
Voting Systems Risk Assessment

Solicitation Number: EAC-RDV08-R-001
Agency: U.S. Election Assistance Commission
Office: U.S. Election Assistance Commission
Location: U.S. Election Assistance Commission

Note: There have been modifications to this notice. You are currently viewing the original synopsis.

Combined Synopsis/Solicitation
Added: Aug 15, 2008 12:06 pm
UNITED STATES ELECTION ASSISTANCE COMMISSION





August 15, 2008



RE: Request for Proposal, Solicitation Number EAC-RDV08-R-001



PROSPECTIVE OFFERORS:



The Government intends to procure contractor services for a scientifically founded voting system risk assessment to facilitate making informed decisions relative to voting system standards for the US Election Assistance Commission.



The US Election Assistance Commission is requesting submission of a proposal by September 5, 2008 at 3:00 pm EDT.



This solicitation is open to all and is based on full and open competition.



As a result of this solicitation, the Government intends to issue a time and materials contract based on the evaluation of proposals as cited in the evaluation factors.



A completed copy of your most recent representations and certifications is required with your offer, as is completion of your representations and certifications in the ORCA on-line database system. (Go to http://orca.bpn.gov to complete. Completion requires an active Central Contractor Registration account and a valid Marketing Partner Identification Number-MPIN. See www.ccr.gov for more information on creating and entering your MPIN.)



Your proposal shall constitute the cost for the life of the contract awarded as a result of this solicitation. The prices must include all costs for requirements identified in the statement of work. Any surcharges or usage fees must be included with a separate price proposal.



Questions concerning the statement of work must be submitted in writing in accordance with the Instructions to Offerors.



If you have any questions regarding the above, please contact me via email at rvinsoneac@gmail.com. Phone calls will not be accepted. Deadline for questions is August 25, 2008.



Sincerely,





Ritchie Vinson

Contracting Officer





RFP EAC-RDV-08-R001 STATEMENT OF WORK

ASSISTANCE TO THE UNITED STATES ELECTION ASSISTANCE COMMISSION (EAC) FOR PERFORMING A VOTING SYSTEMS RISK ASSESSMENT

1. Background. The Help America Vote Act of 2002 (HAVA) established the U.S. Election Assistance Commission (EAC) to serve as a national clearinghouse and resource for the compilation of information and review of procedures with respect to the administration of Federal elections. Part 3 of HAVA describes the duties of the EAC in relation to the adoption of voluntary voting system guidelines. Section 222(b)(1) requires the Executive Director to take into consideration the recommendations of the Technical Guidelines Development Committee (TGDC) when developing or modifying these guidelines.



In August 2007, the TGDC delivered a set of recommendations for the next version of the Voluntary Voting System Guidelines (VVSG) to the EAC. These recommendations considerably expand the number of security requirements for voting systems. They also introduce several new concepts to be applied in system design and testing. The EAC must decide how to utilize these recommendations as they create the next iteration of the EAC voting system standards. This requires answering the question of how to specify a sufficient level of security protection without requiring disproportionate tradeoffs against other desirable attributes such as ease of use, efficiency of operation, and reasonable cost. At present there is no federal analysis of the security threats to voting systems and the potential resulting harms. Thus there is an insufficient basis for determining what constitutes an acceptable level of risk. Without such a benchmark, it is impossible to make an informed and valid decision on what constitutes a sufficient level of security protection.

To gather input for its deliberations, EAC convened a roundtable of computer scientists to discuss voting system security. The group concluded that no definitive risk assessment model for voting systems currently exists, but one is needed to provide a framework for specifying security requirements. This is consistent with federal information security policy as well as IT industry security practice.

The Federal Information Security Management Act of 2002 (FISMA) (P.L. 107-347) Section 3543 requires all federal agencies to provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information or information systems. These concerns are not unique to federal systems. They apply equally to other computer-based systems supporting sensitive processes such as voting.

