Organization: 1
Reference (Include section and paragraph number):
4.2 General Requirements
Comment (Include rationale for comment):
Requirement 3 states: “The CSP SHALL provide explicit notice at the time of collection to the applicant regarding the purpose for collecting and ‘maintaining a record’ of the attributes necessary for identity proofing, including whether the such attributes are voluntary or mandatory in order to complete the identity proofing transactions and the consequences for not providing the attributes.”
Requirement 7 states: “The CSP SHALL record the types of identity evidence presented in the proofing process, including any identification and reference number. The CSP SHALL NOT record an image, scan, or other copy of the evidence.”
Requirement 9 states: “The CSP SHALL conduct a privacy risk assessment to determine what PII is necessary to maintain a record of for identity proofing. The CSP SHALL maintain such records in accordance with National Archives and Records Administration (NARA) records retention schedules or agency specific schedules as appropriate.”
Requirement 3 reads as if copies of documents such as notary documents, possibly fingerprints, driver’s license, etc. can be used to proof an individual and made part of a record, but Requirement 7 reads as if you can’t make a record when it states “The CSP SHALL NOT record an image, scan, or other copy of the evidence.” Requirement 9 seems to rebut Requirement 7. I can possibly see not collecting some of this information when proofing is performed. It also begs the question with respect to fraudulent documents: if one doesn’t have a copy of the evidence, how can one determine the veracity of the evidence if it comes into question at a later point in time or a subscriber refutes being identity proofed?
This NIST presentation http://csrc.nist.gov/groups/SMA/forum/documents/feb2012_nist-sp-800-63-1_newton-perlner.pdf seems to support the above. “RA records a current biometric (e.g., photo or fingerprints) to ensure that Applicant cannot repudiate application.”
I believe clarification is needed with respect to the above.
Suggested Change:
Delete “The CSP SHALL NOT record an image, scan, or other copy of the evidence” from Requirement 7 and make the first sentence of Requirement 9 the second sentence of Requirement 7 so 7 reads as follows:
“The CSP SHALL record the types of identity evidence presented in the proofing process, including any identification and reference number. The CSP SHALL conduct a privacy risk assessment to determine what PII is necessary to maintain a record of for identity proofing.”
“The CSP SHALL maintain such records in accordance with National Archives and Records Administration (NARA) records retention schedules or agency specific schedules as appropriate.”
Organization: 1 = Federal, 2 = Industry, 3 = Other