2023-09-07 Minutes
Administration
IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.
Roll call:
Voting - Andrew Hughes, Jimmy Jung, Chris LaBarbera, Mark Hapner, Mark King, Richard Wilsher, Zaid AlBukhari
Nonvoting - Yehoshua Silberstein
Invited Guests - Lisa Balzereit
Staff - Amanda/Lynzie
Minutes approval
Jimmy Jung motioned to approve, Mark Hapner seconded.
Motion carried to approve minutes from August 31, 2023
Kantara Updates
63A_SAC is open for public comment through October 19, 2023. The link has been sent out and it is linked on IAWG Wiki. Lynzie will be notified if anything comes through. All others are with the LC for approval.
DeepfakesIDV Discussion Group has had their first official meeting (chaired by Andrew H.).
Andrew reports that 15 people were on the call, with roughly 35 on the overall roster. More are joining, biometrics industry leaders have taken notice, and they are spreading the word. The goal is to get to 50-70 on the roster.
The call is Wednesdays at 12 PM (noon) Eastern Time.
The group’s focus will be to shed light on generative AI and how it simulates humans and deceives biometric authentication systems. Andrew hopes to prepare some educational material and offer guidance on things you need to know when buying or selling biometric based authentication systems.
Aiming for a 9-month run of the group before publication.
IAWG connection - there will be a touch point along the way with remote identity verification and proofing, because that is where the deepfakes threat applies and where it touches NIST 800-63.
Assurance Updates - none
Discussion - IAWG Recommendations - specifically #3-4 regarding technical class of approval and CO_SAC Updates
Andrew H. notes that part of the discussion should be around Item D: a core requirement is that a service under assessment should have a certified ISMS or an operational SMS in place. If this is true, there are certified ISS schemes out there that should be recognized as equivalent to some current requirements regarding similar things.
Summary/History:
Andrew notes that for 800-63 rev.2, they still had levels of assurance 1-4 instead of the current IAL, AAL and FAL. Rev.2 was not a complete set of requirements. If you conformed to rev.2, it did not necessarily mean you would end up with an operational service that would deliver the desired level of assurance. So Kantara had the service assessment criteria for operations to cover the requirements.
Andrew also notes that for rev.3, Kantara tied the service assessment criteria very tightly to NIST language, in order to achieve conformance and for more companies to be able to sell services to the federal government by having a trust mark demonstrate the fulfillment of 800-63 rev.3 requirements.
Result of all this is that there is an “orphan” document, the CO_SAC, as this was not brought into 800-63 rev.3.
The CO_SAC still has value, as there are things in this document that are not covered by rev. 3 and possibly not by rev.4.
Jimmy notes some people are content with the technical certification, and do not see a need for anything further from Kantara.
Richard notes that there are requirements in the CO_SAC which pull from the generic concept of ISO 27001. Kantara would define a number of approved certification processes, and if the scope covers the Kantara requirements, an organization would get a “free pass”. But some criteria would not be readily satisfied (e.g. CO#0090). These things have not been effectively conveyed into rev. 3, but now there is different terminology and things need to be aligned (the same scope/requirements in each case). Richard also notes that there are dichotomies between the CO_SAC and other documents, and some refinement may be needed.
Andrew notes that the Kantara SACs are closely coupled with 800-63 rev.3, as it is accepted by federal government, but now we are learning about areas where divergence may be needed to meet an industry need that is not covered by 800-63 rev.3 (ex. supervised remote criteria). He also notes that incorporating the CO_SAC is the first step towards decoupling the Kantara criteria from the NIST criteria. Andrew sees this as a positive, as it allows Kantara more freedom to lead the way and to look at industry best practices (not only US federal government best practices). Richard concurs, as this is the added value of the Kantara approval.
Lynzie notes that #4 can’t be done until #3 is done, as we can’t remove the technical class of approval without considering the CO_SAC.
Richard cites two points regarding #3: 1. Some criteria could be given a pass if the applicant has a specific, recognized form of certification whose scope encompasses the service for which they are seeking Kantara approval; and 2. What do we do to refine the criteria that are replicated for similar things in the OP_SAC or any of the 63X_SAC? Should we pull them out of these locations because we know they will be enforced via the CO_SAC? A third note is keeping LOA1 and/or LOA4. Richard also notes that if substantial changes are made to the CO_SAC, where else can this information be optimized or eliminated?
Andrew notes that the level structure should be the same as 800-63 levels. So it’s no longer LOA1-4, it’s now Levels 1-3.
Lynzie notes concerns with alignment due to current program participants. All 800-63 participants use LOA3 on the CO_SAC and those with ‘classic’ approval use LOA2.
A conversation was had about retiring the classic approval, however, it was noted that it is minimal work for Kantara or the assessors as it is for long-standing clients (not much is changing in the services). Additionally, those who have this approval want to keep it and are not interested in changing. Andrew recommends outreach action to the customers to determine the value of the classic trustmark to the business, then take action based on the feedback. Andrew asks if the Assurance program can formally tell the IAWG that the classic approval is still in demand by clients, to have it on the record. Richard notes that during the outreach, the clients could be asked how much longer they will want to keep the classic approval (Andrew concurs). Lynzie will reach out to the clients to confirm. Andrew notes that in general, new clients should not be encouraged to pursue classic approval, as it is outdated, but current clients can stay on.
Andrew notes one option to address those still using LOA1 is to freeze the criteria for Classic since it is no longer updated. Richard notes this would result in two versions of the CO_SAC (one for Classic & one for rev.3). It will be easier to have CO_SAC frozen with classic approval, and a modified CO_SAC for 800-63 rev.3 and hopefully for rev.4.
ACTION: Richard offers to take the current version of the CO_SAC and take a preliminary look at the criteria to determine whether any are considered a “free pass” in accordance with D, and whether Kantara would want the criterion to continue to apply to 63X, as a basis for discussing future actions in detail. To be ready for the 9.21.2023 meeting.
Any Other Business
Lynzie notes that with criteria updates concluding, there is space on the agendas for different topics, which would be welcomed by the group.