Talk:Industry:Project Review/NIST SP 800-37r1 FPD Chapter 3

CHAPTER THREE

THE PROCESS

EXECUTING THE RISK MANAGEMENT FRAMEWORK TASKS

As an overall comment I find that the blocks of text making up these tasks are too dense and need to be broken up into shorter, more targeted segments. NIST SP 800-53r3 made excellent use of exploding out lists which had previously been embedded in paragraphs (e.g., (i) ..., (ii) ..., etc.). Reading security documents is often difficult for people who feel overwhelmed trying to link the different data elements into a comprehensive picture. Good writing practice and formatting can make reading dense guidance wording easier, much as good writing and formatting can make reading source code easier. Dan Philpott 04:10, 8 December 2009 (UTC)

APPLICATION OF THE RISK MANAGEMENT FRAMEWORK

In the line "Execution of the RMF tasks by common control providers, both internal and external to the organization, helps to ensure that the security capabilities provided by the common controls can be inherited by information system owners with a known degree of assurance," the issue here is the reference to a known degree of assurance. How is the degree of assurance known? Often organizations have no insight into the security operations of a common control provider or information system from which controls are inherited. To state that the degree of assurance is known may not be accurate. At best the degree of assurance can be estimated based on the level of trust one has in the controls provider, but trust is an inherently unmeasurable quality. Recommend restating "common controls can be inherited by information system owners with an appropriate level of trust."