Dear Serverless working group members,
Here are the notes from the meeting the working group had on the 15th of July.
Regarding work on the 'NIST controls for Serverless FaaS focusing on Security and Compliance (Control families based on NIST 800-53, rev. 5)' document:
- Reviewers were assigned to cross-check the sub-controls of each control family
- Missing control families that have no author: AT - Awareness and Training
- Control Family that has no sub-controls matched is that of SA: System and Services Acquisition assigned to @Rajiv Gunja
- Discussed that Data Management (mTLS, data encryption at rest, etc.) in the context of Serverless is an overall entity level control.
Action points:
- Marina to contact Rajiv @Rajiv Gunja and see if he's available to finalize his category of RA - Risk Assessment and SA - System and Services Acquisition.
- Brynna @Brynna Nery to finalize columns G (Implementation Details for Serverless) and H (Why is it Relevant for Serverless) for her control category 'AC: Access control'.
- Eric Peeters to finalize column G for his control category 'AU: Audit and Accountability'
- Vishwas @Vishwas Manral to fill out columns G and H for his control category 'CA: Assessment, Authorization, and Monitoring'
- Vani @Vani Murthy to finalize column H of her control category 'IA: Identification and Authentication'. Lines 88,89,90,91, 93, 96, 97,98 are missing.
- Rajiv @Rajiv Gunja to fill out columns G and H for his control category 'RA: Risk Assessment' and to identify the sub-controls for the 'SA: System and Services Acquisition' control category.
- Vishwas @Vishwas Manral to fill out columns G and H for his control category 'SC: System and Communications Protection'.
- Eric Peeters to finalize column H for his control category 'SI: System and Information Integrity' and fill out column G.
Assigned reviewers that will cross-check the identified sub-controls as well as the justification in columns G and H:
Reviewer        | Control Category
----------------|------------------------------------------------
Joseph Arcelo   | 1. Access Control
(unassigned)    | 2. Awareness and Training
(unassigned)    | 3. Audit and Accountability
Vrettos Moulos  | 4. Assessment, Authorization, and Monitoring
Vrettos Moulos  | 5. Configuration Management
Tom Koval       | 6. Identification and Authentication
(unassigned)    | 7. Risk Assessment
(unassigned)    | 8. System and Services Acquisition
(unassigned)    | 9. System and Communications Protection
Aradhna Chetal  | 10. System and Information Integrity
Next working group call:
Friday, 29th of July, at 09:00 a.m. PST / 12:00 p.m. EST / 17:00 GMT / 18:00 CET
url: https://zoom.us/j/98681420926 (Meeting ID: 986 8142 0926)
Kind regards,
Marina
------------------------------
Marina Bregkou,
Senior Research Analyst,
CSA
------------------------------