...

Ken asked Richard Wilsher to introduce the topic and provide background. Richard reported that a US Federal agency has asked how Kantara would handle its use of a CSP implementing a "comparable alternative" to the identity proofing controls included in 800-63-3. He

Background: It was commented that there is a US Federal Agency that is interested in knowing whether Kantara has an opinion or guidance related to NIST 800-63-3, Section 5.4 (Risk Acceptance and Compensating Controls). In this section, the guidance states that "Agencies MAY determine alternatives to the NIST-recommended guidance, for the assessed xALs, based on their mission, risk tolerance, existing business processes, special considerations for certain populations, availability of data that provides similar mitigations to those described in this suite, or due to other capabilities that are unique to the agency." It follows that agencies "SHALL demonstrate comparability of any chosen alternative, to include any compensating controls, when the complete set of applicable SP 800-63 requirements is not implemented." (pp. 22-23). The agency is specifically concerned about the disparate impact of digital ID proofing given the relatively low inherent fraud risk within their program. They have risk-assessed the program as falling into IAL2, but think it is a candidate for this "comparable alternative" ID proofing. However, there is no guidance on how to demonstrate comparability, nor any detail on what constitutes appropriate justification.

Moreover, this Agency is interested in exploring the feasibility of a third-party framework, such as Kantara, to certify Comparable Alternatives as allowed for in Section 5.4 of NIST 800-63-3.

Richard said Section 5.4 does allow US Federal agencies to use "comparable alternatives" and provides some guidance on how that would be done. Richard suggested that KI might perform an assessment of a service that used an alternative control, but he feels that Kantara cannot take on the determination of what is "comparable."

He shared draft language for an approach to this issue Kantara might take.



Richard further reported discussing this issue with David Temoshok of NIST. He said David strongly discouraged KI involvement in assessing these alternative controls because it is the responsibility of the Federal Agency's CIO; David further believes that use of such alternatives would only be appropriate to address a use case unique to one agency.

...