From ea6f7165f5455f6b5946dee6812d07cf8d38d511 Mon Sep 17 00:00:00 2001 From: Jack Cody Date: Fri, 8 Nov 2024 15:27:32 -0600 Subject: [PATCH 1/9] Add layout --- .../determining-your-assurance-level.html | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 _layouts/partners/determining-your-assurance-level.html diff --git a/_layouts/partners/determining-your-assurance-level.html b/_layouts/partners/determining-your-assurance-level.html new file mode 100644 index 000000000..949d238b2 --- /dev/null +++ b/_layouts/partners/determining-your-assurance-level.html @@ -0,0 +1,25 @@ +--- +layout: base +--- +
+ {% include skip_nav.html %} + {% include banner.html %} + {% include partners/header.html %} +
+
+
+
+
+

{{ page.title }}

+
+
+
+
+ {{ content }} +
+
+
+
+
+{% include partners/partners-banner.html %} +{% include partners/footer.html %} From 780ddbfb1859b0b9af8c906aa3c8d3dc1dfe0167 Mon Sep 17 00:00:00 2001 From: Jack Cody Date: Fri, 8 Nov 2024 15:27:43 -0600 Subject: [PATCH 2/9] Add nav --- _data/nav.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/_data/nav.yml b/_data/nav.yml index cedbe9678..eb171d937 100644 --- a/_data/nav.yml +++ b/_data/nav.yml @@ -18,6 +18,7 @@ partners: policies: '$BASE_URL/policy/' what_is_login_gov: '$BASE_URL/about-us/' partners: + determining_your_assurance_level: '$BASE_URL/partners/determining-your-assurance-level/' developer_guide: 'https://developers.login.gov' get_started: '$BASE_URL/partners/get-started/' security_experience: '$BASE_URL/partners/security-experience/' From ff74f4394a4f00f2a8f331454fe30c6924a311b1 Mon Sep 17 00:00:00 2001 From: Jack Cody Date: Fri, 8 Nov 2024 15:27:54 -0600 Subject: [PATCH 3/9] Add layout --- _includes/partners/header.html | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/_includes/partners/header.html b/_includes/partners/header.html index c632b647e..cd7efd1db 100644 --- a/_includes/partners/header.html +++ b/_includes/partners/header.html @@ -67,6 +67,14 @@ Security experience +
  • + + Determining your assurance level + +
  • Date: Fri, 8 Nov 2024 15:28:07 -0600 Subject: [PATCH 4/9] Add article --- .../determining-your-assurance-level._en.md | 95 +++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100644 content/_partners/determining-your-assurance-level._en.md diff --git a/content/_partners/determining-your-assurance-level._en.md b/content/_partners/determining-your-assurance-level._en.md new file mode 100644 index 000000000..6d1a06657 --- /dev/null +++ b/content/_partners/determining-your-assurance-level._en.md @@ -0,0 +1,95 @@ +--- +layout: partners/determining-your-assurance-level +permalink: /partners/determining-your-assurance-level/ +title: >- + Determining your assurance level +--- + +## About assurance levels + +Assurance levels (also called “Service levels,” or “Levels of Assurance”) is a general term referring to the trustworthiness of a given transaction. Assurance levels are considered essential components of identity systems, due to the underlying complexity of identity verification processes. Generally, the higher the Service Levels, the greater the trustworthiness of the authentication and verification processes that occurred for a specific transaction and identity. + +Assurance levels can be general or specific. NIST’s 800-63 publication previously was a monolithic Level of Assurance (LOA) in revisions 1 and 2. Revision 3, the current version, distinguishes between the level of confidence in an identity proofing process (IAL), authentication assurance level (AAL), and federation assurance level (FAL). + +**Examples:** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Assurance Level TypeAuthentication Assurance Level (AAL)Identity Assurance Level (IAL)
    FocusVerifying the user is associated with an existing account + Verifying the legitimacy of the identity information when creating an + account +
    TechniquesPasswords, MFA + Credential issuance, document verification, data validation, biometrics +
    NIST Standards + NIST SP 800-63B + + NIST SP 800-63A +
    Levels of AssuranceAAL1, AAL2, AAL3IAL1, IAL2, IAL3
    + +### Guidance on assurance levels from OMB and NIST +Determining the right level of identity assurance is an important consideration when integrating your use case with Login.gov. This ensures you strike the appropriate balance between usability and identity fraud mitigation. It also ensures you are compliant. OMB Memo 19-17 requires agencies to incorporate Digital Identity Risk Management (DIRA) as defined in NIST Special Publication 800-63 into their processes. The ICAM Subcommittee developed a playbook that outlines a Digital Identity Risk Assessment (DIRA) process to help federal agency Chief Information Officer (CIO) and Chief Information Security Officer (CISO) teams and business application owners: + +- Update and maintain consistent processes; +- Determine whether an agency application requires a DIRA; +- Integrate DIRA into agency Risk Management Framework (RMF) processes; and +- Learn practices to implement DIRA processes. + +### What Identity Assurance Level (IAL) does your application need? + +If your application has an account, we recommend you complete the Digital Identity Risk Management (DIRA) process to determine IAL-level according to NIST 800-63 revision 3. We’ve extrapolated the following from the DIRA shortcut guide: + +**Login.gov’s Authentication-only service (IAL1 in 800-63 rev 3) may be the appropriate service if ALL of the following are true:** + +- Your application does not provide Controlled Unclassified Information (CUI) to the public. +- Your application does not allow users to complete a financial transaction or provide banking information. +- Your application does not allow users to request records +- Your application does not require users to verify their Personally Identifiable Information (PII) or Protected Health Information (PHI) of other people. 
