Serverless

Meeting Minutes 18th November 2022

    Posted Nov 28, 2022 10:28:00 AM
    Dear members,

    Hope you had a wonderful Thanksgiving holiday!

    Below you can find the details from our 18th November working group call:

    Regarding the 'NIST 800-53 controls implementation to FaaS' document progress:
    • We are in the final line for finishing this work.
    • The CM-Configuration Management control category has been covered and cross checked. That makes it finalized.
    • Same for the AU: Audit and Accountability category.
    • 7 more categories to finalize after filling in a few missing entries and reviewers' voting.
    • The working group decided SA-2, line 120, is out of scope.

    Previous Action items:

    • Joseph to justify why the CM-11 sub-control is not relevant to FaaS. - DONE
    • Christopher to review and vote on remaining sub-controls: SC-3X, SC-46X of the SC category. *Christopher Wall has no more bandwidth, so Rajiv is taking over this action item. - PENDING
    • Vishwas to review and vote the CM category. Lines 75-88. - DONE
    • Aradhna to review and vote on the details of the SI: System and Information Integrity control category entered by Eric Peeters. SI-2 (3), SI-4 (9), SI-4 (11) to SI-4 (13), SI-4 (15) to SI-4 (25), SI-5 (1), SI-7, SI-8, SI-10, SI-10 (5), SI-10 (6), SI-12 (1) to SI-14 (3), SI-17, SI-18 (2), SI-18 (4), SI-19, SI-19 (1), SI-19 (5) to SI-23. - Partially Pending
    • Eric to update the SI-2 (6) sub-control according to Aradhna's comment if he agrees. - DONE
    • Eric as above for SI-3, SI-4, SI-4 (1) to SI-4 (3), SI-4 (5), SI-4 (7), SI-4 (10), SI-4 (14), SI-5, SI-6, SI-10 (1) to SI-10 (4), SI-11. - Partially Pending
    • Brynna to update sub-control AC-10, line 15 and turn it from N/A to FaaS relevant. - PENDING (assigned to Robert Ficcaglia)
    • Brynna to update column G, for all N/A sub-controls in the AC category. - PENDING (assigned to Robert Ficcaglia)
    • Karthik and Arvin to check Robert's comments in the SA category and update accordingly or discuss further in the Slack channel. Please update SA-4 - Implementation details for FaaS, SA-9 to Out of Scope as discussed on the previous call. SA-9 (4): Please specify the geographical considerations so as to support that this is in scope, SA-9 (7) please check comment from Robert, SA-9 (8) justify why it is out of scope. - Partially Pending

    Next Action items:

    • Rajiv ( @Rajiv Gunja) to review and vote SC-3X, SC-25X and SC-46X of the SC category.
    • Rajiv ( @Rajiv Gunja) to check Miguel's comment on RA-02, line 107, RA-05 (5) line 111.
    • Rajiv ( @Rajiv Gunja) to review and vote on sub-controls from RA-06 to RA-10.
    • Aradhna ( @Aradhna Chetal) to review and vote on the details of the SI: System and Information Integrity control category entered by Eric Peeters. SI-2 (3), SI-2 (4), SI-2 (6) Out of Scope?, SI-4 (9), SI-4 (14), SI-4 (20) to SI-4 (22), SI-5, SI-6, SI-17.
    • Eric Peeters ( @Eric Peeters) to discuss with Aradhna or the working group on SI-3, SI-4 (2), SI-4 (5), SI-4 (7), SI-10 (1) to SI-10 (4), SI-11. SI-4(1), SI-4 (15) Justify 'Why is it Out of Scope for FaaS'.
    • Robert ( @Robert Ficcaglia) to update AC-10 (line 15) as it is relevant to FaaS from the tenant's perspective. Update columns G, H, I.
    • Robert ( @Robert Ficcaglia) to update sub-control AC-22 and turn it to Applicable for FaaS. Same for AC-24, line 26.
    • Robert ( @Robert Ficcaglia) to update column H - 'Why it is not applicable to FaaS if so', for the N/A sub-controls in the AC category: AC-7 to AC-9 (line 12-14), AC-11 to AC-12 (line 16-17), AC-17 to AC-21 and AC-23 (line 25) and AC-25 (line 27).
    • Robert ( @Robert Ficcaglia) to check the update on SA-4, and SA-10 done by Karthik and Arvin.
    • Joseph ( @Joseph Arcelo) to review and vote on AC-12, line 17.
    • Karthik ( @Karthik Kaligotla) and Arvin ( @Arvin Reddy Jakkamreddy) to check Robert's comments in the SA category and update accordingly or discuss further in the Slack channel. SA-9 to Out of Scope as discussed on the previous call. SA-9 (4): Please specify the geographical considerations so as to support that this is in scope, SA-9 (7) please check comment from Robert, SA-9 (8) justify why it is out of scope.
    • Wayne ( @Wayne Anderson) to justify the Out of Scope of SA-02, line 120, column H, as discussed on the call.
    • Group on SA-9 (4), SA-9 (7), SA-10.

    Next working group call:

    Date: Thursday 1st December
    Time: 09:00 a.m. PST / 12:00 p.m. EST / 17:00 GMT
    URL: https://zoom.us/j/98681420926  (Meeting ID: 986 8142 0926)

    Warm regards,
    Marina

    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------