Chapter 3: Technical Data Package (manufacturer)

The manufacturer SHALL submit to the test lab documentation necessary for the identification of the full system configuration submitted for evaluation and for the development of an appropriate test plan by the test lab.

The manufacturer SHALL provide a list of all documents submitted controlling the design, construction, operation, and maintenance of the system.

At minimum, the TDP SHALL contain the following documentation:

1. Implementation statement;
2. The voting equipment user documentation (Part 2: Chapter 4: “Voting Equipment User Documentation (manufacturer)”);
   
3. System hardware specification;
   
4. Application logic design and specification;
   
5. System security specifications;
   
6. System test specification;
   
7. Configuration management plan;
   
8. Quality assurance program;
   
9. System change notes; and
   
10. Configuration for testing.

For systems seeking reassessment, manufacturers SHALL submit system change notes as described in Part 2: 3.7 “System Change Notes”, as well as current versions of all documents that have been updated to reflect system changes.

The TDP SHALL include a detailed table of contents for the required documents, an abstract of each document, and a listing of each of the informational sections and appendices presented.

A cross-index SHALL be provided indicating the portions of the documents that are responsive to documentation requirements enumerated in Requirement Part 2: 3.1.1.1-C.

The manufacturer SHALL identify all documents, or portions of documents, containing proprietary information that is not releasable to the public.

The manufacturer SHOULD consolidate proprietary information to facilitate its removal from the Public Information Package.

The TDP SHALL include an implementation statement as defined in Part 1: 2.4 “Implementation Statement”.

The manufacturer SHALL expand on the system overview included in the user documentation by providing detailed specifications of the hardware components of the system, including specifications of hardware used to support the telecommunications capabilities of the system, if applicable.

The manufacturer SHALL provide a detailed discussion of the characteristics of the system, indicating how the hardware meets individual requirements defined in Part 1, including:

1. Performance characteristics:  Basic system performance attributes and operational scenarios that describe the manner in which system functions are invoked, describe environmental capabilities, describe life expectancy, and describe any other essential aspects of system performance;
2. Physical characteristics:  Suitability for intended use, requirements for transportation and storage, health and safety criteria, security criteria, and vulnerability to adverse environmental factors;
   
3. Reliability:  System and component reliability stated in terms of the system's operating functions, and identification of items that require special handling or operation to sustain system reliability;
   
4. Maintainability:  Ease with which maintenance actions can be performed based on the design characteristics of equipment and software and the processes the manufacturer and election officials have in place for preventing failures and for reacting to failures.  Maintainability includes the ability of equipment and software to self-diagnose problems and make non-technical election workers aware of a problem.  Maintainability also addresses a range of scheduled and unscheduled events; and
   
5. Environmental conditions:  Ability of the system to withstand natural environments, and operational constraints in normal and test environments, including all requirements and restrictions regarding electrical service, telecommunications services, environmental protection, and any additional facilities or resources required to install and operate the system.

The manufacturer SHALL provide sufficient data, or references to data, to identify unequivocally the details of the system configuration submitted for testing.

The manufacturer SHALL provide photographs of the exterior and interior of devices included in the system to identify the hardware of the system configuration submitted for testing.

The manufacturer SHALL provide a list of materials and components used in the system and a description of their assembly into major system components and the system as a whole.

Text and diagrams SHALL be provided that describe:

1. Materials, processes, and parts used in the system, their assembly, and the configuration control measures to ensure compliance with the system specification;
2. Electromagnetic environment generated by the system;
   
3. Operator and voter safety considerations, and any constraints on system operations or the use environment; and
   
4. Human factors considerations, including provisions for access by disabled voters.

For each non-COTS hardware component (e.g., an Application-Specific Integrated Circuit or a manufacturer-specific integration of smaller components), the manufacturer SHALL provide complete design and logic specifications, such as Computer Aided Design and Hardware Description Language files.

For each Programmable Logic Device (PLD), Field-Programmable Gate Array (FPGA), or Peripheral Interface Controller (PIC) that is programmed with non-COTS logic, the manufacturer SHALL provide complete logic specifications, such as Hardware Description Language files or source code.

The manufacturer SHALL expand on the system overview included in the user documentation by providing detailed specifications of the application logic components of the system, including those used to support the telecommunications capabilities of the system, if applicable.

The manufacturer SHALL describe the function or functions that are performed by the application logic comprising the system, including that used to support the telecommunications capabilities of the system, if applicable.

