North Carolina Regulations § 04.0401 STANDARDS FOR CERTIFICATION OF ELECTRONIC POLL BOOKS
Regulation Text
(a)
As used in this Chapter, an "electronic poll book" is a system (including hardware, software, and firmware) used to check the registration of voters who appear to vote in person, to assign voters their correct ballots, and to record the voters' check-in and acceptance of ballots. An electronic poll book shall, to qualify for certification by the State Board for use in any election in North Carolina, fulfill the following requirements:
(1)
It shall record all information a voter is required by law to provide when presenting to vote and be equipped so that voters and election workers can complete the steps required by law for checking a voter's registration and the distribution of ballots to checked-in voters.
(2)
It shall be equipped for use on any day the polls are open for in-person voting and shall contain the list of registered voters eligible to vote in the election.
(3)
It shall verify a voter's eligibility to receive a ballot, confirm a voter has not previously voted in the election based on available records, and record a voter's check-in and receipt of a ballot.
(4)
It shall log all user activity and that log shall be secured from unauthorized alteration and be available only to authorized users. It shall require the use of individual user accounts assigned to individual authorized users and not allow shared accounts for access to the electronic poll book. As used in this Chapter, an "authorized user" is an individual designated by the State Board or a purchasing county board of elections to operate and maintain the electronic poll book.
(5)
It shall secure the data of the electronic poll book such that the data is stored in a manner that an unauthorized party will not be able to access the data.
(6)
It shall secure the data contained within the electronic poll book such that the data is not transmitted or transported for any purpose except for official use in the conduct of an election or as otherwise authorized by law.
(7)
It shall ensure that the voter data contained within the electronic poll book is not deleted without prompting by an authorized user, so that county elections personnel can comply with all applicable laws pertaining to records retention.
(8)
It shall not allow access to confidential voter data, except for official use by authorized users.
(9)
It shall meet applicable federal requirements for electronic poll books.
(10)
It shall be reviewed by an independent testing authority accredited by or partnered with a federal agency for compliance with applicable state law.
(11)
It shall be simple for election workers to set up and use, and any hardware shall be transportable to voting locations.
(12)
It shall be compatible with systems, equipment, and software utilized by the State Board and county boards of elections for storing and processing voter registration and voting data.
(13)
It shall allow for a wired connection to peripherals approved by the State Board, when certifying an electronic poll book pursuant to Rule .0402 of this Chapter, that are required for the operation of the electronic poll book and, as minimally required for functionality, allow for a secure network connection for the secure transmission of data with the state's electronic information management system, provided that the connection to the network is not automatically enabled by default upon powering on or opening the electronic poll book. All other forms of connectivity are prohibited.
(b)
A vendor applying for certification by the State Board of Elections of an electronic poll book shall, as part of the certification application, fulfill the following requirements:
(1)
The vendor shall submit the electronic poll book for examination, testing, and evaluation by the State Board. The vendor shall initiate the certification process by submitting a letter of application directed to the Executive Director of the State Board. A corporate officer or designee of the vendor shall sign the letter, and the letter shall include:
(A)
The name and contact information of the company and the name and title of the corporate officer signing the application and all corporate information requested by the State Board.
(B)
The vendor's corporate information. Corporate information shall include a history and description of the business, year established, products and services offered, areas served, branch office locations, and subsidiary or parent companies; a list of owners or shareholders with a five percent or greater interest or share in each of the vendor's company, subsidiary companies, and parent company; a description of management and staff organization, number of full-time employees by category, number of part-time employees by category, and resumes of employees to be tasked with assisting purchasing counties; documentation demonstrating that the vendor meets the same level of security compliance required for vendors connected to the State Network, as that term is defined in G.S. 143B-1370(a)(5)g.; a report showing the results of an independent audit of the business for its most current fiscal year; a comfort letter from the vendor's primary bank; and a description of the vendor's financial history including a financial statement for the past three fiscal years. If the vendor is not the manufacturer of the equipment for which application is made, the vendor shall include the vendor's financial statement for the past three fiscal years.
(C)
The name and version number of the electronic poll book to be certified, and a list of all jurisdictions that have certified, have used, or are currently using the electronic poll book.
(D)
An attestation that the corporate officer signing the application has reviewed and confirmed that the electronic poll book meets all legal requirements of electronic poll book systems under state and federal law.
(2)
The vendor shall provide a listing of all software, hardware, and consumables necessary for operation of the electronic poll book, a technical data package, an accounting of any prior submission of the electronic poll book to another jurisdiction for certification, an accounting of any decertification of the vendor's electronic poll book or other voting product, and a demonstration of the system. The vendor shall provide access to the information required to be placed in escrow by a vendor pursuant to G.S. 163-165.9A.
(3)
The vendor shall submit documentation of any review of the electronic poll book by an independent testing authority for compliance with federal or state standards, requirements, or guidance applicable to electronic poll books.
(4)
The vendor shall provide a copy of its standard purchase contract and shall quote a statewide uniform price for each unit of the electronic poll book, including peripherals, consumables, and software required for operation of the electronic poll book.
