Notice of Proposed Rule

DEPARTMENT OF STATE
Division of Elections
RULE NO.: RULE TITLE:
1S-2.004: Voting Machine Equipment Regulation/Purchase, Use and Sale
PURPOSE AND EFFECT: The rule has not been updated since 1986 to reflect current local and state-level procurement practices. Additionally, the current rule provides no guidance to other appropriate uses of the systems that would promote training, education and technological advances on or with certified voting systems. For example, the proposed revision establishes procedures or protocols for assessing a voting system during a routine test or system audit and for identifying potential or actual problems that require immediate resolution and assessing potential vulnerabilities to the integrity of voting systems. The rule revision reflects input from rule workshops conducted in 2004, 2006 and 2009 to elicit feedback in a substantial rewrite of the rule.
SUMMARY: Provides the procedures for the procurement, and various other uses including training and assessment of voting systems.
SUMMARY OF STATEMENT OF ESTIMATED REGULATORY COSTS AND LEGISLATIVE RATIFICATION:
The Agency has determined that this will not have an adverse impact on small business or likely increase directly or indirectly regulatory costs in excess of $200,000 in the aggregate within one year after the implementation of the rule. A SERC has not been prepared by the agency.
The Agency has determined that the proposed rule is not expected to require legislative ratification based on the statement of estimated regulatory costs or if no SERC is required, the information expressly relied upon and described herein: 1) no requirement for SERC was triggered under Section 120.541(1), F.S. and 2) based on past experiences with election-related activities and rules of this nature, the adverse impact or regulatory cost, if any, do not exceed nor would be expected to exceed any one of the economic analysis criteria set forth in Section 120.541(2)(a), F.S.
Any person who wishes to provide information regarding a statement of estimated regulatory costs, or provide a proposal for a lower cost regulatory alternative must do so in writing within 21 days of this notice.
RULEMAKING AUTHORITY: 20.10(3), 97.012(1) 101.293, 101.294 FS.
LAW IMPLEMENTED: 97.012(5), 101.015(7), 101.017, 101.292, 101.293, 101.294, 101.295, 101.5604, 101.5605(3)(b), 101.5605(4), 101.5607(1)(c), 101.58 FS.
IF REQUESTED WITHIN 21 DAYS OF THE DATE OF THIS NOTICE, A HEARING WILL BE HELD AT THE DATE, TIME AND PLACE SHOWN BELOW:
DATE AND TIME: October 17, 2011, 2:00 p.m.
PLACE: Room 307, R.A. Gray Building, Florida Department of State, Tallahassee, Florida 32309
Pursuant to the provisions of the Americans with Disabilities Act, any person requiring special accommodations to participate in this workshop/meeting is asked to advise the agency at least 5 days before the workshop/meeting by contacting: Eddie Phillips, elphillips@dos.state.fl.us, Administrative Assistant, Office of General Counsel, Department of State, R.A. Gray Building, 500 S. Bronough Street, Tallahassee, Florida 32399-0250, telephone: (850)245-6536. If you are hearing or speech impaired, please contact the agency using the Florida Relay Service, 1(800)955-8771 (TDD) or 1(800)955-8770 (Voice).
THE PERSON TO BE CONTACTED REGARDING THE PROPOSED RULE IS: Maria Matthews, Assistant General Counsel, Office of General Counsel, (850)245-6536, mimatthews@dos.myflorida.com or Dr. Gisela Salas, Director, Division of Elections, Gisela.salas@dos.myflorida.com, (850)245-6200, Florida Department of State, R.A. Gray Building, 500 S. Bronough Street, Tallahassee, Florida 32399-0250

THE FULL TEXT OF THE PROPOSED RULE IS:

(Substantial rewording of Rule 1S-2.004 follows. See Florida Administrative Code for present text.)

1S-2.004 Purchase, Sale, and Uses of Voting Equipment and Systems.

(1) Purpose. This rule provides uniform policies, procedures and best practices for the purchase, sale, and use of voting equipment or system including assessments of certified voting systems and beta testing of pre-certified modifications to certified voting systems.

(2) Definitions. The terms herein have the following meaning:

(a) “Beta Test” means any activity that assesses a change or modification to a county’s certified voting equipment or system in preparation for the state’s formal certification or approval process.

(b) “Division” means the Division of the Florida Department of State.

(c) “Governing body” is defined as set forth in Section 101.292(1), F.S.

(d) “Purchase” refers to a contract to buy, lease, rent, or acquire voting equipment or system.

(e) “Sale” refers to a contract to sell or otherwise dispose of voting equipment or system in return for a valuable consideration.

(f) “Voting equipment” is defined as set forth in Section 101.292(2), F.S.

(g) “Voting system” is defined as set forth in Section 97.021(43), F.S.

(3) Regulations for Purchase.

(a) Competitive Solicitation Process.

1. When the individual or combined total purchase or sale price of voting equipment or system exceeds the threshold amount for Category Two purchases under Section 287.017, F.S., the governing body shall follow the applicable local procurement policies, procedures and rules for competitive solicitation to the extent not otherwise addressed in this subsection.

