- Many IAWG regulars were on the FICAM TFS call
- 'Comparability' versus 'compliance' was a hot topic
- FICAM TFS says that TFP's TF rules must show Comparability to the FICAM Trust Criteria. Then the CSP must Conform to the TFP TF rules
- Comparability versus conformance matters more in some areas than others
- The Federal Agencies are asking for certified services that are not the FICAM approved services
- A challenge is that the reasons the Agencies are not accepting FICAM offerings are not fully understood or known
- Is there a view that FICAM Approved services do not deliver services that meet the Agency needs? (needs to be checked)
- FICAM Trust Framework Solutions needs to work with Industry to inform Agencies on the programs and how they meet the requirements
- Should look at how other governments (Canada, New Zealand) have addressed this, and help FICAM
- Kantara could work towards a Comparability Framework drawing on global experiences; this would be very helpful
- Need to define the process to determine comparability
- Could state the objective for comparability so that the Assessors would have guidance
- Comparability must start at the objective point - this must precede and support the Criteria
- Many schemes state criteria without obvious objective statements
- Look at Canada's work on objectives
- Look at UK GPG 43 - sets up the objectives for service delivery
- Canada did a guide on how RPs should approach risk assessment to determine what they need. Then the CSP offers the AL service and can express how it meets.
- Comment: 4 AL seems to work best when Comparability is not in play - only when there are strict criteria do all parties know what they are getting. When there's uncertainty on what's included, it is hard to stay within an AL and variability ensues.
- Shorter will send: Implementation Guidance for FIPS 140-2 which sets out the cases that have been examined.
Reference links to Canada work: