...

a. Review the roadmap for moving a consolidated set of criterion changes through the Kantara approval process. Ken provided an overview of the process, indicating that the total Kantara approval timeline is about 2 1/2 months. Given that, he believes the WG should aim for publication of the updated criteria in mid-November, which implies having a package ready to submit by the end of August. The package would consist of at least one "substantive" update (the "comparable alternative control" criteria we have been discussing) plus several non-substantive revisions that Richard has been accumulating. If the PAD issue results in revised criteria language, that would also be included. He pointed out that one important consideration is to avoid frequent changes to the criteria, as that has an impact on CSPs (as well as on all Kantara reviewers). NIST's update of SP 800-63 to version 4 will definitely require another revision of the Kantara criteria, but he believes that NIST's schedule for 800-63-4 will likely slip a bit, so there should be at least 18 months between the Kantara update we are now preparing and the major one that will result from the NIST revision.

A. Ken: roadmap. Process requires 45 + 15 + LC approval. So maybe 2 1/2 months. Nice to get published by October. So, beginning of August. Impossible. November then. So prepped by end of August. "Comparables" plus maybe PAD plus misc by end of August if possible.

NIST: saying 63-4 draft in spring, but might be optimistic. Looking at at least 18 months before we revise for 63-4. So not too frequent changes.

Mark K: will reviewers get background rationale for changes? Ken: not normally, but might want to this time. Only items in the package that are substantive are "alternative controls" and maybe PAD language. Display spreadsheet for comparable alternative, latest changes in blue text.

Mark K: how can we do quantitative without the NIST control.

Mark K. asked if reviewers will be provided with any notes on the rationale for each of the proposed changes. Ken said notes like that have not been provided in the past, but that it might be a good idea this time, as a way to expedite review of the package of proposed changes. He noted that the only substantive updates planned are the "comparable alternative" language changes and possibly new PAD-related language. (He noted that Richard W.'s latest draft of the former was currently being shared on-screen, and that a link to the spreadsheet was included in the email with the invitation and agenda for this meeting. Revisions since the previous IAWG call are in blue text in the spreadsheet.)

Mark K. asked how we can expect CSPs to provide a quantitative comparison of the effectiveness of a control specified in 800-63-3 vs. a proposed "comparable alternative", since as far as we know NIST has not provided such data on controls. Roger Q. asked if we could or should be more specific about what should be measured for a "quantitative assessment".

Roger: can we spec the quants? Ken: too general to specify. Assessor has to determine that the quant analysis makes sense.

...