
Voting Participants: Ken Dagg, Martin Smith, Mark HapnerRichard Wilsher, Mark King

Non-voting participants: Jimmy Jung, Eric Thompson

...

  • Administration:
    • Roll call, determination of quorum
    • Agenda confirmation
    • Minutes approval - 20212021-1011-28 18 DRAFT Minutes
    • Staff reports and updates
    • International liaisons updates
    • LC reports and updates
    • Call for Tweet-worthy items to feed (@KantaraNews)

  •  Discussion: 
    • Update on Alternative Controls Language
    • Component Services 
    • to the SAC
    • Charter Update
    • Voting on Chair & Vice-Chair
  • Any Other Business and Next Meeting Date
    • Charter Review & Nominations for Chair 
    • Next meeting - December 2nd16th

Meeting Notes 

Administrative Items:

IAWG Chair Ken Dagg called the meeting to order at 1:05PM (US Eastern).  Roll was called. Meeting was quorate. Distributed agenda was confirmed. 

Minutes approval:  Mark Hapner   Jimmy Jung moved approval of the draft Minutes of the IAWG meeting of October 28November 18. Martin Smith seconded. The minutes, as distributed, were approved unanimously.

Staff Reports and Updates:

Kay provided an update on GSA and FedRAMP. Matt Thompson, Jeremy Grant and Kay met with the GSA political appointee on November 2nd. She presented an overview of who Kantara is and the assurance program. We provided the Assurance Program criteria and have been trying to schedule a follow-up meeting, both at their request. We requested recognition of Kantara’s program on the GSA website. There was no response. Kay plans to continue working up the chain to let them know more about us, in hopes Kantara's services are spread by word of mouth. A FedRAMP contractor approached Kay last month wanting FedRAMP to list Kantara on their website. Unfortunately, the chief counsel’s office said no; probably for similar reasons as GSA (endorsement vs. informational). He shared our information with his contacts, so more spreading by word of mouth. The CARIN Alliance held their quarterly meeting last week and they prompted their partners to get Kantara certified multiple times during the 3-hour meeting.

There was a brief discussion about who is monitoring the requirement that federal agencies adhere to 800-63 rev. 3. It was suggested that Kay ask Phil Lam 1) how do you know someone is compliant with 63-3? and 2) who is responsible for determining that compliance?

encouraged everyone to attend the Annual All Member General Meeting on December 8th at 11am ET.

International Liaisons Updates:

Kantara continues to struggle to get engagement from the UK for the Kantara Government Working Group and other initiatives. The next Government Working Group meeting is scheduled for December 9th with Australia, New Zealand and the US. Kay has recently received a contact for Canada that she hopes to be adding to that group in December or January.

Kay provided an update on : OSIA

...

. She reiterated that this is a different line of business than our current assessors are engaged in. 

LC Reports and Updates:

No Leadership Council Updates. Ken informed everyone that the Kantara General Membership Meeting will be held on Wednesday, December 8th at 11am EST. The President, ARB Chair, Kay and the LC will be speaking. The LC will handle what the work groups have been up to and their plans for 2022.

The Privacy Enhancing Mobile Credentials (PEMC) work group has started. Meetings occur at 1pm ET on Wednesdays. Complete a GPA if you are interested in joining that work group.

Discussion:

Update on Alternative Controls Language:

Ken reported that after several email exchanges with Phil Lam and David Temoshok he finally understands the subtle nuances concerning alternative controls (800-63-3 Section 5.4). The use of an alternative control is a decision that has to be justified by an agency and has to occur prior to the agency implementing anything. Those justifications need to include a quantitative risk analysis. Once an agency receives approval to use the alternative control, then they can go approach vendors about implementing an alternative control. While IAWG has already approved the language, Ken believes we need to remove this language from the package. Martin confirmed this was his understanding as well and supports removing the language from the package. Jimmy concurred. 

Continued Discussion on Component Services:

The ARB held a joint Assessors/ARB call on Monday, November 15. Martin and Ken attended on IAWG's behalf as observers. There seems to be some back and forth between the ARB and the IAWG about who should be driving the format of these needed changes on the various forms. Martin felt there was a consensus for more guidance to both assessors and applicants in written form. He did not hear a request for any extra requirements within the criteria that would further hold up the current package of changes. There is a need for additional discussion between the IAWG and ARB to determine what needs to be done and which party is responsible for the task.

Other Business:

IAWG Charter & Nominations for Chair, Vice-chair & Secretary - We can vote on the charter at the next meeting. Please review by then to determine if any changes are needed. In terms of nominations, please send nominations and justification to Ken, Martin & Lynzie. Ken is willing to continue to take on chair unless someone wants to step in. Duties include running these meetings, attending LC meetings and LC planning meetings, being a liaison to the ARB when required, and to act as the LC rep to the Board of Directors (if requested by LC). Martin is also willing to continue on as vice-chair unless someone else wants to step in. 

Martin asked people to consider quantum computing. It's coming really fast! It will affect how controls are done - so something to think about. Jimmy mentioned NIST had a presentation for federal agencies a while back that they might still have for our use. NIST is working on quantum resistance protocols - the target is to be done early next year.

DIACC has just issued two documents for review. One is the verified person conformance; the other is the privacy component. We've seen both before. Due date is December 17. Ken will circulate to the list and we can decide at the next meeting if we want to respond.

to the SAC:

Richard walked the group through the changes. The group discussed substantive vs. non-substantive changes. Ken reminded the group of the discussions with David Temoshok at NIST about alternate controls. It was decided to remove the alternative control criteria for this revision but keep the language as a possible consideration to include in the Rev. 4 revisions.

Richard reviewed the changes to the KIAF-1430. Jimmy motioned to approve the changes. Mark King seconded the motion. Richard abstained from the vote as the editor. Unanimously approved as non-substantive changes.

Richard reviewed the changes to the KIAF-1440. The group agrees that these are editorial and non-substantive changes. Martin motioned to approve. Jimmy seconded the motion. Richard abstained from the vote as the editor. Unanimously approved as non-substantive changes.

Richard reviewed the changes to the KIAF-1450. The group agrees that these are non-substantive changes. Martin moved to approve the changes. Jimmy seconded the motion to approve. Richard abstained from the vote as the editor. Unanimously approved as non-substantive changes.

Richard reviewed the changes to the CO_SAC. The group agreed that these are material changes that will need to go out for public comment. Jimmy moved to approve the changes. Martin seconded the motion to approve. Richard abstained from the vote as the editor. Unanimously approved as substantive changes.

Charter Update:


Other Business:



The next IAWG meeting will be Thursday, December 2 16 at 1pm EST.
Topics for that meeting will include discussing concrete ways and actions we can take to help expedite the completion of component services, reviewing the IAWG charter and nominations, and the decision on the DIACC request.