1 of 44

Procurement and Cybersecurity

Enhancing Confidence

2 of 44

Introductions

Nice to meet everyone

3 of 44

Our consultancy aims to help public and private entities understand how policy impacts their technology (and vice versa) through process modeling, data analysis, and policy research.

4 of 44

Selected works

5 of 44

Our team

President�Jared Marcotte

VP of Operations �Nancy Khuu

Research Lead�Grace Gordon

Operations Research Scientist�Dr. James Houghton

Senior Solutions Architect �John Dziurłaj

Solutions Architect �Brian Guayante

Analyst�Tifawni Haynes�

6 of 44

The state of things

The good and the bad

7 of 44

https://learn.cisecurity.org/NCSR-2022-Summary-Report

8 of 44

https://verizon.com/dbir/

9 of 44

High stakes require high standards

…but how to make sense of it all?

10 of 44

It takes a village

“Procurement teams, IT teams and IT security teams all have a role to play in making successful IT deployments possible.”

11 of 44

Recommendations

States should establish a rigorous third-party (vendor) assessment and accountability system
States should establish a process to regularly monitor security practices of all third parties involved in current state contracts
Thorough market research should be conducted to identify risks, industry trends and solicitation best practices.

12 of 44

No shortage of information

Attestations
Self-assessments
Third-party assessment reports
Continuous monitoring

13 of 44

Center for Internet Security’s RABET-V program

A case study in product verification

14 of 44

2019 Development begins

2020 First pilot

2021 Program development

2022 Second pilot

2023 Program launches

Steering Committee: Representatives from Indiana, Maryland, Ohio, Pennsylvania, Texas, Wisconsin, EAC, CISA, NASED, and FVAP

Technical Advisory Committee: Representatives from CIS, NIST, Carnegie Mellon University, OWASP, Akamai, and the Atlantic Council

https://www.cisecurity.org/elections/rabetv

Elections were declared critical infrastructure on January 6, 2017. While there was a certification program for voting systems, there was no program to verify non-voting systems. Think about how you check into a polling location—possibly with an electronic poll book. Or how you monitor your state election results—an election night results reporting system. Or what stores your voter registration information—a voter registration database.

The steering committee included representatives from Indiana, Maryland, Ohio, Pennsylvania, Texas, and Wisconsin. It also included representatives from the US Election Assistance Commission (EAC), Cybersecurity and Infrastructure Security Agency (CISA), National Association of State Election Directors (NASED), and the US Department of Defense Federal Voting Assistance Program (FVAP).

The Technical Advisory Committee included representatives from the Center for Internet Security (CIS), the National Institute of Standards and Technology, Carnegie Mellon University, the Open Web Application Security Project (OWASP), Akamai, and the Atlantic Council

Conducted two pilots: 2020 and 2022

15 of 44

Understanding RABET-V

Fundamentals and objectives

16 of 44

Testing to meet modern software development

Non-voting election technology differs greatly in use and threat from voting systems
The development cycle demands a nimbler approach
RABET-V: long name, short turnaround

Re-evaluates product versions more quickly and at lower cost for products with higher quality organizational processes and product architectures

17 of 44

How does RABET-V differ from other programs?

Follows industry best practices
Evaluates the product, the organization, and the environment in which it is developed.
Incentivizes continual improvement and incremental changes by simplifying verification and rewarding security maturity

Re-verification is as little as hours, depending on maturity scores and risk of changes

Addresses economic feasibility by lowering cost over time

18 of 44

The RABET-V process

19 of 44

20 of 44

Who tests: independent accredited assessors

A wide variety of organizations and entities
Must meet basic eligibility requirements

Technical qualifications, U.S.-based working on U.S. soil, no conflicts of interest

Currently have 7 accredited assessing organizations

More assessors increases likelihood of availability at the time a tech provider wants to begin the program

21 of 44

Organizational Assessment

Assesses the technology provider’s product development lifecycle processes
Based on the OWASP Software Assurance Maturity Model (SAMM), extended to include usability and accessibility

22 of 44

Architecture Assessment

Assesses the product’s design approach to system, software, security, and data
Measures the reliability of security services, how isolated the services are, use of reputable dependencies, and other architectural best practices
Leverages architectural analysis tools (does not require source code)

