Election Crime Bureau

Made possible by the Lindell Offense Fund

EAC features significant security gaps (US)

Disputed Fact

The latest standard, VVSG 2.0, has the following security gaps:
• System boundary: focuses on the voting device and EMS, not the full enterprise and vendor environments.
• Operational security: limited guidance on continuous monitoring, vulnerability management, and incident response.
• Identity and access: no full RBAC requirement and constrained, fragmented MFA implementation relative to federal best practice.
• Supply chain: high-level risk management language without concrete, enforceable controls commensurate with foreign hardware/software risk.
• Enforcement: voluntary, non-retroactive adoption, with no hard deadlines for migrating off weaker, legacy systems.

Citations

Assessment of EAC Assertions Regarding Electronic Voting Systems, https://electioncrimebureau.com/the-security-of-electronic-voting-systems-in-the-u-s/