Mark K. asked how we can expect CSPs to provide a quantitative comparison of the effectiveness of a control specified in 800-63-3 vs. a proposed "comparable alternative", since as far as we know NIST has not provided such data on controls. Roger Q. asked if we could or should be more specific about what should be measured for a "quantitative assessment."
Roger: can we spec the quants? Ken: too general to specify. Assessor has to determine that the quant analysis makes sense.
JJ: seems OK, transparency is about all we can do. And involves numbers.
Ken: get thru 18 months and hope it's covered in 63-4.
JJ: think NIST tries to be academic and flexible. Don't want to enforce.
Kay: D had strong reaction to K getting involved, and pushed to making the decision political vs. requiring NIST to approve.
JJ: only way for CIO to make the decision is based on the CSP's K certification.
Ken thinks our language permits the agency to take a political decision based on the CSP's representations about the risk analysis, as certified by K.
Mark K: from outside view: by providing one standard that all agencies could use, creates a market for CSPs.
Ken: I think we're close but how to market and avoid bad stuff for Kantara's rep. Need another meeting with Richard.
Meeting in 2 weeks. Aug 12. Resolve comparable AND PAD, and Richard provide non-subs.
ROGER for FIRE.
Ken responded that the potential variety of alternative controls and use-cases makes it impossible to be very specific about what data might be relevant. Jimmy J. suggested that the best Kantara can do is to require transparency about the CSP's analysis of the risk of using an alternative control, and have the assessors apply some basic judgment about the logic of the CSP's risk analysis and the evidence supporting it.
Several WG members then speculated about possible reaction of NIST to Kantara's acceptance of the use of alternative controls in certifying a CSP. Jimmy J. believes NIST doesn't want to get involved in enforcement; Martin S. agreed. Kay C. recalled that NIST's David T. expressed a strong negative reaction to Kantara involvement in the assessment of alternative controls. Ken thinks our near-final draft language permits an agency to take a political decision (to accept the risk of an alternative control) based on a CSP's documented analysis, and Kantara's certification of the CSP.
Ken summarized by saying the WG is close to having the draft of a good process for assessment of alternative controls, but we need to "market" the approach so Kantara's reputation for quality assessments doesn't suffer. He believes we do need to have another discussion with Richard W. present.
Noting that the meeting time was up, Ken recapitulated open actions on finalizing the criteria update package: at the next meeting in two weeks, we need to finalize the "comparable alternative control" assessment language, and also finalize a criteria revision related to PAD. Ken will remind Richard that we also need to see the non-substantive criteria changes to be included in the package. Martin S. suggested that Ken might expedite consensus on the PAD language by circulating the email dialog between Ken and Richard on this topic that took place over the past few days.
Next Meeting: August 12. In addition to the items noted above related to finalizing the criteria change package, we hope to get a report from ED Kay C. on her outreach to her contact at the UK Digital Identity program.
Ken adjourned the meeting at about 2:05PM US Eastern.