Elections: Action Plans Needed to Fully Address Challenges in Electronic Absentee Voting Initiatives for Military and Overseas Citizens

Highlights

The Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA) protects the rights of military personnel, their dependents, and overseas citizens to vote by absentee ballot. The Department of Defense (DOD) and others have reported that absentee voting, which relies primarily on mail, can be slow and may, in certain circumstances, serve to disenfranchise these voters. In 2004, Congress required DOD to develop an Internet-based absentee voting demonstration project and required the Election Assistance Commission--which reviews election procedures--to develop guidelines for DOD's project. In 2006, Congress required DOD to report, by May 15, 2007, on plans for expanding its use of electronic voting technologies and required GAO to assess efforts by (1) DOD to facilitate electronic absentee voting and (2) the Commission to develop Internet voting guidelines and DOD to develop an Internet-based demonstration project. GAO also assessed DOD's efforts to develop plans to expand its use of electronic voting technologies. GAO interviewed officials and reviewed and analyzed documents related to these efforts.

Recommendations

Recommendations for Executive Action

Agency Affected	Recommendation	Status
Department of Defense	To improve the security and accuracy of DOD's electronic and Internet initiatives, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness to comply with the information security requirements in the DOD Certification and Accreditation Process guidance.	Closed – Not Implemented As of August 2011, DOD had not implemented GAO's recommendation to improve the security of DOD's electronic and Internet voting initiatives by complying with the DOD Certification and Accreditation Process (DIACAP) guidance for information security. Specifically, the Federal Voting Assistance Program (FVAP) has not demonstrated certification or accreditation of the systems used to support their electronic voting initiatives for either the 2008 or the 2010 elections. In written comments on our report, DOD concurred with our recommendation and stated that it would contract for services to comply with the Federal Information Systems Management Act by applying the DIACAP to the Electronic Transmission Service it used for election support. DOD also stated that it had begun the process to obtain the necessary certification and accreditation of security controls. FVAP entered into an agreement with DOD's Washington Headquarters Services (WHS) in June 2008 to test and certify the Electronic Transmission Service using WHS' certification and accreditation contract. However, the contract as awarded did not include the FVAP test and certification requirements. WHS officials believed that there was insufficient time to certify and accredit the service under the contract due to its expiration at the end of 2008. In May 2010, FVAP entered into a Memorandum of Agreement with a new service provider, the Navy's Global Distance Support Center, to provide support for FVAP's Electronic Transmission Service and other systems. However, the memorandum did not include a provision for specifying the information security requirements that the support systems must meet or require certification and accreditation of these systems, and FVAP did not hold any discussions with the new service provider to ensure that the systems would meet specific information security requirements for the 2010 election. Neither FVAP nor the support center were able to demonstrate that the systems used for FVAP's electronic voting initiatives during the 2010 election period had completed certification and accreditation or obtained approvals for the results of these processes from responsible DOD executives. Moreover, significant security risks were identified in one of the election support systems used during the 2010 election period. That system did not receive approval to operate until after the close of the 2010 election, and the approval was interim while the security issues were to be addressed. Taken together, these events and artifacts indicate that DOD has not systematically applied its information security guidance to electronic voting initiatives, and has thus not addressed our recommendation.
Department of Defense	To improve the security and accuracy of DOD's electronic and Internet initiatives, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness to incorporate lessons learned into plans for future systems such as those we identified, including adding cautionary statements to future ballot request and receipt systems to warn UOCAVA voters to remove personal data from their computers.	Closed – Implemented In response to our recommendation, DOD updated its Federal Voting Assistance Program website in June 2008 with an automated Voter Registration and Ballot Delivery Tool, which incorporated a cautionary statement on the login page for the new tool. The statement warns the user that the computer may have saved some of the user's personal data and instructs the user to check the browser's help file to determine how to delete any private data that has been stored during the session. The FVAP updated website also includes a disclaimer webpage, which contains an expanded version of the cautionary statement. Specifically, this statement recommends users delete all personal data from the public computers they use before logging off the system.
Department of Defense	To improve the security and accuracy of DOD's electronic and Internet initiatives, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness to institutionalize a process to review online UOCAVA guidance to ensure that DOD provides accurate and consistent information to UOCAVA voters.	Closed – Implemented In response to our recommendation, DOD developed an internal checklist which staff use when a change occurs to ensure consistency in online information. The checklist contains steps that staff must take when changes are made to (1) state legislative changes, (2) the Voting Assistance Guide, (3) Voting Assistance Guide addresses, (4) Voting Assistance Officer workshop slides or self-administered training, and (5) any other pages on the website.
