Classes of Approval

This page lists the various Classes of Approval available to Credential Service Providers (CSPs) and sets out the Service Assessment Criteria (SAC) applicable to each Class. Identity services which meet the appropriate requirements of the SAC will be awarded the relevant Trust Mark under the Kantara Trust Operations Program.

  1. Classes of Approval for Identity and Credential Management Systems
  2. Available Service Assessment Criteria & Assessment Profiles for Identity & Credential Management Systems
  3. Reference criteria for each Class of Approval
  4. Applicable Kantara Service Assessment Criteria sets and Service descriptors/Approval types

1. Classes of Approval for Identity Proofing and Credential Management Systems

The following Classes are available to CSPs offering Full or Component credential management services:

Class of Approval Description
NIST 800-63 rev.3

Available to Credential Service Providers offering Full or Component credential management services. Modeled on best practice (drawing from, among other sources, ISO/IEC 27001, ISO/IEC 29115), this Class of Approval ensures the provider organization’s good standing and management / operational practices and assesses criteria which are derived strictly from NIST SP 800-63 rev.3 requirements, ensuring a conformant technical provision of the provider organization’s service.

Assurance Levels: IAL2, IAL3;  AAL2, AAL3;  FAL2, FAL3

NIST 800-63 rev.3 (Technical)

Available to Credential Service Providers offering Full or Component credential management services. This Class of Approval is based on criteria derived strictly from NIST SP 800-63 rev.3 requirements that ensure conformant technical provision of the provider organization’s service. This Class of Approval does not assess the provider organization’s good standing and management/ operational practices; it focuses on the technical provision ONLY.

Assurance Levels: IAL2, IAL3;  AAL2, AAL3;  FAL2, FAL3
*The Technical Class of Approval will be discontinued, likely in 2024. 

Classic

Available to Credential Service Providers offering Full or Component credential management services. Modeled on best practice (drawing from, among other sources, ISO/IEC 27001, ISO/IEC 29115), this Class of Approval ensures the provider organization’s good standing and management / operational practices and assesses criteria modeled on a generalized interpretation of NIST SP 800-63 rev.2 requirements, ensuring conformant technical provision of the provider organization’s service.

Levels of Assurance: 1, 2, 3 & 4, as described in OMB M-04-04

2. Available Service Assessment Criteria & Assessment Profiles for Identity Proofing & Credential Management Systems

A number of SAC sets may have additional Assessment Profiles associated with them. The available SAC sets are listed below.

SAC sets: Please note that most current SAC sets were published on August 31, 2022. Contact the secretariat for the newest version.

Set title: Published in
  • CO_SAC: IAF-1410
  • OP_SAC: IAF-1420
  • 63A_SAC: IAF-1430
  • 63B_SAC: IAF-1440
  • 63C_SAC: IAF-1450

No SAC publication version numbers are cited – the links above provide the latest published version of the respective SAC documents.

3. Reference criteria for each Class of Approval

Class of Approval: NIST 800-63 Rev. 3
SAC Sets:
  • CO_SAC @ LoA3
  • 63A_SAC
  • 63B_SAC
  • 63C_SAC
Assurance Levels:
  • IAL2, IAL3
  • AAL2, AAL3
  • FAL2, FAL3
Available Profiles: None

Class of Approval: NIST 800-63 Rev. 3 (Technical)
SAC Sets:
  • 63A_SAC
  • 63B_SAC
  • 63C_SAC
Assurance Levels:
  • IAL2, IAL3
  • AAL2, AAL3
  • FAL2, FAL3
Available Profiles: None

Class of Approval: Classic
SAC Sets:
  • CO_SAC
  • OP_SAC
Assurance Levels:
  • LoA 1, 2, 3, 4
Available Profiles: US Federal Privacy Criteria

SAC Owner: Kantara Initiative, Inc.
Available Assessment Modes: Full or Component Service

Ready to Operate or Full Approval
(Full Approval based on Period of Time [PoT] or Triennial assessment and Annual Conformity Reviews [ACR], as required)

4. Applicable Kantara Service Assessment Criteria sets and Service descriptors/approval types

The tables below provide consistent descriptors for each service type and relate each to the Service Assessment Criteria (SAC) against which the service is assessed. Credential Service Providers are required to use one of these descriptors when preparing their award application.

We will recognize and approve services according to the applicable SACs.

Class of Approval: NIST 800-63 rev. 3 

Service Descriptor/Approval Type: Applicable SACs

Full Service
  • Identity Proofing: CO_SAC with ALL applicable criteria In Scope + 63A_SAC with ALL applicable criteria In Scope
  • Credential Management: CO_SAC with ALL applicable criteria In Scope + 63B_SAC with ALL applicable criteria In Scope
  • Identity Proofing & Credential Management: CO_SAC with ALL applicable criteria In Scope + 63A_SAC with ALL applicable criteria In Scope + 63B_SAC with ALL applicable criteria In Scope

Component Service
  • Identity Proofing: CO_SAC with ALL applicable criteria In Scope + 63A_SAC with NOT ALL criteria In Scope
  • Credential Management: CO_SAC with ALL applicable criteria In Scope + 63B_SAC with NOT ALL criteria In Scope
  • Identity Proofing & Credential Management: CO_SAC with ALL applicable criteria In Scope + 63A_SAC with NOT ALL criteria In Scope + 63B_SAC with NOT ALL criteria In Scope

Federated
  • Identity Proofing & Credential Management: CO_SAC with ALL criteria In Scope + 63A_SAC with ALL criteria In Scope + 63B_SAC with ALL criteria In Scope + 63C_SAC with ALL [‘CSP’ OR ‘CSP+RP’] criteria In Scope

Class of Approval: NIST 800-63 rev. 3 (Technical)

  • CO_SAC not included in any Technical assessment 
Service Descriptor/Approval Type: Applicable SACs

Full Service (Technical)
  • Identity Proofing: 63A_SAC with ALL criteria In Scope
  • Credential Management: 63B_SAC with ALL criteria In Scope
  • Identity Proofing & Credential Management: 63A_SAC with ALL criteria In Scope + 63B_SAC with ALL criteria In Scope

Component Service (Technical)
  • Identity Proofing: 63A_SAC with NOT all criteria In Scope
  • Credential Management: 63B_SAC with NOT all criteria In Scope
  • Identity Proofing & Credential Management: 63A_SAC with NOT all criteria In Scope + 63B_SAC with NOT ALL criteria In Scope

Federated (Technical)
  • Identity Proofing & Credential Management: 63A_SAC with ALL criteria In Scope + 63B_SAC with ALL criteria In Scope + 63C_SAC with ALL [‘CSP’ OR ‘CSP+RP’] criteria In Scope

Class of Approval: Classic

Service Descriptor/Approval Type: Applicable SACs
  • Full Service: CO_SAC with ALL applicable criteria In Scope + OP_SAC with ALL applicable criteria In Scope
  • Component Service: CO_SAC with ALL applicable criteria In Scope + OP_SAC with NOT all criteria In Scope

Acknowledgement: Kantara Initiative, Inc. is grateful for the support of ID.me in editing the Service Assessment Criteria for NIST SP 800-63 rev.3.


Last updated 2023-09-12