This release of updates to the Kantara Identity Assurance framework (KIAF) consists of the following significant changes, which have been coordinated to provide a single, harmonized release. The changes incorporated in this release are:
- a new required document, a Statement of Criteria Applicability (SoCA), to support assessment, review and deployment of Approved services;
- a new Service Assessment Criteria (SAC) suite addressing the Federation requirements found in NIST SP 800-63 revision 3 (63C at FAL2 & FAL3);
- addition of AL3 criteria across all three NIST SP 800-63 revision 3 SAC suites (IAL3, AAL3, FAL3);
- transition of the ‘Classical’ CO_SAC and OP_SAC criteria from Word format to XLS;
- revision to all SAC suites to recognize the different roles of players within the identity ecosystem (e.g. CSP, RP, FA, US Fed Agcy);
- a requirement to identify the service with a specific ‘service descriptor’.
The table below lists all of the revised or new documents associated with this release, by their formal title, reference and version, and provides overviews of the changes with regard to the six specific changes identified above. The document title also provides a hyperlink to the version of the document associated with this release.
All parties interested in the progression of Kantara are encouraged to review these changes – Assessors and CSPs are required to review and fully comprehend them. It is the Approval Applicant’s (essentially the CSP’s, but this release now recognizes other roles) responsibility to prepare a SoCA. It is the Assessor’s responsibility to prepare a SoC stating its findings from the assessment, which must align to the SoCA.
Approval Applicants MAY incorporate some or all of the changes in this release with immediate effect. Approval Applicants making submissions for new Approvals or for Approval renewals after 2021-01-31 SHALL comply with all of the changes in this release.
Enquiries may be directed to: email@example.com
Acknowledgement: Kantara Initiative Inc. is grateful for the support of ID.me in sponsoring the editing of the service assessment criteria for NIST SP 800-63 rev.3.