InCommon has published candidate versions 1.2 of the Identity Assurance Assessment Framework and Identity Assurance Profiles documents as well as an example of the new Representation of Conformance document. On this page we present our general approach, describe the major changes in these documents from the 1.1 versions, and suggest sections that are especially important for review.
Overall approach
The revision team had these objectives:
- Simplify the Bronze profile (equivalent to NIST LoA 1) to address the US government FICAM program's interest in promoting Bronze certification as a baseline for IdPs to authenticate to US government web sites.
- Respond to feedback from early-adopter campuses regarding confusing audit requirements and provide further guidance on what's required for certification.
- Update the documents to include missing items that were identified in developing the Assurance Legal Addendum.
Identity Assurance Assessment Framework (IAAF) changes
- Section 1: Introduction
Reorganized section and added information about conformance to new versions of the IAAF and IAP.
- Section 4: Assessment and Audit of Identity Providers
Provided for flexibility of audit requirements and referred to the IAP for specific information about each Profile.
- 4.2: Audit Process and Report
(Previously section 4.2 Audit Reports and 4.2.1 Conveyance to InCommon) Removed material that was not germane to the application process. Added a reference to the AICPA Statements on Standards for Attestation Engagements as an example of the audit framework auditors should be using. Cited an example report for further guidance. Clarified what the audit report should include. Clarified that the IdP Operator is responsible for submitting the summary report, along with a document outlining alternative means (if any were used).
Identity Assurance Profiles (IAP) changes
- Section 3: Silver and Bronze Profiles
Clarified use of IAQs.
- Section 4: Criteria
Modified and added criteria to reduce the burden of implementing Bronze.
- 4.2.1.4 (S) (B) IDPO Risk Management
Added periodic review of the IdPO's IT operations to align with risk management objectives. For the Bronze profile, this requirement replaces the need for a formal IdMS audit, which had been a major barrier. This provision is not expected to be a burden for Silver certification.
- 4.2.3.2 (B) Basic Resistance to Guessing Authentication Secret
Clarified language.
- 4.2.3.4 (S) Stored Authentication Secrets
Removed cross reference.
- 4.2.3.5 (New - Bronze Only) Protection of Authentication Secrets
Added to reduce the burden of implementing password-protection requirements for Bronze-only applicants.
- 4.2.3.6 (S) Strong Protection of Authentication Secrets
Updated title to distinguish Silver from Bronze requirements.
- 4.2.5.6 Mitigate Risk of Credential Compromise
Removed the specific guidance on how to mitigate risk to align with the document approach taken in the 1.1 version.
- 4.2.7.2 (S) (B) Identity Assertion Qualifier (IAQ)
Added a clarifying sentence that InCommon certifies IdPs as eligible to assert one or more qualifiers, and that the IdPO must be capable of including the InCommon IAQ when the criteria are met for a subject.
- Section 5 Determination of Conformance
This new section distinguishes how conformance with the Bronze and Silver profiles is requested by the IdPOs and how the new Representation of Conformance document supports Bronze as an option in lieu of the current audit.
The Representation of Conformance document serves as an example of the final agreement that IdPOs would need to sign, in addition to the Assurance Addendum, to attest to conformance to the Bronze profile in lieu of a formal audit.