August 29, 2017 Security Conference Call
Attendees
x | Member Name | x | Member Name | x | Member Name | x | Member Name | |||
---|---|---|---|---|---|---|---|---|---|---|
. | John MoehrkeSecurity Co-chair | x | Kathleen ConnorSecurity Co-chair | . | Alexander Mense Security Co-chair | . | Trish WilliamsSecurity Co-chair | |||
x | Mike Davis | x | Suzanne Gonzales-Webb | x | David Staggs | x | Mohammed Jafari | |||
x | Glen Marshall, SRS | x | Beth Pumo | . | Ioana Singureanu | . | Rob Horn | |||
x | Diana Proud-Madruga | . | Serafina Versaggi | x | Joe Lamy | . | Galen Mulrooney | |||
. | Duane DeCouteau | . | Chris Clark | . | Johnathan Coleman | . | Aaron Seib | |||
. | Ken Salyards | . | Christopher D Brown TX | . | Gary Dickinson | x | Dave Silver | |||
x | Rick Grow | . | William Kinsley | . | Paul Knapp | x | Mayada Abdulmannan | |||
. | Kamalini Vaidya | . | Bill Kleinebecker | x | Christopher Shawn | . | Grahame Grieve | |||
. | Oliver Lawless | . | Ken Rubin | . | David Tao | . | Nathan Botts |
Agenda
- (2 min) Roll Call, Agenda Approval
- (4 min) Review and Approval of Security WG Call Minutes August 15, 2017 and Security WG Call Minutes August 22, 2017
- (5 min) San Diego Sept WGM Agenda - Kathleen
- (15 min) Working Group Meeting Agenda Items - Mike Davis
- (5 min) Security WG Interim Health Metrics - presiding cochair
- (5 min) ONC Trusted Exchange Common Agreement Framework Comments - Kathleen
- (5 min) FHIR Security call -
News and Review Material
- Need assisteance with PASS Audit Ballot Comments from Bernd Blobel resolved. E.g., Move Figure 1 to Functional Section because it is too detailed. Make references to "client" as source of audit content and "source" as source of audit content consistent.
- NSTC National Privacy Research Strategy
- NIST 800-53 Rev 5 Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft Comments due Sept. 12. Please add to CBCC and Security WG NIST SP 800-53 Rev 5 Comment Page
- NIST SP Security and Privacy Controls for Information Systems and Organizations Revision 5 Comments due September 12, 2017 See [CBCC and Security WG Comment Page and Security WG Comment Page for NIST 800-53 Rev 5 Review Security and Privacy Controls for Information Systems and Organizations Initial Public Draft ]]
- Understanding the Major Update to NIST SP 800-63: Digital Identity Guidelines
- Introduction: Digital identities are used in nearly every aspect of our online activities each day. A digital identity is the unique representation of a subject that is engaged in an online transaction. This bulletin outlines updates that NIST recently made in its four-volume Special Publication (SP) 800-63, Digital Identity Guidelines, which provide agencies with technical guidelines regarding the digital authentication of users to federal networked systems. Rather than being a single, monolithic guideline, SP 800-63-3 has been separated in multiple parts – each representing a distinct component of digital identity services. This way, organizations can choose the document that applies to the digital identity services they want to offer. This approach makes applying the guidelines easier for agencies—and also sets the stage for a nimble continuous improvement process. Also, NIST can quickly release key updates, rather than delivering in two or three year cycles.
- This bulletin will describe the components of digital identity – identity proofing, authentication, and federation – and explain how federal agencies can use them to protect the digital identities of their employees. It also provides an overview of the NIST documents that describe these digital identity components and explains how the information in them is organized.
Understanding Digital
- Identity proofing is the process used to verify a subject’s association with their real-world
identity, establishing that a subject is who they claim to be.
- An authenticator is something the subject possesses and controls (typically, a cryptographic
module or password) that is used to authenticate the subject’s identity.
- Digital authentication is the process of determining the validity of one or more authenticators
used to claim a digital identity. Authentication establishes that a subject attempting to access a digital service is in control of the technologies used to authenticate. Successful authentication provides reasonable risk-based assurances that the subject accessing the service today is the same that previously accessed the service.
