NIST has already seen in comments the wildly different interpretations and views on where they have gone with rev.4 in the risk management assurance selection. Some love it while others are terrified. There will need to be a balance of outcomes between the guidance itself and the add-on implementation guidance, feedback to the agencies, and other components and artifacts to help them through. Again, thoughts to help communicate and fit those into a broader construct are requested!

If 800-63 is suggesting that agencies have the flexibility to determine alternative ways to perform their proofing/authentication while achieving the same degree of risk mitigation, then one of the difficulties in rev.3 is that it does not say anything for a given assurance level (i.e., here is how we have gauged the risk in order to come up with these requirements for steps that should be taken to perform proofing/authentication). In the absence of anything recorded, it is difficult to list an alternative approach and show how it achieves an equivalent degree of rigor. There is nothing to measure against in the first place. Determining what would constitute acceptable evidence for IAL1 as opposed to IAL2/3 would be helpful in trying to maintain accordance with the guidance. It gives a baseline against which to measure any variation and justify it.

NIST presents characteristics for evidence in a new section of 63A. NIST requests particular comments that Kantara/assessors would make on that new section. NIST is trying to be more explicit and to lay out how to determine whether evidence being presented can be accepted. That is the purpose of that section. NIST welcomes review and comment on it.

NIST has already heard in feedback a request to better align the assurance levels with the specific threats and risks they are intended to mitigate. This seems close to what is suggested above: if you selected IAL2 and are implementing the controls as laid out in IAL2, here are the common sets of threats and risks that those controls were designed to mitigate. NIST is trying to figure out how to do that – they have some ideas – but they would take recommendations on how to structure it.