AO's role in RMF seems like a conflict of interests

old.reddit.com / @/u/thehermitcoder, https://old.reddit.com/user/thehermitcoder

In the NIST SP 800-37 rev2, the AO is responsible for assessor selection and plan and also for risk analysis and risk response, and then finally the authorization decision. Isn't this a conflict of interest?


published 11 months ago



