FICAM's Trust Framework Adoption Process allows us to use comparability criteria to adopt industry trust frameworks for use by the Government. Flexibility and innovation in managing the process are critical to making sure Government requirements can take advantage of innovation in the industry. Kantara Initiative, one of our approved Trust Framework Providers (TFPs), recently updated their assessment criteria in a manner that continues to meet the requirements of FICAM and NIST, while at the same time providing flexibility in assessing solution providers.
Kantara's trust framework, which has been approved by FICAM, is called the Kantara Initiative Identity Assurance Framework. A critical component of it is the Service Assessment Criteria which establishes baseline criteria for general organizational conformity, identity proofing services, credential strength, and credential management services against which all FICAM Credential Service Providers are verified for assurance.
General thinking of the TFPs has been a single entity would perform all activities of a solution, but it has always been feasible under the Trust Framework Solutions process to have separate entities doing the identity proofing and credential issuance functions. Kantara has restructured their Identity Assurance Service Assessment Criteria to accommodate independent assessment of these functions, which in turn can now be offered by different providers as a component of the complete solution.
In line with how the E-Authentication model in NIST SP 800-63 provides for logical and physical separation between the Registration/Identity-Proofing function and the Token/Credential Management function, Kantara's restructured service assessment criteria performs assessments across two dimensions:
- Organizational Assessment, which is required of all entities undergoing assessment
- Operational Criteria Assessment, which covers the actual component services being offered
The flexibility in this approach comes from the fact that multiple organizations, each with its own unique service offering, can now come together to offer component services. The restructured assessment criteria now allows for these individual service components to be assessed independently. These services can be unique to each assurance level, but taken together provides a full service capability that combines both Registration/Identity-Proofing and Credential Management.
This approach provides significant opportunities for partnering between organizations, which can now put together unique and tailored solutions that, in total, satisfy the service assessment criteria. From the FICAM perspective, it is important to note that we apply the "FICAM Approved" label only to the total package made up of the various service components that together offer the complete Registration/Identity-Proofing and Credential Management functions.
National Institute of Standards and Technology (NIST) and General Services Administration (GSA) personnel welcome this new approach from Kantara, which without reducing the rigor of the assessment criteria, allows for innovative industry partnering as well as tailored and flexible service offerings to the Government.
RELATED POSTS
:- by Deb Gallagher
