Requirements Development & Template Presentation to All Chairs 8/12/2014.

Presentation transcript:

Requirements Development & Template Presentation to All Chairs 8/12/2014

Objectives
– Clarify the intent and purpose of Identity Ecosystem Framework Requirements
– Discuss potential approaches to requirements development
– Introduce and discuss the requirements catalog template

Agenda
– Overview
– Development Considerations
– Proposed Requirements Catalog Template
– Proposed Requirements Development Lifecycle
– Questions/Additional Items

Requirements Overview
Requirements are a foundational component of the Identity Ecosystem Framework intended to:
– Define a baseline for participation in the Identity Ecosystem
  What is the baseline? Improving the security, privacy, usability, and interoperability of everyday online transactions.
  What benefits could the everyday consumer see if this baseline were established? (e.g., reduced account compromise through increased use of multi-factor authentication; greater user control through notice and consent requirements; etc.)
– Provide the foundation for the compliance/conformance program. I.e., to be part of the NSTIC-inspired, IDESG-defined ecosystem your organization must/should do A, B, and C with respect to security, privacy, interoperability, and usability. These will be the basis for a future trustmark(s).

Requirements Overview
The requirements are:
– Discrete statements of activities, behaviors, and expectations for the various participants that are to be part of the identity ecosystem as envisioned in the NSTIC
These requirements are not:
– Business requirements
– Software/technology/solution design requirements
The IDESG is not building a specific identity solution or technology—but instead setting the general parameters, based on the Guiding Principles, in which solutions will operate. The ecosystem requirements may help shape and contribute to these other requirement types for future participants in the ecosystem.

Requirements Overview: Goals for 2014
– Develop requirements for all 4 guiding principles
– Establish an initial self-assessment and attestation compliance program
  – Assessment and attestation will be to applicable requirements

2014 Development Considerations
– Requirements should be ecosystem-level requirements—not specific to sectors, communities, or technologies
  – Should not dictate specific solutions
– Should take into account the core operations of the functional model and the roles—specifically at the functional element layer
  – Some requirements may apply to more than one role, core operation, or function

Development Considerations: Criteria
– Should be relevant: tied to the four Guiding Principles, the NSTIC, and the establishment of the identity ecosystem
– Should be realistic: potential participants should be capable of achieving conformance with these requirements without excessive technological or policy development time (e.g., quantum crypto should not be a requirement…)
– Should be balanced: taking into account the need to establish and maintain a marketplace while also preserving the NSTIC Guiding Principles
– Should be measurable: participants should be able to clearly state compliance through a binary or measurable response
– Should be technology agnostic: requirements should not specify or mandate a specific type of technology or solution and should be able to be met by multiple means (e.g., different technical solutions or combinations of technology and policy)

Development Considerations: Examples
Example requirement: Ecosystem participants follow an adopted IDESG information security standard
– Is it relevant to the identity ecosystem? Yes, all ecosystem participants should operate according to a strong, recognized set of information security principles, practices, and processes
– Is it realistic? Yes, most organizations that handle customer or individual data already (or should) follow established information security standards or frameworks; implementing or using an IDESG-adopted standard should not require an “excessive” shift in policy—though this will require IDESG to identify and adopt existing standards and frameworks in a timely manner
– Is it balanced? Yes, the use of strong information security standards will only enhance the delivery of services and expansion of the marketplace
– Is it measurable or binary? Yes, participants can clearly and easily state whether or not they follow an adopted standard
– Is it technology agnostic? Most core information security standards do not specify solutions or technology types

Development Considerations: Examples
Example requirement: Ecosystem participants provide and/or technically support the use of multi-factor authentication solutions.
– Is it relevant to the identity ecosystem? Yes, all ecosystem participants should provide strong, multi-factor authentication options
– Is it realistic? Yes, there are a significant number of existing multi-factor solutions in different forms and technologies; integration with these should not be excessive for ecosystem participants
– Is it balanced? Yes, the need for strong, multi-factor authentication options is the primary driver behind the NSTIC and should only improve market growth and delivery of services
– Is it measurable or binary? Yes, organizations can clearly and easily state whether or not they provide users access to multi-factor authentication options
– Is it technology agnostic? Yes, no specific form or technology is included in the requirement

Development Considerations: Artifacts and Resources
Many artifacts support requirements development:
– The NSTIC: the cornerstone of IDESG and essential guidance for requirements
– Derived Requirements: a set of requirements statements derived from the NSTIC, intended to stimulate requirements development
– Existing standards, frameworks, and compliance programs: for example PCI-DSS, FICAM, and ISO/IEC provide fertile ground for identification of potential ecosystem requirements
– Pilot and operational experience: engage the pilots as participants in the development process

Development Considerations: Language and Structure
Shall vs. should, etc.:
– Committee judgment matters: if it’s required, shall is likely appropriate. Use may or should appropriately.
If/then/else:
– The fewer conditionals the better, but if needed, use them.
Hierarchical/sub-requirements:
– This probably makes sense in some contexts, but should be determined by the needs of the chairs. If committees need sub-requirements, use them.

Development Approach: Privacy Committee
– The Privacy Committee has initiated requirements development
– Started with the Derived Requirements
  – Refined and updated to use as “guidance”
  – Creating more granular requirements based on the derived requirements and committee feedback; referring to these internally as “functional requirements”
– Incorporated several NSTIC pilots into the discussion to provide input
– The goal will be a set of requirements for incorporation into the identity ecosystem framework—the initial set may be updated, augmented, and added to as the framework matures
– The Security Committee is currently considering a similar approach for its own requirements development

Proposed Requirements Catalog Matrix
Will be provided to the committees as a template that is intended to:
– Capture requirements in a common format
– Allow for consistent approaches, language, and structure
  – Must think of these from the point of view of those who will need to consume them
– Provide uniformity and a foundation for the compliance program and ultimately trustmarks
– Once IDESG requirements have been established they can then be compared to existing Trust Frameworks and Trust Framework Provider requirements, laying the foundation for streamlined self-assessment and future accreditation programs
All information contained in the sample version of the matrix is for ILLUSTRATIVE PURPOSES ONLY

Proposed Requirements Catalog Matrix

IDESG Requirements Catalog
Columns: # | Guiding Principle | Requirement statement | Applies to (core operations: Registration, Credentialing, Authentication, Authorization, Transaction Intermediation) | Source (std., derived requirements, framework, etc.) | Standard or Reference (spec, profile, etc.) | Specific control(s), criteria, or additional info (optional) | Establishing Committee | Last Modified | Date Approved

Row 1
– Guiding Principle: Secure and Resilient
– Requirement statement: Ecosystem participants follow an adopted IDESG information security standard
– Applies to: all five core operations (XXXXX)
– Source: None
– Standard or Reference: ISO Certification
– Specific control(s): None Identified
– Establishing Committee: Security Committee
– Last Modified: 7/28/2014
– Date Approved: 7/29/

Row 2
– Guiding Principle: Secure and Resilient
– Requirement statement: Ecosystem participants provide and/or technically support the use of multi-factor authentication solutions.
– Applies to: three core operations (XXX)
– Source: None
– Standard or Reference: FIDO U2F specification
– Specific control(s): None Identified
– Establishing Committee: Security Committee
– Last Modified: 7/28/2014
– Date Approved: 7/29/

Row 3
– Guiding Principle: Secure and Resilient
– Requirement statement: Ecosystem participants utilize credentials that are resistant to theft, tampering, counterfeiting, and exploitation.
– Applies to: two core operations (XX)
– Source: Modified from NSTIC Derived Requirements
– Standard or Reference: FICAM Trust Framework Solution (TFS) Trust Framework Provider Adoption Process (TFPAP) V 2.0
– Specific control(s): Trust Criteria: The authentication process shall resist online guessing threat. The authentication process shall resist replay threat. The authentication process shall resist session hijacking threat. The authentication process shall resist eavesdropping threat. The authentication process shall at least weakly resist man-in-the-middle threat.
– Establishing Committee: Security Committee
– Last Modified: 7/28/2014
– Date Approved: 7/29/

Row 4
– Guiding Principle: Privacy Enhancing
– Requirement statement: Ecosystem participants determine the necessary quality of data used in identity assurance solutions based on the risk of that transaction, including to the individuals involved
– Applies to: one core operation (X)
– Source: Modified from NSTIC Derived Requirements
– Standard or Reference: None
– Specific control(s): None Identified
– Establishing Committee: Privacy Committee
– Last Modified: 7/28/2014
– Date Approved: 7/29/

Row 5
– Guiding Principle: Interoperable
– Requirement statement: Ecosystem participants utilize adopted IDESG standards and protocols for the exchange of identity data
– Applies to: all five core operations (XXXXX)
– Source: Modified from NSTIC Derived Requirements
– Standard or Reference: FIDO U2F Specification; SAML 2.0
– Specific control(s): None Identified
– Establishing Committee: Standards Committee
– Last Modified: 7/28/2014
– Date Approved: 7/29/2014

Column notes (numbered as the callouts on the slides):
1 Guiding Principle: The NSTIC Guiding Principle that most closely relates to the requirement; there may be more than one
2 Requirement statement: A concise statement of the requirement (those contained in this document are for illustrative purposes only)
3 Applies to: The core operations to which the requirement applies (may be one or many); will be hyperlinked to a separate page that lists the functions and definitions of each core operation (registration shown below)
4 Source: Source of the requirement (if adapted from an existing document)
5 Standard or Reference: Candidate standards, protocols, or profiles that can be used to fulfill the stated requirement or referenced to illustrate conformance with the requirement; not all requirements will have existing standards (etc.) to reference
6 Specific control(s), criteria, or additional info: A specific control or additional detail from an existing standard, protocol, or specification that can be used to further illustrate conformance with the stated requirement
7, 8, 9 Establishing Committee, Last Modified, Date Approved: The establishing committee, the date the requirement was last modified, and the date the document was last approved
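The catalog template above as a small Python model, added here as an example and not IDESG's own tooling: it holds the five illustrative rows from the slides, lints a row against the development criteria (tied to a Guiding Principle, scoped to the core operations, a clear shall/should/may, few conditionals, consistent dates), and runs the binary self-assessment a participant would answer for the core operations it performs. The core-operation marks assumed for rows 2 to 4 and the wording of the fourth Guiding Principle are assumptions, not taken from the slides.

```python
# Added example, not IDESG's own tooling: the catalog template on this page as a
# data model, a lint against the development criteria, and the binary
# self-assessment that the attestation program would run against it.
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# The four NSTIC Guiding Principles; three are named on the slides, the fourth
# ("cost-effective and easy to use") is taken from the NSTIC itself.
GUIDING_PRINCIPLES = ("Privacy Enhancing", "Secure and Resilient", "Interoperable",
                      "Cost-Effective and Easy to Use")
# Core operations of the functional model, as listed in the catalog header.
CORE_OPERATIONS = frozenset({"Registration", "Credentialing", "Authentication",
                             "Authorization", "Transaction Intermediation"})
MODAL_VERBS = ("shall", "should", "may")


@dataclass(frozen=True)
class Requirement:
    """One row of the IDESG Requirements Catalog template."""
    number: int
    guiding_principle: str
    statement: str
    applies_to: FrozenSet[str]          # core operations marked X on the slide
    source: str                         # std., derived requirements, framework, etc.
    reference: str                      # standard or reference (spec, profile, etc.)
    establishing_committee: str
    last_modified: date
    date_approved: Optional[date] = None
    controls: Tuple[str, ...] = ()      # specific control(s) or criteria (optional)


def lint(req: Requirement) -> List[str]:
    """Check a row against the development criteria on the slides: tied to a
    Guiding Principle, scoped to core operations, measurable (a clear
    shall/should/may), few conditionals, and consistent dates."""
    issues = []
    if req.guiding_principle not in GUIDING_PRINCIPLES:
        issues.append(f"#{req.number}: unknown guiding principle {req.guiding_principle!r}")
    unknown = req.applies_to - CORE_OPERATIONS
    if unknown:
        issues.append(f"#{req.number}: unknown core operation(s) {sorted(unknown)}")
    if not req.applies_to:
        issues.append(f"#{req.number}: applies to no core operation")
    words = req.statement.lower().replace(",", " ").split()
    if not any(v in words for v in MODAL_VERBS):
        issues.append(f"#{req.number}: statement has no shall/should/may")
    if words.count("if") > 1:
        issues.append(f"#{req.number}: more than one conditional; simplify")
    if req.date_approved and req.date_approved < req.last_modified:
        issues.append(f"#{req.number}: modified after approval; needs re-approval")
    return issues


def applicable(catalog: Iterable[Requirement], operations: Iterable[str]) -> List[Requirement]:
    """Rows a participant is assessed against: those whose 'Applies to' marks
    overlap the core operations the participant performs."""
    ops = set(operations)
    return [r for r in catalog if r.applies_to & ops]


def questionnaire(catalog, operations) -> List[Tuple[int, str]]:
    """One yes/no self-assessment question per applicable requirement."""
    return [(r.number, f"[{r.guiding_principle}] {r.statement} (ref: {r.reference})")
            for r in applicable(catalog, operations)]


def assess(catalog, operations, answers: Dict[int, bool]) -> Dict[str, object]:
    """Attestation result: an unanswered or 'no' answer is a gap."""
    reqs = applicable(catalog, operations)
    gaps = [r.number for r in reqs if not answers.get(r.number, False)]
    return {"applicable": [r.number for r in reqs], "gaps": gaps, "conformant": not gaps}


# Constructed sample catalog: the five illustrative rows from the slides. Which
# core operations rows 2-4 are marked for is an assumption (not on the slides).
D_MOD, D_APP = date(2014, 7, 28), date(2014, 7, 29)
CATALOG = [
    Requirement(1, "Secure and Resilient",
                "Ecosystem participants follow an adopted IDESG information security standard",
                CORE_OPERATIONS, "None", "ISO Certification", "Security Committee", D_MOD, D_APP),
    Requirement(2, "Secure and Resilient",
                "Ecosystem participants provide and/or technically support the use of multi-factor authentication solutions.",
                frozenset({"Credentialing", "Authentication", "Authorization"}), "None",
                "FIDO U2F specification", "Security Committee", D_MOD, D_APP),
    Requirement(3, "Secure and Resilient",
                "Ecosystem participants utilize credentials that are resistant to theft, tampering, counterfeiting, and exploitation.",
                frozenset({"Credentialing", "Authentication"}), "Modified from NSTIC Derived Requirements",
                "FICAM TFS Trust Framework Provider Adoption Process (TFPAP) V 2.0", "Security Committee", D_MOD, D_APP,
                ("The authentication process shall resist online guessing threat.",
                 "The authentication process shall resist replay threat.",
                 "The authentication process shall resist session hijacking threat.",
                 "The authentication process shall resist eavesdropping threat.",
                 "The authentication process shall at least weakly resist man-in-the-middle threat.")),
    Requirement(4, "Privacy Enhancing",
                "Ecosystem participants determine the necessary quality of data used in identity assurance solutions based on the risk of that transaction, including to the individuals involved",
                frozenset({"Registration"}), "Modified from NSTIC Derived Requirements", "None",
                "Privacy Committee", D_MOD, D_APP),
    Requirement(5, "Interoperable",
                "Ecosystem participants utilize adopted IDESG standards and protocols for the exchange of identity data",
                CORE_OPERATIONS, "Modified from NSTIC Derived Requirements", "FIDO U2F Specification; SAML 2.0",
                "Standards Committee", D_MOD, D_APP),
]
```

Running `lint` over `CATALOG` flags every illustrative row for lacking a shall/should/may, which is exactly the language point the slides raise; `assess(CATALOG, {"Transaction Intermediation"}, {1: True})` reports row 5 as the remaining gap.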

Proposed Requirements Lifecycle

Provides a high-level overview of a potential approach to creating, consolidating, approving, and refreshing Identity Ecosystem Framework Requirements.

Diagram (Proposed Requirements Lifecycle). Boxes: Privacy Committee, Security Committee, UX Committee, Standards Committee, TFTM, Requirements, Standards, Identify Adopted Standards, Self-Assessment and Attestation Program, 2014 Identity Ecosystem Framework Requirements "Catalog", Periodic Review and Update, Plenary Approval Process, Standards Adoption Process, Functional Model. Arrow labels: Develops, Consolidates, Produces, Informs, Met with, Source of.

Steps called out on the diagram:

1. Committees produce requirements.
2. TFTM consolidates committee requirements.
3. TFTM produces self-assessment documentation (questionnaire, assessment criteria, etc.) and the requirements catalog.
4. The requirements catalog and self-assessment documentation are approved through the plenary.
5. Requirements are periodically reviewed and updated as necessary by the committees; dependent documents are subsequently updated and approved.
A & B. The Security Committee develops the functional model and the Standards Committee manages the standards adoption process.

Suggested Milestones

- Decision to progress with self-assessment and attestation compliance program – TFTM consensus decision; 28 May 2014
- Finalize and approve standards adoption policy – Standards Committee; September 2014
- Develop GP-based requirements – Security, Privacy, UX, and Standards Committees; November 2014
- Consolidate requirements – TFTM; November 2014
- Finalize self-assessment documentation – TFTM; December 2014
- Plenary approval of requirements catalog – Plenary; January 2015
- Plenary approval of self-assessment documentation – Plenary; January 2015

Questions/Discussion?