...

SS commented about the philosophy that was applied. 

  • A SHALL was easy guidance to follow. The NIST SHOULD requirements (highly desired, with various alternatives, but not mandatory) generated a lot of discussion. What is intended with SHOULD: you should, but there are no consequences? Should it be interpreted as a SHALL, or as weak (not enforceable at all)?
  • Original requirement on the left. In the KI criteria we added a Subject, as most of the texts were passive.
  • The group tuned the requirements to ensure the CSP is doing its part.

...


AH asked whether the SACs reflect the errata of the 800-63-3 documents. He does not see the version and date of the document, so he suggested making sure the documents are correctly labeled and identifying the date we pulled the source document.

SS commented that, as an additional value add, it would be good to have some exposition about theories of why different types of identity evidence meet different strengths, providing specific examples, explanations and analysis. He is not sure if KI would put a stamp on it or if GSA would like to provide implementation guidance similar to what NIST did with FIPS 114. He said that now that we have new requirements, let's make sure real work examples are falling into the same slots when everybody evaluates.

AH added that, as KI is closer to an actual certification process, having guidance documents and real implementation examples would be part of the document kit. He also commented that we can collate the material over time.

SS said that we can take a proposal to ARB: take out of each assessment what level of evidence was used, etc., for more transparency when possible. CW confirmed that this is a policy decision for ARB.

Potential Changes to the policy 


SSH Panels 2 and 3: identity evidence validation strength table for the different levels. Verification of identity evidence at the different levels.

AH: spreadsheets form into a traceability matrix; we can demonstrate coverage of the 800-63-3 requirements. Others are mapping to the requirements of 800-63-3. KI criteria have some traceable properties.


63B done for AL2. Only one panel, no sub-tables. Types of authenticators are reflected in the groups below; then come blocks of applicable criteria that are mandatory.

Row 91, Number 63B#0280: Scott to add references.

 


AH suggested that we should remove the highlights in yellow.

 


Motion on 63A SAC moving to next step in the process.

...

Mark H seconded both motions.

 

 



GSA has circulated process and procedures documents for TFS Program ConOps and Certification Process drafts. They request to have comments on these 2 documents back to them by 22 December.

Second part of KI work will be to identify changes to its internal process

 


KD presented the Project Plan to tackle comments to GSA and changes to KI Trust Framework Operations Program

KD proposed to create a sub-group and made a call for participants 


Confirmed Volunteers:

Colin W.

...

Scott S.

Mark H.

Richard W.

 


First meeting Tuesday 14:00 EST

AH stressed the importance of this process, as these docs under review at GSA are the requirements for KI to be able to offer approvals and assessments.

There are some significant requirement increases; these are the docs by which KI operates.


KD emphasized getting ARB's input to this process, encouraging them to offer their comments.


RP to re-send the comments of RW

RW  

 

 




RW reviewed the COSA 4.5 criteria; they could be withdrawn, as they are covered by the 63A or B SAC.

Scott suggested a cross-check discussion next Tuesday.


CW encouraged the participants to take this survey as it is related to current IAWG discussion: https://www.surveymonkey.com/r/5YZ3Y9X

...