The evidence requirements for IAL1 and IAL2 allow for the presentation of one STRONG piece of evidence with one piece of FAIR evidence, which creates an additive control at both levels that makes it more difficult for an attacker to subvert the identity proofing process. In 63A, NIST recognizes the concept of core attributes that are required for identity proofing and that must be validated, so that the identity proofing process reflects the additive value of evidence presentation together with core attribute validation, leading to the point where identity verification binds that evidence and those attributes to the real-life person in the application and identity proofing process.

NIST is still seeking feedback on IAL1. They are pretty happy with where it is at – but if there are concerns or specific modifications that CSPs want to recommend, it is new to the workflow. NIST is very much open to direct feedback on where NIST sits with IAL1.

Do you see the direction of the current draft as giving agencies the risk assessment to determine their appropriate IAL? Do you see IAL1 really being more applicable to some of the lower-risk applications, focusing on removing the need for the selfie match or the biometric match, and being able to meet some of the more equitable requirements, given that biometric matching is one thing known to impact equity?

NIST wants to be careful not to say they are going to be the arbiters of the actual impact determinations that the agencies will make. Agencies will be the ones who decide their own risk tolerance. What NIST was trying to do was to give them the flexibility to have lower-level sets of controls to deal with applications that didn’t necessarily need to go all the way up to IAL2 and involve that biometric match and additional friction. The goal was to have something that could give a degree of confidence in identity, but not necessarily the same degree as IAL2. The target would be those lower-risk applications. NIST is saying that cautiously, not implying there is something wrong with IAL1. It’s an attempt to give agencies and organizations more granularity in their risk management processes rather than what it was before – 0 or 100. The option to not identity proof remains. You can still have IAL0 (no identity proofing). You do not have to identity proof if the application does not mandate it. Just because IAL1 is no longer ‘no proofing’ does not mean that option was eliminated.

Sometimes there will be direct tradeoffs between security and equity objectives, but that will not always be the case. NIST wants to address that directly and say there is an unfortunate missed opportunity in thinking of this as a zero-sum game, when we could be very creative and achieve both objectives simultaneously. Maybe the tradeoff is cost, if you are engaging in a campaign to offset the cost of tokens for certain eligible populations, or to develop materials in multiple languages that will ultimately help everyone achieve the security objectives. It’s something people just assume is a tradeoff, but NIST encourages everyone to think more creatively about how these objectives interact with one another and can be achieved together.

Rev.4 is really more outcome-based rather than prescriptive. That’s the difference being noticed. It puts more onus on the agencies. One of the key things CSPs are seeing and having to talk through is the challenge of not being spoon-fed the requirements. It’s a new level of measuring that hasn’t been there previously, and that’s not a strong point for agencies. It might warrant additional guidance and ways to measure the outcomes that agencies must achieve and publish. NIST requests thoughts on how to bridge the gap between setting outcomes and how to achieve them – beyond 63 itself and other PIV-related guidance.

NIST has already seen in comments the wildly different interpretations and views on where they have gone with rev.4 in the risk management assurance-level selection. Some love it while others are terrified. There will need to be a balance between the outcomes set in the guidance itself and add-on implementation guidance, feedback to the agencies, and other components and artifacts to help them through. Again, thoughts on how to communicate these and fit them into a broader construct are requested!