The manufacturerSHALL submit to the test lab a Technical Data Package conforming to the requirements of Part 2: Chapter 3: ”Technical Data Package (manufacturer)”.

If needed for compliance with Part 3: 2.4.3.4 “Unmodified COTS verification”, the manufacturer SHALL supply the system with the COTS components omitted, for subsequent integration performed by or witnessed by the test lab.

The hardware submitted for conformity assessment SHALL be equivalent, in form and function, to the actual production version of the hardware units specified for use in the TDP.

The firmware and software submitted for conformity assessment SHALL be the exact firmware and software that will be used in production units.

Developmental prototypes SHALL NOT be submitted unless the manufacturer can show that the equipment to be tested is equivalent to standard production units both in performance and construction.

Benchmark directory listings SHALL be submitted for all software/firmware elements (and associated documentation) included in the manufacturer's release as they would normally be installed upon setup and installation.

The test lab SHALL assemble the build environment(s) used to create executable code including application logic, border logic, and third party logic.

At least one representative from the manufacturer SHALL witness the assembly of the build environment.

A representative from the test lab SHALL create a build environment establishment record that includes at a minimum: a unique identifier (such as a serial number) for the record; a list of unique identifiers of unalterable storage media associated with the record; the time, date, and location the build environment was established; names, affiliations, and signatures of all people present; copies of the procedures used to assemble the build environment; list of software and hardware used to establish the build environment; and the voting system associated with the build environment.

The test lab SHALL obtain the software and hardware required to establish the build environment.

The test lab SHALL obtain COTS software and hardware required to assemble the build environment from the open market.

The test lab SHALL remove any previously stored information on erasable storage media in preparation for using the media to assemble the build environment.

The test lab SHALL use the procedures found in the TDP to assemble the build environment.

The test lab SHALL document as part of the build environment establishment record the reason for any deviation from assembly procedures found in the TDP.

When digital signatures are associated with software, the test lab SHALL verify digital signatures before using the software for the build environment.

The test lab SHALL record as part of the build environment establishment record the results of digital signature verification including who generated the signature.

The test lab SHALL copy the binary image of the assembled build environment to unalterable storage media.

The test lab SHALL create a digital signature for the binary image of the build environment, and include the digital signature on the unalterable storage media with the binary image.

The test lab SHALL build the executable code including application logic, border logic, and third party logic of the voting system using the established build environment.

At least one representative from the manufacturer SHALL witness the build of executable code including application logic, border logic, and third party logic of the voting system.

A representative from the test lab SHALL create an executable code build record that includes at a minimum: a unique identifier (such as a serial number) for the record; a list of unique identifiers of unalterable storage media associated with the record; the time, date, and location of the build; names, affiliations, and signatures of all people present; filenames of the source code and resulting executable code; voting system software version; name and version of the voting system (including certification number, if possible); and copies of the procedures used to build the voting system software executable code.

The test lab SHALL validate manufacturer digital signatures on voting system software source code before placing source code on the build environment.

The results of digital signature validation including who generated the signature SHALL be part of the executable code build record for voting system software.

The test lab SHALL use the procedures found in the TDP to build the voting system software executable code including application logic, border logic, and third party logic.

The test lab SHALL document as part of the executable code build record the reason for any deviation from build procedures found in the TDP.

After voting system software executable code including application logic, border logic, and third party logic has been built, the test lab SHALL copy the binary image of the build environment (including source and executable code) to unalterable storage media.

After voting system software executable code including application logic, border logic, and third party logic has been built, the test lab SHALL create a digital signature for the binary image of the build environment (including source and executable code), and include the digital signature on the unalterable storage media with the binary image.

At least one representative from the manufacturer SHALL witness the establishment of the post build environment associated with the previously built voting system software, and the build of the updated voting system software executable code including application logic, border logic, and third party logic.

The test lab SHALL establish the build environment using the original post build environment binary image associated with the previously built voting system software.

The test lab SHALL remove previously stored information on erasable storage media in preparation for using the media to establish the build environment.

The test lab SHALL verify the digital signature of the original post build binary image associated with the previously built voting system software before using the binary image to establish the build environment.

