Attendees:
...
Administration:
Roll call, determination of quorum
Minutes approval
Kantara updates
Assurance updates
Discussion:
800-63-3 Criteria Issues to Resolve - numerous concerns have been brought up over several months and need to be discussed and likely updated.
IAWG Submitted Comments: NIST IAM Roadmap Update
KIAF 1050 - Glossary and Overview - eballot open for voting members until 6/27
Any Other Business
Meeting Notes
Discussion:
IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.
...
800-63-3 Criteria Issues
The group worked through issues raised from ARB, assessors, etc that must be resolved. Notes are in the document as well.
63A#0120 - discussed and resolved. Group decided to update to twelve months - aligns with our annual review cycle as well. CO_SAC #0170 will be updated to remain aligned. It was discussed if this would be material - but the assumption is that when the entirety of these updates are concluded, it’ll likely be a material update. We’ll hold on to the determination of materiality until all updates are made.
63A#0180 a) - discussed and resolved. The proposed text that separates Superior and Strong requirements that were initially misinterpreted were accepted. The update revises both a) and b).
63A#300 e) - discussed and resolved. after discussion around ‘address OF record,' the group decided to add guidance to the criteria rather than updating the criteria. The added guidance is “The intention here is that there are two communication channels, in particular validated addresses.” Assessors thought this was a good option.
63A#0490-0580 - discussed, but not resolved. Will invite CSPs to discuss and revisit on July 13. These criteria were flagged by ARB and an assessor as being misapplied to IAL2. The discussion was around IAL2 services that utilize supervised remote identity proofing but are being assessed against IAL3 criteria. The current criteria for supervised remote is much more stringent than what IAL2 must meet to do supervised remote. There is a gap in the criteria for those services who do these proofing sessions at IAL2 and they may have un-assessed parts of their service without some criteria. Andrew asked to share the topic with the CSPs and let them know something will likely change, so please attend the meeting to share your feedback if your services uses supervised remote proofing. Inconsistency of application - and needs resolved one way or another.
...