Assessor Accreditation

Purpose: This document provides the process and requirements for attaining and maintaining status as an accredited assessor organization under the RABET-V program.

Eligibility

Organizations that may apply to become accredited assessor organizations under the RABET-V program include but are not limited to: private companies and corporations, non- and not-for-profit organizations, universities and other academic institutions, and government entities. For the purposes of this section, all such entities will be referred to as an organization and must meet the requirements described in this document.

Basic Eligibility

Basic eligibility requirements include:

  1. Declaration of any ownerships or parent companies from outside of the United States. Eligibility based on any such ownership will be made on a case-by-case basis at the sole discretion of the RABET-V administrator

  2. The organization is based in the United States and has operations on United States soil

  3. All individuals performing work under the assessments are U.S. citizens unless specifically agreed to in writing by the RABET-V administrator

  4. All work under the assessments is performed on U.S. soil, including virtual and cloud resources, unless explicitly approved by the RABET-V program

  5. The organization and its employees have satisfactorily passed a background check within the previous year and have no known impediments that would prevent successfully completing a background check

  6. The organization carries insurance as specified in the assessor agreement

  7. There is no financial interest in any RABET-V registered technology provider

  8. The organization is not actively developing non-voting election technology for commercial use that may be considered as part of the RABET-V program, including designing, writing documentation for, building, coding, or implementing such a non-voting technology

  9. The organization is not an EAC registered manufacturer

Requirements for Maintaining Eligibility

Once accredited, organizations MUST report any change in the following to RABET-V as soon as practicable and within 30 days:

  1. Any change in ownership or parent companies that involves entities from outside of the United States, a change greater than 10% of total ownership, or both, or that otherwise violates the eligibility requirements

  2. Any significant changes relevant to its accreditation, in any aspect of its status or operation relating to:

    • legal, commercial, organizational, or ownership status

    • organization, top management, or key personnel, including the authorized representative, approved signatories, and any individuals with software licenses related to the RABET-V program

    • resources and location, including equipment, facilities, and working environment, where significant

    • scope of accreditation, or other matters that may affect the assessor’s ability to comply with RABET-V requirements

Preventing Conflicts of Interest and Impropriety

The organization MUST:

  1. Prohibit and prevent conflicts of interest or the appearance of conflicts of interest for the organization and all of its employees

  2. Refrain from soliciting or receiving gifts from any producer of election technology in conformance with federal employee rules for gifts from outside sources, set forth at 5 CFR 2635 sections 201-205 and 301-304

  3. Abide by the policies and procedures set forth within this Program Manual

Tailored Use Eligibility

At times, some states or localities may request that additional requirements be applied only to those technology providers seeking to operate in their respective jurisdiction(s). One potential example of this is a university that conducts assessments for its home state.

In those cases, an election office may request a tailored use phase of the RABET-V assessment, which will be managed on a case-by-case basis. Organizations that are not accredited through the RABET-V accreditation program may be specified for assessments under such a tailored use policy, but their activities will be limited to those defined under that specific tailored use policy. Organizations specified to conduct assessments under a tailored use policy that are accredited through RABET-V have no such restrictions and are treated like any other accredited assessor.

The RABET-V administrator discourages tailored use, because it can slow reviews and add cost, but supports it when needed, particularly early in transitions to relying on the RABET-V program while we work to incorporate state and locality needs into RABET-V.

Curing of Lapses in Eligibility

An accredited organization that is found to no longer meet the requirements in this document will generally have 30 days to cure any issues. More time may be granted in the event of demonstrated progress.

At its discretion, the RABET-V administrator may limit the organization’s assessments while in the cure process, to include pausing or canceling current assessments and not assigning new assessments. If an assessment is paused or canceled due to eligibility issues, the assessor may be liable for any costs incurred to retest and/or complete assessments.

