FICAM Trust Framework Solutions - A Primer

It is in the Government's best interest to not re-invent the wheel and leverage Industry resources whenever possible. To support E-Government activities, FICAM aims to leverage industry-based credentials that citizens already have for other purposes. At the same time, the Government has specific Privacy and Security requirements that need to be satisfied in order for a Government relying party to trust a credential that has been issued by an entity other than the US Federal Government.

The approach used to assess external (to the US Federal Government) credential issuance processes against these privacy and security requirements is called the FICAM Trust Framework Solutions:

As you can see in the diagram above, the entities in this mix are a Trust Framework Provider, one or more Identity Providers (IdPs), and FICAM.
  • A Trust Framework Provider (TFP) is an entity, separate from the Federal Government, that has a certain level of organizational maturity and owns, manages, and has a mechanism to assess credentialing processes across a range of facets, including assurance, privacy, and auditing and certification processes carried out by qualified independent auditors. In other words, it owns and is responsible for a Trust Framework.
  • The Trust Framework Provider in turn has the capability to assess Identity Providers to see if the IdP has a certain level of organizational maturity and if its registration and identity proofing processes, credentials, credential issuance processes and privacy policies meet the policies codified under the TFP's Trust Framework.
  • FICAM comes into the picture through our Trust Framework Adoption Process (PDF), which we use to "adopt" an existing Industry Trust Framework. That means we use the adoption process to determine whether the requirements of the Trust Framework we use internally within the Government are comparable to those of the existing Industry Trust Framework. I especially want to emphasize that the intent here is comparability and NOT compliance. If they are indeed comparable, we adopt and certify that industry Trust Framework Provider, and customers of Identity Providers that have been assessed and approved by that TFP can then use those credentials at TFP-enabled Federal Government relying parties.
It is important to call out some specific points:
  • Trust Framework Providers are NOT Identity Providers
  • Trust Framework Providers assess IdPs for conformance against their Trust Framework and not the Government Trust Framework
  • The Government does not directly certify Identity Providers under the Trust Framework Solutions Process; the Government directly certifies ("adopts") Trust Framework Providers
It is critical to note that the Level of Assurance (LOA) you can have in an Identity is a big deal to the US Federal Government: as you go to higher LOAs (from 1 to 4), the credential issuance and identity proofing processes become more stringent. As such, TFPs and their Trust Frameworks need to have processes comparable to the Government Trust Framework at the higher LOAs in order to be able to assess IdPs as capable of issuing higher-LOA credentials. In some cases, a TFP may make a conscious choice to assess IdPs only at specific LOA levels.

Let me, at this point, add a bit of nuance to this process. The Government E-Authentication Model provides for a logical and physical separation between the Registration/Identity-Proofing function and the Token and Credential Registration/Issuance function. In the IdP model noted above those functions are shown together. They do not have to be. It is perfectly feasible under the Trust Framework Solutions Model to have separate entities performing the Identity Proofing and the Credential Issuance, which come together to provide a combined solution that can be certified by a TFP. Simply be aware that under the current FICAM TFP regime the term "FICAM Approved" applies to that combined solution and NOT to the individual components.

Since October 2011, an OMB Policy has required Government web sites that allow members of the public and business partners to register or log on to be enabled to accept externally-issued credentials (i.e. credentials issued by an entity other than the US Federal Government) in accordance with government-wide requirements (PDF). The Trust Framework Solutions Process satisfies that requirement by enabling a scalable model for extending identity assurance across a broad range of citizen and business needs.

By Anil John