TFTM Deliverable 01-06: 2014 Trustmark and Conformance Program Discussion Deck
TFTM Committee, May 07, 2014 (IDESG TFTM Committee)



Slide 2: Meeting Agenda
- 2014 Goal
- Meeting Objectives
- Approach
- Assumptions
- Conformance Assessment/Assertion Comparison
  - Self-Attestation
  - Self-Certification
  - 3rd Party Certification
- Overview
- Next Steps

Slide 3: TFTM Sub-Committee Goal
Develop and establish an initial IDESG Trustmark and conformance program for the IDESG IE Framework by the end of 2014.

Slide 4: Meeting Objectives
Discuss and compare the approaches of current industry conformance programs for applicability to the IDESG's needs. Three approaches for discussion today:
- Self Attestation
- Self Certification
- 3rd Party Certification
  - Peer-to-Peer
  - Independent Assessors
  - IDESG Assessment

Slide 5: Format for Comparison of Conformance Programs
Programs will be compared based upon four primary factors:
- Resource Burden: the resources required to implement and operate the conformance program
- Implementation Time: the time needed to establish and implement the program
- Cost: the cost to both the IDESG and organizations seeking conformance assertion
- Assurance: assurance that participants are operating in conformance with the rules/framework
Express each factor on a 3-point scale: High, Moderate, or Low.
This is not intended to be an exhaustive analysis, but a high-level discussion of existing conformance program types and their relative applicability to the IDESG in 2014.

Slide 6: Assumptions
- Initial Version of the Identity Ecosystem Framework will be complete by the end of 2014 and key dependencies for conformance program implementation will be met:
  - Functional Model (Security Committee deliverable)
  - Initial Requirements Catalog (TFTM 01-04): committees will create and plenary will approve requirements
  - Conformance program rules established (policy, process; TFTM 01-07)
- Recommend approach for 2014 IDESG conformance recognition (e.g., trustmark, trust list, white list, etc.) as supporting/complementary activity (TFTM 01-06)
- 2014 Program should be open to all IE service providers (e.g., relying parties, credential providers, attribute providers, etc.) regardless of size

Slide 7: Self Attestation
- Participants in a self-attestation framework assert their own conformance with a specified set of rules or requirements
- Written and signed document to confirm that the assertions made are true and accurate to the best of the signer's knowledge and belief
- No specific assessments required for attestation
- Enforcement relies on community awareness and reporting, with potential action through the FTC
- IDESG could take minimal action, including removal from the white list or revocation of a TM
- Examples:
  - InCommon Bronze
  - Payment Card Industry merchant self-assessment and compliance attestation
  - CMS compliance self-attestation to EHR utilization criteria (aka "meaningful use" standards)

Slide 8: Self Attestation (comparison)
Resource Burden: LOW
- Resources required to implement a self-attestation program are low
- Minimal administrative capability/burden required to confirm the bona fides of applicants and process applications
- Minimum operational capacity required to determine acceptability of applicant bona fides
- Resource burden on applicants would be limited to what is required to complete the application and provide any new services/controls not currently provided
Implementation Time: LOW
- Minimum resource and operational requirements would allow a self-attestation program to be stood up relatively quickly (months rather than years)
Cost: LOW
- Cost to the IDESG would be low, only requiring those items needed to stand up the limited administrative and operational process (e.g., application process, communications, file submission/maintenance, certification), which could potentially be handled by existing resources (secretariat, MC, board, committees, etc.)
- Cost to participants should be low, covering the application/renewal processes
- Additional SP costs may be necessary to meet requirements not currently provided
Assurance: LOW
- Low assurance that participants are operating in compliance with IEF rules/requirements

Slide 9: Self Certification
- Similar to a self-attestation framework, participants would assert their own compliance with a specified set of rules or requirements based on an internal review of documentation/operations
- Written and signed document to certify that the results of the internal review are true and accurate, based on the results of the internal review and other assessments
- Participants may also have to meet periodic internal assessment requirements and may need to provide assessment results or other documentation
- Assessment guide/process would need to be created or established
- Enforcement relies on community awareness and reporting, with potential action through the FTC and revocation of trusted status by the trustmark provider (TM or white list)
- Examples:
  - Federal FedRAMP self-attestation for cloud service security
  - Department of Commerce EU/US Safe Harbor Program
  - Types of PCI self-assessment compliance attestation

Slide 10: Self Certification (comparison)
Resource Burden: LOW TO MODERATE
- Resource burden on the IDESG would be low to moderate, depending on the degree of validation required (e.g., submission of internal review documents or other documentation); additional administrative burden for supporting the application and maintenance processes
- Resource burden on applicants would be moderate, requiring periodic internal assessments, potentially new documents, and the establishment of internal processes to support these assessments
Implementation Time: LOW
- Development or adoption of assessment standards would increase implementation time; however, leveraging existing frameworks and practices could expedite implementation (6 months to 1 year)
Cost: MODERATE
- Cost to the IDESG would be moderate, especially if some degree of validation would be performed
- Cost to participants could be higher depending upon existing internal assessment/audit capabilities; organizations with existing structures could leverage these to limit cost, while others may need to stand them up from scratch (small relying parties, etc.)
- Some SPs may incur higher costs in order to meet requirements/documentation not currently provided
Assurance: LOW
- Assurance depends on the degree of validation, but would likely not exceed low assurance even with internal review and/or other documentation submission requirements