(5)
The vendor shall post a bond or letter of credit to cover damages resulting from defects in the electronic poll book, sufficient to cover any costs of conducting a new statewide election attributable to those defects. The State Board shall survey the county boards of elections in April of every odd-numbered year following an election held at the time prescribed in G.S. 163- 1(c) to determine each county's costs for conducting its most recent general election, and the State Board shall aggregate those amounts to arrive at the cost of conducting a new statewide election. That aggregate amount shall determine the bond or letter of credit requirement, and it shall be effective June 1 of the year the survey is conducted and remain in effect until an amount is likewise calculated in a subsequent odd-numbered year following an election held at the time prescribed in G.S. 163- 1(c) and is made effective.
(6)
The vendor shall bear all of its costs associated with certification.
(c)
The State Board shall terminate a pending certification process if:
(1)
The vendor fails to respond to a State Board request for information or other resources required to be provided under Paragraph (b) of this Rule for the certification process.
(2)
The State Board identifies the lack of a necessary quality or element in the electronic poll book system, vendor, or certification application that cannot be remedied by the vendor and is required for certification under this Rule.
(3)
The vendor withdraws from the certification process.
(d)
A vendor, to maintain certification by the State Board of Elections of the vendor's electronic poll book, shall fulfill the following requirements for the duration of the electronic poll book's certification and use in North Carolina:
(1)
The vendor shall conduct a presentation to demonstrate for a county board of elections, as part of that county board's procurement and acceptance of a certified electronic poll book, the system's ability to execute its designed functionality as presented and tested during State-level certification and the vendor's ability to fulfill the duties required by G.S. 163-165.9A.
(2)
The vendor shall submit to the State Board any escrow-related affidavits and other information required by G.S. 163-165.9A.
(3)
The vendor's contract with each purchasing county shall include the agreement required by G.S. 163-165.7(c)(4) and the following training and support:
(A)
Operational training for a purchasing county's elections personnel;
(B)
Operational support prior to and during any election in which the certified electronic poll book will be in use; and
(C)
End-of-life and end-of-service-life planning for the certified electronic poll book system, including guaranteed support until the system has reached the vendor's stated end-of-life date, optional extended support until the system has reached the end-of-service-life date, and sanitization of the electronic poll book once it has reached its end-of-service-life. End-of-life shall mean the point in time in which the vendor will no longer sell or market the electronic poll book. End-of-service-life shall mean the point in time in which the vendor will no longer provide maintenance or support for the electronic poll book.
(4)
The vendor shall provide, upon request by the State Board or a purchasing county, memory devices or USB drives, sufficient in number to support the operation of the certified electronic poll book in an election setting, that meet industry standards for sanitization and security requirements for cryptographic modules, use cryptographic hashing algorithms of Secure Hash Algorithm 256-bit (SHA-256) or higher, and meet all applicable North Carolina Department of Information Technology information security standards. The standard for sanitization shall be as prescribed in National Institute of Standards and Technology (NIST) SP 800-88 Guidelines for Media Sanitization, including subsequent amendments and editions. A copy of the SP 800-88 Guidelines are available for inspection in the offices of the State Board of Elections and may also be obtained at no cost by accessing the NIST website at
https://csrc.nist.gov/pubs/sp/800/88/r1/final
. The security requirements for cryptographic modules shall be as prescribed in the National Institute of Standards and Technology's Federal Information Processing Standards 140-3 (FIPS 140-3), including subsequent amendments and editions. A copy of the FIPS 140-3 is available for inspection in the offices of the State Board of Elections and may also be obtained at no cost by accessing the NIST website at
https://csrc.nist.gov/pubs/fips/140-3/final
.
(5)
The vendor shall allow the State Board to examine the certified electronic poll book at any time to ensure compliance with state and federal election laws and certification standards. To facilitate this requirement, the vendor shall make available to the State Board, upon request and at no cost to the agency, a certified electronic poll book model. The vendor shall, upon request, assist in the State Board's examination and submit requested changes to the electronic poll book to the State Board to ensure continued compliance with state and federal law.
(6)
The vendor shall submit documentation to the State Board identifying and describing a proposed change to a certified electronic poll book in use in North Carolina. The vendor shall, upon request, assist in the State Board's review of proposed changes. No vendor shall provide a county board of elections any software, firmware, hardware, or instruction that will change a certified electronic poll book unless that change has first been approved in accordance with Rule .0402(b) of this Chapter.
(7)
The vendor shall provide electronic notice to the State Board of another United States jurisdiction's decision to decertify or halt the use of its electronic poll book or other voting product within 24 hours of the jurisdiction's decision. The vendor shall provide electronic notice to the State Board of any incident, anomaly, or defect in the same system known to have occurred anywhere, and of any relevant defect known to have occurred in similar systems, within 24 hours of knowledge of the incident, anomaly, or defect.
(8)
The vendor shall maintain the required bond or letter of credit on a continuous basis, without interruption.
(9)
The vendor shall, on a quarterly basis, provide the State Board a quote for a statewide uniform price for each unit of the electronic poll book. The vendor shall, on a quarterly basis, furnish the State Board with an accounting of purchases of certified electronic poll books by a jurisdiction within North Carolina.
(e)
In accordance with G.S. 163-165.7, compliance with this Rule shall not be required of an electronic poll book which is developed or maintained by the State Board of Elections for that electronic poll book to be used in an election in North Carolina.
History
Authority G.S. 163-22; 163-165.7; 163-165.9A; 163-166.7;