FISMA states that this is to be accomplished by first assessing the risk and magnitude of harm and thereby determining the level of information security appropriate to protect the system. Then policies and procedures can be developed to cost-effectively reduce the information security risks to an acceptable level. As stated in NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems: The risk assessment validates the security control set and determines if any additional controls are needed to protect the system. The resulting set of security controls establishes the level of “security due diligence.” The final determination of the appropriate set of controls necessary to provide adequate security for an information system is a function of the assessment of risk and what is required to sufficiently mitigate the risk.

The EAC requires a scientifically founded voting systems risk assessment to facilitate making informed decisions relative to voting system standards. This assessment must encompass the complete range of voting system technologies – paper ballots, optical scan, DREs, web-based, etc. Two products will result from this effort. The first is a recommendation of an appropriate level of assurance for voting systems based on the analysis of threats and risks. The second is documentation of the methodology and models developed so the EAC and other stakeholders can utilize these tools independently without the assistance of specialized experts. These products will assist the EAC and the election community in fostering a broadly-based consensus on a prudent and acceptable degree of risk for voting systems by evaluating trade-offs, running sensitivity analyses, and performing cost-benefit analyses of proposed voting system security requirements.

2. Objective. The objective of this contract is to procure the services of a well-qualified and broadly-based interdisciplinary team to perform a comprehensive voting systems risk assessment. In addition to creating reusable models and assessment tools, this effort will make a recommendation regarding what constitutes an acceptable level of impact for voting systems. The working hypothesis is that a “moderate” level of impact as defined by NIST SP 800-53 provides an appropriate level of protection. The risk analysis will provide data for examining this hypothesis and supplying the basis for either supporting it or recommending a different level.



This effort is laid out in three phases. Each phase concludes with review and approval of the work product by the EAC and its Standards Board and Board of Advisors. The first phase will create two sets of reference models: 1) election process models to define the operational context in which voting systems are used, and 2) voting system models by generic technology type (e.g., paper ballots, optical scan, DRE, telephone) to identify the variations in threats and potential impacts across the range of voting technologies.

In the second phase these models will be analyzed to identify the threats associated with each voting technology and to perform risk assessments of the potential harms and possible mitigations for these threats. The end product will be a set of risk assessments for the range of voting technology approaches. The intention of this analysis is not to rate one technology as better or worse than another or to identify the “best” system, but rather to identify the security requirements necessary for all types of systems to achieve a specified level of confidentiality, integrity, and availability. Theoretically, with the appropriate mix of technical and procedural safeguards, every technology solution can provide an acceptable level of security. But achieving the appropriate mix for some technologies may be technically more difficult and/or expensive and/or entail undesirable tradeoffs against other important design considerations such as usability.

In the third phase the Contractor shall present a recommendation for an acceptable impact level for voting systems with supporting rationale. The EAC will decide whether to use this recommendation as the basis for developing security requirements in future iterations of the VVSG. State and local election officials may choose to adopt this recommendation for performing assessments of the adequacy of security practices at the local level. Manufacturers and test labs can use this recommendation as a reference point for system design and testing purposes.

Also in the final phase, the Contractor will document the models developed and analyses performed in a manner that will facilitate their use by the EAC, election officials, and other stakeholders such as advocacy groups and academics. As noted above, the goal of this activity is to enable the EAC and others to understand and use these tools independently without the assistance of specialized experts. To further this end, it is preferred that the Contractor employ widely accepted IT industry structured analysis tools such as Data Flow Diagrams and Unified Modeling Language rather than proprietary methodologies.

3.0 Scope. The Contractor shall be responsible for performing all the tasks described in Section 4.0 below. It is mandatory that the Contractor team be interdisciplinary and broadly based in terms of knowledge and experience, both theoretical and applied. This should include academic researchers as well as security engineers, software engineers and others with direct experience in designing, developing, and implementing voting systems and other high security IT systems. It is essential that the team include personnel with hands-on election administration experience with a variety of voting technologies and administrative practices (e.g., central count/precinct count, early voting, vote centers).

A substantial amount of risk assessment work has been done for voting systems. The Contractor is expected to review this work and utilize it as appropriate. In addition the Contractor is expected to be cognizant of commonly used risk assessment methods for secure IT systems. The tasks described below are based on the process described in NIST SP 800-30, “Risk Management Guide for Information Technology Systems,” July 2002. It is required that offerors have experience with the application of this risk management methodology.