The manufacturer SHALL list all documents controlling the development of application logic and its specifications.

The manufacturer SHALL provide an overview of the application logic.

The overview SHALL include a description of the architecture, the design objectives, and the logic structure and algorithms used to accomplish those objectives.

The overview SHALL include the general design, operational considerations, and constraints influencing the design.

The overview SHALL include the following additional information for each separate software package:

1. Package identification;
2. General description;
   
3. Requirements satisfied by the package;
   
4. Identification of interfaces with other packages that provide data to, or receive data from, the package; and
   
5. Concept of execution for the package.

The manufacturer SHALL provide information on application logic standards and conventions developed internally by the manufacturer as well as published industry standards that have been applied by the manufacturer.

The manufacturer SHALL provide information that addresses the following standards and conventions related to application logic:

1. Development methodology;
2. Design standards, including internal manufacturer procedures;
   
3. Specification standards, including internal manufacturer procedures;
   
4. Coding conventions, including internal manufacturer procedures;
   
5. Testing and verification standards, including internal manufacturer procedures, that can assist in determining the correctness of the logic; and
   
6. Quality assurance standards or other documents that can be used to examine and test the application logic.  These documents include standards for logic diagrams, program documentation, test planning, and test data acquisition and reporting.

The manufacturer SHALL furnish evidence that the selected coding conventions are "published" and "credible" as specified in Requirement Part 1: 6.4.1.3-A.

The manufacturer SHALL describe or make reference to all operating environment factors that influence the design of application logic.

The manufacturer SHALL identify and describe the hardware characteristics that influence the design of the application logic, such as:

1. Logic and arithmetic capability of the processor;
2. Memory read-write characteristics;
   
3. External memory device characteristics;
   
4. Peripheral device interface hardware;
   
5. Data input/output device protocols; and
   
6. Operator controls, indicators, and displays.

The manufacturer SHALL identify the operating system and the specific version thereof, or else clarify how the application logic operates without an operating system.

For systems containing compiled or assembled application logic, the manufacturer SHALL identify the COTS compilers or assemblers used in the generation of executable code, and the specific versions thereof.

For systems containing interpreted application logic, the manufacturer SHALL specify the COTS runtime interpreter that SHALL be used to run this code, and the specific version thereof.

The manufacturer SHALL provide a description of the operating modes of the system and of application logic capabilities to perform specific functions.

The manufacturer SHALL describe all application logic functions and operating modes of the system, such as ballot preparation, election programming, preparation for opening the polls, recording votes and/or counting ballots, closing the polls, and generating reports.

For each application logic function or operating mode, the manufacturer SHALL provide:

1. A definition of the inputs to the function or mode (with characteristics, limits, tolerances or acceptable ranges, as applicable);
2. An explanation of how the inputs are processed; and
   
3. A definition of the outputs produced (again, with characteristics, limits, tolerances, or acceptable ranges, as applicable).

The manufacturer SHALL describe the application logic's capabilities or methods for detecting or handling:

1. Exception conditions;
2. System failures;
   
3. Data input/output errors;
   
4. Error logging for audit record generation;
   
5. Production of statistical ballot data;
   
6. Data quality assessment; and
   
7. Security monitoring and control.

The manufacturer SHALL provide in this section an overview of the application logic's design, its structure, and implementation algorithms and detailed specifications for individual modules.

The programming specifications overview SHALL document the architecture of the application logic.

This overview SHALL include such items as UML diagrams, data flow diagrams, and/or other graphical techniques that facilitate understanding of the programming specifications.

This section SHALL be prepared to facilitate understanding of the internal functioning of the individual modules.

Implementation of the functions SHALL be described in terms of the architecture, algorithms, and data structures.

The programming specifications SHALL describe individual application logic modules and their component units, if applicable.

For each application logic module and callable unit, the manufacturer SHALL document:

1. Significant module and unit design decisions, if any, such as algorithms used;
2. Any constraints, limitations, or unusual features in the design of the module or callable unit; and
   
3. A description of its inputs, outputs, and other data elements as applicable with respect to communication over system interfaces (see Part 2: 3.4.9 “Interfaces”).

If an application logic module is written in a programming language other than that generally used within the system, the specification for the module SHALL indicate the programming language used and the reason for the difference.

