Concern from NIST about term “nonconformance” - could potentially signal to fed agencies to NOT use syncable authenticators, however the difficulty still lies in the fact that Kantara doesn’t have something to audit against.
Andrew: language is always present in NIST 800-63 versions RE: conformance (if you don’t meet the requirements of the “shall”s, you do not conform)
Carol: concerned about Kantara’s due process/integrity
“Guidance”: they want to use this word, but what is it actually going to be?
Mike Magrath: Will they be working on their own conformance criteria for syncable authenticators?
They intend to release something after rev. 4
Hughes: If we want improvements on syncable authenticators, the comment period on rev.4 is the vehicle.
Jimmy: 2 data points from presentation
Ryan: seems to have acknowledged that they don’t know some things about “bring your own authenticator”. “Hand waving” is problematic for us as assessors.
ARB response: well, NIST says syncable authenticators are AAL2; we would like to treat syncable authenticators as mildly nonconformant while IAWG works through the process. Waiting for IAWG is problematic for clients.
Andrew: heard that some mandatory requirements are not mandatory, we don’t want to guess
ACTION: @Carol: look at “BYO authenticators” sections in 63B and see if it is replicated. What are the mandatory requirements? Do they match? Treated as optional? If they are doing it now, our discussion with NIST is different. If they aren’t doing it (just omitted things), then we have a stronger argument to make regarding these being shoulds/not mandatory/guidance/optional.
Emphasizes focusing on text as written, not interpretation.
Roger: Notes concern about a potential “split” between NIST as the publisher and Kantara as the approver
Jimmy: Concern with passkeys not being supported under current version of 800-63-3, and users/customers having to wait until rev.4 is finalized. How can Kantara recognize the current marketplace for vendors?
Andrew: Kantara’s framework was explicitly designed to reflect 800-63-3’s mandatory requirements.
Option for passkeys to get a “pass”? Where would that line be drawn?
Andrew: CSPs evaluate the risk and assessors confirm the evaluation is sound (seems to be the approach of companies using passkeys now)
Yehoshua: If NIST is telling us they don’t want companies to be “nonconformant”, are they saying it is OK to use some kind of complementary control? Do we leave out some of the NIST requirements from Kantara’s framework? Will there be corresponding line items in the SAC/SoCA?
Tim: Agrees on not waiting too long to address syncable authenticators and would be open to future conversations on what rev 4 offers. Would also accept a CSP writing up/accepting the risk of not fulfilling a mandatory requirement.
Andrew: Compensating controls/risk acceptance may not be enough
Jimmy: ARB wants to wait for IAWG to fix it in the interim (Concurred by Kay/Carol)
Yehoshua: Seems to be an idea that IAWG could come up with things that serve as compensating controls. Could it be possible to come up with something to discuss and use as a group for a risk framework?
Carol: Propose a list of compensatory controls that would be acceptable.
Andrew/Tim: Could Kantara have criterion stating “The CSP shall produce some statement of risk/acceptance/exception” that would then be evaluated?
Jimmy/Andrew: Should the requirement be for the CSP to have a risk mitigation strategy? This could be evaluated.
Potential to be boxed into 63-3
Meaning: passkeys are good for AAL2 (since rev. 3 won’t be touched again, can’t change shall to should)
Jimmy: how is a compensating risk mitigation framework different from criteria saying if it’s a passkey, it’s okay?
Ultimately, the market needs to be able to use passkeys with AAL2 and Kantara needs a way to assess this (quickly) considering that the core requirement says it is mandatory, but it is impossible to achieve/assess. If we can manage with risk statements, that’s fine. But considering that the Trust Mark is tailored to NIST requirements, would that need to be changed? Ask the BoD?
Tim: Kantara already accepts compensating controls/risk mitigation frameworks (FedRAMP, FISMA, etc.). So if discrete criteria aren’t an option, risk-based criteria/framework would be a reasonable path forward.
Andrew: Similar to his efforts to push against following the mandatory requirements of 800-63 beyond v.3.
Roger: Would Kantara pushing the risk back onto the CSP alleviate the need for Kantara?
Carol: Action is needed and should be based on the reality and accessible criteria. Will be looking at things immediately.