Service Provider Approval
Kantara Initiative grants Approval for services which have been found to be conformant to a set of Kantara-defined criteria typically specific to a particular standard or specification, such as NIST SP 800-63-3, for which a Service Provider seeks a third-party assessment of their conformity. In the case of NIST SP 800-63-3 for example, Kantara’s criteria focus on the operation of identity proofing, credential management and federated assertion functions at given levels of assurance. The Kantara service assessment criteria address the technical functionality of the target service, the service provider’s bona fides and the applicable information security management practices.
High Level View of the Kantara Service Provider Approval
The process shown below applies to Credential Service Providers seeking to gain Kantara Service Approval
1. Design & Build The Identity Service
which includes policy practice and technologies. Might be in development, implementation or full operation. May or may not initially conform to the Kantara Identity Assurance Framework (IAF) requirements, specifically the Service Assessment Criteria.
3. Complete the implementation of the Identity Service
in a way that meets the requirements of the Kantara IAF.
4. Initial Application
The Applicants shall submit an Initial Application Package essentially to introduce themselves and their service to Kantara, defining the scope and nature of their service, including which Service Assessment Criteria (SAC) and specific criteria therein they believe are applicable to their service. Submissions shall include: Application for Service Approval (ASA); Specification of a Service Subject to Assessment (S3A); Statement of Criteria Applicability (SoCA).
Please see: Application Package – Service Approval
5. Be Assessed & Address Findings
Assurance Review Board accepts the initial application and applicant selects and engages a Kantara Accredited Assessor. Accredited Assessor conducts assessment relative to appropriate Service Assessment Criteria and produces a Kantara Assessor Report (KAR) and Statement of Conformity (SoC). Applicant works with the Assessor to address non-conforming service areas (if any).
6. Submit the approval package
Submit the Kantara Assessor Report, SoC, S3A, ASA.
7. Kantara Evaluation & Decision
Assurance Review Board (ARB) evaluates material, seeking clarification if needed. ARB Approves License Grant, Approves License Grant with Conditions or Denies License Grant.
8. Trust Mark
If Approved, the Applicant enters the process to formalize the Grant of License to use the Kantara Initiative Identity Assurance Framework Trust Mark. A grant of Approval is valid for three years, with Annual Conformity Reviews taking place in the two intervening years.
More Information:
- One-pager – High Level Description of the Kantara Initiative Identity Assurance Framework
- Review Kantara Identity Assurance Framework Controlling Documents
- Kantara Trust Status List – List of Kantara Approved CSPs and Accredited Assessors
- Spotlights – Approved CSPs and Accredited Assessors Spotlights