Participants for review panels specified in Tasks 4.7 and 4.11 shall be identified by the Contractor in consultation with the EAC. The EAC shall be responsible for scheduling and convening reviews by the National Institute of Standards and Technology (NIST), and the EAC Standards Board and Board of Advisors, called for in Tasks 4.8 and 4.12.





4.0 Specific Tasks.

4.1 Update the project work plan. The Contractor shall update the Project Plan submitted with their proposal and deliver the updated Project Plan no later than ten (10) days after contract award. The plan shall describe how the Contractor will accomplish each of the project tasks, and it shall include a timeline indicating major milestones.



4.2 Submit monthly progress reports. The Contractor shall submit a monthly progress report within two (2) weeks following the end of each month. This shall provide a brief summary of the activities performed and indicate progress against the timeline. Any issues that could adversely affect schedule or budget should be identified for resolution. Budget status shall also be included. This report shall be submitted both in hardcopy and electronically (via email) to the EAC Project Manager.







4.3 Conduct periodic briefings for the EAC. Following the delivery of each monthly progress report, the Contractor and EAC Project Manager will discuss the research findings and work progress and address any issues raised in the written report. This review can be conducted by conference call. From time to time the Contractor will be required to meet in person with the EAC Project Manager to discuss work progress, schedule, and budget. The Project Plan should make allowance for this activity. The number and frequency of briefings shall be determined by the Contractor Project Manager and the EAC Project Manager as the work progresses. The Contractor may also be required to periodically brief the Commission and other organizations on their work.



A two-day program review will be conducted at the conclusion of Phase I. The purpose of this review is to evaluate work progress to date and validate time and resource estimates for the completion of the remaining tasks. The results of the Phase I tasks should provide an indication of whether the original schedule and resource estimates for the remainder of the work might need adjustment. The Contractor will formally brief the work already performed as well as the workplan for the remaining tasks. Any request to modify the schedule or level of effort for Phases II and III must be accompanied by a compelling rationale for the change. The Government will decide whether to adjust the scope of work so it can be completed with remaining contract resources or to commit additional resources.





PHASE I – Create Reference Models (estimated 4 months)

4.4 Perform literature search. The Contractor shall perform a literature search and assemble a bibliography of election process models and voting system functional and logical definitions for a comprehensive range of technologies (e.g., optical scan, DRE, paper ballots, telephone, web-based). Existing threat and risk analyses shall also be reviewed. The project team is expected to utilize these materials to the extent feasible as well as perform their own analyses to produce a sound theoretical framework for identifying threats and performing risk assessments.







4.5 Develop federal election process models. The Contractor shall model the federal primary and general election processes as an information system. The purpose of these election models is to provide the operational framework for analyzing risk. It is anticipated that somewhat different models will be required for central count and precinct count election processes because the vote capture and tabulation functions are distributed differently. Other variations may also be needed. However, since there is considerable commonality between the different methods of organizing and administering elections, the result of this task is anticipated to be a basic election process model with several variations, rather than several divergent models.



The models will illustrate how voting systems fit into the overall election administration process and provide the context for the assessment of risk in relation to the entire process. For example, a small number of voting machine malfunctions does not constitute a significant risk to the successful conduct of an election if there are administrative procedures for timely replacement of machines so voting can continue, and for retrieving votes cast on the malfunctioning machines so no votes are lost. To ensure that models comprehensively reflect actual practices, the performance of this task must involve consultation with election officials representing jurisdictions with varied election management practices. Types of factors to consider in selecting this group include: central/precinct count/by-mail, urban/rural, large/small, alternative language requirements, early voting, vote centers, ‘conventional’ absentee and UOCAVA voting practices, different types of voting systems.

It is preferred that the models be constructed using Data Flow Diagrams, Unified Modeling Language, and other IT structured analysis methodologies, rather than a proprietary methodology. This has the advantage of employing concepts, terminology, and symbology in common use within the IT industry while being relatively easy for a non-technical layperson to understand. It also permits ease of analysis and comparison of characteristics across technical solutions.