+ +**Login.gov’s IAL2 Identity Verification (IdV) services may be the appropriate service if ANY of the following are true:** + +- Your application provides access to Controlled Unclassified Information (CUI) +- Your application allows users to complete a financial transaction or provide banking information +- Your application allows users to request records +- Your application requires users to verify their PII or PHI + +**Login.gov also offers a IdV service without a facial matching step.** + +We encourage agencies to leverage our IAL2 workflow from a compliance and anti-fraud perspective. For agencies that do not need IAL2 compliance, but desire document verification in addition to a username and password, we offer a version of identity verification that does not include a facial matching step. There is no cost difference between this and our IAL2 service. + +NIST is in the process of drafting a fourth revision of 800-63 that includes an updated set of assurance levels. We plan to support these assurance levels, but will not be able to provide guidance on them until the final version is published. From a5b3e2ca8fbe1d7a8dcef9441776345df982272c Mon Sep 17 00:00:00 2001 From: Jack Cody Date: Fri, 8 Nov 2024 15:33:57 -0600 Subject: [PATCH 5/9] Change list style --- content/_partners/determining-your-assurance-level._en.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/_partners/determining-your-assurance-level._en.md b/content/_partners/determining-your-assurance-level._en.md index 6d1a06657..4b17e647c 100644 --- a/content/_partners/determining-your-assurance-level._en.md +++ b/content/_partners/determining-your-assurance-level._en.md 
@@ -65,10 +65,10 @@ Assurance levels can be general or specific. OMB Memo 19-17 requires agencies to incorporate Digital Identity Risk Management (DIRA) as defined in NIST Special Publication 800-63 into their processes. The ICAM Subcommittee developed a playbook that outlines a Digital Identity Risk Assessment (DIRA) process to help federal agency Chief Information Officer (CIO) and Chief Information Security Officer (CISO) teams and business application owners: -- Update and maintain consistent processes; -- Determine whether an agency application requires a DIRA; -- Integrate DIRA into agency Risk Management Framework (RMF) processes; and -- Learn practices to implement DIRA processes. +1. Update and maintain consistent processes; +2. Determine whether an agency application requires a DIRA; +3. Integrate DIRA into agency Risk Management Framework (RMF) processes; and +4. Learn practices to implement DIRA processes. ### What Identity Assurance Level (IAL) does your application need? From 28a002d049587e86249c14f2ee7918516e55a961 Mon Sep 17 00:00:00 2001 From: Jack Cody Date: Fri, 8 Nov 2024 16:00:01 -0600 Subject: [PATCH 6/9] Add plural name --- _data/nav.yml | 2 +- _includes/partners/header.html | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/_data/nav.yml b/_data/nav.yml index eb171d937..684570dad 100644 --- a/_data/nav.yml +++ b/_data/nav.yml @@ -18,7 +18,7 @@ partners: policies: '$BASE_URL/policy/' what_is_login_gov: '$BASE_URL/about-us/' partners: - determining_your_assurance_level: '$BASE_URL/partners/determining-your-assurance-level/' + assurance_levels: '$BASE_URL/partners/determining-your-assurance-level/' developer_guide: 'https://developers.login.gov' get_started: '$BASE_URL/partners/get-started/' security_experience: '$BASE_URL/partners/security-experience/' diff --git a/_includes/partners/header.html b/_includes/partners/header.html index cd7efd1db..569ca8997 100644 --- a/_includes/partners/header.html 
+++ b/_includes/partners/header.html @@ -72,7 +72,7 @@ class="usa-nav__link {% if page.url contains '/determining-your-assurance-level' %}usa-current{% endif %}" href="{{ '/partners/determining-your-assurance-level/' | locale_url }}" > - Determining your assurance level + Assurance levels
