...
To assert Sirtfi for your entire infrastructure, it is important to ensure that the Sirtfi requirements are met by both the AAI layer and all connected services. Because Sirtfi requires that operational security best practices are followed, e.g. regular patching, you will need to adopt a policy for your infrastructure that ensures each service follows these practices. A central operational security team for your infrastructure may play an important role in supporting these practices, for example by handling communication during an incident and propagating information on vulnerabilities and breaches to downstream systems.
...
Sirtfi is referenced in several AARC policy guidelines such as
How to express your Sirtfi compliance?
Please visit https://wiki.refeds.org/display/SIRTFI/Guide+for+Federation+Participants
...