The model development process will begin with the definition of a set of election process functions and the data flows associated with these functions. The following list is provided only for the purpose of illustrating what is meant by ‘election process function’ and is expected to be refined and expanded based on the Contractor’s analysis:

1. verification of voter identity and eligibility

2. assignment of correct ballot style

3. election definition

4. election set up and validation

5. presentation of ballot to voter

6. vote selection

7. vote verification

8. vote storage

9. tabulation

10. reporting

11. election auditing

12. certifying results

13. storage and maintenance of equipment and software

14. poll worker recruiting and training





4.6 Develop generic voting system models. The Contractor shall develop generic voting system models for a comprehensive range of voting system technologies: e.g., paper ballots, optical scan, DRE, web-based, telephone. The Contractor shall present a list of technologies proposed to be examined for EAC Project Manager approval at the initiation of this task. These models shall include such elements as 1) a system flow chart describing data flows, entry and exit points, and the relationship of programs, device drivers, data files, and other program components, and 2) a system schematic and description of all major subsystem interfaces between the election management system, voter interface devices, the absentee ballot subsystem, the results accumulation subsystem, and the results reporting subsystem.



Integration of the system models with the election process model(s) will create a set of technology specific instantiations of the election process. To take function 5, presentation of ballot to voter, as a relatively simple example: this will be portrayed variously as a paper ballot, an optical scan card, an electronic ballot image, an audio recording, or other mechanism. Figure 1 provides an illustration of a Level 0 Data Flow Diagram for a model of ballot data flow in a DRE system where the data store ‘ballot definition image’ roughly equates to the presentation of the ballot to the voter.







4.7 Validate voting system models. The Contractor shall validate the voting system models with panel(s) comprised of representatives of the vendor community, system certification testers, election administrators, and other relevant disciplines.



4.8 Support review by EAC Boards and NIST. Following the model validation activity, the Contractor shall provide documentation and briefings as required to support the review of Phase I results by the EAC Standards Board and Board of Advisors, and NIST. Phase I products will be revised as appropriate to reflect input from these groups. For schedule and cost estimation purposes, the Contractor should assume these reviews will be conducted concurrently and last for 2 days.



PHASE II – Develop Threat Matrices and Perform Risk Assessments (estimated 4 months)

4.9 Develop threat matrices. The Contractor shall develop a threat matrix associated with each voting system technology model. This must include an analysis of the system vulnerabilities, the identification of the threat, the description of the attack to realize the threat, and the degree of difficulty to execute an attack (e.g., skill level required, special access, number of people).



4.10 Develop risk assessments. Concurrently with Task 4.9, the Contractor shall develop risk assessments for each voting system technology model. This would include such elements as identifying potential mitigations and their degree of effectiveness, assessing the ability to detect a threat occurrence, and the ability to recover from such occurrence. The end result will be qualitative and quantitative assessments of risk for each voting system model.



4.11 Refine and validate threat/risk assessments. The Contractor shall refine and validate the threat/risk assessments. The Facilitated Risk Analysis Procedure or other appropriate methodology shall be used for engaging a panel of subject matter experts to assign comparative rankings to the risks with an explanatory rationale. Mathematical modeling techniques will be utilized to the extent possible.



4.12 Support review by EAC Boards and NIST. Upon completion of Task 4.11, the Contractor shall provide documentation and briefings as required to support review of the Phase II results by the EAC Boards and NIST. Phase II products will be revised as appropriate to reflect the input of these groups. For schedule and cost estimation purposes, the Contractor should assume these reviews will be conducted concurrently and last for 2 days.



PHASE III – Assurance Level Recommendation, Methodology Documentation, and Update Process (estimated 2 months)

4.13 Recommend voting system impact level. Using the NIST SP 800-53 methodology, the Contractor shall recommend an information assurance level for voting systems. The working hypothesis is that the “moderate” level of impact provides an appropriate level of protection for this critical function. Based on the Phase II work and other analyses as required, the Contractor shall confirm this protection level or make an alternative recommendation with supporting rationale.

4.14 Document risk assessment model and methodology. The Contractor shall document the various models and threat/risk assessment methodology in a manner accessible to the sizable community of interest. This encompasses federal, state, and local officials; voting system manufacturers; testing laboratories; and public interest groups. Any mathematical modeling employed shall be described in such a manner that non-experts can understand the logical structure and how to exercise the models.

