Open skirkman16 opened 1 year ago
@skirkman16 going to split this up into two stories.
For this ticket proposing the following to be refined during backlog refinement.
As a security / compliance officer evaluating an in person proofing process between VA and Login.gov, I want to understand MPI better so that I can make a positive adjudication that MPI is an authoritative source of Veteran data.
NIST - Need to understand what MPI is based on so that we can show why it can act as an authoritative source of data for certain documents. Keep in mind that authoritative data is not devoid of gaps/inconsistencies. From a policy perspective, if VA has determined MPI as an authoritative source it will aid in that determination.
Login.gov - Asking for understanding of how changes are made on MPI data (i.e. if it's "easy" to make changes to MPI data, is it authoritative?)
Open question - There was mention that MPI can be authoritative data for certain documents (definitely VHIC). Need clarification why authoritative data is document specific. i.e. Credit bureaus seemingly can be authoritative data irrespective of the identity evidence (state ID, passport etc).
[ ] Writeup on MPI
[ ] 6510
Guidance on how to write a DIRA
@lmorris3 this will become pertinent for DIRA as Porta mentioned in comment history and for the charter as NIST requires we assert that MPI is an authoritative source to enable IAL2 compliance.
Review Mural
We need to consider how encrypted data can be transferred between applications (Login.gov, toolkit, and potentially a custom application).
Use Case
As a security / compliance officer evaluating an in person proofing process between VA and Login.gov, I want to understand MPI better so that I can make a positive adjudication that MPI is an authoritative source of Veteran data.
Pertinent discussion from 7/27 workshop
NIST - Need to understand what MPI is based on so that we can show why it can act as an authoritative source of data for certain documents. Keep in mind that authoritative data is not devoid of gaps/inconsistencies. From a policy perspective, if VA has determined MPI as an authoritative source it will aid in that determination.
Login.gov - Asking for understanding of how changes are made on MPI data (i.e. if it's "easy" to make changes to MPI data, is it authoritative?)
Open question - There was mention that MPI can be authoritative data for certain documents (definitely VHIC). Need clarification why authoritative data is document specific. i.e. Credit bureaus seemingly can be authoritative data irrespective of the identity evidence (state ID, passport etc).
Useful references: MPI Service Description
Acceptance Criteria
Writeup on MPI
Summary of what it is
What datastores make up MPI
Inclusion of correlation score as multiple data stores have the same identity
List of what document types can be used for MPI
6510
Review current and draft of directive (work with Tom Black to get access)
Recommendations of items to include based on IPP flows