TFTM Committee March 12, 2014

1. TFTM 01-06Interim Trust Mark/Listing Approach PaperAnalysis of Current Industry Trustmark Programsand GTRI PILOT ApproachDiscussion Deck TFTM Committee March 12, 2014 IDESG TFTM Committee

2. Key terms for this discussion IDESG TFTM Committee

3. Key terms for this discussion IDESG TFTM Committee

4. Accreditation • Administrative Responsibilities: • Document and maintain : • Policies and participation rules • Requirements • Application/Onboarding processes • Standard agreement for accredited entities • Maintain public trust list/registry of accredited entities • Operational Responsibilities: • Evaluate the capability of applicant entities for certification activities • Perform policy mapping, as appropriate, for entity certification policies/requirements conformance/comparability to Accreditation Program requirements Accreditation Program Accredit Certification • Administrative Responsibilities: • Document and maintain: • Requirements • Assessment Processes • Assessment Criteria • Application/onboarding processes • Standard agreement for certified entities • Formal recognition of certified services • Maintain public trust list/registry of certified entities • Operational Responsibilities: • Perform and document assessments • Validate conformance to Certification Program requirements • Provide formal recognition for approved/validated identity services • Monitor continued conformance for certified entities Certification Program Certify/Issue Certify/Issue Trust Mark Issuance • Operational Responsibilities: • Execute and maintain Trust Mark (Usage) Agreements for certified entities • Monitor continued conformance to Trustmark usage requirements for certified entities • Establish and maintain security and controls for issued trust marks • Administrative Responsibilities: • Document and maintain Trust Mark issuance and usage policies and participation rules • Document and maintain Trust Mark (Usage) Agreement • Document and maintain security and controls for Trustmark monitoring. Service Provider Service Provider IDESG TFTM Committee

5. IE Roles Current Industry and GTRI Pilot Models GTRI Pilot Model (Trustmark Concept Map) Current Industry Model Stakeholder Community Is Represented By Trustmark Recipient (e.g., IDP, CSP, AA) Trust Framework Provider Certifies TF Conformity Issues Trust marks Assessor/ Auditor Issues Identity Assertions Required By Defines Trust Framework Relying Parties Required By Assessment Rules/Criteria End Users Source : GTRI IDESG TFTM Committee

6. GTRI Examples of Modular Trust Components Modular Trust Components (AKA “Trust Marks”)= Sets of defined requirements for trust in specific areas Source : GTRI Examples of Modular Trust Components that may be defined requirements for trust marks. IDESG TFTM Committee

7. Potential Sources for Modular Trust Components Source : GTRI IDESG TFTM Committee

8. The Need for NSTIC Core Requirements The following activities seek to define common, core requirements for trust and are directly related: GTRI pilot seeks to define “modular trust components “ (AKA “Trustmarks”) that can be used/reused by multiple organizations. Need to define common, core requirements for trust components that are/should be common to different stakeholder communities – e.g., business, legal, security, privacy, etc. TFTM 01-05: Requirements Mapping and Analysis Paper Requirements analysis and mapping of trust framework components to assess their alignment with NSTIC/IDESG Guiding Principles. Could inform the process of establishing core requirements and trustmarks based on TF components most aligned with IDESG/NSTIC Guiding Principles Could support reuse of framework components within the identity ecosystem. The NPO issued “derived requirements” from NSTIC strategy to articulate requirements for NSTIC guiding principles (strategy, privacy, interoperability, ease of use) that should be a starting point forcommon, core requirements for the Identity Ecosystem Framework. IDESG TFTM Committee

9. Building the Identity Ecosystem Framework See NSTIC NPO 11/26/2013 Blog: Interim Identity Ecosystem: “Are we there yet?” IDESG TFTM Committee

10. Examples of 34 NSTIC Derived Requirements IDESG TFTM Committee