If deemed necessary by the EAC Project Manager, a tutorial will be developed to assist users. If a determination is made that this product is needed, a contract modification will be issued to add this work.

4.15 Recommend an update process. The Contractor shall recommend a process for periodic updating and exercising of the models and assessments as technology evolves and the threat environment changes. This shall include a process for collecting the results of any utilization of the models by election officials, public interest groups, academics, and others, that may be of general interest to the election community.

5.0 Contract Type. The contract type is Time and Materials.



6.0 Place of Performance. The principal place of performance will be the Contractor’s place of business. Meetings and occasional work efforts may be conducted at the EAC offices from time to time. The Task 4.7 and Task 4.11 panels, if convened in person, may be held at the Contractor’s location of choice. The Task 4.8 and Task 4.12 EAC Board reviews will be public meetings and may be held at locations other than Washington, DC. For cost estimating purposes, assume one meeting on the West Coast and one on the East Coast.

7.0 Period of Performance. The period of performance is 10 months from date of award.

8.0 References

o Federal Information Security Management Act (FISMA) of 2002

o Federal Information Processing Standards Publication (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems

o Federal Information Processing Standards Publication (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems

o National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems

o NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems

o NIST SP 800-34, Contingency Planning Guide for Information Technology Systems

o NIST SP 800-30, Risk Management Guide for Information Technology Systems

o NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems























VOTING SYSTEMS RISK ASSESSMENT





Line Item   Description   Qty   Unit   Maximum Price

0001        Phase I       1     Job    $____________

0002        Phase II      1     Job    $____________

0003        Phase III     1     Job    $____________

TOTAL MAXIMUM CONTRACT PRICE: $__________________



INFORMATION TO OFFERORS





SUPPLIES OR SERVICES TO BE PROVIDED

This is a Time and Materials type contract that provides for the acquisition of services as set forth in the Statement of Work included herein.



Instructions, Conditions, and Notices to Offerors or Quoters

CONTENT AND FORMAT OF SUBMISSION

(1) A proposal submitted in response to this solicitation must consist of two (2) Volumes.

-Volume I shall contain the Introduction of Company, Past Performance, Contractor Experience, Contractor’s approach to tasks, Key staff and resumes.

-Volume II shall contain the Price Proposal.

(2) The content of proposal volumes must be internally consistent with the organizational structure described herein. Those not adhering to this structure may be considered unacceptable.

Submissions in response to this Request for Proposal (RFP) must be clear and in writing. The Technical and Price Proposals shall be separate and complete so that evaluation of one may be accomplished independently of the other.

One original and five hard copies of both the Technical (Volume I) and Price (Volume II) proposals must be submitted. In addition, one formatted CD containing the Technical (Volume I) and one formatted CD containing Price (Volume II) must be delivered to the Commission in their native electronic format. All files shall be compatible with Microsoft Office product(s).









PROPOSAL DELIVERY

The US Election Assistance Commission recommends that all proposals be sent via overnight carrier or hand carried to the Commission.

All U.S. Postal Service deliveries are x-rayed, radiated, and scanned, which could delay or damage packaged materials.

Please send all proposals to the following address:



US Election Assistance Commission

Attn: Ritchie Vinson (Suite 1100)

1225 New York Avenue, NW

Washington, DC 20005



Electronic proposals, in addition to Technical and Price Volumes required, should be sent to the following email address:



rvinsoneac@gmail.com



(4) An offeror’s Technical Proposal will be evaluated in accordance with those factors set forth in the Evaluation Factors for Award.



(5) FAXed proposals will not be accepted.



(6) Any data previously submitted in response to another solicitation will be assumed unavailable to the Contracting Officer; and this data must not be incorporated into the technical proposal by reference.



(7) Clarity and completeness of the proposal are of the utmost importance. The proposal must be written in a practical, clear and concise manner. It must use quantitative terms whenever possible and must avoid qualitative adjectives to the maximum extent possible.