If a module contains embedded border logic commands for an external library or package (e.g., menu selections in a database management system for defining forms and reports, on-line queries for database access and manipulation, input to a graphical user interface builder for automated code generation, commands to the operating system, or shell scripts), the specification for the module SHALL contain a reference to user manuals or other documents that explain them.

For each callable unit (function, method, operation, subroutine, procedure, etc.) in application logic, border logic, and third-party logic, the manufacturer SHALL supply the source code.

For each callable unit (function, method, operation, subroutine, procedure, etc.) in core logic, the manufacturer SHALL specify:

1. Preconditions and postconditions of the callable unit, formally stated using the terms defined in Part 1: 8.3.1 “Domain of discourse” and possibly other terms defined by the manufacturer, including any assumptions about capacities and limits within which the system is expected to operate; and
2. A sound argument (possibly, but not necessarily, a formal proof) that the preconditions and postconditions of the callable unit accurately represent its behavior, assuming that the preconditions and postconditions of any invoked units are similarly accurate.

The manufacturer SHALL specify a sound argument (possibly, but not necessarily, a formal proof) that the core logic as a whole satisfies each of the constraints indicated in Part 1: 8.3 “Logic Model (normative)” for all cases within the aforementioned capacities and limits, assuming that the preconditions and postconditions of callable units accurately characterize their behaviors.

The manufacturer SHALL specify a sound argument (possibly, but not necessarily, a formal proof) that application logic is free of race conditions, deadlocks, livelocks, and resource starvation.

The manufacturer SHALL justify any callable unit lengths that violate Requirement Part 1: 6.4.1.4-B.1.

The manufacturer SHALL identify and provide a diagram and narrative description of the system's databases and any external files used for data input or output.

For each database or external file, the manufacturer SHALL specify the number of levels of design and the names of those levels (e.g., conceptual, internal, logical, and physical).

For each database or external file, the manufacturer SHALL specify any design conventions and standards (which may be incorporated by reference) needed to understand the design.

For each database or external file, the manufacturer SHALL identify and describe all logical entities and relationships and how these are implemented physically (e.g., tables, files).

The manufacturer SHALL document the details of table, record or file contents (as applicable), individual data elements and their specifications, including:

1. Names/identifiers;
2. Data type (alphanumeric, integer, etc.);
   
3. Size and format (such as length and punctuation of a character string);
   
4. Units of measurement (meters, seconds, etc.);
   
5. Range or enumeration of possible values (0–99, etc.);
   
6. Accuracy (how correct) and precision (number of significant digits);
   
7. Priority, timing, frequency, volume, sequencing, and other constraints, such as whether the data element may be updated and whether business rules apply;
   
8. Security and privacy constraints; and
   
9. Sources (setting/sending entities) and recipients (using/receiving entities).

For external files, manufacturers SHALL document the procedures for file maintenance, management of access privileges, and security.

Using a combination of text and diagrams, the manufacturer SHALL identify and provide a complete description of all major internal and external interfaces.

For each interface identified in the system overview, the manufacturer SHALL:

1. Provide a unique identifier assigned to the interface;
2. Identify the interfacing entities (systems, configuration items, users, etc.) by name, number, version, and documentation references, as applicable; and
   
3. Identify which entities have fixed interface characteristics (and therefore impose interface requirements on interfacing entities) and which are being developed or modified (thus having interface requirements imposed on them).

For each interface identified in the system overview, the manufacturer SHALL describe the type of interface (e.g., real-time data transfer or data storage-and-retrieval) to be implemented.

For each interface identified in the system overview, the manufacturer SHALL describe characteristics of individual data elements that the interfacing entity(ies) will provide, store, send, access, receive, etc., such as:

1. Names/identifiers;
2. Data type (alphanumeric, integer, etc.);
   
3. Size and format (such as length and punctuation of a character string);
   
4. Units of measurement (meters, seconds, etc.);
   
5. Range or enumeration of possible values (0–99, etc.);
   
6. Accuracy (how correct) and precision (number of significant digits);
   
7. Priority, timing, frequency, volume, sequencing, and other constraints, such as whether the data element may be updated and whether business rules apply;
   
8. Security and privacy constraints; and
   
9. Sources (setting/sending entities) and recipients (using/receiving entities).

For each interface identified in the system overview, the manufacturer SHALL describe characteristics of communication methods that the interfacing entity(ies) will use for the interface, such as:

