Fla. Admin. Code Ann. R. 1S-2.015 - Minimum Security Procedures for Voting Systems

(1) PURPOSE. To establish minimum security standards for voting systems pursuant to Section 101.015(4), F.S.

(2) DEFINITIONS. The following words and phrases shall be construed as follows when used in this rule:

(a) "Accumulation" means the act of combining tabulated votes from different sources for the same candidate or ballot measure. For example, accumulation of counted votes for a specific candidate occurs when the early voting and vote-by-mail ballot groups are combined with Election Day votes for the candidate. Another example is when the combined precinct results for a specific candidate on Election Day are totaled.

(b) "Ballot" when used in reference to:

1. "Marksense ballot" means that printed sheet of paper, used in conjunction with an electronic or electromechanical vote tabulation voting system, containing the names of candidates, or a statement of proposed constitutional amendments or other questions or propositions submitted to the electorate at any election, on which sheet of paper an elector casts his or her vote.

2. "Electronic or electromechanical device" means a ballot that is voted by the process of electronically designating, including by touchscreen, or marking with a marking device for tabulation by automatic tabulating equipment or data processing equipment.

(c) "Ballot type" means an early voting, Election Day, or vote-by-mail ballot. Provisional ballots cast in the election may be grouped with early voting, Election Day, or vote-by-mail ballots, as applicable. Overseas vote-by-mail ballots are to be grouped with other vote-by-mail ballots.

(d) "Election Board" has the meaning ascribed in Section 97.021(12), F.S.

(e) "Election definition" means the voting system tabulator's code programmed for a unique election.

(f) "Election management system" means those components of a voting system that defines, develops, and maintains election databases, performs election definitions and setup functions, formats ballots, acquires the tabulation results, consolidates the aggregate election results, produces report results, and maintains its audit trails.

(g) "Election materials" mean those materials provided to poll workers to properly conduct the election to include, but not be limited to, as applicable, legally required affidavits and forms, provisional ballots, voter authority slips, precinct registers, and any electronic devices necessary to activate ballot styles in the voting system.

(h) "Hybrid voting system" means an electronic or electromechanical device by which a voter with disabilities interacts with an electronic visual display to produce a paper output that contains the contest titles and the voter's selections, and may also contain, but not be limited to, a barcode or other machine-readable optical label containing the voter's selections. A hybrid voting system may be designed to read the vote targets or selections or the machine-readable optical label on the paper output.

(i) "Tabulation" means the act of a tabulator (e.g., optical scanner) counting the voter selections for candidates or ballot measures. The tabulator scans the voter selections on a ballot or paper output from a hybrid voting system and determines the vote count for the candidate or ballot measure.

(j) "Voted Ballot" means a ballot as defined above, which has been cast by an elector.

(k) "Voting device" means any apparatus by which votes are registered electronically.

(l) "Voting system" means a method of casting and processing votes that functions wholly or partly by use of electromechanical or electronic apparatus or by use of marksense ballots or paper outputs from a hybrid voting system and includes, but is not limited to, the procedures for casting and processing votes and the programs, operating manuals, supplies, printouts, and other software necessary for the system's operation.

(3) FILING OF SECURITY PROCEDURES.

(a) Within 45 days of the effective date of this rule, each supervisor of elections shall certify the date of the most current version of the county's minimum security procedures on file with the Division of Elections or submit the most current version accompanied by a cover letter and the date the procedures were last revised.

(b) For any subsequent revision to the security procedures, the supervisor of elections must submit the revision no later than 45 days prior to the early voting period in the election in which the revision will first take effect. The supervisor shall include a statement describing which part of the procedures previously filed have been revised.

(c) In the event of an emergency situation or other unforeseen circumstance in which a supervisor of elections has to make a change to the security procedures within the 45-day period before the early voting period for an upcoming election, the supervisor of elections shall submit the change to the Division of Elections no later than 5 days after the change is made. The supervisor shall document any changes to include the reasons why such changes were necessary.

(4) REVIEW OF SECURITY PROCEDURES.

The Division of Elections shall conduct a review of any submitted or revised security procedures to determine if they meet the minimum requirements set forth in subsection (5) this rule.

(a)

1. Except as provided in paragraph (b), the Division of Elections shall complete its review of the security procedures or revisions thereto within 30 days of receipt and notify the supervisor of elections as to the results of the review within 5 days thereafter as to whether the procedures or revisions comply with subsection (5).

