Voting participants: Mark Hapner, Ken Dagg, Rich Furr, Martin Smith
Staff: Colin Wallis, Ruth Puente
Quorum: 4 of 7. There was quorum.
- DIACC Request for Review & Comment: Verified Login Component & Verified Login Conformance Profile
- Criteria Guidance (Any participant suggestions for adding or enhancing guidance for understanding assessment criteria).
Any Other Business
2019-05-30 DRAFT Minutes were approved by Motion. Moved: Martin Smith; Seconded: Rich Furr. Unanimous Approval.
- Ken mentioned that there is a new Request for Comment and IPR Review: Pan-Canadian Trust Framework Model, which is under 45-day comment period and IPR Review. Link: https://diacc.ca/2019/06/03/pctf-draft-recommendation-v1-0/ Ken commented that there has been some improvement, but there is not a clear perception on it. He also added that they are in constant contact with US, NZ, AU and the UK over authentication solutions. He will send the link to the list.
- Colin pointed out that OMB Memo 19-17 was released, which is much better, GSA and NIST have more defined roles. He mentioned that he has maintained informal contact with GSA all along through the abdication period.
- Colin said that several conferences are coming, six conferences in June. He said it is starting with the newest liaison partner CARIN Alliance's Summit in DC.
- CARIN Alliance has a code of conduct; however, it is not clear how it may affect the IAWG.
- There is nothing to report from Leadership Council (LC).
DIACC Request for Review & Comment: Verified Login Component & Verified Login Conformance Profile
- Ken said that this would be the last meeting with respect to making suggestions or comments on the DIACC Verified Login Component & Verified Login Conformance Profile.
- Rich Furr pointed out that he is not sure to agree on the last session comments about “MAYs” and “SHOULDs” (about becoming SHALLs).
- It was mentioned that people experienced on assessment felt that they were not specific enough to result in consistent assessments by different assessors. Perhaps, they tried to cover too much scope and they could not get consistency in the assessment process.
- There was concern about the objective of the verified login component, it was suggested that it should be to ensure the ongoing integrity of the login processes and not trusted identity.
- Rich suggested to Eve to make a presentation about UMA in IAWG meeting. Ken stressed that cross group understanding is good.
- Martin talked about something that he posted in the chat: Moody's to rate companies' cyber risk: Excerpt: "Much is left to be seen, but as with any program surrounding the assessment of cybersecurity, a recognized and measurable risk framework will be required. It's unclear if Moody's cyber-risk ratings will go to the depth of compliance assessments or whether they will take a broader brush approach." https://searchsecurity.techtarget.com/tip/What-Moodys-cyber-risk-ratings-mean-for-enterprises
- Ruth reminded the voting participants to cast their vote on the submission to NIST.
- Ken to send the new DIACC RFC link to the list.
- Voting participants to cast their votes on the submission to NIST.