Kantara Initiative has been running identity assurance programs since 2011.
As the global leader in this area, we asked our current US Assurance Program Manager, Lynzie Adams, to give us her top tips for organizations wishing to apply for a Kantara Grant of Approval – particularly against the NIST 800-63 standards. Having worked with a Kantara Accredited Assessor, you will be ready to submit your application for final consideration by our Assurance Review Board (ARB) who review many different applications every month. We want to make sure that by the time you get to this stage, you have the best possible chance of Approval.
1 Consider the standards in detail as you may not be quite ready to submit an application. See the NIST guidelines directly or request the Service Assessment Criteria. Be self-critical: does your product or service truly align to the criteria? You may be able to refine your processes slightly to help move things along more quickly.
2 Talk to us before you consider investing! Our team can help you understand the full requirements, which templates to use (and when) and whether you may be able to refine some of your processes to improve your chances of success.
3 Focus on your Service Description (S3A) as this is often the first thing our Assurance Review Board will read. The ARB requires a detailed overview of the service you offer. They don’t see all the materials you have shared with your assessor so they can only judge by what the S3A tells them. Be honest about what you DO (and DON’T) offer in the realm of identity assurance.
4 Your solution overview needs to clearly point to the relevant sections on the corresponding Service Assessment Criteria (SAC) spreadsheet. Make sure everything cross-references correctly. The ARB needs the Service Description (S3A) document to be clear and detailed for them to understand fully what your service does. Clear reference to the Service Assessment Criteria sheet will help enormously.
5 Provide as much evidence as you can in the S3A to support your application. Can you add visuals such as diagrams or graphics? These often help the Assurance Review Board to understand your application better. Be detailed and don’t be afraid to share graphics that might help support SAC conformity. The S3A is a confidential document that will only be reviewed by the ARB.
6 Why not involve your wider colleagues – including your Communications team who will be well practised at writing materials for diverse audiences? They will offer a more “independent” view on how easy your application is for a reader who doesn’t know your solution. And, significantly, they will help pick up any areas of conflicting information so you can remedy these before submission.