The result of digital signature verification including who generated the signature SHALL be part of the original post build environment establishment record.

A representative from the test lab SHALL create an original post build environment establishment record that includes at a minimum: a unique identifier (such as a serial number) for the record; a list of unique identifiers of unalterable storage media associated with the record; the time, date, and location the original post build environment was established; names, affiliations, and signatures of all people present; copies of the procedures used to assemble the original post build environment; list of software and hardware used to establish the original post build environment; and the voting system associated with the original post build environment.

The test lab SHALL build the executable code including application logic, border logic, and third party logic of the updated voting system software.

The test lab SHALL validate manufacturer digital signatures on updated voting system software source code before placing the updated source code on the build environment.

The result of digital signature verification including who generated the signature SHALL be part of the updated voting system software build record.

The test lab SHALL use the procedures found in the TDP to build the updated voting system software executable code including application logic, border logic, and third party logic.

A representative from the test lab SHALL create an executable code build record that includes at a minimum: a unique identifier (such as a serial number) for the record; a list of unique identifiers of unalterable storage media associated with the record; the time, date, and location of the build; names, affiliations, and signatures of all people present; filenames of the source code and resulting executable code; voting system software version; name and version of the voting system (including certification number, if possible); and copies of the procedures used to build the updated voting system software executable code.

After updated voting system software executable code including application logic, border logic, and third party logic has been built, the test lab SHALL copy the binary image of the updated build environment (including source and executable code) to unalterable storage media.

After updated voting system software executable code including application logic, border logic, and third party logic has been built, the test lab SHALL create a digital signature for the binary image of the updated build environment (including source and executable code), and include the digital signature on the unalterable storage media with the binary image.

The manufacturer SHALL document the procedures used to assemble and configure unmodified COTS components into the system supplied in Requirement Part 3: 2.4.2.2-A.

Test labs SHALL obtain COTS components identified in Requirement Part 2: 4.4.1-A subitem 5 from open market suppliers of COTS components.

At least one representative from the test lab and manufacturer SHALL witness the assembly and configuration of the COTS components into the voting system.

The test lab SHALL assemble and configure the COTS components into the voting system.

The test lab SHALL document and maintain a record of the COTS assembly and configuration that includes, at a minimum: a unique identifier for each record; the time and date and location of the voting system build; names, affiliations, and signatures of all people present; copies of the procedures used to assemble and configure the COTS components; and identification of the voting system.

The test lab SHALL document deviations from the manufacturer documentation submitted for assembly and configuration of the COTS components.

The accredited test lab SHALL prepare a test plan to define all tests and procedures required to assess conformity to the VVSG, including:

1. Verifying or checking equipment operational status by means of manufacturer operating procedures;
2. Establishing the test environment or the special environment required to perform each test;
3. Initiating and completing operating modes or conditions necessary to evaluate the specific performance characteristics under test;
4. Measuring and recording the value or range of values for the characteristics to be tested, demonstrating expected performance levels;
5. Verifying, as above, that the equipment is still in normal condition and status after all required measurements have been obtained;
6. Confirming that documentation submitted by the manufacturer corresponds to the actual configuration and operation of the system; and
7. Confirming that documented manufacturer practices for quality assurance and configuration management comply with the VVSG.

Preparations for testing, arrangement of equipment, verification of equipment status, and the execution of procedures SHALL be witnessed by at least one independent, qualified observer, who SHALL attest that all test and data acquisition requirements have been satisfied.

When a test is to be performed at "standard" or "ambient" conditions, this SHALL refer to a nominal laboratory or office environment with a temperature in the range of 20.0 °C to 23.9 °C (68 °F to 75 °F) and prevailing atmospheric pressure and relative humidity.

When a test is to be performed at conditions other than "standard" or "ambient," the test SHALL be performed at the required temperature and electrical supply voltage, regulated within the following tolerances:

1. Temperature ± 2.2 °C (± 4 °F)
2. AC electrical supply voltage ± 2 V

Except as provided in Requirement Part 3: 2.5.3-B, the test lab SHALL NOT use simulation devices or software that bypass portions of the voting system that would be exercised in an actual election.