- Federation is when the relying party (RP) and identity provider (IdP) are not a single entity or
not under common administration. Federation enables an IdP to proof and authenticate an individual and provide identity assertions that RPs can accept and trust. How has SP 800-63-3 evolved? Since the last revision of this document in 2013, NIST SP 800-63-2, digital identity components have evolved substantially. To better align with market-driven business models and innovation, the new revision replaces levels of assurance (LOAs) with ordinals for individual parts of the digital identity flow, providing implementers with more flexibility in their design and operations:
- Identity Assurance Level (IAL): the identity proofing process and the binding between one or
more authenticators and the records pertaining to a specific subscriber;
- Authenticator Assurance Level (AAL): the authentication process, including how additional
factors and authentication mechanisms can impact risk mitigation; and
- Federation Assurance Level (FAL): the assertion used in a federated environment to
communicate authentication and attribute information to a RP.
- SP 800-63 is a suite of four documents: SP 800-63-3 (the parent document; your starting point for all things digital identity and risk) and three additional documents – SP 800-63A, 800-63B, and 800-63C –which cover the various components of a digital identity system. These documents are described below:
- SP 800-63-3, Digital Identity Guidelines, provides an overview of general identity frameworks,
guidance regarding use of authenticators, credentials, and assertions together in a digital system, and a risk-based process of selecting assurance levels;
- SP 800-63A, Enrollment and Identity Proofing;
- SP 800-63B, Authentication and Lifecycle Management; and
- SP 800-63C, Federation and Assertions.
- See links @ *[ https://pages.nist.gov/800-63-3/NIST SP 800-63, Digital Identity Guidelines - 4 Volumes]
- NSTC National Privacy Research Strategy and Comment Page
- PEW Report - The Internet of Things and Future Shock: Too Much Change Too Fast?Lee Rainie, director of Internet, Science and Technology Research at the Pew Research Center, spoke on May 10, 2017 to the American Bar Association’s Section of Science and Technology Law about the rise of the Internet of Things and its implications for privacy and cybersecurity. The velocity of change today is remarkable and increasingly challenging to navigate. Rainie discussed Pew Research Center’s reports about “Digital Life in 2025”and “The Internet of Things Will Thrive by 2025,” which present the views of hundreds of “technology builders and analysts” on the future of the internet.
- PEW Report - The public and cybersecurity practices and knowledge Lee Rainie, director of internet, science and technology research at Pew Research Center, presented the Center’s findings about public practices and knowledge related to cybersecurity to the advisory board of the National Cybersecurity Alliance on May 5, 2017. He discussed the wide variance in what the public knows about key cybersecurity issues and concepts and people’s habits when it comes to handling the passwords to their online accounts and their use of public Wi-Fi networks.
Minutes
- Chaired by Kathleen
- Agenda Approved
- Approved Security WG Call Minutes August 15, 2017 (Beth, Mike)
- Approved Security WG Call Minutes August 22, 2017 ( Mike, John)
- San Diego Sept WGM Agenda - Kathleen
- Agenda still in progress
- Working Group Meeting Agenda Items - Mike Davis
- Pass Audit has comments against it that were adjudicated by the Work Group
- Mike requested John to help review some of the comments by Burns
- Comment (1) Mike: Ken Roubin is a proponent of Security topics but is stepping down as co-chair
- Chris will be the interim co-chair
- Currently focusing on SOA
- Comment (2) John: Security topics should become high priority for SOA for health care needs and standards
- Comment (3) Suzanne: SOA is primarily responsible for reference architecture
- Next Step: Will take comments and bring up as topic to see what action is needed from Security Working Group
- Comment (4) Kathleen: Recommends a FHIR Deep Dive by John
- Mike has been working with NIST for internet of things since resources are internet addressable
- Looking at how our security solutions work with big data and privacy and security solutions
- What is the Security and Privacy impact, and Harmonization topic are related to NIST
- Next Step (Recommendation/Mike): Propose to start a Study group and create a report with the implication of NIST and FHIR's Rule
- Comment (5) John: Gram is looking for the cross section with FHIR, and maybe interested in the connection of NIST and FHIR
- Comment (6) Mike: We have a RBAC road map and Rolled Based Access Control examples, and can update it in line with NIST
- Agenda still in progress
- Security WG Interim Health Metrics - presiding cochair
- ONC Trusted Exchange Common Agreement Framework Comments - Kathleen
- FHIR Security call -