If The Turnout had a middle name, it would be interoperability. In the software world, interoperability means systems speak the same language natively—no "RoboLingo" subscriptions or expensive middleware required. We have long been champions of this cause through our work on the Voting Information Project, EAVS Section B, and the NIST Common Data Formats.
We also administer the RABET-V program, a cost-efficient security testing program for enterprise technology. Because interoperability reduces integration costs for all parties, we have been thinking a lot about how to bring its benefits into the RABET-V program. Compliance programs require a great deal of documentation. RABET-V reduces the volume of manual document preparation through automated introspection methods.
Even so, documentation remains a burden both for technology providers and program administrators. That’s where OSCAL comes into play. The Open Security Controls Assessment Language (OSCAL) is a NIST-sponsored data standard for describing and exchanging assessment documents. It supports the full assessment lifecycle from the development of controls through the processing of assessment results. OSCAL transforms product documentation from an administrative burden that becomes outdated the moment you press “Generate PDF” into a live digital map of a system’s security posture.
This is important because, to test a system, it must first be described. OSCAL consolidates several RABET-V submission documents into a single system security plan, including product goals, expected usage, and security claims, thereby simplifying data collection. Unlike other programs, RABET-V helps technology providers update their architectural documentation, i.e., the descriptions of a system's components, boundaries, and interactions. OSCAL bridges the gap between documentation and automated compliance by making architectural descriptions machine-readable and machine-auditable.
Consider a product that uses Red Hat Enterprise Linux (RHEL) as its operating system. The CIS Benchmark for RHEL is represented in OSCAL as a component definition that describes the component's capabilities and the controls it implements. The product submitted to RABET-V has a system security plan that references that RHEL component definition in its own machine-readable definition. Assessors use OSCAL-aware tools to read the product's verification scripts and execute automated assessments. Assessment results are produced in hours instead of weeks.
Post-assessment, the benefits continue. Certifying bodies and downstream customers can use the same OSCAL documents to perform automated acceptance testing, running automated checks to ensure the product they purchased is the one verified by RABET-V.
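The flow just described (component definition, system security plan, automated checks, reusable results) is easier to see in code. The example below is added here and is not The Turnout's, NIST's, or any RABET-V tooling; the documents follow OSCAL's JSON layout (`component-definition`, `system-security-plan`, `assessment-results`, `implemented-requirements`, `by-components`, `findings`) but are trimmed to a few fields, all UUIDs and control IDs are constructed, and the `check` property that names a verification routine is an assumption of this example rather than an OSCAL convention. It also shows the edge case the prose implies: a security plan that claims a control its referenced component does not actually cover.

```python
"""Simplified OSCAL-style assessment: component definition -> SSP -> checks -> results.

Every document, UUID and configuration value below is constructed for this
example; the shapes follow OSCAL's JSON layout but omit most required fields.
"""
import json
import uuid

RHEL_UUID = "22222222-2222-4222-8222-222222222222"  # constructed

# Constructed component definition for a hypothetical RHEL CIS Benchmark component.
# The "check" prop (hypothetical) names the verification routine an assessor tool runs.
RHEL_COMPONENT_DEFINITION = {
    "component-definition": {
        "uuid": "11111111-1111-4111-8111-111111111111",
        "metadata": {"title": "RHEL CIS Benchmark (example)", "oscal-version": "1.1.2"},
        "components": [{
            "uuid": RHEL_UUID, "type": "software", "title": "Red Hat Enterprise Linux",
            "control-implementations": [{
                "uuid": "33333333-3333-4333-8333-333333333333",
                "source": "urn:example:cis-rhel-benchmark",  # constructed catalog reference
                "implemented-requirements": [
                    {"uuid": "44444444-4444-4444-8444-444444444444", "control-id": "cis-1.1.1",
                     "props": [{"name": "check", "value": "cramfs_module_disabled"}]},
                    {"uuid": "55555555-5555-4555-8555-555555555555", "control-id": "cis-5.2.4",
                     "props": [{"name": "check", "value": "sshd_root_login_disabled"}]},
                ]}]}]}}

# Constructed SSP for the submitted product. It claims three controls "by component";
# the third (cis-9.9.9) is deliberately not covered by the RHEL component definition.
PRODUCT_SSP = {
    "system-security-plan": {
        "uuid": "66666666-6666-4666-8666-666666666666",
        "metadata": {"title": "Example product SSP"},
        "system-implementation": {"components": [
            {"uuid": RHEL_UUID, "type": "software", "title": "Red Hat Enterprise Linux"}]},
        "control-implementation": {"implemented-requirements": [
            {"uuid": "77777777-7777-4777-8777-777777777771", "control-id": "cis-1.1.1",
             "by-components": [{"component-uuid": RHEL_UUID}]},
            {"uuid": "77777777-7777-4777-8777-777777777772", "control-id": "cis-5.2.4",
             "by-components": [{"component-uuid": RHEL_UUID}]},
            {"uuid": "77777777-7777-4777-8777-777777777773", "control-id": "cis-9.9.9",
             "by-components": [{"component-uuid": RHEL_UUID}]},
        ]}}}

# Constructed snapshot of the deployed system; a real tool would collect this live.
SYSTEM_SNAPSHOT = {
    "modprobe.d": {"cramfs": "install /bin/false"},
    "sshd_config": {"PermitRootLogin": "yes"},
}

def cramfs_module_disabled(snapshot):
    """Module load is redirected to a no-op install directive."""
    return snapshot["modprobe.d"].get("cramfs", "").startswith("install ")

def sshd_root_login_disabled(snapshot):
    return snapshot["sshd_config"].get("PermitRootLogin") == "no"

CHECKS = {"cramfs_module_disabled": cramfs_module_disabled,
          "sshd_root_login_disabled": sshd_root_login_disabled}

def index_component_checks(comp_def):
    """Map (component-uuid, control-id) -> check name declared in a component definition."""
    index = {}
    for comp in comp_def["component-definition"]["components"]:
        for impl in comp.get("control-implementations", []):
            for req in impl["implemented-requirements"]:
                for prop in req.get("props", []):
                    if prop["name"] == "check":
                        index[(comp["uuid"], req["control-id"])] = prop["value"]
    return index

def assess(ssp, comp_defs, snapshot, checks):
    """Resolve each SSP claim to its component's check, run it, emit assessment-results findings."""
    index = {}
    for comp_def in comp_defs:
        index.update(index_component_checks(comp_def))
    findings = []
    for req in ssp["system-security-plan"]["control-implementation"]["implemented-requirements"]:
        for claim in req.get("by-components", []):
            name = index.get((claim["component-uuid"], req["control-id"]))
            if name is None or name not in checks:  # claim the component cannot back up
                state, remark = "not-satisfied", "no automated check for this claim"
            else:
                ok = checks[name](snapshot)
                state = "satisfied" if ok else "not-satisfied"
                remark = f"check {name} {'passed' if ok else 'failed'}"
            findings.append({"uuid": str(uuid.uuid4()),
                             "title": f"{req['control-id']} via {claim['component-uuid']}",
                             "target": {"type": "objective-id", "target-id": req["control-id"],
                                        "status": {"state": state, "remarks": remark}}})
    return {"assessment-results": {"uuid": str(uuid.uuid4()),
                                   "metadata": {"title": "Automated assessment (example)"},
                                   "results": [{"uuid": str(uuid.uuid4()), "title": "run",
                                                "findings": findings}]}}

def summarize(results):
    """{control-id: state}, the view a downstream acceptance test would consume."""
    return {f["target"]["target-id"]: f["target"]["status"]["state"]
            for r in results["assessment-results"]["results"] for f in r["findings"]}

def all_satisfied(results):
    return all(state == "satisfied" for state in summarize(results).values())

if __name__ == "__main__":
    out = assess(PRODUCT_SSP, [RHEL_COMPONENT_DEFINITION], SYSTEM_SNAPSHOT, CHECKS)
    print(json.dumps(summarize(out), indent=2))
```

Running it shows one satisfied control, one failing check (root SSH login still permitted in the constructed snapshot), and one claim rejected because the referenced component defines no check for it; that last case is why the same documents serve for acceptance testing after certification, since a buyer re-running `assess` against their own snapshot gets the same structured answer the assessor did.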
An automated assessment is faster, cheaper, and more consistent—the triple crown for RABET-V. Technology providers spend less time on documentation. Program administrators (and states) get machine-readable results they can trust and reuse. Everyone wins with lower costs and higher confidence.
As the velocity of software development increases through the use of artificial intelligence, the need for programs like RABET-V will only increase. By embracing OSCAL, we are building a scalable, automated future for enterprise software security. We’re not just keeping the pace; we’re setting it.
AI Use Statement: Grammarly (editing), Copilot (brainstorming)
John Dziurłaj