Dear members,
Below you can find the meeting minutes from our working group call held on the 26th of January.
We are close to finalizing the NIST controls implementation to FaaS initiative we have been working on.
Finalized are control categories:
AT - Awareness and Training
AU - Audit and Accountability
CM - Configuration Management
CA - Assessment, Authorization and Monitoring
RA - Risk Assessment
Pending control categories:
AC - Access Control
IA - Identification and Authentication
SA - System and Services Acquisition
SC - System and Communications Protection
SI - System and Information Integrity
Previous action items:
- Robert: AC-10 (columns G, H, I), AC-12. - PENDING
- Robert: AC-20, AC-21, column H. For AC-22 please fill in the context for which this sub-control becomes applicable to FaaS, as discussed on the call on the 12th of January. (Columns G, H, I). AC-23, column H: Why it is NOT relevant to FaaS. AC-25 - column H. - PENDING
- Vani: IA - Identification and Authentication control category: Column I needs to be filled with the deployment components as listed in the 'Deployment Definition' tab in the document. IA-5 (4), please check comment. IA-9 Implementation details, Line 91: what is the sub-control number? Is it still relevant to FaaS? IA-2 (13) comment. - DONE
- Robert: to review and vote on SA-4, SA-9 (4), SA-10. - DONE
- Vishwas: to check comment in SC-4 X, column H, made by Christopher. SC-18 X, SC-19 X, SC-40 X, SC-41 X, SC-49 X, SC-51 X, please fill in column H. Need to justify why they are not relevant to FaaS. - Partially PENDING.
- SC-25X needs a reviewer and vote. - DONE
- Aradhna: to review and vote on the details of the SI: System and Information Integrity control category entered by Eric Peeters. SI-2 (3), SI-2 (4), SI-2 (6) Out of Scope?, SI-4 (9), SI-4 (14), SI-4 (20) to SI-4 (22), SI-5, SI-6, SI-17. - Partially PENDING.
- Eric Peeters to discuss with Aradhna or the working group on SI-3, SI-4 (2), SI-4 (5), SI-4 (7), SI-10 (1) to SI-10 (4), SI-11. SI-4(1), SI-4 (15) Justify 'Why is it Out of Scope for FaaS'. - Partially PENDING
New action items:
- Robert ( @Robert Ficcaglia): AC-10 (columns G, H, I), AC-12.
- Robert ( @Robert Ficcaglia): AC-20, AC-21, column H. For AC-22 please fill in the context for which this sub-control becomes applicable to FaaS, as discussed on the call on the 12th of January. (Columns G, H, I). AC-23, column H: Why it is NOT relevant to FaaS. AC-25 - column H.
- Robert ( @Robert Ficcaglia) to please fill in column J for the SI category and review column I for the same.
- Vani ( @Vani Murthy): IA - Identification and Authentication control category: to include non-relevant controls as well and justify their non-relevance in the H column, as it is done for the other categories too.
- Karthik and Arvin ( @Karthik Kaligotla and @Arvin Reddy Jakkamreddy) to fill in the responsibility part in Column J for the SA category.
- Vishwas ( @Vishwas Manral): SC-18 X, SC-19 X, please fill in column H. Need to justify why they are not relevant to FaaS.
- Aradhna ( @Aradhna Chetal): to review and vote on the details of the SI: System and Information Integrity control category entered by Eric Peeters. SI-4 (20) to SI-4 (22), SI-5, SI-6, SI-17.
- Eric ( @Eric Peeters) to discuss with Aradhna or the working group on SI-10 (1) to SI-10 (4), SI-11. For SI-4(1) please specify 'Why is it Out of Scope for FaaS'.
Next working group call: Thursday, 9th of February.
Time: 09:00 a.m. PST / 12:00 p.m. EST / 17:00 GMT / 19:00 EET
URL: https://zoom.us/j/98681420926 (Meeting ID: 986 8142 0926)
Warm regards,
Marina
------------------------------
Marina Bregkou,
Senior Research Analyst,
CSA
------------------------------