(8) The two Volumes must be submitted in separate binders, each clearly marked with the solicitation number. The proposal may have a cover letter (Maximum 2 pages). Each Volume and section must have a table of contents. Tables of contents and blank section dividers are not included in the page limitations cited for each section.



(9) Proposals submitted electronically must be submitted via separate emails. The subject line must contain the RFP Number, Company Name, Volume Title and Volume Number. All information for the volume should be contained within an attachment to the email being sent. The contractor must verify receipt of the proposal.





PAGE RESTRICTIONS

The body of the Contractor Technical Proposal (Volume I) is not to exceed 50 pages. The body of the Price Proposal (Volume II) is not to exceed 25 pages. The page count will not include: resumes, cover pages, table of contents, glossary of terms, and past performance documentation. All pricing information shall be included in the Price Proposal. Proposals must be legible, double spaced (personnel resumes may be single spaced), typewritten (on one side only), in a type size not smaller than 10 point pitch with a one-inch margin on all sides, on paper not larger than eight and a half by eleven inches and not exceeding the page limits established in this solicitation. Pages in excess of the individual limitations shall not be read, and the proposal shall be evaluated as if the excess pages did not exist. Some foldout charts or diagrams may be used within the aforementioned restrictions/page limitations.



TECHNICAL PROPOSAL (VOLUME I)

The Technical Proposal should include:

- Introduction of company history and related experience in this area of expertise.

- Professional qualifications of the organization and references from other organizations for which the Contractor has performed similar work. Referenced projects completed should be similar to the work to be performed under this RFQ.

- Detailed description of the Contractor’s experience in meeting the requirements.

- Detailed description of how the Contractor intends to approach all aspects of the tasks.

- Key Staff identification and resumes.

- Any other items asked for in the statement of work.



PRICE PROPOSAL (VOLUME II)

For all phases, the Offeror shall propose a price. The Offeror shall propose labor categories, a description of the labor category, the labor rates for this labor category, and the proposed rate applying all offered and applicable discounts. The labor categories shall be defined in terms of level of education, number of years of general work experience, number of years of technical or functional experience specific to the tasks to be performed. The labor categories shall also specify the level of expertise to be expected, where the levels are “entry-level”, “fully-trained”, “seasoned professional”, “manager/mentor” and “nationally-recognized expert”. This expertise applies to the skill set in which a person would be applied (i.e. we do not expect anyone to be a seasoned professional in all aspects of all elements of a given category in the statement of work).





SERVICE OF PROTEST



(a) Protests, as defined in section 31.101 of the Federal Acquisition Regulation, that are filed directly with an agency, and copies of any protests that are filed with the Government Accountability Office (GAO), shall be served on the Contracting Officer (addressed as follows) by obtaining written and dated acknowledgment of receipt from:



Ritchie Vinson

US Election Assistance Commission

1225 New York Ave NW (11th Floor)

Washington, DC 20005



(b) The copy of any protest shall be received in the office designated above within one day of filing a protest with the GAO.



QUESTIONS PERTAINING TO SOLICITATION

(1) All questions shall be addressed to the Contract Specialist at the following email address:



Ritchie Vinson, Contracting Officer

rvinsoneac@gmail.com



Please send all questions via email. Questions will not be taken or answered over the phone or by fax. Please include the Request for Proposal (RFP) Number in the subject line. Once questions are compiled they will be answered by an issued amendment to the solicitation.



(2) Questions will be permitted from August 18, 2008 through August 25, 2008. Questions submitted after August 25, 2008 at 4:00 pm EDT shall not be answered.



























