RABET-V Control Families

RABET-V defines control families that are used throughout the RABET-V process to help evaluate products. The security control families enumerated below are currently used throughout the RABET-V program, and usability and accessibility control families are currently under development. RABET-V is designed to extend to other areas as needed to support the election community, and may include additional control families in the future.

Security Control Families

  1. Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system (NIST FIPS 200)

  2. Authorization: The right or a permission that is granted to a system entity to access a system resource (NIST SP 800-82 Rev. 3)

  3. Injection Prevention: The sanitization of data input and output (possibly by rejecting unacceptable inputs or outputs) to ensure malicious executable code is not executed

  4. Key/Secret/Credentials Management: The activities involving the handling of cryptographic keys and other related security parameters (e.g. passwords) during the entire life cycle of the keys, including their generation, storage, establishment, entry and output, and destruction (NIST CNSSI 4009-2015)

  5. User Session Management: The act of establishing, protecting, and, when necessary, demolishing the persistent interaction between a subscriber and an end point (adapted from NIST SP 1800-17b)

  6. Logging/Alerting: The systemic management and monitoring of the events—the discrete interactions that happen within and between systems, applications, and users—occurring within an organization’s systems and networks (adapted from NIST SP 800-92)

  7. Data confidentiality and integrity protection: Assurance that the data has not been altered in an unauthorized manner. Data integrity covers data in storage, during processing, and while in transit. Adapted from NIST SP 800-33, data confidentiality deals with protecting against the disclosure of information by ensuring that the data is limited to those authorized or by representing the data in such a way that its semantics remain accessible only to those who possess some critical information (e.g., a key for decrypting the enciphered data) (NIST SP 800-13)

  8. Boundary protection: Monitoring and control of communications at the external boundary of an information system to prevent and detect malicious and other unauthorized communications, through the use of boundary protection devices (e.g. gateways, routers, firewalls, guards, encrypted tunnels) (NIST SP 800-53 Rev. 5)

  9. System availability protection: The property that data or information is accessible and usable upon demand by an authorized person (NIST SP 800-66 Rev. 1)

  10. System integrity protection: The activities based around protecting the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental (NIST SP 800-27 Rev. A)

Accessibility Control Families

Accessibility requirements are grouped into control families based on the Web Content Accessibility Guidelines (WCAG) principles that provide the foundation for Web accessibility. RABET-V adopts the four WCAG principles (perceivable, operable, understandable, and robust) as its accessibility control families.

There are three levels of WCAG 2.1 conformance: A (lowest), AA, and AAA (highest). RABET-V identifies conformance with each Level in its reports. For instance, if the product meets Level AA, this will be indicated in the product’s final report.

  1. Perceivable: Information and user interface components must be presentable to users in ways they can perceive

  2. Operable: User interface components and navigation must be operable

  3. Understandable: Information and the operation of user interface must be understandable

  4. Robust: Content must be robust enough that it can be interpreted by a wide variety of user agents, including assistive technologies

Usability Control Families

Guiding controls for usability are based on ISO 9241-210.

  1. Understandable: The design is based upon an explicit understanding of users, tasks, and environments

  2. User Integrated: Users are involved throughout design and development

  3. Evaluative: The design is driven and refined by user-centered evaluation

  4. Holistic: The design addresses the whole user experience