And my comments are on the site, and pasted here for your convenience:
I want to be clear here, that the community is in desperate need of more materials like this. There are a ton of people who do this every day who would watch this and it would be news to them.
I found the slides to be very good, I especially liked the scenarios.
I will be making changes to some of the semantics. Where it says that a certifier is finding risks, they in fact don’t. They discover findings. Those findings could be policy violations, evidence of policy violations or general system architecture weaknesses.
For instance, when I was a certification agent I did not list out all the patches they did not have installed. This is evidence that a patch management program is ineffective (depending on the date that a patch was released and that the SSP says that it is an implemented control).
The assignment of risk would be left up to the system owner, the certifier (a role that is disappearing in 800-37 Rev 1) or the AO. They would do this by going through an 800-30 exercise. They would start with the security assessment findings and then assign likelihood and impact ratings. This is also presuming that there is even a threat vector.
Let me know if you had a different interpretation or if I missed something.
Also, it is better if you listen to AC/DC's Hells Bells or any Metallica song while you read the slides.