Attendees:

Voting Participants: Ken Dagg, Martin Smith, Mark Hapner, Mark King

Non-voting participants: Jimmy Jung, Eric Thompson

Staff: Kay Chopard, Lynzie Adams

Proposed Agenda

...

  • Administration:
    • Roll call, determination of quorum
    • Agenda confirmation
    • Minutes approval - 

...

...

    • 28 DRAFT Minutes
    • Staff reports and updates
    • International liaisons updates
    • LC reports and updates
    • Call for Tweet-worthy items to feed (@KantaraNews)

  •  Discussion: 
    • Update on

...

    • Alternative Controls Language
    • Component Services 
  • Any Other Business and Next Meeting Date

      ...

        • Charter Review & Nominations for Chair 
        • Next meeting - December 2nd

      Meeting Notes 

      Administrative Items:

      IAWG Chair Ken Dagg called the meeting to order at 1:04PM 05PM (US Eastern).  Roll was called. Meeting was quorate. Distributed agenda was confirmed. 

      Minutes approval:  Martin Smith   Mark Hapner moved approval of the draft Minutes of the IAWG meetings of September 23 and October 7. Mark Hapner meeting of October 28. Martin Smith seconded. The minutes, as distributed, were approved unanimously.

      Staff Reports and Updates:

      Lynzie reported the first organization seeking FAL certification recently reached out. They are still a few months out from getting started but wanted to begin learning more. Numerous other organizations have been reaching out with interest in Kantara certification - including companies from Korea, Japan, and India who are looking to get into the US market and believe a Kantara certification can assist them with that. Kay provided an update on GSA and FedRAMP. Matt Thompson, Jeremy Grant and Kay met with the GSA political appointee on November 2nd. She presented an overview of who Kantara is and the assurance program. We provided the Assurance Program criteria and have been trying to schedule a follow-up meeting, both at their request. We requested recognition of Kantara’s program on the GSA website. There was no response. Kay plans to continue working up the chain to let them know more about us, in hopes Kantara's services are spread by word of mouth. A FedRAMP contractor approached Kay last month wanting FedRAMP to list Kantara on their website. Unfortunately, the chief counsel’s office said no; probably for similar reasons as GSA (endorsement vs. informational). He shared our information with his contacts, so more spreading by word of mouth. The CARIN Alliance held their quarterly meeting last week and they prompted their partners to get Kantara certified multiple times during the 3-hour meeting.

      There was a brief discussion about who is monitoring the requirement that federal agencies adhere to 800-63 rev. 3. It was suggested that Kay ask Phil Lam 1) how do you know someone is compliant with 63-3? and 2) who is responsible for determining that compliance?

      International Liaisons Updates:

      Kay provided an update on:

      • OSIA (France):  They are not looking for a new assurance program; it's a much smaller scale project. Conversations are continuing about how we can fit into their future.
      • UK:  Had a meeting regarding certification and seemed positive. They are interested in Kantara pursuing certification - allows Kantara to be a certifying body in the UK. Similar to Kantara/GSA, but more formalized. Mark King asked if Kantara is part of the International Accreditation Forum. It's relevant for international collaboration. Nobody was sure at the moment but we will revisit. Mark King shared the link: https://iaf.nu/en/home/ 
      • New Zealand:  They requested a meeting but this has not occurred yet. 
      • Australia:  Continued discussions are occurring with Jonathan Thorpe. Mark King reviewed Australia's Draft Law document and it seems much of what we said was not taken into consideration, nor was there a response as to why much of this was overlooked. Ken asked to send IAWG's apologies that we were not able to address the latest request.

      Ken requested adding this new 'international liaisons updates' standing agenda item given the amount of work we've done in the past for other governments. We tend to get involved in a lot of these things and it is part of the mandate of IAWG to know what is going on around the world and aid them.

      LC Reports and Updates:

      A new working group, "Privacy Enhancing Mobile Credentials" is being set up. John Wunderlich is the chair. If you'd like to join, reach out to Ken and/or John.

      Discussion:

      Update on Open Issues Regarding the Pending Package of Proposed Criteria Changes:

      Ken noted that the pending package is set on all the criteria except for the ones around alternative controls. Kantara is currently trying to schedule a meeting with GSA/NIST to have an initial discussion around the package. Kay has sent the request. 

      Eric Thompson proposed focusing on publishing guidance around alternative controls measurement. He sees this as an area holding agencies back and with some leadership and guidance from Kantara it could move the discussion forward immensely. Ken suggested this be proposed as a new discussion group. He believes there would be interest from folks in other groups as well. Ken requested a half page overview with the scope of the problem to take to LC for approval to get this going. Eric and Ken will work together to propose this discussion group. 

      Initial Discussion on Component Services:

      The ARB shared concerns with the IAWG regarding how the assessment views component services, particularly what requirements are the responsibility of the full service and what is the responsibility of the component service. This raised the general question - What kind of requirements do we place on a full service and what do we place on a component service? ARB feels a general review of criteria to consider how it works with a component service could be beneficial. Ken was unsure if such a review has occurred. Jimmy worries it could be a complicated lift to address. 

      Martin suggested we consider a need for a contract between the parties that clarifies the relative responsibilities. Have we addressed what the contract has to cover when a component service is in use? Ken will review the CO_SAC for any contractual obligations already listed and see if this is a place we could clarify. 

      Ken asked everyone to think on it more and we will address further on the next call. 

      Other Business:

      ...

      •  Looking at their current needs, this project may be outside IAWG's wheelhouse. Ken suggested that although it is not IAWG work, it might be something Kantara is interested in and that the current proposal should be taken to LC. A work group could possibly be established to make the determination of next steps.

      LC Reports and Updates:

      No Leadership Council Updates. Ken informed everyone that the Kantara General Membership Meeting will be held on Wednesday, December 8th at 11am EST. The President, ARB Chair, Kay and the LC will be speaking. The LC will handle what the work groups have been up to and their plans for 2022. 

      Discussion:

      Update on Alternative Controls Language:

      Ken reported that after several email exchanges with Phil Lam and David Temoshok he finally understands the subtle nuances concerning alternative controls (800-63-3 Section 5.4). The use of an alternative control is a decision that has to be justified by an agency and has to occur prior to the agency implementing anything. Those justifications need to include a quantitative risk analysis. Once an agency receives approval to use the alternative control, then they can go approach vendors about implementing an alternative control. While IAWG has already approved the language, Ken believes we need to remove this language from the package. Martin confirmed this was his understanding as well and supports removing the language from the package. Jimmy concurred. 

      Continued Discussion on Component Services:

      The ARB held a joint Assessors/ARB call on Monday, November 15. Martin and Ken attended on IAWG's behalf as observers. There seems to be some back and forth between the ARB and the IAWG about who should be driving the format of these needed changes on the various forms. Martin felt there was a consensus for more guidance to both assessors and applicants in written form. He did not hear a request for any extra requirements within the criteria that would further hold up the current package of changes. There is a need for additional discussion between the IAWG and ARB to determine what needs to be done and which party is responsible for the task.

      Other Business:



      The next IAWG meeting will be Thursday, November 11 December 2 at 1pm EST. Continued discussion on component services will occur. Ken adjourned the meeting at 1:50 pm EST.