Submission Review Process#
Once the RTP has made a submission, the RABET-V Administrator will review the submitted information and determine which RABET-V activities are necessary for this iteration.
Inputs#
The RTP’s submission package
The RTP’s Process Assessment
Prior reviews, if a Revision Submission
Outputs#
Submission Review Checklist indicating submission type, change type (for a revision submission), and which RABET-V activities should be performed in this iteration
Workflow#
Review package for completion#
See RTP Submission for submission requirements.
Initial submission#
All RABET-V activities are required in order to generate the Testing Rules. Ensure all items on the Submission Review Checklist are included in the submission. For each step, indicate on the Submission Review Checklist if the respective item is present or missing.
Revision submission#
Some RABET-V activities may not be required. Complete the remainder of the steps in this process to determine which activities are required for this submission. For each step, indicate on the Submission Review Checklist if the respective item is present, missing, or not required.
Validate change list#
The approach to validating the change list will vary based on the findings of the prior Process Review:
Reliable: change list validation can be skipped or limited to high-level spot checking
Otherwise: validate the change list by manual or automated means
Record the result in the Submission Review Checklist.
Determine change type#
(For revision submissions only)
Given the validated change list, determine which change types apply to the revision. Change types are listed below:
Change Type Number |
Change Type Description |
|---|---|
1 |
Other major or multiple change(s) to security service component(s) |
2 |
Source code change to security service component(s) |
3 |
Major configuration change to security service component(s) |
4 |
Security patch of security service component(s) |
5 |
Dependency updates for security service component(s) |
6 |
Minor configuration change to security service component(s) |
7 |
Source code change interfacing with security service component(s) |
8 |
Source code change unrelated to security service component(s) |
9 |
3rd party software patch to a non-security service component(s) |
10 |
Operating system patch |
11 |
Other software or configuration change |
Determine if Process Assessment activity is necessary#
The Process Assessment is required when one of the following conditions is true:
The submission is an Initial Submission
The RTP has requested a new Process Assessment in order to generate a new set of Testing Rules or update Software Development Maturity (SDM) scores
It has been more than 18 months since the last Process Assessment was performed
Artifacts provided by the RTP indicate a significant process change has occurred.
Record the result in the Submission Review Checklist.
Determine if Architecture Review activity is necessary#
The Architecture Review is required when one of the following conditions is true:
The submission is an Initial Submission
The RTP has requested a new Architecture Review in order to generate a new set of Testing Rules or update Security Services Architectural Maturity (SSAM) scores
The change list indicates the addition, removal, or modification of major architectural components since the last Architecture Review
Record the result in the Submission Review Checklist.
Determine if Security Claims Validation activity is necessary#
The Security Claims Validation activity is required when one of the following conditions is true:
The submission is an Initial Submission
The RTP has updated the product goals, expected usage, or security claims.
The RTP has requested a new Security Claims Validation in order to generate a new set of Testing Rules or update Security Services Capability Maturity (SSCM) scores
The change list indicates that prior Security Claims Validation findings need to be reviewed
Record the result in the Submission Review Checklist.