The approach used to assess credential issuance processes external to the US Federal Government against these privacy and security requirements is called the FICAM Trust Framework Solutions process.
As the diagram above shows, the entities in this mix are a Trust Framework Provider, one or more Identity Providers (IdPs), and FICAM.
- A Trust Framework Provider (TFP) is an entity, separate from the Federal Government, that has a certain level of organizational maturity and owns, manages and operates a mechanism to assess credentialing processes across a range of facets, including assurance, privacy, and auditing and certification using qualified independent auditors. In other words, it owns and is responsible for a Trust Framework.
- The Trust Framework Provider in turn has the capability to assess Identity Providers to determine whether the IdP has a certain level of organizational maturity and whether its registration and identity-proofing processes, credentials, credential issuance processes and privacy policies meet the policies codified in the TFP's Trust Framework.
- FICAM comes into the picture by using its Trust Framework Adoption Process (PDF) to "adopt" an existing industry Trust Framework. That means we use the adoption process to determine whether the requirements of the Trust Framework we use internally within the Government are comparable to those of the existing industry Trust Framework. I especially want to emphasize that the intent here is comparability and NOT compliance. If they are indeed comparable, we adopt and certify that industry Trust Framework Provider, and customers of Identity Providers that have been assessed and approved by that TFP can then use those credentials at TFP-enabled Federal Government relying parties.
- Trust Framework Providers are NOT Identity Providers.
- Trust Framework Providers assess IdPs for conformance against their own Trust Framework, not against the Government Trust Framework.
- The Government does not directly certify Identity Providers under the Trust Framework Solutions process. The Government directly certifies ("adopts") Trust Framework Providers.
Let me add a bit of nuance to this process. The Government E-Authentication Model provides for a logical and physical separation between the Registration/Identity-Proofing function and the Token and Credential Registration/Issuance function. In the IdP model noted above those functions are shown together, but they do not have to be. It is perfectly feasible under the Trust Framework Solutions model to have separate entities performing the Identity Proofing and the Credential Issuance and coming together to provide a combined solution that can be certified by a TFP. Simply be aware that under the current FICAM TFP regime the term "FICAM Approved" applies to that combined solution and NOT to the individual components.
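To make the chain of trust concrete, here is an added Python example (not code from the FICAM program or any TFP) that models how a relying party would decide whether to accept a credential: the issuer and proofer must together form a solution certified by a TFP, and that TFP must itself be FICAM-adopted. All names and registry entries are constructed, and the numeric assurance levels are assumed to follow the SP 800-63-1 levels 1 through 4.

```python
from dataclasses import dataclass
# Constructed sample data with hypothetical names; the real lists are the FICAM
# pages linked from this post, not these entries.
@dataclass(frozen=True)
class TrustFrameworkProvider:
    name: str
    ficam_adopted: bool       # FICAM judged its framework comparable and adopted it
    max_assurance_level: int  # highest level its Trust Framework covers (assumed 1..4)

@dataclass(frozen=True)
class CertifiedSolution:
    # A combined proofing + issuance solution certified by one TFP; approval attaches to the pair.
    issuer: str            # credential issuer the relying party sees
    proofing_entity: str   # who performed identity proofing (may equal issuer)
    certified_by: str      # TFP that assessed this combination
    assurance_level: int

@dataclass(frozen=True)
class Credential:
    subject: str
    issuer: str
    proofing_entity: str

TFPS = (TrustFrameworkProvider("TFP-A", True, 3),
        TrustFrameworkProvider("TFP-B", False, 4))   # assessed IdPs but never adopted by FICAM
SOLUTIONS = (CertifiedSolution("IdP-1", "IdP-1", "TFP-A", 2),
             CertifiedSolution("IdP-2", "Proofer-X", "TFP-A", 3),
             CertifiedSolution("IdP-3", "IdP-3", "TFP-B", 2))

def relying_party_accepts(cred, required_level, tfps=TFPS, solutions=SOLUTIONS):
    """Walk the chain credential -> certified solution -> TFP -> FICAM adoption.
    Returns (accepted, reason); acceptance hinges on the TFP being adopted."""
    tfp_by_name = {t.name: t for t in tfps}
    reasons = []
    for sol in solutions:
        # The certified combination must match exactly: an issuer or proofer that
        # is not part of a certified combination is not approved on its own.
        if (sol.issuer, sol.proofing_entity) != (cred.issuer, cred.proofing_entity):
            continue
        tfp = tfp_by_name.get(sol.certified_by)
        if tfp is None or not tfp.ficam_adopted:
            reasons.append(f"{sol.certified_by} is not FICAM-adopted")
            continue
        # Effective level is bounded by what the TFP's framework covers
        level = min(sol.assurance_level, tfp.max_assurance_level)
        if level >= required_level:
            return True, f"certified by {tfp.name} at level {level}"
        reasons.append(f"level {level} below required {required_level}")
    return False, "; ".join(reasons) or "no certified issuer/proofing combination"
```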
Since October 2011, OMB policy has required Government web sites that allow members of the public and business partners to register or log on to be enabled to accept externally-issued credentials (i.e. credentials issued by an entity other than the US Federal Government) in accordance with government-wide requirements (PDF). The Trust Framework Solutions process satisfies that requirement by enabling a scalable model for extending identity assurance across a broad range of citizen and business needs.
- Current List of FICAM Approved/Adopted Trust Framework Providers
- Current List of Identity Providers who have been assessed and certified by their respective TFPs
NOTE: Strictly speaking there is no "FICAM Approved IdP". That terminology is a shortcut for an IdP that has been approved by a "FICAM Approved/Adopted Trust Framework Provider".
- OMB Requirements for Accepting Externally-Issued Identity Credentials [PDF]
- Trust Framework Provider Adoption Process [PDF]
- Privacy Guidance for Trust Framework Assessors and Auditors [PDF]
- NIST SP-800-63-1 E-Authentication Model