RFP EAC-RDV08-R-001

DELIVERABLES

Orientation briefing: within 10 days*

Updated project work plan: within 10 days

Progress reports (written and conference call): monthly

Project briefings: as required

Literature search report: within 3 weeks

Election process models (draft): 8 weeks

Voting system models (draft): 12 weeks

Review packets for EAC Boards: 13 weeks

EAC Boards review: 14 weeks

Election process & voting models (final): 16 weeks

Program Review: 17 weeks

Threat matrices and risk assessments (1st draft): 24 weeks

Threat matrices and risk assessments (validated): 28 weeks

Review packets for EAC Boards: 29 weeks

EAC Boards review: 30 weeks

Threat matrices and risk assessments (final): 32 weeks

Assurance recommendation: 34 weeks

Model and methodology documentation (draft): 36 weeks

Update process recommendation: 40 weeks

Model and methodology documentation (final): 40 weeks



*Dates given as time after contract award


PROPOSAL INSTRUCTIONS AND EVALUATION CRITERIA

Management and Technical

1. Provide a Project Management Plan with a Work Breakdown Structure and PERT or Gantt chart showing schedule and major milestones. The plan shall describe the proposed methods for performing each of the SOW tasks, how the work will be managed, and what quality control methods will be used. This description must provide insight into how the work will be performed and not just repeat the SOW task descriptions.

2. Provide up to 3 examples of Contractor experience in applying NIST SP 800-30 risk management methodology and describe how this former experience will contribute to this work. (No more than 5 pages per example.)

3. Provide examples of any Contractor experience in performing threat and risk assessments of voting systems. (No more than 5 pages per example.) Provide a copy of the final report on a CD.

4. Describe the proposed method for the election official consultation required in Task 4.5.

5. What criteria will be used to formulate the panel of experts for Task 4.11?

6. Briefly describe any risks or potential impediments to the successful completion of this work and how you would address them.





Personnel

1. Provide a brief resume for the Project Manager/Principal Investigator that highlights relevant research experience, publications, and project management experience. (No more than 5 pages.)

2. Provide brief resumes (no more than 3 pages) of other key project personnel, where “key” is as defined by the Contractor.

3. Provide a knowledge/experience matrix to demonstrate the scope and depth of team capabilities. Use the following topics as row headings: election administration, election process models, voting system models, voting system risk assessments, voting system development, voting system testing, SP 800-30 risk management methodology, IT system models, IT risk assessments, IT security engineering, communications security engineering, systems analysis, system modeling, project management. List team personnel as column headings and indicate years of experience in the intersection for each person and applicable topic area.







Past Performance

1. The Offeror shall provide a maximum of three (3) contracts/task orders with the Federal Government and/or commercial customers that demonstrate recent and relevant past performance. Recent is defined as within the last 3 years. Relevant is defined as work similar in complexity and magnitude to the work described in this Statement of Work, and preferably of similar subject matter.

Include the following information:

o Project title

o Description of the project

o Contract number and type of contract (and task order number, if applicable)

o Contract amount

o Government Agency/Organization

o COTR’s name, address, email, and phone number

o Contracting Officer’s name, address, email, and phone number

o Current status, e.g., completed and/or if in progress, start and estimated completion dates

o Highlight individuals who worked on this project who are also proposed for this effort

o A brief narrative (1-2 paragraphs) of why you deem the reference to be relevant to this effort







EVALUATION CRITERIA

Management and Technical (100 possible points; at least 70 required for a minimally acceptable proposal)

1. Understanding of the work to be performed, including creativity and thoroughness shown in understanding the objectives of the SOW, and the planned execution of the project. (30 points)

2. Prior experience with modeling of election processes and/or voting systems (20 points)

3. Evidence of competence in applying NIST SP 800-30 risk assessment methodology. (20 points)

4. Prior experience in performing voting system risk assessments. (20 points)

5. Ability to anticipate potential problem areas and creativity and feasibility of proposed solutions. (10 points)

Personnel (35 possible points)

1. Depth and breadth of personnel experience with regard to subject areas in knowledge/experience matrix as demonstrated in key personnel resumes and the matrix (15 points)

2. Currency, quality and depth of Project Manager/Principal Investigator experience with projects of similar scope, complexity and subject matter (20 points)



Past Performance: will be verified for successful completion of projects, production of quality deliverables, and performance on time and within budget.

Cost

1. Technical factors are more important than cost. Award will be based on the Government’s assessment of the best overall value.



:
1225 New York Ave., NW Suite 1100
Washington, District of Columbia 20005
:
US Election Assistance Commission
1225 New York Avenue, NW

Washington, District of Columbia 20005
United States
:
Ritchie D. Vinson,
Contracting Officer
Phone: 2025662166
Fax: 2025660957