Over the last decade, government and various companies have implemented identity and access management credential schemes for secure access to their applications. In the past, identity federations such as TSCP established and followed rules and specifications that permitted interoperability, trust and governance within a particular community of interest or domain. More recently, they are starting to set up identity federations in order to facilitate the exchange of credentials across sector communities. A key NSTIC objective is to facilitate interoperability across such communities that use secure credentials and promote their usage when conducting commercial transactions over the Internet; in fact, interoperability is one of the four NSTIC Guiding Principles. In addition to interoperability, the NSTIC strategy also requires the introduction of controls that implement the other three Guiding Principles: privacy-enhancing (and voluntary); secure and resilient; and cost-effective and easy to use.
As governments and TSCP member companies continue to require highly secure transactions at LOA 4 for Defense and certain other applications, they now also need to be able to authenticate at lower levels of assurance in a federated manner for both government and commercial applications to accommodate participants who conduct less sensitive transactions. In addition, these communities are looking to ensure that their trust frameworks incorporate the types of protections inherent in the NSTIC principles for individuals using business credentials for commercial use.
TSCP has developed a trust governance framework to combine both categories of credentials that will leverage common functions and requirements. This guidance document provides a basis for developing a trust framework that meets the NSTIC goals and provides a common, well-understood basis for trust.