...

Kay had a call with Phil Lam this morning. Federal agencies are talking to him about the difficulty they're having with pass rates due to facial recognition (AL2). Kay mentioned IAWG is drafting material to offer guidance/information to federal agencies about alternative controls. Phil agreed with David Temoshok that this is not a good move and does not think Kantara should take this position. He commented that it could negatively impact the relationship Kantara has with both NIST and GSA. Phil suggested if agencies reach out that they should be directed to NIST or even to him. Kay wanted to ensure IAWG was aware before moving forward in the current process.

Richard confirmed that our currently proposed revision is to formalize what is stated in Sec. 5.4 of NIST 800-63. We are not inventing things, just making a stronger case.

...

Richard suggested drafting a very clear document showing which pieces of text in 800-63 our proposed criteria embody, and if anything was invented, to justify it. That would show that there is rigor applied throughout the entire process we have been discussing.

It was noted that the first step of the Kantara review process is to make the proposed criterion changes available for public review. There was concern that putting the draft into the public domain could be perceived negatively by GSA and NIST. After further discussion the WG agreed to have further conversations with Phil, and meanwhile to hold off on initiating the Kantara review. This would delay final approval and publication of the revised criteria until after the holidays.

Regarding the anticipated discussion with GSA, Martin suggested asking whether the current language on comparable alternatives in NIST 800-63-3 would be retained in current or modified form in the next NIST version of the standard (63-4). Roger concurred. The group agreed that having GSA on board was critical.

Martin suggested a conversation with Eric Thompson from the Department of Labor, to validate our understanding of their intent to explore the use of the alternative controls provision of the current (800-63-3) NIST standard. We have been told they want to enable credentialing of populations who often cannot provide the documentary evidence currently required for identity proofing. He suggested that the current Administration's emphasis on inclusiveness might make it timely to exercise the provisions for comparable alternative controls.

Richard stated he is currently talking to 3 CSPs who are interested in comparative alternatives because they have federal agencies asking about it and they are having difficulties meeting the NIST criteria. He agreed with much of the prior conversation, including the idea of a meeting with DOL's Eric Thompson, to bring him up to speed. Kay undertook to set up a meeting with Eric.

Regarding the schedule for revising the current Kantara criteria, it was noted that the group had previously been concerned with not requiring Kantara reviewers, assessors and service providers to deal with frequent updates. When NIST updates the underlying standard from 63-3 to 63-4, Kantara will definitely have to do its own major update of the criteria. Avoiding updating the current Kantara criteria and then having to do another update soon thereafter was the main schedule consideration that led the WG to set a goal of getting the current revisions approved before the 2021 holidays.

Ken D. believes that at this point we are looking at early 2023 before NIST releases 800-63-4, which would mark the start of the conforming Kantara assessment criteria update. Given that outlook, nobody voiced concern in delaying until January 2022 the final approval and publication of the currently proposed updates. The consensus of the group was thus to delay initiating Kantara review, and thus releasing the package for public comment, until further conversations are had with GSA and potentially NIST. Richard agreed to draft a clear comparison of our proposed language vs. the NIST 800-63 language on comparable alternatives, and provide that to Kay as background for her next meeting with Phil.

Roger stressed that the concern is the inflexibility of the existing NIST standards for identity proofing and uncertainty about the process for using comparable alternative controls.

Kay will continue to keep Ken and the IAWG up-to-date with progress from the discussions with GSA and others.

UK Response:

Ken put together a response and will circulate after the meeting. He had preliminary feedback from Martin and Mark King. Please review and send comments. The group will discuss at next week's meeting as it is due Monday, September 13.

...