1. TFTM 01-06 Interim Trust Mark/Listing Approach Paper Analysis of Current Industry Trustmark Programs and GTRI PILOT Approach Discussion Deck TFTM Committee March 12, 2014 3-12-2014IDESG TFTM Committee1

2. 3-12-2014IDESG TFTM Committee2 Key terms for this discussion NSTIC/IDESGGTRI Trustmark A form of visual or digital certification to indicate that a product or service provider has been certified to meet the requirements of a specific trust framework. (Source: NSTIC- Slightly modified) Trustmark Statement of conformance to a well-scoped set of identity trust and/or interoperability requirements. (Source: GTRI) Trust Framework Defines the rules, rights and responsibilities of a specific community of interest participants in the Identity Ecosystem; specifies the policies, rules and standards specific to the community; and defines the community-specific processes and procedures that provide assurance. (Source: NSTIC) Trust Framework A trust framework is any structure that builds trust among autonomous actors for the purpose of sharing and reusing identities. Trustmark Definition The conformance criteria that must be met in order to be issued a trust mark AND the assessment steps that an independent 3 rd -party must follow to determine conformance to the criteria. (Source: GTRI)

3. 3-12-2014IDESG TFTM Committee3 Key terms for this discussion NSTIC/IDESGGTRI Trust Framework Provider An organization that defines or adopts a trust framework and then, certifies participants that are in compliance with the requirements of that framework. (Source: FICAM TFPAP-slightly modified for context) Trustmark Defining Organization An organization that develops and maintains Trustmark Definitions to represent the interests of one or more Stakeholder Communities. Trustmark Provider An organization that issues a trustmark to a Service Provider (AKA “Trustmark Recipient”) based on a formal assessment process. (Source: GTRI) Certification The processes of assessing, validating, and determining that a product or service provider meets the defined requirements of a specific trust framework. (Source: FICAM TFPAP-slightly modified for context)

4. Accreditation Program Certification Program Service Provider Administrative Responsibilities: Document and maintain : Policies and participation rules Requirements Application/Onboarding processes Standard agreement for accredited entities Maintain public trust list/registry of accredited entities Operational Responsibilities: Evaluate the capability of applicant entities for certification activities Perform policy mapping, as appropriate, for entity certification policies/requirements conformance/comparability to Accreditation Program requirements Administrative Responsibilities: Document and maintain: Requirements Assessment Processes Assessment Criteria Application/onboarding processes Standard agreement for certified entities Formal recognition of certified services Maintain public trust list/registry of certified entities Operational Responsibilities: Perform and document assessments Validate conformance to Certification Program requirements Provide formal recognition for approved/validated identity services Monitor continued conformance for certified entities Administrative Responsibilities: Document and maintain Trust Mark issuance and usage policies and participation rules Document and maintain Trust Mark (Usage) Agreement Document and maintain security and controls for Trustmark monitoring. Operational Responsibilities: Execute and maintain Trust Mark (Usage) Agreements for certified entities Monitor continued conformance to Trustmark usage requirements for certified entities Establish and maintain security and controls for issued trust marks Trust Mark Issuance Accredit Certify/Issue Certification Accreditation 3-12-2014IDESG TFTM Committee4

5. Certifies TF Conformity Issues Trust marks 3-12-2014IDESG TFTM Committee5 Stakeholder Community Is Represented By Defines Trust Framework Relying Parties Trustmark Recipient (e.g., IDP, CSP, AA) Assessment Rules/Criteria End Users Issues Identity Assertions Required By Required By Current Industry Model GTRI Pilot Model (Trustmark Concept Map) IE Roles Current Industry and GTRI Pilot Models Source : GTRI Trust Framework Provider Assessor/ Auditor

6. 3-12-2014IDESG TFTM Committee 6 Modular Trust Components (AKA “Trust Marks”)= Sets of defined requirements for trust in specific areas GTRI Examples of Modular Trust Components Examples of Modular Trust Components that may be defined requirements for trust marks. Source : GTRI

7. 3-12-2014IDESG TFTM Committee7 Potential Sources for Modular Trust Components Source : GTRI

8. GTRI pilot seeks to define “modular trust components “ (AKA “Trustmarks”) that can be used/reused by multiple organizations. Need to define common, core requirements for trust components that are/should be common to different stakeholder communities – e.g., business, legal, security, privacy, etc. TFTM 01-05: Requirements Mapping and Analysis Paper Requirements analysis and mapping of trust framework components to assess their alignment with NSTIC/IDESG Guiding Principles. Could inform the process of establishing core requirements and trustmarks based on TF components most aligned with IDESG/NSTIC Guiding Principles Could support reuse of framework components within the identity ecosystem. The NPO issued “derived requirements” from NSTIC strategy to articulate requirements for NSTIC guiding principles (strategy, privacy, interoperability, ease of use) that should be a starting point for common, core requirements for the Identity Ecosystem Framework. 3-12-2014IDESG TFTM Committee8 The Need for NSTIC Core Requirements The following activities seek to define common, core requirements for trust and are directly related:

9. 3-12-2014IDESG TFTM Committee9 Building the Identity Ecosystem Framework See NSTIC NPO 11/26/2013 Blog: Interim Identity Ecosystem: “Are we there yet?”

10. 3-12-2014IDESG TFTM Committee 10 NSTIC Guiding PrincipleCore RequirementIDPRPAP 1Privacy Enhancing Organizations shall limit the collection and transmission of information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements. XXX 2Privacy Enhancing Organizations shall limit the use of the individual’s data that is collected and transmitted to specified purposes. XXX 3Privacy Enhancing Organizations shall provide appropriate mechanisms to allow individuals to access, correct, and delete personal information. XXX 16Secure and Resilient Confidentiality, Integrity, and Availability shall be maintained. Where appropriate, non-repudiation shall also be supported. XXX 17Secure and ResilientOrganizations shall have auditable security processes.XXX 16Secure and Resilient Organizations shall utilize credentials which have been issued based on sound criteria for verifying individuals and devices. XX 26InteroperableOrganizations shall accept external users authenticated by third parties.XX 27Interoperable Organizations shall issue credentials capable of being utilized by multiple different service providers. X 28Interoperable Organizations shall utilize technologies that communicate and exchange data based upon well- defined and testable interface standards. XXX 32 Cost Effective and Easy- to-use Organizations shall utilize identity solutions that are simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training. XXX 33 Cost Effective and Easy- to-use Organizations shall utilize identity solutions that are available to all individuals, and accessible to the disadvantaged and disabled. XXX 34 Cost Effective and Easy- to-use Organizations shall, wherever possible, build identity solutions into online services.XXX Examples of 34 NSTIC Derived Requirements