RABET-V Security Control Families

RABET-V defines ten Security Control Families that are used throughout the RABET-V process to help evaluate the products.

  1. Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. NIST FIPS 200

  2. Authorization: The right or a permission that is granted to a system entity to access a system resource. NIST SP 800-82 Rev. 2

  3. Injection Prevention: The sanitization of data input and output (possibly by rejecting unacceptable inputs or outputs) to ensure malicious executable code is not executed.

  4. Key/Secret/Credentials Management: The activities involving the handling of cryptographic keys and other related security parameters (e.g. passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and destruction. NIST CNSSI 4009-2015

  5. User Session Management: The act of establishing, protecting, and, when necessary, demolishing the persistent interaction between a subscriber and an end point. Adapted from NIST SP 1800-17b

  6. Logging/Alerting: The systemic management and monitoring of the events—the discrete interactions that happen within and between systems, applications, and users—occurring within an organization’s systems and networks. Adapted from NIST SP 800-92

  7. Data confidentiality and integrity protection: Assurance that the data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit. Adapted from NIST SP 800-33. Data Confidentiality deals with protecting against the disclosure of information by ensuring that the data is limited to those authorized or by representing the data in such a way that its semantics remain accessible only to those who possess some critical information (e.g., a key for decrypting the enciphered data). NIST SP 800-13

  8. Boundary protection: Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communications, through the use of boundary protection devices (e.g. gateways, routers, firewalls, guards, encrypted tunnels). NIST SP 800-53 Rev. 5

  9. System availability protection: The property that data or information is accessible and usable upon demand by an authorized person. NIST SP 800-66 Rev. 1

  10. System integrity protection: The activities based around protecting the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental. NIST SP 800-27 Rev. A