The test lab may bypass the user interface of an interactive device in the case of environmental tests that:

1. Would require subjecting test "voters" to unsafe or unhealthy conditions; or
2. Would be invalidated by the presence of a test "voter."

The test lab may bypass the user interface of an interactive device in the case of environmental tests that:

A test log of the procedure SHALL be maintained. This log SHALL identify the system and equipment by model and serial number.

Test environment conditions SHALL be recorded.

All operating steps, the identity and quantity of simulated ballots, annotations of output reports, the elapsed time for each procedure step, observations of equipment performance, and, in the case of non-operating hardware tests, the condition of the equipment SHALL be recorded.

The accredited test lab SHALL conduct the examinations and tests defined in the test plan to determine compliance with the voting system requirements described in Part 1 and Part 2.

If any failure, malfunction or data error is detected, its occurrence and the duration of operating time preceding it SHALL be recorded for inclusion in the analysis of data obtained from the test.

If a logic defect is responsible for the incorrect recording, tabulation, or reporting of a vote, the test campaign SHALL be terminated and the system SHALL be rejected.

If a logic defect is found that is not responsible for the incorrect recording, tabulation, or reporting of a vote, the test campaign SHALL be suspended and the system returned to the manufacturer for correction and quality assurance.

If the anomaly is other than a logic defect, and if corrective action is taken to restore the equipment to a fully operational condition within eight hours, then the test campaign may be resumed at the point of suspension.

If the test campaign is suspended for an extended period of time, the accredited test lab SHALL maintain a record of the procedures that have been satisfactorily completed. When testing is resumed at a later date, repetition of the successfully completed procedures may be waived provided that no design or manufacturing change has been made that would invalidate the earlier test results.

The test campaign may resume after a deficiency is found if:

1. The manufacturer submits a design, manufacturing, or packaging change notice to correct the deficiency, together with test data to verify the adequacy of the change;
2. The examiner of the equipment agrees that the proposed change is responsive to the full scope of the deficiency;
3. Any previously failed tests are passed by the revised system; and
4. The manufacturer attests that the change will be incorporated into all existing and future production units.

The test lab SHALL include voting system software executable code including application logic, border logic, and third party logic resulting from either an initial or final test lab build as part of the specific voting system recommended for certification.

When no updates or modifications to the voting system software executable code including application logic, border logic, and third party logic has occurred since the initial test lab build, the test lab SHALL submit the executable code from the initial test lab build as part of the specific voting system recommended for certification.

When updates or modifications to the voting system software executable code including application logic, border logic, and third party logic has occurred since the initial test lab build, the test lab SHALL submit the executable code from a final test lab build as part of the specific voting system recommended for certification.

When required by Requirement Part 3: 2.6.1.1-A.2, the test lab SHALL use the requirements found in Part 3: 2.4.3 “Initial system build by test lab” to create a final test lab build of voting system software executable code including application logic, border logic, and third party logic

Test labs, manufacturers, and repositories SHALL establish software distribution package master copies from which copies are created and distributed.

A master copy creation record SHALL be created that includes at a minimum: the unique identifier of the record; the unique identifier of the master copy; the type of unalterable storage media containing the master copy; time, date, and location the master copy was created; name(s), affiliation(s), and signature(s) of the people present during the creation of the master copy; name and version of the software distribution package; the name, version and certification number (if certified) of the voting system; identifiers of the software components (such as filename(s)) in the software distribution package; location of software components in the software distribution package; and the digital signature algorithm used to sign the contents of the software distribution package.

A software distribution package master copy SHALL be stored on unalterable storage media.

A copy creation record SHALL be created that includes at a minimum: the unique identifier of the master copy; the distribute mechanism for the copy; time, date, and location the copy was created; name(s), affiliation(s) and signature(s) of the people present during the creation of the copy; and the contact information (title, organization, address, phone number, email address, etc.) for the organizations or people to whom copies were distributed.

The master copy and copy creation records SHALL be made on unalterable storage media.

