Dear IAWG members: I am currently traveling and will continue to be on travel through next week, so my responses are delayed. I would like to clarify a couple of things, but I won't provide a detailed response to all the emails that have been exchanged. 1. A year ago, I met with all the assessors in one-on-one meetings to discuss the changes we are revisiting this summer. Only a couple of companies were opposed to these changes back then and declined to sign an NDA or engage in contract discussions as we move forward. That offer remains open. 2. There should be very little change for the assurance companies except with whom they contract. They already have contracts with Kantara, and these will be expanded to include the assessment itself and the assessor services. - We will allow companies to choose their assessor and for existing companies to be able to continue to use the same assessor if they would like, assuming their chosen assessor continues to do Kantara assessments. - We will not be reducing prices, so there will be no cost savings in assessor services. - One company has already signed a subcontract with Kantara to do assessment services. Although they have not conducted NIST 800-63 assessments, they have assisted Kantara in providing other services and will be available in the future as needed. - I am already meeting with individual companies to effect this change. 3. Some organizations have criticized me for not having sufficient numbers of assessors. I sense that those who have been vocal on this group appear to be the only Kantara assessors. - On the Kantara website, you will see other assessor options, including large auditing firms. - When I first came to Kantara there were only four companies in the program, we now have over 35 services that are assessed each year and have added four new companies this year alone. - We will continue to bring on more assessors to meet demand as necessary and have engaged in discussions with additional auditing firms. 4. The business operations decisions are more complicated than simply the requirements for ISO 17065. As you can see from the program's growth over the last four years, the Board and I have recognized the need to update our processes to meet the demand and provide better service to the assurance companies. Kantara provides a vital service, and we must improve our processes to ensure we maintain a high-quality program. - The IAWG is not being "defrocked". The public comment periods for the version 4 assessment criteria will still be in place, and IAWG as a group or individuals may provide the feedback. (Public review and comment for the criteria updates are 45 days, as always.) - The IAWG will not be responsible for writing the new version 4 assessment criteria. The assurance program will become the scheme owners, and I will be assigning people to write the 800-63 version 4 assessment criteria, subject to public review and comment. - I am responsible for the business operations, and the decision of who will write the assessment criteria will be part of my business decision-making. - The Board of Directors discussed the change in audit services last year during its budget approval process for 2025. These are reflected in their approved 2025 budget. They will continue to monitor the business processes as required by their fiduciary responsibility. 5. NIST 800-63 version 4 is required to be implemented by federal agencies one year from its release. We will work to have it written, reviewed, and commented on so that it is ready to be assessed by late summer of 2026. I am still working on the project timelines and tasks to get this done as efficiently as possible. - Assurance companies will continue to be assessed and receive a trust mark against version 3 for at least three more years, if they choose. - Kantara previously offered the Classic assessment and trust mark for those companies that needed to maintain an 800-63 version 2 trust mark. That has been retired, with only a couple of legacy companies that still need this version. We will revisit whether we need a similar program for version 3 and will be gathering input in that regard next year. 6. I have already begun to assemble a stakeholder oversight body. It will be a smaller group. Participants must be willing to work on all aspects of the assurance program documentation, processes, policies, and procedures. They must also commit to working collaboratively and in a forward-looking manner. They are required to have expertise in the area of digital identity guidelines. - Some of the stakeholder groups to whom I have made invitations include relying parties for several industry verticals, government agencies, assessors, assurance companies, the ARB, the Board of Directors, and members of the public/consumers. This group will begin meeting in September. - The open items approved by the IAWG and requiring implementation will be assigned to assurance program staff. The oversight group will then oversee the proper implementation of these updates. - The size of the IAWG does not allow it to be responsive and timely as the program has grown. But they will still have the opportunity for review and comment during all public comment periods. 7. I have received many complaints regarding the email traffic on this group email. Please refrain from using this email to espouse personal views or to denigrate the Kantara organization or other individuals. I refer you to the Code of Conduct adopted by the Leadership Council, as that is the governing body for all workgroups. Thank you for your continued support of Kantara and its work. Best regards, Kay *Kay Chopard | **Executive Director* Email: kay@kantarainitiative.org <amanda@kantarainitiative.org> LinkedIn: @KantaraInitiative <https://www.linkedin.com/company/kantara-initiative/>