Department of Defense	To improve the security and accuracy of DOD's electronic and Internet initiatives, the Secretary of Defense should direct the Under Secretary of Defense for Personnel and Readiness to create an integrated, comprehensive, long-term, results-oriented plan for future electronic voting programs that specifies, among other things, the goals to be achieved along with tasks including identifying safeguards for the security and privacy of all DOD's voting systems--both electronic and Internet. The plan should also specify milestones, time frames, and contingencies; synchronize them with planned development of the Commission's guidelines for Internet voting; and be developed in conjunction with major stakeholders--including state and local election officials, the Election Assistance Commission, overseas voting groups, and each of the armed services. The plan should also include initiatives that will be done well in advance of federal elections, to allow adequate time for training and dissemination of information on the options available to UOCAVA voters.	Closed – Implemented On April 26, 2010, the Election Assistance Commission (EAC), issued a "Report to Congress on EAC's Efforts to Establish Guidelines for Remote Electronic Absentee Voting Systems" which contained a "Roadmap Timeline for the Development of Remote Electronic Absentee Voting Guidelines in Support of the Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA)." This Roadmap was developed in conjunction with the National Institute of Standards and Technology (NIST) and the Department of Defense's (DOD) Federal Voting Assistance Program (FVAP) and highlights a number of efforts that the EAC along with NIST and FVAP have or plan to undertake to move towards the development of the remote electronic absentee voting guidelines. For example, the EAC, NIST, and FVAP are in the process of conducting electronic voting pilot projects using existing technology that will be used to help inform the final guidelines development process by providing information regarding the security and logistical challenges of a remote electronic voting system. FVAP stated that the Roadmap serves as its plan for the development of a remote electronic voting system, and that it is not proceeding with an electronic voting demonstration project until the standards for electronic voting from the EAC are in place. In the meantime, the FVAP official stated that FVAP is working with the EAC and NIST to ensure that the standards consider the security parameters necessary to operate.
Election Assistance Commission	To improve the Election Assistance Commission's efforts to comply with the direction from Congress to develop the Internet absentee voting guidelines, the Commission should determine, in conjunction with major stakeholders like DOD, whether the Commission's 2007 Internet voting study and any other Commission efforts related to Internet or electronic voting are applicable to DOD's plans for Internet-based voting, and incorporate them where appropriate.	Closed – Implemented On April 26, 2010, the Election Assistance Commission (EAC) issued a "Report to Congress on EAC's Efforts to Establish Guidelines for Remote Electronic Absentee Voting Systems." The report stated that, to date, the EAC has not established electronic absentee voting guidelines as required under Section 589(e)(2) of the National Defense Authorization Act of 2009. The report did include a "Roadmap Timeline for the Development of Remote Electronic Absentee Voting Guidelines in Support of the Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA)". The Roadmap highlights a number of efforts that the EAC along with the National Institute of Standards and Technology (NIST) and the Department of Defense's (DOD) Federal Voting Assistance Program (FVAP) have or plan to undertake to move towards the development of the remote electronic absentee voting guidelines. For example, the EAC, NIST, and FVAP are in the process of conducting a kiosk-based remote voting pilot project that will be used to help inform the final guidelines development process by providing information regarding the security and logistical challenges of a remote electronic voting system.
Election Assistance Commission	To improve the Election Assistance Commission's efforts to comply with the direction from Congress to develop the Internet absentee voting guidelines, the Commission should develop and execute, in conjunction with major stakeholders--including state and local election officials and DOD--a results-oriented action plan that specifies, among other things, goals, tasks, milestones, time frames, and contingencies that appropriately address the risks found in the UOCAVA voting environment--especially risks related to security and privacy.	Closed – Implemented On April 26, 2010, the Election Assistance Commission (EAC) issued a "Report to Congress on EAC's Efforts to Establish Guidelines for Remote Electronic Absentee Voting Systems." The report stated that to date, the EAC has not established electronic absentee voting guidelines as required under Section 589(e)(2) of the National Defense Authorization Act of 2009. The report includes a "Roadmap Timeline for the Development of Remote Electronic Absentee Voting Guidelines in Support of the Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA)". The Roadmap highlights a number of efforts that the EAC along with the National Institute of Standards and Technology (NIST) and the Department of Defense's (DOD) Federal Voting Assistance Program (FVAP) have or plan to undertake to move towards the development of the remote electronic absentee voting guidelines. In followup discussions with an EAC official, they stated that the Roadmap was developed to respond to the GAO recommendation for an action plan.