  • April 27 - May 18 IAWG members review document, draft, and submit comments to IAWG either via email or added to the Google Doc

  • May 25 - IAWG will review submitted comments for approval during regularly scheduled meeting. 

  • May 25 - June 1 IAWG leadership will finalize any edits, draft a cover letter, and submit to NIST by the deadline.

Martin asked if we planned to address authorization and Andrew shared that we do need to address it in some way, but how is up for discussion. Mark King brought up delegation as part of authorization. There was further discussion on the topic between Mark King, Andrew & Martin.

Mark King brought up that our comments should suggest that we have an opportunity to use the ‘sandbox’. Andrew believes we have an opportunity in their new lab. Andrew asked to pencil in the 18th for further discussion of this topic.

CARIN Credential Policy

Andrew provided background on the CARIN project and what they need from Kantara. Richard paraphrased that it is Kantara’s intention to offer assessment and approval for CARIN CSPs. He further argued that if this is the intention, we need a distinct class of approval. It does not seem to align with what we currently have and it would not suit non-CARIN CSPs. Andrew believes that detailed determination is still TBD. Andrew agreed that there are requirements in the CARIN credential policy that are not in our current criteria - and likely enough of them to separate the criteria. There was some further discussion on the language used in the policy.

Andrew said Kantara will do something, but is unsure what that is. There will be a plan and there are timelines that we should move on rather quickly. Lynzie highlighted the fact that each week that we don’t make a plan allows DirectTrust to be one week closer to rolling out their program and being in the market before we are. The email from DirectTrust came on March 10, and in that email they said it will be out the door in a few months. We are at that ‘few months’ potentially and still don’t have a plan to tackle the project. Richard feels this is beyond the scope of what the IAWG can tackle in a timely manner, if at all. He offered his services, if this is a funded activity, to get the project completed as this is not a trivial piece of work. Andrew does not disagree with this. Richard reiterated that it needs funding, like we had with the revision 3 criteria. Then we come back to IAWG and CARIN before publication.

Richard’s suggested plan of action is to review the current draft policy (and potentially provide suggested edits), develop a CARIN class of approval, and draft the criteria. He believes that could cost up to $18k. Andrew acknowledged he agrees it needs someone to focus on it.

Jimmy voiced concern that this is not trying to ‘rebrand’ IAL2. It still must meet and follow all IAL2 criteria. Lynzie confirmed that was not the intent, it is to be IAL2, and then in addition there are 800-53 standards included and some specific requirements that weren’t explicit in 800-63 (expiration limits, etc).

Andrew will follow up with Kay, Denny & Lynzie for next steps and provide follow-up to this group.

KIAF 1050 - Glossary and Overview

Due to time this was not able to be fully addressed and will be addressed again at an upcoming meeting. There is work being done in the ARB to update the Service Approval Handbook - and this document is referenced in there so it would be good to update it as well. Additionally, IAWG did work on this document in early 2021 that was never finalized. Andrew believes it needs a large overhaul but in the meantime, small updates that reflect new processes (i.e., approvals go to executive director rather than KIBoD, etc) should be approved and published.

Mark King suggested adding a ‘changes in this revision’ section. If people are relying on the document, they need that section. If they are not relying on the document, then why have the document? Lynzie will add that section and a log at the bottom.

Andrew feels the document is very helpful to anyone going through the assurance program, however, it’s likely not useful to anyone else. This will go on the next agenda.

Any Other Business

IAWG is cancelled next week, May 11, due to EIC.