2. If the Division finds that the procedures are incomplete and do not otherwise comply with subsection (5), the Division shall notify the supervisor in writing and include in the notice to the supervisor the specific provisions that were found to be incomplete or otherwise did not comply with subsection (5). No later than 30 days from the date of notice, the supervisor shall provide the required information and documentation to bring the procedures into compliance. Within 10 days from receiving the required information from the supervisor or from the end of the 30-day period, whichever occurs first, the Division shall issue a notice of compliance or continued noncompliance, whichever is applicable.

3. If the Division is unable to complete its review within the 30-day time frame, the Division shall temporarily approve the procedures or revisions until such time as the review is completed. The Division shall notify the supervisor of elections of the temporary approval.

(b)

1. Within the first quarter of an odd-numbered year during which the Division of Elections conducts biennial review of supervisors of elections' county security procedures pursuant to Section 101.015(4)(b), F.S., the Division shall notify each supervisor of elections that the Division will begin its review based on the version certified last by the supervisor, or the last revision on file, whichever occurred last.

2. No later than 15 days of such notice, the supervisor shall recertify the version on file as the most current version to be reviewed or submit and certify any update or replacement as the latest revision or replacement, respectively to the procedures on file.

3. The Division shall complete its review no later than 90 days of beginning the review of a supervisor's county security procedures. Within 5 days of completing its review the Division shall notify the supervisor as to whether its county security procedures comply with subsection (5).

4. If the Division finds that the procedures are incomplete and do not otherwise comply with subsection (5), the Division shall also list in the notice to the supervisor the specific provisions that were found to be incomplete or otherwise did not comply with subsection (5). No later than 30 days from the date of notice, the supervisor shall provide the required information and documentation to bring the procedures into compliance. If the supervisor is unable to do so within the 30 days, the supervisor shall provide within that same timeframe, a status report and a plan including timeline for completing or bringing the procedures into compliance. No later than 10 days from the receipt of the supervisor's response, the Division shall issue a notice of compliance or continued noncompliance, whichever is applicable.

(c) Upon approval of the security procedures by the Division, the supervisor shall submit to the Division a copy of the approved version of the procedures that has all confidential and exempt information redacted from the procedures, along with the statutory citations for each redaction contained in the document. The supervisor shall submit the redacted copy within 15 days of notification by the Division of the approval.

(5) STANDARDS FOR SECURITY PROCEDURES.

(a) Staffing and facilities' security. The security procedures shall have a description of the supervisor of elections' organization and physical facilities' security. The security procedures shall address chain of custody procedures and security measures to protect at all times the integrity of the voting systems, election materials, and ballots.

(b) Election schedule template. The security procedures shall include one or more schedule templates for each type of election. A schedule template need not be prepared for a municipal election. The supervisor shall provide the template to the Division of Elections at least 90 days prior to each regularly scheduled election and within 20 days of the date a special election is scheduled. The supervisor is not required to provide a previously submitted schedule template before an election unless changes have been made since the prior submission; however, any changes to a schedule template must be submitted in a revised security procedure within the time period specified in paragraph (3)(b). The election schedule template shall contain the following:

1. A list of all tasks necessary to conduct the election; and,

2. The legal deadline, where applicable, or tentative date each task is to be completed.

(c) Ballot preparation. The security procedures shall describe the steps necessary to ensure that the ballot contains the proper races, candidates and issues for each ballot variation and that the ballots can be successfully tabulated. The ballot preparation procedures shall, at a minimum, contain the following:

1. Assignment of unique marks or other coding necessary for identifying ballot variations or precincts;

2. Verification that unique marks or other coding necessary for tabulation are correct; and,

3. Description of method to verify that all ballots and ballot variations are accurately prepared and printed.

(d) Filing of election information. The supervisor of elections shall file with the Division of Elections a copy of the information used within the election management system to define the tabulation and reporting instructions for each election regardless of filings for prior elections. The filing shall, at a minimum, include the following:

1. A copy of the election database used to define the election; and,

2. If the election definition is created by an individual who is not an employee of the supervisor of elections, the information shall include a statement by the person who created the election database and definition. The person coding the election shall sign the election coding statement using Form DS-DE 132.

(e) Preparation and configuration of tabulation system.

1. The procedures relating to the preparation and configuration of the tabulation system shall, at a minimum, include the following:

a. Description of tests for all electronic or electromechanical voting systems after conclusion of maintenance and programming, including Americans with Disabilities Act (ADA) voting devices, early voting devices, precinct voting devices, and vote-by-mail voting devices, and the procedures for verification of correctness; and,

b. Description of securing the tabulation systems.

