Voting Participants: Ken Dagg, Martin Smith, Mark Hapner, Mark King
Non-voting participants: Jimmy Jung
Staff: Kay Chopard, Lynzie Adams
- Update on Alternative Controls Language
- Component Services
- Any Other Business and Next Meeting Date
- Charter Review & Nominations for Chair
- Next meeting - December 2nd
IAWG Chair Ken Dagg called the meeting to order at 1:05PM (US Eastern). Roll was called. Meeting was quorate. Distributed agenda was confirmed.
Minutes approval: Mark Hapner moved approval of the draft Minutes of the IAWG meeting of October 28. Martin Smith seconded. The minutes, as distributed, were approved unanimously.
Staff Reports and Updates:
Kay provided an update on GSA and FedRAMP. Matt Thompson, Jeremy Grant and Kay met with the GSA political appointee on November 2nd. She presented an overview of who Kantara is and the assurance program. We provided the Assurance Program criteria and have been trying to schedule a follow-up meeting, both at their request. We requested recognition of Kantara’s program on the GSA website. There was no response. Kay plans to continue working up the chain to let them know more about us, in hopes Kantara's services are spread by word of mouth. A FedRAMP contractor approached Kay last month wanting FedRAMP to list Kantara on their website. Unfortunately, the chief counsel’s office said no, probably for similar reasons as GSA (endorsement vs. informational). He shared our information with his contacts, so more spreading by word of mouth. The CARIN Alliance held their quarterly meeting last week and they prompted their partners to get Kantara certified multiple times during the 3-hour meeting.
There was a brief discussion about who is monitoring the requirement that federal agencies adhere to 800-63 rev. 3. It was suggested that Kay ask Phil Lam 1) how do you know someone is compliant with 63-3? and 2) who is responsible for determining that compliance?
International Liaisons Updates:
Kay provided an update on:
- OSIA (France): Looking at their current needs, this project may be outside IAWG's wheelhouse. Ken suggested that although it is not IAWG work, it might be something Kantara is interested in and that the current proposal should be taken to LC. A work group could possibly be established to make the determination of next steps.
LC Reports and Updates:
No Leadership Council Updates. Ken informed everyone that the Kantara General Membership Meeting will be held on Wednesday, December 8th at 11am EST. The President, ARB Chair, Kay and the LC will be speaking. The LC will handle what the work groups have been up to and their plans for 2022.
Update on Alternative Controls Language:
Ken reported that after several email exchanges with Phil Lam and David Temoshok he finally understands the subtle nuances concerning alternative controls (800-63-3 Section 5.4). The use of an alternative control is a decision that has to be justified by an agency and has to occur prior to the agency implementing anything. Those justifications need to include a quantitative risk analysis. Once an agency receives approval to use the alternative control, then they can go approach vendors about implementing an alternative control. While IAWG has already approved the language, Ken believes we need to remove this language from the package. Martin confirmed this was his understanding as well and supports removing the language from the package. Jimmy concurred.
Continued Discussion on Component Services:
The ARB held a joint Assessors/ARB call on Monday, November 15. Martin and Ken attended on IAWG's behalf as observers. There seems to be some back and forth between the ARB and the IAWG about who should be driving the format of these needed changes on the various forms. Martin felt there was a consensus for more guidance to both assessors and applicants in written form. He did not hear a request for any extra requirements within the criteria that would further hold up the current package of changes. There is a need for additional discussion between the IAWG and ARB to determine what needs to be done and which party is responsible for the task.
IAWG Charter & Nominations for Chair, Vice-chair & Secretary - We can vote on the charter at the next meeting. Please review by then to determine if any changes are needed. In terms of nominations, please send nominations and justification to Ken, Martin & Lynzie. Ken is willing to continue to take on chair unless someone wants to step in. Duties include running these meetings, attending LC meetings and LC planning meetings, being a liaison to the ARB when required, and acting as the LC rep to the Board of Directors (if requested by LC). Martin is also willing to continue on as vice-chair unless someone else wants to step in.
Martin asked people to consider quantum computing. It's coming really fast! It will affect how controls are done - so something to think about. Jimmy mentioned NIST had a presentation for federal agencies a while back that they might still have for our use. NIST is working on quantum resistance protocols - the target is to be done early next year.
DIACC has just issued two documents for review. One is the verified person conformance; the other is the privacy component. We've seen both before. Due date is December 17. Ken will circulate to the list and we can decide at the next meeting if we want to respond.
The next IAWG meeting will be Thursday, December 2 at 1pm EST.
Topics for that meeting will include discussing concrete ways and actions we can take to help expedite the completion of component services, reviewing the IAWG charter and nominations, and the decision on the DIACC request.