...

Ken asked Richard Wilsher to introduce the topic and provide background. Richard reported that a US Federal agency has asked how Kantara would handle its using a CSP implementing a "compatible comparable alternative" to the IA identity proofing controls included in 800-63-3. He said Sec. 5.4 does allow US Federal agencies to use "comparable alternatives" and provides some guidance on how that would be done. Richard suggested that KI might perform an assessment of a service that used an alternative control, but he feels that Kantara can't take on determination of what is "comparable." He shared draft language for an approach to this issue Kantara might take. Richard further reported discussion of this issue with David Temoshok of NIST. He said David strongly discouraged KI involvement in assessing these alternative controls because it's the Federal agency CIO's responsibility; he further believes use of such alternatives would only be appropriate to address a use case unique to one agency, and that sign-off for use of an alternative control would have to be made at the agency executive level, i.e., by the CIO.

Blake Hall said he believes the "Federal agency" Richard mentioned is the Department of Labor, which is exploring the possibility of allowing the use of expired driver's licenses as identity documentation for their public "customers." Blake said his company hopes to service this requirement.

...