Our 2023 #DEIA survey is now open! Click here to participate!
Classes of Approval
This page lists the various Classes of Approval available to Credential Service Providers (CSPs) and sets out the Service Assessment Criteria (SAC) applicable to each Class. Identity services which meet the appropriate requirements of the SAC will be awarded the relevant Trust Mark under the Kantara Trust Operations Program.
- Classes of Approval for Identity and Credential Management Systems
- Available Service Assessment Criteria & Assessment Profiles for Identity & Credential Management Systems
- Reference criteria for each Class of Approval
- Applicable Kantara Service Assessment Criteria sets and Service descriptors/Approval types
1. Classes of Approval for Identity Proofing and Credential Management Systems
The following Classes are available to CSPs offering Full or Component credential management services:
Class of Approval | Description |
NIST 800-63 rev.3![]() ![]() |
Available to Credential Service Providers offering Full or Component credential management services. Modeled on best practice (drawing from, among other sources, ISO/IEC 27001, ISO/IEC 29115), this Class of Approval ensures the provider organization’s good standing and management / operational practices and assesses criteria which are derived strictly from NIST SP 800-63 rev.3 requirements, ensuring a conformant technical provision of the provider organization’s service.
Assurance Levels: IAL2, IAL3; Â AAL2, AAL3; Â FAL2, FAL3 |
NIST 800-63 rev.3 (Technical)![]() ![]() |
Available to Credential Service Providers offering Full or Component credential management services. This Class of Approval is based on criteria derived strictly from NIST SP 800-63 rev.3 requirements that ensure conformant technical provision of the provider organization’s service. This Class of Approval does not assess the provider organization’s good standing and management/ operational practices; it focuses on the technical provision ONLY.
Assurance Levels: IAL2, IAL3; Â AAL2, AAL3; Â FAL2, FAL3 |
Classic![]() ![]() |
Available to Credential Service Providers offering Full or Component credential management services. Modeled on best practice (drawing from, among other sources, ISO/IEC 27001, ISO/IEC 29115), this Class of Approval ensures the provider organization’s good standing and management / operational practices and assesses criteria modeled on a generalized interpretation of NIST SP 800-63 rev.2 requirements, ensuring conformant technical provision of the provider organization’s service.
Levels of Assurance: 1, 2, 3 & 4, as described in OMB M-04-04 |
2. Available Service Assessment Criteria & Assessment Profiles for Identity Proofing & Credential Management Systems
A number of SAC sets may have additional Assessment Profiles associated with them. The available SAC sets are listed below.
SAC sets: Please note that most current SAC sets were published on August 31, 2022. Contact the secretariat for the newest version.
Set title | Published in |
CO_SAC | IAF-1410 |
OP_SAC | IAF-1420 |
63A_SAC | IAF-1430 |
63B_SAC | IAF-1440 |
63C_SAC | IAF-1450 |
No SAC publication version numbers are cited – the links above provide the latest published version of the respective SAC documents
3. Reference criteria for each Class of Approval
Class of Approval: | NIST 800-63 Rev. 3 |
NIST 800-63 Rev. 3Â (Technical) |
Classic |
SAC Sets: |
|
|
|
SAC Owner: | Kantara Initiative, Inc. | ||
Assurance Levels: |
|
|
|
Available Assessment Modes: | Full or Component Service | ||
Ready to Operate or Full Approval |
|||
Available Profiles: | None | None | US Federal Privacy Criteria |
4. Applicable Kantara Service Assessment Criteria sets and Service descriptors/approval types
The tables below provide consistent descriptors for each service type and relate each to the Service Assessment Criteria (SAC) against which the service is assessed. Credential Service Providers are required to use one of these descriptors when preparing their award application.
We will recognize and approve services, according to the the applicable SACs.
Class of Approval: NIST 800-63 rev. 3Â
Service Descriptor/Approval Type | Applicable SACs | |
Full Service
 |
Identity Proofing | CO_SAC with ALL applicable criteria In Scope + 63A_SAC with ALL applicable criteria In Scope |
Credential Management | CO_SAC with ALL applicable criteria In Scope + 63B_SAC with ALL applicable criteria In Scope |
|
Identity Proofing & Credential Management | CO_SAC with ALL applicable criteria In Scope + 63A_SAC with ALL applicable criteria In Scope + 63B_SAC with ALL applicable criteria In Scope |
|
Component Service
 |
Identity Proofing | CO_SAC with ALL applicable criteria In Scope + 63A_SAC with NOT ALL criteria In Scope |
Credential Management | CO_SAC with ALL applicable criteria In Scope + 63B_SAC with NOT ALL criteria In Scope |
|
Identity Proofing & Credential Management | CO_SAC with ALL applicable criteria In Scope + 63A_SAC with NOT ALL criteria In Scope + 63B_SAC with NOT ALL criteria In Scope |
|
Federated | Identity Proofing & Credential Management | CO_SAC with ALL criteria In Scope + 63A_SAC with ALL criteria In Scope + 63B_SAC with ALL criteria In Scope + 63C_SAC with ALL [‘CSP’ OR ’CSP+RP’] criteria InScope |
Â
Class of Approval: NIST 800-63 rev. 3 (Technical)
- CO_SAC not included in any Technical assessmentÂ
Service Descriptor/Approval Type | Applicable SACs | |
Full Service (Technical) | Identity Proofing | Â 63A_SAC with ALL criteria In Scope |
Credential Management | Â 63B_SAC with ALL criteria In Scope | |
Identity Proofing & Credential Management | 63A_SAC with ALL criteria In Scope + 63B_SAC with ALL criteria In Scope |
|
Component Service (Technical) | Identity Proofing | 63A_SAC with NOT all criteria In Scope |
Credential Management | Â 63B_SAC with NOT all criteria In Scope | |
Identity Proofing & Credential Management | 63A_SAC with NOT all criteria In Scope + 63B_SAC with NOT ALL criteria In Scope |
|
Federated (Technical) | Identity Proofing & Credential Management | 63A_SAC with ALL criteria In Scope + 63B_SAC with ALL criteria In Scope + 63C_SAC with ALL [‘CSP’ OR ’CSP+RP’] criteria InScope |
Class of Approval: Classic
Service Descriptor/Approval Type | Applicable SACs |
Full Service | CO_SAC with ALL applicable criteria In Scope + OP_SAC with ALL applicable criteria In Scope |
Component Service | CO_SAC with ALL applicable criteria In Scope + OP_SAC with NOT all criteria In Scope |
Acknowledgement: Kantara Initiative, Inc. is grateful for the support of ID.me in editing the Service Assessment Criteria for NIST SP 800-63 rev.3.
More InformationÂ
- If you have any questions and/or want to learn more, please contact us
- Service Provider Approval Process
- Identity Assurance Framework Controlling Documents
- Kantara Trust Status List (Approved CSPs and Accredited Assessors)
Last updated 2023-09-12