...
Continued consideration of 'comparable alternatives': discuss revised DRAFT Kantara criteria/process (Wilsher), and next steps
Ken Dagg and Richard Wilsher having joined the meeting, the WG resumed last week's discussion on this topic. Richard shared his draft Kantara "comparable alternative controls" with updates made following last week's WG discussion.
Richard suggested that the goal of an alternative control might be described as an appropriate balance between false positives and false negatives, or some way the CSP could express the risk accepted by using the alternative control. He added that he was not yet satisfied with this formulation.
Ken D, suggested that "a defined risk profile" might work, which both avoids implying that the types of risks that a control might create are limited to its performance on false positives and negatives. Others agreed that an open-ended look at possible risks is appropriate and that Kantara should not imply that assessors would perform quantitative analysis of a controls' effectiveness. Richard W. observed that as far as he could determine, NIST had not done such quantitative analysis in developing the 800-63 standards, so there is not even a basis for that sort of determination that an alternative control is "comparable."
Roger Q. expressed concern that most customers (RPs) will not know how to judge the CPS's metrics on performance of their controls. Martin suggested that the RP would rely on the Kantara assessor's evaluation. One member asked if these alternative controls would be assessible. Another said the RP use-cases would be varied, possibly making assessment more complex. Another said that use-case variations should not keep a CSP from documenting and estimating a control's performance, and that the KI assessor's role would be limited to evaluating the CSP's evidence and justifications. Another expressed the view that this was not too much different from what is done now in IAF assessments.
Ken D. noted that the scheduled meeting time had expired and suggested a summing-up of the WP's conclusions at this point.
Richard W offered the view that the CSP should review all the mitigated and residual risks of an alternative control, including any new risks created by the control. This analysis is documented. The CSP's top management is aware of the use of a comparable alternative control; and the CSP does in fact deploy the control. The CSP is required to make any RP client aware of the used of the alternative control and advised of any extra procedures or configuration adjustments needed because of new control. He added that we don't want to specify hard numbers for performance of a control in our criteria.
A member asked if the specification of the control and related documentation would be available for re-use by other CSPs. Several members agreed that the architecture of the alternative control and the associated assessment documentation should be considered proprietary to the CSP that developed it, but that re-use might be achieved by licensing or other agreement with the developer, or perhaps even by the developing CSP offering the control as service component on a SaaS basis. One member wondered if it might hurt the Kantara "brand" if it became known that a service had somehow been certified without meeting the 800-63 requirements. However, another member observed that existing Kantara requirements for publication of information about successful certifications would let other CSPs or interested RPs know that a "comparable alternative control" had been included in the certified CSP service offering, as permitted by NIST.
As for next steps, Ken D. said that once we get Richard's draft finalized, it would go through the standard Kantara process for making "material" changes to the IAF criteria. This process takes about 70-90 days in total.
Richard W. added that we have a number of minor (probably all "non-material") changes to the criteria that should be bundled with this one so as to avoid burdening reviewers with multiple rounds of review.
Richard also noted that he would be unavailable for IAWG work for three weeks starting next week, and suggested that another member take over as IAWG Editor to keep the process moving forward. Ken D. agreed to fill in for Richard as Editor.
4. Component Service Consumer criteria
Not discussed.
Other Business:
- Next Meeting:
Ken D. proposed that given an otherwise light agenda we should skip next week's IAWG meeting and meet next on July 29th, and then plan to meet two weeks after that (August 12th.) Ken closed the meeting at 3:18PM
---------------------
Martin's raw notes
RW: don't want to include hard number in criteria.
KD: is this stuff assessible?
...
KD: not meet next week, then again two wwks after
29th of July.
2:18 PM
4. Component Service Consumer criteria
Other Business:
Other topics on the agenda deferred to the next meeting.
————————
Next meeting July 22, 1PM US Eastern as usual.
Ken D closed the meeting at ?.