2. The security procedures shall describe the test materials utilized and the voting system tests performed prior to the conduct of the public logic and accuracy tests.

(f) Public logic and accuracy test. The security procedures for use with electronic and electromechanical voting systems shall, at a minimum, describe the following aspects of logic and accuracy testing of all automatic tabulating equipment publicly tested as required by Section 101.5612, F.S.:

1. Each component of the test performed including the test materials utilized for early voting devices, precinct voting devices, and vote-by-mail voting devices.

2. Ballot test decks and their preaudited results.

3. The procedures for sealing, securing, and retaining the programs, ballots, test results, other test materials, and records of proceedings.

(g) Pre-election steps for voting systems. The security procedures for use with voting devices shall include a description of the process to seal and secure the voting devices on Election Day and daily during the early voting period. This description shall include:

1. The process for identifying electronic media type such as memory packs, compact flash cards, PC Cards or PCMCIA cards, and any instrument used to activate a voting machine. This activity shall include:

a. The process to create and maintain an inventory of all electronic media.

b. The chain of custody process and procedure for identifying, documenting, handling, and tracking electronic media from the point of collection or transfer from their storage location, through election coding, through the election process, to their final post-election disposition and return to storage. This electronic media must be given the same level of attention that one would give to official ballots.

2. The establishment and maintenance of a secured location for storing the electronic media when not in use, for coding an election, for creating the election media, for transferring and installing the election media into the voting device, and for storing these devices once the election parameters are loaded. This process shall ensure that:

a. No election media is left unattended or in an unsecured location once it has been coded for an election. Where applicable, coded election media must be immediately loaded into the relevant voting device, logged, and made secure or must be placed in a secured and controlled environment and inventoried.

b. Each election media is sealed in its relevant voting device or container utilizing one or more uniquely identified tamper-resistant or tamper-evident seals. A combined master tracking log of the voting device, the election media, and the seal(s) must be created and maintained. For election media that are device independent (for example, voter card encoders) these devices must be stored in a secured, sealed container and must also be identified on the master tracking log.

c. A procedure is created and maintained for tracking the custody of these voting devices once these devices are loaded with an election definition. The chain of custody must specifically provide for the identifying, documenting, handling, and tracking of such devices from the point of loading to final post-election disposition. These voting devices must be given the same level of attention that one would give to official ballots.

3. A recovery plan that is to be followed should there be any indication of a security breach in the accountability and chain of custody procedures. Any indication of a security breach must be confirmed by more than one individual.

4. A training plan for relevant election officials, staff, and temporary workers that addresses these security procedures and the relevant work instructions.

(h) Ballot distribution. Where marksense ballots or paper outputs from a hybrid voting system are used, including on Election Day and during the early voting period, the security procedures shall, at a minimum, include the following:

1. Description of how the number and variations of ballots required by each precinct is determined;

2. Description of the method for securing the ballots; and,

3. Description of the process for distributing the ballots to precincts, to include an accounting of who distributed and who received the ballots, the date, and how they were checked.

(i) Distribution of precinct equipment. The security procedures shall describe the steps necessary for distributing voting system equipment to the precincts.

(j) Election Board duties.

1. The security procedures when marksense ballots or paper outputs from a hybrid voting system, including provisional ballots are used shall, at a minimum, include the following Election Board duties on Election Day and during the early voting period:

a. Verification that the correct number of ballots were received, and that they are the proper ballots for that precinct;

b. Checking the operability or readiness of the voting devices;

c. Checking and sealing the ballot box;

d. Description of how unscanned and spoiled ballots are handled;

e. Description of how write-in and provisional ballots are handled; and,

f. Accounting for all ballots and paper outputs from a hybrid voting system after the polls close.

2. The security procedures for use with voting devices shall, at a minimum, include the following Election Board duties:

a. Verification of the identification numbers, seal numbers, and protective counter numbers, if available, of precinct tabulation and/or voting devices;

b. Checking the operability or readiness of the voting device;

c. Verification that all counters except protective counters are set at zero on each voting device;

d. Securing a printed record from each voting device, if applicable;

e. Checking the correctness of the ballot;

f. Preparing voting devices for voting;

g. Verification when other than electronic or other means are used to track a voter during the voting process that the correct number of voter authorization slips were received;

h. Checking and sealing the voter authorization slips container(s) if voter authorizations slips were used;

i. Handling write-in ballots;

j. Handling voting system malfunctions;

k. Securing voting machines at the close of the polls (including the close of each early voting day) to prevent further voting;

l. Accounting for all voter authorization slips received if voter authorization slips were used; and,

m. Recording and verifying the votes cast.

