RABET-V Activities
The RABET-V program consists of seven discrete activities from registered technology provider (RTP) registration to reporting. Each activity may be scaled or eliminated based on risks attributed to the product changes and the maturity scores from the previous submission. Risk decisions are informed by the product’s organizational maturity score, architecture maturity score, and product implementation score. Each time the RABET-V process is initiated, it is called a RABET-V iteration.
RABET-V Iteration
Throughout the process, assessment activities produce scores that are shared with the RTP after the activity is complete. All scores are tentative until the entire RABET-V process is complete. Each activity draws heavily on the RABET-V security requirements.
RTP Registration: The RTP submits documentation to begin the RABET-V iteration. This submission contains information from the RTP on both its organization and the product under review.
Submission Review: The RABET-V administrator reviews the submission for completeness, determines which activities are necessary for the submission type, and assigns assessors to perform the necessary activities.
Organizational Assessment: An accredited assessor organization reviews the RTP’s approach to developing software to determine its maturity, which will be used throughout the RABET-V process and subsequent submissions by the RTP. A demonstrably high level of maturity can reduce the burden of review across all activities. One can think of this as assessing the general trustworthiness of an RTP to reliably implement any given product feature or capability. A tentative score is provided to the RTP upon completion of the activity.
Architecture Assessment: An accredited assessor organization reviews the product’s architectural approach to determine its maturity with regard to various services. A demonstrably high level of maturity can reduce the burden of review for a specific change. One can think of this as assessing how far the product can be trusted to ensure that changes to one product feature or service will not have unintended implications for other aspects of the product. A tentative score is provided to the RTP upon completion of the activity.
Test Plan Determination: The RABET-V administrator produces a test plan based on the outputs from the organizational assessment and the architecture assessment.
Product Verification: An accredited assessor organization executes the test plan and produces product verification scores.
Reporting: The RABET-V administrator produces detailed reports for RTPs and a statement of the verification status.
Timing Flexibility
While these activities are presented in a common order, there is flexibility in the timing of the organizational and architecture assessments. For instance:
If an organization has a consistent development process across all of its products and business units, an RTP can complete an organizational assessment before submitting a specific product. The RABET-V administrator encourages this as it can speed the initial iteration for a product.
Similarly, if an RTP has a significant process change, it can request a new organizational assessment at any time. This can impact the scores, and thus test scaling, of that RTP’s products.
The organizational assessment and architecture assessment activities share some information with each other, but are largely independent and can often occur in parallel.
RABET-V Baselines
RABET-V uses baseline scoring in organizational, architecture, and product verification to determine whether a product is verified. The baselines in each activity must meet a minimum score and a specific set of requirements. The table below contains the existing minimum score baselines, links to the baselines in each activity that define the additional requirements, and the comparison to past versions.
| RABET-V Activity | 2023 Baseline | 2024 Baseline | 2025 Baseline |
|---|---|---|---|
| | 1.20 | 1.20 | 1.20 |
| | 1.50 | 1.50 | 1.50 |
| | 2.00 | 2.00 | 2.00 |