
Minutes approval: Mark Hapner moved approval of the draft Minutes of the IAWG meeting of June 24; Eric Thompson Richard W seconded. The Minutes were approved unanimously, as written.

Staff reports and updates: ED Kay Chopard. Focus is replacement for Ruth as PM for Assurance. First finalist candidates dropped. Back to LinkedIn, starting interviews. Looking for more junior PM rather than trying to replicate Ruth's experience out-of-the-box. Best case on-board is some time in August. Still open to getting more applicants referred by WG members.

LC reports and updates: Ken said: LC had one meeting. Of interest, long-time Chair of UMA has stepped down due to business demands. mDL Privacy report is out for review–have a look.

Ken reminded WG participants that Kantara staff is ready to help them publicize their newsworthy activities via the @KantaraNews Twitter handle. Or send to Ken or Kay.

Discussion:

Consideration of 'comparable alternatives' - See: https://groups.google.com/g/idassurance/c/GIGLjValdg4

Ken notes listserv discussion and then invites Richard to lead resumed discussion. Richard W: believe we should do something in this space; may not be just for Fed agencies. Suggests we need a capability to assess alternative controls, based on a thorough process based on evidence regarding risk, etc. 

Eric:  agree that there's a need and opportunity here, to provide some rigor around alternative controls. Key thing is needing to quantify risk being controlled.  Need to remember that service providers want to let appropriate people in, not just keep inappropriate people out.  Agencies / orgs don't have ability to do this themselves. 

Mark H: Agree. Broader need than Govt agencies. 

Kay C: Other Fed agencies I talk to feel they need technical, neutral help to make their decisions on IAM risk.  Believe NIST (David) is very wary about Kantara involvement but believe this can be reconciled. 

Richard W: Anil John was concerned about lack of communication between government and industry, but didn't have results. 

RQ:  If we do work in this area, will NIST welcome or oppose?  Richard W.  –  we should respond to our customers and work on NIST. 

Ken:  Maybe approach to GSA would work–they owned FICAM.  We need a Federal central-agency customer.  Kay says still meeting with GSA--Phil. New PM will do that when they arrive. Might be slow for a bit. 

RQ: Need some awareness and at least tolerance at NIST and GSA.

ET: Is there an opportunity for IAWG to help move this forward by putting out guidance related to quantifying proofing systems?

RW: Another point is, if we have a set of criteria, for assessors have customers not strictly locked in to (very conservative, tech-based) NIST stds.

Mark K:  Is this just a US issue?  Will check a bit with EU-developed materials. 

JJ:  Believe Fed agencies are thinking "I need IAL2", and would not buy something "comparable.." 

RW: We have been asked by a Member CSP working with a real Fed agency that has a need. We should respond.

JJ: Not sure every KI assessor is going to be able to make these judgments about risk and effectiveness. Might create a risk to Kantara's reputation.




Next Meeting: Next Thursday, July ??  at 1PM US Eastern