...
NIST has already seen in comments the wildly different interpretations and views on where they have gone with rev.4 in the risk management assurance selection. Some love it while others are terrified. There will need to be a balance of outcomes between the guidance itself but add-on in the implementation guidance and feedback to the agencies other components and artifacts to help them through. Again, thoughts to help communicate and fit those into a broader construct is requested!
If 800-63 is suggesting that agencies have the flexibility to determine alternative ways to perform their proofing/authentication while achieving the same degree of risk mitigation, then one of the difficulties in rev.3 is that it does not
...
list anything for a given assurance level (i.e., here is how we have gauged the risk in order to come up with these requirements for steps that should be taken to perform proofing/authentication). In
...
that absence
...
, it is difficult to list an alternative approach and how it achieves an equivalence of rigor
...
. Making the determination of what would constitute acceptable evidence for IAL1 as opposed to IAL2/3, would be helpful in trying to maintain accordance with the guidance. It gives a baseline in which to measure any variation and justify it.
NIST presents characteristics for evidence in a new section of 63a. NIST requests particular comments that Kantara/assessors would make to that new section. NIST is trying to be more explicit and list the determination of whether evidence that is being presented can be accepted. That’s the purpose of that section. NSIT welcomes review and comment on that.
NIST has heard already in feedback to better align the assurance levels to the specific threats for risk that they are intended to mitigate. Seems close to what is suggested above. If you selected IAL2 and are implementing the controls as laid out in IAL2, here are the common sets of threats and risks that we have designed to help mitigate. NIST is trying to figure out how to do that – they have some ideas – but they’d’ take recommendations on how to structure that.
We have two types of CSPs– Identity verification companies approved at IAL and then Full CSPs that offer both IAL and AAL. Can an ID proofing company exist as a stand-alone service offering and actually provide services that conform to 800-63-3 Volume A? Or does an ID proofing company always have to be paired up with an authenticator provider to become the CSP? If an agency requires proof of legal name and they ask for evidence to a certain degree, there doesn’t necessarily have to be an authenticator in play.
There is no reason that the agency/organization may or may not act as the authentication component of that. And then the full CSP set of services would be whoever is offering that authentication plus whoever is offering that identity proofing service. It’s a reasonable criticism in that many of the requirements are targeted toward a structure called a CSP – when in practice, that CSP may be a number of different conglomerations of different subservices and sub-capabilities. It gets hard for NIST to try and break those down too far – simply because of the potential combinations, but if you are packaging just the ID proofing component of what would fit into a larger CSP – whether that is run by another 3rd party or the agency/organization – it can easily be determined what falls within the scope of the ID proofing services offered by the organization to be assessed and evaluated.
NIST does not specify how any assessing organization or certifying organization requires conformance. NIST deliberately tries to allow for componentization of services that are described across the volumes. By separating the volumes, NIST recognized that they are addressing different components in the overall identity management for an identity service. But, NIST’s purpose was to be able to allow for components to address the requirements however those components are arranged in an overall identity service.