress's Accessible Voting Act of 2021 (H.R. 2941/S. 1470) would have created an EAC Office of Accessibility and National Resource Center on Accessible Voting.

Members might also choose to consider acting on other congressional authorities, such as oversight or appointment authorities, instead of or in addition to pursuing legislation. For example, as noted in the "Voluntary Guidelines" section of this report, updates to the VVSG and accreditation of labs to test systems to the guidelines require approval by a three-vote majority of the EAC's commissioners, and lack of a quorum has sometimes delayed that work. HAVA assigns Congress roles in recommending and confirming candidates for the commission, and some Members might choose to focus on ensuring the continued availability of a quorum.

Appendix. Principles and Guidelines of Voluntary Voting System Guidelines 2.0 (VVSG 2.0)