...

  1. Administration:

    • Roll call, determination of quorum

    • Minutes approval - 2022-07-07 Minutes

    • General Updates

    • Assurance Updates

  2. Discussion:

    • Assurance Program - continued discussion from previous weeks

    • 63b SoCA proposal

  3. Any Other Business

Meeting Notes 

Administrative Items:

IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.

...

The meeting is lined up with David Temoshok for early August.

Discussion:

Assurance Program

There seems to be inconsistent use of the terms "in scope - applicable", "in scope - not applicable", and "not in scope" between the assessors, CSPs and ARB. Andrew asked the assessors what customers use as justification for why something is not applicable versus out of scope. Ray confirmed this is a gray area and that there are often discussions within KUMA about the proper term to use. These terms have been used interchangeably, so we need to settle on consistent application of terms.

...

Andrew noted that IAWG needs to make sure that conditional requirements are clearly stated as conditional, and that those requirements are explicitly where the term "not applicable" is used. That may be the determination. If it is not a conditional requirement but rather a mandatory requirement, then it should be either in scope - applicable or out of scope. Jimmy asked that we think a step further, to whether there is a minimum mandatory set of criteria that must be met for partial solutions.

There was a short discussion about whether Kantara should or could move to something like FedRamp Ready. Ray thinks that, now that more companies have gone through the program, we have an opportunity to go back and look at the assessment criteria with our learned experiences and have another go at it. What is minimum in scope? What is optional? It could be handled in this group and could be a good exercise. The framework does not need to change - it's solid - but the nuances need to be refined.

Andrew suggested our roadmap for this project to be before a public version of 64-4 is out because rewriting our criteria will be a massive undertaking at that point. Having the framework solidified by then will make that transition easier as well.

Martin reminded the group that the previous discussions around accepting other certifications (FedRamp, SOC2, etc.) in lieu of the CO_SAC still need to be considered. Andrew believes that is still the plan - that we need to do the analysis to see the relationship between the certificate and the criteria we have. This will go into the roadmap for revamping the assurance program.

Ray added that KUMA has recently had a number of clients claim they qualify for 63-3 because of REAL ID. Though 63-4 will tackle MDLs, there is a discrepancy between the NIST implementation guide and the notion of "strong plus" for REAL ID. Andrew mentioned that an action item for IAWG leadership is to ask NIST specifically about REAL ID - superior or strong?

Due to time and Richard Wilsher’s absence, the 63b SoCA proposal will be deferred to the next meeting.

Any Other Business

IAWG leadership keeps an action item list. All IAWG participants should be aware that the spreadsheet exists and it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!

Martin alerted the group that LC has moved their monthly calls to Tuesdays. Andrew provided a short update from the LC meeting: the CO_SAC approval will be handled by eballot.