As one peruses vendor websites across the global identity and access management industry, words like “security”, “trust”, “privacy”, and “secure” leap off the home pages. While each vendor does its best to differentiate itself from the pack, buyers are challenged to distinguish the “haves” from the “have nots” when it comes to meeting their own internal or customer requirements, or complying with regulations in the jurisdictions where they do business.
Governments have addressed this issue via technical guidance documents. A few examples are:
- The UK government’s Cabinet Office and Government Digital Service Good Practice Guides (GPGs) for identity proofing (GPG45) and authentication (GPG44).
- The UK Government released an alpha version 2 of its Digital Identity and Attributes Trust Framework, with version 3 expected over the summer. Effective April 6, the UK government permits employers and landlords to use certified digital identity service providers to carry out identity checks on their behalf for many who are not in scope to use the Home Office online services, including British and Irish citizens. This is in alignment with the Disclosure and Barring Service’s (DBS) proposal to enable digital identity checking within its criminal record checking process through the introduction of its Identity Trust Scheme.
- The Pan-Canadian Trust Framework (PCTF), developed by the Digital Identity and Authentication Council of Canada (DIACC), whose members include government agencies, relying parties, security vendors, and identity and authentication vendors, is “designed to meet current and future Canadian digital identity ecosystem innovation needs by verifying trust of services and networks.” The PCTF comprises several components, including Privacy, Verified Person, Credentials, and Authentication. Organizations participating in the PCTF can be awarded a trustmark for each component through Voilà Verified, DIACC’s third-party conformity assessment program that verifies compliance with the PCTF.
- The U.S. National Institute of Standards and Technology’s (NIST) Digital Identity Guidelines (Special Publication 800-63-3), which require federal agencies to take a risk-based approach to identity proofing, authentication, and federation, each defined at three distinct assurance levels (IAL, AAL, and FAL), and which spell out what each level requires. NIST is currently working on version 4 of the guidelines, with a draft expected very soon.
NIST SP 800-63-3 certification is required by the U.S. Government and has become common in RFPs in federally regulated industries including financial services, healthcare, and automotive, which streamlines the buying process for procurement officials, vendors, and the public alike. Times have changed, and it is often no longer acceptable for vendors to state that they comply – they need to prove it. They need to be certified. Digital identity vendors who are certified “check the box” and include their certification with their proposal, while uncertified vendors are often disqualified.
NIST itself does not certify vendors. To obtain certification against NIST SP 800-63-3, vendors turn to the non-profit Kantara Initiative, whose accredited third-party assessors vet the vendor’s service for conformance with the guidelines. The Kantara Initiative is a global trust community that promotes adherence to data and privacy standards by identity system providers. The objective is Kantara’s coveted Trust Mark, which recognizes trustworthy use of identity and personal data solutions and rests on three elements: innovation, standardization, and good practice.
Below are a few examples of where NIST SP 800-63-3 certification is necessary:
- The U.S. Department of Health and Human Services’ (HHS) Trusted Exchange Framework and Common Agreement (TEFCA). Per HHS, TEFCA’s goal “is to establish a universal floor of interoperability across the country. The Common Agreement will establish the infrastructure model and governing approach for users in different networks to securely share basic clinical information with each other—all under commonly agreed-to expectations and rules, and regardless of which network they happen to be in”. TEFCA brings together healthcare organizations, identity and authentication service providers, and the relying parties who, ultimately, provide services to patients. At the root of trusted exchange is high confidence that the person accessing protected health information (PHI) is who they claim to be. To protect patient privacy and security, TEFCA therefore mandates identity assurance levels and accreditation for identity providers and their identity systems in healthcare (see Section 6, Identity Proofing mandated assurance levels, TEFCA). Increasing adoption of the NIST SP 800-63 standards across the healthcare sector will make for more robust sharing of electronic health information (EHI), which in turn will build greater trust in the whole sector. The challenges seen around the rollout of the COVID-19 vaccination program can now be viewed as a valuable lesson: they illuminated weak spots and showed that there is still a long way to go.
- The U.S. Department of Transportation’s (DOT) National Highway Traffic Safety Administration (NHTSA) published its Final Rule on Odometer Disclosure Requirements, which enables states to allow electronic odometer disclosure statements in conjunction with electronic titling (“e-titling”) systems that rely on electronic signature technology. For all the benefits electronic signature technology offers, it cannot by itself verify the identity of the person signing; that requires a prior enrollment and identity verification process. NHTSA recognized this and mandated that identity verification be performed at NIST’s Identity Assurance Level 2 (IAL2), which requires evidence supporting the real-world existence of the claimed identity and verification that the applicant is the person associated with it; the proofing may be done remotely or in person.
- Leveraging the precedent established by NHTSA, the American Association of Motor Vehicle Administrators (AAMVA) published its Electronic Titling Framework. This framework “adopts the minimum standard for identity proofing and authentication level for odometer disclosures, and all electronic titling transactions, to adopt and satisfy the requirements set by the National Institute of Standards and Technology (NIST) at a moderate level (IAL2 and AAL2).”
These few examples are just the beginning of an anticipated wave of national digital identity standards and certification requirements at the state and local levels and within the private sector, especially across the 16 critical infrastructure sectors defined by DHS’s Cybersecurity and Infrastructure Security Agency (CISA), most of which are privately owned and operated.
If you’re a vendor in the digital identity and access management space without certification, the time has come to ask yourself, “Why?”
To support multi-national vendors, Kuma is one of the few assessors in the United States accredited for NIST SP 800-63-3, for Canada’s Pan-Canadian Trust Framework (DIACC), and soon for the United Kingdom’s Digital Identity and Attributes Trust Framework. Please follow Kuma on social media for our latest news. Want to talk about how certification can help your business thrive? Contact us today.