...

RW: Without any documentation of the NIST risk assessment for the specified controls, how can an assessor establish "comparable"? Difficult situation.

KD: This implies that the service provider has to provide its own analysis of the effectiveness of the regular NIST control, in order to have something to which the proposed alternative can be compared. 

KD: Moves to approve language for the package:  seconded by Mark Hapner.

...

Finalize proposed text (if any) regarding use of "presentation attack detection" (PAD).

Ken D. invited Kay C. to provide background on the exchange with Phil Lamm of GSA.

KC: The background is just the one short email question; and Phil has not followed up on it in other discussions since then. The subject of the email from Phil (cc: David T.) was "Kantara's view on facial biometric comparison and PAD as a 63-3A IAL2 requirement." The text says that 63-3A IAL2 does not have a normative requirement for use of PAD for IAL2 remote, but that NIST's Implementation {SIC} Guidance does require it. Does Kantara require use of PAD at IAL2 remote?



RQ:  NIST does not require PAD currently, thought the letter might be asking if KI was doing anything more. 

...

To change SAC in 63 a and b to reflect optional nature of PAD, and if used to assess as indicated

Confirmation of other non-substantive changes to criteria to be included in the package to be submitted.

...