(k) Transport of ballots and/or election materials. The security procedures shall describe the steps necessary to ensure a complete written record of the chain of custody of ballots, paper outputs from a hybrid voting system, and election materials on Election Day and during the early voting period and shall include:

1. A description of the method and equipment used to transport all ballots, paper outputs from a hybrid voting system, and/or election materials.

2. A method of recording the names of the individuals who transport the ballots and/or election materials from one site to another and the time they left the sending site.

3. A method of recording the time the individuals who transport the ballots, paper outputs from a hybrid voting system, and/or election materials arrived at the receiving site and the name of the individual at the receiving site who accepted the ballots, paper outputs from a hybrid voting system, and/or election materials.

4. A description of the process to create and maintain a secured location for storing and transporting voting devices once the election definitions are loaded. This description shall include procedures that are to be used at locations outside the direct control of the supervisor of elections, such as overnight storage at a polling location or early voting site. This description shall include:

a. A process for creating and maintaining an inventory of these items for each storage location, for each election. These voting devices must be given the same level of attention that one would give to official ballots.

b. A chain of custody process that specifically provides for the identifying, documenting, handling, and tracking of such voting devices from the point of storage to transfer to final disposition or when the voting devices have been left unattended for any length of time. Particular attention must be given to the integrity of the tamper-resistant or tamper-evident seals. These voting devices must be given the same level of attention that one would give to official ballots.

5. A recovery plan that is to be followed should there be any indication of a security breach in the accountability and chain of custody procedures. The plan must address inadvertent damage to any seals or accountability/chain of custody documentation errors. These plans must be developed in a manner that enhances public confidence in the security and integrity of the election. Any indication of a security breach, documentation errors, or seal damage must be confirmed by more than one individual.

6. A training plan for relevant election officials, staff, and temporary workers that address these security procedures and the relevant work instructions.

(l) Receiving and preparing voted ballots. The security procedures shall describe the process of receiving and preparing paper outputs from a hybrid voting system and voted ballots, including provisional ballots, election data and memory devices to include, at a minimum, the following:

1. Verification that all of the ballot containers are properly secured and accounted for and that the seal numbers are correct;

2. Verification that the ballot container(s) for each precinct contain paper outputs from a hybrid voting system, unused ballots, and voted ballots including provisional ballots, unscanned ballots, spoiled ballots and write-in ballots as shown to exist on the forms completed by each election board for that purpose;

3. Inspection of the marksense ballots or paper outputs from a hybrid voting system to identify those that must be duplicated or upon which voter intent is unclear, thus requiring a determination by the Canvassing Board. A record shall be kept of which marksense ballots or paper outputs from a hybrid voting system are submitted to the Canvassing Board and the disposition of those marksense ballots or paper outputs; and,

4. Description of the process for duplicating and recording the voted marksense ballots or paper outputs from a hybrid voting system which are damaged or defective.

(m) Tabulation of vote.

1. The security procedures for use with polling locations and central sites shall describe each step of a ballot tabulation, including on Election Day and daily during the early voting period and shall include, at a minimum, the following:

a. Counting and reconciliation of voted marksense ballots or paper outputs from a hybrid voting system;

b. Processing, tabulation and accumulation of voted ballots and election data;

c. Processing and recording of all write-in and provisional ballots;

d. The process for handling unreadable ballots;

e. Backup and recovery of tabulated results and voting system programs for electronic or electromechanical voting systems; and,

f. The procedure for public viewing of the accumulation process and access to results.

2. Security procedures shall describe each step of ballot tabulation during the early voting period.

3. The security procedures for use in the precincts on Election Day shall include procedures that describe each step of ballot tabulation to include, at a minimum, the following:

a. Printing of precinct results and results from individual tabulating devices;

b. Processing and recording of write-in votes;

c. Endorsing the precinct results by the Election Board;

d. Posting a copy of precinct results;

e. Transport of precinct results to central or regional site;

f. Consolidation of precinct and provisional ballot results; and,

g. The process for public viewing of the accumulation process and access to results.

4. The procedures for resolving discrepancies between the counted ballots and voted ballots and any other discrepancies found during the accumulation process shall be described.

