Security and Privacy Workgroup Backlog

The Security and Privacy team is aware of the following requests, and has accepted them into our backlog.

Security and Privacy Workgroup Process

This page is deprecated. Issues are now being tracked in the Google Docs spreadsheet found under the FAQ section of this wiki.


||~ Item Num ||~ Title ||~ Description ||~ Source ||~ Size ||~ Priority ||~ Status ||~ Blocking ||~ **Owner** ||~ **Next Step** ||
||= 5 || Refactor Authorization Framework Specification || Move existing Auth Framework 2010 Production Spec into the new NIEM packaging format. This priority for our workgroup was set directly by Dr. Fridsma. The purpose of this is to test and rationalize the NIEM packaging process for our use. ||  ||= 50 ||= 1 || In Process || No || Eric Heflin || Create prototype ||
||= 8 || TLS Encryption Clarification || The current 2010 Production Specifications do not indicate the allowable TLS configuration and options in terms of the cryptographic families permitted and their strength. The esMD Core II rule topic (item number 6) has illustrated some areas where additional updates and clarity are needed in the Nationwide Health Information Network specifications related to the versions of TLS that are permissible. || Eric Heflin resh ||= 10 ||= 6 || In Process || No ||  || Review draft text with the NIST and Nationwide Health Information Network Sec and Priv team ||
||= 6 || CORE Phase II Current Profile Documentation || Rolled into the TLS task (item number 8). || CMS ||=  ||= 5 || See item #8 || No || Eric Heflin || Members of the Security workgroup will join esMD workgroup calls. ||
||= 7 || Transport Encryption WSDL Policy Statements || Determine and document the resolution of the issue whereby some devices, such as the SSA's DataPower device, attempt to enforce the WSDL policy statements regarding the 2-way-SSL encryption algorithm. This is causing failures since the 2-way-SSL negotiation process is selecting a different, more secure in this case, encryption algorithm. A solution has been advanced to remove the encryption algorithm statement from the WSDL policy and require that the encryption algorithm be specified in the SSL implementation as being at or above minimal FIPS levels. || Tom Davidson / SSA / Lockheed Martin ||=  ||= 7 || In Process || No || TBD || Discuss issue. ||
||= 1 || XML-Dig || A possible inconsistency has been identified whereby only certain elements of the SOAP message are signed. This work effort is focused on determining if this is inconsistent. As a side-product, we are clarifying some areas where the Nationwide Health Information Network specifications are silent, such as on the allowable / required subjectConfirmation methods. || Tom Davidson / SSA / Lockheed Martin ||= 50 ||= 8 || In Process || No || Eric Heflin/Tom Davidson? || Will be actively worked on once higher priority items are resolved. ||
||= 2 || Port Assignment || An issue has been identified whereby two federal agencies are unable to communicate, and whereby dynamic changes to the service end points on the UDDI registry may result in a service disruption. This effort has a proposed solution, which is currently tentatively approved by the Nationwide Health Information Network Exchange Security and Privacy Workgroup and the overall Spec Factory Workgroup. Near-final text has been drafted. Update: Eric H has received some technical questions from the IANA "expert evaluation committee" regarding the low-level transport. He's responded. || VA / SSA ||= 1 ||= 4 || In Process || No || Eric Heflin || Incorporate final text into AF spec. ||
||= 3 || Final Rule MU || The Meaningful Use Final Rule from the CMS/HHS may impact the Nationwide Health Information Network Exchange's security and privacy requirements. We need to analyze the final MU text and determine if it introduces new requirements or changes existing requirements for the current production specifications. || Craig Miller / esMD Workgroup ||=  ||= 6 || Not Started || No || TBD || Will be actively worked on once higher priority items are resolved. ||
||= 4 || Testing Team and Reference Implementation Team Issues || Multiple issues have been discovered by the Testing Team and the Reference Implementation Team related to the Authorization Framework specification. The Security and Privacy Workgroup will address them as needed. || ONC Testing Team and RI Team ||=  ||= 2 || On Going || Yes || TBD || Reactionary ||
||= 9 || confidentiality code || Should the Nationwide Health Information Network Exchange restrict this value set? || GE/John M ||= 1 ||= 3 || In Process || No || Eric Heflin || Review draft text with the NIST and Nationwide Health Information Network Sec and Priv team ||
