department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

Define MPI as an authoritative source #62779

Open skirkman16 opened 1 year ago

skirkman16 commented 1 year ago

We need to consider how encrypted data can be transferred between applications (Login.gov, toolkit, and potentially a custom application).

Use Case

As a security / compliance officer evaluating an in person proofing process between VA and Login.gov, I want to understand MPI better so that I can make a positive adjudication that MPI is an authoritative source of Veteran data.

Pertinent discussion from 7/27 workshop

NIST - Need to understand what MPI is based on so that we can show why it can act as an authoritative source of data for certain documents. Keep in mind that authoritative data is not devoid of gaps/inconsistencies. From a policy perspective, if VA has determined MPI as an authoritative source it will aid in that determination.

Login.gov - Asking for understanding of how changes are made on MPI data (i.e. if it's "easy" to make changes to MPI data, is it authoritative?)

Open question - There was mention that MPI can be authoritative data for certain documents (definitely VHIC). Need clarification why authoritative data is document specific. i.e. Credit bureaus seemingly can be authoritative data irrespective of the identity evidence (state ID, passport etc).

Useful references: MPI Service Description

Acceptance Criteria

porta-antiporta commented 1 year ago

@skirkman16 going to split this up into two stories.

  1. 62779 Define how MPI acts as an authoritative source (policy discussion)

  2. 62830 Determine approach for how Login.gov and our IPP application will exchange validated PII (technical discussion)

porta-antiporta commented 12 months ago

For this ticket proposing the following to be refined during backlog refinement.

Use Case

As a security / compliance officer evaluating an in person proofing process between VA and Login.gov, I want to understand MPI better so that I can make a positive adjudication that MPI is an authoritative source of Veteran data.

Pertinent discussion from 7/27 workshop

NIST - Need to understand what MPI is based on so that we can show why it can act as an authoritative source of data for certain documents. Keep in mind that authoritative data is not devoid of gaps/inconsistencies. From a policy perspective, if VA has determined MPI as an authoritative source it will aid in that determination.

Login.gov - Asking for understanding of how changes are made on MPI data (i.e. if it's "easy" to make changes to MPI data, is it authoritative?)

Open question - There was mention that MPI can be authoritative data for certain documents (definitely VHIC). Need clarification why authoritative data is document specific. i.e. Credit bureaus seemingly can be authoritative data irrespective of the identity evidence (state ID, passport etc).

Useful references:

Acceptance Criteria

porta-antiporta commented 10 months ago

Guidance on how to write a DIRA

SophiaPhilipMO commented 6 months ago

@lmorris3 this will become pertinent for DIRA as Porta mentioned in comment history and for the charter as NIST requires we assert that MPI is an authoritative source to enable IAL2 compliance.

SophiaPhilipMO commented 3 months ago

Review Mural