Michaela Iorga
@david-waltermire-nist - I see your point regarding the scalability but at the same time, everything we are listing on a NIST website becomes, partially, our responsibility to ensure the quality...
@degenaro - as earlier discussed, OSCAL component definitions are not meant to describe **implemented components**, but rather suggest to or guide system owners that are using respective components for their systems...
The way I think this should work is: 1) the system providing SSO gets ATOed 2) the AI controls that can be implemented by this system are explained in a...
@gregelin and @degenaro - To highlight the points @david-waltermire-nist is making, let's use one concrete example: Microsoft Azure offers Active Directory as a service. The service has been ATO at...
> @iMichaela @david-waltermire-nist both state that the SSO service would have its own ATO, therefore its own SSP, and that seems to suggest the proper way to include the SSO...
> Thanks for your comments Greg & Michaela. If you look at Figure 1 and Table 1 here https://www.ibm.com/cloud/blog/compass-compliance-part-1 it is evident that the control provider, who authors the component-definition,...
> @iMichaela if I understand correctly, in your example the component is the Active Directory Service whose owner knows that the implementation status is IL5. Why should not the owner...
@openprivacy - we have in our oscal-content repo a [component definition example](https://raw.githubusercontent.com/usnistgov/oscal-content/main/examples/component-definition/json/example-component-definition.json) which describes MongoDB's TLS which would implement SC-8(1) BUT it requires the customer to configure it in order...
The following diagram aims to reproduce the _new SSP_ generation process and highlight the constraints.  A well-structured ATO package in OSCAL could decompose the CSP's monolithic SSP into common...
@wendellpiez and @ohsh6o The Customer Responsibility Matrix (FedRAMP's approach) or the broader System Security Responsibility Matrix concept are different from the question raised in issue #945 over the potential use...