Test labs manufacturers and repositories, including the National Software Reference Library (NSRL), SHALL retain the master copy of software distribution packages and associated records until notified by the national certification authority that they can be archived.

Software distribution packages SHALL contain a separate human readable file that provides at a minimum: the name and version of the software distribution package; the unique identifier of the master copy; the name, version, certification number (if certified) of the voting system; and the algorithm used to create digital signatures for the contents of the software distribution package. (See Requirement Part 3: 2.6.2.1-F).

Software distribution packages SHALL contain a separate human readable file that provides at a minimum the following information for each component within the software distribution package: software component identifier (such as filename), software manufacturer name, software product name, software version, and component location within the software distribution package (such as the full directory path to the file or archive containing the file or memory addresses).

When software distribution packages use archive files to hold multiple software components, the archive files SHALL be generated using algorithms and file formats in common usage.

The full directory path and filename of archive files SHALL be used as the full directory path for the files within the archive.

Software distribution packages SHALL contain digital signatures for each software component contained within the software distribution package.

Software distribution packages SHALL contain, at a minimum, digital signatures generated by the test lab, manufacturer, or repository that created the software distribution package.

Digital signatures SHALL be stored in a non-proprietary standard data format as part of the software distribution package.

Each piece of physical media used for software distribution packages SHALL be labeled on an external surface of the media including at a minimum: the test lab, manufacturer, or repository that created the media; the creation date of the media; unique identifier of the media (such as a serial number); software distribution package name and version; whether the software has been certified or not; and the name, version, and certification number (if certified) of the voting system.

Each piece of physical media used for software distribution packages SHALL contain a digital signature generated by the creating test lab, manufacturer, or repository covering the entire contents of the media.

The repository SHALL publicly document the process used to request copies of the software distribution packages (including associated documentation) from the repository.

The repository SHALL verify the digital signatures associated with software are valid before creating a software distribution package master copy containing the software.

Results of digital signature verifications including the source of the signature SHALL be part of the creation record of software distribution package master copies created by the repository.

Distribution, escrow, and notary repositories SHALL create software distribution package master copies containing software received from test labs, the national certification authority, and jurisdictions.

Notary repositories SHALL create software distribution package master copies containing software reference integrity generated by the repository for software received from test labs, the national certification authority, and jurisdictions.

A distribution or escrow repository SHALL provide copies of the software distribution packages they create to parties that follow the repositories request process (see Requirement Part 3: 2.6.2.2-A).

A notary repository SHALL provide copies of software distribution packages containing software integrity information generated by the repository to parties that follow the repository’s request process (see Requirement Part 3: 2.6.2.2-A).

The test lab SHALL create a software distribution package master copy containing the source and executable code from the test lab build of the voting system software.

The test lab SHALL create a software distribution package master copy containing configuration files, installation programs, and third party software to be installed on programmed devices of the voting system.

The test lab SHALL provide copies of the software distribution packages containing the source and executable code from the test lab build, build environment pre- and post-build binary images, and other software to be installed on programmed devices of the voting system (configuration files, installation programs, and third party software) to the manufacturer, National Software Reference Library (NSRL), and a designated national repository.

The test lab SHALL provide copies of the software distribution packages containing a complete set or subset of the source and executable code from the test lab build, build environment pre- and post-build binary images, and other software to be installed on programmed devices of the voting system (configuration files, installation programs, and third party software) to parties approved by the manufacturer.

The manufacturer SHALL use software distribution packages for voting system software the manufacturer distributes.

The manufacturer SHALL create a software distribution package master copy containing source code of voting system software including application logic, border logic, and third party logic.

The manufacturer SHALL create a software distribution package master copy containing configuration files, installation programs, and third party software to be installed on programmed devices of the voting system.

As part of the TDP, the manufacturer SHALL provide a copy of the software distribution packages from the Requirements Part 3: 2.6.2.4-A.

The accredited test lab SHALL prepare a test report conforming to the requirements of Part 2: Chapter 5: “Test Plan (test lab)”.

Where a system is tested by multiple accredited test labs, the lead accredited test lab SHALL prepare a consolidated test report.