(authoritative version at http://www.idmanagement.gov/documents/Guidance_for_Assessors.pdf - Section 2 - v1.0, 6/29/2011)
2.1.1 Adequate Notice
Adequate Notice – Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the RP, the purpose of the transaction(s), and a description of any disclosure or transmission of PII to any party. Adequate Notice should be incorporated into the Opt In process.
2.1.2 Opt-In
Opt In – Identity Provider must obtain positive confirmation from the End User before any End User information is transmitted to any government applications. The End User must be able to see each attribute that is to be transmitted as part of the Opt In process. Identity Provider should allow End Users to opt out of individual attributes for each transaction.
The goal is for the user to understand the opt-in process and to have a meaningful opportunity to agree. There are various ways to implement this goal. Users need to be able to see each piece of information, or attribute, that is to be transmitted prior to its transmission. The confirmation mechanism must enable the user to make an explicit affirmation to permit the transmission of user information in accordance with the notice as described above. Confirmation mechanisms should be designed so that they are intuitive and easy to use. They need to be specific to the transaction. To the extent the information to be transmitted is not required for authentication (i.e., the Relying Party would like to have the information to pre-populate transaction fields or for other reasons, but the information is not necessary to accomplish the authentication of the user), users should have the ability to expressly permit or deny the transmission of specific pieces of such user information, for example, through radio buttons or similar mechanisms. As described above, the design of the notice and the confirmation mechanism should be considered as an integrated concept. Mechanisms that allow users to affirmatively waive notices and opt-in consents for each transmission, such as a “don’t show me this message again” option, are acceptable. Mechanisms such as a simple “agree” button on ‘general terms of service’ or pre-checked consents are strongly discouraged because they are unlikely to meet the essential objective of meaningful understanding.
Generally, it is less meaningful to obtain opt-in at the time the credential is issued rather than at the time of the transaction. In certain circumstances, the TFET may approve TFPs that accept this practice. Assessors should be made aware of agreements made between the TFP and TFET that affirmatively accept this practice and any constraints established for this practice.
2.1.3 Minimalism
Minimalism – Identity Provider must transmit only those attributes that were explicitly requested by the RP application or required by the Federal profile.
Assessors and Auditors need to ensure that Identity Providers are only sending the information that is explicitly requested by the Relying Party or that is required by the Federal profile. Written documentation is important in ensuring that the Adequate Notice and Opt-in principles are appropriately executed in terms of distinguishing between information that the Relying Party needs to conduct the authentication transaction and information that the Relying Party would like to collect. In the absence of any such written documentation from the Relying Party, only the information required by the Federal profile may be sent.
2.1.4 Activity Tracking
Activity Tracking – Commercial Identity Provider must not disclose information on End User activities with the government to any party, or use the information for any purpose other than federated authentication.
2.1.5 Non Compulsory
Non Compulsory – As an alternative to 3rd-party identity providers, agencies should provide alternative access such that the disclosure of End User PII to commercial partners must not be a condition of access to any Federal service.
No assessment required because this principle does not apply to Identity Providers.
2.1.6 Termination
Termination – In the event an Identity Provider ceases to provide this service, the Provider shall continue to protect any sensitive data including PII.
Assessors and Auditors should evaluate whether the written policy or plan expressly provides for destruction of the data, as appropriate, or a commitment that the Identity Provider, to the best of its abilities, will require that any recipient of the data protect the data in kind. Ideally, Identity Providers also should plan to give users notice when their sensitive data will be transferred to another entity.
2.1.7 Identity Provider Bona Fides
Identity Provider Bona Fides – The TFPAP requires that Trust Framework Providers sufficiently review member Identity Provider bona fides to ensure that the member Identity Provider has organizational maturity, legitimacy, stability, and reputation. (TFPAP Trust Criteria Assessment 3.3 (3))
In assessing the general organizational maturity, legitimacy, stability, and reputation of the Identity Provider, Assessors and Auditors should look for a general privacy or data use policy that covers how the Identity Provider uses and how long it retains the information collected, and what choices the user may have about the use and retention of such information. Assessors and Auditors should evaluate the Identity Provider’s data security practices, with particular attention to the occurrences of data breaches and the Identity Provider’s response. Assessors and Auditors also should evaluate whether the identity provider has training for its employees regarding the handling of user information or other means of ensuring compliance with its stated policies. In their overall assessment of the Identity Provider’s performance under these principles, Assessors and Auditors should pay particular attention to any complaints from users regarding the Identity Provider’s handling of personal information in its role as an Identity Provider, or in general, and how these complaints were resolved. In addition, Assessors and Auditors should evaluate whether the Identity Provider’s policies or procedures conform with applicable law, or in the absence of any such law, industry best practices or any guidance issued by the Federal Trade Commission or other federal agencies.