Submission Review Process

Once the RTP has made a submission, the RABET-V administrator will review the submitted information, determine which RABET-V activities are necessary for this iteration, and assign an accredited assessor organization for each activity.

Inputs

Outputs

  • Submission review checklist indicating submission type, change type (for a product revision submission), and which RABET-V activities should be performed in this iteration

Workflow

Review package for completion

See RTP submission for submission requirements.

Initial product submission

All RABET-V activities are required. Ensure all items on the submission review checklist are included in the submission. For each step, indicate on the submission review checklist if the respective item is present or missing.

Product revision submission

Some RABET-V activities may not be required. Complete the remainder of the steps in this process to determine which activities are required for this submission. For each step, indicate on the submission review checklist if the respective item is present, missing, or not required.

Validate Claims

The submitted control claims must cover the minimum benchmark for controls to be testable. If the claims do not cover the minimum number of controls, the RTP will need to update the claims submission to cover the minimum benchmark.

Validate change list

The approach to validating the change list will vary based on the findings for the change list artifact in the previous organizational assessment:

  1. Reliable: change list validation can be skipped or limited to high-level spot checking

  2. Otherwise: validate the change list by manual or automated means

Record the result in the submission review checklist.

Determine change type

(For product revision submissions only)

Given the validated change list, determine which change types apply to the revision. Change types are listed below:

| Change Type Number | Change Type Description |
|---|---|
| 1 | Other major or multiple change(s) to in-scope services |
| 2 | Source code change to in-scope services |
| 3 | Major configuration change to in-scope services |
| 4 | Security patch of in-scope services |
| 5 | Dependency updates for in-scope services |
| 6 | Minor configuration change to in-scope services |
| 7 | Source code change interfacing in-scope services |
| 8 | Source code change unrelated to in-scope services |
| 9 | 3rd party software patch to in-scope services |
| 10 | Operating system patch |
| 11 | Other software or configuration change |

Determine if the organizational assessment is necessary

The organizational assessment is required when one of the following conditions is true:

  1. The submission is an initial product submission

  2. The RTP has requested a new organizational assessment in order to update organizational maturity scores

  3. It has been more than 3 years since the last organizational assessment was performed

  4. Artifacts provided by the RTP indicate a significant process change has occurred

Record the result in the submission review checklist.

Determine if the architecture assessment is necessary

The architecture assessment is required when one of the following conditions is true:

  1. The submission is an initial product submission

  2. The RTP has requested a new architecture assessment in order to update the architecture maturity scores

  3. The change list indicates the addition, removal, or modification of major architecture components since the last architecture assessment

Record the result in the submission review checklist.

Assign Accredited Assessor Organizations

The RABET-V administrator will assign accredited assessor organizations to perform the required RABET-V activities.