Slide 11: 3rd Party Certification
- Participant's compliance with a set of rules or requirements is confirmed through assessment by an independent 3rd party
- Requires the development of a comprehensive certification and assessment framework, e.g., requirements for service providers and for assessors in performing assessments
- May require the development of an accreditation program to qualify assessors against assessment requirements
- More complex legal arrangements to support the roles/responsibilities of the assessors, assessed service providers, and certifying body
- Enforcement relies on community awareness and reporting, with potential action through the FTC and revocation of trusted status by the trustmark provider (TM or white list)
- Examples:
  - Kantara Initiative
  - FICAM TFS
  - FICAM TFPAP

Slide 12: 3rd Party Certification: Types
- Peer-to-Peer: participating organizations are assessed for compliance by other framework participants. This is typically done on behalf of the certifying body, which would make the actual certification decisions based on the assessment
  - Ex.: AICPA typically uses peer review to maintain CPA certification status
- Independent Assessors: service providers are assessed for compliance by entities whose sole purpose within the framework is compliance assessment; this supports independence and objectivity in the assessment process
  - May require an accreditation program for assessors
  - This is typically done on behalf of the certifying body, which would make the actual certification decisions based on the assessment
  - Ex.: Kantara Initiative, InCommon Silver (https://kantarainitiative.org/confluence/display/certification)
- Certifying Body (IDESG) Assessment: participating organizations are assessed for compliance directly by the certifying body (e.g., the IDESG)
  - Ex.: FICAM PKI

Slide 13: 3rd Party Certification: Peer Review
Resource Burden: MODERATE
- IDESG would need to establish a comprehensive assessment framework and associated processes to support peer review, and support the administrative and operational requirements of the application and certification processes
- IDESG would validate
- Participating organizations would need to support assessment by peer review, probably onsite, and support services/documentation that are not currently provided
Implementation Time: MODERATE
- Development of an assessment framework and associated processes would require more time to develop/implement than a self-attestation or self-certification framework (1-2 years)
Cost: HIGH
- Cost to the IDESG would be moderate and primarily focused around assessment framework development and support for the administrative costs of the application/certification processes
- Cost to participants would be high, requiring the capability to conduct assessments on other members of the ecosystem; legal complications and establishing mechanisms for external assessments could be costly
Assurance: MODERATE
- The possibility of conflicts of interest in conformance assessments (e.g., market partners or competitors as assessors) could negatively impact assurance
- Lack of professional assessors may limit testing and conformance capabilities

Slide 14: 3rd Party Certification: Independent Assessment
Resource Burden: MODERATE
- IDESG would need to establish a comprehensive assessment framework and accreditation program; external assessors would limit steady-state resource requirements, but stand-up needs would be high
- Participating organizations would need to support assessment by third parties; overall resource requirements would likely depend on ecosystem function and existing capabilities
Implementation Time: HIGH
- Development of an assessment framework and accreditation program, as well as associated processes, would require significant time (2-3 years)
Cost: MODERATE
- Cost to the IDESG would be moderate and primarily focused around assessment framework development and accreditation program development and maintenance
- Cost to participants would be moderate and primarily focused around preparation for assessments and hiring of an assessor
Assurance: HIGH
- Independent assessments by qualified and accredited entities should provide high levels of assurance that participants are operating according to established rules and requirements

Slide 15: 3rd Party Certification: Certifying Body Assessment
Resource Burden: HIGH
- Establishment of an assessment framework and the operational/personnel capacity to conduct assessments would require significant resources for the IDESG; assessments would likely need to be conducted at the SP, increasing administrative burden and costs
- Participating organizations would need to establish the necessary documentation and processes to support assessment by third parties and share or bear the costs of assessment
Implementation Time: HIGH
- Development of an assessment framework and standing up the necessary operational capabilities would take a significant period of time (2+ years)
Cost: HIGH
- Cost to the IDESG would be high, requiring significant staff for assessments, administration, and operational requirements
- Cost to participants would be moderate and primarily focused around preparation for assessments and paying any assessment fees
Assurance: HIGH
- If operated properly, this should provide a high degree of assurance that participants/SPs are operating in accordance with applicable rules and requirements

Slide 16: Overview

Type                                | Resource Burden | Implementation Time | Cost     | Assurance
Self-Attest                         | LOW             | LOW                 | LOW      | LOW
Self-Certification                  | MODERATE        | LOW                 | MODERATE | LOW
Peer-to-Peer                        | MODERATE        | MODERATE            | HIGH     | MODERATE
Independent Assessment              | MODERATE        | HIGH                | MODERATE | HIGH
Certifying Party (IDESG) Assessment | HIGH            | HIGH                | HIGH     | HIGH

Slide 17: Discussion Considerations
1. Other factors for additional evaluation?
2. What can realistically be implemented in 2014 to establish a foundation to build from?
3. What can/should be the target for 2015 and 2016?
4. What are the risks to IDESG?
5. Would other forms of certification increase the level of assurance for any of these approaches? TFPs, ISO 9000/001, ISO 27001, CompTIA, BBBOnline, etc.

Slide 18: Next Steps Summary
1. Develop a recommendation for the 2014 conformance program approach (self attest, self cert, etc.) and discuss with the full TFTM
2. Prepare a recommendations paper for the plenary on the 2014 Trustmark and Compliance Program