Elections: Federal Programs for Accrediting Laboratories That Test Voting Systems Need to Be Better Defined and Implemented

GAO-08-770 September 9, 2008
Highlights Page (PDF)   Full Report (PDF, 54 pages)   Accessible Text   Recommendations (HTML)

Summary

The 2002 Help America Vote Act (HAVA) created the Election Assistance Commission (EAC) and assigned both it and the National Institute of Standards and Technology (NIST) responsibilities for accrediting laboratories that test voting systems. NIST assesses a laboratory's technical qualifications and makes recommendations to EAC, which makes a final accreditation decision. In view of the continuing concerns about voting systems and the important roles that NIST and EAC play in accrediting the laboratories that test these systems, GAO was asked to determine whether each organization has defined an effective approach for accrediting laboratories that test voting systems and whether each is following its defined approach. To accomplish this, GAO compared NIST and EAC policies, guidelines, and procedures against applicable legislation and guidance, and reviewed both agencies' efforts to implement them.

NIST has largely defined and implemented an approach for accrediting voting system testing laboratories that incorporates many aspects of an effective program. In particular, its approach addresses relevant HAVA requirements and reflects relevant laboratory accreditation guidance, including standards accepted by the international standards community. However, NIST's defined approach does not, for example, cite explicit qualifications for the persons who conduct accreditation technical assessments, as called for in federal accreditation program guidance. Instead, NIST officials said that they rely on individuals who have prior experience in reviewing such laboratories. Further, even though the EAC requires that laboratory accreditation be based on demonstrated capabilities to test against the latest voting system standards, NIST's defined approach has not always cited these current standards. As a result, two of the four laboratories accredited to date were assessed using assessment tools that were not linked to the latest standards. Moreover, available documentation for the four laboratory assessments was not sufficient to determine how the checklists were applied and how decisions were reached. According to NIST officials, the four laboratories were consistently assessed. Moreover, they said that they intend to evolve NIST's accreditation approach to, for example, clearly provide for sufficient documentation of how accreditation reviews are conducted and decisions are reached. However, they had yet to develop specific plans for accomplishing this. EAC recently developed a draft laboratory accreditation program manual, but this draft manual does not adequately define all aspects of an effective approach, and it was not used in the four laboratory accreditations performed to date. Specifically, while this draft manual addresses relevant HAVA requirements, such as the requirement for the commissioners to vote on the accreditation of any laboratory that NIST recommends for accreditation, it does not include a methodology governing how laboratories are to be evaluated or criteria for granting accreditation. Because the manual was not approved at the time EAC accredited four laboratories, these accreditations were governed by a more broadly defined accreditation review process that was described in correspondence sent to each laboratory and a related document receipt checklist. As a result, these accreditations were based on review steps that were not sufficiently defined to permit them to be executed in a repeatable manner. According to EAC officials, including the official who conducted the accreditation reviews for the four laboratories, using the same person to conduct the reviews ensured that the steps performed on the first laboratory were repeated on the other three. However, given that both the steps and the results were not documented, GAO could not verify this. EAC officials stated that they intend to evolve the program manual over time and apply it to future accreditations and reaccreditations. However, they did not have specific plans for accomplishing this. Further, although EAC very recently approved an initial version of its program manual, this did not occur until after EAC provided comments, and GAO had finalized, this report.



Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow up work.

Director:
Team:
Phone:
Randolph C. Hite
Government Accountability Office: Information Technology
(202) 512-6256


Recommendations for Executive Action


Recommendation: To help NIST in evolving its Voting System Testing Laboratory (VSTL) accreditation program, the Director of NIST should ensure that the accreditation program manager develops and executes plans that specify tasks, milestones, resources, and performance measures that provide for establishing and implementing transparent requirements for the technical qualifications and training of accreditation assessors.

Agency Affected: Department of Commerce: National Institute of Standards and Technology

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To help NIST in evolving its VSTL accreditation program, the Director of NIST should ensure that the accreditation program manager develops and executes plans that specify tasks, milestones, resources, and performance measures that provide for ensuring that each laboratory accreditation review is fully and consistently documented in accordance with NIST program requirements.

Agency Affected: Department of Commerce: National Institute of Standards and Technology

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To help EAC in evolving its VSTL accreditation program, the Chair of the EAC should ensure that the EAC Executive Director develops and executes plans that specify tasks, milestones, resources, and performance measures that provide for establishing and implementing practices for the VSTL accreditation program consistent with accreditation program management guidance published by NIST and GAO, including (1) documentation of specific accreditation steps and criteria to guide assessors in conducting each laboratory review; (2) transparent requirements for the qualifications of accreditation reviewers; (3) requirements for the adequate maintenance of records related to the VSTL accreditation program; and (4) requirements for determining laboratory financial stability.

Agency Affected: Election Assistance Commission

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.