1. Communication links/bands/frequencies/media and their characteristics;
2. Message formatting;
   
3. Flow control (e.g., sequence numbering and buffer allocation);
   
4. Data transfer rate, whether periodic/aperiodic, and interval between transfers;
   
5. Routing, addressing, and naming conventions;
   
6. Transmission services, including priority and grade; and
   
7. Safety/security/privacy considerations, such as encryption, user authentication, compartmentalization, and auditing.

For each interface identified in the system overview, the manufacturer SHALL describe characteristics of protocols the interfacing entity(ies) will use for the interface, such as:

1. Priority/layer of the protocol;
2. Packeting, including fragmentation and reassembly, routing, and addressing;
   
3. Legality checks, error control, and recovery procedures;
   
4. Synchronization, including connection establishment, maintenance, termination; and
   
5. Status, identification, and any other reporting features.

For each interface identified in the system overview, the manufacturer SHALL describe any other pertinent characteristics, such as physical compatibility of the interfacing entity(ies) (dimensions, tolerances, loads, voltages, plug compatibility, etc.).

Manufacturers SHALL document in the TDP all aspects of system design, development, and proper usage that are relevant to system security.  This includes, but is not limited to the following:

1. System security objectives;
2. All hardware and software security mechanisms;
3. Development procedures employed to ensure absence of malicious code;
4. Initialization, usage, and maintenance procedures necessary to secure operation;
5. All attacks the system is designed to resist or detect; and
6. Any security vulnerabilities known to the manufacturer.

Manufacturers SHALL provide at a minimum the high-level documents listed in Part 2: Table 3-1 as part of the TDP.

Manufacturers SHALL provide user and TDP documentation of access control capabilities of the voting system.

Manufacturers SHALL provide descriptions and specifications of all access control mechanisms of the voting system including management capabilities of authentication, authorization, and passwords in the TDP.

Manufacturers SHALL provide descriptions and specifications of methods to prevent unauthorized access to the access control mechanisms of the voting system in the TDP.

Manufacturers SHALL provide descriptions and specifications of all other voting system mechanisms that are dependent upon, support, and interface with access controls in the TDP.

Manufacturers SHALL provide a list of all of the operations possible on the voting device and list the default roles that have permission to perform each such operation as part of the TDP.

Manufacturers SHALL provide TDP documentation of event logging capabilities of the voting devices.

Manufacturers SHALL provide a technical data package that describes system event logging design and implementation.

The manufacturer SHALL provide a list of all software related to the voting system in the technical data package (TDP).

The manufacturer SHALL provide at a minimum in the TDP the following information for each piece of software related to the voting system: software product name, software version number, software manufacturer name, software manufacturer contact information, type of software (application logic, border logic, third party logic, COTS software, or installation software), list of software documentation, component identifier(s) (such as filename(s)) of the software, type of software component (executable code, source code, or data).

As part of the TDP, the manufacturer SHALL provide the location (such as full path name or memory address) and storage device (such as type and part number of storage device) where each piece of software is installed on programmed devices of the voting system.

As part of the TDP, the manufacturer SHALL document the functionality provided to the voting system by the software installed on programmed devices.

As part of the TDP, the manufacturer SHALL map the dependencies and interactions between software installed on programmed devices of the voting system.

As part of the TDP, the manufacturer SHALL provide a list of all software and hardware required to assemble the build environment used to create voting system software executable code including application logic, border logic, and third party logic.

As part of the TDP, the manufacturer SHALL document the procedures to assemble the build environment(s) used to create voting system software executable code including application logic, border logic, and third party logic.

As part of the TDP, the manufacturer SHALL document the procedures used to build the voting system software executable code including application logic, border logic, and third party logic.

As part of the TDP, the manufacturer SHALL provide the certification number associated with the voting system software to be updated.

As part of the TDP, the manufacturer SHALL document the procedures used to build the updated voting system software including application logic, border logic, and third party logic using the post build environment associated with the previously built voting system software.

As part of the TDP, the manufacturer SHALL provide a list of all software and hardware required to assemble the build environment used to create voting system software executable code including application logic, border logic, and third party logic.

As part of the TDP, the manufacturer SHALL document the procedures to assemble the build environment(s) used to create voting system software executable code including application logic, border logic, and third party logic.

As part of the TDP, the manufacturer SHALL document the procedures used to build the voting system software executable code including application logic, border logic, and third party logic.

As part of the TDP, the manufacturer SHALL provide the certification number associated with the voting system software to be updated.

