The National Strategy for Trusted Identities in Cyberspace (NSTIC) describes a vision of the future – an Identity Ecosystem – where individuals, businesses and other organizations enjoy greater trust and security as they conduct sensitive transactions online. The Identity Ecosystem is a user-centric online environment – a set of technologies, policies and agreed-upon standards that securely supports transactions ranging from anonymous to fully-authenticated and from low to high value.
Key attributes of the Identity Ecosystem include privacy, convenience, efficiency, ease-of-use, security, confidence, innovation and choice.
Components of the Identity Ecosystem
The Identity Ecosystem consists of different online communities that use interoperable technology, processes and policies. These will be developed over time – but always with a strong baseline commitment to privacy, ease of use, interoperability and security.
- The Identity Ecosystem Framework (IDEF) is the overarching set of interoperability standards, risk models, privacy and liability policies, requirements and accountability mechanisms that structure the Identity Ecosystem.
- The IDEF Self-Assessment Listing Service (SALS) is designed to build trust online. The SALS is a single web presence where online identity service providers and owners or operators of applications that authenticate identity credentials can report their status through self-assessment against a set of common standards for reliable security, privacy, ease of use, cost savings, and user choice, and declare their commitment to operate in accordance with the Identity Ecosystem Baseline Requirements.
- The Identity Ecosystem Steering Group (IDESG) administers the development of policy, standards and accreditation processes for the IDEF in accordance with the Guiding Principles in the Strategy. The IDESG also ensures that accreditation authorities validate participants’ adherence to the requirements of the IDEF.
- Trust frameworks are developed by a community whose members have similar goals and perspectives, such as the NSTIC Pilots. A trust framework defines the rights and responsibilities of that community’s participants, specifies the policies and standards specific to the community, and defines the community-specific processes and procedures that provide assurance. A trust framework should address the level of risk associated with the transaction types of its participants. For example, a trust framework designed for the financial services industry would incorporate the privacy requirements set forth in the Gramm-Leach-Bliley Act (GLBA), while a trust framework for the healthcare industry would look to the Health Insurance Portability and Accountability Act (HIPAA) for its privacy requirements. Different trust frameworks can exist within the Identity Ecosystem, and communities of interest can tailor trust frameworks to meet their particular needs. In order to be a part of the Identity Ecosystem, all trust frameworks must still meet the baseline standards established by the IDEF.
- Accreditation authorities assess and validate identity providers, attribute providers, relying parties and identity media, ensuring that they all adhere to an agreed-upon trust framework. Accreditation authorities can issue trustmarks to the participants that they validate.
- Trustmark schemes are the combination of criteria that is measured to determine service provider compliance with the IDEF. The IDEF provides a baseline set of standards and policies that apply to all of the participating trust frameworks. This baseline is more permissive at the lowest levels of assurance, to ensure that it does not serve as an undue barrier to entry, and more detailed at higher levels of assurance, to ensure that requirements are aligned with the risk of any given transaction.