VVSG and state rules require that jurisdictions deploy exactly the configurations that were tested and certified—same software build, same hardware, same network posture—so that attack surfaces are known and audit trails are reliable. In a critical‑infrastructure context, this is analogous to fielding only the aircraft configuration that passed airworthiness testing, not an ad‑hoc variant assembled under operational pressure.

This subsection reviews findings of configuration changes (e.g., new tabulation databases created during counting, “trusted builds” that deleted logs), which suggest that deployed systems may not have matched their certified blueprints, rendering post‑election audits unreliable.