Page Comparison

TBD

• Draft 2 of 800-63-4

  • Final comments

• Carol: Review comments provided.  Many duplicates, meaning some consensus within the group.

  1. Various members have been light on submitting comments through IAWG as their comments are incorporated into their company comments.

  2. Wallets section seemed particularly light

  3. Confirmed each comment is anonymized within the larger submission (not attributable to any particular individual).

  4. Most comments from Richard/Jimmy-neither report anything major that needs discussion.

     1. Richard-Noted phrasing/inconsistencies as biggest bug.

  5. Adam: NIST is particular with some phrasing (such as subscriber-as a particular meaning)

     1. Kantara’s distinction is that subscriber could be an organization paying for a service and its individual reps are the subjects of the proofing of the credentialing process. (RGW)

     2. Jimmy: Ryan (Galuzzo with NIST) has noted they are making guidelines, unfortunately some things are unenforceable.

        1. Line 16 (4-91) 63A: CSPs/organizations needing to do things, but they don’t distinguish between the organization doing the identification or needing options, and the CSP may just be a small section of this

     3. RGW: between rev. 2 and rev 3, Kantara has taken steps to make things accessible (introducing additional requirements not in NISTs documentation to better support the provision of services).  NIST seems to have picked up on these and made an attempt to incorporate them into their documentation, but struggling to do so correctly..  

        1. Requiring a published service description for each CSP (could reveal weaknesses)-RGW provided comments of line 8-31.

     4. Adam/RGW: note distinction between private entity ecosystem and govt agencies with proofing individuals v. working on behalf of an entity (subscriber v. subject)

  6. RGW: 63A-requires providing one unattended service and an attended service.  Now seems to be a standard that provides instructions on how to operate commercial services. (6.11-6.13)

     1. Adam: federal government is trying to have options available to encompass everyone (diversity/equity purposes).

     2. Jimmy:this seems fine for an agency, but not an appropriate request of CSPs

     3. Mike Magrath: Reminder that this guidance is mostly for federal agencies.  Private entities can use whomever, but federal agencies have to follow the NIST guidance.

  7. Jimmy/Richard: Always want to push for an accessible standard to all parties (IAL1-2-not present for government?)

     1. To put it in guidance would be fine, but to make it mandatory doesn’t seem right.

  8. Adam: More details in 1506 (4.1.1)--proofing type details

  9. RGW: 1509-1510 - also problematic (should not direct marketplace)

     1. Adam: guidelines needed for IAL3

  10. 4.2 line 1655-says same thing, but 4.3.1 won't say it because of restrictions on proofing types

  11. RGW: confirms these “shalls” should go because they are dictating the marketplace-not their job.

      1. Adam: Are they dictating the marketplace for government use?

      2. RGW: No-dictate a procurement v. provider policy.

      3. Mike Magrath: NIST also follows executive orders (EO).  There was an equity EO that maps to this requirement - doesn’t see NIST changing this requirement agencies.  Could be a “may” for commercial entities, but the “shall” stays for federal agencies.  

  12. Adam: These are guidelines for federal agencies and if we want to consume (procure) certain CSPs, they have to meet these guidelines for us to use them.

  13. Carol: Risk assessment: “appropriate level of risk”-this seems subjective.

      1. Mike Magrath-this maps to a specific document (FIPS 199) with detailed requirements regarding levels of risk.

      2. RGW: NIST hasn’t disclosed what they claimed to have done to come up with these requirements. Lack of transparency-how to make a judgment if you don’t know the original baseline?

      3. Adam: Every agency is required to do their own risk assessment-sees it as a federal government application.

      4. Richard: But if the agency wants to use a Kantara-approved CSP (requiring assessment)--it’s problematic to assess because the CSP doesn’t follow what NIST OR Kantara criteria says because they have a contract that says to do it this way.  Comparable alternatives come into play-how does the assessor come up with a judgment that this is/isn’t just as good?

  14. Next steps:  Carol to incorporate final notes/comments and circulate.  Requests a final offline review from the group before submission on Monday, October 7th, 2024.