2022-07-21 Minutes

Attendees:

Voting Participants: Andrew Hughes, Martin Smith, Mark Hapner, James Jung, Michael Magrath, Denny Prvu
Non-voting participants: Eric Thompson
Guests: Matt King and Ray Kimble
Staff: Lynzie Adams

Proposed Agenda

  1. Administration

  2. Discussion:

    • Assurance Program - continued discussion from previous weeks

    • 63b SoCA proposal

  3. Any Other Business

Meeting Notes 

Administrative Items:

IAWG Chair Andrew Hughes called the meeting to order. Roll was called. Meeting was quorate.

The newest voting member, Denny Prvu, introduced himself to the group including his role with the Royal Bank of Canada.

Minutes approval: Mark Hapner motioned to approve the draft minutes from the July 7 IAWG meeting. Martin Smith seconded the motion. The minutes were approved unanimously.

Agenda was confirmed.

General Updates: Andrew provided a brief update in lieu of Kay’s absence. The UK program is in a bit of a lull attributed both to summer travel and the resignation of Boris Johnson. We will keep an eye on how it all progresses.

Assurance Updates

Andrew provided a brief update on the relying party feedback meeting being planned with NIST and financial institutions. There is little coverage in 63-3 around some of these topics that private institutions are already tackling (risk-based, fraud signals, etc.). These meetings can provide information for NIST consideration. Awareness, consideration, and influence are all goals of this meeting.

Jimmy stated that NIST is government-agency focused, but they need to think outside agencies and acknowledge what is happening outside their spectrum that could be implemented into 800-63. Michael mentioned that NIST did bring in outside organizations in 2017 for cybersecurity feedback, so this is not outside NIST’s realm.

Martin asked how Kantara will respond to NIST potentially saying they have no authorization to make standards outside the government realm. Andrew and Eric confirmed that is not what we are trying to accomplish. The hope is that they will consider current approaches from financial institutions and potentially implement them - especially from a DEI perspective. These are companies that are solving common problems - so potentially adopting their solutions could benefit everyone.

Mark Hapner initiated a short discussion on financial regulators. Denny provided his perspective from the RBC on those regulations and guidelines.

The meeting is lined up with David Temoshok for early August.

Discussion:

Assurance Program

There seems to be inconsistent use of the terms ‘in scope - applicable’, ‘in scope - not applicable’, and ‘not in scope’ between the assessors, CSPs and ARB. Andrew asked the assessors what customers use as justification for why something is not applicable versus out of scope. Ray confirmed this is a gray area and that there are often discussions within KUMA about the proper term to use. These terms have been used interchangeably, so we need to settle on consistent application of terms.

Ray recalls that SHOULD statements should be listed as in scope. Some CSPs are not comfortable with that though and feel that certain SHOULD criteria are out of the scope of their service and adamantly want it listed that way on the SoCA.

Ray stated his understanding is that 100% must be in scope to be a full service, but once we get less than that it becomes a bit gray. Jimmy asked if that would mean that if you do not offer supervised remote you cannot be considered a full service. Andrew acknowledged that is one way to interpret it, even if it’s not the intended interpretation.

Martin summed it up as ‘what IS offered by the CSP versus what IS required of the solution.’ Andrew feels that something like trusted referee, which is not essential to a solution, should not disqualify you from a full-service approval.

Jimmy referenced 63a#0470. Often ‘not applicable’ arises where the criteria offer choices: you must do a, b, or c. The one that is offered is applicable while the others are listed as not. We should check the criteria to make them clearer.

Andrew noted that IAWG needs to make sure that conditional requirements are clearly stated as conditional, and that those requirements are explicitly where ‘not applicable’ is used. That may be the determination. If it is not a conditional requirement but rather a mandatory requirement, then it should either be in scope - applicable or out of scope. Jimmy asked that we think a step further about whether there is a minimum mandatory set of criteria that must be met for partial solutions.

There was a short discussion on whether Kantara should/could move to something like FedRAMP Ready. Ray thinks that, now that more companies have gone through the program, we have an opportunity to go back and look at the assessment criteria with our learned experiences and have another go at it. What is minimum in scope? What is optional? It could be handled in this group and could be a good exercise. The framework does not need to change - it’s solid - but the nuances need refining.

Andrew suggested that our roadmap for this project should land before a public version of 63-4 is out, because rewriting our criteria will be a massive undertaking at that point. Having the framework solidified by then will make that transition easier as well.

Martin reminded the group that the previous discussions around accepting other certifications (FedRAMP, SOC2, etc.) in lieu of the CO_SAC still need to be considered. Andrew believes that is still the plan: we need to do the analysis to see the relationship between the certificate and the criteria we have. This will go into the roadmap for revamping the assurance program.

Ray added that KUMA has had a number of clients recently claim they qualify for 63-3 because of REAL ID. Though 63-4 will tackle mDLs, there is a discrepancy between the NIST implementation guide and the notion of ‘strong plus’ for REAL ID. Andrew mentioned that an action item for IAWG leadership is to ask NIST specifically about REAL ID - superior or strong?

Due to time and Richard Wilsher’s absence, the 63b SoCA proposal will be deferred to the next meeting.

Any Other Business

IAWG leadership keeps an action item list. All IAWG participants should be aware that the spreadsheet exists and that it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!

Martin alerted the group that the LC has moved their monthly calls to Tuesdays. Andrew provided a short update from the LC meeting: the CO_SAC approval will be handled by eballot.