Material during the meeting


Meeting Notes 

Attendees, 800-63-3 sub-group meeting, 10 August 2017

Scott Shorter, KUMA – Coordinator (member)

David Temoshok, NIST (member)

Mark Hapner, Resilient (member)

Aakash Yadav, OKTA (member)

Jenn Behrens, KUMA (member)

Andrew Hughes, LC Chair (member)

Ken Dagg, IAWG Chair (observer)

Richard Wilsher, Zygma (observer)


-Scope of the sub-group

-Ground rules for requirements decomposition

-Requirements Naming Scheme

-Requirements Data Model

-Work Plan

-Timeframe

-Participation - sub-group members

-Logistics

 

Q1: What is the relative priority of 63A, B and C? We want all of them done.

A1: Time is of the essence; we should drive towards completion on all.

David T reports that they (NIST) are working on a list of requirements pulled from 63A and 63B. The work group would appreciate the contribution.

Ken inquires why A and B rather than C. David responds that the task is to find common mappings with GPG 44/45 of the UK Cabinet Office and a range of Canadian government documents. GPG 44/45 correspond to 63A and 63B. Federation as an operational component was beyond the scope of that mapping. They may need to turn to 63C when they get to the operational stage of this project.

Andrew comments that compliance is the wrong word and suggests 'conformity', defined as fulfilling the requirements.

Andrew: One suggestion about the 'assessment methods' piece. Paul Grassi mentioned yesterday on the TFP call that NIST is aiming to produce a 63-3 guidance document in around January 2018. Maybe the 'assessment methods' piece might be dealt with as that material develops.

David asks: the IAF has to date relied on qualified assessors to determine the assessment methodology to apply to the SAC. Documenting assessment methods goes beyond the current scope of the IAF; qualified assessors would determine assessment methodologies to their satisfaction. Is this a conscious expansion of the scope of the IAF?

Colin responds that we're trying to clarify more than anything else. There may be a need to codify aspects of the assessment methods, a middle ground between nothing and fully open.

 

David notes that the initial work plan task was to restate the requirements as a clearly understandable set of criteria that qualified assessors would be in a position to evaluate.

 

Colin: the general objective is to give a general approach and broad guidance.

Scott: we cannot say that these are the required assessment methods, because there is no external standard driving those requirements; we are here to identify the requirements in the source documents. We can talk about "potential assessment methods". There is a difference between common organizational and functional criteria in the IAF, and a distinction between security assurance requirements and security functional requirements. The guidance is full of functional requirements (what the CSP shall do) and gives little guidance on how we know they do it, although the assessor determines the amount of activity. A middle ground would be to find some equivalent for the potential level of effort that could go into verifying different types of functional requirements.

Why is third-party assessment better than self-assessment?

AH: content on the rules for assessment, how certain aspects must be done.

 

Andrew suggests the assessment methods comment is about putting more content into the rules for assessment.

Mark asks if the overall goal is Kantara's assessment of assessors. This is an update to the Identity Assurance Framework (IAF), which includes requirements on assessors as well as on service providers. This is the process of changing Kantara's criteria to reflect 63-3. Who is going to use it? RGW answers that Kantara accredited assessors will use the decomposed requirements work product to judge the service providers.

RGW asks whether the common organizational SAC is still applicable; it is a fundamental one, to do with what Kantara can say when it grants approval after a 63-3 assessment. CO-SAC contents (in RGW's opinion) are not covered by 63-3.

Ken mentions that the new document coming from FICAM could necessitate the enhancement of CO-SAC.

 

Ground rules were agreed

DT: include conditional requirements.

 

Conditional controls will take place if you choose a certain authenticator or a certain registration workflow.

Aakash points out that unlocking a mobile phone, for example, is not considered biometric authentication. This requirement applies during the phone unlocking scenario.

 

David inquires: we're intending that this will not follow the IAF, is that correct? Scott: it is not part of our task to work with the current IAF. We will make a comparison to see where the IAF needs adjustment to the new requirements.

 

Andrew suggests that the direct reference method is useful during this exercise. An independently named scheme will be useful in the long run; we should be ready to impose a Kantara-specific naming scheme.

 

Google spreadsheet

 

Are the edited / decomposed requirements the same as the service assessment criteria?

Andrew responds that the requirements from the source document will be closely linked to the service assessment criteria, by Kantara’s adoption process. The SAC are about how to demonstrate having fulfilled the requirement. Without dictating what assessors must do, this may convey specific tests or evidence. RGW asks how to define an assessment method if you don’t know the solution?  Andrew points out that this can point to a policy being in place without the implementation of the policy being validated in the text of the SAC.  Each accredited assessor should be able to achieve the same conclusions, given the same evidence.  If two assessors can’t agree on what nonconformities are, that’s a problem.

 

Scott: Definition of a requirement:

 

Andrew suggests that "assessment methods" could be "criteria": how you fulfill the requirements.


RGW is not yet persuaded that we need assessment methods.

Colin responds that, depending on the requirement, we may state whether the requirement is such that we can repeat it directly from the requirement. He envisions that we would have a category of terms to choose from to show the interpretation of the requirement.

David comments – Kantara ARB does not assess the methodology that assessors have used to determine conformity to the assessment criteria.  Assessors should indicate their approach in assessment plans in accordance with security review standards, but to date there’s been no methodology for individual assessment criteria reported by the assessor.  If the intention is to have an evaluation of the assessment method that qualified assessors apply, that’s a departure from the way assessments have been done to date.

RGW points out that it could impose an expertise qualification on the ARB. Andrew suggests that we may be overstating the significance of the assessment methods, i.e. that something must be assessed a certain way. RGW suggests we are confusing how something may be required versus how it may be fulfilled. Example: CSP SHALL NOT misuse PII. We could have a criterion that shows that there must be a policy statement; we could also require a credential policy.

RGW suggests that we strike step three from the plan: identify the requirements and refine them. Andrew notes a different usage of "requirements": for Andrew, the SAC are not the same as the requirements as stated in the standard. RGW says that requirements are normative statements from the source documents.

 

David has pulled the normative requirements from 63A and 63B.  Aakash suggests contributing his work on 63C.

David observes that there are different ways to pull out the requirements and organize them: organized by assurance level for 63A, and by generalized authentication approach and specific authenticators for 63B.

David will look into potential errata on the source documents.

 

  • It was agreed that the Google spreadsheet works, with static snapshots.

 

  • Scott commented that the Kantara IAF has encoded assurance levels into each unique criterion, mapping which requirements apply to which level. We will be able to do the same, identifying which subset is applicable at levels 2 and 3.

 

Tasks for week 1

The Tasks for week 1 are: Identification: Analyze the source texts with the ground rules below to create a list of the requirements, conditions and recommendations.

 

ACTION ITEMS:

-Mark Hapner volunteered to work with 800-63A

-Andrew Hughes volunteered to work with 800-63B

-Scott Shorter volunteered to work with 800-63C

-David will check with NIST team if he can share the requirements that NIST extracted.

-David will look into potential errata on the source documents.

-Aakash Yadav will share his compilation of A, B and C.