Some thoughts on how to approach the subject of standards for NSTIC.

1. NSTIC & Standards ? How and where do standards fit into NSTICWho should be developing standards What standards are requiredRichard G. WilsherCEO, Zygma LLC[www. | RGW@]Zygma.biz 1 1

2. NSTIC & Standards Should NSTIC foster (another) SDO? Not directly Perhaps be a Standards DirectingOrganization Standards Management Organization (SMO) Identifying the needs Adopting best practices Optimizing / re-using existing frameworks & stds Creating the glue Funding specific (infrastructural standards) needs 2

3. NSTIC & Standards Identifying the needs Information security management Policies, Procedures Risks Control selection Review & audit Formal certification Service provision & usage Technical API ProvidesIndependentAssurance … … that thesethings arebeing donecorrectly 3

4. Accept existing standards Adopt existing standards Profile for specific needs Render assessable Where justified, define and develop standards Development, refinement, profiling all progress more rapidly with dedicated resources = NSTIC funding The Steering Group needs a Standards Manager 4 NSTIC & Standards

5. NSTIC & Standards essential that holistic approach is taken the whole business has to be secure, so establish the Id framework within a larger context – ‘Identity’ may not be the business’ primary function international recognition is a must 5

6. Assessment / Evaluation is key Need independent assessment of service providers and of users of those services E.g. Kantara’s extension from Id Service Providers to recipients of id-related data (so-called Relying Parties) Standards need to support assessment as well as service provision & usage technical inter-operability 6 NSTIC & Standards

7. AND(just for laughs) …Don’t let NIST write Standards!!(we can talk about this)