2022-04-21 Minutes

Attendees:

Voting Participants: Ken Dagg, Martin Smith, Mark Hapner, Richard Wilsher, Mark King, Jimmy Jung
Other IAWG Members: Hiroyuki Sato, Andrew Hughes 
Staff: Lynzie Adams

Proposed Agenda

  • Administration:
    • Roll call, determination of quorum
    • Agenda confirmation
    • Minutes approval - 2022-04-14 DRAFT Minutes
    • Staff reports and updates
    • International liaisons updates
    • LC reports and updates
    • Call for Tweet-worthy items to feed (@KantaraNews)
  •  Discussion: 
    • CO_SAC revisit - LoA 1 & 4
    • DIACC Request
    • Kantara Service Descriptors continued conversation
  • Any Other Business and Next Meeting Date

Meeting Notes 

Administrative Items:

IAWG Chair Ken Dagg called the meeting to order at 1:03pm.  Roll was called. Meeting was quorate. Distributed agenda was confirmed. 

Minutes approval:  Mark King motioned to approve the draft minutes from the April 14 IAWG meeting. Mark Hapner seconded the motion. The minutes were approved unanimously.

Staff Reports and Updates:

No staff or international updates.  

LC reported that Ryan Howell from the CARIN Alliance presented at the previous LC meeting about their current Proof of Concept in the healthcare industry. Kantara is engaged in the CARIN Alliance and meets with stakeholders weekly. The slide deck from the presentation is available on the LC wiki page.

Discussion:

CO_SAC Re-visit

The 45-day review window for the CO_SAC opened yesterday. It closes on June 5.

Richard Wilsher suggested simplifying the CO_SAC (and OP_SAC) by removing the LoA1 (and possibly LoA4) columns, and any criteria that apply only at LoA1, as neither level is assessed in the current program, with the exception of GakuNin in Japan. Guidance would be adjusted so that it is preserved at the lowest remaining LoA level.

Dr. Sato confirmed that GakuNin does use the CO_SAC and needs the LoA1 column.

It was brought up that the delta would need to be adjusted if the LoA1 criteria are removed.

Andrew suggested that, if it's not broken, don't fix it: removal could surface different alignment problems. It could save trouble in future alignments.

This raised the question of whether Kantara still accepts Classic applications. Lynzie has raised this with the ARB, as a company is currently interested in it, but she did not get a definitive answer. Andrew sees accepting new Classic approvals as problematic. Richard countered that this is only the case for US-based companies; if that is what they want and they are willing to pay for it, why not?

Dr. Sato asked if this meant LoA1 was being removed. It is not. Dr. Sato can continue to use LoA1 under the current grant of approval. GakuNin is currently in talks with ARB members about extending GakuNin's approval to assess xAL2; GakuNin's ultimate goal is to move beyond LoA1. Andrew confirmed that the aim is to clean up the spreadsheet, not to change the classes of approval.

Jimmy suggested that if this would cause any issue for an assessor, it should be left alone. It was agreed to leave the spreadsheet as-is while GakuNin continues to do LoA1 assessments. This can be revisited once GakuNin achieves xAL2 status.


DIACC

It is still unclear whether IAWG should be the group that comments on this or whether other work groups would be more inclined to do so. The Conformance Profile Draft Recommendation was pulled up for a brief review and discussion.

Ken's concern is that different assessors would come up with different results: these criteria appear more likely to produce a 'maybe' answer than a 'yes' or 'no', whereas Kantara criteria lend themselves to yes/no responses. It was proposed to follow up with the other groups and look further at the documents before fully committing.

As a note, it was previously standard to have one primary author: initial drafting would take about 3 hours, followed by 1-2 IAWG meetings dedicated to discussion. That is the extent of the time to spend on requests such as this, perhaps a bit more for members, but DIACC is not a member.

Lynzie will create a wiki page that has all of these files easily accessible.


Service Descriptors

With limited time, this will be the focus of the next meeting agenda.

Lynzie relayed the ARB's concerns about technical approvals and its feeling that they should not be offered. Richard continues to believe it was a mistake to create the technical approvals, but the CO_SAC needs to be better aligned to support the 63-3 criteria; it is currently written to support the OP_SAC.

Jimmy views it differently: many companies he talks with already have a FedRAMP authorization or a SOC report that they are showing people, so requiring them to pay for a CO_SAC assessment as well seems unnecessary. He is hesitant to make it required.

Richard pointed out that there are identity proofing and credential management criteria in the CO_SAC that are important and would not be covered by a FedRAMP or SOC assessment.

Jimmy laid out the questions:

  1. Full vs. component: IAL and AAL together, or can it be just one?
  2. Technical: offer it or not?
  3. Who owns this? The Board owns the classes of approval; IAWG can advise, but the KIBOD makes the decision. The service descriptions are a business decision. Andrew confirmed from his prior experience that the matrix is confusing to companies and could be tweaked. These are market-acceptance questions about what we want to call things; the label must match the class of approval. IAWG can recommend all of this to the Board, but the Board will vote.

Next Meeting:

April 28 to continue the discussion on Service Descriptors.