...
JJ: Not sure every KI assessor is going to be able to make these judgments about risk and effectiveness. Might create a risk to Kantara's reputation.
MH: If K states we are doing this analysis of alternative controls' effectiveness on reasonable criteria, then believe risk to Kantara can be reduced.
JJ: Believe RW's suggested added IAF criteria seem a reasonable basis.
Ken: Notes that the NIST language seems directed at Agencies, not CSPs. Not sure how to put the onus on the Agency.
ET: What we must do is make sure an agency customer is aware of the requirements of accepting "comparables".
RW: We assess CSPs. Not RPs. We have criteria for federations that would impose requirements on their member RPs.
JJ: How would we express the results of an assessment based on use of a comparable alternative control?
ET: We would provide a memo clarifying that the service is/uses an alternative control.
Ken: good discussion. Summary: seems worth pursuing, incorporating RW's draft criteria.
RW, ET, KD, MH: agree. Ken: asks RW to be ready to discuss initial draft criteria. But may not be available for a couple of meetings in August. Ken: Next week is the 15th.
RW: Can have something for the 15th.
JJ: Does ARB need to get involved? What's the process where an alternative control is involved? RW: agrees there needs to be a process to communicate the decision.
RQ: yes we need to coordinate and communicate with NIST. RW: Yes, but we are not asking permission.
MK: Australia: individual submissions only. Ken: yes. Deadline 7/14.
Ken: Pan-Can framework new doc out for comment by 28 July revisiting "vectors of thrust" concept. Doesn't seem too relevant but will send around.
Close meeting at 2:05.
Next meeting 15th.
Next Meeting: Next Thursday, July ?? at 1PM US Eastern