The facts about supply chain and manufacturing of voting systems.
ES&S inspects and manages its entire supply chain, taking great care to ensure that every component procured to create voting machines is trusted, tested and verifiable.
Below are some of the most frequently asked questions about our supply chain management and security.
Where is ES&S’s software developed?
All ES&S tabulation software is developed and compiled exclusively in the USA.
Where are your voting machines made? Does ES&S manufacture voting machines overseas?
All final hardware configuration of ES&S voting machines is performed exclusively in the USA. Some components used in our voting machines are made in countries outside the USA. Components are tested and verified before being certified at the state level. These components are then used in the final assembly of the voting machines which occurs in the USA.
Are these manufacturing facilities secure?
ES&S voting machine components are produced in ISO-9001 manufacturing facilities. That means they have been certified as complying with standards set forth by the International Organization for Standardization (ISO) pertaining to the factory management environment, methods of production and production quality. The entire voting system is managed by a secure engineering change order control process. Any changes to the voting system follow a formal closed-loop process, and must be internally and externally reviewed, verified, tested and approved before they can be incorporated.
The Federal Election Assistance Commission (EAC) has also performed a successful onsite audit of our overseas manufacturing site.
How is supply chain security maintained?
ES&S partners with U.S.-based manufacturing companies who utilize security measures such as Customs Trade Partnership Against Terrorism (CTPAT) and Authorized Economic Operator (AEO) to support supply chain security. These manufacturers also use industry-authorized distributors and qualified suppliers for all materials used in the manufacturing of ES&S products. This applies regardless of country of origin.
Do any voting machine components originate from China?
Some components (such as surface mount capacitors, resistors, inductors and fixed logic devices) are at times sourced from China-based manufacturers.
How does ES&S ensure parts received are tamper-free?
ES&S conducts thorough security reviews of our supply chain, including supply chain risk assessments and on-site visits to our key suppliers, to ensure that components are trusted, tested and free of malware. Once the hardware components are delivered to Omaha, we perform several important steps including:
- Verification that the firmware on the programmable active components within the hardware is exactly what we expect it to be and not altered in any way
- Final hardware configuration
- Final end-to-end QA test which includes loading of the certified software and firmware
In this era of cyber threats, how do you know voting systems are secure?
ES&S products are EAC-certified and are built in accordance with federal standards, including National Institute of Standards and Technology (NIST) security protocols and standards and the Center for Internet Security (CIS) Critical Security Controls. Every unit is individually serialized for complete traceability, and we conduct frequent audits and document proof that we are producing the product to design specifications.
ES&S systems are tested by independent, federally accredited laboratories. In addition, this year ES&S submitted our end-to-end voting system to the Idaho National Labs (INL) for extensive penetration testing. Suggestions the INL makes for improvement will be incorporated into future voting system releases.
As standard practice at ES&S, each hardware and software release undergoes thousands of hours of performance and security testing, which includes running millions of test ballots. Following this extensive internal testing, ES&S provides a complete voting system to the federal testing laboratories for their testing in accordance with a test plan approved by the EAC. We also provide the federal testing laboratories with both hardware and software bills of materials, so they can also test the completeness and accuracy of the components in use.
In addition to these stringent quality controls, ES&S is participating in discussions with the Department of Homeland Security’s National Risk Management Center (NRMC), NIST and CIS regarding the development of guidelines and best practices to ensure that we stay on top of managing new or emerging risks associated with supply chain components.