...

Review and Approve KIAF NIST SP 800-63C Service Assessment Criteria at FAL2; KIAF 1450:

Draft reviewed during the meeting: KIAF-1450 SP 800-63C Service Assessment Criteria v0.13.0.xlsx

  • Ken mentioned that input on this was requested last week; nothing was received.
  • Tom argued that a comment had been posted on the mailing list. Ruth clarified that she checked her inbox and the list archives and did not find Tom’s email; there must be a technical issue of some kind, since she did not even receive a moderation request for that email.
  • Richard commented that he talked to David Temoshok last week, who said they want to try developing some type of Assessment or Conformity Framework in rev. 4, but that they have certainly put that aside for Federation until they have a lot more experience.
  • Richard explained that he made a comment on 63C#010, 63C#020 and 63C#030 to eliminate “Federation Protocol” and “Federation’s Agreement Protocol”. The change was accepted.
  • Richard also mentioned that Andrew suggested reordering the four columns I-L. These four columns were reordered by priority: the CSP has the most applicable criteria, with the RP next to Federal Agencies.
  • Richard said he will delete the comment in row 63.
  • Ruth reminded Richard to add the Sub-Group participants to the document record sheet. Ruth will send him the list of names.
  • Richard said that 63C says the Federation Authority will vet participants, which is a very open statement. He does not think it has to go so far as to mandate Kantara Approval for participants within a Federation; if it did, it would limit the potential for Kantara to offer a Federation Assessment approval scheme. He stressed that no level of rigor can be mandated in this process. Tom asked whether he is saying that an FA could just take the whole concept of 63C and go on with it; he said that seems problematic. Richard agreed, but explained that there is a limit to the extent to which further requirements can be enforced: 63C says that RPs and CSPs have to meet the applicable requirements at IAL and AAL, but it does not say how they have to demonstrate that they have done so; it simply fails to address it. Even if the Federation Authority needed to check that they had met those criteria in 63A and 63B, they could do so by asking the question and getting a yes or a no. There is nothing in here that imposes real rigor. The idea is to encourage, but not mandate, the levels of rigor one would like to see.
  • Tom mentioned that row 40 is on encryption; you cannot say you have a certain level of encryption. Richard responded that the only requirement is that it is approved by a government or industry body. Tom said that is not very good; at least it could have said FIPS 140, but it cannot. Richard said it is possible, because 63C says that. Tom argued that he does not think 63C calls for FIPS 140. Richard showed that it does appear in row 13. Tom said he had not read that.
  • Tom asked if there is a glossary for this. Richard said there is, but it is a separate document. Ruth said it is probably in the notes. 
  • Tom mentioned there is a typo: it says II instead of SSI.
  • Richard said that a definition should be included when it is ready for the 45-day revision.
  • Richard showed that 63C#0330 says it should be approved by the Federation Authority itself, or by an Independent Framework or Independent Assessor designated by the Federation Authority. Richard said it could be Kantara, but he does not believe it would be good to go so far as to state that and require it to be Kantara. ED agreed; that would go too far. Richard added that the other option is to make NIST come up with their own Conformity Assessment requirement. ED said they are.
  • Ruth said that the SSI definition is in version 0.12, under the sheet “NIST phrasing”. She copied it into the chat too. Ken commented that he also wrote Federation Agreement in there.
  • Richard will add to the final draft:

...