Re: CNA requirements


On Tue, 17 May 2016, Adinolfi, Daniel R wrote:

: Regarding the specific question concerning points of contact, I 
: address it a bit in the draft CNA roster document:
: Periodically, each CNA will update their public, primary, and 
: contact points. The primary and alternate contacts should be 
: individuals, whereas the public should probably be a mail alias that 
: sends messages to queues or multiple individuals. This gives us a way 
: to get into the generic email queue and also reach past that queue 
: to the real people behind it.
: For projects where there is not a generic queue and contact is only 
: individuals, we could still request multiple contacts and keep that 
: updated periodically. If there is only one individual, if that person 
: falls off the face of the Earth and they don't give you an alternate 
: replacement, they should be disqualified from being a CNA. Providing 
: active points of contact should be a requirement for being a CNA, I 
: believe.

If the org is giving us a single person, yes. This is spot on.

If the PoC is an alias that goes to many people, no.

Also, pretty sure I brought this up in previous threads, but I will say it 
again. Before we require CNAs to periodically do anything, MITRE 
absolutely MUST periodically send out current CNA guidelines. MITRE 
absolutely MUST periodically call out the CNAs failing to assign per the 
guidelines, which is happening more and more. I'm getting really tired of 
policing the CNAs, and I only send mails maybe 1 out of 50 times that I 
see them breaking policy. Yes, it's that bad.

Page Last Updated or Reviewed: May 31, 2016