...
- One thing to note about the new requirements is that unless there is something specific in the 863 800-63 (like password entropy), then it is left to your interpretation to see whether or not it is good enough. A reasonable technical management decision to determine this is acceptable. If there is a specific number requirement, however, then it harder to argue around that. It has become a lot more outcome oriented instead of specifying how you are supposed to solve the problem. These requirements only apply for the specific assertions you send out with the Silver or Bronze assurance. Nothing here says that you can't continue to specify no assurance. There are still assertions to be sent around with no assurance.
...