23 of 44

Product Verification

Verifies the product performs as claimed and is free of known vulnerabilities
In updates, this is scaled based on the risk of the change and previous scores

10 Security Control Families

Authentication
Authorization
Injection Prevention
Key/Secret/Credentials Management
User Session Management
Logging/Alerting
Data Integrity Protection
Data Confidentiality Protection
Boundary Protection
System Integrity Protection

24 of 44

Reporting

Technology Providers

Full report with detailed appendices and roadmap for ways to improve
Short report verifying that baseline requirements were met, which can be provided to jurisdictions

Officials

Can request reports from technology providers
We expect this to happen during procurement processes, as part of contract management, or during annual security reviews

Public Listing Site

Contains the company name and website, product and version, a short description, some configuration details, and verified status

25 of 44

Very detailed reports

26 of 44

Very detailed reports

Architectural Maturity

Product Testing Maturity

27 of 44

Streamlined testing of changes

28 of 44

Incorporating RABET-V

Utilizing procurement frameworks

29 of 44

Program benefits

Benefits to jurisdictions

No/low cost
Improves quality of procured non-voting solutions
Allows them to focus on functional testing rather than maintain security requirements

Benefits to tech providers

Rapid testing speed
Streamlined testing program, as the program gets adopted
Iterative approach makes re-testing easy and affordable
Identifies actionable organization/product improvements

30 of 44

State and locality support

Help map requirements and assist in setting new administrative rules
Work with approval authorities to explain RABET-V and how it can fit in their processes
Provide sample reports to assist in determining how incorporate the process
Consider RABET-V adjustments to address needs

31 of 44

Success stories

South Carolina Election Commission

ePollbook providers must provide evidence they’ve gone through RABET-V

North Carolina State Board of Elections

RABET-V is slated to be one of the independent testing authorities in the certification manual

32 of 44

Managing procurement risks

33 of 44

Considerations into existing procurement processes

Certification/approved list

RABET-V-specific or independent testing mandate

Security review

RABET-V-specific or independent testing mandate

RFP scoring process

Internal reviews and testing [5 points]
External reviews and testing of product performance [5 points]
External reviews and testing of organizational performance and product architecture and dependencies [10 points]

34 of 44

Point-in-time testing isn’t enough

The threat environment is evolving, so the testing must evolve
RABET-V is meant to be run continuously and incentivizes repeated testing

35 of 44

Strengthening management

And relationships

36 of 44

Managing supply chain risks

A cybersecurity risk management program to address broad cybersecurity risks, regardless of whether they are supply chain risks.
A targeted supply chain risk mitigation program for identifying and mitigating the most consequential supply chain risks.
A supplier risk management program to reduce the risk from emerging threats and more elusive attacks.

37 of 44

Criteria for assessing vendors

Do they pass the baseline?

RABET-V Module	2024 Baseline	Tested Product	Meets Baseline
Organization	1.20	1.42	Yes
Architecture	1.50	1.90	Yes
Product	2.00�Level 1: 100%, Level 2/3: 50%	2.32�Level 1: 100%, Level 2/3: 74%	Yes

�

Product Verification scoring consists of an overall score, the percentage of Level 1 requirements met—which must be 100%—and percentage of Level 2/3 requirements—which must be greater than 50%.

38 of 44

Building collaborative relationships with vendors for enhanced cybersecurity

If the vendors are in multiple states, find a common program
Use a program that constantly looks for feedback from all stakeholders
Be a part of that program

39 of 44

Enhancing accountability and performance through continuous evaluation

Speed is of the essence

40 of 44

Empowering procurement teams

With knowledge and tools

41 of 44

Next steps

Training teams on the essentials of RABET-V
Building more tools and resources for implementing RABET-V in procurement processes
Creating a culture of cybersecurity awareness within procurement teams

42 of 44

To conclude

43 of 44

Final thoughts

Security is a team sport
Speed and quality are both possible in verification programs
Adopting programs with the potential for a national reach is best for tech providers and procurement teams
Please work with the program administrators to improve them

44 of 44

Thank you

Happy to take questions