2. If the governing body determines that an exception as provided in Section 287.057(3), F.S., exists, the chair of the governing body shall certify such exception to the Division within 10 days of the governing body’s approval to acquire the equipment or system outside the competitive solicitation process and any requirements in this subsection. The certification shall detail the circumstances and conditions requiring the exception. Should any other conditions arise wherein the potential benefits of competitive solicitation are outweighed by the detrimental effects of a delay in the acquisition of such equipment or system outweigh the potential benefits of competitive solicitation, the chair shall certify in writing the conditions and circumstances to the Division for its review and approval.

3. The governing body shall enter all bids, tabulations of bids, and responses related to bids in a permanent record and maintain the record for public inspection upon request, subject to exemptions or restrictions under applicable public records and copyright laws.

(b) Notice of Bid. The governing body shall provide notice to the Division of all invitations to bid for the purchase of new or used voting equipment or system subject to this subsection.

(c) Content of Competitive Bid. All bid invitations shall specify at a minimum, the following information:

1. Name and address of governing body.

2. Date of issuance.

3. Required time, place and terms of delivery and any other delivery conditions.

4. Date, hour and place of opening bids.

5. Surety requirements, if any.

6. Quantity of voting equipment or system to be furnished under each item.

7. Any specifications or other description establishing the capability of such voting equipment or system including its compliance with Section 101.5606, F.S.

8. A statement that the voting equipment or system must be certified under the Florida Election Code prior to its acquisition or purchase.

9. A statement that the governing body reserves the right to reject any and all bids.

10. A statement that the bidder must indicate any cash discounts or terms of discounts provided if the bid is accepted.

11. A statement that the bidder must include all costs for delivery, storage, freight and packing to the address on the bid invitation unless otherwise specified.

12. Any other general conditions or special provisions that the bidder must meet or that are otherwise required by the governing body.

(d) Deliveries. All deliveries of purchased equipment shall be subject to inspection at time of delivery and require written certification by the vendor of proper delivery.

(e) Acceptance. The Supervisor of Elections shall forward to the Division a copy of the vendor certification required by Section 101.294, F.S.

(f) Notice of Rejection. A governing body or supervisor of elections may reject a voting equipment or system that fails in any respect to meet the standards for certification under state law, that fails to meet the specifications upon which the award was based or representations of the vendor, or that is defective. Notice of any rejection, based on defects that would be disclosed at the time of delivery or by ordinary methods of inspection, will be given to the supplier and the carrier within 10 days after delivery of the item(s). Notice of latent defects that would make the items unfit for the purpose intended may be given by the governing body or Supervisor of Elections any time after acceptance.

(4) Sale of Voting Equipment and Voting System.

Each governing body or Supervisor of Elections shall certify in writing to the Division the anticipated terms of the sale of voting equipment or system and that the sale will not adversely affect the Supervisor of Elections or the governing body’s duties under federal or state law to comply with or perform as pertains to elections.

(5) Uses of voting equipment or system.

(a) Routine use. No equipment or software may used with a voting system unless listed within the voting system’s current certification or earlier version, or a configuration defined within the voting system’s documentation. Critical elements of the voting system may be replicated to serve as a backup system. Critical elements include the software and database modules that comprise the election management system. Unmodified commercial-off-the-shelf (COTS) items may be replaced with like-kind items upon written concurrence from the voting system vendor and the Division. A vendor’s uniquely qualified COTS that must comply with the vendor’s Florida certification may not be replaced with like-kind items.

(b) Improvement to the election process. A certified system may be used in any manner approved by the vendor in an effort to improve the election process. However, any deviation from the documented procedures or manual for use and operation of the voting system must be approved in writing by the Division and notice provided to the vendor. Such documentation may be in the form of user notes, technical bulletins, or other suitable format.

(c) Training and education. A voting system may be used for training or educational purposes, provided security procedures include backup and sufficient safeguards to protect the database(s) and software from inadvertent or intentional corruption.

(d) Assessment. A Supervisor of Elections or a governing body may use a certified voting system in an assessment to examine or evaluate the system’s security procedures, access control, system reliability and accuracy. The Supervisor of Elections shall implement appropriate procedures. A duplicate or backup voting system in lieu of a live system shall be used in any assessment whenever practicable.

1. An assessment may be conducted as a routine test, a system audit or an examination of the functionality of the software and firmware, including penetration testing. An assessment may also be conducted to identify or detect or to further examine any identified or detected potential or actual deficiency, problem, vulnerability or flaw in a certified voting system that relates to its hardware, software, design, operation, vote tabulation, access control, system reliability and accuracy, or security including the potential for unauthorized manipulation and fraud. If a potential or actual deficiency, problem, vulnerability is identified or detected, the Supervisor of Elections must notify the Division and the affected vendor in writing no later than 10 days regardless of whether an assessment is conducted. The notice must include a description of the actual or proposed process to replicate, correct or mitigate the deficiency, problem, vulnerability or flaw.

2. Although the Supervisor of Elections is responsible for the conduct of an assessment, he or she may use the services of an independent professional person or entity. The services of an appropriate skill assessment team who are educated and experienced in assessments and whose credentials have been approved by the governing body may be used.

