Classes of Approval

This page lists Kantara Initiative’s various Classes of Approval available to Credential Service Providers (CSPs) and sets out the Service Assessment Criteria (SAC) applicable to each Class, and Service descriptors/Approval types under Kantara’s Identity Assurance Framework scheme.
CSPs conforming to the applicable sets of SAC (and their related Assessment Profiles, if also applicable) are eligible for a Grant of Approval under the Kantara Trust Operations Program.

  1. Classes of Approval for Identity and Credential Management Systems
  2. Available Service Assessment Criteria & Assessment Profiles for Identity & Credential Management Systems
  3. Reference criteria for each Class of Approval
  4. Applicable Kantara Service Assessment Criteria sets and Service descriptors/Approval types

1. Classes of Approval for Identity Proofing and Credential Management Systems

Kantara offers a variety of Classes of Approval. Each Class is based upon a specific SAC or set of SAC. CSPs may seek Approval of a discrete service in any one or more of these Classes. The following Classes are available to CSPs offering Full or Component credential management services:

Class of Approval Description
NIST 800-63 rev.3

Available to Credential Service Providers offering Full or Component credential management services. Modeled on best practice (drawing from, among other sources, ISO/IEC 27001, ISO/IEC 29115), this Class of Approval ensures the provider organization’s good standing and management / operational practices and assesses criteria which are derived strictly from NIST SP 800-63 rev.3 requirements, ensuring a conformant technical provision of the provider organization’s service.

Assurance Levels: IAL2, IAL3;  AAL2, AAL3;  FAL2, FAL3

NIST 800-63 rev.3 (Technical)

Available to Credential Service Providers offering Full or Component credential management services. This Class of Approval is based on criteria derived strictly from NIST SP 800-63 rev.3 requirements that ensure conformant technical provision of the provider organization’s service. This Class of Approval does not assess the provider organization’s good standing and management/ operational practices; it focuses on the technical provision ONLY.

Assurance Levels: IAL2, IAL3;  AAL2, AAL3;  FAL2, FAL3

Classic

Available to Credential Service Providers offering Full or Component credential management services. Modeled on best practice (drawing from, among other sources, ISO/IEC 27001, ISO/IEC 29115), this Class of Approval ensures the provider organization’s good standing and management / operational practices and assesses criteria modeled on a generalized interpretation of NIST SP 800-63 rev.2 requirements, ensuring conformant technical provision of the provider organization’s service.

Levels of Assurance: 1, 2, 3 & 4, as described in OMB M-04-04

2. Available Service Assessment Criteria & Assessment Profiles for Identity Proofing & Credential Management Systems

Kantara supports a number of SAC sets, which may have additional Assessment Profiles associated with them. The available SAC sets are identified below and further cited in the context of the Class of Approval which they support (some being employed within multiple Classes).

SAC sets:

Set title | Published in
CO_SAC | IAF-1410
OP_SAC | IAF-1420
63A_SAC | IAF-1430
63B_SAC | IAF-1440
63C_SAC | IAF-1450

No SAC publication version numbers are cited; the links above provide the latest published version of the respective SAC documents.

3. Reference criteria for each Class of Approval

Class of Approval: NIST 800-63 Rev. 3
SAC Sets:
  • CO_SAC @ LoA3
  • 63A_SAC
  • 63B_SAC
  • 63C_SAC
Assurance Levels:
  • IAL2, IAL3
  • AAL2, AAL3
  • FAL2, FAL3

Class of Approval: NIST 800-63 Rev. 3 (Technical)
SAC Sets:
  • 63A_SAC
  • 63B_SAC
  • 63C_SAC
Assurance Levels:
  • IAL2, IAL3
  • AAL2, AAL3
  • FAL2, FAL3

Class of Approval: Classic
SAC Sets:
  • CO_SAC
  • OP_SAC
Assurance Levels:
  • LoA 1, 2, 3, 4

SAC Owner: Kantara Initiative, Inc.

Available Assessment Modes: Full or Component Service

Ready to Operate or Full Approval
(Full Approval based on Period of Time [PoT] or Triennial assessment and Annual Conformity Reviews [ACR], as required)

Available Profiles: None None

 

4. Applicable Kantara Service Assessment Criteria sets and Service descriptors/Approval types

The table below gives consistent descriptors to service types and relates each to the sets of SAC against which conformity is assessed and the Classes of Approval which are granted, for each type. Credential Service Providers are required to use one of these service descriptors when describing their service.

Kantara will recognize and approve services as being in one of the following types, according to the choice and degree of scoping of the service with respect to applicable SACs.


Acknowledgement: Kantara Initiative, Inc. is grateful for the support of ID.me in sponsoring the editing of the service assessment criteria for NIST SP 800-63 rev.3.


Last updated 2022-08-02