High Level View of the Kantara Service Provider Approval Process
Kantara Initiative grants Approval for services that have been found conformant to a set of Kantara-defined criteria, typically specific to a particular standard or specification, such as NIST SP 800-63-3, for which a CSP seeks a third-party assessment of their conformity. In the case of NIST SP 800-63-3, for example, Kantara’s criteria focus on the operation of identity proofing, credential management and federated assertion functions at given levels of assurance: IAL2, IAL3; AAL2, AAL3; FAL2, FAL3. The Kantara service assessment criteria address the technical functionality of the target service, the service provider’s bona fides and the applicable information security management practices.
The process shown below applies to the following applicants seeking to gain Kantara Service Approval: Credential Service Providers and Component Services.
1) Design & Build the Identity Service, which includes policy, practice and technologies. The service might be in development, implementation or full operation, and may or may not initially conform to the Kantara Identity Assurance Framework (IAF) requirements, specifically the Service Assessment Criteria.
2) Read: Classes of Approval; Service Approval Handbook
3) Contact Kantara & Become a Kantara Member
4) Complete the implementation of the Identity Service in a way that meets the requirements of the Kantara IAF.
5) Initial Application – The Applicant shall submit to the Secretariat an Initial Application Package: Application for Service Approval (ASA); Specification of a Service Subject to Assessment (S3A); Statement of Criteria Applicability (SoCA). The package essentially introduces the Applicant and their service to Kantara, defining the scope and nature of the service, including which Service Assessment Criteria (SAC), and which specific criteria therein, they believe are applicable to it. Please see: Application Package – Service Approval
6) Be Assessed & Address Findings – The Assurance Review Board accepts the initial application and the Applicant selects and engages a Kantara Accredited Assessor. The Accredited Assessor conducts an assessment relative to the appropriate Service Assessment Criteria and produces a Kantara Assessor Report (KAR) and Statement of Conformity (SoC). The Applicant works with the Assessor to address non-conforming service areas (if any).
7) The Applicant submits the approval package to the Secretariat, including the KAR, SoC, S3A and ASA.
8) Kantara Evaluation & Decision. Assurance Review Board (ARB) evaluates material, seeking clarification if needed. ARB makes a recommendation to the Kantara Board of Directors (KIBoD) to Approve License Grant, Approve License Grant with Conditions or Deny License Grant. Kantara Board of Directors (BoD) ratifies ARB approval.
10) Trust Mark – If Approved, the Applicant enters the process to formalize the Grant of License to use the Kantara Initiative Identity Assurance Framework Trademark. A grant of Approval is valid for three years, with Annual Conformity Reviews taking place in the two intervening years.
- One-pager – High Level Description of the Kantara Initiative Identity Assurance Framework
- Review Kantara Identity Assurance Framework Controlling Documents
- Kantara Trust Status List – List of Kantara Approved CSPs and Accredited Assessors
- Spotlights – Approved CSPs and Accredited Assessors Spotlights
- Contact us if you have any questions and/or want to learn more