Serverless

  • 1.  Meeting Minutes 9th September 2022

    Posted Sep 20, 2022 08:15:00 AM
    Dear members,
    Below are the meeting minutes from our working group call on the 9th of September.

    Regarding the 'NIST controls for FaaS focusing in Security and Compliance (Control families based on NIST 800 - 53, rev.5)' document, the main points of discussion and action items are as follows:
    • Re-mentioned that wherever in the document there appears the word 'serverless' it should be substituted with the word 'FaaS'. If an entry has serverless specific details, then it should be changed into FaaS specific details.
    • The discussion this time was focused on the CM control category, where its main author and reviewer discussed the questions they had on the Control Management implementation and FaaS relativity.
    Previous action items report:
    • Robert Ficcaglia to narrow down the new list for the AT-3 from the applications scope. - DONE.
    • Vrettos Moulos to work on column I of the CA: Assessment, Authorization, and Monitoring control category. - PENDING.
    • All lead authors to review their respective control categories and wherever they mention Serverless in the implementation details column it should be changed to FaaS. In case the details mentioned are specific to Serverless then they should be made FaaS specific. - (Partially) PENDING.
    • Joseph Arcelo to go through the CM: Configuration Management control category and review so that it focuses on control mapping for FaaS. - DONE.
    • Vrettos Moulos to review the work from Joseph in the CM category. - Cancelled.
    • Marina to contact Vani for the I column in the IA: Identification and Authentication control category. - DONE.
    • Christopher Wall to fill column G for the SC: System and Communications Protection control category. - Partially DONE.
    • Vishwas Manral to fill column I for the SC: System and Communications Protection control category. - DONE.
    • Aradhna Chetal to review and vote on the details of the SI: System and Information Integrity control category entered by Eric Peeters. - PENDING.

    Action items for next call:
    • All lead authors to review their respective control categories and wherever they mention Serverless in the implementation details column it should be changed to FaaS. In case the details mentioned are specific to Serverless then they should be made FaaS specific. @Eric Peeters
    • Joseph ( @Joseph Arcelo) to finalize: CM-6 to point at CM-2, CM-8 define system components, CM-9, CM-11, CM-13, CM-14.
    • Joseph ( @Joseph Arcelo) to review AC-5, AC-6 (1), (5), (9), and AC-14 from the Access Control category.
    • Christopher ( @Christopher Wall) to finalize column G for the SC: System and Communications Protection control category.
    • Christopher ( @Christopher Wall) to fill in the FaaS Relevance of AC-16 in Access Control category, row 19.
    • Christopher ( @Christopher Wall) to fill in column G for SC-3 (X) in row 136, for SC-8 in row 141, for SC-13 (X) in row 146, and for SC-16 and SC-17 in rows 149 and 150 respectively.
    • Aradhna ( @Aradhna Chetal) to review and vote on the details of the SI: System and Information Integrity control category entered by Eric Peeters.
    • Vrettos ( @Vrettos Moulos) to work on column I of the CA: Assessment, Authorization, and Monitoring control category.
    • Reviewer needed for the AT: Awareness and Training control category.
    • Shamik ( @Shamik Kacker) to review and vote on AU-3 and AU-3 (1) in rows 35, 36 respectively.
    • Vishwas ( @Vishwas Manral) to review and vote on column of the CA: Assessment, Authorization, and Monitoring control category filled in by Vrettos.
    • Vishwas ( @Vishwas Manral) to fill in column G for SC-12 in row 145.
    • Vrettos ( @Vrettos Moulos) to review column H of the CA: Assessment, Authorization, and Monitoring control category filled in by Vishwas.
    • Vani ( @Vani Murthy) to fill in column G and I for the IA-1 sub-control in row 89.
    • Crystal ( @Crystal Cuneo) to fill in columns G, H, I for sub-control RA-01, row 106.

    Next working group call: Thursday 22nd of September, at 09:00 a.m. PST, 12:00 p.m. EST, 17:00 GMT, 18:00 CET.
    url: https://zoom.us/j/98681420926  (Meeting ID: 986 8142 0926)

    Kind regards,
    Marina



    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------


  • 2.  RE: Meeting Minutes 9th September 2022

    Posted Sep 20, 2022 08:22:00 AM
    Done.

    Thanks

    Shamik

    ------------------------------
    Shamik Kacker
    Director
    Dell Technology
    ------------------------------