Working Draft - IAF-1400


Abstract

The Kantara Initiative Identity Assurance Work Group (IAWG) was formed to foster adoption of identity trust services.  The primary deliverable of the IAWG is the Identity Assurance Framework (IAF), which comprises many different documents that detail the levels of assurance and the certification program that bring the Framework to the marketplace.  The IAF is a set of documents that includes an Overview publication, the IAF Glossary, a summary Assurance Levels document, and an Assurance Assessment Scheme (AAS), which encompasses the associated assessment and certification program, as well as several subordinate documents, among them the Service Assessment Criteria (SAC), which establishes baseline criteria for general organizational compliance, identity proofing services, credential strength, and credential management services against which all CSPs will be evaluated.  The present document describes the Service Assessment Criteria component of the IAF, including setting out the Assurance Levels.

The latest versions of each of these documents can be found on Kantara’s Identity Assurance Framework - General Information web page.

 

Notice

 

This document has been prepared by Participants of Kantara Initiative.  Permission is hereby granted to use the document solely for the purpose of implementing the Specification.  No rights are granted to prepare derivative works of this Specification. Entities seeking permission to reproduce portions of this document for other uses must contact Kantara Initiative to determine whether an appropriate license for such use is available.

 

Implementation or use of certain elements of this document may require licenses under third party intellectual property rights, including without limitation, patent rights.  The Participants of and any other contributors to the Specification are not and shall not be held responsible in any manner for identifying or failing to identify any or all such third party intellectual property rights.  This Specification is provided "AS IS," and no Participant in Kantara Initiative makes any warranty of any kind, expressed or implied, including any implied warranties of merchantability, non-infringement of third party intellectual property rights, and fitness for a particular purpose.  Implementers of this Specification are advised to review Kantara Initiative’s website (http://www.kantarainitiative.org/) for information concerning any Necessary Claims Disclosure Notices that have been received by the Kantara Initiative Board of Trustees.


 

1       INTRODUCTION

Kantara Initiative formed the Identity Assurance Work Group (IAWG) to foster adoption of consistently managed identity trust services.  The IAWG's objective is to create a Framework of baseline policy requirements (criteria) and rules against which identity trust services can be assessed and evaluated.  The goal is to facilitate trusted identity federation and to promote uniformity and interoperability amongst identity service providers, with a specific focus on the level of trust, or assurance, associated with identity assertions.  The primary deliverable of IAWG is the Identity Assurance Framework (IAF).

The IAF specifies criteria for a harmonized, best-of-breed, industry-recognized identity assurance standard.  The IAF is a Framework supporting mutual acceptance, validation, and life cycle maintenance across identity federations.  It is composed of a set of documents that includes an Overview publication, the IAF Glossary, a summary document on Assurance Levels, and an Assurance Assessment Scheme (AAS) document supported by Rules governing Assurance Assessments (RAA), which defines the associated assessment and certification program, as well as several subordinate documents.  The present document, subordinate to the AAS, describes the Service Assessment Criteria component of the IAF.

The latest versions of each of these documents can be found on Kantara’s Identity Assurance Framework - General Information web page.

Assurance Levels (ALs) are the levels of trust associated with a credential as measured by the associated technology, processes, and policy and practice statements controlling the operational environment.  The IAF defers to the guidance provided by the U.S. National Institute of Standards and Technology (NIST) Special Publication 800-63 version 1.0.1 [NIST800-63-1] which outlines four levels of assurance, ranging in confidence level from low to very high.  Use of ALs is determined by the level of confidence or trust (i.e. assurance) necessary to mitigate risk in the transaction.

The Service Assessment Criteria part of the IAF establishes baseline criteria for general organizational compliance, identity proofing services, credential strength, and credential management services against which all credential service providers (CSPs) will be evaluated.  The IAF initially focuses on baseline identity assertions and will evolve to include attribute- and entitlement-based assertions in future releases.  The IAF will also establish a protocol for publishing updates, as needed, to account for technological advances and preferred practice and policy updates.

Changes in this revision

The principal reason for the changes in this revision is to permit greater flexibility in the combination of Service Components and Full Service Provision, and to identify the specific criteria within the following SAC with which Service Components must comply.

Specifically:

a)         The merging of the Credential Management (CM)-SAC and the Identity (ID)-SAC into a single grouping, the Operational (OP)-SAC (i.e. Operational Criteria).  The OP-SAC facilitates the flexible allocation of criteria to specific components of a full service;

b)        Placing of the Organizational (CO)-SAC and the OP-SAC into their own discrete first-level sections, thus making them more distinct;

c)         Restructuring of the functional criteria by placing them into contiguous sets for each Assurance Level, making it easier for developers, service operators and assessors to access and apply the criteria applicable to the Assurance Levels for which they have chosen to seek certification;

d)        Requirement for certain OP-SAC Part A criteria to be Mandatory for all Component Service applicants;

e)         Consistency in the use of ‘Subscriber’ and ‘Subject’;

f)          Appropriate revisions to other text within this document to reflect and consistently deal with the points above;

g)         Clear statement that the requirements of this document are normative within the IAF.

 

In the course of these revisions the opportunity has been taken to perform incidental tidy-up where the originally-drafted language no longer reflects practice or terminology.

Excepting where text has been moved within the document and is otherwise unchanged, all revisions between v2.0 and v3.0 are shown with a grey background.

 

2       ASSURANCE LEVELS 

The IAF has adopted four Assurance Levels (ALs), based on the four levels of assurance posited by the U.S. Federal Government and described in OMB M-04-04 [M-04-04] and NIST Special Publication 800-63-1 [NIST800-63-1].  These are further described in the Identity Assurance Framework: Levels of Assurance document, which can be found on Kantara’s Identity Assurance Framework - General Information page.

3       SERVICE ASSESSMENT CRITERIA - GENERAL

Context and Scope

The Identity Assurance Work Group (IAWG) developed and maintains the Service Assessment Criteria (SAC) as part of its Identity Assurance Framework.  These criteria set out the requirements for credential services and their identity providers at all assurance levels within the Framework.  They identify the specific requirements, at each Assurance Level (AL), with which Service Providers must comply and against which they must be assessed by Kantara-Accredited Assessors.  They are divided into two parts:

 

1)    Organizational Criteria:
These criteria address the general business and organizational compliance of services and their providers.  They are generally referred to as the ‘CO-SAC’;

2)    Operational Criteria:
These criteria address the operational compliance of credential management services and the necessary functions which they embrace.  They are generally referred to as the ‘OP-SAC’.

Criteria Applicability

Any Full Service Provider applying for certification under the Identity Assurance Framework (IAF) must comply with all criteria (i.e. CO-SAC and OP-SAC, at the applicable level).

Each Service Component supporting, or included as a part of, a Full Service Provider offering must comply with the CO-SAC and a defined sub-set of OP-SAC clauses which fall within the component’s scope.  The Full Service Provider retains the responsibility to ensure each requirement is met.

These criteria have been approved by the Kantara membership for use by Kantara-Accredited Assessors in the performance of their CSP/IdP assessments of credentialing services for which a CSP is seeking Kantara certification.

In the context of the Identity Assurance Framework, the status of this document is normative.  An applicant’s credential service shall comply with all applicable criteria within these SAC at their requested AL(s).

This document describes the specific criteria that must be met to achieve each of the four ALs under the IAF.  To be certified under the IAF Identity Assurance Program and be granted the right to use the Kantara Initiative Trust Mark, credential services must conform to all applicable criteria at the appropriate level.

Status and Readership

 

This document establishes normative Kantara requirements and is required reading for Kantara-Accredited Assessors and applicant Service Providers.  It will also be of interest to those wishing to gain a detailed knowledge of the workings of the Kantara Initiative’s Identity Assurance Framework.  It establishes the Service Assessment Criteria with which credential service providers must comply to be granted Kantara certification.

The description of criteria in this document is required reading for all organizations wishing to become Kantara-Approved credential services, and also for those wishing to become Kantara-Accredited Assessors.  It is also recommended reading for those involved in the governance and day-to-day administration of the Identity Assurance Framework.

This document will also be of interest to those seeking a detailed understanding of the operation of the Identity Assurance Framework but who are not actively involved in its operations or in services that may fall within the scope of the Framework.

Criteria Descriptions

The Service Assessment Criteria are organized by AL.  Subsections within each level describe the criteria that apply to specific functions.  The subsections are parallel.  Subsections describing the requirements for the same function at different levels of assurance have the same title. 

Each criterion includes three components: a unique alphanumeric tag, a short name, and the specific criterion (or criteria) associated with the tag.  The tag provides a unique reference for each criterion that assessors and service providers can use to refer to that criterion.  The name identifies the intended scope or purpose of the criterion.


The criteria are described as follows:

«ALn_CO_ZZZ#999»          «name»
The actual criterion at a given assurance level, stated as a requirement.

where the tag (e.g. AL1_CO_ESM#010) is made up of:
ALn      The assurance level at which this criterion applies.
CO       An abbreviated prefix for the specific SAC.
ZZZ      An abbreviation for the topic area to which the criterion relates.
#999     Tag sequence number, originally incremented by 10 to allow insertion once the SAC is first published.

and «name» is a short descriptive name for the criterion.


When a given criterion changes (i.e. becomes more rigorous) at higher Assurance Levels the new or revised text is shown in bold or ‘[Omitted]’ is indicated where text has been removed.  With the obvious exception of AL1, when a criterion is first introduced it is also shown in bold.

As noted in the above schematic, when originally prepared, the tags had numbers incrementing in multiples of ten to permit the later insertion of additional criteria.  Since then there has been addition and withdrawal of criteria.

Where a criterion is not used in a given AL but is used at a higher AL its place is held by the inclusion of a tag which is marked ‘No stipulation’.  A title and appropriate criteria will be added at the higher AL which occupies that position.  Since in general higher ALs have a greater extent of criteria than lower ALs, where a given AL extends no further through the numbering range, criteria beyond that value are by default omitted rather than being included but marked ‘No stipulation’.

Further, over time, some criteria have been removed, or withdrawn.  In order to avoid re-use of the tag, such tags are retained but marked ‘Withdrawn’.

Not only do these editorial practices preserve continuity they also guard against possible omission of a required criterion through an editing error.
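As an added illustration, not part of the SAC itself, the following Python parses criterion tags of the form described above and checks a set of criterion headings against the two editorial rules just stated: tags used at a higher AL within a lower AL's numbering range must be present (or held by ‘No stipulation’) at the lower AL, and every ‘No stipulation’ placeholder must be backed by a live criterion at some higher AL.  The tag pattern, the check logic and the sample headings are this example's own constructions modelled on the document's structure.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Tag format as described in the SAC: AL<level>_<SAC prefix>_<topic>#<sequence>,
# e.g. AL1_CO_ESM#010.  The regex is this example's reading of that description.
TAG_RE = re.compile(
    r"^AL(?P<level>[1-4])_(?P<sac>[A-Z]{2})_(?P<topic>[A-Z]{3})#(?P<seq>\d{3})$"
)
PLACEHOLDERS = ("No stipulation", "Withdrawn")


@dataclass(frozen=True)
class Criterion:
    level: int
    sac: str
    topic: str
    seq: int
    name: str

    @property
    def tag(self) -> str:
        return f"AL{self.level}_{self.sac}_{self.topic}#{self.seq:03d}"

    @property
    def is_live(self) -> bool:
        # A live criterion states a requirement; placeholders only hold a tag's place.
        return self.name not in PLACEHOLDERS


def parse_tag(tag: str) -> tuple[int, str, str, int]:
    """Split a tag into (assurance level, SAC prefix, topic, sequence number)."""
    m = TAG_RE.match(tag.strip())
    if m is None:
        raise ValueError(f"not a SAC criterion tag: {tag!r}")
    return int(m["level"]), m["sac"], m["topic"], int(m["seq"])


def parse_criteria(text: str) -> list[Criterion]:
    """Collect '<tag>  <short name>' heading lines; body and guidance lines are skipped."""
    found = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and TAG_RE.match(parts[0]):
            level, sac, topic, seq = parse_tag(parts[0])
            found.append(Criterion(level, sac, topic, seq, parts[1].strip()))
    return found


def check_continuity(criteria: list[Criterion]) -> list[str]:
    """Apply the SAC's two editorial rules for tag numbering within each (SAC, topic) group.

    Rule A: a sequence number carried (live or placeholder) at a higher AL, and lying
            within the numbering range a lower AL already reaches, must also appear at
            the lower AL.  Numbers beyond the lower AL's range are legitimately omitted.
    Rule B: a 'No stipulation' placeholder exists only to hold the place of a criterion
            used at a higher AL, so a live criterion must exist there.
    """
    groups: dict = defaultdict(dict)  # (sac, topic) -> level -> {seq: Criterion}
    for c in criteria:
        groups[(c.sac, c.topic)].setdefault(c.level, {})[c.seq] = c

    findings = []
    for (sac, topic), levels in sorted(groups.items()):
        for level, tags in sorted(levels.items()):
            reach = max(tags)
            higher_seqs = {seq for lv, t in levels.items() if lv > level for seq in t}
            for seq in sorted(higher_seqs):  # Rule A
                if seq <= reach and seq not in tags:
                    findings.append(
                        f"AL{level}_{sac}_{topic}#{seq:03d} missing: tag used at a "
                        f"higher AL within AL{level}'s numbering range"
                    )
            for seq, c in sorted(tags.items()):  # Rule B
                if c.name != "No stipulation":
                    continue
                backed = any(lv > level and seq in t and t[seq].is_live
                             for lv, t in levels.items())
                if not backed:
                    findings.append(f"{c.tag} is 'No stipulation' but no higher AL defines it")
    return findings


# Constructed excerpt mirroring the document's AL1/AL2 ESM headings: consistent.
SAMPLE_OK = """
AL1_CO_ESM#010            Established enterprise
Be a valid legal entity ...
AL1_CO_ESM#020            Withdrawn
Withdrawn
AL1_CO_ESM#030            Legal & Contractual compliance
AL1_CO_ESM#040            No stipulation
AL1_CO_ESM#050            No stipulation
AL1_CO_ESM#055            Termination provisions
AL2_CO_ESM#010            Established enterprise
AL2_CO_ESM#020            Withdrawn
AL2_CO_ESM#030            Legal & Contractual compliance
AL2_CO_ESM#040            Financial Provisions
AL2_CO_ESM#050            Data Retention and Protection
AL2_CO_ESM#055            Termination provisions
"""

# Constructed, deliberately inconsistent set (NUI#045 and the names are invented):
# AL2 uses #045 inside AL1's range without a placeholder at AL1, and AL1's #060
# placeholder is backed by nothing at AL2.
SAMPLE_BAD = """
AL1_CO_NUI#010            General Service Definition
AL1_CO_NUI#060            No stipulation
AL2_CO_NUI#010            General Service Definition
AL2_CO_NUI#045            Fee Schedule
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_continuity(parse_criteria(sample)) or "no findings")
```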

Terminology

All special terms used in this document are defined in the IAF Glossary, which can be found on Kantara’s Identity Assurance Framework - General Information page.

Note that when, in these criteria, the term ‘Subscriber’ is used it applies equally to ‘Subscriber’ and ‘Subject’ as defined in the IAF Glossary, according to the context in which used.  The term ‘Subject’ is used when the reference is explicitly toward that party.

4       COMMON ORGANIZATIONAL SERVICE ASSESSMENT CRITERIA

The Service Assessment Criteria in this section establish the general business and organizational requirements for compliance of services and service providers at all Assurance Levels (AL) – refer to Section 2.  These criteria are generally referred to elsewhere within IAWG documentation as CO-SAC and can be identified by their tag “ALn_CO_xxxx”.

All applicants for certification, whether Service Components or Full Service Providers, must comply with these criteria.

Assurance Level 1

4.1.1     Enterprise and Service Maturity

These criteria apply to the establishment of the organization offering the service and its basic standing as a legal and operational business entity within its respective jurisdiction or country.

An enterprise and its specified service must:

AL1_CO_ESM#010            Established enterprise

Be a valid legal entity, and a person with the legal authority to commit the organization must submit the signed assessment application package.

AL1_CO_ESM#020            Withdrawn

Withdrawn  

AL1_CO_ESM#030            Legal & Contractual compliance

Demonstrate that it understands and complies with any legal requirements incumbent on it in connection with operation and delivery of the specified service, accounting for all jurisdictions and countries within which its services may be used.

Guidance: ‘Understanding’ is implicitly the correct understanding.  Both it and compliance are required because it could be that understanding is incomplete, incorrect or even absent, even though compliance is apparent, and similarly, correct understanding may not necessarily result in full compliance.  The two are therefore complementary.

AL1_CO_ESM#040            No stipulation

AL1_CO_ESM#050            No stipulation

AL1_CO_ESM#055            Termination provisions

Define the practices in place for the protection of Subjects' private and secret information related to their use of the service.  These practices must ensure the ongoing secure preservation and protection of legally required records and the secure destruction and disposal of any such information whose retention is no longer legally required.  Specific details of these practices must be made available.

Guidance: Termination covers the cessation of the business activities, the service provider itself ceasing business operations altogether, change of ownership of the service-providing business, and other similar events which change the status and/or operations of the service provider in any way which interrupts the continued provision of the specific service.

4.1.2     Notices and User information

These criteria address the publication of information describing the service and the manner of and any limitations upon its provision.

An enterprise and its specified service must:

AL1_CO_NUI#010             General Service Definition

Make available to the intended user community a Service Definition that includes all applicable Terms, Conditions, and Fees, including any limitations of its usage.  Specific provisions are stated in further criteria in this section.

Guidance: The intended user community encompasses potential and actual Subscribers, Subjects, and relying parties.

AL1_CO_NUI#020             Service Definition inclusions

Make available a Service Definition for the specified service containing clauses that provide the following information:

a)              a Privacy Policy that complies with the Kantara Federal Privacy Policy

 

AL1_CO_NUI#030             Due notification

Have in place and follow appropriate policy and procedures to ensure that it notifies Users in a timely and reliable fashion of any changes to the Service Definition and any applicable Terms, Conditions, and the required Privacy Policy for the specified service.

AL1_CO_NUI#040             User Acceptance

Require Subscribers and Subjects to:

a)              indicate, prior to receiving service, that they have read and accept the terms of service as defined in the Service Definition;

b)             at periodic intervals, determined by significant service provision events (e.g. issuance, re-issuance, renewal), re-affirm their understanding and observance of the terms of service;

c)              always provide full and correct responses to requests for information.

AL1_CO_NUI#050             Record of User Acceptance

Obtain a record (hard-copy or electronic) of the Subscriber's and Subject’s acceptance of the terms and conditions of service, prior to initiating the service and thereafter at periodic intervals, determined by significant service provision events (e.g. re-issuance, renewal).

 

4.1.3     Not used

4.1.4     Not used

4.1.5     Not used

4.1.6     Not used

4.1.7     Secure Communications

AL1_CO_SCO#010            No stipulation

AL1_CO_SCO#020            Limited access to shared secrets

Ensure that:

a)              access to shared secrets shall be subject to discretionary controls which permit access to those roles/applications needing such access;

b)             stored shared secrets are not held in their plaintext form unless given adequate physical or logical protection;

c)              any passwords or secrets transmitted across a public or unsecured network are encrypted and are never sent in plaintext.


Assurance Level 2


4.1.8     Enterprise and Service Maturity

These criteria apply to the establishment of the enterprise offering the service and its basic standing as a legal and operational business entity.

An enterprise and its specified service must:

AL2_CO_ESM#010            Established enterprise

Be a valid legal entity, and a person with legal authority to commit the organization must submit the signed application for certification.

AL2_CO_ESM#020            Withdrawn

Withdrawn

AL2_CO_ESM#030            Legal & Contractual compliance

Demonstrate that it understands and complies with any legal requirements incumbent on it in connection with the operation and delivery of the specified service, accounting for all jurisdictions within which its services may be offered.  Any specific contractual requirements shall also be identified.

Guidance: Kantara Initiative will not certify a service which is not fully released for the provision of services to its intended user/client community.  Systems, or parts thereof, which are not fully proven and released shall not be considered in an assessment and therefore should not be included within the scope of the application.  Parts of systems still under development, or even still being planned, are therefore ineligible for inclusion within the scope of assessment.

AL2_CO_ESM#040            Financial Provisions

Provide documentation of financial resources that support the continued operation of the service and demonstrate appropriate liability processes and procedures that satisfy the degree of liability exposure being carried.

Guidance: The organization must show that it has the financial resources to operate the service for at least a twelve-month period, with a clear review of the budgetary planning within that period so as to keep the budgetary provisions extended.  It must also show how it has determined the degree of liability protection required, in view of its exposure per ‘service’ and the number of users it has.  This criterion helps ensure that Kantara Initiative does not certify services that are not likely to be sustainable over at least this minimum period of time.

AL2_CO_ESM#050            Data Retention and Protection

Specifically set out and demonstrate that it understands and complies with those legal and regulatory requirements incumbent upon it concerning the retention and destruction of personally identifiable information (PII), both personal and business (i.e. its secure storage and protection against loss, accidental public exposure, and/or improper destruction), and the protection of Subjects’ PII against unlawful or unauthorized access (excepting that permitted by the information owner or required by due process).

Guidance: Note that whereas the criterion is intended to address unlawful or unauthorized access arising from malicious or careless actions (or inaction), some access may be unlawful UNLESS authorized by the Subscriber or Subject, or effected as a part of a specifically-executed legal process.

AL2_CO_ESM#055            Termination provisions

Define the practices in place for the protection of Subjects’ PII related to their use of the service.  These practices must ensure the ongoing secure preservation and protection of legally required records and the secure destruction and disposal of any such information whose retention is no longer legally required.  Specific details of these practices must be made available.

Guidance: Termination covers the cessation of the business activities, the service provider itself ceasing business operations altogether, change of ownership of the service-providing business, and other similar events which change the status and/or operations of the service provider in any way which interrupts the continued provision of the specific service.

4.1.9     Notices and User Information/Agreements

These criteria apply to the publication of information describing the service and the manner of and any limitations upon its provision, and how users are required to accept those terms.

An enterprise and its specified service must:

AL2_CO_NUI#010             General Service Definition

Make available to the intended user community a Service Definition that includes all applicable Terms, Conditions, and Fees, including any limitations of its usage, and definitions of any terms having specific intention or interpretation.  Specific provisions are stated in further criteria in this section.

Guidance: The intended user community encompasses potential and actual Subscribers, Subjects, and relying parties.

AL2_CO_NUI#020             Service Definition inclusions

Make available a Service Definition for the specified service containing clauses that provide the following information:

a)             Privacy, Identity Proofing & Verification, and Revocation and Termination Policies; 

b)             the country in, or legal jurisdiction under, which the service is operated;

c)              if different from the above, the legal jurisdiction under which agreements with Subscribers and any relying parties are entered into;

d)             applicable legislation with which the service complies;

e)             obligations incumbent upon the CSP;

f)              obligations incumbent upon the Subscriber/Subject;

g)             notifications and guidance for relying parties, especially in respect of actions they are expected to take should they choose to rely upon the service;

h)             statement of warranties;

i)              statement of liabilities toward Subscribers, Subjects and Relying Parties;

j)              procedures for notification of changes to terms and conditions;

k)             steps the CSP will take in the event that it chooses or is obliged to terminate the service;

l)              availability of the specified service per se and of its help desk facility.

AL2_CO_NUI#030             Due notification

Have in place and follow appropriate policy and procedures to ensure that it notifies Subscribers and Subjects in a timely and reliable fashion of any changes to the Service Definition and any applicable Terms, Conditions, Fees, and Privacy Policy for the specified service, and provide a clear means by which Subscribers and Subjects must indicate that they wish to accept the new terms or terminate their subscription.

AL2_CO_NUI#040             User Acceptance

Require Subscribers and Subjects to:

a)         indicate, prior to receiving service, that they have read and accept the terms of service as defined in the Service Definition;

b)         at periodic intervals, determined by significant service provision events (e.g. issuance, re-issuance, renewal) and otherwise at least once every five years, re-affirm their understanding and observance of the terms of service;

c)         always provide full and correct responses to requests for information.

AL2_CO_NUI#050             Record of User Acceptance

Obtain a record (hard-copy or electronic) of the Subscriber's and Subject’s acceptance of the terms and conditions of service, prior to initiating the service and thereafter at periodic intervals, determined by significant service provision events (e.g. re-issuance, renewal) and otherwise at least once every five years.

AL2_CO_NUI#060             Withdrawn

Withdrawn.

AL2_CO_NUI#070             Change of Subscriber Information

Require and provide the mechanisms for Subscribers and Subjects to provide, in a timely manner, full and correct amendments should any of their recorded information change, as required under the terms of their use of the service, and only after the Subscriber's and/or Subject’s identity has been authenticated.

AL2_CO_NUI#080             Withdrawn

Withdrawn.

4.1.10 Information Security Management

These criteria address the way in which the enterprise manages the security requirements of its business, the specified service, and the information it holds relating to its user community.  This section focuses on the key components that comprise a well-established and effective Information Security Management System (ISMS), or other IT security management methodology recognized by a government or professional body.

An enterprise and its specified service must:

AL2_CO_ISM#010             Documented policies and procedures

Document all security-relevant administrative, management, and technical policies and procedures.  The enterprise must ensure that these are based upon recognized standards, published references or organizational guidelines which are adequate for the specified service, and are implemented in the manner intended.

AL2_CO_ISM#020             Policy Management and Responsibility

Have a clearly defined managerial role, at a senior level, in which full responsibility for the business's security policies is vested and from which review, approval, and promulgation of policy and related procedures is applied and managed.  The latest approved versions of these policies must be applied at all times.

AL2_CO_ISM#030             Risk Management

Demonstrate a risk management methodology that adequately identifies and mitigates risks related to the specified service and its user community.

AL2_CO_ISM#040             Continuity of Operations Plan

Have, and keep up to date, a Continuity of Operations Plan that covers disaster recovery and the resilience of the specified service.

AL2_CO_ISM#050             Configuration Management

Demonstrate that there is a configuration management system in place that at least includes:

a)             version control for software system components;

b)             timely identification and installation of all organizationally-approved patches for any software used in the provisioning of the specified service.

AL2_CO_ISM#060             Quality Management

Demonstrate that there is a quality management system in place that is appropriate for the specified service.

AL2_CO_ISM#070             System Installation and Operation Controls

Apply controls during system development, procurement, installation, and operation that protect the security and integrity of the system environment, hardware, software, and communications.

AL2_CO_ISM#080             Internal Service Audit

Be subjected to a first-party audit, at least once every 12 months, of the effective provision of the specified service by an independent internal audit function of the enterprise responsible for the specified service, unless it can show that by reason of its organizational size or due to other operational restrictions it is unreasonable to be so audited.

Guidance:  ‘First-party’ audits are those conducted by an independent part of the same organization which offers the service.  The auditors cannot be involved in the specification, development or operation of the service.
Using a ‘third-party’ auditor (i.e. one having no relationship with the Service Provider nor any vested interests in the outcome of the assessment other than their professional obligations to perform the assessment objectively and independently) should be considered when the organization cannot easily provide truly independent internal resources but wishes to benefit from the value which audits can provide.  This could be accomplished by fulfilling the AL2_CO_ISM#090 requirement on a 12-monthly basis.

AL2_CO_ISM#090             Independent Audit

Be subjected to a third-party audit at least every 24 months to ensure the organization's security-related practices are consistent with the policies and procedures for the specified service and the applicable SAC.

Guidance: The appointed auditor should have appropriate accreditation or other acceptable experience and qualification, comparable to that required of Kantara-Accredited Assessors.  It is expected that it will be cost-effective for the organization to use the same Kantara-Accredited Assessor for the purposes of fulfilling this criterion as they do for the maintenance of their grant of Kantara certification.

AL2_CO_ISM#100             Audit Records

Retain records of all audits, both internal and independent, for a period which, as a minimum, fulfills its legal obligations and otherwise for greater periods either as it may have committed to in its Service Definition or required by any other obligations it has with/to a Subscriber or Subject, and which in any event is not less than 36 months.  Such records must be held securely and be protected against unauthorized access, loss, alteration, public disclosure, or unapproved destruction.

AL2_CO_ISM#110             Withdrawn

Withdrawn.

 

4.1.11 Security-relevant Event (Audit) Records

These criteria apply to the need to provide an auditable log of all events that are pertinent to the correct and secure operation of the service.

An enterprise and its specified service must:

AL2_CO_SER#010             Security event logging

Maintain a log of all relevant security events affecting the operation of the service, together with an accurate record of the time and date at which each event occurred (time-stamp) and of the individual who performed the action, and retain such records with appropriate protection and controls to ensure successful retrieval, accounting for the Service Definition, risk management requirements, applicable legislation, and organizational policy.

Guidance:  It is sufficient that the accuracy of the time source is based upon an internal computer/system clock synchronized to an Internet time source.  The time source need not be authenticatable.

 

4.1.12 Operational infrastructure

These criteria apply to the infrastructure within which the delivery of the specified service takes place.  These criteria emphasize the personnel involved and their selection, training, and duties.

An enterprise and its specified service must:

AL2_CO_OPN#010            Technical security

Demonstrate that the technical controls employed will provide the level of security protection required by the risk assessment and the ISMS, or other IT security management methods recognized by a government or professional body, and that these controls are effectively integrated with the applicable procedural and physical security measures.

Guidance: Appropriate technical controls, suited to this Assurance Level, should be selected from [NIST800-63-1] or its equivalent, as established by a recognized national technical authority.

AL2_CO_OPN#020            Defined security roles

Define, by means of a job description, the roles and responsibilities for each service-related security-relevant task, relating it to specific procedures (which shall be set out in the ISMS, or other IT security management methodology recognized by a government or professional body) and to other service-related job descriptions.  Where the role is security-critical or where special privileges or shared duties exist, these must be specifically identified as such, including the applicable access privileges relating to logical and physical parts of the service's operations.

AL2_CO_OPN#030            Personnel recruitment

Demonstrate that it has defined practices for the selection, evaluation, and contracting of all service-related personnel, both direct employees and those whose services are provided by third parties.

AL2_CO_OPN#040            Personnel skills

Ensure that employees are sufficiently trained, qualified, experienced, and current for the roles they fulfill.  Such measures must be accomplished either by recruitment practices or through a specific training program.  Where employees are undergoing on-the-job training, they must only do so under the guidance of a mentor possessing the defined service experiences for the training being provided.

AL2_CO_OPN#050            Adequacy of Personnel resources

Have sufficient qualified staff to adequately operate and resource the specified service according to its policies and procedures.

AL2_CO_OPN#060            Physical access control

Apply physical access control mechanisms to ensure that:

a)             access to sensitive areas is restricted to authorized personnel;

b)             all removable media and paper documents containing sensitive information as plain-text are stored in secure containers.

Require a minimum of two-person physical access control when accessing any cryptographic modules.

AL2_CO_OPN#070            Logical access control

Employ logical access control mechanisms that ensure access to sensitive system functions and controls is restricted to authorized personnel.

 

4.1.13 External Services and Components

These criteria address the relationships with and obligations upon contracted parties, both to apply the policies and procedures of the enterprise and also to be available for assessment as critical parts of the overall service provision.

An enterprise and its specified service must:

AL2_CO_ESC#010             Contracted policies and procedures

Where the enterprise uses external suppliers for specific packaged components of the service or for resources that are integrated with its own operations and under its control, ensure that those suppliers are engaged through reliable and appropriate contractual arrangements which stipulate which critical policies, procedures, and practices the sub-contractors are required to fulfill.

AL2_CO_ESC#020             Visibility of contracted parties

Where the enterprise uses external suppliers as noted above, ensure that the suppliers' compliance with contractually-stipulated policies and procedures, and thus with the IAF Service Assessment Criteria, can be independently verified, and subsequently monitored if necessary.

 

4.1.14 Secure Communications

An enterprise and its specified service must:

AL2_CO_SCO#010            Secure remote communications

If the specific service components are located remotely from and communicate over a public or unsecured network with other service components or other CSPs which it services, the communications must be cryptographically authenticated, including long-term and session tokens, by an authentication method that meets, at a minimum, the requirements of AL2 and encrypted using a [FIPS140-2] Level 1-compliant encryption method or equivalent, as established by a recognized national technical authority.

AL2_CO_SCO#015            Verification / Authentication confirmation messages

Ensure that any verification or confirmation of authentication messages, which asserts either that a weakly bound credential is valid or that a strongly bound credential has not been subsequently revoked, is logically bound to the credential and that the message, the logical binding, and the credential are all transmitted within a single integrity-protected session between the service and the Verifier / Relying Party.

AL2_CO_SCO#016            Verification of Revoked Credential

When a verification / authentication request results in notification of a revoked credential one of the following measures shall be taken:

a)             the confirmation message shall be time-stamped, or;

b)             the session keys shall expire with an expiration time no longer than that of the applicable revocation list, or;

c)              the time-stamped message, binding, and credential shall all be signed by the service.
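As an added illustration (example code written for this page, not part of the IAF criteria or of any Kantara artefact), the following Python sketches one way a service could satisfy AL2_CO_SCO#015 together with option (c) of AL2_CO_SCO#016: the confirmation message carries a hash of the presented credential (the logical binding), a time-stamp and the revocation list's next-update time, and the whole unit is signed by the service before being sent within the integrity-protected session.  The Relying Party side verifies the signature, the binding and the freshness in that order, and a separate check applies option (b) to session-key expiry.  The service key, credential bytes, times and status values are constructed for the example, and HMAC-SHA-256 stands in for the service's digital signature; that substitution is an assumption, since a shared MAC key requires a different trust arrangement than a public-key signature.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumption for this example: the service "signs" confirmations with HMAC-SHA-256
# under a key shared with the Relying Party. A production service would use a
# digital signature (e.g. ECDSA over the same canonical bytes) so the RP only
# needs the service's public key; binding and time-stamping work the same way.
SERVICE_KEY = b"example-only-service-key"   # constructed for the example


def credential_digest(credential: bytes) -> str:
    """Logical binding (AL2_CO_SCO#015): hash of the exact credential presented
    in this session, so the confirmation cannot be replayed for another one."""
    return hashlib.sha256(credential).hexdigest()


def canonical(message: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def sign(message: dict) -> str:
    return hmac.new(SERVICE_KEY, canonical(message), hashlib.sha256).hexdigest()


def build_confirmation(credential: bytes, status: str, now: datetime,
                       crl_next_update: datetime) -> tuple:
    """Service side (AL2_CO_SCO#016 option c): time-stamped message, binding and
    status are signed together as a single unit."""
    message = {
        "credential_sha256": credential_digest(credential),
        "status": status,                          # "valid" or "revoked"
        "issued_at": now.isoformat(),
        "crl_next_update": crl_next_update.isoformat(),
    }
    return message, sign(message)


def relying_party_accept(credential: bytes, message: dict, tag: str,
                         now: datetime, max_age: timedelta) -> tuple:
    """RP side: check the signature first (so untrusted fields are never acted
    on), then the binding to the credential actually presented, then freshness.
    Returns (accepted, status_or_reason)."""
    if not hmac.compare_digest(sign(message), tag):
        return False, "bad signature"
    if message["credential_sha256"] != credential_digest(credential):
        return False, "not bound to presented credential"
    issued = datetime.fromisoformat(message["issued_at"])
    if not (now - max_age <= issued <= now):
        return False, "stale or future-dated"
    return True, message["status"]


def session_expiry_acceptable(session_expires: datetime,
                              crl_next_update: datetime) -> bool:
    """AL2_CO_SCO#016 option b: the session keys must not outlive the revocation
    list against which the credential was checked."""
    return session_expires <= crl_next_update


def demo() -> dict:
    # Constructed inputs: a revoked credential and a CRL valid for six more hours.
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    crl_next = now + timedelta(hours=6)
    cred = b"credential:alice:serial=1234"
    message, tag = build_confirmation(cred, "revoked", now, crl_next)
    max_age = timedelta(minutes=5)

    tampered = dict(message, status="valid")    # attacker flips revoked -> valid
    return {
        "genuine": relying_party_accept(cred, message, tag, now + timedelta(seconds=30), max_age),
        "tampered_status": relying_party_accept(cred, tampered, tag, now, max_age),
        "other_credential": relying_party_accept(b"credential:bob:serial=9", message, tag, now, max_age),
        "replayed_later": relying_party_accept(cred, message, tag, now + timedelta(hours=1), max_age),
        "session_1h_ok": session_expiry_acceptable(now + timedelta(hours=1), crl_next),
        "session_7h_ok": session_expiry_acceptable(now + timedelta(hours=7), crl_next),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The ordering in relying_party_accept is deliberate: a forged or altered message is rejected before any field in it is trusted, and the binding check stops a genuine "valid" confirmation for one credential from being replayed for another within the same session.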

AL2_CO_SCO#020            Limited access to shared secrets

Ensure that:

a)              access to shared secrets shall be subject to discretionary controls that only permit access by those roles/applications requiring such access;

b)             stored shared secrets are not held in their plaintext form unless given adequate physical or logical protection;

c)              any long-term (i.e., not session) shared secrets are revealed only to the Subject or to the CSP’s direct agents (bearing in mind (a) above).


Guidance: These roles should be defined and documented by the CSP in accordance with AL2_CO_OPN#020 above.

AL2_CO_SCO#030            Logical protection of shared secrets

Ensure that one of the following methods is used to protect shared secrets:

a)         concatenation of the password to a salt and/or username which is then hashed with an Approved algorithm such that the computations used to conduct a dictionary or exhaustion attack on a stolen password file are not useful to attack other similar password files, or;

b)         encryption using an Approved algorithm and modes, and the shared secret decrypted only when immediately required for authentication, or;

c)         any secure method allowed to protect shared secrets at Level 3 or 4.
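To make option (a) concrete, here is an added Python example (written for this page, not part of the IAF text) that stores shared secrets as salted, iterated hashes and shows why the salt matters: the same password recorded in two separate password files yields unrelated digests, so a dictionary table or cracking effort built against one stolen file does not transfer to the other, whereas the unsalted form shown beside it for contrast does transfer.  PBKDF2 with HMAC-SHA-256 is used as the Approved algorithm; the iteration count, the sample usernames and the passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Approved algorithm used here: PBKDF2 with HMAC-SHA-256 (NIST SP 800-132).
# The iteration count is an assumption for the example, not a value from the IAF.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_LEN = 16


def hash_unsalted(password: str) -> str:
    """Non-compliant form, shown for contrast: a bare hash of the password.
    Equal passwords give equal digests in every file, so a dictionary table
    built against one stolen file cracks the same entries in all of them."""
    return hashlib.sha256(password.encode()).hexdigest()


def _material(username: str, password: str) -> bytes:
    # NUL separator avoids ambiguity between e.g. ("alice", "x") and ("alic", "ex").
    return password.encode() + b"\x00" + username.encode()


def make_record(username: str, password: str, salt=None) -> dict:
    """Option (a): concatenate the password with the username and a random
    per-record salt, then hash with the Approved algorithm."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(HASH_NAME, _material(username, password), salt, ITERATIONS)
    return {"user": username, "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(HASH_NAME, _material(record["user"], password),
                                 bytes.fromhex(record["salt"]), ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def precomputation_transfers(file_a: list, file_b: list) -> bool:
    """True if any digest in file A also appears in file B: cracking A would
    then directly reveal a secret in B, which the criterion is meant to prevent."""
    hashes_a = {r["hash"] for r in file_a}
    return any(r["hash"] in hashes_a for r in file_b)


def demo() -> dict:
    # Constructed sample: two CSPs' password files in which 'alice' reuses one password.
    pw = "correct horse battery staple"
    weak_a = [{"user": "alice", "hash": hash_unsalted(pw)}]
    weak_b = [{"user": "alice", "hash": hash_unsalted(pw)}]
    strong_a = [make_record("alice", pw)]
    strong_b = [make_record("alice", pw)]
    # Same password and salt but a different username also yields a different digest.
    fixed_salt = bytes(SALT_LEN)
    return {
        "unsalted_transfers": precomputation_transfers(weak_a, weak_b),
        "salted_transfers": precomputation_transfers(strong_a, strong_b),
        "username_in_hash": (make_record("alice", pw, fixed_salt)["hash"]
                             != make_record("bob", pw, fixed_salt)["hash"]),
        "verify_ok": verify(strong_a[0], pw),
        "verify_wrong": verify(strong_a[0], "Tr0ub4dor&3"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the salt is stored in the clear beside the digest; its job is not secrecy but uniqueness, which is what stops work done against one file from being reused against another.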

 


Assurance Level 3

Achieving AL3 requires meeting more stringent criteria in addition to all criteria required to achieve AL2. 

4.1.15 Enterprise and Service Maturity

Criteria in this section address the establishment of the enterprise offering the service and its basic standing as a legal and operational business entity.

An enterprise and its specified service must:

AL3_CO_ESM#010            Established enterprise

Be a valid legal entity, and a person with legal authority to commit the organization must submit the signed certification application.

AL3_CO_ESM#020            Withdrawn

Withdrawn

AL3_CO_ESM#030            Legal & Contractual compliance

Demonstrate that it understands and complies with any legal requirements incumbent on it in connection with operation and delivery of the specified service, accounting for all jurisdictions within which its services may be offered.  Any specific contractual requirements shall also be identified.

Guidance: Kantara Initiative will not certify a service which is not fully released to provide services to its intended user/client community.  Systems, or parts thereof, which are not fully proven and released shall not be considered in an assessment and therefore should not be included within the scope of the certification application.  Parts of systems still under development, or still being planned, are therefore ineligible for inclusion within the scope of assessment.

AL3_CO_ESM#040            Financial Provisions

Provide documentation of financial resources that support the continued operation of the service, and demonstrate appropriate liability processes and procedures that satisfy the degree of liability exposure being carried.

Guidance: The organization must show that it has the financial resources to operate the service for at least a twelve-month period, with a clear review of the budgetary planning within that period so as to keep the budgetary provisions extended.  It must also show how it has determined the degree of liability protection required, in view of its exposure per ‘service’ and the number of users it has.  This criterion helps ensure that Kantara Initiative does not grant certification to services that are not likely to be sustainable over at least this minimum period of time.

AL3_CO_ESM#050            Data Retention and Protection

Specifically set out and demonstrate that it understands and complies with those legal and regulatory requirements incumbent upon it concerning the retention and destruction of personally identifiable information (PII), both personal and business (i.e. its secure storage and protection against loss, accidental public exposure, and/or improper destruction), and the protection of Subjects’ PII against unlawful or unauthorized access, excepting that permitted by the information owner or required by due process.

Guidance: Note that while the criterion is primarily intended to address unlawful or unauthorized access arising from malicious or careless actions (or inaction), some access is lawful only when authorized by the Subscriber or Subject, or effected as a part of a specifically-executed legal process.

AL3_CO_ESM#055            Termination provisions

Define the practices in place for the protection of Subjects' PII related to their use of the service, which must ensure the ongoing secure preservation and protection of legally required records and the secure destruction and disposal of any such information whose retention is no longer legally required.  Specific details of these practices must be made available.

Guidance: Termination covers the cessation of the business activities, the service provider itself ceasing business operations altogether, change of ownership of the service-providing business, and other similar events which change the status and/or operations of the service provider in any way which interrupts the continued provision of the specific service.

AL3_CO_ESM#060            Ownership

If the enterprise named as the CSP is a part of a larger entity, the nature of the relationship with its parent organization shall be disclosed to the assessors and, on their request, to customers.

AL3_CO_ESM#070            Independent management and operations

Demonstrate that, for the purposes of providing the specified service, its management and operational structures are distinct, autonomous, have discrete legal accountability, and operate according to separate policies, procedures, and controls.

 

4.1.16 Notices and User Information

Criteria in this section address the publication of information describing the service and the manner of and any limitations upon its provision, and how users are required to accept those terms.

An enterprise and its specified service must:

AL3_CO_NUI#010             General Service Definition

Make available to the intended user community a Service Definition that includes all applicable Terms, Conditions, and Fees, including any limitations of its usage, and definitions of any terms having specific intention or interpretation.  Specific provisions are stated in further criteria in this section.

Guidance: The intended user community includes potential and actual Subscribers, Subjects and relying parties.

AL3_CO_NUI#020             Service Definition inclusions

Make available a Service Definition for the specified service containing clauses that provide the following information:

a)              Privacy, Identity Proofing & Verification, and Revocation and Termination Policies; 

b)             the country in or the legal jurisdiction under which the service is operated;

c)              if different to the above, the legal jurisdiction under which Subscriber and any relying party agreements are entered into;

d)             applicable legislation with which the service complies;

e)              obligations incumbent upon the CSP;

f)              obligations incumbent upon the Subscriber and Subject;

g)              notifications and guidance for relying parties, especially in respect of actions they are expected to take should they choose to rely upon the service's product;

h)             statement of warranties;

i)               statement of liabilities toward both Subjects and Relying Parties;

j)               procedures for notification of changes to terms and conditions;

k)             steps the CSP will take in the event that it chooses or is obliged to terminate the service;

l)               availability of the specified service per se and of its help desk facility.

AL3_CO_NUI#030             Due notification

Have in place and follow appropriate policy and procedures to ensure that it notifies Subscribers and Subjects in a timely and reliable fashion of any changes to the Service Definition and any applicable Terms, Conditions, Fees, and Privacy Policy for the specified service, and provide a clear means by which Subscribers and Subjects must indicate that they wish to accept the new terms or terminate their subscription.

AL3_CO_NUI#040             User Acceptance

Require Subscribers and Subjects to:

a)         indicate, prior to receiving service, that they have read and accept the terms of service as defined in the Service Definition;

b)         at periodic intervals, determined by significant service provision events (e.g. issuance, re-issuance, renewal) and otherwise at least once every five years, re-affirm their understanding and observance of the terms of service;

c)         always provide full and correct responses to requests for information.

AL3_CO_NUI#050             Record of User Acceptance

Obtain a record (hard-copy or electronic) of the Subscriber’s and Subject’s acceptance of the terms and conditions of service, prior to initiating the service and thereafter reaffirm the agreement at periodic intervals, determined by significant service provision events (e.g. re-issuance, renewal) and otherwise at least once every five years.

AL3_CO_NUI#060             Withdrawn

Withdrawn.

AL3_CO_NUI#070             Change of Subscriber Information

Require and provide the mechanisms for Subscribers and Subjects to provide in a timely manner full and correct amendments should any of their recorded information change, as required under the terms of their use of the service, and only after the Subscriber's and/or Subject’s identity has been authenticated.

AL3_CO_NUI#080             Withdrawn

Withdrawn.

 

4.1.17 Information Security Management

These criteria address the way in which the enterprise manages the security of its business, the specified service, and the information it holds relating to its user community.  This section focuses on the key components of a well-established and effective Information Security Management System (ISMS), or other IT security management methodology recognized by a government or professional body.

An enterprise and its specified service must:

AL3_CO_ISM#010             Documented policies and procedures

Document all security-relevant administrative, management, and technical policies and procedures.  The enterprise must ensure that these are based upon recognized standards, published references or organizational guidelines, are adequate for the specified service, and are implemented in the manner intended.

AL3_CO_ISM#020             Policy Management and Responsibility

Have a clearly defined managerial role, at a senior level, in which full responsibility for the business’ security policies is vested and from which review, approval, and promulgation of policy and related procedures is applied and managed.  The latest approved versions of these policies must be applied at all times.

AL3_CO_ISM#030             Risk Management

Demonstrate a risk management methodology that adequately identifies and mitigates risks related to the specified service and its user community, and show that a risk assessment review is performed at least once every six months and that the methodology adheres to recognized practices such as Control Objectives for Information and Related Technology (COBIT) or [ISO27001].

AL3_CO_ISM#040             Continuity of Operations Plan

Have, and keep updated, a Continuity of Operations Plan that covers disaster recovery and the resilience of the specified service, and show that a review of this plan is performed at least once every six months.

AL3_CO_ISM#050             Configuration Management

Demonstrate that there is in place a configuration management system that at least includes:

a)              version control for software system components;

b)             timely identification and installation of all organizationally-approved patches for any software used in the provisioning of the specified service;

c)              version control and managed distribution for all documentation associated with the specification, management, and operation of the system, covering both internal and publicly available materials.

AL3_CO_ISM#060             Quality Management

Demonstrate that there is in place a quality management system that is appropriate for the specified service.

AL3_CO_ISM#070             System Installation and Operation Controls

Apply controls during system development, procurement, installation, and operation that protect the security and integrity of the system environment, hardware, software, and communications, with particular regard to:

a)             the software and hardware development environments, for customized components;

b)             the procurement process for commercial off-the-shelf (COTS) components;

c)              contracted consultancy/support services;

d)             shipment of system components;

e)             storage of system components;

f)              installation environment security;

g)             system configuration;

h)             transfer to operational status.

AL3_CO_ISM#080             Internal Service Audit

Perform, and submit the report of, a first-party audit of the effective provision of the specified service by an independent internal audit function of the enterprise at least once every 12 months, unless it can show that by reason of its organizational size or due to other justifiable operational restrictions it is unreasonable to be so audited.

Guidance:  ‘First-party’ audits are those undertaken by an independent part of the same organization which offers the service.  The auditors cannot be involved in the specification, development or operation of the service.

Using the third-party audit required by AL3_CO_ISM#090 in place of an internal audit function is not an acceptable means of fulfilling this criterion.  Management systems require that internal audit be conducted as an inherent part of management review processes.  Third-party audit of the management system is a fully separate requirement, intended to show that the internal management system controls are being appropriately applied.

AL3_CO_ISM#090             Independent Audit

Perform, and submit the results of, a third-party audit of the organization’s security-related practices at least every 12 months to ensure that they are consistent with the policies and procedures for the specified service and the applicable SAC.

Guidance: ‘Third-party’ audits are undertaken by assessors who have no relationship with the Service Provider nor any vested interests in the outcome of the assessment other than their professional obligations to perform the assessment objectively and independently.  The appointed auditor should have appropriate accreditation or other acceptable experience and qualification, comparable to that required of Kantara-Accredited Assessors.  It is expected that it will be cost-effective for the organization to use the same Kantara-Accredited Assessor for the purposes of fulfilling this criterion as they do for the maintenance of their grant of Kantara certification.

AL3_CO_ISM#100             Audit Records

Retain records of all audits, both internal and independent, for a period which, as a minimum, fulfills its legal obligations, and otherwise for such greater periods as it may have committed to in its Service Definition or as required by any other obligations it has with/to a Subscriber or Subject, and which in any event is not less than 36 months.  Such records must be held securely and be protected against unauthorized access, loss, alteration, public disclosure, or unapproved destruction.

AL3_CO_ISM#110             Withdrawn

Withdrawn.

AL3_CO_ISM#120             Best Practice Security Management

Have in place an Information Security Management System (ISMS), or other IT security management methodology recognized by a government or professional body, that follows best practices as accepted by the information security industry and that is appropriate to the CSP in question.  All requirements expressed in preceding criteria in this section must inter alia fall wholly within the scope of this ISMS or selected recognized alternative.

Guidance:  The auditors determining that this ISMS meets the above requirement must be appropriately qualified in assessing the specific management system or methodology applied.

4.1.18 Security-Relevant Event (Audit) Records

The criteria in this section state the need for an auditable log of all events that are pertinent to the correct and secure operation of the service.

An enterprise and its specified service must:

AL3_CO_SER#010             Security Event Logging

Maintain a log of all relevant security events affecting the operation of the service, together with an accurate record of the time and date at which each event occurred (time-stamp) and of the individual who performed the action, and retain such records with appropriate protection and controls to ensure successful retrieval, accounting for the Service Definition, risk management requirements, applicable legislation, and organizational policy.

Guidance: It is sufficient that the accuracy of the time source is based upon an internal computer/system clock synchronized to an Internet time source.  The time source need not be authenticatable.

 

4.1.19 Operational Infrastructure

The criteria in this section address the infrastructure within which the delivery of the specified service takes place.  They put particular emphasis upon the personnel involved, and their selection, training, and duties.

An enterprise and its specified service must:

AL3_CO_OPN#010            Technical security

Demonstrate that the technical controls employed will provide the level of security protection required by the risk assessment and the ISMS, or other IT security management methods recognized by a government or professional body, and that these controls are effectively integrated with the applicable procedural and physical security measures.

Guidance: Appropriate technical controls, suited to this Assurance Level, should be selected from [NIST800-63-1] or its equivalent, as established by a recognized national technical authority.

AL3_CO_OPN#020            Defined security roles

Define, by means of a job description, the roles and responsibilities for each service-related security-relevant task, relating it to specific procedures (which shall be set out in the ISMS, or other IT security management methodology recognized by a government or professional body) and other service-related job descriptions.  Where the role is security-critical or where special privileges or shared duties exist, these must be specifically identified as such, including the applicable access privileges relating to logical and physical parts of the service’s operations.

AL3_CO_OPN#030            Personnel recruitment

Demonstrate that it has defined practices for the selection, vetting, and contracting of all service-related personnel, both direct employees and those whose services are provided by third parties. Full records of all searches and supporting evidence of qualifications and past employment must be kept for the duration of the individual’s employment plus the longest lifespan of any credential issued under the Service Policy.

AL3_CO_OPN#040            Personnel skills

Ensure that employees are sufficiently trained, qualified, experienced, and current for the roles they fulfill.  Such measures must be accomplished either by recruitment practices or through a specific training program.  Where employees are undergoing on-the-job training, they must only do so under the guidance of a mentor possessing the defined service experiences for the training being provided.

AL3_CO_OPN#050            Adequacy of Personnel resources

Have sufficient staff to adequately operate and resource the specified service according to its policies and procedures.

AL3_CO_OPN#060            Physical access control

Apply physical access control mechanisms to ensure that:

a)              access to sensitive areas is restricted to authorized personnel;

b)             all removable media and paper documents containing sensitive information as plain-text are stored in secure containers;

c)              there is 24/7 monitoring for unauthorized intrusions.

AL3_CO_OPN#070            Logical access control

Employ logical access control mechanisms that ensure access to sensitive system functions and controls is restricted to authorized personnel.

 

4.1.20 External Services and Components

This section addresses the relationships and obligations upon contracted parties both to apply the policies and procedures of the enterprise and also to be available for assessment as critical parts of the overall service provision.

An enterprise and its specified service must:

AL3_CO_ESC#010             Contracted policies and procedures

Where the enterprise uses external suppliers for specific packaged components of the service or for resources which are integrated with its own operations and under its control, ensure that those parties are engaged through reliable and appropriate contractual arrangements which stipulate which critical policies, procedures, and practices sub-contractors are required to fulfill.

AL3_CO_ESC#020             Visibility of contracted parties

Where the enterprise uses external suppliers for specific packaged components of the service or for resources which are integrated with its own operations and under its control, ensure that the suppliers’ compliance with contractually-stipulated policies and procedures, and thus with the IAF Service Assessment Criteria, can be independently verified, and subsequently monitored if necessary.

 

4.1.21 Secure Communications

An enterprise and its specified service must:

AL3_CO_SCO#010            Secure remote communications

If the specific service components are located remotely from, and communicate over a public or unsecured network with, other service components or other CSPs it services, the communications must be cryptographically authenticated, including long-term and session tokens, by an authentication protocol that meets, at a minimum, the requirements of AL3 and encrypted using either a FIPS 140-2 [FIPS140-2] Level 2 (or higher) validated hardware cryptographic module or any FIPS 140-2 Level 3 or 4 validated cryptographic module, or equivalent, as established by a recognized national technical authority.

AL3_CO_SCO#020            Limited access to shared secrets

Ensure that:

a)              access to shared secrets shall be subject to discretionary controls that permit access only to those roles/applications requiring such access;

b)             stored shared secrets are encrypted such that:

i           the encryption key for the shared secret file is encrypted under a key held in either a FIPS 140-2 [FIPS140-2] Level 2 (or higher) validated hardware cryptographic module or any FIPS 140-2 Level 3 or 4 validated cryptographic module, or equivalent, as established by a recognized national technical authority, and decrypted only as immediately required for an authentication operation;

ii         they are protected as a key within the boundary of either a FIPS 140-2 Level 2 (or higher) validated hardware cryptographic module or any FIPS 140-2 Level 3 or 4 validated cryptographic module, or equivalent, as established by a recognized national technical authority, and are not exported from the module in plaintext;

iii        they are split by an "n from m" cryptographic secret-sharing method;

c)              any long-term (i.e., not session) shared secrets are revealed only to the Subject and the CSP’s direct agents (bearing in mind (a) above).


These roles should be defined and documented by the CSP in accordance with AL3_CO_OPN#020 above
.
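The split-key protection in b) iii above, as an added example that is not part of the IAF text: a Shamir "n from m" split of a key-encryption key over GF(2^8), so that any n of the m custodians can reconstruct it while fewer cannot. The sample key, the share indices and the threshold are constructed values, and the recover_key gate is an assumption about how a CSP would enforce the threshold; a real deployment would reconstruct the key only inside the validated module the criterion requires.

```python
"""Shamir "n from m" secret sharing over GF(2^8) for a key-encryption key.

Added example, not part of the Kantara IAF document. The 32-byte sample key and
the share indices 1..m are constructed values; no HSM is involved here.
"""
import secrets


def _gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^8) elements modulo the AES polynomial x^8+x^4+x^3+x+1."""
    product = 0
    for _ in range(8):
        if b & 1:
            product ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return product


def _gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254, since the nonzero elements form a group of order 255."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = _gf_mul(result, base)
        base = _gf_mul(base, base)
        exp >>= 1
    return result


def _eval_poly(coeffs, x: int) -> int:
    """Evaluate a polynomial (coeffs[0] is the constant term) at x using Horner's rule."""
    y = 0
    for c in reversed(coeffs):
        y = _gf_mul(y, x) ^ c
    return y


def split_secret(secret: bytes, n: int, m: int, rng=secrets.token_bytes):
    """Split `secret` into m shares such that any n of them reconstruct it.

    Each byte gets its own random degree-(n-1) polynomial whose constant term is
    the secret byte; share i holds the polynomial values at x = i (1..m).
    Returns a list of (index, share_bytes).
    """
    if not 1 <= n <= m <= 255:
        raise ValueError("need 1 <= n <= m <= 255")
    shares = [bytearray() for _ in range(m)]
    for byte in secret:
        coeffs = [byte] + list(rng(n - 1))  # n-1 random coefficients per byte
        for i in range(m):
            shares[i].append(_eval_poly(coeffs, i + 1))
    return [(i + 1, bytes(s)) for i, s in enumerate(shares)]


def combine_shares(shares) -> bytes:
    """Lagrange-interpolate each byte position at x = 0 to recover the constant term."""
    if not shares:
        raise ValueError("no shares supplied")
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    out = bytearray()
    for pos in range(len(shares[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num, den = 1, 1
            for k, (xk, _) in enumerate(shares):
                if k != j:
                    num = _gf_mul(num, xk)        # (0 - xk) == xk in characteristic 2
                    den = _gf_mul(den, xj ^ xk)   # (xj - xk) == xj XOR xk
            acc ^= _gf_mul(yj[pos], _gf_mul(num, _gf_inv(den)))
        out.append(acc)
    return bytes(out)


def recover_key(shares, threshold: int) -> bytes:
    """Policy gate (hypothetical): refuse to interpolate below the configured threshold.

    Lagrange interpolation with too few points returns a wrong key silently rather
    than failing, so the threshold must be enforced before combining.
    """
    if len(shares) < threshold:
        raise PermissionError(f"need {threshold} shares, got {len(shares)}")
    return combine_shares(shares[:threshold])


if __name__ == "__main__":
    kek = secrets.token_bytes(32)           # constructed sample key-encryption key
    custodians = split_secret(kek, 3, 5)     # "3 from 5"
    assert recover_key(custodians[1:4], 3) == kek
    print("3-of-5 reconstruction succeeded")
```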

 


Assurance Level 4

 

Achieving AL4 requires meeting the most stringent criteria, in addition to the criteria required to achieve AL3.

4.1.22 Enterprise and Service Maturity

Criteria in this section address the establishment of the enterprise offering the service and its basic standing as a legal and operational business entity.

An enterprise and its specified service must:

AL4_CO_ESM#010            Established enterprise

Be a valid legal entity and a person with legal authority to commit the organization must submit the signed assessment package.

AL4_CO_ESM#020            Withdrawn

Withdrawn

AL4_CO_ESM#030            Legal & Contractual compliance

Demonstrate that it understands and complies with any legal requirements incumbent on it in connection with operation and delivery of the specified service, accounting for all jurisdictions within which its services may be offered.  Any specific contractual requirements shall also be identified.

Guidance: Kantara Initiative will not recognize a service which is not fully released for the provision of services to its intended user/client community.  Systems, or parts thereof, which are not fully proven and released shall not be considered in an assessment and therefore should not be included within the scope of the assessment package.  Parts of systems still under development, or even still being planned, are therefore ineligible for inclusion within the scope of assessment.

AL4_CO_ESM#040            Financial Provisions

Provide documentation of financial resources that allow for the continued operation of the service and demonstrate appropriate liability processes and procedures that satisfy the degree of liability exposure being carried.

Guidance: The organization must show that it has a budgetary provision to operate the service for at least a twelve-month period, with a clear review of the budgetary planning within that period so as to keep the budgetary provisions extended.  It must also show how it has determined the degree of liability protection required, in view of its exposure per ‘service’ and the number of users it has.  This criterion helps ensure that Kantara Initiative does not grant Recognition to services that are not likely to be sustainable over at least this minimum period of time.

AL4_CO_ESM#050            Data Retention and Protection

Specifically set out and demonstrate that it understands and complies with those legal and regulatory requirements incumbent upon it concerning the retention and destruction of private and identifiable information (personal and business) (i.e. its secure storage and protection against loss, accidental public exposure, and/or improper destruction) and the protection of private information (against unlawful or unauthorized access excepting that permitted by the information owner or required by due process).

 


 

Termination provisions

Define the practices in place for the protection of Subjects’ private and secret information related to their use of the service which must ensure the ongoing secure preservation and protection of legally required records and for the secure destruction and disposal of any such information whose retention is no longer legally required.  Specific details of these practices must be made available.

Guidance: Termination covers the cessation of the business activities, the service provider itself ceasing business operations altogether, change of ownership of the service-providing business, and other similar events which change the status and/or operations of the service provider in any way which interrupts the continued provision of the specific service.

AL4_CO_ESM#060            Ownership

If the enterprise named as the CSP is a part of a larger entity, the nature of the relationship with its parent organization shall be disclosed to the assessors and, on their request, to customers.

AL4_CO_ESM#070            Independent Management and Operations

Demonstrate that, for the purposes of providing the specified service, its management and operational structures are distinct, autonomous, have discrete legal accountability, and operate according to separate policies, procedures, and controls.

 

4.1.23 Notices and Subscriber Information/Agreements

Criteria in this section address the publication of information describing the service and the manner of and any limitations upon its provision, and how users are required to accept those terms.

An enterprise and its specified service must:

AL4_CO_NUI#010             General Service Definition

Make available to the intended user community a Service Definition that includes all applicable Terms, Conditions, and Fees, including any limitations of its usage, and definitions of any terms having specific intention or interpretation.  Specific provisions are stated in further criteria in this section.

Guidance: The intended user community encompasses potential and actual Subscribers, Subjects, and relying parties.

AL4_CO_NUI#020             Service Definition inclusions

Make available a Service Definition for the specified service containing clauses that provide the following information:

a)         Privacy, Identity Proofing & Verification, and Revocation and Termination Policies; 

b)         the country in or legal jurisdiction under which the service is operated;

c)         if different to the above, the legal jurisdiction under which Subscriber and any relying party agreements are entered into;

d)         applicable legislation with which the service complies;

e)         obligations incumbent upon the CSP;

f)          obligations incumbent upon the Subscriber and Subject;

g)         notifications and guidance for relying parties, especially in respect of actions they are expected to take should they choose to rely upon the service’s product;

h)         statement of warranties;

i)          statement of liabilities toward both Subjects and Relying Parties;

j)          procedures for notification of changes to terms and conditions;

k)         steps the CSP will take in the event that it chooses or is obliged to terminate the service;

l)          availability of the specified service per se and of its help desk facility.

AL4_CO_NUI#030             Due Notification

Have in place and follow appropriate policy and procedures to ensure that it notifies Subscribers and Subjects in a timely and reliable fashion of any changes to the Service Definition and any applicable Terms, Conditions, Fees, and Privacy Policy for the specified service, and provide a clear means by which Subscribers and Subjects must indicate that they wish to accept the new terms or terminate their subscription.

AL4_CO_NUI#040             User Acceptance

Require Subscribers and Subjects to:

a)         indicate, prior to receiving service, that they have read and accept the terms of service as defined in the Service Definition, thereby indicating their properly-informed opt-in;

b)         at periodic intervals, determined by significant service provision events (e.g. issuance, re-issuance, renewal) and otherwise at least once every five years, re-affirm their understanding and observance of the terms of service;

c)         always provide full and correct responses to requests for information.

AL4_CO_NUI#050             Record of User Acceptance

Obtain a record (hard-copy or electronic) of the Subscriber’s and Subject’s acceptance of the terms and conditions of service, prior to initiating the service and thereafter reaffirm the agreement at periodic intervals, determined by significant service provision events (e.g. issuance, re-issuance, renewal) and otherwise at least once every five years.

AL4_CO_NUI#060             Withdrawn

Withdrawn.

AL4_CO_NUI#070             Change of Subscriber Information

Require and provide the mechanisms for Subscribers and Subjects to provide, in a timely manner, full and correct amendments should any of their recorded information change, as required under the terms of their use of the service, and only after the Subscriber’s and/or Subject’s identity has been authenticated.

AL4_CO_NUI#080             Withdrawn

Withdrawn.

 

4.1.24 Information Security Management

These criteria address the way in which the enterprise manages the security of its business, the specified service, and information it holds relating to its user community.  This section focuses on the key components that comprise a well-established and effective Information Security Management System (ISMS), or other IT security management methodology recognized by a government or professional body.

An enterprise and its specified service must:

AL4_CO_ISM#010             Documented policies and procedures

Have all security-relevant administrative, management, and technical policies and procedures documented.  The enterprise must ensure that these are based upon recognized standards, published references, or organizational guidelines, are adequate for the specified service, and are implemented in the manner intended.

AL4_CO_ISM#020             Policy Management and Responsibility

Have a clearly defined managerial role, at a senior level, where full responsibility for the business’ security policies is vested and from which review, approval, and promulgation of policy and related procedures is applied and managed.  The latest approved versions of these policies must be applied at all times.

AL4_CO_ISM#030             Risk Management

Demonstrate a risk management methodology that adequately identifies and mitigates risks related to the specified service and its user community, and ensures that on-going risk assessment review is conducted as a part of the business’ procedures, such as adherence to SAS 70 or [ISO27001] methods.

AL4_CO_ISM#040             Continuity of Operations Plan

Develop and maintain a continuity of operations plan that covers disaster recovery and the resilience of the specified service, and require that on-going review of this plan is conducted as a part of the business’ procedures.

AL4_CO_ISM#050             Configuration Management

Demonstrate that a configuration management system is in place that at least includes:

a)              version control for software system components;

b)             timely identification and installation of all organizationally-approved patches for any software used in the provisioning of the specified service;

c)              version control and managed distribution for all documentation associated with the specification, management, and operation of the system, covering both internal and publicly available materials.

AL4_CO_ISM#060             Quality Management

Demonstrate that a quality management system is in place that is appropriate for the specified service.

AL4_CO_ISM#070             System Installation and Operation Controls

Apply controls during system development, procurement, installation, and operation that protect the security and integrity of the system environment, hardware, software, and communications, with particular regard to:

a)              the software and hardware development environments, for customized components;

b)             the procurement process for commercial off-the-shelf (COTS) components;

c)              contracted consultancy/support services;

d)             shipment of system components;

e)              storage of system components;

f)              installation environment security;

g)              system configuration;

h)             transfer to operational status.

AL4_CO_ISM#080             Internal Service Audit

Perform and submit the report of a first-party audit of the effective provision of the specified service by an independent enterprise internal audit function at least once every 12 months, unless it can show that by reason of its organizational size or due to other operational restrictions it is unreasonable to be so audited.

Guidance:  ‘First-party’ audits are those undertaken by an independent part of the same organization which offers the service.  The auditors cannot be involved in the specification, development or operation of the service.
Using a ‘third-party’ auditor (i.e. one having no relationship with the Service Provider nor any vested interests in the outcome of the assessment other than their professional obligations to perform the assessment objectively and independently) should be considered when the organization cannot easily provide truly independent internal resources but wishes to benefit from the value which audits can provide.  This could be accomplished by fulfilling the AL2_CO_ISM#090 requirement on a 12-monthly basis.
Be subjected to a first-party audit at least once every 12 months for the effective provision of the specified service by internal audit functions of the enterprise responsible for the specified service, unless it can show that by reason of its organizational size or due to other justifiable operational restrictions it is unreasonable to be so audited.

Guidance:  ‘First-party’ audits are those undertaken by an independent part of the same organization which offers the service.  The auditors cannot be involved in the specification, development or operation of the service.

Using the third-party audit required by AL4_CO_ISM#090 to provide the independent audit instead of the assignment of an internal audit function is not an acceptable means of fulfilling this criterion.  Management systems require that there be internal audit conducted as an inherent part of management review processes.  Third-party audit of the management system is a fully separate requirement, intended to show that the internal management system controls are being appropriately applied.

AL4_CO_ISM#090             Independent Audit

Perform and submit the results of a third-party audit of the organization’s security-related practices at least every 36 months to ensure they are consistent with the policies and procedures for the specified service and the applicable SAC.

Guidance: ‘Third-party’ audits are undertaken by assessors who have no relationship with the Service Provider nor any vested interests in the outcome of the assessment other than their professional obligations to perform the assessment objectively and independently.  The appointed auditor should have appropriate accreditation or other acceptable experience and qualification, comparable to that required of Kantara Accredited Assessors.  It is expected that it will be cost-effective for the organization to use the same Kantara Certified Assessor for the purposes of fulfilling this criterion as they do for the maintenance of their grant of Kantara Certification.

Be subjected to a third-party audit at least every 12 months to ensure the organization’s security-related practices are consistent with the policies and procedures for the specified service.

Guidance: ‘Third-party’ audits are undertaken by assessors who have no relationship with the Service Provider nor any vested interests in the outcome of the assessment other than their professional obligations to perform the assessment objectively and independently.  The appointed auditor should have appropriate accreditation or other acceptable experience and qualification, comparable to that required of Kantara-Accredited Assessors.  It is expected that it will be cost-effective for the organization to use the same Kantara-Accredited Assessor for the purposes of fulfilling this criterion as they do for the maintenance of their grant of Kantara Recognition.  This criterion may be fulfilled by the certified ISMS required by AL4_CO_ISM#120.

AL4_CO_ISM#100             Audit Records

Retain records of all audits, both internal and independent, for a period which, as a minimum, fulfills its legal obligations and otherwise for greater periods either as it may have committed to in its Service Definition or as required by any other obligations it has with/to a Subscriber or Subject, and which in any event is not less than 36 months.  Such records must be held securely and be protected against unauthorized access, loss, alteration, public disclosure, or unapproved destruction.

AL4_CO_ISM#110             Withdrawn

Withdrawn.

AL4_CO_ISM#120             Best Practice Security Management

Have in place a certified Information Security Management System (ISMS), or other IT security management methodology recognized by a government or professional body, that has been assessed and found to be in compliance with the requirements of ISO/IEC 27001 [ISO27001] and which applies and is appropriate to the CSP in question.  All requirements expressed in preceding criteria in this section must inter alia fall wholly within the scope of this ISMS or the selected recognized alternative.

4.1.25 Security-Related (Audit) Records

The criteria in this section are concerned with the need to provide an auditable log of all events that are pertinent to the correct and secure operation of the service.

An enterprise and its specified service must:

AL4_CO_SER#010             Security Event Logging

Maintain a log of all relevant security events concerning the operation of the service, together with a precise record of the time at which the event occurred (time-stamp) provided by a trusted time source, the date, and the individual who performed the action, and retain such records with appropriate protection and controls to ensure successful retrieval, accounting for the service definition, risk management requirements, applicable legislation, and organizational policy.

Guidance: The trusted time source could be an external trusted service or a network time server or other hardware timing device.  The time source must be not only precise but authenticatable as well.

 

4.1.26 Operational Infrastructure

The criteria in this section address the infrastructure within which the delivery of the specified service takes place.  It puts particular emphasis upon the personnel involved, and their selection, training, and duties.

An enterprise and its specified service must:

AL4_CO_OPN#010            Technical Security

Demonstrate that the technical controls employed will provide the level of security protection required by the risk assessment and the ISMS, or other IT security management methods recognized by a government or professional body, and that these controls are effectively integrated with the applicable procedural and physical security measures.

Guidance: Appropriate technical controls, suited to this Assurance Level, should be selected from [NIST800-63-1] or its equivalent, as established by a recognized national technical authority.

AL4_CO_OPN#020            Defined Security Roles

Define, by means of a job description, the roles and responsibilities for each service-related security-relevant task, relating it to specific procedures (which shall be set out in the ISMS, or other IT security management methodology recognized by a government or professional body) and other service-related job descriptions.  Where the role is security-critical or where special privileges or shared duties exist, these must be specifically identified as such, including the applicable access privileges relating to logical and physical parts of the service’s operations.

AL4_CO_OPN#030            Personnel Recruitment

Demonstrate that it has defined practices for the selection, vetting, and contracting of all service-related personnel, both direct employees and those whose services are provided by third parties. Full records of all searches and supporting evidence of qualifications and past employment must be kept for the duration of the individual’s employment plus the longest lifespan of any credential issued under the Service Policy.

AL4_CO_OPN#040            Personnel skills

Ensure that employees are sufficiently trained, qualified, experienced, and current for the roles they fulfill.  Such measures must be accomplished either by recruitment practices or through a specific training program.  Where employees are undergoing on-the-job training, they must only do so under the guidance of a mentor possessing the defined service experiences for the training being provided.

AL4_CO_OPN#050            Adequacy of Personnel resources

Have sufficient staff to adequately operate and resource the specified service according to its policies and procedures.

AL4_CO_OPN#060            Physical access control

Apply physical access control mechanisms to ensure that:

a)              access to sensitive areas is restricted to authorized personnel;

b)             all removable media and paper documents containing sensitive information as plain-text are stored in secure containers;

c)              there is 24/7 monitoring for unauthorized intrusions.

 

AL4_CO_OPN#070            Logical access control

Employ logical access control mechanisms that ensure access to sensitive system functions and controls is restricted to authorized personnel.

 

4.1.27 External Services and Components

This section addresses the relationships and obligations upon contracted parties both to apply the policies and procedures of the enterprise and also to be available for assessment as critical parts of the overall service provision.

An enterprise and its specified service must:

AL4_CO_ESC#010             Contracted Policies and Procedures

Where the enterprise uses external suppliers for specific packaged components of the service or for resources which are integrated with its own operations and under its control, ensure that those parties are engaged through reliable and appropriate contractual arrangements which stipulate which critical policies, procedures, and practices sub-contractors are required to fulfill.

AL4_CO_ESC#020             Visibility of Contracted Parties

Where the enterprise uses external suppliers for specific packaged components of the service or for resources which are integrated with its own operations and under its control, ensure that the suppliers’ compliance with contractually-stipulated policies and procedures, and thus with the IAF Service Assessment Criteria, can be independently verified, and subsequently monitored if necessary.

 

4.1.28 Secure Communications

An enterprise and its specified service must:

AL4_CO_SCO#010            Secure remote communications

If the specific service components are located remotely from and communicate over a public or unsecured network with other service components or other CSPs it services, the communications must be cryptographically authenticated, including long-term and session tokens, by an authentication protocol that meets the requirements of AL4 and encrypted using either a FIPS 140-2 [FIPS140-2] Level 2 (or higher) validated hardware cryptographic module or any FIPS 140-2 Level 3 or 4 validated cryptographic module, or equivalent, as established by a recognized national technical authority.

AL4_CO_SCO#020            Limited access to shared secrets

Ensure that:

a)              access to shared secrets is subject to discretionary controls which permit access only to those roles/applications which need such access;

b)             stored shared secrets are encrypted such that:

i           the encryption key for the shared secret file is encrypted under a key held in a FIPS 140-2 [FIPS140-2] Level 2 (or higher) validated hardware cryptographic module, or equivalent, as established by a recognized national technical authority, or any FIPS 140-2 Level 3 or 4 validated cryptographic module, or equivalent, as established by a recognized national technical authority, and decrypted only as immediately required for an authentication operation;

ii          they are protected as a key within the boundary of a FIPS 140-2 Level 2 (or higher) validated hardware cryptographic module, or equivalent, as established by a recognized national technical authority, or any FIPS 140-2 Level 3 or 4 cryptographic module, or equivalent, as established by a recognized national technical authority, and are not exported in plaintext from the module;

iii         they are split by an "n from m" cryptographic secret-sharing method;

c)              any long-term (i.e., not session) shared secrets are revealed only to the Subject and the CSP's direct agents (bearing in mind (a) above).
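Criterion (b)(iii) above names an "n from m" cryptographic secret-sharing method without prescribing one. The following is an added illustration, not part of the IAF text: it implements Shamir's threshold scheme, one instance of such a method, in Python. A wrapping key is split into m shares of which any n reconstruct it, and any fewer than n leave the key information-theoretically undetermined, which is the property that lets a CSP spread custody of a stored shared-secret key across several custodians or modules. The field prime, function names and the 3-of-5 parameters are choices made for this example.

```python
import secrets

# Field prime for the arithmetic: the Mersenne prime 2^521 - 1. It is larger than
# any 256-bit key, so a 32-byte secret fits as a single field element.
# (Constructed choice for this example; any prime larger than the secret works.)
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial given as [a0, a1, ..., a_{t-1}] at x, modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Split `secret` into `share_count` shares of which any `threshold` recover it.

    The secret becomes the constant term of a random polynomial of degree
    threshold-1; share i is the point (i, f(i)). Fewer than `threshold` points
    leave the constant term information-theoretically undetermined.
    """
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    value = int.from_bytes(secret, "big")
    if value >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def interpolate_at_zero(shares):
    """Lagrange interpolation of the shares' polynomial at x = 0 (the constant term)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(shares, secret_len: int) -> bytes:
    """Rebuild the secret from at least `threshold` distinct shares."""
    value = interpolate_at_zero(shares)
    if value.bit_length() > 8 * secret_len:
        raise ValueError("shares do not reconstruct a secret of the expected length")
    return value.to_bytes(secret_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed sample: a 256-bit wrapping key
    shares = split_secret(key, threshold=3, share_count=5)
    assert recover_secret(shares[:3], 32) == key
    assert recover_secret([shares[0], shares[2], shares[4]], 32) == key
    print("3-of-5 reconstruction succeeded")
```

In a deployment the shares, not the key, are what leave the module boundary, and the interpolation would be performed inside the cryptographic module so that the reassembled key is never exported in plaintext, as (b)(ii) requires.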

 


Compliance Tables

Use the following tables to correlate criteria for a particular Assurance Level (AL) and the evidence offered to support compliance.

Service providers preparing for an assessment can use the table appropriate to the AL at which they are seeking certification to correlate evidence with criteria or to justify non-applicability (e.g., "specific service types not offered").

Assessors can use the tables to record the steps in their assessment and their determination of compliance or failure.

Table 3-1.  CO-SAC -  AL1 Compliance

Clause           Description                                           Compliance
AL1_CO_ESM#010   Established enterprise
AL1_CO_ESM#020   Withdrawn
AL1_CO_ESM#030   Legal & Contractual compliance
AL1_CO_ESM#040   No stipulation
AL1_CO_ESM#040   No stipulation
AL1_CO_ESM#055   Termination provisions
AL1_CO_NUI#010   General Service Definition
AL1_CO_NUI#020   Service Definition inclusions
AL1_CO_NUI#030   Due notification
AL1_CO_NUI#040   User Acceptance
AL1_CO_NUI#050   Record of User Acceptance
AL1_CO_SCO#020   Limited access to shared secrets


Table 3-2.  CO-SAC -  AL2 Compliance

Clause           Description                                           Compliance
AL2_CO_ESM#010   Established enterprise
AL2_CO_ESM#020   Withdrawn
AL2_CO_ESM#030   Legal & Contractual compliance
AL2_CO_ESM#040   Financial Provisions
AL2_CO_ESM#050   Data Retention and Protection
AL2_CO_ESM#055   Termination provisions
AL2_CO_NUI#010   General Service Definition
AL2_CO_NUI#020   Service Definition inclusions
AL2_CO_NUI#030   Due notification
AL2_CO_NUI#040   User Acceptance
AL2_CO_NUI#050   Record of User Acceptance
AL2_CO_NUI#060   Withdrawn                                             No compliance requirement
AL2_CO_NUI#070   Change of Subscriber Information
AL2_CO_NUI#080   Withdrawn                                             No compliance requirement
AL2_CO_ISM#010   Documented policies and procedures
AL2_CO_ISM#020   Policy Management and Responsibility
AL2_CO_ISM#030   Risk Management
AL2_CO_ISM#040   Continuity of Operations Plan
AL2_CO_ISM#050   Configuration Management
AL2_CO_ISM#060   Quality Management
AL2_CO_ISM#070   System Installation and Operation Controls
AL2_CO_ISM#080   Internal Service Audit
AL2_CO_ISM#090   Independent Audit
AL2_CO_ISM#100   Audit Records
AL2_CO_ISM#110   Withdrawn                                             No compliance requirement
AL2_CO_SER#010   Security event logging
AL2_CO_OPN#010   Technical security
AL2_CO_OPN#020   Defined security roles
AL2_CO_OPN#030   Personnel recruitment
AL2_CO_OPN#040   Personnel skills
AL2_CO_OPN#050   Adequacy of Personnel resources
AL2_CO_OPN#060   Physical access control
AL2_CO_OPN#070   Logical access control
AL2_CO_ESC#010   Contracted policies and procedures
AL2_CO_ESC#020   Visibility of contracted parties
AL2_CO_SCO#010   Secure remote communications
AL2_CO_SCO#015   Verification / Authentication confirmation messages
AL2_CO_SCO#016   Verification of Revoked Credential
AL2_CO_SCO#020   Limited access to shared secrets
AL2_CO_SCO#030   Logical protection of shared secrets


Table 3-3.  CO-SAC -  AL3 Compliance

Clause           Description                                           Compliance
AL3_CO_ESM#010   Established enterprise
AL3_CO_ESM#020   Withdrawn
AL3_CO_ESM#030   Legal & Contractual compliance
AL3_CO_ESM#040   Financial Provisions
AL3_CO_ESM#050   Data Retention and Protection
AL3_CO_ESM#055   Termination provisions
AL3_CO_ESM#060   Ownership
AL3_CO_ESM#070   Independent management and operations
AL3_CO_NUI#010   General Service Definition
AL3_CO_NUI#020   Service Definition inclusions
AL3_CO_NUI#030   Due notification
AL3_CO_NUI#040   User Acceptance
AL3_CO_NUI#050   Record of User Acceptance
AL3_CO_NUI#060   Withdrawn                                             No compliance requirement
AL3_CO_NUI#070   Change of Subscriber Information
AL3_CO_NUI#080   Withdrawn                                             No compliance requirement
AL3_CO_ISM#010   Documented policies and procedures
AL3_CO_ISM#020   Policy Management and Responsibility
AL3_CO_ISM#030   Risk Management
AL3_CO_ISM#040   Continuity of Operations Plan
AL3_CO_ISM#050   Configuration Management
AL3_CO_ISM#060   Quality Management
AL3_CO_ISM#070   System Installation and Operation Controls
AL3_CO_ISM#080   Internal Service Audit
AL3_CO_ISM#090   Independent Audit
AL3_CO_ISM#100   Audit Records
AL3_CO_ISM#110   Withdrawn                                             No compliance requirement
AL3_CO_ISM#120   Best Practice Security Management
AL3_CO_SER#010   Security Event Logging
AL3_CO_OPN#010   Technical security
AL3_CO_OPN#020   Defined security roles
AL3_CO_OPN#030   Personnel recruitment
AL3_CO_OPN#040   Personnel skills
AL3_CO_OPN#050   Adequacy of Personnel resources
AL3_CO_OPN#060   Physical access control
AL3_CO_OPN#070   Logical access control
AL3_CO_ESC#010   Contracted policies and procedures
AL3_CO_ESC#020   Visibility of contracted parties
AL3_CO_SCO#010   Secure remote communications
AL3_CO_SCO#020   Limited access to shared secrets


Table 3-4.  CO-SAC -  AL4 Compliance

Clause           Description                                           Compliance
AL4_CO_ESM#010   Established enterprise
AL4_CO_ESM#020   Withdrawn
AL4_CO_ESM#030   Legal & Contractual compliance
AL4_CO_ESM#040   Financial Provisions
AL4_CO_ESM#050   Data Retention and Protection
AL4_CO_ESM#055   Termination provisions
AL4_CO_ESM#060   Ownership
AL4_CO_ESM#070   Independent Management and Operations
AL4_CO_NUI#010   General Service Definition
AL4_CO_NUI#020   Service Definition inclusions
AL4_CO_NUI#030   Due Notification
AL4_CO_NUI#040   User Acceptance
AL4_CO_NUI#050   Record of User Acceptance
AL4_CO_NUI#060   Withdrawn                                             No compliance requirement
AL4_CO_NUI#070   Change of Subscriber Information
AL4_CO_NUI#080   Withdrawn                                             No compliance requirement
AL4_CO_ISM#010   Documented policies and procedures
AL4_CO_ISM#020   Policy Management and Responsibility
AL4_CO_ISM#030   Risk Management
AL4_CO_ISM#040   Continuity of Operations Plan
AL4_CO_ISM#050   Configuration Management
AL4_CO_ISM#060   Quality Management
AL4_CO_ISM#070   System Installation and Operation Controls
AL4_CO_ISM#080   Internal Service Audit
AL4_CO_ISM#090   Independent Audit
AL4_CO_ISM#100   Audit Records
AL4_CO_ISM#110   Withdrawn                                             No compliance requirement
AL4_CO_ISM#120   Best Practice Security Management
AL4_CO_SER#010   Security Event Logging
AL4_CO_OPN#010   Technical Security
AL4_CO_OPN#020   Defined Security Roles
AL4_CO_OPN#030   Personnel Recruitment
AL4_CO_OPN#040   Personnel skills
AL4_CO_OPN#050   Adequacy of Personnel resources
AL4_CO_OPN#060   Physical access control
AL4_CO_OPN#070   Logical access control
AL4_CO_ESC#010   Contracted Policies and Procedures
AL4_CO_ESC#020   Visibility of Contracted Parties
AL4_CO_SCO#010   Secure remote communications
AL4_CO_SCO#020   Limited access to shared secrets

5       OPERATIONAL SERVICE ASSESSMENT CRITERIA

The Service Assessment Criteria in this section establish requirements for the operational compliance of credential management services and their providers at all Assurance Levels (AL) – refer to Section 2.  These criteria are generally referred to elsewhere within IAF documentation as OP-SAC.

Previous editions of this document specified these criteria in two distinct sections and used the terms CM-SAC and ID-SAC: the OP-SAC combines those two previous SAC sections, with optimizations necessary for their integration.  To ensure backwards compatibility with assessments already performed against previous editions of this document, the criteria within the OP-SAC continue to be identified either by a tag "ALn_ID_xxxx" or "ALn_CM_xxxx".

Within each Assurance Level the criteria are divided into six parts.  Each part deals with a specific functional aspect of the overall credential management process, including identity proofing services (see Part B at each Assurance Level).

Full Service Provision requires the CSP to comply with all of the following operational criteria at the Assurance Level for which it is applying.  This may be demonstrated either:

  • by the Full Service Provider itself complying with all of these criteria; or
  • by its service using separately Kantara-certified Service Components which must, collectively, comply with all criteria, under the overall management of the Full Service Provider.  Providers of Service Components may conform to a defined sub-set of these criteria (although, within Part A at each Assurance Level, there is a small number of criteria which are mandatory for Component Services, which are marked as such).  The Full Service Provider retains responsibility to ensure the consolidated service complies with ALL required criteria.

The procedures and processes required to create a secure environment for management of credentials and the particular technologies that are considered strong enough to meet the assurance requirements differ considerably from level to level.

 

Assurance Level 1

5.1.1     Part A  -  Credential Operating Environment

These criteria describe requirements for the overall operational environment in which credential lifecycle management is conducted.  The Common Organizational criteria describe broad requirements.  The criteria in this Part describe operational implementation specifics.

These criteria apply to PINs and passwords, as well as SAML assertions.

The criterion AL1_CM_CTR#030 is marked as MANDATORY for all Component Services.

5.1.1.1         Not used

No stipulation.

5.1.1.2         Security Controls

An enterprise and its specified service must:

AL1_CM_CTR#010           No stipulation

AL1_CM_CTR#020           Protocol threat risk assessment and controls

Account for, and protect against, at least the following protocol threats and apply appropriate controls:

a)              password guessing, such that the resistance to an on-line guessing attack against a selected user/password is at least 1 in 2^10 (1,024);

b)             message replay.

AL1_CM_CTR#025           No stipulation

AL1_CM_CTR#030           System threat risk assessment and controls

MANDATORY.

Account for, and protect against, the following system threats and apply appropriate controls:

a)              the introduction of malicious code;

b)             compromised authentication arising from insider action;

c)              out-of-band attacks by other users and system operators (e.g., the ubiquitous shoulder-surfing);

d)             spoofing of system elements/applications;

e)              malfeasance on the part of Subscribers and Subjects.

 

5.1.1.3         Storage of Long-term Secrets

AL1_CM_STS#010            Withdrawn

Withdrawn   (AL1_CO_SCO#020 (a) & (b) enforce this requirement)

5.1.1.4          Not used

5.1.1.5         Subject Options

AL1_CM_OPN#010           Withdrawn

Withdrawn – see AL1_CM_RNR#010.

 

5.1.2     Part B  -  Credential Issuing

These criteria apply to the verification of the identity of the Subject of a credential and to token strength and credential delivery mechanisms.  They address requirements levied by the use of various technologies to achieve.

5.1.2.1         Identity Proofing Policy

The specific service must show that it applies identity proofing policies and procedures and that it retains appropriate records of identity proofing activities and evidence. At Level 1, there is no specific requirement, however some effort should be made to uniquely identify and track applications.

The enterprise and its specified service must:

AL1_CM_IDP#010            Withdrawn

Withdrawn.

AL1_CM_IDP#020            Withdrawn

Withdrawn.

AL1_CM_IDP#030            Withdrawn

Withdrawn.

AL1_ID_POL#010              Unique service identity

Ensure that a unique identity is attributed to the specific service, such that credentials issued by it can be distinguished from those issued by other services, including services operated by the same enterprise.

AL1_ID_POL#020              Unique Subject identity

Ensure that each applicant’s identity is unique within the service’s community of Subjects and uniquely associable with tokens and/or credentials issued to that identity.

 

5.1.2.2         In-Person Public Identity Verification

An enterprise or specified service must:

AL1_ID_IPV#010               Required evidence

Accept a self-assertion of identity.

AL1_ID_IPV#020               Evidence checks

Accept self-attestation of evidence.

 

5.1.2.3         Remote Public Identity Verification

If the specific service offers remote identity proofing to applicants with whom it has no previous relationship, then it must comply with the criteria in this section.

An enterprise or specified service must:

AL1_ID_RPV#010              Required evidence

Require the applicant to provide a contact telephone number or email address. No stipulation.

AL1_ID_RPV#020              Evidence checks

No stipulation. Verify the provided information by either:

a)              confirming the request by calling the number; or

b)             successfully sending a confirmatory email and receiving a positive acknowledgement.

 

5.1.2.4         Secondary Identity Verification

In each of the above cases, an enterprise or specified service must:

AL1_ID_SCV#010              Secondary checks

No stipulation. Have in place additional measures (e.g., require additional documentary evidence, delay completion while out-of-band checks are undertaken) to deal with any anomalous circumstances that can be reasonably anticipated (e.g., a legitimate and recent change of address that has yet to be established as the address of record).

AL1_CM_IDP#040            Revision to Subscriber information

No stipulation. Provide a means for Subscribers and Subjects to amend their stored information after registration.

5.1.2.5         Credential Creation

These criteria address the requirements for creation of credentials that can only be used at AL1.  Any credentials/tokens that comply with the criteria stipulated for AL2 and higher are acceptable at AL1.

An enterprise and its specified service must:

AL1_CM_CRN#010           Authenticated Request

Only accept a request to generate a credential and bind it to an identity if the source of the request can be authenticated as being authorized to perform identity proofing at AL1 or higher. No stipulation.

AL1_CM_CRN#020           No stipulation

AL1_CM_CRN#030           Credential uniqueness

Allow the Subject to select a credential (e.g., UserID) that is verified to be unique within the specified service’s community and assigned uniquely to a single identity Subject.

5.1.2.6         Not used

5.1.2.7         Not used

 

5.1.3     Part C  -  Credential Renewal and Re-issuing

These criteria apply to the renewal and re-issuing of credentials.  They address requirements levied by the use of various technologies to achieve the appropriate Assurance Level 1. At Level 1, there is no specific requirement, however some effort should be made to uniquely identify and track applications.

 

5.1.3.1         Renewal/Re-issuance Procedures

These criteria address general renewal and re-issuance functions, to be exercised as specific controls in these circumstances while continuing to observe the general requirements established for initial credential issuance.

An enterprise and its specified service must:

AL1_CM_RNR#010           Changeable PIN/Password

Permit Subjects to change their PINs/passwords.

 

5.1.4     Part D  -  Credential Revocation

These criteria deal with credential revocation and the determination of the legitimacy of a revocation request. At Level 1, there is no specific requirement, however some effort should be made to uniquely identify and track applications.

 

An enterprise and its specified service must:

5.1.4.1         Not used

5.1.4.2         Not used

5.1.4.3         Secure Revocation Request

This criterion applies when revocation requests between remote components of a service are made over a secured communication.

An enterprise and its specified service must:

AL1_CM_SRR#010           Submit Request

Submit a request for revocation to the Credential Issuer service (function), using a secured network communication, if necessary.

 

5.1.5     Part E  -  Credential Status Management

These criteria deal with credential status management, such as the receipt of requests for new status information arising from a new credential being issued or a revocation or other change to the credential that requires notification.  They also deal with the provision of status information to requesting parties (Verifiers, Relying Parties, courts and others having regulatory authority, etc.) having the right to access such information.

5.1.5.1         Status Maintenance

An enterprise and its specified service must:

AL1_CM_CSM#010          Maintain Status Record

Maintain a record of the status of all credentials issued.

AL1_CM_CSM#020          No stipulation

AL1_CM_CSM#030          No stipulation

AL1_CM_CSM#040          Status Information Availability

Provide, with 95% availability, a secure automated mechanism to allow relying parties to determine credential status and authenticate the Claimant's identity. Not used per Section 7.3.1.1 of NIST SP 800-63-1.

 

5.1.6     Part F  -  Credential Validation/Authentication

These criteria apply to credential validation and identity authentication. 

5.1.6.1         Assertion Security

An enterprise and its specified service must:

AL1_CM_ASS#010            Validation and Assertion Security

Provide validation of credentials to a Relying Party using a protocol that:

a)              requires authentication of the specified service or of the validation source;

b)             ensures the integrity of the authentication assertion;

c)              protects assertions against manufacture, modification and substitution, and secondary authenticators from manufacture;

and which, specifically:

a)              creates assertions which are specific to a single transaction;

b)             where assertion references are used, generates a new reference whenever a new assertion is created;

c)              when an assertion is provided indirectly, either signs the assertion or sends it via a protected channel, using a strong binding mechanism between the secondary authenticator and the referenced assertion;

d)             requires the secondary authenticator to:

i)         be signed when provided directly to the Relying Party; or

ii)        have a minimum of 64 bits of entropy when provision is indirect (i.e., through the credential user).

Use of any ICAM adopted authentication scheme defined for this assurance level is acceptable.

AL1_CM_ASS#015            No stipulation

AL1_CM_ASS#020            No Post Authentication

Not authenticate credentials that have been revoked.

AL1_CM_ASS#030            Proof of Possession

Use of any ICAM adopted authentication scheme defined for this assurance level is acceptable. Use an authentication protocol that requires the claimant to prove possession and control of the authentication token.

AL1_CM_ASS#040            Assertion Lifetime

Generate assertions so as to indicate and effect their expiration within:

a)              12 hours after their creation, where the service shares a common Internet domain with the Relying Party;

b)             five minutes after their creation, where the service does not share a common Internet domain with the Relying Party. No stipulation.
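The assertion-security and assertion-lifetime criteria above (AL1_CM_ASS#010 and AL1_CM_ASS#040) describe properties rather than a protocol. As an added example, not part of the IAF or of any particular assertion format, the Python below issues an integrity-protected assertion that is specific to one transaction (a fresh 64-bit reference per assertion), bound to one Relying Party, and stamped with the 12-hour or five-minute lifetime the criteria give, and a verifier that rejects tampering, wrong audience, expiry and re-presentation of the same reference. The HMAC stands in for the signature a real deployment would apply (for instance an XML-Signature on a SAML assertion); the function names, key and timestamps are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

SAME_DOMAIN_LIFETIME = 12 * 3600   # AL1_CM_ASS#040 (a): 12 hours
CROSS_DOMAIN_LIFETIME = 5 * 60     # AL1_CM_ASS#040 (b): five minutes


def issue_assertion(signing_key: bytes, subject: str, relying_party: str,
                    same_domain: bool, now: int) -> dict:
    """Create one assertion for one transaction with an explicit expiry.

    `reference` is 8 random bytes (64 bits of entropy, the minimum the criteria
    set for an indirectly provided secondary authenticator) and is never reused.
    """
    lifetime = SAME_DOMAIN_LIFETIME if same_domain else CROSS_DOMAIN_LIFETIME
    body = {
        "subject": subject,
        "audience": relying_party,
        "issued_at": now,
        "expires_at": now + lifetime,
        "reference": secrets.token_hex(8),
    }
    # Canonical serialisation so that issuer and verifier MAC the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    signature = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "signature": signature}


def decode_payload(assertion: dict) -> dict:
    """Parse the assertion body without checking anything (for inspection only)."""
    return json.loads(assertion["payload"])


def verify_assertion(signing_key: bytes, assertion: dict, relying_party: str,
                     now: int, seen_references: set):
    """Return (True, subject) if the assertion is acceptable, else (False, reason).

    Checks run in the order that leaks the least: integrity first, then the
    audience binding, then lifetime, then single-use of the reference.
    """
    payload = assertion["payload"].encode()
    expected = hmac.new(signing_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    body = json.loads(payload)
    if body["audience"] != relying_party:
        return False, "wrong audience"
    if now >= body["expires_at"]:
        return False, "expired"
    if body["reference"] in seen_references:
        return False, "replayed"
    seen_references.add(body["reference"])   # one assertion, one transaction
    return True, body["subject"]


if __name__ == "__main__":
    key = secrets.token_bytes(32)                  # constructed signing key
    t0 = 1_700_000_000                             # constructed clock value
    a = issue_assertion(key, "subject-1234", "rp.example", same_domain=False, now=t0)
    seen = set()
    print(verify_assertion(key, a, "rp.example", t0 + 60, seen))    # accepted
    print(verify_assertion(key, a, "rp.example", t0 + 61, seen))    # replayed
    print(verify_assertion(key, a, "rp.example", t0 + 400, set()))  # expired
```

The `seen_references` set is the verifier's replay cache; in practice it only needs to retain references for as long as the assertion lifetime, since anything older is rejected as expired before the cache is consulted.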


Assurance Level 2

5.1.7     Part A  -  Credential Operating Environment

These criteria describe requirements for the overall operational environment in which credential lifecycle management is conducted.  The Common Organizational criteria describe broad requirements.  The criteria in this Part describe operational implementation specifics.

These criteria apply to passwords, as well as acceptable SAML assertions.

The following three criteria are MANDATORY for all Services, Full or Component, and are individually marked as such:
AL2_CM_CPP#010, AL2_CM_CPP#030, AL2_CM_CTR#030.

5.1.7.1         Credential Policy and Practices

These criteria apply to the policy and practices under which credentials are managed.

An enterprise and its specified service must:

AL2_CM_CPP#010            Credential Policy and Practice Statement

MANDATORY.

Include in its Service Definition a description of the policy against which it issues credentials and the corresponding practices it applies in their management.  At a minimum, the Credential Policy and Practice Statement must specify:

a)             if applicable, any OIDs related to the Practice and Policy Statement;

b)             how users may subscribe to the service/apply for credentials and how users’ credentials will be delivered to them;

c)              how Subjects acknowledge receipt of tokens and credentials and what obligations they accept in so doing (including whether they consent to publication of their details in credential status directories);

d)             how credentials may be renewed, modified, revoked, and/or suspended, including how requestors are authenticated or their identity re-verified;

e)             what actions a Subject must take to terminate a subscription;

f)              how records are retained and archived.

AL2_CM_CPP#020            No stipulation

AL2_CM_CPP#030            Management Authority

MANDATORY.

Have an internal nominated management body with authority and responsibility for approving the Credential Policy and Practice Statement and for its implementation.

5.1.7.2         Security Controls

An enterprise and its specified service must:

AL2_CM_CTR#010           Secret revelation

Withdrawn.

AL2_CM_CTR#020           Protocol threat risk assessment and controls

Account for at least the following protocol threats in its risk assessment and apply [omitted] controls that reduce them to acceptable risk levels:

a)              password guessing, such that the resistance to an on-line guessing attack against a selected user/password is at least 1 in 2^14 (16,384);

b)             message replay, showing that it is impractical;

c)              eavesdropping, showing that it is impractical.

AL2_CM_CTR#025           Permitted authentication protocols

Use of any ICAM adopted authentication scheme defined for this assurance level is acceptable.

Permit only the following authentication protocols:

a)              tunneled password;

b)             zero-knowledge-based password;

c)              SAML assertions.

AL2_CM_CTR#028           One-time passwords

Use only one-time passwords which:

a)             are generated using an approved block-cipher or hash function to combine a symmetric key, stored on the device, with a nonce;

b)             derive the nonce from a date and time, or a counter generated on the device;

c)              have a limited lifetime, in the order of minutes.
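AL2_CM_CTR#028 describes the construction of an acceptable one-time password: a keyed hash or block cipher over a device-held symmetric key and a nonce derived from the time or a counter, with a lifetime of minutes. The following is an added example, not from the IAF, showing both nonce sources in Python with HMAC-SHA256: a time-stepped code that the verifier accepts only within a short window of recent steps (criterion c), and a counter-based code where the verifier refuses any counter at or below the last one it accepted, so a captured code cannot be replayed (criterion b). It follows the truncation idea of RFC 4226 but is not an RFC-conformant HOTP/TOTP implementation; the step size, window and key are choices made for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30    # one time-based nonce per 30-second window (example choice)
DIGITS = 6
MAX_AGE_STEPS = 2    # accept the current and the previous window, about a minute


def otp_from_counter(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """Approved hash function (HMAC-SHA256) over the device key and a 64-bit nonce,
    truncated to `digits` decimal digits (dynamic truncation as in RFC 4226)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def time_step(now: int) -> int:
    """Nonce derived from date and time: the number of whole steps since the epoch."""
    return now // STEP_SECONDS


def generate_totp(key: bytes, now: int) -> str:
    return otp_from_counter(key, time_step(now))


def verify_totp(key: bytes, candidate: str, now: int) -> bool:
    """Limited lifetime: a code is valid only for MAX_AGE_STEPS windows, then expires."""
    current = time_step(now)
    for back in range(MAX_AGE_STEPS):
        expected = otp_from_counter(key, current - back)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def verify_hotp(key: bytes, candidate: str, last_counter: int, window: int = 5):
    """Counter-based variant. Only counters strictly above the last accepted one are
    tried, within a small look-ahead window, so a code can never be replayed.
    Returns the counter to store as the new `last_counter`, or None on rejection."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(otp_from_counter(key, c), candidate):
            return c
    return None


if __name__ == "__main__":
    key = bytes(range(32))          # constructed device key, never use a fixed key
    now = 1_700_000_000             # constructed clock value
    code = generate_totp(key, now)
    print(code, verify_totp(key, code, now), verify_totp(key, code, now + 600))
    c = otp_from_counter(key, 7)
    print(verify_hotp(key, c, last_counter=5), verify_hotp(key, c, last_counter=7))
```

Note that the verifier stores `last_counter` per token and must update it atomically on success; otherwise two concurrent presentations of the same code could both be accepted.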

 

AL2_CM_CTR#030           System threat risk assessment and controls

MANDATORY.

Account for the following system threats in its risk assessment and apply [omitted] controls that reduce them to acceptable risk levels:

a)              the introduction of malicious code;

b)             compromised authentication arising from insider action;

c)              out-of-band attacks by both users and system operators (e.g., the ubiquitous shoulder-surfing);

d)             spoofing of system elements/applications;

e)              malfeasance on the part of Subscribers and Subjects;

f)              intrusions leading to information theft.

AL2_CM_CTR#040           Specified Service’s Key Management

Specify and observe procedures and processes for the generation, storage, and destruction of its own cryptographic keys used for securing the specific service’s assertions and other publicized information.  At a minimum, these should address:

a)             the physical security of the environment;

b)             access control procedures limiting access to the minimum number of authorized personnel;

c)              public-key publication mechanisms;

d)             application of controls deemed necessary as a result of the service’s risk assessment;

e)             destruction of expired or compromised private keys in a manner that prohibits their retrieval, or their archival in a manner that prohibits their reuse;

f)              applicable cryptographic module security requirements, quoting FIPS 140-2 [FIPS140-2] or equivalent, as established by a recognized national technical authority.

5.1.7.3         Storage of Long-term Secrets

AL2_CM_STS#010            Withdrawn

Withdrawn   (AL2_CO_SCO#020 (a) & (b) enforce this requirement).

5.1.7.4         Security-Relevant Event (Audit) Records

5.1.7.5         No stipulation

AL2_CM_OPN#010           Withdrawn

Withdrawn – see AL2_CM_RNR#010.

 

5.1.8     Part B  -  Credential Issuing

These criteria apply to the verification of the identity of the Subject of a credential and to token strength and credential delivery mechanisms.  They address requirements levied by the use of various technologies to achieve Assurance Level 2.

5.1.8.1         Identity Proofing Policy

The specific service must show that it applies identity proofing policies and procedures and that it retains appropriate records of identity proofing activities and evidence.

The enterprise and its specified service must:

AL2_CM_IDP#010            Withdrawn

Withdrawn.

AL2_CM_IDP#020            Withdrawn

Withdrawn.

AL2_CM_IDP#030            Withdrawn

Withdrawn

AL2_ID_POL#010              Unique service identity

Ensure that a unique identity is attributed to the specific service, such that credentials issued by it can be distinguishable from those issued by other services, including services operated by the same enterprise.

AL2_ID_POL#020              Unique Subject identity

Ensure that each applicant’s identity is unique within the service’s community of Subjects and uniquely associable with tokens and/or credentials issued to that identity.

AL2_ID_POL#030              Published Proofing Policy

Make available the Identity Proofing Policy under which it verifies the identity of applicants[1] in form, language, and media accessible to the declared community of Users.

AL2_ID_POL#040              Adherence to Proofing Policy

Perform all identity proofing strictly in accordance with its published Identity Proofing Policy.

5.1.8.2         Identity Verification

The enterprise or specific service:

AL2_ID_IDV#000              Identity Proofing classes

a)             must include in its Service Definition at least one of the following classes of identity proofing service, and;

b)             may offer any additional classes of identity proofing service it chooses, subject to the nature and the entitlement of the CSP concerned;

c)              must fulfill the applicable assessment criteria according to its choice of identity proofing service, i.e. conform to at least one of the criteria sets defined in:

i)     §5.1.8.3, "In-Person Public Identity Verification";

ii)   §5.1.8.4, "Remote Public Identity Verification";

iii) §5.1.8.5, "Current Relationship Identity Verification";

iv)   §5.1.8.6, "Affiliation Identity Verification".

5.1.8.3         In-Person Public Verification

If the specific service offers in-person identity proofing to applicants with whom it has no previous relationship, then it must comply with the criteria in this section.

The enterprise or specified service must:

AL2_ID_IPV#010               Required evidence

For In-Person Proofing: possession of a valid, current primary Government Picture ID that contains the Applicant's picture, and either address of record or nationality (e.g., driver's license or Passport). Inspect the photo-ID, compare the picture to the Applicant, and record the ID number, address and DoB. If the ID appears valid and the photo matches the Applicant, then:

a. if the ID confirms the address of record, authorize or issue credentials and send notice to the address of record; or

b. if the ID does not confirm the address of record, issue credentials in a manner that confirms the address of record.

If the ID does not confirm the address of record, then the issuance process should include a mechanism to confirm the address of record.

Ensure that the applicant is in possession of a primary Government Picture ID document that bears a photographic image of the holder.

AL2_ID_IPV#020               Evidence checks

Have in place and apply processes which ensure that the presented document:

a)             appears to be a genuine document properly issued by the claimed issuing authority and valid at the time of application;

b)             bears a photographic image of the holder that matches that of the applicant;

c)              provides all reasonable certainty that the identity exists and that it uniquely identifies the applicant.

 

5.1.8.4          Remote Public Identity Verification

If the specific service offers remote identity proofing to applicants with whom it has no previous relationship, then it must comply with the criteria in this section.

An enterprise or specified service must:

AL2_ID_RPV#010              Required evidence

Possession of a valid Government ID (e.g. a driver's license or Passport) number and a financial account number (e.g., checking account, savings account, loan or credit card), with confirmation via records of either number. Inspect both the ID number and the account number supplied by the Applicant (e.g. for the correct number of digits). Verify the information provided by the Applicant, including the ID number OR the account number, through record checks either with the applicable agency or institution or through credit bureaus or similar databases, and confirm that name, DoB, address and other personal information in the records are on balance consistent with the application and sufficient to identify a unique individual. Address confirmation and notification:

a. send notice to an address of record confirmed in the records check; or

b. issue credentials in a manner that confirms the address of record supplied by the Applicant; or

c. issue credentials in a manner that confirms the ability of the Applicant to receive telephone communications or e-mail at a number or e-mail address associated with the Applicant in records. Any secret sent over an unprotected channel shall be reset upon first use.

Ensure that the applicant submits the references of and attests to current possession of a primary Government Picture ID document, and one of:

a)             a second Government ID;

b)             an employee or student ID number;

c)              a financial account number (e.g., checking account, savings account, loan or credit card); or

d)             a utility service account number (e.g., electricity, gas, or water) for an address matching that in the primary document.

Ensure that the applicant provides additional verifiable personal information that at a minimum must include:

a)             a name that matches the referenced photo-ID;

b)             date of birth; and

c)              current address or personal telephone number.

Additional information may be requested so as to ensure a unique identity, and alternative information may be sought where the enterprise can show that it leads to at least the same degree of certitude when verified.

AL2_ID_RPV#020              Evidence checks

Inspection and analysis of records against the provided identity references with the specified issuing authorities/institutions or through similar databases:

a)             the existence of such records with matching name and reference numbers;

b)             corroboration of date of birth, current address of record, and other personal information sufficient to ensure a unique identity.


Confirm address of record by at least one of the following means:

a)             RA sends notice to an address of record confirmed in the records check and receives a mailed or telephonic reply from applicant;

b)             RA issues credentials in a manner that confirms the address of record supplied by the applicant, for example by requiring applicant to enter on-line some information from a notice sent to the applicant;

c)              RA issues credentials in a manner that confirms ability of the applicant to receive telephone communications at telephone number or email at email address associated with the applicant in records.  Any secret sent over an unprotected channel shall be reset upon first use.

 

Additional checks should be performed so as to establish the uniqueness of the claimed identity.

Alternative checks may be performed where the enterprise can show that they lead to at least the same degree of certitude.

 

5.1.8.5         Current Relationship Identity Verification

If the specific service offers identity proofing to applicants with whom it has a current relationship, then it must comply with the criteria in this section.

The enterprise or specified service must:

AL2_ID_CRV#010             Required evidence

Ensure that it has previously exchanged with the applicant a shared secret (e.g., a PIN or password) that meets AL2 (or higher) entropy requirements[3].

AL2_ID_CRV#020             Evidence checks

Ensure that it has:

a)             only issued the shared secret after originally establishing the applicant’s identity with a degree of rigor equivalent to that required under either the AL2 (or higher) requirements for in-person or remote public verification;

b)             an ongoing business relationship sufficient to satisfy the enterprise of the applicant’s continued personal possession of the shared secret.

 

5.1.8.6         Affiliation Identity Verification

If the specific service offers identity proofing to applicants on the basis of some form of affiliation, then it must comply with the criteria in this section for the purposes of establishing that affiliation, in addition to the previously stated requirements for the verification of the individual’s identity.

The enterprise or specified service must:

AL2_ID_AFV#000             Meet preceding criteria

Meet all the criteria set out above, under §5.1.8.5, "Current Relationship Identity Verification".

AL2_ID_AFV#010             Required evidence

Ensure that the applicant possesses:

a)             identification from the organization with which it is claiming affiliation;

b)             agreement from the organization that the applicant may be issued a credential indicating that an affiliation exists.

AL2_ID_AFV#020             Evidence checks

Have in place and apply processes which ensure that the presented documents:

a)             each appear to be a genuine document properly issued by the claimed issuing authorities and valid at the time of application;

b)             refer to an existing organization with a contact address;

c)              indicate that the applicant has some form of recognizable affiliation with the organization;

d)             appear to grant the applicant an entitlement to obtain a credential indicating its affiliation with the organization.

 

5.1.8.7         Secondary Identity Verification

In each of the above cases, the enterprise or specified service must:

AL2_ID_SCV#010              Secondary checks

Have in place additional measures (e.g., require additional documentary evidence, delay completion while out-of-band checks are undertaken) to deal with any anomalous circumstances that can be reasonably anticipated (e.g., a legitimate and recent change of address that has yet to be established as the address of record).

 

5.1.8.8         Identity Verification Records 

The specific service must retain records of the identity proofing (verification) that it undertakes and provide them to qualifying parties when so required.

An enterprise or specified service must:

AL2_ID_VRC#010             Verification Records for Personal Applicants

Log, taking account of all applicable legislative and policy obligations, a record of the facts of the verification process, including a reference relating to the verification processes and the date and time of verification.

Guidance: The facts of the verification process should include the specific record information (source, unique reference, value/content) used in establishing the applicant’s identity, and will be determined by the specific processes used and documents accepted by the CSP.  The CSP need not retain these records itself if it uses a third-party service which retains such records securely and to which the CSP has access when required, in which case it must retain a record of the identity of the third-party service providing the verification service or the location at which the (in-house) verification was performed.

AL2_ID_VRC#020             Verification Records for Affiliated Applicants

In addition to the foregoing, log, taking account of all applicable legislative and policy obligations, a record of the additional facts of the verification process.  At a minimum, records of identity information must include:

a)             the Subject’s[4] full name;

b)             the Subject’s current address of record;

c)              the Subject’s current telephone or email address of record;

d)             the Subscriber’s acknowledgement for issuing the Subject with a credential;

e)             type, issuing authority, and reference number(s) of all documents checked in the identity proofing process.

AL2_ID_VRC#030             Record Retention

Either retain, securely, the record of the verification process for the duration of the Subject account plus a further period sufficient to allow fulfillment of any period required legally, contractually or by any other form of binding agreement or obligation, or submit the same record to a client CSP that has undertaken to retain the record for the requisite period or longer.

AL2_CM_IDP#040            Revision to Subject information

Provide a means for Subjects to securely amend their stored information after registration, either by re-proving their identity, as in the initial registration process, or by using their credentials to authenticate their revision.

5.1.8.9         Credential Creation

These criteria define the requirements for creation of credentials whose highest use is at AL2.  Credentials/tokens that comply with the criteria stipulated at AL3 and higher are also acceptable at AL2 and below.

Note, however, that a token and credential required by a higher AL but created according to these criteria may not necessarily provide that higher level of assurance for the claimed identity of the Subject.  Authentication can only be provided at the assurance level at which the identity is proven.

An enterprise and its specified service must:

AL2_CM_CRN#010           Authenticated Request

Only accept a request to generate a credential and bind it to an identity if the source of the request can be authenticated, i.e., Registration Authority, as being authorized to perform identity proofing at AL2 or higher.

AL2_CM_CRN#020           Unique identity

Ensure that the identity which relates to a specific applicant is unique within the specified service, including identities previously used and that are now cancelled, other than its re-assignment to the same applicant. 

Guidance:  This requirement is intended to prevent identities that may exist in a Relying Party’s access control list from possibly representing a different physical person.

AL2_CM_CRN#030           Credential uniqueness

Allow the Subject to select a credential (e.g., UserID) that is verified to be unique within the specified service’s community and assigned uniquely to a single identity Subject.

AL2_CM_CRN#035           Convey credential

Be capable of conveying the unique identity information associated with a credential to Verifiers and Relying Parties.

AL2_CM_CRN#040           Password strength

Only allow passwords that, over the life of the password, have resistance to an on-line guessing attack against a selected user/password of at least 1 in 2^14 (16,384), accounting for state-of-the-art attack strategies, and at least 10 bits of min-entropy[5].

AL2_CM_CRN#050           One-time password strength

Only allow password tokens that have a resistance to an online guessing attack against a selected user/password of at least 1 in 2^14 (16,384), accounting for state-of-the-art attack strategies, and at least 10 bits of min-entropy[5].
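The two figures in AL2_CM_CRN#040 and #050 (a 1 in 2^14 success bound over the life of the password, and 10 bits of min-entropy) can be checked mechanically. The Python below is an added example, not code from the Kantara draft: the bound "A guesses at 2^-G each gives at most A × 2^-G", the claimed guessing-entropy figure G, and the simple lockout model are this example's own assumptions.

```python
import math

# Figures quoted from AL2_CM_CRN#040 / #050: at most a 1-in-2^14 chance of a
# successful on-line guessing attack over the life of the password, and at
# least 10 bits of min-entropy.
MAX_GUESS_SUCCESS = 2.0 ** -14          # 1 in 16,384
MIN_ENTROPY_BITS_REQUIRED = 10.0


def min_entropy_bits(password_counts):
    """Min-entropy of an observed password distribution: -log2(p_max).

    password_counts maps each chosen password to the number of enrolled
    users who chose it (the demo below uses a constructed sample)."""
    total = sum(password_counts.values())
    p_max = max(password_counts.values()) / total
    return -math.log2(p_max)


def meets_min_entropy(password_counts):
    """True when the most popular password is no likelier than 2^-10."""
    return min_entropy_bits(password_counts) >= MIN_ENTROPY_BITS_REQUIRED


def max_guesses_permitted(guessing_entropy_bits, max_success=MAX_GUESS_SUCCESS):
    """Largest number of on-line guesses an attacker may be allowed over the
    password's life while the success probability stays <= max_success.

    Assumption of this example (not stated on the page): each guess succeeds
    with probability at most 2^-G for a claimed guessing entropy of G bits,
    so A guesses succeed with probability at most A * 2^-G."""
    return math.floor(max_success * 2.0 ** guessing_entropy_bits)


def guesses_attacker_gets(lifetime_days, lockout_threshold, lockout_hours):
    """Guesses available under an assumed lockout model: after
    lockout_threshold consecutive failures the account is locked for
    lockout_hours, so each lockout window yields lockout_threshold guesses."""
    windows = math.ceil(lifetime_days * 24 / lockout_hours)
    return windows * lockout_threshold


def policy_meets_al2(guessing_entropy_bits, lifetime_days,
                     lockout_threshold, lockout_hours):
    """True when the lockout policy keeps the attacker's total guesses within
    the budget permitted for the claimed guessing entropy."""
    return (guesses_attacker_gets(lifetime_days, lockout_threshold, lockout_hours)
            <= max_guesses_permitted(guessing_entropy_bits))


if __name__ == "__main__":
    # Constructed sample: 16 enrolled users, two of whom chose the same password.
    sample = {"Summer2024!": 2, **{f"user{i}-phrase": 1 for i in range(14)}}
    print("min-entropy bits:", min_entropy_bits(sample), "meets 10 bits:",
          meets_min_entropy(sample))
    # 30-bit claimed guessing entropy, 180-day password life.
    print("5 failures then 24h lockout:", policy_meets_al2(30, 180, 5, 24))
    print("100 failures per hour, no lockout:", policy_meets_al2(30, 180, 100, 1))
```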

AL2_CM_CRN#060           Software cryptographic token strength

Ensure that software cryptographic keys stored on general-purpose devices:

a)             are protected by a key and cryptographic protocol that are evaluated against FIPS 140-2 [FIPS140-2] Level 2, or equivalent, as established by a recognized national technical authority;

b)             require password or biometric activation by the Subject or employ a password protocol when being used for authentication.

AL2_CM_CRN#070           Hardware token strength

Ensure that hardware tokens used to store cryptographic keys:

a)             employ a cryptographic module that is evaluated against FIPS 140-2 [FIPS140-2] Level 1 or higher, or equivalent, as established by a recognized national technical authority;

b)             require password or biometric activation by the Subject or also employ a password when being used for authentication.

AL2_CM_CRN#080           No stipulation

AL2_CM_CRN#090           Nature of Subject

Record the nature of the Subject of the credential (which must correspond to the manner of identity proofing performed), i.e., physical person, a named person acting on behalf of a corporation or other legal entity, corporation or legal entity, or corporate machine entity, in a manner that can be unequivocally associated with the credential and the identity that it asserts.  If the credential is based upon a pseudonym this must be indicated in the credential.

5.1.8.10      Subject Key Pair Generation

No stipulation.

5.1.8.11      Credential Delivery

An enterprise and its specified service must:

AL2_CM_CRD#010           Notify Subject of Credential Issuance

Notify the Subject of the credential’s issuance and, if necessary, confirm the Subject’s contact information by:

a)             sending notice to the address of record confirmed during identity proofing; or

b)             issuing the credential(s) in a manner that confirms the address of record supplied by the applicant during identity proofing; or

c)              issuing the credential(s) in a manner that confirms the ability of the applicant to receive telephone communications at a fixed-line telephone number or postal address supplied by the applicant during identity proofing.

AL2_CM_CRD#015           Confirm Applicant’s identity (in person)

Prior to delivering the credential, require the Applicant to identify themselves in person in any new electronic transaction (beyond the first transaction or encounter) by either:

(a)           using a secret which was established during a prior transaction or encounter, or sent to the Applicant’s phone number, email address, or physical address of record, or;

(b)           through the use of a biometric that was recorded during a prior encounter.

AL2_CM_CRD#016           Confirm Applicant’s identity (remotely)

Prior to delivering the credential, require the Applicant to identify themselves in any new electronic transaction (beyond the first transaction or encounter) by presenting a temporary secret which was established during a prior transaction or encounter, or sent to the Applicant’s phone number, email address, or physical address of record.

 

5.1.9     Part C  -  Credential Renewal and Re-issuing

These criteria apply to the renewal and re-issuing of credentials.  They address requirements levied by the use of various technologies to achieve Assurance Level 2.

5.1.9.1         Renewal/Re-issuance Procedures

These criteria address general renewal and re-issuance functions, to be exercised as specific controls in these circumstances while continuing to observe the general requirements established for initial credential issuance.

An enterprise and its specified service must:

AL2_CM_RNR#010           Changeable PIN/Password

Permit Subjects to change their [omitted] passwords, but employ reasonable practices with respect to password resets and repeated password failures.

AL2_CM_RNR#020           Proof-of-possession on Renewal/Re-issuance

Subjects wishing to change their passwords must demonstrate that they are in possession of the unexpired current token prior to the CSP proceeding to renew or re-issue it.

AL2_CM_RNR#030           Renewal/Re-issuance limitations

a)             not renew but may re-issue Passwords;

b)             neither renew nor re-issue expired tokens;

c)              conduct all renewal / re-issuance interactions with the Subject over a protected channel such as SSL/TLS.

Guidance: Renewal is considered as an extension of usability, whereas re-issuance requires a change.

 

5.1.10 Part D  -  Credential Revocation

These criteria deal with credential revocation and the determination of the legitimacy of a revocation request.

5.1.10.1      Revocation Procedures

These criteria address general revocation functions, such as the processes involved and the basic requirements for publication.

An enterprise and its specified service must:

AL2_CM_RVP#010           Revocation procedures

a)             State the conditions under which revocation of an issued credential may occur;

b)             State the processes by which a revocation request may be submitted;

c)              State the persons and organizations from which a revocation request will be accepted;

d)             State the validation steps that will be applied to ensure the validity (identity) of the Revocant, and;

e)             State the response time between a revocation request being accepted, the actual revocation and the publication of revised certificate status.

AL2_CM_RVP#020           Secure status notification

Ensure that published credential status notification information can be relied upon in terms of its origin (i.e., its authenticity) and its correctness (i.e., its integrity).

AL2_CM_RVP#030           Revocation publication

Unless the credential will expire automatically within 72 hours:

Ensure that published credential status notification is revised within 72 hours of the receipt of a valid revocation request, such that any subsequent attempts to use that credential in an authentication shall be unsuccessful.

AL2_CM_RVP#040           Verify revocation identity

Establish that the identity for which a revocation request is received is one that was issued by the specified service.

AL2_CM_RVP#050           Revocation Records

Retain a record of any revocation of a credential that is related to a specific identity previously verified, solely in connection to the stated credential.  At a minimum, records of revocation must include:

a)             the Revocant’s full name;

b)             the Revocant’s authority to revoke (e.g., Subscriber, the Subject themselves, someone acting with the Subscriber’s or the Subject’s power of attorney, the credential issuer, law enforcement, or other legal due process);

c)              the Credential Issuer’s identity (if not directly responsible for the identity proofing service);

d)             the identity associated with the credential (whether the Subject’s name or a pseudonym);

e)             the reason for revocation.

AL2_CM_RVP#060           Record Retention

Securely retain the record of the revocation process for the duration of the Subscriber's account plus 7.5 years post revocation date.

5.1.10.2      Verify Revocant’s Identity

Revocation of a credential requires that the requestor and the nature of the request be verified as rigorously as the original identity proofing.  The enterprise should not act on a request for revocation without first establishing the validity of the request (if it does not, itself, determine the need for revocation).

In order to do so, the enterprise and its specified service must:

AL2_CM_RVR#010           Verify revocation identity

Establish that the credential for which a revocation request is received was one that was issued by the specified service, applying the same process and criteria as would be applied to an original identity proofing.

AL2_CM_RVR#020           Revocation reason

Establish the reason for the revocation request as being sound and well founded, in combination with verification of the Revocant, according to AL2_CM_RVR#030, AL2_CM_RVR#040, or AL2_CM_RVR#050.

AL2_CM_RVR#030           Verify Subscriber as Revocant

When the Subscriber or Subject seeks revocation of the Subject’s credential, the enterprise must:

a)             if in person, require presentation of a primary Government Picture ID document that shall be electronically verified by a record check against the provided identity with the specified issuing authority's records;

b)             if remote:

i)      electronically verify a signature against records (if available), confirmed with a call to a telephone number of record; or

ii)    authenticate an electronic request as being from the same Subscriber or Subject, supported by a credential at Assurance Level 2 or higher.

AL2_CM_RVR#040           CSP as Revocant

Where a CSP seeks revocation of a Subject’s credential, the enterprise must establish that the request is either:

a)             from the specified service itself, with authorization as determined by established procedures, or;

b)             from the client Credential Issuer, by authentication of a formalized request over the established secure communications network.

AL2_CM_RVR#050           Verify Legal Representative as Revocant

Where the request for revocation is made by a law enforcement officer or presentation of a legal document, the enterprise must:

a)             if in-person, verify the identity of the person presenting the request;

b)             if remote:

i)      in paper/facsimile form, verify the origin of the legal document by a database check or by telephone with the issuing authority; or

ii)    as an electronic request, authenticate it as being from a recognized legal office, supported by a credential at Assurance Level 2 or higher.

 

5.1.10.3      Secure Revocation Request

This criterion applies when revocation requests must be communicated between remote components of the service organization.

An enterprise and its specified service must:

AL2_CM_SRR#010            Submit Request

Submit a request for the revocation to the Credential Issuer service (function), using a secured network communication.

 

5.1.11 Part E  -  Credential Status Management

These criteria deal with credential status management, such as the receipt of requests for new status information arising from a new credential being issued or a revocation or other change to the credential that requires notification.  They also deal with the provision of status information to requesting parties (Verifiers, Relying Parties, courts and others having regulatory authority, etc.) having the right to access such information.

5.1.11.1      Status Maintenance

An enterprise and its specified service must:

AL2_CM_CSM#010          Maintain Status Record

Maintain a record of the status of all credentials issued.

AL2_CM_CSM#020          Validation of Status Change Requests

Authenticate all requestors seeking to have a change of status recorded and published and validate the requested change before considering processing the request.  Such validation should include:

a)             the requesting source as one from which the specified service expects to receive such requests;

b)             if the request is not for a new status, the credential or identity as being one for which a status is already held.

AL2_CM_CSM#030          Revision to Published Status

Process authenticated requests for revised status information and have the revised information available for access within a period of 72 hours.

AL2_CM_CSM#040          Status Information Availability

Provide, with 95% availability, a secure automated mechanism to allow relying parties to determine credential status and authenticate the Claimant's identity.

AL2_CM_CSM#050          Inactive Credentials

Disable any credential that has not been successfully used for authentication during a period of 18 months.

 

5.1.12 Part F  -  Credential Validation/Authentication

These criteria apply to credential validation and identity authentication. 

5.1.12.1      Assertion Security

An enterprise and its specified service must:

AL2_CM_ASS#010            Validation and Assertion Security

Provide validation of credentials to a Relying Party using a protocol that:

a)              requires authentication of the specified service, itself, or of  the validation source;

b)             ensures the integrity of the authentication assertion;

c)              protects assertions against manufacture, modification, substitution and disclosure, and secondary authenticators from manufacture, capture and replay;

d)             uses approved cryptography techniques;

and which, specifically:

e)              creates assertions which are specific to a single transaction;

f)              where assertion references are used, generates a new reference whenever a new assertion is created;

g)              when an assertion is provided indirectly, either signs the assertion or sends it via a protected channel, using a strong binding mechanism between the secondary authenticator and the referenced assertion;

h)             send assertions either via a channel mutually-authenticated with the Relying Party, or signed and encrypted for the Relying Party;

i)               requires the secondary authenticator to:

i)      be signed when provided directly to Relying Party, or;

ii)    have a minimum of 64 bits of entropy when provision is indirect (i.e. through the credential user);

iii) be transmitted to the Subject through a protected channel which is linked to the primary authentication process in such a way that session hijacking attacks are resisted;

iv)   not be subsequently transmitted over an unprotected channel or to an unauthenticated party while it remains valid.

AL2_CM_ASS#015            No False Authentication

Employ techniques which ensure that system failures do not result in ‘false positive authentication’ errors.

AL2_CM_ASS#020            No Post Authentication

Not authenticate credentials that have been revoked unless the time of the transaction for which verification is sought precedes the time of revocation of the credential.

AL2_CM_ASS#030            Proof of Possession

Use an authentication protocol that requires the claimant to prove possession and control of the authentication token.

AL2_CM_ASS#040            Assertion Lifetime

Generate assertions so as to indicate and effect their expiration:

a)              12 hours after their creation, where the service shares a common Internet domain with the Relying Party;

b)             five minutes after their creation, where the service does not share a common Internet domain with the Relying Party.
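The assertion rules of AL2_CM_ASS#010 (single-transaction assertions, a fresh reference per assertion, a 64-bit secondary authenticator for indirect delivery), #020 (no authentication after revocation unless the transaction predates it) and #040 (12-hour and five-minute lifetimes) fit together in one small issuer/verifier. This Python is an added example, not code from the Kantara draft; the `AssertionService` class, the "same last two DNS labels" reading of "common Internet domain", and the constructed scenario are this example's own assumptions.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Figures quoted from the draft: AL2_CM_ASS#040 lifetimes and the 64-bit
# minimum for an indirectly provided secondary authenticator (#010 i, ii).
SAME_DOMAIN_LIFETIME = timedelta(hours=12)
CROSS_DOMAIN_LIFETIME = timedelta(minutes=5)
REFERENCE_BYTES = 8                      # 64 bits of entropy


def registrable_domain(host):
    """Assumption of this example: a 'common Internet domain' means the same
    last two DNS labels. A real deployment would consult a public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assertion_lifetime(service_host, rp_host):
    """AL2_CM_ASS#040: 12 hours within a common domain, else five minutes."""
    if registrable_domain(service_host) == registrable_domain(rp_host):
        return SAME_DOMAIN_LIFETIME
    return CROSS_DOMAIN_LIFETIME


class AssertionService:
    """Issues single-transaction assertions reachable through a fresh 64-bit
    reference and redeems each reference at most once."""

    def __init__(self, service_host):
        self.service_host = service_host
        self.revoked_at = {}     # credential_id -> datetime of revocation
        self.by_reference = {}   # reference -> assertion dict
        self.consumed = set()    # references already redeemed

    def revoke(self, credential_id, when):
        self.revoked_at[credential_id] = when

    def issue(self, credential_id, rp_host, transaction_time):
        """Mint an assertion for one transaction with one Relying Party.
        AL2_CM_ASS#020: refuse (return None) for a revoked credential unless
        the transaction precedes the revocation."""
        revoked = self.revoked_at.get(credential_id)
        if revoked is not None and transaction_time >= revoked:
            return None
        reference = secrets.token_hex(REFERENCE_BYTES)   # new reference each time (f)
        assertion = {
            "reference": reference,
            "credential_id": credential_id,
            "audience": rp_host,                           # bound to one RP (e)
            "issued_at": transaction_time,
            "expires_at": transaction_time
                          + assertion_lifetime(self.service_host, rp_host),
        }
        self.by_reference[reference] = assertion
        return assertion

    def resolve(self, reference, rp_host, now):
        """Relying Party redeems a reference it received via the Subject.
        Returns (status, assertion); assertion is None unless status is 'ok'."""
        assertion = self.by_reference.get(reference)
        if assertion is None:
            return "unknown", None
        if reference in self.consumed:
            return "replayed", None           # one transaction per assertion
        if assertion["audience"] != rp_host:
            return "wrong_audience", None
        if now >= assertion["expires_at"]:
            return "expired", None            # AL2_CM_ASS#040
        self.consumed.add(reference)
        return "ok", assertion


def run_scenario():
    """Constructed walk-through; returns the outcome of each step."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    svc = AssertionService("idp.example.com")
    out = {}
    first = svc.issue("cred-1", "rp.example.org", t0)
    out["first_use"] = svc.resolve(first["reference"], "rp.example.org",
                                   t0 + timedelta(minutes=1))[0]
    out["replay"] = svc.resolve(first["reference"], "rp.example.org",
                                t0 + timedelta(minutes=2))[0]
    second = svc.issue("cred-1", "rp.example.org", t0)
    out["fresh_reference"] = second["reference"] != first["reference"]
    out["cross_domain_after_6_min"] = svc.resolve(
        second["reference"], "rp.example.org", t0 + timedelta(minutes=6))[0]
    same = svc.issue("cred-1", "app.example.com", t0)
    out["same_domain_after_6_min"] = svc.resolve(
        same["reference"], "app.example.com", t0 + timedelta(minutes=6))[0]
    third = svc.issue("cred-1", "app.example.com", t0)
    out["wrong_audience"] = svc.resolve(third["reference"], "rp.example.org", t0)[0]
    out["unknown"] = svc.resolve("0" * 16, "rp.example.org", t0)[0]
    svc.revoke("cred-1", t0 + timedelta(hours=1))
    out["issue_after_revocation"] = svc.issue(
        "cred-1", "rp.example.org", t0 + timedelta(hours=2)) is None
    out["issue_before_revocation"] = svc.issue(
        "cred-1", "rp.example.org", t0 + timedelta(minutes=30)) is not None
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```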

 


Assurance Level 3

5.1.13 Part A  -  Credential Operating Environment

These criteria describe requirements for the overall operational environment in which credential lifecycle management is conducted.  The Common Organizational criteria describe broad requirements.  The criteria in this Part describe operational implementation specifics.  These criteria apply to one-time password devices and soft crypto applications protected by passwords or biometric controls, as well as cryptographically-signed SAML assertions.

The following four criteria are MANDATORY for all Services, Full or Component, and are individually marked as such:
AL3_CM_CPP#010, AL3_CM_CPP#030, AL3_CM_CTR#030, AL3_CM_SER#010.

 

5.1.13.1      Credential Policy and Practices

These criteria apply to the policy and practices under which credentials are managed.

An enterprise and its specified service must:

AL3_CM_CPP#010            Credential Policy and Practice Statement

MANDATORY.

Include in its Service Definition a full description of the policy against which it issues credentials and the corresponding practices it applies in their issuance.  At a minimum, the Credential Policy and Practice Statement must specify:

a)              if applicable, any OIDs related to the Credential Policy and Practice Statement;

b)             how users may subscribe to the service/apply for credentials and how the users’ credentials will be delivered to them;

c)              how Subscribers and/or Subjects acknowledge receipt of tokens and credentials and what obligations they accept in so doing (including whether they consent to publication of their details in credential status directories);

d)             how credentials may be renewed, modified, revoked, and suspended, including how requestors are authenticated or their identity proven;

e)              what actions a Subscriber or Subject must take to terminate a subscription;

f)              how records are retained and archived.

AL3_CM_CPP#020            No stipulation

AL3_CM_CPP#030            Management Authority

MANDATORY.

Have a nominated or appointed high-level management body with authority and responsibility for approving the Certificate Policy and Certification Practice Statement, including ultimate responsibility for their proper implementation.

 

5.1.13.2      Security Controls

AL3_CM_CTR#010           No stipulation

AL3_CM_CTR#020           Protocol threat risk assessment and controls

Account for at least the following protocol threats in its risk assessment and apply controls that reduce them to acceptable risk levels:

a)              password guessing, such that the resistance to an on-line guessing attack against a selected user/password is at least 1 in 2^14 (16,384);

b)             message replay, showing that it is impractical;

c)              eavesdropping, showing that it is impractical;

d)             relying party (verifier) impersonation, showing that it is impractical;

e)             man-in-the-middle attack, showing that it is impractical.

The above list shall not be considered to be a complete list of threats to be addressed by the risk assessment.

AL3_CM_CTR#025           Permitted authentication protocols

For non-PKI credentials, permit only the following authentication protocols:

a)              tunneled password;

b)             zero-knowledge-based password;

c)              SAML assertions.

AL3_CM_CTR#030           System threat risk assessment and controls

MANDATORY.

Account for the following system threats in its risk assessment and apply controls that reduce them to acceptable risk levels:

a)              the introduction of malicious code;

b)             compromised authentication arising from insider action;

c)              out-of-band attacks by both users and system operators (e.g., shoulder-surfing);

d)             spoofing of system elements/applications;

e)              malfeasance on the part of Subscribers and Subjects;

f)              intrusions leading to information theft.

The above list shall not be considered to be a complete list of threats to be addressed by the risk assessment.

AL3_CM_CTR#040           Specified Service’s Key Management

Specify and observe procedures and processes for the generation, storage, and destruction of its own cryptographic keys used for securing the specific service’s assertions and other publicized information.  At a minimum, these should address:

a)              the physical security of the environment;

b)             access control procedures limiting access to the minimum number of authorized personnel;

c)              public-key publication mechanisms;

d)             application of controls deemed necessary as a result of the service’s risk assessment;

e)              destruction of expired or compromised private keys in a manner that prohibits their retrieval or their archival in a manner that prohibits their reuse;

f)              applicable cryptographic module security requirements, quoting FIPS 140-2 [FIPS140-2] or equivalent, as established by a recognized national technical authority.

 

5.1.13.3      Storage of Long-term Secrets

An enterprise and its specified service must:

AL3_CM_STS#010            Withdrawn

Withdrawn (AL3_CO_SCO#020 (a) & (b) enforce this requirement).

AL3_CM_STS#020            Stored Secret Encryption

Encrypt such shared secret files so that:

a)             the encryption key for the shared secret file is encrypted under a key held in a FIPS 140-2 [FIPS140-2] Level 2 or higher validated hardware or software cryptographic module or any FIPS 140-2 Level 3 or 4 cryptographic module, or equivalent, as established by a recognized national technical authority;

b)             the shared secret file is decrypted only as immediately required for an authentication operation;

c)              shared secrets are protected as a key within the boundary of a FIPS 140-2 Level 2 or higher validated hardware cryptographic module or any FIPS 140-2 Level 3 or 4 cryptographic module and are not exported from the module in plain text, or equivalent, as established by a recognized national technical authority;

d)             shared secrets are split by an "n from m" cryptographic secret sharing method.
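Added illustration, not part of the IAF criteria: an "n from m" cryptographic secret-sharing method of the kind AL3_CM_STS#020 (d) refers to, implemented as Shamir's scheme over a prime field. A verifier's shared secret is split into m shares; any n of them reconstruct it, and fewer reveal nothing about it. The prime, the sample secret and the share counts are constructed for the example.

```python
"""Shamir "n from m" secret sharing over GF(PRIME).

Added example for AL3_CM_STS#020 (d); not the text's own code.  The secret is
the constant term of a random polynomial of degree n-1; each share is one
point (x, f(x)) on that polynomial.  Any n points determine the polynomial
(and so the secret); n-1 points are consistent with every possible secret.
"""
import secrets

# Constructed field: 2^127 - 1 is a Mersenne prime, large enough to hold a
# 16-byte shared secret with room to spare.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x, modulo PRIME (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, m):
    """Split an integer secret (< PRIME) into m shares with threshold n.

    Returns a list of (x, y) pairs for x = 1..m.  The n-1 non-constant
    coefficients are drawn from a CSPRNG; reusing them for a second secret
    would leak information, so a fresh polynomial is built on every call.
    """
    if not 1 < n <= m:
        raise ValueError("need 1 < n <= m")
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit in the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(n - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, m + 1)]


def recover_secret(shares):
    """Recover f(0) from at least n distinct shares by Lagrange interpolation.

    Fewer than n shares do not raise an error: they interpolate to a
    uniformly random field element, which is what makes the scheme safe.
    Operators should therefore check the share count before trusting output.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                # Lagrange basis L_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j)
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def bytes_to_int(data):
    """Encode a shared-secret value (e.g. a verifier's file key) as a field element."""
    return int.from_bytes(data, "big")


def int_to_bytes(value, length):
    """Inverse of bytes_to_int for a secret of known byte length."""
    return value.to_bytes(length, "big")


if __name__ == "__main__":
    # Constructed 16-byte shared secret; 3 of 5 custodians needed to rebuild it.
    demo_secret = bytes.fromhex("00112233445566778899aabbccddeeff")
    parts = split_secret(bytes_to_int(demo_secret), 3, 5)
    rebuilt = int_to_bytes(recover_secret([parts[0], parts[2], parts[4]]), 16)
    print("recovered:", rebuilt == demo_secret)
```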

 

5.1.13.4      Security-relevant Event (Audit) Records

These criteria describe the need to provide an auditable log of all events that are pertinent to the correct and secure operation of the service.  The common organizational criteria applying to provision of an auditable log of all security-related events pertinent to the correct and secure operation of the service must also be considered carefully.  These criteria carry implications for credential management operations.

In the specific context of a certificate management service, an enterprise and its specified service must:

AL3_CM_SER#010            Security event logs

MANDATORY, to the extent that the sub-items relate to the scope of service.

Ensure that such audit records include:

a)     the identity of the point of registration (irrespective of whether internal or outsourced);

b)    generation of the Subject’s keys or the evidence that the Subject was in possession of both parts of their own key-pair;

c)     generation of the Subject’s certificate;

d)    dissemination of the Subject’s certificate;

e)     any revocation or suspension associated with the Subject’s certificate.

 

5.1.13.5      Subject options

AL3_CM_OPN#010           Changeable PIN/Password

Withdrawn – see AL3_CM_RNR#010.

 

5.1.14 Part B  -  Credential Issuing

These criteria apply to the verification of the identity of the Subject of a credential and to token strength and credential delivery mechanisms.  They address requirements levied by the use of various technologies to achieve Assurance Level 3.

5.1.14.1      Identity Proofing Policy

The specific service must show that it applies identity proofing policies and procedures and that it retains appropriate records of identity proofing activities and evidence.

The enterprise and its specified service must:

AL3_CM_IDP#010            Withdrawn

Withdrawn.

AL3_CM_IDP#020            Withdrawn

Withdrawn.

AL3_CM_IDP#030            Withdrawn

Withdrawn.

AL3_ID_POL#010              Unique service identity

Ensure that a unique identity is attributed to the specific service, such that credentials issued by it can be distinguished from those issued by other services, including services operated by the same enterprise.

AL3_ID_POL#020              Unique Subject identity

Ensure that each applicant’s identity is unique within the service’s community of Subjects and uniquely associable with tokens and/or credentials issued to that identity.

AL3_ID_POL#030              Published Proofing Policy

Make available the Identity Proofing Policy under which it verifies the identity of applicants[6] in form, language, and media accessible to the declared community of Users.

AL3_ID_POL#040              Adherence to Proofing Policy

Perform all identity proofing strictly in accordance with its published Identity Proofing Policy, through application of the procedures and processes set out in its Identity Proofing Practice Statement.

 

5.1.14.2      Identity Verification

The enterprise or specific service:

AL3_ID_IDV#000              Identity Proofing classes

a)              must include in its Service Definition at least one of the following classes of identity proofing services;

b)             may offer any additional classes of identity proofing service it chooses, subject to the nature and the entitlement of the CSP concerned;

c)              must fulfill the applicable assessment criteria according to its choice of identity proofing service, i.e. conform to at least one of the criteria sets defined in:

i)     §5.1.14.3, “In-Person Public Identity Verification”;

ii)   §5.1.14.4, “Remote Public Identity Verification”;

iii) §5.1.14.6, “Affiliation Identity Verification”.

 

5.1.14.3      In-Person Public Identity Verification

A specific service that offers identity proofing to applicants with whom it has no previous relationship must comply with the criteria in this section.

The enterprise or specified service must:

AL3_ID_IPV#010               Required evidence

Ensure that the applicant is in possession of a primary Government Picture ID document that bears a photographic image of the holder.

AL3_ID_IPV#020               Evidence checks

Have in place and apply processes which ensure that the presented document:

a)              appears to be a genuine document properly issued by the claimed issuing authority and valid at the time of application;

b)             bears a photographic image of the holder that matches that of the applicant;

c)              is electronically verified by a record check with the specified issuing authority or through similar databases that:

i)              establishes the existence of such records with matching name and reference numbers;

ii)            corroborates date of birth, current address of record, and other personal information sufficient to ensure a unique identity;

d)             provides all reasonable certainty that the identity exists and that it uniquely identifies the applicant.

 

5.1.14.4      Remote Public Identity Verification

A specific service that offers remote identity proofing to applicants with whom it has no previous relationship must comply with the criteria in this section.

The enterprise or specified service must:

AL3_ID_RPV#010              Required evidence

Ensure that the applicant submits the references of and attests to current possession of a primary Government Picture ID document, and one of:

a)         a second Government ID;

b)         an employee or student ID number;

c)         a financial account number (e.g., checking account, savings account, loan, or credit card),  or;

d)         a utility service account number (e.g., electricity, gas, or water) for an address matching that in the primary document.

Ensure that the applicant provides additional verifiable personal information that at a minimum must include:

e)         a name that matches the referenced photo-ID;

f)         date of birth;

g)         current address or personal telephone number.

Additional information may be requested so as to ensure a unique identity, and alternative information may be sought where the enterprise can show that it leads to at least the same degree of certitude when verified.

 

AL3_ID_RPV#020              Evidence checks

Electronically verify by a record check against the provided identity references with the specified issuing authorities/institutions or through similar databases:

a)              the existence of such records with matching name and reference numbers;

b)             corroboration of date of birth, current address of record, or personal telephone number, and other personal information sufficient to ensure a unique identity;

c)              dynamic verification of personal information previously provided by or likely to be known only by the applicant.

 

 

Confirm address of record by at least one of the following means:

a)              RA sends notice to an address of record confirmed in the records check and receives a mailed or telephonic reply from applicant;

b)             RA issues credentials in a manner that confirms the address of record supplied by the applicant, for example by requiring applicant to enter on-line some information from a notice sent to the applicant;

c)              RA issues credentials in a manner that confirms ability of the applicant to receive telephone communications at telephone number or email at email address associated with the applicant in records.  Any secret sent over an unprotected channel shall be reset upon first use.

 

Additional checks may be performed so as to establish the uniqueness of the claimed identity, and alternative checks may be performed where the enterprise can show that they lead to at least the same degree of certitude.

5.1.14.5      Current Relationship Identity Verification

No stipulation.

 

5.1.14.6      Affiliation Identity Verification

A specific service that offers identity proofing to applicants on the basis of some form of affiliation must comply with the criteria in this section to establish that affiliation and with the previously stated requirements to verify the individual's identity.

The enterprise or specified service must:

AL3_ID_AFV#000             Meet preceding criteria

Meet all the criteria set out above, under §5.1.14.4, “Remote Public Identity Verification”.

AL3_ID_AFV#010             Required evidence

Ensure that the applicant possesses:

a)              identification from the organization with which the applicant claims affiliation;

b)             agreement from the organization that the applicant may be issued a credential indicating that an affiliation exists.

AL3_ID_AFV#020             Evidence checks

Have in place and apply processes which ensure that the presented documents:

a)              each appear to be a genuine document properly issued by the claimed issuing authorities and valid at the time of application;

b)             refer to an existing organization with a contact address;

c)              indicate that the applicant has some form of recognizable affiliation with the organization;

d)             appear to grant the applicant an entitlement to obtain a credential indicating an affiliation with the organization.

 

5.1.14.7      Secondary Identity Verification

In each of the above cases, the enterprise or specified service must also meet the following criteria:

AL3_ID_SCV#010              Secondary checks

Have in place additional measures (e.g., require additional documentary evidence, delay completion while out-of-band checks are undertaken) to deal with any anomalous circumstance that can reasonably be anticipated (e.g., a legitimate and recent change of address that has yet to be established as the address of record).

5.1.14.8      Identity Verification Records

The specific service must retain records of the identity proofing (verification) that it undertakes and provide them to qualifying parties when so required.

The enterprise or specified service must:

AL3_ID_VRC#010             Verification Records for Personal Applicants

Log, taking account of all applicable legislative and policy obligations, a record of the facts of the verification process and the identity of the registrar, including a reference relating to the verification processes and the date and time of verification.

Guidance: The facts of the verification process should include the specific record information (source, unique reference, value/content) used in establishing the applicant’s identity, and will be determined by the specific processes used and documents accepted by the CSP.  The CSP need not retain these records itself if it uses a third-party service which retains such records securely and to which the CSP has access when required, in which case it must retain a record of the identity of the third-party service providing the verification service or the location at which the (in-house) verification was performed.

AL3_ID_VRC#020             Verification Records for Affiliated Applicants

In addition to the foregoing, log, taking account of all applicable legislative and policy obligations, a record of the additional facts of the verification process.  At a minimum, records of identity information must include:

a)              the Subject’s full name;

b)             the Subject’s[7] current address of record;

c)              the Subject’s current telephone or email address of record;

d)             the Subject’s acknowledgement of the issuance of a credential to the Subject;

e)              type, issuing authority, and reference number(s) of all documents checked in the identity proofing process;

f)              where required, a telephone or email address for related contact and/or delivery of credentials/notifications.

AL3_ID_VRC#030             Record Retention

Either retain, securely, the record of the verification/revocation process for the duration of the Subject account plus a further period sufficient to allow fulfillment of any period required legally, contractually or by any other form of binding agreement or obligation, or submit the same record to a client CSP that has undertaken to retain the record for the requisite period or longer.

AL3_CM_IDP#040            Revision to Subject information

Provide a means for Subjects to securely amend their stored information after registration, either by re-proving their identity as in the initial registration process or by using their credentials to authenticate their revision.  Successful revision must, where necessary, instigate the re-issuance of the credential.

 

5.1.14.9      Credential Creation

These criteria define the requirements for creation of credentials whose highest use is AL3.  Any credentials/tokens that comply with the criteria stipulated at AL4 are also acceptable at AL3 and below.

Note, however, that a token and credential type required by a higher AL but created according to these criteria may not necessarily provide that higher level of assurance for the claimed identity of the Subject.  Authentication can only be provided at the assurance level at which the identity is proven.

An enterprise and its specified service must:

AL3_CM_CRN#010           Authenticated Request

Only accept a request to generate a credential and bind it to an identity if the source of the request, i.e., Registration Authority, can be authenticated as being authorized to perform identity proofing at AL3 or higher.

AL3_CM_CRN#020           Unique identity

Ensure that the identity which relates to a specific applicant is unique within the specified service, including identities previously used and now cancelled, except where an identity is re-assigned to the same applicant.

Guidance: This requirement is intended to prevent identities that may exist in a Relying Party’s access control lists from possibly representing a different physical person.

AL3_CM_CRN#030           Credential uniqueness

Allow the Subject to select a credential (e.g., UserID) that is verified to be unique within the specified service’s community and assigned uniquely to a single identity Subject.

AL3_CM_CRN#035           Convey credential

Be capable of conveying the unique identity information associated with a credential to Verifiers and Relying Parties.

AL3_CM_CRN#040           PIN/Password strength

Not use PIN/password tokens.

AL3_CM_CRN#050           One-time password strength

Only allow one-time password tokens that:

a)             depend on a symmetric key stored on a personal hardware device evaluated against FIPS 140-2 [FIPS140-2] Level 1 or higher, or equivalent, as established by a recognized national technical authority;

b)             permit at least 10^6 possible password values;

c)              require password or biometric activation by the Subject.
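Added illustration, not part of the IAF criteria: an event-based one-time password of the kind AL3_CM_CRN#050 describes, derived from a symmetric key (HOTP as specified in RFC 4226), together with a check that the configured digit count gives the 10^6 possible values required by item (b) and a verifier that never accepts a counter value already consumed. The key used is the RFC 4226 test-vector key; the counter window is a constructed policy value.

```python
"""Symmetric-key one-time passwords (RFC 4226 HOTP) and the AL3 value-space check.

Added example for AL3_CM_CRN#050; not the text's own code.  The token side
(hotp) would normally run inside the personal hardware device holding the
key; the verifier side (verify_hotp) runs at the Credential Service Provider.
"""
import hashlib
import hmac
import struct

# AL3_CM_CRN#050 (b): at least 10^6 possible password values.
MIN_PASSWORD_VALUES = 10 ** 6


def password_space(digits):
    """Number of distinct codes a decimal OTP of the given length can take."""
    return 10 ** digits


def meets_al3_value_space(digits):
    """True when a decimal OTP of this length satisfies AL3_CM_CRN#050 (b)."""
    return password_space(digits) >= MIN_PASSWORD_VALUES


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, dynamically truncated.

    Six digits give exactly 10^6 possible values, the AL3 minimum.
    """
    if not meets_al3_value_space(digits):
        raise ValueError("digit count below the AL3 minimum value space")
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % password_space(digits)).zfill(digits)


def verify_hotp(key, next_counter, candidate, window=3, digits=6):
    """Verifier-side check with a bounded look-ahead window.

    Returns the new value of next_counter on success, or None on failure.
    Counters below next_counter are never tried, so a captured code cannot be
    replayed once a later code has been accepted; the window only tolerates
    a token that was pressed without the code being submitted.
    """
    for counter in range(next_counter, next_counter + window):
        if hmac.compare_digest(hotp(key, counter, digits), candidate):
            return counter + 1
    return None


if __name__ == "__main__":
    key = b"12345678901234567890"        # RFC 4226 Appendix D test key
    print(hotp(key, 0))                   # 755224 per RFC 4226
    print(verify_hotp(key, 0, hotp(key, 1)))
```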

AL3_CM_CRN#060           Software cryptographic token strength

Ensure that software cryptographic keys stored on general-purpose devices:

a)              are protected by a key and cryptographic protocol that are evaluated against FIPS 140-2 [FIPS140-2] Level 2, or equivalent, as established by a recognized national technical authority;

b)             require password or biometric activation by the Subject or employ a password protocol when being used for authentication.

AL3_CM_CRN#070           Hardware token strength

Ensure that hardware tokens used to store cryptographic keys:

a)              employ a cryptographic module that is evaluated against FIPS 140-2 [FIPS140-2] Level 1 or higher, or equivalent, as established by a recognized national technical authority;

b)             require password or biometric activation by the Subject or also employ a password when being used for authentication.

AL3_CM_CRN#080           Binding of key

If the specified service generates the Subject’s key pair, ensure that the key generation process securely and uniquely binds that process to the certificate generation and maintains at all times the secrecy of the private key, until it is accepted by the Subject.

AL3_CM_CRN#090           Nature of Subject

Record the nature of the Subject of the credential (which must correspond to the manner of identity proofing performed), i.e., private person, a named person acting on behalf of a corporation or other legal entity, corporation or legal entity, or corporate machine entity, in a manner that can be unequivocally associated with the credential and the identity that it asserts.  [Omitted]

 

5.1.14.10   Subject Key Pair Generation

An enterprise and its specified service must:

AL3_CM_SKP#010            Key generation by Specified Service

If the specified service generates the Subject’s keys:

a)             use a FIPS 140-2 [FIPS140-2] compliant algorithm, or equivalent, as established by a recognized national technical authority, that is recognized as being fit for the purposes of the service;

b)             only create keys of a key length and for use with a FIPS 140-2 [FIPS140-2] compliant public key algorithm, or equivalent, as established by a recognized national technical authority, recognized as being fit for the purposes of the service;

c)              generate and store the keys securely until delivery to and acceptance by the Subject;

d)             deliver the Subject’s private key in a manner that ensures that the privacy of the key is not compromised and only the Subject has access to the private key.

AL3_CM_SKP#020            Key generation by Subject

If the Subject generates and presents its own keys, obtain the Subject’s written confirmation that it has:

a)             used a FIPS 140-2 [FIPS140-2] compliant algorithm, or equivalent, as established by a recognized national technical authority, that is recognized as being fit for the purposes of the service;

b)             created keys of a key length and for use with a FIPS 140-2 [FIPS140-2] compliant public key algorithm, or equivalent, as established by a recognized national technical authority, recognized as being fit for the purposes of the service.

 

5.1.14.11   Credential Delivery

An enterprise and its specified service must:

AL3_CM_CRD#010           Notify Subject of Credential Issuance

Notify the Subject of the credential’s issuance and, if necessary, confirm Subject’s contact information by:

a)              sending notice to the address of record confirmed during identity proofing, and either:

i)              issuing the credential(s) in a manner that confirms the address of record supplied by the applicant during identity proofing, or;

ii)            issuing the credential(s) in a manner that confirms the ability of the applicant to receive telephone communications at a phone number supplied by the applicant during identity proofing, while recording the applicant’s voice.

AL3_CM_CRD#020           Subject’s acknowledgement

Receive acknowledgement of receipt of the credential before it is activated and its directory status record is published (and thereby the subscription becomes active or re-activated, depending upon the circumstances of issue).

 

5.1.15 Part C  -  Credential Renewal and Re-issuing

These criteria apply to the renewal and re-issuing of credentials.  They address requirements levied by the use of various technologies to achieve Assurance Level 3.  

5.1.15.1      Renewal/Re-issuance Procedures

These criteria address general renewal and re-issuance functions, to be exercised as specific controls in these circumstances while continuing to observe the general requirements established for initial credential issuance.

An enterprise and its specified service must:

AL3_CM_RNR#010           Changeable PIN/Password

Permit Subjects to change the passwords used to activate their credentials.

 

Further criteria may be determined after AL3 comparability assessment against Federal CAF and NIST SP 800-63-n is performed.

 

5.1.16 Part D  -  Credential Revocation

These criteria deal with credential revocation and the determination of the legitimacy of a revocation request.

5.1.16.1      Revocation Procedures

These criteria address general revocation functions, such as the processes involved and the basic requirements for publication.

An enterprise and its specified service must:

AL3_CM_RVP#010           Revocation procedures

a)              State the conditions under which revocation of an issued credential may occur;

b)             State the processes by which a revocation request may be submitted;

c)              State the persons and organizations from which a revocation request will be accepted;

d)             State the validation steps that will be applied to ensure the validity (identity) of the Revocant, and;

e)              State the response time between a revocation request being accepted and the publication of revised certificate status.

AL3_CM_RVP#020           Secure status notification

Ensure that published credential status notification information can be relied upon in terms of the enterprise being its origin (i.e., its authenticity) and its correctness (i.e., its integrity).

AL3_CM_RVP#030           Revocation publication

[Omitted] Ensure that published credential status notification is revised within 24 hours of the receipt of a valid revocation request, such that any subsequent attempts to use that credential in an authentication shall be unsuccessful.  The nature of the revocation mechanism shall be in accord with the technologies supported by the service.

AL3_CM_RVP#040           Verify Revocation Identity

Establish that the identity for which a revocation request is received is one that was issued by the specified service.

AL3_CM_RVP#050           Revocation Records

Retain a record of any revocation of a credential that is related to a specific identity previously verified, solely in connection to the stated credential.  At a minimum, records of revocation must include:

a)              the Revocant’s full name;

b)             the Revocant’s authority to revoke (e.g., Subscriber or the Subject themselves, someone acting with the Subscriber’s or the Subject’s power of attorney, the credential issuer, law enforcement, or other legal due process);

c)              the Credential Issuer’s identity (if not directly responsible for the identity proofing service);

d)             the identity associated with the credential (whether the Subject’s name or a pseudonym);

e)              the reason for revocation.

AL3_CM_RVP#060           Record Retention

Retain, securely, the record of the revocation process for a period which is in compliance with:

a)             the records retention policy required by AL3_CM_CPP#020, and;

b)             applicable legislation;

and which, in addition, must be not less than the duration of the Subscriber’s account plus 7.5 years.

 

5.1.16.2      Verify Revocant’s Identity

Revocation of a credential requires that the requestor and the nature of the request be verified as rigorously as the original identity proofing.  The enterprise should not act on a request for revocation without first establishing the validity of the request (if it does not, itself, determine the need for revocation).

In order to do so, the enterprise and its specified service must:

AL3_CM_RVR#010           Verify revocation identity

Establish that the credential for which a revocation request is received is one that was initially issued by the specified service, applying the same process and criteria as would be applied to an original identity proofing.

AL3_CM_RVR#020           Revocation reason

Establish the reason for the revocation request as being sound and well founded, in combination with verification of the Revocant, according to AL3_CM_RVR#030, AL3_CM_RVR#040, or AL3_CM_RVR#050.

AL3_CM_RVR#030           Verify Subscriber as Revocant

When the Subscriber or Subject seeks revocation of the Subject’s credential:

a)              if in-person, require presentation of a primary Government Picture ID document that shall be electronically verified by a record check against the provided identity with the specified issuing authority’s records;

b)             if remote:

i)              electronically verify a signature against records (if available), confirmed with a call to a telephone number of record, or;

ii)            as an electronic request, authenticate it as being from the same Subscriber or Subject, supported by a credential at Assurance Level 3 or higher.

AL3_CM_RVR#040           Verify CSP as Revocant

Where a CSP seeks revocation of a Subject’s credential, establish that the request is either:

a)              from the specified service itself, with authorization as determined by established procedures, or;

b)             from the client Credential Issuer, by authentication of a formalized request over the established secure communications network.

AL3_CM_RVR#050           Verify Legal Representative as Revocant

Where the request for revocation is made by a law enforcement officer or presentation of a legal document:

a)              if in person, verify the identity of the person presenting the request, or;

b)             if remote:

i)              in paper/facsimile form, verify the origin of the legal document by a database check or by telephone with the issuing authority, or;

ii)            as an electronic request, authenticate it as being from a recognized legal office, supported by a credential at Assurance Level 3 or higher.

 

5.1.16.3      Secure Revocation Request

This criterion applies when revocation requests must be communicated between remote components of the service organization.

An enterprise and its specified service must:

AL3_CM_SRR#010            Submit Request

Submit a request for the revocation to the Credential Issuer service (function), using a secured network communication.

 

5.1.17 Part E  -  Credential Status Management

These criteria deal with credential status management, such as the receipt of requests for new status information arising from a new credential being issued or a revocation or other change to the credential that requires notification.  They also deal with the provision of status information to requesting parties (Verifiers, Relying Parties, courts and others having regulatory authority, etc.) having the right to access such information.

5.1.17.1      Status Maintenance

An enterprise and its specified service must:

AL3_CM_CSM#010          Maintain Status Record

Maintain a record of the status of all credentials issued.

AL3_CM_CSM#020          Validation of Status Change Requests

Authenticate all requestors seeking to have a change of status recorded and published and validate the requested change before considering processing the request.  Such validation should include:

a)              the requesting source as one from which the specified service expects to receive such requests;

b)             if the request is not for a new status, the credential or identity as being one for which a status is already held.

AL3_CM_CSM#030          Revision to Published Status

Process authenticated requests for revised status information and have the revised information available for access within a period of 72 hours.

AL3_CM_CSM#040          Status Information Availability

Provide, with 99% availability, a secure automated mechanism to allow relying parties to determine credential status and authenticate the Claimant's identity.

AL3_CM_CSM#050          Inactive Credentials

Disable any credential that has not been successfully used for authentication during a period of 18 months.

 

5.1.18 Part F  -  Credential Validation/Authentication

These criteria apply to credential validation and identity authentication. 

5.1.18.1      Assertion Security

An enterprise and its specified service must:

AL3_CM_ASS#010            Validation and Assertion Security

Provide validation of credentials to a Relying Party using a protocol that:

a)              requires authentication of the specified service, itself, or of  the validation source;

b)             ensures the integrity of the authentication assertion.

AL3_CM_ASS#015            No False Authentication

Employ techniques which ensure that system failures do not result in ‘false positive authentication’ errors.

AL3_CM_ASS#020            Post Authentication

Not authenticate credentials that have been revoked unless the time of the transaction for which verification is sought precedes the time of revocation of the credential.

AL3_CM_ASS#030            Proof of Possession

Use an authentication protocol that requires the claimant to prove possession and control of the authentication token.

AL3_CM_ASS#040            Assertion Lifetime

For non-cryptographic credentials, generate assertions so as to indicate and effect their expiration 12 hours after their creation; otherwise, notify the relying party of how often the revocation status sources are updated.
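Added illustration, not part of the IAF criteria: the checks a Verifier would apply to an assertion for a non-cryptographic credential under AL3_CM_ASS#010 (b), #015, #020 and #040: an HMAC binding the assertion fields for integrity, a fixed 12-hour lifetime, refusal of a revoked credential unless the transaction time precedes the revocation time, and a fail-closed result on any malformed input. The signing key, subject identifiers and timestamps are constructed.

```python
"""Assertion issuance and validation for Part F (AL3_CM_ASS#010 (b), #015, #020, #040).

Added example; not the text's own code.  The assertion format (JSON fields plus
an HMAC-SHA-256 tag) is an assumption chosen for the illustration; the rules
enforced are the ones the criteria state.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

ASSERTION_LIFETIME = timedelta(hours=12)        # AL3_CM_ASS#040
# Constructed key shared between the specified service and the Verifier.
SERVICE_KEY = b"constructed-demo-key-not-for-production"


def _canonical(fields):
    """Deterministic serialisation so issuer and Verifier MAC the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_fields(fields, key=SERVICE_KEY):
    """Integrity tag over the assertion fields (AL3_CM_ASS#010 (b))."""
    return hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()


def issue_assertion(subject_id, issued_at, key=SERVICE_KEY):
    """Issue an assertion whose expiry is fixed 12 hours after creation."""
    fields = {
        "subject": subject_id,
        "issued_at": issued_at.isoformat(),
        "expires_at": (issued_at + ASSERTION_LIFETIME).isoformat(),
    }
    return {"fields": fields, "tag": sign_fields(fields, key)}


def validate_assertion(assertion, revocations, transaction_time, key=SERVICE_KEY):
    """Return (accepted, reason).

    revocations maps subject_id -> tz-aware revocation time; transaction_time
    is when the transaction being authenticated took place.  Every unexpected
    condition yields (False, ...), so a system fault cannot become a false
    positive authentication (AL3_CM_ASS#015).
    """
    try:
        fields = assertion["fields"]
        if not hmac.compare_digest(sign_fields(fields, key), assertion["tag"]):
            return False, "integrity check failed"
        issued = datetime.fromisoformat(fields["issued_at"])
        expires = datetime.fromisoformat(fields["expires_at"])
    except (KeyError, TypeError, ValueError):
        return False, "malformed assertion"
    # A correctly signed assertion may still violate the lifetime policy.
    if expires - issued > ASSERTION_LIFETIME:
        return False, "lifetime exceeds 12 hours"
    if transaction_time >= expires:
        return False, "assertion expired"
    # AL3_CM_ASS#020: a revoked credential is only honoured for transactions
    # that preceded the revocation.
    revoked_at = revocations.get(fields["subject"])
    if revoked_at is not None and transaction_time >= revoked_at:
        return False, "credential revoked before transaction"
    return True, "ok"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)    # constructed
    a = issue_assertion("subj-001", t0)
    print(validate_assertion(a, {}, t0 + timedelta(hours=1)))
    print(validate_assertion(a, {"subj-001": t0 + timedelta(hours=2)},
                             t0 + timedelta(hours=3)))
```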

 


Assurance Level 4

5.1.19 Part A  -  Credential Operating Environment

These criteria describe requirements for the overall operational environment in which credential lifecycle management is conducted.  The Common Organizational criteria describe broad requirements.  The criteria in this Part describe operational implementation specifics.  These criteria apply exclusively to cryptographic technology deployed through a Public Key Infrastructure.  This technology requires hardware tokens protected by password or biometric controls.  No other forms of credential are permitted at AL4.

The following four criteria are MANDATORY for all Services, Full or Component, and are individually marked as such:
AL4_CM_CPP#020, AL4_CM_CPP#030, AL4_CM_CTR#030, AL4_CM_SER#010.

5.1.19.1      Certification Policy and Practices

These criteria apply to the policy and practices under which certificates are managed.

An enterprise and its specified service must:

AL4_CM_CPP#010            No stipulation

AL4_CM_CPP#020            Certificate Policy/Certification Practice Statement

MANDATORY.

Include in its Service Definition its full Certificate Policy and the corresponding Certification Practice Statement.  The Certificate Policy and Certification Practice Statement must conform to IETF RFC 3647 (2003-11) [RFC 3647] in their content and scope or be demonstrably consistent with the content and scope of that RFC.  At a minimum, the Certificate Policy must specify:

a)             applicable OIDs for each certificate type issued;

b)             how users may subscribe to the service/apply for certificates, and how certificates will be issued to them;

c)              if users present their own keys, how they will be required to demonstrate possession of the private key;

d)             if users’ keys are generated for them, how the private keys will be delivered to them;

e)             how Subjects acknowledge receipt of tokens and credentials and what obligations they accept in so doing (including whether they consent to publication of their details in certificate status directories);

f)              how certificates may be renewed, re-keyed, modified, revoked, and suspended, including how requestors are authenticated or their identity proven;

g)             what actions a Subject must take to terminate their subscription.

AL4_CM_CPP#030            Management Authority

MANDATORY.

Have a nominated or appointed high-level management body with authority and responsibility for approving the Certificate Policy and Certification Practice Statement, including ultimate responsibility for their proper implementation.

 

5.1.19.2      Security Controls

An enterprise and its specified service must:

AL4_CM_CTR#010           No stipulation

AL4_CM_CTR#020           Protocol threat risk assessment and controls

Account for at least the following protocol threats in its risk assessment and apply controls that reduce them to acceptable risk levels:

a)              password guessing, showing that there is sufficient entropy;

b)             message replay, showing that it is impractical;

c)              eavesdropping, showing that it is impractical;

d)             relying party (verifier) impersonation, showing that it is impractical;

e)              man-in-the-middle attack, showing that it is impractical;

f)              session hijacking, showing that it is impractical.

The above list shall not be considered to be a complete list of threats to be addressed by the risk assessment.
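Item a) asks the risk assessment to show that the activation secret of a hardware token has "sufficient entropy" against online guessing.  The following is an added worked example (not part of the IAF text) of how that showing can be made quantitative: it combines the entropy of the secret with the number of guesses the lockout policy permits over the token's lifetime and compares the resulting success probability to an acceptance threshold.  The alphabet size, length, lockout limit, lifetime and the 2^-14 threshold are all constructed assumptions for the example; the assessor's own policy supplies the real figures.

```python
import math

# Constructed policy parameters for a hardware-token activation password.
# These values are assumptions for the example, not figures from the IAF text.
ALPHABET_SIZE = 62           # mixed-case letters and digits
PASSWORD_LENGTH = 8
FAILURES_PER_DAY = 10        # lockout permits this many failed tries per day
TOKEN_LIFETIME_DAYS = 3 * 365
# Assumed acceptance threshold for the risk assessment: an attacker's chance
# of guessing the activation secret over the token's lifetime must stay below this.
MAX_GUESS_PROBABILITY = 2 ** -14


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret chosen uniformly at random from alphabet_size**length values."""
    return length * math.log2(alphabet_size)


def lifetime_attempts(failures_per_day: int, lifetime_days: int) -> int:
    """Total online guesses the lockout policy permits over the token's lifetime."""
    return failures_per_day * lifetime_days


def guess_success_probability(bits: float, attempts: int) -> float:
    """Upper bound on the attacker's success after `attempts` online guesses
    against a uniformly random secret of the given entropy."""
    return min(1.0, attempts / 2.0 ** bits)


def assess_guessing_resistance(alphabet_size: int, length: int, failures_per_day: int,
                               lifetime_days: int,
                               max_probability: float = MAX_GUESS_PROBABILITY) -> dict:
    """Evaluate one activation-secret policy against the acceptance threshold."""
    bits = entropy_bits(alphabet_size, length)
    attempts = lifetime_attempts(failures_per_day, lifetime_days)
    p = guess_success_probability(bits, attempts)
    return {"entropy_bits": round(bits, 2), "attempts": attempts,
            "guess_probability": p, "acceptable": p <= max_probability}


if __name__ == "__main__":
    # A 4-digit PIN under the same lockout fails the threshold outright;
    # the 8-character password passes with a wide margin.
    print(assess_guessing_resistance(10, 4, FAILURES_PER_DAY, TOKEN_LIFETIME_DAYS))
    print(assess_guessing_resistance(ALPHABET_SIZE, PASSWORD_LENGTH,
                                     FAILURES_PER_DAY, TOKEN_LIFETIME_DAYS))
```

The calculation assumes the secret is chosen uniformly at random; user-chosen passwords have less entropy than the alphabet arithmetic suggests, so an assessor would apply a more conservative estimate for them.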

AL4_CM_CTR#025           No stipulation

AL4_CM_CTR#030           System threat risk assessment and controls

MANDATORY.

Account for the following system threats in its risk assessment and apply controls that reduce them to acceptable risk levels:

a)              the introduction of malicious code;

b)             compromised authentication arising from insider action;

c)              out-of-band attacks by both users and system operators (e.g., shoulder-surfing);

d)             spoofing of system elements/applications;

e)              malfeasance on the part of Subscribers and Subjects;

f)              intrusions leading to information theft.

The above list shall not be considered to be a complete list of threats to be addressed by the risk assessment.

AL4_CM_CTR#040           Specified Service’s Key Management

Specify and observe procedures and processes for the generation, storage, and destruction of its own cryptographic keys used for securing the specific service's assertions and other publicized information.  At a minimum, these should address:

a)              the physical security of the environment;

b)             access control procedures limiting access to the minimum number of authorized personnel;

c)              public-key publication mechanisms;

d)             application of controls deemed necessary as a result of the service’s risk assessment;

e)              destruction of expired or compromised private keys in a manner that prohibits their retrieval, or their archival in a manner which prohibits their reuse;

f)              applicable cryptographic module security requirements, quoting FIPS 140-2 [FIPS140-2] or equivalent, as established by a recognized national technical authority.

 

5.1.19.3      Storage of Long-term Secrets

The enterprise and its specified service must meet the following criteria:

AL4_CM_STS#010            Stored Secrets

a)         Withdrawn (AL4_CO_SCO#020 (a) & (b) enforce this requirement)

b)         apply discretionary access controls that limit access to trusted administrators and to those applications that require access.

AL4_CM_STS#020            Stored Secret Encryption

Encrypt such [omitted] secret files so that:

a)              the encryption key for the [omitted] secret file is encrypted under a key held in a FIPS 140-2 [FIPS140-2] Level 2 or higher validated hardware cryptographic module or any FIPS 140-2 Level 3 or 4 cryptographic module, or equivalent, as established by a recognized national technical authority;

b)             the [omitted] secret file is decrypted only as immediately required for a key recovery operation;

c)              [omitted] secrets are protected as a key within the boundary of a FIPS 140-2 Level 2 or higher validated hardware cryptographic module or any FIPS 140-2 Level 3 or 4 cryptographic module and are not exported from the module in plaintext, or equivalent, as established by a recognized national technical authority;

d)             escrowed secrets are split by an "n from m" cryptographic secret storing method.
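Item d) requires escrowed secrets to be split by an "n from m" method.  The following is an added worked example (not part of the IAF text) of one such method, Shamir secret sharing over a prime field: the secret becomes the constant term of a random polynomial of degree n-1, each share is a point on that polynomial, and any n shares recover the secret by interpolation while n-1 shares reveal nothing about it.  The sample key and the "3 from 5" split are constructed for the example; in a deployment the shares would be stored under the separate custodial controls the service's risk assessment calls for.

```python
import secrets

# Field modulus: a Mersenne prime large enough that a 32-byte key is a single element.
PRIME = 2 ** 521 - 1


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x (Horner's rule, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, total: int) -> list[tuple[int, int]]:
    """Split `secret` into `total` shares, any `threshold` of which recover it.
    The secret is the constant term of a random polynomial of degree threshold-1."""
    if not 1 < threshold <= total:
        raise ValueError("need 1 < threshold <= total")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # Shares are (x, f(x)) for x = 1..total; x = 0 would be the secret itself.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, total + 1)]


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Recover the constant term by Lagrange interpolation at x = 0.
    With fewer than `threshold` shares this yields an unrelated field element."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_key(shares: list[tuple[int, int]], key_len: int) -> bytes:
    """Recover a key of known length; a value that does not fit signals bad or too few shares."""
    value = recover_secret(shares)
    if value.bit_length() > 8 * key_len:
        raise ValueError("recovered value does not fit the expected key length")
    return value.to_bytes(key_len, "big")


# Constructed sample: a 32-byte key-encryption key as it might be escrowed.
SAMPLE_KEY = b"constructed 32-byte wrapping key"

if __name__ == "__main__":
    shares = split_secret(SAMPLE_KEY, threshold=3, total=5)   # "3 from 5"
    print("3 of 5 shares recover the key:", recover_key(shares[:3], 32) == SAMPLE_KEY)
    print("2 shares alone do not:",
          recover_secret(shares[:2]) != int.from_bytes(SAMPLE_KEY, "big"))
```

Shamir's scheme is information-theoretically secure below the threshold, which is what makes it suitable for escrow: compromise of any n-1 custodians discloses nothing about the wrapped key.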

 

5.1.19.4      Security-relevant Event (Audit) Records

These criteria describe the need to provide an auditable log of all events that are pertinent to the correct and secure operation of the service.  The common organizational criteria relating to the recording of all security-related events must also be considered carefully.  These criteria carry implications for credential management operations.

In the specific context of a certificate management service, an enterprise and its specified service must:

AL4_CM_SER#010            Security event logs

MANDATORY, to the extent that the sub-items relate to the scope of service.

Ensure that such audit records include:

a)              the identity of the point of registration (irrespective of whether internal or outsourced);

b)             generation of the Subject’s keys or evidence that the Subject was in possession of both parts of the key-pair;

c)              generation of the Subject’s certificate;

d)             dissemination of the Subject’s certificate;

e)              any revocation or suspension associated with the Subject’s credential.

 

5.1.19.5      Subject Options

AL4_CM_OPN#010           Changeable PIN/Password

Withdrawn – see AL4_CM_RNR#010.

 

5.1.20 Part B  -  Credential Issuing

These criteria apply to the verification of the identity of the Subject of a credential and to token strength and credential delivery mechanisms.  They address requirements levied by the use of various technologies to achieve Assurance Level 4.

5.1.20.1      Identity Proofing Policy

Identity proofing at Assurance Level 4 requires the physical presence of the applicant in front of the registration officer with photo ID or other readily verifiable biometric identity information, as well as the requirements set out by the following criteria.

The specific service must show that it applies identity proofing policies and procedures and that it retains appropriate records of identity proofing activities and evidence.

An enterprise and its specified service must:

AL4_CM_IDP#010            Withdrawn

Withdrawn.

AL4_CM_IDP#020            Withdrawn

Withdrawn.

AL4_CM_IDP#030            Withdrawn

Withdrawn.

AL4_ID_POL#010              Unique service identity

Ensure that a unique identity is attributed to the specific service, such that credentials issued by it can be distinguishable from those issued by other services, including services operated by the same enterprise.

AL4_ID_POL#020              Unique Subject identity

Ensure that each applicant’s identity is unique within the service’s community of Subjects and uniquely associable with tokens and/or credentials issued to that identity.

AL4_ID_POL#030              Published Proofing Policy

Make available the Identity Proofing Policy under which it verifies the identity of applicants[8] in form, language, and media accessible to the declared community of users.

AL4_ID_POL#040              Adherence to Proofing Policy

Perform all identity proofing strictly in accordance with its published Identity Proofing Policy, through application of the procedures and processes set out in its Identity Proofing Practice Statement.

 

5.1.20.2      Identity Verification

The enterprise or specific service may:

AL4_ID_IDV#000              Identity Proofing classes

[Omitted] offer only a face-to-face identity proofing service.  Remote verification is not allowed at this assurance level.

 

5.1.20.3      In-Person Public Identity Verification

The enterprise or specified service must:

AL4_ID_IPV#010               Required evidence

Ensure that the applicant is in possession of:

a)             a primary Government Picture ID document that bears a photographic image of the holder and either:

i)              secondary Government Picture ID or an account number issued by a regulated financial institution or;

ii)             two items confirming name, and address or telephone number, such as:  utility bill, professional license or membership, or other evidence of equivalent standing.

AL4_ID_IPV#020               No stipulation

AL4_ID_IPV#030               Evidence checks – primary ID

Ensure that the presented document:

a)             appears to be a genuine document properly issued by the claimed issuing authority and valid at the time of application;

b)             bears a photographic image of the holder which matches that of the applicant;

c)              is electronically verified by a record check with the specified issuing authority or through similar databases that:

i)              establishes the existence of such records with matching name and reference numbers;

ii)            corroborates date of birth, current address of record, and other personal information sufficient to ensure a unique identity;

d)             provides all reasonable certainty, at AL4, that the identity exists and that it uniquely identifies the applicant.

AL4_ID_IPV#040               Evidence checks – secondary ID

Ensure that the presented document meets the following conditions:

a)         If it is secondary Government Picture ID:

i)              appears to be a genuine document properly issued by the claimed issuing authority and valid at the time of application;

ii)            bears a photographic image of the holder which matches that of the applicant;

iii)          states an address at which the applicant can be contacted.

b)         If it is a financial institution account number, is verified by a record check with the specified issuing authority or through similar databases that:

i)              establishes the existence of such records with matching name and reference numbers;

ii)            corroborates date of birth, current address of record, and other personal information sufficient to ensure a unique identity.

c)         If it is two utility bills or equivalent documents:

i)              each appears to be a genuine document properly issued by the claimed issuing authority;

ii)            corroborates current address of record or telephone number sufficient to ensure a unique identity.

AL4_ID_IPV#050               Applicant knowledge checks

Where the applicant is unable to satisfy any of the above requirements, ensure that the applicant can provide a unique identifier, such as a Social Security Number (SSN), that matches the claimed identity.

 

5.1.20.4      Remote Public Identity Verification

Not permitted

5.1.20.5      Affiliation Identity Verification

A specific service that offers identity proofing to applicants on the basis of some form of affiliation must comply with the criteria in this section to establish that affiliation, in addition to complying with the previously stated requirements for verifying the individual's identity.

The enterprise or specified service must:

AL4_ID_AFV#000             Meet preceding criteria

Meet all the criteria set out above, under §5.1.20.3, “In-Person Public Identity Verification”.

AL4_ID_AFV#010             Required evidence

Ensure that the applicant possesses:

a)              identification from the organization with which it is claiming affiliation;

b)             agreement from the organization that the applicant may be issued a credential indicating that an affiliation exists.

AL4_ID_AFV#020             Evidence checks

Have in place and apply processes which ensure that the presented documents:

a)              each appear to be a genuine document properly issued by the claimed issuing authorities and valid at the time of application;

b)             refer to an existing organization with a contact address;

c)              indicate that the applicant has some form of recognizable affiliation with the organization;

d)             appear to grant the applicant an entitlement to obtain a credential indicating an affiliation with the organization.

 

5.1.20.6      Secondary Identity Verification

In each of the above cases, the enterprise or specified service must also meet the following criteria:

AL4_ID_SCV#010              Secondary checks

Have in place additional measures (e.g., require additional documentary evidence, delay completion while out-of-band checks are undertaken) to deal with any anomalous circumstances that can reasonably be anticipated (e.g., a legitimate and recent change of address that has yet to be established as the address of record).

 

5.1.20.7      Identity Verification Records

The specific service must retain records of the identity proofing (verification) that it undertakes and provide them to qualifying parties when so required.

The enterprise or specified service must:

AL4_ID_VRC#010             Verification Records for Personal Applicants

Log, taking account of all applicable legislative and policy obligations, a record of the facts of the verification process and the identity of the registrar, including a reference relating to the verification processes and the date and time of verification issued by a trusted time-source.

Guidance: The facts of the verification process should include the specific record information (source, unique reference, value/content) used in establishing the applicant’s identity, and will be determined by the specific processes used and documents accepted by the CSP.  The CSP need not retain these records itself if it uses a third-party service which retains such records securely and to which the CSP has access when required, in which case it must retain a record of the identity of the third-party service providing the verification service or the location at which the (in-house) verification was performed.

AL4_ID_VRC#020             Verification Records for Affiliated Applicants

In addition to the foregoing, log, taking account of all applicable legislative and policy obligations, a record of the additional facts of the verification process.  At a minimum, records of identity information must include:

a)              the Subject’s[9] full name;

b)             the Subject’s current address of record;

c)              the Subject’s current telephone or email address of record;

d)             the Subscriber’s authorization for issuing the Subject a credential;

e)              type, issuing authority, and reference number(s) of all documents checked in the identity proofing process;

f)              a biometric record of each required representative of the affiliating organization (e.g., a photograph, fingerprint, voice recording), as determined by that organization’s governance rules/charter.

AL4_ID_VRC#030             Record Retention

Either retain, securely, the record of the verification/revocation process for the duration of the Subject account plus a further period sufficient to allow fulfillment of any period required legally, contractually or by any other form of binding agreement or obligation, or submit the record to a client CSP that has undertaken to retain the record for the requisite period or longer.

AL4_CM_IDP#040            Revision to Subscriber information

Provide a means for Subscribers and Subjects to securely amend their stored information after registration, either by re-proving their identity as in the initial registration process or by using their credentials to authenticate their revision.  Successful revision must, where necessary, instigate the re-issuance of the credential.

 

5.1.20.8      Credential Creation

These criteria define the requirements for creation of credentials whose highest use is AL4. 

Note, however, that a token and credential created according to these criteria may not necessarily provide that level of assurance for the claimed identity of the Subject.  Authentication can only be provided at the assurance level at which the identity is proven.

An enterprise and its specified service must:

AL4_CM_CRN#010           Authenticated Request

Only accept a request to generate a credential and bind it to an identity if the source of the request, i.e., Registration Authority, can be authenticated as being authorized to perform identity proofing at AL4.

AL4_CM_CRN#020           Unique identity

Ensure that the identity which relates to a specific applicant is unique within the specified service, including identities previously used and that are now cancelled, other than its re-assignment to the same applicant.

Guidance: This requirement is intended to prevent identities that may exist in a Relying Party’s access control lists from possibly representing a different physical person.

AL4_CM_CRN#030           Credential uniqueness

Allow the Subject to select a credential (e.g., UserID) that is verified to be unique within the specified service’s community and assigned uniquely to a single identity Subject.

AL4_CM_CRN#035           Convey credential

Be capable of conveying the unique identity information associated with a credential to Verifiers and Relying Parties.

AL4_CM_CRN#040           PIN/Password strength

Not use PIN/password tokens.

AL4_CM_CRN#050  One-time password strength

Not use one-time password tokens.

AL4_CM_CRN#060           Software cryptographic token strength

Not use software cryptographic tokens.

AL4_CM_CRN#070           Hardware token strength

Ensure that hardware tokens used to store cryptographic keys:

a)              employ a cryptographic module that is validated against FIPS 140-2 [FIPS140-2] Level 2 or higher, or equivalent, as determined by a recognized national technical authority;

b)             are evaluated against FIPS 140-2 Level 3 or higher, or equivalent, as determined by a recognized national technical authority, for their physical security;

c)              require password or biometric activation by the Subject [omitted].

AL4_CM_CRN#080           Binding of key

If the specified service generates the Subject’s key pair, ensure that the key generation process securely and uniquely binds that process to the certificate generation and maintains at all times the secrecy of the private key, until it is accepted by the Subject.

AL4_CM_CRN#090           Nature of Subject

Record the nature of the Subject of the credential [omitted], i.e., private person, a named person acting on behalf of a corporation or other legal entity, corporation or legal entity, or corporate machine entity, in a manner that can be unequivocally associated with the credential and the identity that it asserts.

 

5.1.20.9      Subject Key Pair Generation

An enterprise and its specified service must:

AL4_CM_SKP#010            Key generation by Specified Service

If the specified service generates the Subject’s keys:

a)              use a FIPS 140-2 [FIPS140-2] compliant algorithm, or equivalent, as established by a recognized national technical authority, that is recognized as being fit for the purposes of the service;

b)             only create keys of a key length and for use with a FIPS 140-2 [FIPS140-2] compliant public key algorithm, or equivalent, as established by a recognized national technical authority, recognized as being fit for the purposes of the service;

c)              generate and store the keys securely until delivery to and acceptance by the Subject;

d)             deliver the Subject’s private key in a manner that ensures that the privacy of the key is not compromised and only the Subject has access to the private key.

AL4_CM_SKP#020            Key generation by Subject

If the Subject generates and presents its own keys, obtain the Subject’s written confirmation that it has:

a)              used a FIPS 140-2 [FIPS140-2] compliant algorithm, or equivalent, as established by a recognized national technical authority, that is recognized as being fit for the purposes of the service;

b)             created keys of a key length and for use with a FIPS 140-2 [FIPS140-2] compliant public key algorithm, or equivalent, as established by a recognized national technical authority, recognized as being fit for the purposes of the service.

 

5.1.20.10   Credential Delivery

An enterprise and its specified service must:

AL4_CM_CRD#010           Notify Subject of Credential Issuance

Notify the Subject of the credential’s issuance and, if necessary, confirm Subject’s contact information by:

a)             sending notice to the address of record confirmed during identity proofing;

b)             unless the Subject presented its own private key, issuing the hardware token to the Subject in a manner that confirms the address of record supplied by the applicant during identity proofing;

c)              issuing the certificate to the Subject over a separate channel in a manner that confirms either the address of record or the email address supplied by the applicant during identity proofing.

AL4_CM_CRD#020           Subject’s acknowledgement

Receive acknowledgement of receipt of the hardware token before it is activated and the corresponding certificate and its directory status record are published (and thereby the subscription becomes active or re-activated, depending upon the circumstances of issue).

 

5.1.21 Part C  -  Credential Renewal and Re-issuing

These criteria apply to the renewal and re-issuing of credentials.  They address requirements levied by the use of various technologies to achieve Assurance Level 4.

5.1.21.1      Renewal/Re-issuance Procedures

These criteria address general renewal and re-issuance functions, to be exercised as specific controls in these circumstances while continuing to observe the general requirements established for initial credential issuance.

An enterprise and its specified service must:

AL4_CM_RNR#010           Changeable PIN/Password

Permit Subjects to change the passwords used to activate their credentials.

 

Further criteria may be determined after AL4 comparability assessment against Federal CAF and NIST SP 800-63 is performed.

 

5.1.22 Part D  -  Credential Revocation

These criteria deal with credential revocation and the determination of the legitimacy of a revocation request.

5.1.22.1      Revocation Procedures

These criteria address general revocation functions, such as the processes involved and the basic requirements for publication.

An enterprise and its specified service must:

AL4_CM_RVP#010           Revocation procedures

a)              State the conditions under which revocation of an issued certificate may occur;

b)             State the processes by which a revocation request may be submitted;

c)              State the persons and organizations from which a revocation request will be accepted;

d)             State the validation steps that will be applied to ensure the validity (identity) of the Revocant, and;

e)              State the response time between a revocation request being accepted and the publication of revised certificate status.

AL4_CM_RVP#020           Secure status notification

Ensure that published credential status notification information can be relied upon in terms of the enterprise of its origin (i.e., its authenticity) and its correctness (i.e., its integrity).

AL4_CM_RVP#030           Revocation publication

Ensure that published credential status notification is revised within 18 hours of the receipt of a valid revocation request, such that any subsequent attempts to use that credential in an authentication shall be unsuccessful.  The nature of the revocation mechanism shall be in accordance with the technologies supported by the service.

AL4_CM_RVP#040           No stipulation

AL4_CM_RVP#050           Revocation Records

Retain a record of any revocation of a credential that is related to a specific identity previously verified, solely in connection to the stated credential.  At a minimum, records of revocation must include:

a)              the Revocant’s full name;

b)             the Revocant’s authority to revoke (e.g., Subscriber or Subject themselves, someone acting with the Subscriber's or Subject’s power of attorney, the credential issuer, law enforcement, or other legal due process);

c)              the Credential Issuer’s identity (if not directly responsible for the identity proofing service);

d)             the identity associated with the credential (whether the Subject’s name or a pseudonym);

e)              the reason for revocation.

AL4_CM_RVP#060           Record Retention

Retain, securely, the record of the revocation process for a period which is in compliance with:

a)              the records retention policy required by AL2_CM_CPP#010, and;

b)             applicable legislation;

and which, in addition, must be not less than the duration of the Subscriber’s account plus 7.5 years.

 

5.1.22.2      Verify Revocant’s Identity

Revocation of a credential requires that the requestor and the nature of the request be verified as rigorously as the original identity proofing.  The enterprise should not act on a request for revocation without first establishing the validity of the request (if it does not, itself, determine the need for revocation).

In order to do so, the enterprise and its specified service must:

AL4_CM_RVR#010           Verify revocation identity

Establish that the credential for which a revocation request is received is one that was initially issued by the specified service, applying the same process and criteria as would apply to an original identity proofing.

AL4_CM_RVR#020           Revocation reason

Establish the reason for the revocation request as being sound and well founded, in combination with verification of the Revocant, according to AL4_CM_RVR#030, AL4_CM_RVR#040, or AL4_CM_RVR#050.

AL4_CM_RVR#030           Verify Subscriber as Revocant

Where the Subscriber or Subject seeks revocation of the Subject’s credential:

a)              if in person, require presentation of a primary Government Picture ID document that shall be [Omitted] verified by a record check against the provided identity with the specified issuing authority’s records;

b)             if remote:

  1. verify a signature against records (if available), confirmed with a call to a telephone number of record, or;
  2. as an electronic request, authenticate it as being from the same Subscriber or Subject, supported by a different credential at Assurance Level 4.

AL4_CM_RVR#040           Verify CSP as Revocant

Where a CSP seeks revocation of a Subject's credential, establish that the request is either:

a)              from the specified service itself, with authorization as determined by established procedures, or;

b)             from the client Credential Issuer, by authentication of a formalized request over the established secure communications network.

AL4_CM_RVR#050           Verify Legal Representative as Revocant

Where the request for revocation is made by a law enforcement officer or presentation of a legal document:

a)              if in-person, verify the identity of the person presenting the request, or;

b)             if remote:

  1. in paper/facsimile form, verify the origin of the legal document by a database check or by telephone with the issuing authority;
  2. as an electronic request, authenticate it as being from a recognized legal office, supported by a different credential at Assurance Level 4.

5.1.22.3      Re-keying a credential

Re-keying of a credential requires that the requestor be verified as the Subject with as much rigor as was applied to the original identity proofing.  The enterprise should not act on a request for re-key without first establishing that the requestor is identical to the Subject.

In order to do so, the enterprise and its specified service must:

AL4_CM_RKY#010           Verify Requestor as Subscriber

Where the Subject seeks a re-key for the Subject’s own credential:

a)             if in-person, require presentation of a primary Government Picture ID document that shall be verified by a record check against the provided identity with the specified issuing authority’s records;

b)             if remote:

  1. verify a signature against records (if available), confirmed with a call to a telephone number of record, or;
  2. authenticate an electronic request as being from the same Subject, supported by a different credential at Assurance Level 4.

 

AL4_CM_RKY#020           Re-key requests other than Subject

Re-key requests from any parties other than the Subject must not be accepted.

5.1.22.4      Secure Revocation/Re-key Request

This criterion applies when revocation or re-key requests must be communicated between remote components of the service organization.

The enterprise and its specified service must:

AL4_CM_SRR#010            Submit Request

Submit a request for the revocation to the Credential Issuer service (function), using a secured network communication.

 

5.1.23 Part E  -  Credential Status Management

These criteria deal with credential status management, such as the receipt of requests for new status information arising from a new credential being issued or a revocation or other change to the credential that requires notification.  They also deal with the provision of status information to requesting parties (Verifiers, Relying Parties, courts and others having regulatory authority, etc.) having the right to access such information.

5.1.23.1      Status Maintenance

An enterprise and its specified service must:

AL4_CM_CSM#010          Maintain Status Record

Maintain a record of the status of all credentials issued.

AL4_CM_CSM#020  Validation of Status Change Requests

Authenticate all requestors seeking to have a change of status recorded and published and validate the requested change before considering processing the request.  Such validation should include:

a) the requesting source as one from which the specified service expects to receive such requests;

b) if the request is not for a new status, the credential or identity as being one for which a status is already held.

AL4_CM_CSM#030  Revision to Published Status

Process authenticated requests for revised status information and have the revised information available for access within a period of 72 hours.

AL4_CM_CSM#040  Status Information Availability

Provide, with 99% availability, a secure automated mechanism to allow relying parties to determine credential status and authenticate the Claimant's identity.

AL4_CM_CSM#050  Inactive Credentials

Disable any credential that has not been successfully used for authentication during a period of 18 months.

5.1.24 Part F - Credential Validation/Authentication

These criteria apply to credential validation and identity authentication.

5.1.24.1 Assertion Security

An enterprise and its specified service must:

AL4_CM_ASS#010  Validation and Assertion Security

Provide validation of credentials to a Relying Party using a protocol that:

a) requires authentication of the specified service, itself, or of the validation source;

b) ensures the integrity of the authentication assertion.

AL4_CM_ASS#015  No False Authentication

Employ techniques which ensure that system failures do not result in ‘false positive authentication’ errors.

AL4_CM_ASS#020  Post Authentication

Not authenticate credentials that have been revoked unless the time of the transaction for which verification is sought precedes the time of revocation of the credential.

AL4_CM_ASS#030  Proof of Possession

Use an authentication protocol that requires the claimant to prove possession and control of the authentication token.

AL4_CM_ASS#040  Assertion Life-time

[Omitted] Notify the relying party of how often the revocation status sources are updated.
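The Part E status-management criteria (CSM#020, CSM#050) and the Part F validation criteria (ASS#015, ASS#020) above, expressed as executable policy checks that an implementer or assessor could run against sample data. This is an added example, not code from the IAF or from Kantara; the Credential record, the StatusService class, the expected-source list and the sample credentials are all constructed assumptions.

```python
# Added example, not code from the Kantara IAF-1400 text: the Credential record,
# StatusService and the sample data below are constructed for illustration.
import calendar
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

def utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def months_before(dt, months):
    """Shift dt back by a whole number of calendar months (clamping the day)."""
    m = dt.month - months
    y = dt.year + (m - 1) // 12
    m = (m - 1) % 12 + 1
    return dt.replace(year=y, month=m, day=min(dt.day, calendar.monthrange(y, m)[1]))

@dataclass
class Credential:
    cred_id: str
    issued_at: datetime
    last_auth_at: Optional[datetime] = None  # last successful authentication
    revoked_at: Optional[datetime] = None
    disabled: bool = False

class StatusService:
    def __init__(self, creds, expected_sources, status_store_up=True):
        self._creds = {c.cred_id: c for c in creds}
        self._expected_sources = set(expected_sources)
        self.status_store_up = status_store_up  # False simulates a store outage

    # AL4_CM_CSM#020: authenticate the requestor, then validate the request
    def validate_status_change(self, authenticated, source, cred_id, new_status):
        if not authenticated:
            return (False, "requestor not authenticated")
        if source not in self._expected_sources:  # CSM#020 (a)
            return (False, "source not expected to send status requests")
        if new_status != "new" and cred_id not in self._creds:  # CSM#020 (b)
            return (False, "no status held for this credential")
        return (True, "request accepted for processing")

    # AL4_CM_ASS#015 and ASS#020: fail closed, and honour the revocation time
    def validate_for_transaction(self, cred_id, transaction_time):
        try:
            if not self.status_store_up:
                raise RuntimeError("status store unavailable")
            cred = self._creds[cred_id]  # KeyError for an unknown credential
        except Exception:  # outage or unknown credential: never a false positive
            return False
        if cred.disabled:
            return False
        if cred.revoked_at is not None and transaction_time >= cred.revoked_at:
            return False  # ASS#020: only transactions preceding revocation pass
        return True

    # AL4_CM_CSM#050: disable credentials not used for authentication in 18 months
    def disable_inactive(self, now):
        cutoff = months_before(now, 18)
        stale = [c for c in self._creds.values()
                 if not c.disabled and (c.last_auth_at or c.issued_at) < cutoff]
        for c in stale:
            c.disabled = True
        return sorted(c.cred_id for c in stale)

def sample_service(status_store_up=True):
    """Constructed sample: an active, a revoked and a long-unused credential."""
    creds = [Credential("C-1", utc("2011-01-10"), last_auth_at=utc("2012-06-01")),
             Credential("C-2", utc("2011-01-10"), utc("2012-06-01"), utc("2012-07-15")),
             Credential("C-3", utc("2010-01-10"), last_auth_at=utc("2010-11-30"))]
    return StatusService(creds, {"ra.example"}, status_store_up)
```

Note that a simulated store outage and an unknown credential both yield a negative result rather than an exception, which is the fail-closed behaviour ASS#015 asks for.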

 


Compliance Tables

Use the following tables to correlate criteria for a particular Assurance Level (AL) and the evidence offered to support compliance.

Service providers preparing for an assessment can use the table appropriate to the AL at which they are seeking certification to correlate evidence with criteria or to justify non-applicability (e.g., "specific service types not offered").

Assessors can use the tables to record the steps in their assessment and their determination of compliance or failure.

Table 3-5.  OP-SAC - AL1 Compliance

Clause | Description | Compliance

Part A – Credential Operating Environment
AL1_CM_CTR#010 | No stipulation | No compliance requirement
AL1_CM_CTR#020 | Protocol threat risk assessment and controls |
AL1_CM_CTR#025 | No stipulation | No compliance requirement
AL1_CM_CTR#030 | System threat risk assessment and controls |
AL1_CM_STS#010 | Withdrawn | No compliance requirement
AL1_CM_OPN#010 | Changeable PIN/Password |

Part B – Credential Issuing
AL1_CM_IDP#010 | Withdrawn | No compliance requirement
AL1_CM_IDP#020 | Withdrawn | No compliance requirement
AL1_CM_IDP#030 | Withdrawn | No compliance requirement
AL1_ID_POL#010 | Unique service identity |
AL1_ID_POL#020 | Unique Subject identity |
AL1_ID_IPV#010 | Required evidence |
AL1_ID_IPV#020 | Evidence checks |
AL1_ID_RPV#010 | Required evidence |
AL1_ID_RPV#020 | Evidence checks |
AL1_ID_SCV#010 | Secondary checks |
AL1_CM_IDP#040 | Revision to Subscriber information |
AL1_CM_CRN#010 | Authenticated Request |
AL1_CM_CRN#020 | No stipulation | No compliance requirement
AL1_CM_CRN#030 | Credential uniqueness |

Part C – Credential Renewal and Re-issuing
AL1_CM_RNR#010 | Changeable PIN/Password |

Part D – Credential Revocation
AL1_CM_SRR#010 | Submit Request |

Part E – Credential Status Management
AL1_CM_CSM#010 | Maintain Status Record |
AL1_CM_CSM#020 | No stipulation | No compliance requirement
AL1_CM_CSM#030 | No stipulation | No compliance requirement
AL1_CM_CSM#040 | Status Information Availability |

Part F – Credential Validation / Authentication
AL1_CM_ASS#010 | Validation and Assertion Security |
AL1_CM_ASS#015 | No stipulation | No compliance requirement
AL1_CM_ASS#020 | No Post Authentication |
AL1_CM_ASS#030 | Proof of Possession |
AL1_CM_ASS#040 | Assertion Lifetime |

Table 3-6.  OP-SAC - AL2 Compliance

Clause | Description | Compliance

Part A – Credential Operating Environment
AL2_CM_CPP#010 | Credential Policy and Practice Statement |
AL2_CM_CPP#020 | No stipulation | No compliance requirement
AL2_CM_CPP#030 | Management Authority |
AL2_CM_CTR#010 | Withdrawn | No compliance requirement
AL2_CM_CTR#020 | Protocol threat risk assessment and controls |
AL2_CM_CTR#025 | Permitted authentication protocols |
AL2_CM_CTR#028 | One-time passwords |
AL2_CM_CTR#030 | System threat risk assessment and controls |
AL2_CM_CTR#040 | Specified Service's Key Management |
AL2_CM_STS#010 | Withdrawn | No compliance requirement
AL2_CM_OPN#010 | Withdrawn | No compliance requirement

Part B – Credential Issuing
AL2_CM_IDP#010 | Withdrawn | No compliance requirement
AL2_CM_IDP#020 | Withdrawn | No compliance requirement
AL2_CM_IDP#030 | Withdrawn | No compliance requirement
AL2_ID_POL#010 | Unique service identity |
AL2_ID_POL#020 | Unique Subject identity |
AL2_ID_POL#030 | Published Proofing Policy |
AL2_ID_POL#040 | Adherence to Proofing Policy |
AL2_ID_IDV#000 | Identity Proofing classes |
AL2_ID_IPV#010 | Required evidence |
AL2_ID_IPV#020 | Evidence checks |
AL2_ID_RPV#010 | Required evidence |
AL2_ID_RPV#020 | Evidence checks |
AL2_ID_CRV#010 | Required evidence |
AL2_ID_CRV#020 | Evidence checks |
AL2_ID_AFV#000 | Meet preceding criteria |
AL2_ID_AFV#010 | Required evidence |
AL2_ID_AFV#020 | Evidence checks |
AL2_ID_SCV#010 | Secondary checks |
AL2_ID_VRC#010 | Verification Records for Personal Applicants |
AL2_ID_VRC#020 | Verification Records for Affiliated Applicants |
AL2_ID_VRC#030 | Record Retention |
AL2_CM_IDP#040 | Revision to Subscriber information |
AL2_CM_CRN#010 | Authenticated Request |
AL2_CM_CRN#020 | Unique identity |
AL2_CM_CRN#030 | Credential uniqueness |
AL2_CM_CRN#035 | Convey credential |
AL2_CM_CRN#040 | Password strength |
AL2_CM_CRN#050 | One-time password strength |
AL2_CM_CRN#060 | Software cryptographic token strength |
AL2_CM_CRN#070 | Hardware token strength |
AL2_CM_CRN#080 | No stipulation | No compliance requirement
AL2_CM_CRN#090 | Nature of Subject |
AL2_CM_CRD#010 | Notify Subject of Credential Issuance |
AL2_CM_CRD#015 | Confirm Applicant’s identity (in person) |
AL2_CM_CRD#016 | Confirm Applicant’s identity (remotely) |

Part C – Credential Renewal and Re-issuing
AL2_CM_RNR#010 | Changeable PIN/Password |
AL2_CM_RNR#020 | Proof-of-possession on Renewal/Re-issuance |
AL2_CM_RNR#030 | Renewal/Re-issuance limitations |

Part D – Credential Revocation
AL2_CM_RVP#010 | Revocation procedures |
AL2_CM_RVP#020 | Secure status notification |
AL2_CM_RVP#030 | Revocation publication |
AL2_CM_RVP#040 | Verify revocation identity |
AL2_CM_RVP#050 | Revocation Records |
AL2_CM_RVP#060 | Record Retention |
AL2_CM_RVR#010 | Verify revocation identity |
AL2_CM_RVR#020 | Revocation reason |
AL2_CM_RVR#030 | Verify Subscriber as Revocant |
AL2_CM_RVR#040 | CSP as Revocant |
AL2_CM_RVR#050 | Verify Legal Representative as Revocant |
AL2_CM_SRR#010 | Submit Request |

Part E – Credential Status Management
AL2_CM_CSM#010 | Maintain Status Record |
AL2_CM_CSM#020 | Validation of Status Change Requests |
AL2_CM_CSM#030 | Revision to Published Status |
AL2_CM_CSM#040 | Status Information Availability |
AL2_CM_CSM#050 | Inactive Credentials |

Part F – Credential Validation / Authentication
AL2_CM_ASS#010 | Validation and Assertion Security |
AL2_CM_ASS#015 | No False Authentication |
AL2_CM_ASS#020 | No Post Authentication |
AL2_CM_ASS#030 | Proof of Possession |
AL2_CM_ASS#040 | Assertion Lifetime |

Table 3-7.  OP-SAC - AL3 Compliance

Clause | Description | Compliance

Part A – Credential Operating Environment
AL3_CM_CPP#010 | Credential Policy and Practice Statement |
AL3_CM_CPP#020 | No stipulation | No compliance requirement
AL3_CM_CPP#030 | Management Authority |
AL3_CM_CTR#010 | No stipulation | No compliance requirement
AL3_CM_CTR#020 | Protocol threat risk assessment and controls |
AL3_CM_CTR#025 | Permitted authentication protocols |
AL3_CM_CTR#030 | System threat risk assessment and controls |
AL3_CM_CTR#040 | Specified Service's Key Management |
AL3_CM_STS#010 | Withdrawn | No compliance requirement
AL3_CM_STS#020 | Stored Secret Encryption |
AL3_CM_SER#010 | Security event logs |
AL3_CM_OPN#010 | Changeable PIN/Password |

Part B – Credential Issuing
AL3_CM_IDP#010 | Withdrawn | No compliance requirement
AL3_CM_IDP#020 | Withdrawn | No compliance requirement
AL3_CM_IDP#030 | Withdrawn | No compliance requirement
AL3_ID_POL#010 | Unique service identity |
AL3_ID_POL#020 | Unique Subject identity |
AL3_ID_POL#030 | Published Proofing Policy |
AL3_ID_POL#040 | Adherence to Proofing Policy |
AL3_ID_IDV#000 | Identity Proofing classes |
AL3_ID_IPV#010 | Required evidence |
AL3_ID_IPV#020 | Evidence checks |
AL3_ID_RPV#010 | Required evidence |
AL3_ID_RPV#020 | Evidence checks |
AL3_ID_AFV#000 | Meet preceding criteria |
AL3_ID_AFV#010 | Required evidence |
AL3_ID_AFV#020 | Evidence checks |
AL3_ID_SCV#010 | Secondary checks |
AL3_ID_VRC#010 | Verification Records for Personal Applicants |
AL3_ID_VRC#020 | Verification Records for Affiliated Applicants |
AL3_ID_VRC#030 | Record Retention |
AL3_CM_IDP#040 | Revision to Subscriber information |
AL3_CM_CRN#010 | Authenticated Request |
AL3_CM_CRN#020 | Unique identity |
AL3_CM_CRN#030 | Credential uniqueness |
AL3_CM_CRN#035 | Convey credential |
AL3_CM_CRN#040 | PIN/Password strength |
AL3_CM_CRN#050 | One-time password strength |
AL3_CM_CRN#060 | Software cryptographic token strength |
AL3_CM_CRN#070 | Hardware token strength |
AL3_CM_CRN#080 | Binding of key |
AL3_CM_CRN#090 | Nature of Subject |
AL3_CM_SKP#010 | Key generation by Specified Service |
AL3_CM_SKP#020 | Key generation by Subject |
AL3_CM_CRD#010 | Notify Subject of Credential Issuance |
AL3_CM_CRD#020 | Subject's acknowledgement |

Part C – Credential Renewal and Re-issuing
AL3_CM_RNR#010 | Changeable PIN/Password |

Part D – Credential Revocation
AL3_CM_RVP#010 | Revocation procedures |
AL3_CM_RVP#020 | Secure status notification |
AL3_CM_RVP#030 | Revocation publication |
AL3_CM_RVP#040 | Verify Revocation Identity |
AL3_CM_RVP#050 | Revocation Records |
AL3_CM_RVP#060 | Record Retention |
AL3_CM_RVR#010 | Verify revocation identity |
AL3_CM_RVR#020 | Revocation reason |
AL3_CM_RVR#030 | Verify Subscriber as Revocant |
AL3_CM_RVR#040 | Verify CSP as Revocant |
AL3_CM_RVR#050 | Verify Legal Representative as Revocant |
AL3_CM_SRR#010 | Submit Request |

Part E – Credential Status Management
AL3_CM_CSM#010 | Maintain Status Record |
AL3_CM_CSM#020 | Validation of Status Change Requests |
AL3_CM_CSM#030 | Revision to Published Status |
AL3_CM_CSM#040 | Status Information Availability |
AL3_CM_CSM#050 | Inactive Credentials |

Part F – Credential Validation / Authentication
AL3_CM_ASS#010 | Validation and Assertion Security |
AL3_CM_ASS#015 | No False Authentication |
AL3_CM_ASS#020 | Post Authentication |
AL3_CM_ASS#030 | Proof of Possession |
AL3_CM_ASS#040 | Assertion Lifetime |

Table 3-8.  OP-SAC - AL4 Compliance

Clause | Description | Compliance

Part A – Credential Operating Environment
AL4_CM_CPP#010 | No stipulation | No compliance requirement
AL4_CM_CPP#020 | Certificate Policy/Certification Practice Statement |
AL4_CM_CPP#030 | Management Authority |
AL4_CM_CTR#010 | No stipulation | No compliance requirement
AL4_CM_CTR#020 | Protocol threat risk assessment and controls |
AL4_CM_CTR#025 | No stipulation | No compliance requirement
AL4_CM_CTR#030 | System threat risk assessment and controls |
AL4_CM_CTR#040 | Specified Service’s Key Management |
AL4_CM_STS#010 | Stored Secrets |
AL4_CM_STS#020 | Stored Secret Encryption |
AL4_CM_SER#010 | Security event logs |
AL4_CM_OPN#010 | Withdrawn | No compliance requirement

Part B – Credential Issuing
AL4_CM_IDP#010 | Withdrawn | No compliance requirement
AL4_CM_IDP#020 | Withdrawn | No compliance requirement
AL4_CM_IDP#030 | Withdrawn | No compliance requirement
AL4_ID_POL#010 | Unique service identity |
AL4_ID_POL#020 | Unique Subject identity |
AL4_ID_POL#030 | Published Proofing Policy |
AL4_ID_POL#040 | Adherence to Proofing Policy |
AL3_ID_IDV#000 | Identity Proofing classes |
AL4_ID_IPV#010 | Required evidence |
AL4_ID_IPV#020 | No stipulation | No compliance requirement
AL4_ID_IPV#030 | Evidence checks – primary ID |
AL4_ID_IPV#040 | Evidence checks – secondary ID |
AL4_ID_IPV#050 | Applicant knowledge checks |
AL4_ID_AFV#000 | Meet preceding criteria |
AL4_ID_AFV#010 | Required evidence |
AL4_ID_AFV#020 | Evidence checks |
AL4_ID_SCV#010 | Secondary checks |
AL4_ID_VRC#010 | Verification Records for Personal Applicants |
AL4_ID_VRC#020 | Verification Records for Affiliated Applicants |
AL4_ID_VRC#030 | Record Retention |
AL4_CM_IDP#040 | Revision to Subscriber information |
AL4_CM_CRN#010 | Authenticated Request |
AL4_CM_CRN#020 | Unique identity |
AL4_CM_CRN#030 | Credential uniqueness |
AL4_CM_CRN#035 | Convey credential |
AL4_CM_CRN#040 | PIN/Password strength |
AL4_CM_CRN#050 | One-time password strength |
AL4_CM_CRN#060 | Software cryptographic token strength |
AL4_CM_CRN#070 | Hardware token strength |
AL4_CM_CRN#080 | Binding of key |
AL4_CM_CRN#090 | Nature of Subject |
AL4_CM_SKP#010 | Key generation by Specified Service |
AL4_CM_SKP#020 | Key generation by Subject |
AL4_CM_CRD#010 | Notify Subject of Credential Issuance |
AL4_CM_CRD#020 | Subject’s acknowledgement |

Part C – Credential Renewal and Re-issuing
AL4_CM_RNR#010 | Changeable PIN/Password |

Part D – Credential Revocation
AL4_CM_RVP#010 | Revocation procedures |
AL4_CM_RVP#020 | Secure status notification |
AL4_CM_RVP#030 | Revocation publication |
AL4_CM_RVP#040 | No stipulation | No compliance requirement
AL4_CM_RVP#050 | Revocation Records |
AL4_CM_RVP#060 | Record Retention |
AL4_CM_RVR#010 | Verify revocation identity |
AL4_CM_RVR#020 | Revocation reason |
AL4_CM_RVR#030 | Verify Subscriber as Revocant |
AL4_CM_RVR#040 | Verify CSP as Revocant |
AL4_CM_RVR#050 | Verify Legal Representative as Revocant |
AL4_CM_RKY#010 | Verify Requestor as Subscriber |
AL4_CM_RKY#020 | Re-key requests other than Subject |
AL4_CM_SRR#010 | Submit Request |

Part E – Credential Status Management
AL4_CM_CSM#010 | Maintain Status Record |
AL4_CM_CSM#020 | Validation of Status Change Requests |
AL4_CM_CSM#030 | Revision to Published Status |
AL4_CM_CSM#040 | Status Information Availability |
AL4_CM_CSM#050 | Inactive Credentials |

Part F – Credential Validation / Authentication
AL4_CM_ASS#010 | Validation and Assertion Security |
AL4_CM_ASS#015 | No False Authentication |
AL4_CM_ASS#020 | Post Authentication |
AL4_CM_ASS#030 | Proof of Possession |
AL4_CM_ASS#040 | Assertion Lifetime |

6 REFERENCES

[CAF]  Louden, Chris; Spencer, Judy; Burr, Bill; Hawkins, Kevin; Temoshok, David; Cornell, John; Wilsher, Richard G.; Timchak, Steve; Sill, Stephen; Silver, Dave; Harrison, Von; eds., "E-Authentication Credential Assessment Framework (CAF)," E-Authentication Initiative, Version 2.0.0 (March 16, 2005). http://www.cio.gov/eauthentication/documents/CAF.pdf

[EAP CSAC 04011]  "EAP working paper: Identity Proofing Service Assessment Criteria (ID-SAC)," Electronic Authentication Partnership, Draft 0.1.3 (July 20, 2004). http://eap.projectliberty.org/docs/Jul2004/EAP_CSAC_04011_0-1-3_ID-SAC.doc

[EAPTrustFramework]  "Electronic Authentication Partnership Trust Framework," Electronic Authentication Partnership, Version 1.0 (January 6, 2005). http://eap.projectliberty.org/docs/Trust_Framework_010605_final.pdf

[FIPS140-2]  "Security Requirements for Cryptographic Modules," Federal Information Processing Standards (May 25, 2001). http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

[IS27001]  ISO/IEC 27001:2005, "Information technology - Security techniques - Requirements for information security management systems," International Organization for Standardization. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103

[M-04-04]  Bolton, Joshua B., ed., "E-Authentication Guidance for Federal Agencies," Office of Management and Budget (December 16, 2003). http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf

[NIST800-63]  Burr, William E.; Dodson, Donna F.; Polk, W. Timothy; eds., "Electronic Authentication Guideline: Recommendations of the National Institute of Standards and Technology," Version 1.0.2, National Institute of Standards and Technology (April 2006). http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

[RFC 3647]  Chokhani, S.; Ford, W.; Sabett, R.; Merrill, C.; Wu, S.; eds., "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework," The Internet Engineering Task Force (November 2003). http://www.ietf.org/rfc/rfc3647.txt


Revision History

  1. 8 May 2008 – Identity Assurance Framework Version 1.0 Initial Draft
     1. Released by Liberty Alliance
     2. Revision and scoping of Initial Draft release
  2. 23 June 2008 – Identity Assurance Framework Version 1.1 Final Draft
     1. Released by Liberty Alliance
     2. Inclusion of comments to Final Draft
  3. 1 October 2009 – Identity Assurance Framework Version 1.1 Final Draft
     1. Documents contributed to Kantara Initiative by Liberty Alliance
  4. X April 2010 – Identity Assurance Framework Version 2.0
     1. Released by Kantara Initiative
     2. Significant scope build
     3. Original all-inclusive Identity Assurance Framework document broken into a set of documents with specific focus:
        i.   Kantara IAF-1000-Overview
        ii.  Kantara IAF-1100-Glossary
        iii. Kantara IAF-1200-Levels of Assurance
        iv.  Kantara IAF-1300-Assurance Assessment Scheme
        v.   Kantara IAF-1400-Service Assessment Criteria
        vi.  Kantara IAF-1600-Assessor Qualifications and Requirements

 


 

7 SAC v2.0 to SAC v3.0 CRITERIA MAPPING

The diagram below illustrates how the components of the ID-SAC and Parts A – F of the CO-SAC, i.e. the structure of SAC v2.0, have been transformed into the structure of SAC v3.0, which has only the two SAC classifications and, within each, orders all criteria as contiguous sets for each Assurance Level.

 



[1] For an identity proofing service that is within the management scope of a credential management service provider, this should be the credential management service’s definitive policy; for a stand-alone identity proofing service, the policy may be either that of a client who has imposed one through contract, the ID service’s own policy, or a separate policy that explains how the client’s policies will be complied with.

[2] Refer to NIST SP 800-63 “Appendix A: Estimating Entropy and Strength” or similar recognized sources of such information.

[3] Refer to NIST SP 800-63 “Appendix A: Estimating Entropy and Strength” or similar recognized sources of such information.

[4] At this stage, the Subject is the entity acting in the role of Applicant, in anticipation of being issued a credential in which they shall be identified as the ‘Subject’ of that credential.

[5] Refer to NIST SP 800-63 “Appendix A: Estimating Entropy and Strength” or similar recognized sources of such information.

[6] For an identity proofing service that is within the management scope of a Credential Management service provider, this should be the Credential Management service’s definitive policy; for a stand-alone identity proofing service, the policy may be either that of a client who has defined one through contract, the ID service’s own policy or a separate policy that explains how the client’s policies will be complied with.

[7] At this stage, the Subject is the entity acting in the role of Applicant, in anticipation of being issued a credential in which they shall be identified as the ‘Subject’ of that credential.

[8] For an identity proofing service that is within the management scope of a credential management service provider, this should be the credential management service’s definitive policy; for a stand-alone identity proofing service, the policy may be either that of a client which has defined one through contract, the ID service’s own policy or a separate policy that explains how the client’s policies will be complied with.

[9] At this stage, the Subject is the entity acting in the role of Applicant, in anticipation of being issued a credential in which they shall be identified as the ‘Subject’ of that credential.

[FR1] Repeats the above

[FR2] Same

[FR3] Repetitive

[FR4] See above FR4

[FR5] Something seems to be missing here.  What roles?

[FR6] Has anyone reviewed these?  I need to change all AL3 to AL4

[FR7] There are no requirements such as this in NIST SP 800-63-1 or FICAM

[FR8] See above

[FR9] See above

[FR10] See above

[FR11] See above

[FR12] Is Kantara going to start working with PKI?  OIDs?

[FR13] Does this equate to antecedent I&A?

[FR14] How is this defined?

[FR15] This requirement should apply for all types of verification at LoA2-4

[FR16] NIST requirement is seven and one-half years after expiration or revocation

[FR17] This implies that revocation requests be performed in person which is definitely NOT the case.

[FR18] Can this be cited anywhere in ANY federal document?