GSA / idmanagement.gov

IDManagement.gov is a collaboration between GSA and the Federal CIO Council. It is managed by the Identity Assurance and Trusted Access Division in the GSA Office of Government-wide Policy.

NIST SP 800-XX Issues in IA Control Mapping Comments #971

Closed TheInfinityBeyonder closed 2 months ago

TheInfinityBeyonder commented 4 months ago

https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L250

There is no specific requirement in 800-63 related to privileged vs. non-privileged accounts.

https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L274

This requirement is unique to shared accounts or authenticators, which are not addressed in 800-63.

https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L2935

Several requirements in 800-63 are specified for CSPs or other entities. 800-53 does not have an equivalent concept. Should our mapping incorporate this difference somehow? If so, what is the best way?

https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L4314

IA-1. a. 1 (b) stipulates that documented policy must be "consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;" This policy references "requirements of a given AAL" but not a specific law, etc. Should this requirement map to that 800-53 control?

https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L5002

This 800-53 requirement contradicts the 800-63 requirement it references.

JBPayne007 commented 2 months ago

Didn't receive stakeholder feedback on items.