FAL2 Security Controls

[dhs-BI]

NIST SP800-63Crev4 describes security controls in section 3.10 (see #71). These are American security control frameworks that are not applicable to all enterprises worldwide.

chair hat off
I recommend the WG writes guidance that implementers SHOULD implement a security controls program such as 800-53 or FEDRAMP, but not be prescriptive about the specific control program. Allowing implementers choices that are relevant to their locale or industry will lead to better adoption.
chair hat on

[deansaxe]

We discussed this issue on the 2025-05-13 call and agreed to pull these controls into a side-car document that is used alongside the SL1 federation protocols. I'll assign myself the task to begin writing this doc.

The doc will include language to cover the privacy controls discussed in #81.

[deansaxe]

I have published a draft to address this issue. Please see https://deansaxe.github.io/draft-saxe-ipsie-common-requirements-profile/draft-saxe-ipsie-common-requirements-profile.html.

[deansaxe]

I have incorporated this into the common requirements doc. If the doc is adopted, this issue can be closed. Labeled as pending close.