This page lists Kantara Initiative’s various Classes of Approval available to Kantara Credential Service Providers (CSP) members and sets out the Service Assessment Criteria (SAC) applicable to each Class.
CSPs conforming to the applicable sets of SACs (and their related Assessment Profiles, if also applicable) are eligible for a Grant of Approval under the Kantara Trust Operations Program.
Classes of Approval for Identity and Credential Management Systems
(effective 2018-03-21)
Kantara offers a number of Classes of Approval. Each Class is based upon a specific SAC or set of SAC. CSPs may seek Approval of a discrete service in any one or more of these Classes. The following Classes are available to CSPs offering Full or Component credential management services:
| Class of Approval | Description |
| NIST 800-63 rev.3 | Available to Credential Service Providers offering Full or Component credential management services. This Class of Approval is modelled on best practice (drawing from, among other sources, ISO/IEC 27001, ISO/IEC 29115) to ensure the provider organization’s good standing and management / operational practices and criteria which are derived strictly from NIST SP 800-63 rev.3 requirements, that ensure conformant technical provision of the provider organization’s service.
Only Assurance Levels IAL2 and AAL2 are supported at present. |
| NIST 800-63 rev.3 (Technical) | Available to Credential Service Providers offering Full or Component credential management services. This Class of Approval is based on criteria derived strictly from NIST SP 800-63 rev.3 requirements that ensure conformant technical provision of the provider organization’s service.
Only Assurance Levels IAL2 and AAL2 are supported at present. |
| Classic | Available to Credential Service Providers offering Full or Component credential management services. This Class of Approval is modelled on best practice (drawing from, among other sources, ISO/IEC 27001, ISO/IEC 29115) to ensure the provider organization’s good standing and management / operational practices and criteria modelled on a genericized interpretation of NIST SP 800-63 rev.2 requirements, that ensure conformant technical provision of the provider organization’s service. Levels of Assurance 1, 2, 3 & 4, as described in OMB M-04-04 |
Available Service Assessment Criteria & Assessment Profiles for Identity & Credential Management Systems
Kantara supports a number of SAC sets, any of which may have additional Assessment Profiles associated with them. The available SAC sets are identified below and further cited in the context of the Class of Approval which they support (some being employed within multiple Classes).
SAC sets:
| Set title | Published in |
| CO_SAC | IAF-1410 |
| OP_SAC | IAF-1420 |
| 63A_SAC | IAF-1430 (Kantara Corporate Members Only download) |
| 63B_SAC | IAF-1440 (Kantara Corporate Members Only download) |
No SAC publication version numbers are cited – the links above provide the latest published version of the respective SAC documents
Reference criteria for each Class of Approval
| Class of Approval: | NIST 800-63 rev.3 |
| SAC set(s) | CO_SAC@AL3 + 63A_SAC + 63B_SAC |
| SAC Owner: | Kantara Initiative, Inc. |
| Assurance Levels | IAL2 & AAL2 (only) |
| Available Assessment Modes | Full or Component services; Ready To Operate or Full Approval (based on Period of Time, PoT, or Triennial assessment and Annual Conformity Reviews, ACR, as required) |
| Available Profiles | None |
| Class of Approval: | NIST 800-63 rev.3 (Technical) |
| SAC set(s) | 63A_SAC + 63B_SAC |
| SAC Owner: | Kantara Initiative, Inc. |
| Assurance Levels | IAL2 & AAL2 (only) |
| Available Assessment Modes | Full or Component services; Triennial assessment and Annual Conformity Reviews (ACR), as required) |
| Available Profiles | None |
| Class of Approval: | Classic |
| SAC set(s) | CO_SAC + OP_SAC NIST SP 800-63 rev.2 and US Federal Privacy Criteria (optional) |
| SAC Owner: | Kantara Initiative, Inc. |
| Assurance Levels | LoAs 1, 2, 3 & 4, as described in OMB M-04-04 |
| Available Assessment Modes | Full or Component services; Ready To Operate or Full Approval (based on Period of Time (PoT) or Triennial assessment and Annual Conformity Reviews (ACR) as required) |
| Available Profiles | US Federal Privacy Criteria |
Acknowledgement: Kantara Initiative Inc. is grateful for the support of ID.me in sponsoring the editing of the service assessment criteria for NIST SP 800-63 rev.3
Identity Assurance Framework Controlling Documents: https://kantarainitiative.org/identity-assurance-framework/
Last updated 2020-01-27