CIC InCommon Silver Certification

DATE and TIME: 26 May 2011 1330 MDT

CONVENER: Jim Green @ MSU

SCRIBE: Gary Schwartz @ RPI

# of ATTENDEES: ~20

MAIN ISSUES DISCUSSED 

InCommon Silver Certification
    No one certified silver yet
    
    Bronze = LOA1, Silver = LOA2
    Compatible with NIST 800-63
    
CIC = Big Ten (12) + U Chi = 13, + Va Tech & UWash ~15
    CIC Identity Management TF: CIC-wide goal = all Silver by Fall 2011
    Motivation
        Strong contacts within InCommon
        Anticipate Federal government requirements - get ahead, not find themselves behind
        Provide feedback to InCommon
        Silver certification has a lot of use cases
    Penn St leading some part of CIC effort
    Project plan had phases with gap analysis; overall plan scrapped but goals remain
Q: When will NIH, NSF, etc require Silver?
A: NIH will require Silver for federated access this year; CILogon now requires LOA1

CIC feedback to InCommon
    Original spec was overspecified
    Auditors felt original spec was too difficult to audit
    InCommon absorbed feedback and came up with more acceptable v2, including streamlined documentation requirements

MSU involved internal auditors in their process
    Work = 10% tech, 90% business processes, policies, etc
    MSU has 3 person team which includes auditor
    did gap analysis of tech, and the business processes
    biggest problem was lack of documentation, including that for conforming practices
    did small, internal "dry runs"  of audit

CIC working groups
    documentation
    AD
    2factor
    kerberos
    registration authority processes
    try to share work across all of CIC

MSU did their own mini-audit, including processes walkthrough with their internal auditors
    CIC may practice vet/audit each other
    UC system may do something similar - UC now has their own "UC Trust Basic"

Not a lot of interest to date in Bronze certification, which is not identical to InCommon Basic (which has no spec)

Scope of certification
    Some institutions including all employees in certification
    Others just some employees
    At least one including all employees and students
    
Some CIC believe they will not achieve Silver level this fall

Jim's notes put together over lunch and used for the talk:

1.  scribe volunteer

2.  others to talk briefly

3.  what do folks want to hear about 

CIC

fall 2009

joined by U Wash and VTU

led by Renee Shuey of Penn State

work subgroups – Documentation, Active Directory, Two factor auth, Kerberos (inactive), RA processes (inactive) 

Identity Assurance Profiles

technical, business, audit

technical

strength of authentication

authn context

SAML2 only

IAQ assertion 

business 

policy

practices/processes

documentation 

audit

management assertions

audit report 

IAP revised

auditor involvement in CIC

documentation burden reduced 

MSU ID office

special process

not going with 2 factor -> down the road

management assertions – one per factor -- simplistic model – just points to where compliance with Silver is documented for that factor

mini-audit -  dry run – 4.2.2 section only.  Discovered a problem with encryption for one of our enterprise systems 

action items ways to get involved

-
ACTIVITIES GOING FORWARD / NEXT STEPS

InCommon to

  • develop a list of campuses implementing InC IAPs
  • create a mailing list of folks implementing InC IAPs who wish to share ideas 
  • announce when a campus becomes Silver (or Bronze) compliant on the InC Participants list
  • create an implementation wiki to include case studies and community-driven implementation FAQ

-
If slides are used in the session, please ask presenters to convert their slides to PDF and email them to SteveO@internet2.edu

Thank you!