Submission Review Process

Once the RTP has made a submission, the RABET-V Administrator will review the submitted information and determine which RABET-V activities are necessary for this iteration.

Inputs

  • The RTP’s submission package

  • The RTP’s Process Assessment

  • Prior reviews, if a Revision Submission

Outputs

  • Submission Review Checklist indicating submission type, change type (for a revision submission), and which RABET-V activities should be performed in this iteration

Workflow

Review package for completion

See Provider Submission for submission requirements.

Initial submission

All RABET-V activities are required in order to generate the Testing Rules. Ensure all items on the Submission Review Checklist are included in the submission. For each step, indicate on the Submission Review Checklist if the respective item is present or missing.

Revision submission

Some RABET-V activities may not be required. Complete the remainder of the steps in this process to determine which activities are required for this submission. For each step, indicate on the Submission Review Checklist if the respective item is present, missing, or not required.

Validate change list

The approach to validating the change list will vary based on the findings of the prior Process Review:

  1. Reliable: change list validation can be skipped or limited to high-level spot checking

  2. Otherwise: validate the change list by manual or automated means

Record the result in the Submission Review Checklist.

Determine change type

(For revision submissions only)

Given the validated change list, determine which change types apply to the revision. Change types are listed below:

Change Type Number Change Type Description
1 Other major or multiple change(s) to security service component(s)
2 Source code change to security service component(s)
3 Major configuration change to security service component(s)
4 Security patch of security service component(s)
5 Dependency updates for security service component(s)
6 Minor configuration change to security service component(s)
7 Source code change interfacing with security service component(s)
8 Source code change unrelated to security service component(s)
9 3rd party software patch to a non-security service component(s)
10 Operating system patch
11 Other software or configuration change

Determine if Process Assessment activity is necessary

The Process Assessment is required when one of the following conditions is true:

  1. The submission is an Initial Submission

  2. The RTP has requested a new Process Assessment in order to generate a new set of Testing Rules or update Software Development Maturity (SDM) scores

  3. It has been more than 18 months since the last Process Assessment was performed

  4. Artifacts provided by the RTP indicate a significant process change has occurred.

Record the result in the Submission Review Checklist.

Determine if Architecture Review activity is necessary

The Architecture Review is required when one of the following conditions is true:

  1. The submission is an Initial Submission

  2. The RTP has requested a new Architecture Review in order to generate a new set of Testing Rules or update Security Services Architectural Maturity (SSAM) scores

  3. The change list indicates the addition, removal, or modification of major architectural components since the last Architecture Review

Record the result in the Submission Review Checklist.

Determine if Security Claims Validation activity is necessary

The Security Claims Validation activity is required when one of the following conditions is true:

  1. The submission is an Initial Submission

  2. The RTP has updated the product goals, expected usage, or security claims.

  3. The RTP has requested a new Security Claims Validation in order to generate a new set of Testing Rules or update Security Services Capability Maturity (SSCM) scores

  4. The change list indicates that prior Security Claims Validation findings need to be reviewed

Record the result in the Submission Review Checklist.