ID Ecosystem Steering Group
IDESG’s mapping program allows other trust frameworks and requirement systems to map to the Identity Ecosystem Framework (IDEF) developed by IDESG. Below is a description of the program for mapping to the IDEF and that IDESG may use to map to other’s frameworks.
On-Boarding Trust Framework Service Providers to the IDESG IDEF Registry
The IDESG Identity Ecosystem Framework (IDEF) presents 45 Baseline Requirements across four categories: Interoperability, Security, Privacy and Usability. The IDESG IDEF Registry implements the IDEF for service providers in the identity ecosystem. Service providers can self-assess their policies, procedures and operations against the 45 Baseline Requirements and attest to their degree of conformity to those requirements. Service organizations that have completed self-assessment against the Baseline Requirements are publicly listed on the IDEF registry along with their attested degree of conformance.
Other Trust Frameworks that have similar programs for conformance assessment against standardized requirements and assessment criteria may qualify for prequalification against the IDEF Baseline Requirements. Service providers that have been assessed (through self-assessment of third-party processes) against other Trust Frameworks can use those assessment processes and results to pre-qualify against the IDESG IDEF Baseline Requirements and be on-boarded to the IDEF Registry. This on-boarding to the IDEF Registry allows service providers to use the results of similar conformance assessment programs to receive recognition for satisfying associated requirements in the IDEF (i.e., prequalification) and can be listed on the IDEF Registry. Note: the Kantara Initiative has completed such on-boarding and requirements mapping against the IDEF; Kantara Mapping to IDEF.
The following 5 steps present the key activities for Trust Frameworks to enable service providers that have completed Trust Framework conformance assessment processes to be on-boarded to the IDESG IDEF Registry.
1. Map the Trust Framework requirements (including any controls or criteria that are part of conformance assessment evaluation) to the IDEF Baseline Requirements.
2. Determine and confirm the degree of conformance for mapped requirements.
3. Prequalification of service Providers for applicable IDEF Baseline Requirements (based on Steps 1 & 2).
4. Self-assessment and attestation for service providers against any IDEF Baseline Requirements that have not been prequalified during Steps 1 through 3.
5. Listing on IDEF Registry for Trust Framework service providers.
These 5 steps are detailed in the sections that follow.
Step 1: Mapping Trust Framework Requirements and Assessment Criteria to IDEF Baseline Requirements.
The IDESG has developed an Excel workbook that should be used as the basis for requirements mapping and comparison for any Trust Framework to the IDEF Baseline Requirements. All Trust Framework requirements that are included in conformance assessment processes should be mapped (compared) to the IDEF Baseline requirements and listed on the mapping workbook.
Step 2: Determine Degree of Comparability for Mapped Requirements.
The Trust Framework should determine the degree of comparability for all mapped requirements. There may be more than one Trust Framework requirement(s) that map to a single IDEF Baseline Requirements; the degree of comparability should be determined for all Trust Framework requirements mapped to each IDEF Baseline requirements. Comparability determination should be based on the degree that Trust Framework satisfy the IDEF Baseline Requirements using the following following status:
• Full Comparability: the Trust Framework requirement(s) mapped to the IDEF Baseline Requirement fully satisfy the IDEF requirement;
• Partial Comparability: the Trust Framework requirement(s) mapped to the IDEF Baseline Requirement partially satisfy the IDEF requirement;
• Not Comparable: no Trust Framework requirement(s) are comparable to the IDEF Baseline requirement.
The degree of comparability determined by the Trust Framework will be reviewed and confirmed by the IDESG. The requirements mapping workbook and degree of comparability determination should be sent to the IDESG Trust Framework Committee at___________.
Step 3: Prequalification of Trust Framework Service Providers to Applicable IDEF Baseline Requirements.
Trust Framework service providers that have been assessed and determined compliant to Trust Framework requirements will receive the following prequalification status for applicable IDEF Baseline Requirements:
• “Fully Implemented” status for IDEF Baseline requirements for Trust Framework comparability determination of “Full” comparability;
• “Implementation Underway” status for IDEF Baseline requirements for Trust Framework comparability determination of “Partial Comparability”;
• No prequalification for IDEF Baseline Requirements for Trust Frameworks with no comparable requirement.
Step 4: Trust Framework service providers self-assessment and attestation for IDEF Baseline Requirements that have not been prequalified through Steps 1 through 3.
To be listed on the IDEF Registry, Trust Framework Service Providers will need to self-assess and attest to the implementation status for all applicable IDEF Baseline Requirements for which they are not prequalified as “Fully Implemented” by Step 3 above.
Step 5: Listing on IDEF Registry for Trust Framework Service Providers.
The IDESG will list all Trust Framework Service Providers that complete the registration, self-assessment and attestation processes on the IDEF Registry. The prequalified status will be presented unless the Service Provider’s attestation presents a different status. The listings for these Service Providers will be annotated to show that they are part of a Trust Framework and will include a link to the Trust Framework and the Service Providers’ status.