As part of the TDP, the manufacturer SHALL document the procedures used to build the updated voting system software including application logic, border logic, and third party logic using the post build environment associated with the previously built voting system software.

The manufacturer SHALL provide a list of all voting device components to which access must be restricted and a description of the function of each said component.

As part of the TDP, the manufacturer SHALL provide a listing of all ports and access points.

For each lock used on a voting device, manufacturer SHALL document whether the lock was installed to secure an access point.

Manufacturer SHALL provide a list of all physical security countermeasures that require power supplies.

Manufacturer SHALL provide a technical data package that documents the design and implementation of all physical security controls for the voting device and its components.

As part of the TDP, manufacturers SHALL provide a list of the binaries that are required to be executed on the electronic device for each voting system mode.

The manufacturer SHALL provide the technical specifications of how programmed devices of voting systems identifies installed software in the TDP.

The manufacturer SHALL provide a technical specification of how the integrity of software installed on programmed devices of the voting system is verified as part of the TDP.

Software integrity verification techniques SHALL prevent the modification of software installed on programmed devices of the voting system.

The manufacturer SHALL provide a technical specification of how the inspection of all the voting device registers and variables is implemented by the voting device in the TDP.

The manufacturers SHALL provide a technical specification of how the inspection of the remaining charge of the backup power sources is implemented by the voting device in the TDP.

The manufacturers SHALL provide a technical specification of how the inspection of the connectivity of cabling attached to a voting device is implemented by the voting device in the TDP.

The manufacturers SHALL provide a technical specification of how the inspection of the operational status of the communications capability is implemented by the voting device in the TDP.

The manufacturer SHALL provide a technical specification of how the inspection of the on/off status of the communications capability is implemented by the voting device in the TDP.

The manufacturer SHALL provide a technical specification of how the inspection of the remaining amount of each consumable is implemented by the voting device in the TDP.

The manufacturer SHALL provide a technical specification of how the inspection of the calibration for each component is implemented by the voting device in the TDP.

The manufacturers SHALL provide a technical specification of how the adjustment to the calibration of each component is implemented by the voting device in the TDP.

The manufacturer documentation SHALL include a precise definition of the fields in the Device Certificate, Election Certificate, the naming supported in certificates, the algorithms supported, and the format of the Election Closeout Record in the TDP.

The manufacturer SHALL provide test specifications for:

1. Development test specifications; and
2. System test specifications.

The manufacturer SHALL describe the plans, procedures, and data used during development and system integration to verify system logic correctness, data quality, and security.  This description shall include:

1. Test identification and design, including test structure, test sequence or progression, and test conditions;
2. Standard test procedures, including any assumptions or constraints;
   
3. Special purpose test procedures including any assumptions or constraints;
   
4. Test data, including the data source, whether it is real or simulated, and how test data are controlled;
   
5. Expected test results; and
   
6. Criteria for evaluating test results.

The manufacturer SHALL provide specifications for verification and validation of overall system performance.  These specifications shall cover:

1. Control and data input/output;
2. Processing accuracy;
   
3. Data quality assessment and maintenance;
   
4. Ballot interpretation logic;
   
5. Exception handling;
   
6. Security;
   
7. Production of audit trails and statistical data;
   
8. Expected test results; and
   
9. Criteria for evaluating test results.

The specifications SHALL identify procedures for assessing and demonstrating the suitability of the system for election use.

Manufacturers submitting modifications for a system that has been tested previously SHALL submit system change notes.

The system change notes SHALL include the following information:

1. Summary description of the nature and scope of the changes, and reasons for each change;
2. Listing of the specific changes made, citing the specific system configuration items changed, and providing detailed references to the documentation sections changed;
   
3. Specific sections of the documentation that are changed (or completely revised documents, if more suitable to address a large number of changes); and
   
4. Documentation of the test plan and procedures executed by the manufacturer for testing the individual changes and the system as a whole, and records of test results.

The manufacturer SHALL provide photographs illustrating the proper set-up of the voting system hardware.

The manufacturer SHALL provide a record of all user selections that must be made during software/firmware installation for the voting system to meet the requirements of the VVSG.

The manufacturer SHALL also submit a record of all configuration changes that must be made to the software/firmware following its installation for the voting system to meet the requirements of the VVSG.

The manufacturer SHALL submit all configuration data needed to set up and operate the voting system.