Imprecise description of normative "components"

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Major
    • Affects Version/s: Authentication Step-Up Protocol and Metadata Version 1.0
    • Component/s: Public reviews
    • Environment:

      Normative

      The "components" referred to in the first part of the conformance clause [1] are only vaguely defined in section 3.2. Section 3.1 only shows an activity diagram (no components). Then 3.2 very briefly introduces some components ("a component within the resource which functions as a policy engine capable of consuming the asserted user data and making a determination ..." or "second key component is again an antecedent service generated ...").
      Such components do not seem to be related to the PEP and PDP or others (“Authentication Services” and “Risk-Based Engine”) more precisely named and described in 3.3. Or are they?
      It is surprising that 3.3. does not seem to play any role in conformance, and therefore appears as unnecessary (yet normative?) content with components.
      In any case, if these components and services are key to conformance, they should be clearly named, defined (a separate subsection for each, that includes a minimal set of their functions), and normative requirements stated in these definitions to express the conditions of operations, if any, or its context (e.g. The "resource must have previously performed a risk assessment and adopted a risk mitigation strategy ...", which probably is a MUST?).

            Assignee:
            Unassigned
            Reporter:
            Jacques Durand (Inactive)