(n) Electronic access to voting systems. Security procedures shall identify all methods of electronic access to the vote tabulation system including on Election Day and daily during the early voting period. The procedures for authorizing electronic access and specific functions, and specifying methods for detecting, controlling and reporting access to the vote tabulation system shall be identified, and shall additionally include:

1. A document that defines the procedure that ensures that default or vendor supplied passwords, encryption keys, or other identifier have been changed. This activity must ensure that:

a. Access control keys/passwords are maintained in a secured and controlled environment. The individual(s) with access to these items must be delineated.

b. Changes to the encryption keys and passwords are at the discretion of the supervisor of elections. This discretionary authority should not be delegated. The individual(s) that implement a change to the encryption keys and/or passwords must have this "authorization to change" responsibility.

c. The degree of access is maintained within the election management system and/or equipment. This applies where a voting system can limit an individual's access to certain menus, software modules, or other component.

2. A procedure that governs access to any device, election media, or election management system with a requirement to use an encryption key.

3. A training plan for relevant election officials, staff, and temporary workers that address these security procedures and the relevant work instructions.

(o) Vote-by-mail ballot handling. The security procedures shall include procedures that describe vote-by-mail ballot handling to include, at a minimum, the following:

1. Description of process for determining and verifying vote-by-mail ballot variations;

2. Description for process to assure voters are issued the proper vote-by-mail ballot;

3. Description of process for receipt of vote-by-mail ballots by mail or other methods permitted by law and the security measures in place to ensure safekeeping and timely receipt by the supervisor of elections.

4. Process for precluding voters from voting at the polls and casting an vote-by-mail ballot;

5. Process for opening valid vote-by-mail ballots in preparation for tabulation;

6. Process for recording the receipt of all vote-by-mail ballots, to include regular vote-by-mail ballots, State write-in ballots and Federal write-in ballots and determining which ones should be counted if more than one per voter is received; and,

7. Security measures for transporting, collecting, and storing blank and voted vote-by-mail ballots and related materials prior to and after an election, including but not limited to physical security, chain of custody, secured access, and monitoring.

(p) Ballot security. The security procedures shall describe ballot accountability and security beginning with their receipt from a printer or manufacturer until such time as they are destroyed. The procedures for each location including on Election Day and during the early voting period shall describe physical security, identify who has authorized access and identify who has the authority to permit access.

(q) Voting system maintenance and storage.

1. The security procedures shall describe the maintenance and testing performed on all components of the system to assure that it is in proper working order and is within manufacturer's operating specifications including on Election Day and during the early voting period. Procedures shall also describe storage and nonoperational maintenance of all voting devices.

2. If the supervisor of elections has installed any type of antivirus software on the election management system's computing equipment, the security procedures shall provide a description of the software, the timeframe for updating the software, and the method to update the software.

(r) Post-election audit. The security procedures shall include, at a minimum, the following:

1. Description of the method for the random selection of the races and precincts for a manual audit or automated independent audit, or both.

2. Description of the method for the random selection in the event that municipal or other local elections are held on the same day and the Canvassing Board certifies the elections, if applicable.

3. Description of the method to determine the ballot count segregated by ballot type of the random selection.

4. Description of the method to ensure the public does not interfere or otherwise disturb the audit.

5. Description of the method for determining the security of ballots, paper outputs from a hybrid voting system, chain of custody controls, protocols for authorized access, and secure storage of ballots and paper outputs from a hybrid voting system, that may be used in an audit.

(6) FORM. Form DS-DE 132 (eff. 01/16), (https://www.flrules.org/Gateway/reference.asp?No=Ref-06149), entitled "Election Coding Statement, " is hereby incorporated by reference and available from the Division of Elections, R.A. Gray Building, Room 316, 500 South Bronough Street, Tallahassee, Florida 32399-0250, by contact at (850)245-6200, or by download from the Division's webpage at: http://election.myflorida.com/forms/index.shtml.

Notes

Fla. Admin. Code Ann. R. 1S-2.015

Rulemaking Authority 20.10(3), 97.012(1), 101.015 FS. Law Implemented 101.015(4) FS.

New 5-27-85, Formerly 1C-7.15, 1C-7.015, Amended 8-28-93, 11-24-04, Amended by Florida Register Volume 42, Number 002, January 5, 2016 effective 4/1/2016.

New 5-27-85, Formerly 1C-7.15, 1C-7.015, Amended 8-28-93, 11-24-04, 4-1-16.