Reporting Process

The RABET-V administrator creates a report for the RTP containing scores from the architecture assessment, organizational assessment, and product verification, a verification status, and recommendations for improvement. The administrator will send the RTP two versions of this report: a full report with detailed appendices and a roadmap for ways to improve, and a short report verifying that the baseline requirements were met. Election officials can request the short report during procurement processes, as part of contract management, or during annual security reviews.

The RABET-V public listing site lists verified products, giving the tech provider name, the product version, some configuration details, and verified status for each. RTPs can opt out of publicly listing their product.

Inputs

  • Results from all relevant activities

Outputs

  • RABET-V product report and appendices

  • Status of verified, conditionally verified, or returned

Workflow

Review of Product Verification Results

An internal review of the product and all relevant activities will result in a verification status. The possible verification statuses are verified, conditionally verified, and returned.

RABET-V has established scoring baselines for each of the three modules to set a minimum bar to achieve a verified status. These baselines will include more stringent requirements over time to respond to a changing threat environment and promote continuous improvement in non-voting election technologies.

Verified

A verified status means that the product is likely to perform as described in the expected usage operating environment. To achieve a verified status, the results from the organizational assessment, architecture assessment, and product verification must meet or exceed the baseline in each area.

Conditionally Verified

A conditionally verified status means that while the product is likely to perform as described, the RABET-V process identified at least one non-critical issue or deficiency from one or more baselines.

With a conditional verification, the RTP is expected to remediate the issue and re-submit. If no other changes are made to the product, this information is considered part of the same submission and, upon review, can result in the verification status being changed to verified.

Issues and deviations are detailed in the product report.

Returned

A returned status means that the product does not perform as described. It has critical issues or deviations that are unlikely to be addressed through minor fixes. The RABET-V process identified at least one critical issue or deviation, severe enough that additional review will require a new submission.

Issues and deviations are detailed in the product report.

Product Report Generation

Report Template

The RABET-V results summary provides scores for organizational maturity, architecture maturity, and product implementation. For revision submissions, it will include any change from the previous submission.

Organizational maturity: quality of the RTP’s product development practices. The organizational assessment maturity result reflects the extent to which this is achieved for each of these areas:

  • Governance

  • Design

  • Implementation

  • Verification

  • Operations

  • Human factors

Architecture maturity: the reliability of the product’s architecture, such that changes to one product feature or service will not have unintended implications for other aspects of the product. The architecture assessment maturity result reflects the extent to which this is achieved for each of the control families.

Product implementation maturity: the quality of the product’s capabilities to meet the claims the RTP made about it. The product verification result reflects the extent to which this is achieved for each of the control families.

Product (Revision) Summary: details about the product that were submitted, including its description, expected usage (i.e., use cases), version number(s), etc. This includes the change list for product revision submissions.

Verification Methods: a description of how the system was tested, including the verification methods used in the testing.

Maturity Trends: a description of what caused a change for any product or process maturity level that changed.

Appendices: as needed.