NIST SP800-63-2 v KI IAF Mapping

This page holds information and documents related to the mapping exercise between KI IAF-SAC v3.0 and NIST SP800-63-2.

Work underway May - October 2013

Attachments (file, date modified, uploaded by)

- Kantara IAF-1400 SAC-63-2 v0-3 to v0-4 cf.docx (Word) - Oct 02, 2013, by Former user
- EZP-63-2 v0-4.docx (Word) - Oct 02, 2013, by Former user
- EZP-800-63 Rev1-2 2013-09-30.pdf (PDF) - Oct 02, 2013, by Former user
- DevPath.pdf (PDF) - Oct 02, 2013, by Former user
- KI EZP-63-2 v0-2--XXX.docx (Word), disposition of comments form - Jul 04, 2013, by Former user
- KI SAC-63-2 v0-2--XXX.docx (Word), disposition of comments form - Jul 04, 2013, by Former user
- KI EZP-63-2 v0-3--RAF.docx (Word), comments from R. Furr, 2 July 2013 - Jul 04, 2013, by Former user
- EZP-63-2 v0-2.docx (Word), marked-up EZP 800-63-2 to match up with the marked-up KI IAF-SAC - Jun 18, 2013, by Former user
- Kantara IAF-1400 SAC-63-2 v0-2.docx (Word), marked-up KI IAF-SAC to match up with EZP 800-63-2 - Jun 18, 2013, by Former user


Comments from the Editor


Comments from the Editor to the WG-idassurance mailing list, September 30, 2013

Folks,

Since we last reviewed these docs NIST has published 63-2 and I have had some exchanges with Bill Burr, prior to his leaving NIST on 09-30 (which could account for why things are presently furloughed!).

The final version of -2 caused me to revisit quite a bit of the previous work, in the course of which I noted that a number of our queries had led to changes being worked in to the final public doc, although some questions remain unanswered, and I think in some other cases we’re just going to have to make it up as we go along.


So, here’s what you have attached.

Firstly ‘Dev Path’ – a schematic to try to make sense of this.

The dark red docs are those attached.

What I want you to focus on is the doc in the lower left corner, with the gold boundary.  This is the mapped SAC at v0-4 with changes shown from v0-3, which you last saw.  Ignore any refs back to 800-63-2, these are being moved into a separate doc, as Ken suggested.

For your further ref I include the latest state of the mapped version of 800-63, EZP 63-2 v0-4, and also a reference document showing the changes from 800-63 -1 to -2.

I’d appreciate any comments on the SAC at v0-4 (with changes) during this week’s call.
Once the mapping cross-reference is complete this doc and the EZP 63-2 will go forward for public review prior to becoming THE ref version of the SAC (then as v4-0).


Thanks,
Richard.

Richard G. WILSHER


Comments from the Editor to the WG-idassurance mailing list, June 7, 2013

From: Richard Wilsher

To: IAWG

Colleagues,

I attach two documents which represent the mapping ‘state of play’ as discussed during yesterday’s IAWG call.  We agreed that we would seek review and response in time for discussion during the call on 2013-06-20.

In order to allow me time to prepare a proposed disposition of comments I am requesting your responses by cob Monday 2013-06-17.

I will shortly send out a pro forma for your use when responding with your comments.  I have chosen to provide Word copies, which may facilitate your extraction of text if need be, rather than PDF, since I believe that the re-structuring of the -63 text has provided sufficiently discrete clause references to make a ‘frozen’ version unnecessary.

I suggest you review first ‘EZP 800-63-2’ and use the SAC mark-up as a cross-reference to determine the correctness of the proposed mapping.  Mappings from EZP to SAC are precise – the reverse mapping from the SAC doc is not, in some instances, quite as clear as to which explicit clauses are being mapped back to the EZP doc.  I will resolve that at the time that I later create a stand-alone cross-reference document.

Finally, some qualifying comments / excuses which I offered when I first circulated this on Wednesday and discussed on Thursday’s call.

Key observations:

1) The sections against which the mapping has been conducted are shown clearly in EZP;

2) Some new SAC requirements have had to be created and these are clearly shown as mark-up, plus any new SAC text has background shading;

3) There are parts of 63-2 where the requirement is unclear; I’ve tried to highlight these and would appreciate your feedback on how I’ve interpreted them. I have also appealed to Bill Burr (NIST) for interpretations or clarifications of NIST’s intent and expect to hear back from Bill around June 5th;

4) I have put into the SAC cross-references to 63-2 with the applicable criteria, but as recently discussed (see below) will collate those mappings into another document; for the moment I think they are most useful as placed;

5) In some areas I feel that 63-2 goes into more detail or is quite explicitly more US-centric than the IAF needs in general, and therefore have indicated with the following text, “+US / EZP800-63-2 Profiling”, where I think that it is appropriate to step back and require that CSPs applying for Approval of their service state explicitly that they are seeking SP 800-63-2 compliance and wish this extent of specificity to be included in their assessment. They would then be required to show how their specific conformity to the IAF (SAC) requirement was met by adopting a particular profile aligned to 63-2. During the IAWG call of 05-28 there was discussion about how this could be represented in the final deliverables and the consensus appeared to be that this be conveyed in a discrete document, effectively a US Federal Profile for the SAC. Any further thoughts?

6) An implication of the above is that we should add to the SAC a comment to the effect that alignment is in general terms within the SAC and may require profiling within the application to a service seeking conformity to 800-63-2;

7) I’m interested in receiving comments on the appropriateness of criteria in sections 5.[AL#].6.4;

8) You may feel that, by expanding the 63-2 requirements into sections which discretely address each AL, I have created a larger volume of text than is necessary, especially since in many cases the equivalence determined is only a matter of changing the digit applicable to the AL. Always wanting to get my rebuttal in first, I think this is justified to be sure that the implied requirements of 63-2 are drawn out, and my experience in performing this work has been that this approach has proven valuable because it has identified some shortcomings within the SP which are not apparent without this dissection. I therefore argue that, despite the inefficiencies of the duplication of text, it is better that we do this.


Thank you for your efforts,
Regards,

Richard G. WILSHER