Established Fact
The Cyber Ninjas audit documented as an established fact that neither the EMS operating system nor its antivirus software had been patched or updated since August 2019 – the date of Dominion’s software installation – meaning Maricopa ran a presidential election on a system with 15+ months of unaddressed CVEs. Maricopa County contended that patching would have “invalidated EAC certification.” EAC Notice of Clarification 19.01 expressly contradicted this: security patches qualify for de minimis approval, and CISA has explicitly recommended such patching. The county’s defense was therefore factually false, while the unpatched system remained exposed to documented critical vulnerabilities.
Citations
Cyber Ninjas Response to Maricopa County: https://www.scribd.com/document/534037094/Cyber-Ninjas-Response-Maricopa-County-Analysis-of-Senate-Report-2 | Scribd
Ben Cotton Testimony July 15 2021: https://www.rev.com/transcripts/arizona-state-senate-hearing-on-the-2020-election-audit-in-maricopa-county-july-15 | Rev.com
EAC De Minimis Changes NOC 19-01: https://www.eac.gov/sites/default/files/voting_equipment/NOC19.01_SoftwareDeMinimisChanges_11-15-2019.pdf | EAC.gov