Process for addressing assessor/field reports on new methods not covered in 63-3

If a CSP/service applicant does things in a way not listed in the NIST guidelines but believes it meets the required outcomes – can they get a pass? Currently, no, because NIST does not list it that way. Andrew would like to see if IAWG and/or Kantara has a way to process these types of requests, since there is a lag between the NIST guidelines and developments in the industry. We've been referred a case from PROVE Identity about using SIM cards as strong evidence.

Eric sees a challenge in approaching this since there is no baseline – only stated control requirements in 63-3 to compare against. How can you prove equivalency?

Andrew asked whether we should deal with it or just stick with the NIST standards. Are we exposing ourselves, our customers, and their customers to unacceptable risks if we don't allow new methods? Eric feels the only approach is to figure out what measurements are associated with the outcomes, so that equivalency can be shown by displaying both sets of data side by side. Short of that, it's just argument for argument's sake, with no baseline. Through a standard framework of measurement the possibility is there; without one, it isn't.

Martin suggested that the person proposing the alternative be the party responsible for asserting the comparison data. Maria agrees the problem is the lack of data and that there isn't a good mechanism to get the data. There is an appetite for having compensating controls evaluated independently by an organization. Andrew asked whether we have a sense of what that data is and where it might come from. Could we do a research project to figure out the baseline? Maria believes the idea would be that all agencies implementing the NIST 63 standards should be required to collect data on the controls they're using, the fraud they're seeing, and the reasons for the fraud, and report it up so the data can be compiled. Academic programs can only do so much toward understanding what types of fraud can get through this type of system. Due to time, this will be held over to a future meeting.

Any Other Business