3. The Supervisor of Elections shall notify in writing the Division of its intent to conduct an assessment and include a test plan.

4. No assessment may be conducted within 45 days of a special, primary, general or presidential preference primary election.

5. Subject to minimum security standards for voting systems and the public records and copyright laws, the assessment of the voting system shall be conducted in public, and on location in the county of the respective Supervisor of Elections. The Supervisor of Elections shall publish on his or her official website, 14-day advance notice of the scheduled assessment. The supervisor shall also notify the vendor(s) of the certified voting system or equipment components affected by the test or assessment.

6. The Division may be present at the assessment or have access, in accordance with authority under Section 101.58, F.S.

7. The Supervisor of Elections shall ensure that the process and results of the assessment are documented. A written report shall be submitted to the Division no later than 20 days after the assessment is completed. The report shall include any recommendations for addressing any identified potential or actual deficiency, problem, vulnerability, or flaw. The Supervisor of Elections shall also flag all information in the report that is confidential and exempt under the public records law or otherwise protected under the copyright laws in a separate addendum to the report.

8. A copy of the report shall also be provided to the vendor(s) whose equipment or system was the subject of the assessment. The vendor(s) of the voting equipment or system affected by the assessment has 10 days from receipt of the assessment report to respond in writing to the Supervisor of Elections, the governing body and the Division.

9. The Supervisor of Elections shall develop and implement all available security procedures to correct or mitigate any adverse effect resulting from a deficiency, problem, flaw or vulnerability identified or detected by the assessment report.

10. After review of the report and vendor’s response, the Division shall conduct, as needed, further studies, issue technical advisories to the supervisors of elections and the governing body regarding the results of the assessment, implement revised or new minimum security standards pursuant to Section 101.015(4), F.S., relating to the voting system, and determine if changes to the systems need to be made for subsequent certification.

(e) Beta testing. A Supervisor of Elections may conduct a beta test of non-certified voting equipment or system. A beta test can use a certified system, but the certified system needs to be imaged and reinstalled after the beta test. A system image is a copy of the entire state of a computer system stored in a non-volatile location.

1. The Supervisor of Elections shall provide written notice to the Division of its intent to conduct a beta test and include a test plan. The test plan must include, at a minimum, information about how or whether the new voting equipment or system or a certified voting equipment or system is being altered for purposes of the beta-test. The test plan must also include provisions that comply with the public records and copyright laws.

2. The Division of Election will review the test plan before the beta test is conducted. The Division does not need to approve the test plan if secondary hardware units will be used to conduct the assessment.

3. A beta test may not be performed within 45 days of a special, primary, general or presidential preference primary election.

4. The Supervisor of Elections shall ensure that the process and results of the beta test are documented. After completion of the beta test, a written report must be submitted to the Division and the vendor(s) whose voting equipment or system was beta tested. The test report shall include any recommendations for addressing any identified potential or actual deficiency, problem, vulnerability, or flaw. The Supervisor of Elections shall also flag all information in the test report that is confidential and exempt under the public records law or otherwise protected under the copyright laws in a separate addendum to the report.

(5) Notice of issues.

1. At any time during the purchase, sale, or use of voting equipment or voting system, a Supervisor of Elections or the governing board discovers that the equipment or system fails in any respect to meet the standards for certification under state law or fails to meet the specifications upon which a contract, agreement or other written representation was based, the Division shall be notified in writing.

2. A vendor of a certified voting system shall immediately notify the Division of any condition that may cause the vendor’s product to fail in any respect to meet the standards for certification of voting equipment or system under state law.

3. The Division shall notify Supervisors of Elections when a certified voting equipment or voting system fails in any respect to meet the standards for certification under state law or when it has identified a potential or actual deficiency, problem, vulnerability or flaw identified or detected in a certified voting system that relates to its hardware, software, design, operation, vote tabulation, access control, system reliability and accuracy, or security. Such notice may be in the form of a technical advisory or bulletin, or other suitable format.

(6) Vendor Lists Maintained. The Division shall maintain on its website a current list of vendors for certified voting equipment and systems in the State.

(7) The effective date of this rule is January 1, 2012.

Rulemaking Specific Authority 20.10(3), 97.012(1), 101.293, 101.294 FS. Law Implemented 97.012(5), 101.015(7), 101.017, 101.292, 101.293, 101.294, 101.295, 101.5604, 101.5605(3)(b), 101.5605(4), 101.5607(1)(c), 101.58 FS. History–New 12-20-73, Amended 1-19-74, Repromulgated 1-1-75, Amended 5-20-76, Formerly 1C-7.04, Amended 7-7-86, Formerly 1C-7.004, Amended 1-1-12.


NAME OF PERSON ORIGINATING PROPOSED RULE: Dr. Gisela Salas, Director, Division of Elections
NAME OF AGENCY HEAD WHO APPROVED THE PROPOSED RULE: Kurt S. Browning, Secretary of State
DATE PROPOSED RULE APPROVED BY AGENCY HEAD: August 17, 2011
DATE NOTICE OF PROPOSED RULE DEVELOPMENT PUBLISHED IN FAW: July 8, 2011