SG GSA 2017-12-11 Meeting Notes

GSA SG Meeting 2017-12-11


Attendees:

Andrew Hughes

Colin Wallis

Mark Hapner

Richard Wilsher

Scott Shorter

Ruth Puente


Draft Meeting Notes on TFS Certification Process discussion


High-level comments compiled by Scott Shorter from previous SG discussion (2017-12-05):

  1. GSA model appears to conflate an identity trust framework legal structure with operator responsibilities; this change will be prohibitively expensive to adopt.
  2. GSA documents expect a certification scheme that will be difficult to resource (both in terms of financial resources and staff skills).
  3. GSA documents expect conformance evaluation with SP 800-53, which will make assessment several times more expensive for those organizations that aren’t already pursuing SP 800-53 evaluation through FISMA or FedRAMP.


Mark asks if the goal is clear. CW answers that the goal of GSA is to shift the work of determining if a CSP is performing well from the agency to the trust framework operator, partly to save money and to create a cleaner procurement.


CW commented that he is trying to get answers to the SG questions and start a dialogue. He hopes to meet with GSA this week.


RGW suggests that the three points are pretty well phrased. For the first, he suggests: don’t assume framework operator responsibilities; add “federation framework operator responsibilities on behalf of the federal government”. Do we choose to state the specific amount again? Would we put a number (e.g. 200-300K) per trust framework provider plus the cost to CSPs?


CW said that as soon as the comments are out of the way and have cleared the program manager’s plate, the next mini project we might have to do would be a bottom-up costing of the estimated cost impact (time and effort) per component. RGW asked why that would be more successful than a face-to-face.

CW assumes that there would be a f2f but we should assume that we may not be able to change their mind.


CW has said to Chi and Jim: if you want to stop the program, you could’ve just said so.


CW commented that when he met FICAM in April they were facing resource challenges and wanted to merge the Federal PKI and TFS Program. RGW sees this as a new invention. CW suggested asking Federal PKI folks if they were asked to look at the same documents. RGW and CW will talk to their Federal PKI contacts. CW already reached out to Peter Alterman but got no response; Ruth suggested copying Matt King, Peter’s colleague.


RGW said that he sent IAWG a comment sheet with 62 comments at a very detailed level, but he doubts their relevance until we understand the big picture.

He suggested deciding whether we want to pull some of those comments to submit to GSA.

He also added that he will send Scott 2-3 comments in relation to these questions: is there any understanding of the business model behind this? What is the intention with the existing Program?

Regarding costing, we should use orders of magnitude.


CW suggested using the checklist of requirements from the document and working through a dollar figure for each resource/effort.



Action items


  • CW to schedule a call with GSA at the end of this week or early next week.
  • RGW to send Scott comments questioning whether there is any understanding of the business model behind this and what the intention is with the existing Program.
  • CW and RGW to reach out to contacts related to Federal PKI. CW to contact Certipath and RGW Execert.
  • Decide in the next meeting if the SG wants to pull some comments from RGW’s comment sheet for the compilation that will be submitted to GSA.


Next meeting: Thursday 14th at 3pm ET together with IAWG meeting.