2023-05-04 Minutes
Attendees:
Voting Participants: Andrew Hughes [Ping], Martin Smith, Mark King, Richard Wilsher [Zygma], Jimmy Jung [Slandala]
Other Participants: Eric Thompson [Experian], Lisa Balzereit [USPS], Max Fathauer [Ping]
Staff: Lynzie Adams
Proposed Agenda
Administration:
Roll call, determination of quorum
Minutes approval -
April 27 DRAFT Minutes (non-quorum meeting, notes from discussion)
Kantara updates
Assurance updates
Discussion:
IAWG Comment Opportunity: DRAFT - NIST IAM Roadmap: Principles, Objectives, & Activities - Due June 1. Lynzie sent an email on Apr 27 with further information, including timeline listed below. Current comments here.
CARIN Credential Policy - primary focus around technical sections (§3-6). WG Needs to determine a plan of action.
KIAF 1050 - Glossary and Overview - updates done by IAWG in 2021 were never approved. Review & vote on set of updates; discuss plan for future document.
Any Other Business
Meeting Notes
Discussion:
IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.
Minutes Approval
The draft minutes from the group of review meetings on our revision 4 comments (Mar 9 - Apr 13) were approved in one motion. April 27 was a non-quorate meeting; notes were taken.
Mark King moved to approve the draft minutes from the revision 800-63-4 review meetings. Andrew Hughes seconded the motion. Motion carried with no objections.
Kantara Updates
Andrew provided an update on upcoming conferences and Board work, including leadership roles and sub-committees. The Kantara newsletter was also recently sent out - if you have not received it, you may not be on the list. Please reach out to Lynzie if you are not receiving the newsletters. Kantara staff are working to clean up the Kantara contact database to ensure accurate email addresses are listed for everyone. Any assistance in providing updated information or letting us know if you aren’t receiving things is helpful.
Assurance Updates
Exostar was recently Approved for IAL2/AAL2. They become our third organization that has achieved 800-63 approval while maintaining their Classic approval as well. USPS has also recently become a registered applicant.
The ARB has finally started looking at the IAWG recommendations provided to them in November. The discussion is ongoing and this group will be updated once action is needed.
IAM Roadmap
Lynzie emailed IAWG with the link to the roadmap and an outline of dates to complete comments. She reviewed that timeline in the meeting:
April 27 - May 18 IAWG members review document, draft, and submit comments to IAWG either via email or added to the Google Doc.
May 25 - IAWG will review submitted comments for approval during regularly scheduled meeting.
May 25 - June 1 IAWG leadership will finalize any edits, draft a cover letter, and submit to NIST by the deadline.
Martin asked if we planned to address authorization, and Andrew shared that we do need to address it in some way - but how is up for discussion. Mark King brought up delegation as part of authorization. There was further discussion on the topic between Mark King, Andrew & Martin.
Mark King brought up that our comments should suggest that we have an opportunity to use the ‘sandbox’. Andrew believes we have an opportunity in their new lab. Andrew asked to pencil in the 18th for further discussion of this topic.
CARIN Credential Policy
Andrew provided background on the CARIN project and what they need from Kantara. Richard paraphrased that it is Kantara’s intention to offer assessment and approval for CARIN CSPs. He further argued that if this is the intention, we need a distinct class of approval. It does not seem to align with what we currently have and it would not suit non-CARIN CSPs. Andrew believes that detailed determination is still TBD. Andrew agreed that there are requirements in the CARIN credential policy that are not in our current criteria - and likely enough of them to separate the criteria. There was some further discussion on the language used in the policy.
Andrew said Kantara will do something, but is unsure what that is. There will be a plan, and there are timelines that mean we should move rather quickly. Lynzie highlighted the fact that each week we don’t make a plan allows DirectTrust to get one week closer to rolling out their program and being in the market before we are. The email from DirectTrust came on March 10 - and in that email they said it will be out the door in a few months. We are potentially at that ‘few months’ and still don’t have a plan to tackle the project. Richard feels this is beyond the scope of what the IAWG can tackle in a timely manner, if at all. He offered his services, if this is a funded activity, to get the project completed, as this is not a trivial piece of work. Andrew does not disagree with this. Richard reiterated that it needs funding - like we had with the revision 3 criteria. Then we come back to IAWG and CARIN before publication.
Richard’s suggested plan of action is to review the current draft policy (and potentially provide suggested edits), develop a CARIN class of approval, and draft the criteria. He believes that could cost up to $18k. Andrew acknowledged he agrees it needs someone to focus on it.
Jimmy voiced concern, wanting confirmation that this is not an attempt to ‘rebrand’ IAL2: it still must meet and follow all IAL2 criteria. Lynzie confirmed that was not the intent; it is to be IAL2, with the addition of 800-53 controls and some specific requirements that weren’t explicit in 800-63 (expiration limits, etc.).
Andrew will follow up with Kay, Denny & Lynzie for next steps and provide follow-up to this group.
KIAF 1050 - Glossary and Overview
Due to time constraints this could not be fully addressed and will be taken up again at an upcoming meeting. There is work being done in the ARB to update the Service Approval Handbook - and this document is referenced there, so it would be good to update it as well. Additionally, IAWG did work on this document in early 2021 that was never finalized. Andrew believes it needs a large overhaul, but in the meantime small updates that reflect new processes (e.g., approvals now go to the Executive Director rather than the KIBoD) should be approved and published.
Mark King suggested adding a ‘changes in this revision’ section. If people are relying on the document, they need that section. If they are not relying on the document, then why have the document? Lynzie will add that section and a log at the bottom.
Andrew feels the document is very helpful to anyone going through the assurance program; however, it’s likely not useful to anyone else. This will go on the next agenda.
Any Other Business
IAWG is cancelled next week, May 11, due to EIC.