A Simple Guide to the Kantara Initiative’s Identity Assurance Framework ‘SP 800-63 rev.3’ Assessment Services
What is it that Kantara does?
Within its Assurance Program, Kantara Initiative operates an Identity Assurance Framework (IAF). Under the IAF, Kantara-Accredited Assessors assess (i.e. evaluate) Identity Proofing and Credential Management services to determine their conformity to published Service Assessment Criteria. Services which meet these requirements are Approved by Kantara Initiative.
What do the Service Assessment Criteria cover?
The criteria are owned and published by Kantara. They encompass the normative (mandatory) requirements of the NIST SP 800-63 rev.3 suite of publications. Credential Service Providers (CSP) identify the criteria which their services’ functionality provides. These services may cover the entire scope of the Service Assessment Criteria or may provide selected component parts of the total functionality, allowing other providers to incorporate those components into their own services. In addition, Kantara applies a set of criteria which assess the good standing and information security management posture of the CSP offering the subject service.
What denotes that a Service is Kantara-Approved?
Kantara Initiative grants a Trust Mark for services which have been found to be conformant to the applicable Kantara Service Assessment Criteria. Approved services are also listed in Kantara’s Trust Status List (TSL). The claim of being (Kantara-)Approved can be made only for those services in respect of which a Trust Mark has been granted by Kantara Initiative.
How are Assessors appointed?
Kantara Accredits its Assessors against its published requirements. These ensure that Assessors have the skills, experience and qualifications required to provide impartial and reliable opinions as to whether assessed services meet the applicable Service Assessment Criteria. Accredited Assessors are also granted a Trust Mark and are listed in the TSL. Only Kantara-Accredited Assessors may perform Kantara assessments.
Does the IAF include other criteria?
Kantara maintains criteria and trust marks to meet market demand. Currently, the IAF includes additional criteria which are based on the broad requirements previously set out in NIST SP 800-63 rev.2. Some Kantara clients continue to offer services which meet these criteria and whilst that remains so, Kantara continues to publish these criteria and to offer specific Approvals against them. To support orderly transition to newer versions of SP 800-63, Kantara offers trust marks for older versions of SP 800-63 until market demand drops off. Older trust marks are retired in an orderly manner to allow holders to transition.
Always Use Caution!
Other services may be described as ‘compliant’, ‘certified’, ‘aligned-to’ (or other such phrases) with respect to the NIST SP 800-63 rev.3 guidelines, but this does not mean that those services are Kantara-Approved, and they may not even have been independently evaluated by a third party to give any credence to the claims being made. Only the Kantara Initiative’s Trust Mark affirms Kantara’s independent third-party assessment of conformity, and this is only for the specifically named service, not any other service the same CSP may offer. If you are in any doubt, check against the Trust Services List or contact Kantara’s Assurance Program Manager.