IDManagement.gov is a collaboration between GSA and the Federal CIO Council. It is managed by the Identity Assurance and Trusted Access Division in the GSA Office of Government-wide Policy.
NIST SP 800-XX Issues in IA Control Mapping Comments #971
Several requirements in 800-63 are specified for CSPs or other entities. 800-53 does not have an equivalent concept. Should our mapping incorporate this difference somehow? If so, what is the best way?
IA-1. a. 1 (b) stipulates that documented policy must be "consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;" This policy references "requirements of a given AAL" but not a specific law, etc. Should this requirement map to that 800-53 control?
https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L250
There is no specific requirement in 800-63 related to privileged vs. non-privileged accounts.
https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L274
This requirement is unique to shared accounts or authenticators, which are not addressed in 800-63.
https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L2935
Several requirements in 800-63 are specified for CSPs or other entities. 800-53 does not have an equivalent concept. Should our mapping incorporate this difference somehow? If so, what is the best way?
https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L4314
IA-1. a. 1 (b) stipulates that documented policy must be "consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;" This policy references "requirements of a given AAL" but not a specific law, etc. Should this requirement map to that 800-53 control?
https://github.com/GSA/idmanagement.gov/blob/b9c94ee011fdcb18c64b06463dfb0628d298d28f/security-controls-mapping3.md?plain=1#L5002
This 800-53 requirement contradicts the 800-63 requirement it references.