Organizational Competency

To achieve and maintain accreditation, the relevant organizational unit conducting assessments must meet organizational competency requirements as described in this section. These include demonstrating competency through a minimum information security posture, technical capabilities for resources employed in assessments, and specific capabilities related to RABET-V assessments.

Organizations MUST maintain a modern cybersecurity posture throughout their enterprise. This includes all enterprise assets, networks, and personnel. To provide evidence of their organizational competence and cybersecurity posture, assessors must provide the RABET-V administrator documentation confirming that at least one of the following has been met:

  1. Leveraging the CIS Controls Self Assessment Tool (CIS CSAT). This tool helps enterprises assess, track, and prioritize their implementation of CIS Controls v7.1 and v8. Assessors must obtain a minimum of Implementation Group 1 and provide evidence via a CIS CSAT report.

  2. Obtaining an external, third-party assessment of organizational cybersecurity controls in accordance with at least one of the following major security frameworks:

    • CIS Controls. Conformance will be determined by the RABET-V administrator based on a minimum of achieving implementation group one

    • ISO/IEC 27001. Enterprises must achieve the certification. There is a family of standards surrounding ISO 27001. Achieving certification with any of the recognized national variants of ISO/IEC 27001 is equivalent to certification to ISO/IEC 27001

    • Control Objectives for Information Technology (COBIT)

    • Payment Card Industry (PCI) Data Security Standard

  3. Obtaining compliance or accreditation to any of the following. Achieving this will require submission to the RABET-V program of associated policies against which the organization was assessed to ensure appropriate information security measures have been implemented

    • National Voluntary Laboratory Accreditation Program (NVLAP) Voting System Testing accreditation (NVLAP 150-22). NVLAP accreditation signifies that a laboratory has demonstrated that it operates in accordance with NVLAP management and technical requirements pertaining to quality systems; personnel; accommodation and environment; test and calibration methods; equipment; measurement traceability; sampling; handling of test and calibration items; and test and calibration reports

    • ISO 9001 compliance. Compliance with this standard ensures that an enterprise is leveraging a set of policies, procedures, and processes that guide an organization’s activities and operations to meet the needs and expectations of its customers and stakeholders

    • Conformance with another, related framework or control set as determined at the discretion of the RABET-V administrator. If an assessor requests and is granted acceptance via a framework that is not listed here, that framework will be added to the next version of this manual. This promotes flexibility as new frameworks emerge

Technical Capabilities

All organizations MUST demonstrate that they can provide a team composed of employees or contractors with the following:

  1. Skills commensurate with the scope of work, such as a technical degree (e.g., a degree in computer science, computer engineering, electrical engineering, human factors, software engineering, etc.), similar technical discipline, or equivalent experience (e.g., professional certification, etc.)

  2. Knowledge of test methods applicable to the RABET-V program

  3. Knowledge of relevant standards affecting their area of expertise

In addition to the organizational requirements listed above:

Organizational Assessors Require One (or more) of the Following:

  1. Designation as a SAMM practitioner

  2. Expertise in organizational maturity models such as the Software Assurance Maturity Model (SAMM), the Building Security in Maturity Model (BSIMM), or ISO 27001

  3. Experience assessing or building and managing software application security or secure development

Architecture Assessors Require:

  1. Knowledge of and experience developing in two or more popular languages used by election technology vendors (e.g. .NET/C#, Java, Python, Objective-C/Swift) including popular third party security service libraries and mitigation approaches

  2. Knowledge of common web application security vulnerabilities (OWASP Top 10, SANS 25, etc.)

  3. Ability to identify and confirm the proper use of design patterns, including object-oriented and Gang of Four (GoF) patterns (e.g. Façade, Proxy, IoC, etc.)

