N.Y. Comp. Codes R. & Regs. tit. 9, § 6209.6
(d) All laboratory testing shall be conducted or verified by independent testing authorities appropriately certified by the National Association of State Election Directors, the EAC or approved by the commissioners of the State Board.
(2) Functional configuration audit. A functional configuration audit shall be performed to verify that the software complies with the software specification (as defined in paragraph [f][3] of this section) and applicable laws and regulations. Federal qualification test data may be used in partial fulfillment of this requirement; however, the State Board or its designee shall perform or supervise the performance of additional tests, or order additional laboratory testing, to verify system performance in all operating modes, including but not limited to disability access and alternate language modes and to validate the vendor's test data reports. The functional configuration audit shall be performed in a facility selected by the State Board.
(ii) Technical data. The vendor shall provide the following technical data:
(3) Physical configuration audit. The physical configuration audit is an examination of the software configuration against its technical documentation to establish a configuration baseline for approval. The physical configuration audit shall include an audit of all drawings, specifications, technical data and test data associated with the system hardware and this audit shall establish the system hardware baseline associated with the software baseline. All subsequent changes to the software or hardware shall be subject to re-examination.
(ii) Technical data. The vendor shall provide the following technical data:
(iii) Audit procedure. Required data items include draft and formal documentation of the vendor's software development program which are relevant to the design and conduct of qualification tests. The vendor shall identify all documents, or portions of documents, which the vendor asserts contain proprietary information not approved for public release. The State Board or its designee shall agree to use any proprietary information contained therein solely for the purpose of analyzing and testing the software and shall refrain from disclosing proprietary information to any other person or agency without the prior written consent of the vendor or a court order. The State Board or its designee shall review the vendor's source code and documentation to verify that the software conforms to the documentation, and that the documentation is sufficient to enable the user to install, validate, operate and maintain the voting system. The review shall also include an inspection of all records of the baseline version against the vendor's release control system to establish that the configuration, being qualified, conforms to the engineering and test data.
(e) Functional tests, security tests and simulated voting.
Prior to certifying a voting system, the State Board shall designate an independent expert to review, all source code made available by the vendor pursuant to this section and certify only those voting systems compliant with this Part. At a minimum, such review shall include a review of security, application vulnerability, application code, wireless security, security policy and processes, security/privacy program management, technology infrastructure and security controls, security organization and governance, and operational effectiveness, as applicable to that voting system.
(5) Functional tests for the following types of equipment shall be required:
(ii) Production models of special purpose data processing equipment (scanners, bar code readers, etc.) having successfully performed in elections use and having been shown to be compatible with the voting system.
(f) Software, hardware, operating and support documentation.
(3) Software specification. The software specification shall contain and describe the vendor's design standards and conventions, environment and interface specifications, functional specifications, programming architecture specifications, and test and verification specifications. Vendor must also provide document identification, an abstract of the specification, configuration control status and a table of contents. The body of the specification shall contain the following material:
(viii) Hardware constraints. The vendor shall identify and describe the hardware characteristics which influence the design of the software, such as:
(xix) Appendices. The vendor shall provide descriptive material and data supplementing the various sections of the body of the software specification. The content and arrangement of appendices shall be at the discretion of the vendor. Topics recommended for amplification and treatment in appendix form include:
(5) Maintenance information.
(7) Maintenance training and supply.
(9) Voter demonstration test.
(10) Certification.