RFI/RFP Language for Federation Solutions and Identity Proofing Solutions

As noted in my earlier blog post "Comply with Requirements Quickly and Easily with RFI and RFP Templates", FICAM is working to make it easier for Agencies to align with OMB/NIST/FICAM policies. Given below is recommended language that aligns with policy for incorporation into Agency RFIs and RPFs.  The language covers both identity federation solutions, when the Agency is acting as a relying party, as well as identity proofing solutions.

Identity Federation Solution for Agency as Relying Party

Details: A federation solution is typically integrated with an Agency web application, and needs to support both non-government issued approved credentials as well as government issued credentials. Government issued credentials in this case are Agency issued PIV Cards and approved non-government credentials such as PIV-I and those that are governed by the FICAM Trust Framework Solutions Process.

Identity Proofing Service

  • MUST have an identity proofing service capable of implementing [remote and/or in-person] identity proofing processes at [OMB-O4-04 LOA Level(s) here] per NIST SP 800-63-1

Details: NIST SP 800-63-1(PDF) is the authoritative document that provides information on the technical controls and approaches that an Agency must use for remote as well as in-person identity proofing requirements from LOA 1-4. Currently, FICAM does not have a certification process for a stand-alone identity proofing capability; current FICAM certification, via the Trust Framework Adoption Process, applies to a combined identity proofing-credential issuance solution. As such the requirements levied on an Identity Proofing service are based on the foundational requirements that all US Government Agencies must follow in complying with NIST Guidance.

Do keep in mind the following:

  • The focus above is on the technical bits-n-bytes
  • The above is just a starting point; Agencies are free to modify and add on other requirements as needed
  • The above is subject to change based on new and/or updated policies


:- by Anil John