2025-05-01 IAWG Meeting Notes DRAFT

Meeting Status Metadata

Quorum: quorate

Notes-Status: Ready for review

Approved-Link:


Agenda

  1. Administration:

    • Roll call, determination of quorum.

    • Minutes approval - deferred

    • Kantara Updates

  2. IAWG Actions/Reminders/Updates:

  3. Items for discussion

    1. Review proposed 'comparable alternative' criteria.

    2. Review proposed draft for the “notice” text

  4. AOB

 

 

Attendees

Voting Participants

Voter | Organization | Presence
Hughes, Andrew | FaceTec | Present
Jung, Jimmy | Slandala | Present
Silberstein, Yehoshua | Notarize | Present
Wilsher, Richard | Zygma Inc. | Present
Magrath, Michael | Easy Dynamics | Present
Stojkovski, Vladimir | CLEAR |
Donald, India | GSA | Present

Nonvoting:

Participant | Organization | Presence
Brown, Cynetheia | FPKIMA | Present
Brown, Wendy | FPKIMA | Present
Bachenheimer, Dan | | Present
Olsen, Chris | |
Eric Thompson | Experian | Present

Staff:

Person | Organization | Presence
Chopard, Kay | Kantara |
Buttle, Carol | Kantara | Present

Guests:

Person | Organization | Presence

Quorum determination

Meeting is quorate when 50% + 1 of voting participants attend

There are 7 voters as of 2025-05-01

 

Approval of Prior Minutes

Deferred

Discussion topics

Item: Comparable Alternative Criteria - Y.S. email focus questions

https://mailman.kantarainitiative.org/hyperkitty/list/wg-idassurance@kantarainitiative.org/thread/TV6JE5RCMXG73FQ7J6CAVBISJZ6A6HCS/

Notes: See notes below

Comparable alternative discussion notes

Questions, with the discussion recorded for each indented beneath:

  • Rationale for Alternatives: What is the intended policy for using comparable alternatives? Are they for specific necessity (where a barrier exists), or permissible for any equally effective approach? How should the required justification criteria (63A#0700/0710) reflect this policy?

    • Discussion about whether comparable alternatives can be used in any situation, or only for insurmountable obstacles or thresholds to fulfilling the 800-63 stated requirements.

    • 800-63-3 Section 5.4 makes it clear that comparable alternatives should not be used simply because an agency cannot meet the IAL requirements easily.

    • Paraphrasing s5.4 - if an agency wants to reach an IAL but their implementation does not directly fulfill the requirements, how can an assessor determine comparability? Or should they even accept this approach? The agency shall document their justification, but it is not clear whether evaluation of the sufficiency of the justification is necessary.

  • Process & Approval: How will comparable alternative justifications be formally evaluated and approved within our assessment process? Who makes the final decision?

  • Approval Scope: How will approvals effectively represent services that use a mix of standard criteria and approved comparable alternatives across different flows? What exactly does the program's approval and the resulting trustmark guarantee regarding the specific alternatives to service providers and agencies?

  • Defining & Assessing Comparability: How will assessors consistently and objectively evaluate if an alternative truly achieves "same or better" risk management? What specific evidence is required? How is the assessment impacted if the rationale for the alternative was a specific barrier?

  • Program Value & Clarity for Agencies: What is the distinct value proposition of a Kantara-approved comparable alternative specifically for agencies? How does our approval program interact with an agency's own authority and process for determining acceptable controls?

    • Note: the CSP is being assessed on their capabilities, not for a single specific customer. The Agency/customer still must evaluate/accept the chosen (alternative) solution relative to their risk tolerance.

  • Operational Impact: What are the expected impacts on assessment time, cost, and resources with the introduction of these criteria, especially considering the need to potentially evaluate the rationale for the alternative and how it fits within a single approval scope?

  • Do the proposed criteria prior to last week’s call address the need?

    • There is an outstanding question: section 5.4 puts the obligation for comparability on the Agency directly. The Agency may have put obligations on the CSP to meet the Agency’s needs. The question is: what interaction do Kantara assessors have with the Agency (vs the CSP) when the Agency evaluates risks related to the overall solution?

 

 

Motion: (Richard, Jimmy) Should we continue working towards developing criteria for the “alternatives” topic, or not?

Continue: 1, 1, 1, 1, 1 == 6

Stop: 1 == 1

Abstain: 1, 1 == 2

Motion withdrawn after discussion.

 Open Action items


 Decisions