Since 2019, The Turnout has been working with the Center for Internet Security (CIS) in the research, creation, deployment, and expansion of the Rapid Architecture Based Election Technology Verification (RABET-V) program.
RABET-V is an innovative approach to verifying non-voting election technology—e.g., electronic pollbooks, voter registration systems, election night reporting solutions—that is cost-effective, reliable, and fast for providers while ensuring solutions are consistently, comprehensively, and robustly tested and verified to the latest available security standards.
While RABET-V is a relatively new program, it is more than just “a nice idea.” It is a well-tested and fully-operational program, and has been piloted with products from ES&S, KNOWiNK, Runbeck, VR Systems, Kopis, and the State of South Carolina. If you are an election official, a state looking to implement a program for the testing and verification of non-voting technology, a provider of non-voting technology solutions, or simply an interested member of the elections community, reach out to email@example.com and let us know how we can help. To learn more, read on.
What is RABET-V, and how can it help states, local election jurisdictions and election technology providers right now?
While there is a mature federal testing and certification program for voting systems administered by the U.S. Election Assistance Commission, there has been no standardized, national-level process for verifying that non-voting technology is secure, accessible, and usable based on the latest available research.
To bridge this gap, CIS and The Turnout created RABET-V. The RABET-V program builds on traditional cybersecurity testing methods by adding concepts from modern software development to deliver feedback on software updates on a regular basis. It does so by providing technology providers with actionable assessments on their product development process, product software architecture, and product performance. The RABET-V assessments are used to rapidly evaluate the impact of changes to a product.
So how does RABET-V do all of this? RABET-V verifies the implemented product in three ways. First, RABET-V assesses the organizational processes of the technology provider to determine the level of maturity of their software development processes. Next, the program evaluates the product software architecture to assess the security and quality of the design of the product and the level of risk presented by changes to the product. Finally, it uses the results from the previous assessments and information about the product to prescribe different levels of testing rigor based on the type of change and the maturity of the product.
RABET-V is compatible with incremental changes due to its iterative, risk-based approach and can dramatically lower costs over time. RABET-V does this in the following ways:
- Evaluates the product in the context of the organization and the environment in which it is developed.
- Scales to accept a variety of change types, from de minimis to full architecture changes.
- Facilitates re-verification in as little as hours depending on the maturity scores and the risk of the change.
- Incentivizes continual improvement and incremental changes by simplifying verification and rewarding security maturity.
- Uses modularity by design and a simple delta-based approach to help meet specific state or local requirements, including homegrown systems.
RABET-V provides a rigorous testing methodology for non-voting technology while still allowing an efficient and risk-based way to rapidly retest products after risk mitigations and other changes are employed.
RABET-V is a cost-effective solution for ensuring verified products, and the most up-to-date versions of those products, are deployed in election environments—all at no-cost to election jurisdictions (NB: one exception to this is in the case where an election jurisdiction has solutions developed in-house that they wish to verify). The RABET-V program lowers overall costs to non-voting technology providers and election offices by standardizing and streamlining testing.
There is a lot of information available regarding the RABET-V program that we attempted to combine and condense in this post. There’s so much more to unpack and it’s worth digging into all the various resources found at CIS’ RABET-V site.
It took years of work to get to this place which makes this an ideal opportunity to thank the past and current members of the team at CIS and our team at The Turnout who have worked on RABET-V and whose efforts have been invaluable and foundational to RABET-V’s operation. I look forward to sharing more on the progress of RABET-V in future posts.