  4. Experience with secure coding practices, such as input validation, error handling, and encryption

  5. Experience with static and dynamic code analysis and related tooling

  6. Experience working with vulnerability management, software composition analysis (SCA) and software bill of materials (SBOM) analysis tooling

  7. Experience with conducting system architecture reviews of traditional monolith and modern cloud-based architecture

  8. Experience with conducting threat modeling and diagramming of different types of architecture patterns

Product Verification Assessors Require:

  1. A minimum of 3 years of experience in penetration testing or a related cybersecurity role, with specific experience in election technology security preferred

  2. Experience with various types of product testing, including hardware, software, web applications, and embedded systems

  3. Knowledge of cloud infrastructure and testing

  4. The ability to write test cases based on the documented requirements and the system to be tested, and complete the test cases

  5. Familiarity with various programming languages (e.g., Python, Ruby, Java, C/C++, and JavaScript) and operating systems (e.g., Windows, Linux, macOS)

  6. Proficiency in using popular penetration testing tools and frameworks, such as Metasploit, Burp Suite, Nmap, and Wireshark

  7. Knowledge of secure coding practices, common vulnerabilities, and industry standards, such as the OWASP top ten

  8. Relevant certifications, such as Offensive Security Certified Professional (OSCP), Certified Ethical Hacker (CEH), or Global Information Assurance Certification (GIAC), are encouraged

  9. Excellent analytical, problem-solving, and communication skills, with the ability to clearly articulate complex security issues to both technical and non-technical audiences

Confidentiality and Work Products

All organizations must exhibit proper management of the sensitive data that is part of the RABET-V program. Further details will be provided in the accreditation and assessment agreements but, in general, organizations MUST:

  1. Maintain strict data separation and confidentiality regarding information from different assessments

  2. Adhere to any non-disclosure agreements that may be part of the accreditation program and each assessment

  3. Adhere strictly to terms regarding data retention, protection, destruction, and sharing

  4. Acknowledge that organizations conducting assessments will be operating under the direction of the RABET-V administrator, creating works for hire and assignment

    • As such, organizations are expected to produce high level test plans that will be the property of CIS. These plans include: description of system; analysis of which requirements applied; description of tests run to fulfill requirements

    • Organizations are expected to produce assessment reports that meet the requirements of the RABET-V administrator that will be the property of CIS

  5. Organizations are not prohibited from performing election technology testing outside of the RABET-V program so long as such activities do not conflict or appear to conflict with RABET-V assessments

Application Process

Accreditation is a two-step process. To apply for accreditation an organization MUST:

  1. Meet all the eligibility and organizational competency requirements and have staff or contractors on the team who meet the technical requirements listed above

  2. Maintain key personnel that meet the requirements for one or more of the following: organizational assessments, architecture assessments, or product verifications

An accredited organization may choose to accredit assessors and conduct just one of the RABET-V assessments, or several.

As part of the accreditation application, assessing organizations MUST agree to:

  1. Participate in an initial review that ensures the organization and individual assessors meet the requirements outlined above, which may include documentation review, interviews with relevant staff and contractors, and assessments of individual assessor competencies

  2. Participate in a training program crafted for the assessments the organization would like to conduct

  3. Participate in proficiency testing as required

    • During an initial probationary period of three RABET-V engagements, the Administrator will continually review work product to ensure that it meets expectations and that training was adequate

    • Accredited assessors are required to complete an annual attestation that the information contained in the original application is still valid

    • In addition, every two years the RABET-V program will conduct an audit that includes a verification of work product and individuals that contributed to any reports or assessments on behalf of the accredited assessor

Approval for accredited organizations and assessors is at the discretion of the RABET-V Administrator.

Quality Monitoring

The program administrator, CIS, will perform regular monitoring of assessors' output. This may include on-site visits and reviews of test methods, test protocols, interview questions, and documentation. In order to support this, CIS will randomly review assessment outputs from assessors for quality, efficiency, and sufficiency using a variety of methods, including manual inspection and statistical review. The goals of this monitoring are to:

  1. Maintain a high level of quality throughout the program

  2. Ensure that the procedures of this manual are followed

  3. Maintain a reasonable level of consistency of testing between assessors