...

Non-voting participants: Jimmy Jung, Roger Quint, Eric Thompson

Invited Guests: Chris Lee

Staff: Kay Chopard

...

IAWG Chair Ken Dagg called the meeting to order at 1:05PM (US Eastern) and called the roll. It was noted that the meeting was quorate.

Minutes approval: Mark H moved approval of the draft Minutes of the IAWG meeting of June 24; Richard W seconded. The Minutes were approved unanimously, as written.

Staff reports and updates: ED Kay C. Focus is finding a replacement for Ruth as Program Manager (PM) for the Assurance Program. After the first pair of finalist candidates both dropped out, staff went back to LinkedIn and started interviews again. Looking for a more junior PM rather than trying to replicate Ruth's deep experience out of the box. Best case for the new IAF PM to be on board is some time in August. Still open to getting more applicants referred by WG members.

LC reports and updates: Ken D: LC had one meeting. Of interest, the long-time Chair of UMA has stepped down due to business demands. The mDL Privacy report is out for review; have a look.

Ken D: reminded WG participants that Kantara staff is ready to help them publicize their newsworthy activities via the @KantaraNews Twitter handle. Or send to Ken D or Kay C.

Discussion:

Continued consideration of 'comparable alternatives' - See: https://groups.google.com/g/idassurance/c/GIGLjValdg4

Ken D: noted that a listserv discussion is accessible via a link in the Agenda emailed before the meeting. He then invited Richard W to lead the resumed discussion.

Richard W: believed we should do something in this space, and it may not be just for Federal agencies. Suggested that we need a capability to assess alternative controls, based on a thorough process grounded in evidence regarding risk, etc.

Eric T: agreed that there is a need and opportunity here to provide some rigor around alternative controls. Key thing is needing to quantify the risk being controlled. Need to remember that service providers want to let appropriate people in, not just keep inappropriate people out. Agencies / orgs don't have the ability themselves to do the rigorous analysis to develop and document use of "comparable alternative controls."

Mark H: agreed that there is a broader need than just for CSPs serving Federal agency customers.

Kay C: identified that other Federal agencies with whom she has talked feel that they need unbiased technical help to make their decisions on IAM risk. Understands that NIST (David T) is very wary about Kantara involvement but believes that his concern can be reconciled.

Roger Q: asked, if we do work in this area, will NIST welcome or oppose it?

Richard W: we should respond to what our customers request and work on getting acceptance, if not support, from NIST.

Ken D: and maybe an approach to GSA would work, as they owned FICAM. We need a Federal central-agency supporter of our work in this area.

Kay C: Kantara is still meeting with GSA (Phil). Just her (Kay) regularly, and it will be just her until the new IAF PM is on board. It was noted that things might be slow for a bit as everyone in Government seems to be planning deferred vacations.

Roger Q: Kantara needs some awareness, or at least tolerance, from NIST and/or GSA for anything we do in this area.

Eric T: asked if there is an opportunity for IAWG to help move this forward by putting out guidance related to quantifying risk and the effectiveness of alternative controls for ID proofing systems.

Richard W: noted that Kantara having a set of criteria for evaluating risk and control effectiveness would be useful for assessors who have customers (e.g., private sector, or non-US) that are not strictly locked into (very conservative, tech-focused) NIST standards.

Mark K: asked if this is just a US issue. (He will check a bit to see if he can locate any EU-developed materials for risk analysis/quantification and controls effectiveness.)

Jimmy J: believed that many US Fed agencies are thinking "I need IAL2", and would not want to get involved with something "comparable".

Richard W: reminded the meeting that Kantara has been asked by a Member CSP working with a real Federal agency that has a business need to identify public clients who cannot provide the proofing documents required by NIST standards. Believes that Kantara should respond to those needs.

Jimmy J: stated that he is not sure that every KI assessor is going to be able to make and document these judgments about risk and effectiveness. Inconsistent assessments would create a risk to Kantara's reputation.

Mark H: believed that the risk to Kantara can be reduced if Kantara is transparent about what it is doing and shows that it is doing this analysis of an alternative control's effectiveness based on reasonable criteria.

Jimmy J: believed Richard W's suggested additional IAF criteria seem a reasonable basis to begin developing a process for evaluating alternative controls.

Ken D: noted that the NIST language seems directed at Agencies, not CSPs. Not sure how to put the onus on the Agency.

Eric T: believed that, as a supplier, we must make sure an agency (customer) is aware of the requirements of accepting "comparables".

Richard W: noted that Kantara assesses CSPs and not RPs. (But Kantara has criteria for federations, and federations would presumably impose various requirements on their member RPs.)

Jimmy J: asked how Kantara would express the results of an assessment based on the use of a comparable alternative control.

Eric T: indicated that, as a supplier, they would provide a memo to their customers clarifying that the service is/uses an alternative control.

Ken D: thanked everyone for the good discussion. Summary: seems worth pursuing, building on Richard W's draft criteria.

Richard W, Eric T, Mark H agreed. (Check the recording: I think that Roger Q and Jimmy J also agreed.)

Ken D: asked Richard W when he could be ready to discuss initial draft criteria. RW: I may

Richard W: noted that he might not be available for a couple of meetings in August.

Ken D: asked Richard W if something could be available for the IAWG to look at at next week's meeting on the 15th.

Richard W: indicated that he could.

Jimmy J: asked if the ARB needs to get involved, and what the process is where an alternative control is involved.

Richard W: agreed that there needs to be a process to communicate the decision to the CSP and to the (RP) customer.

Roger Q: identified that Kantara needs to coordinate and communicate with NIST to avoid the appearance of going around them.

Richard W: agreed, but stated that Kantara is not asking for permission.

Ken D: indicated that Kantara would inform NIST for their information.
Other Business:

Mark K: asked if only individual submissions are accepted for providing input to Australia. Ken D: yes. Deadline 7/14.

Ken D: identified that the Pan-Canadian Trust Framework has a new document out for comment by 28 July. Seems to be revisiting the "vectors of trust" concept. Doesn't seem too relevant to IAWG, but he will send it around, and the WG can decide at the next meeting if it wants to submit comments.

Other topics on the agenda deferred to the next meeting.

————————
Next meeting July 15th, 1PM US Eastern as usual. 

Ken D closed the meeting at 2:05PM.

...