...
Ken D. suggested that "a defined risk profile" might work, which avoids implying that the types of risks a control might create are limited to its performance on false positives and negatives. Others agreed that an open-ended look at possible risks is appropriate and that Kantara should not imply that assessors would perform quantitative analysis of a control's effectiveness. Richard W. observed that, as far as he could determine, NIST had not done such quantitative analysis in developing the 800-63 standards, so there is not even a basis for that sort of determination that an alternative control is "comparable."
Roger Q. pushed back: when an RP gets metrics from a CSP, most customers (RPs) will not know how to judge whether to believe the CSP's metrics on the performance of its controls. Martin suggested that this is the Kantara assessor's job, and that the RP would rely on the Kantara assessor's evaluation.
Ken D. asked whether this is assessable.
...