RABET-V Activities

The RABET-V program consists of seven discrete activities from registered technology provider (RTP) registration to reporting. Each activity may be scaled or eliminated based on risks attributed to the product changes and the maturity scores from the previous submission. Risk decisions are informed by the product’s organizational maturity score, architecture maturity score, and product implementation score. Each time the RABET-V process is initiated, it is called a RABET-V iteration.

RABET-V Iteration

Throughout the process, assessment activities produce scores that are shared with the RTP after the activity is complete. All scores are tentative until the entire RABET-V process is complete. Each activity draws heavily on the RABET-V security requirements.

  1. RTP Registration: The RTP submits documentation to begin the RABET-V iteration. This submission contains information from the RTP on both its organization and the product under review.

  2. Submission Review: The RABET-V administrator reviews the submission for completeness, determines which activities are necessary for the submission type, and assigns assessors to perform the necessary activities.

  3. Organizational Assessment: An accredited assessor organization reviews the RTP’s approach to developing software to determine its maturity, which will be used throughout the RABET-V process and subsequent submissions by the RTP. A demonstrably high level of maturity can reduce the burden of review across all activities. One can think of this as assessing the general trustworthiness of an RTP to reliably implement any given product feature or capability. A tentative score is provided to the RTP upon completion of the activity.

  4. Architecture Assessment: An accredited assessor organization reviews the product’s architectural approach to determine its maturity with regard to various services. A demonstrably high level of maturity can reduce the burden of review for a specific change. One can think of this as assessing how far the product can be trusted to ensure that changes to one product feature or service will not have unintended implications for other aspects of the product. A tentative score is provided to the RTP upon completion of the activity.

  5. Test Plan Determination: The RABET-V administrator produces a test plan based on the outputs from the organizational assessment and the architecture assessment.

  6. Product Verification: An accredited assessor organization executes the test plan and produces product verification scores.

  7. Reporting: The RABET-V administrator produces detailed reports for RTPs.

Timing Flexibility

While these activities are presented in a common order, there is flexibility in the timing of the organizational and architecture assessments. For instance:

  • If an organization has a consistent development process across all of its products and business units, an RTP can complete an organizational assessment before submitting a specific product. The RABET-V administrator encourages this, as it can speed the initial iteration for a product.

  • Similarly, if an RTP has a significant process change, it can request a new organizational assessment at any time. This can impact the scores, and thus test scaling, of that RTP’s products.

  • The organizational assessment and architecture assessment activities share some information with each other, but are largely independent and can often occur in parallel.