Compilation of comments - 2017-12-14


  • During the IAWG meeting of 2017-12-14, the draft compilation of comments to submit to GSA was discussed. The process of gathering comments is open until Tuesday, December 18 COB ET.
  • The text that was discussed is the following:


"In reviewing the CONOPS and Process documents proposed by the GSA, Kantara’s members would like to make the following overall comments, which they believe challenge the practicality and implementability of the proposed program:

 

  1. GSA’s program appears to be requiring an identity trust framework to assume Federation framework operator responsibilities on behalf of the Federal Government that Kantara does not currently perform, and which will be prohibitively expensive to adopt;
  2. GSA’s proposed program appears to be requiring a certification scheme that will be difficult to resource (both in terms of financial resources as well as staff skills);
  3. GSA’s proposed program appears to be requiring conformance evaluation with SP 800-53 that will make assessment several times more expensive for those organizations that aren’t already pursuing SP 800-53 evaluation through FISMA or FedRAMP.
  4. The cost impact of the points made above will be accrued through: development costs for the ‘trust framework’ to modify its operating practices: $500k* of direct (procedure author/editor fees) and indirect (pro bono member time) costs; audit costs upon the ‘trust framework’ operator (presently guesstimated at $150k - $300k**); additional assessment and operational costs for service providers ($xxk to conform initially, and thereafter $yyyk annual conformity maintenance). The bulk of these costs (excepting perhaps the members’ pro bono contributions) will be passed back to the Federal Government through credential services fees;
  5. GSA’s proposals appear to have no concept of BUSINESS operations: what business model has been assumed in the development of this program? It must be a given that no commercial entity can absorb these costs without passing them on to its customer, which is ultimately the Federal Government.
  6. Given point (5), Kantara specifically would be obliged to absorb the cost implications of this program exclusively towards the Federal Government, whilst maintaining its ‘normal’ ‘Trust Framework’ operations for the benefit of its non-Federal facing members, which only increases the cost burden that must be passed to its Federal membership community.
  7. GSA makes no reference at all to the existing FICAM Trust program, and that being proposed is so vastly different in its assumptions and proposed operation as to effectively render the existing program non-existent. Is that GSA’s intention and how does it anticipate a managed transition between these two programs (or, equally, how does it envisage their operation in parallel)?

We also offer more detailed comments on the Process document, but stress that our greater concern is the overall practicality of what is being proposed, and therefore the detailed comments may be irrelevant if discussion leads to the practical changes we would hope to see".