  • From 029e48976e06edb36be548740eaba82c2be65717 Mon Sep 17 00:00:00 2001 From: Jack Cody Date: Tue, 12 Nov 2024 14:57:59 -0600 Subject: [PATCH 7/9] Remove key --- _data/nav.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/_data/nav.yml b/_data/nav.yml index 684570dad..cedbe9678 100644 --- a/_data/nav.yml +++ b/_data/nav.yml @@ -18,7 +18,6 @@ partners: policies: '$BASE_URL/policy/' what_is_login_gov: '$BASE_URL/about-us/' partners: - assurance_levels: '$BASE_URL/partners/determining-your-assurance-level/' developer_guide: 'https://developers.login.gov' get_started: '$BASE_URL/partners/get-started/' security_experience: '$BASE_URL/partners/security-experience/' From 7fab259dac07b75ee6637f3fb44842624dc5bf54 Mon Sep 17 00:00:00 2001 From: jc-gsa <104452882+jc-gsa@users.noreply.github.com> Date: Wed, 13 Nov 2024 15:37:25 -0600 Subject: [PATCH 8/9] Update content/_partners/determining-your-assurance-level._en.md Co-authored-by: Andrew Duthie <1779930+aduth@users.noreply.github.com> --- content/_partners/determining-your-assurance-level._en.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/_partners/determining-your-assurance-level._en.md b/content/_partners/determining-your-assurance-level._en.md index 4b17e647c..610352da4 100644 --- a/content/_partners/determining-your-assurance-level._en.md +++ b/content/_partners/determining-your-assurance-level._en.md @@ -16,9 +16,9 @@ Assurance levels can be general or specific. - Assurance Level Type - Authentication Assurance Level (AAL) - Identity Assurance Level (IAL) + Assurance Level Type + Authentication Assurance Level (AAL) + Identity Assurance Level (IAL) From 54c20cc88e2947acd1a3706ee01a60100748c351 Mon Sep 17 00:00:00 2001 From: Jack Cody Date: Thu, 14 Nov 2024 13:16:17 -0500 Subject: [PATCH 9/9] Change external link class --- .../determining-your-assurance-level._en.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/content/_partners/determining-your-assurance-level._en.md b/content/_partners/determining-your-assurance-level._en.md index 610352da4..22102bde5 100644 --- a/content/_partners/determining-your-assurance-level._en.md +++ b/content/_partners/determining-your-assurance-level._en.md @@ -7,9 +7,9 @@ title: >- ## About assurance levels -Assurance levels (also called “Service levels,” or “Levels of Assurance”) is a general term referring to the trustworthiness of a given transaction. Assurance levels are considered essential components of identity systems, due to the underlying complexity of identity verification processes. Generally, the higher the Service Levels, the greater the trustworthiness of the authentication and verification processes that occurred for a specific transaction and identity. +Assurance levels (also called “Service levels,” or “Levels of Assurance”) is a general term referring to the trustworthiness of a given transaction. Assurance levels are considered essential components of identity systems, due to the underlying complexity of identity verification processes. Generally, the higher the Service Levels, the greater the trustworthiness of the authentication and verification processes that occurred for a specific transaction and identity. -Assurance levels can be general or specific. NIST’s 800-63 publication previously was a monolithic Level of Assurance (LOA) in revisions 1 and 2. Revision 3, the current version, distinguishes between the level of confidence in an identity proofing process (IAL), authentication assurance level (AAL), and federation assurance level (FAL). +Assurance levels can be general or specific. NIST’s 800-63 publication previously was a monolithic Level of Assurance (LOA) in revisions 1 and 2. Revision 3, the current version, distinguishes between the level of confidence in an identity proofing process (IAL), authentication assurance level (AAL), and federation assurance level (FAL). **Examples:** 
@@ -42,14 +42,14 @@ Assurance levels can be general or specific. NIST SP 800-63B NIST SP 800-63A @@ -63,7 +63,7 @@ Assurance levels can be general or specific. OMB Memo 19-17 requires agencies to incorporate Digital Identity Risk Management (DIRA) as defined in NIST Special Publication 800-63 into their processes. The ICAM Subcommittee developed a playbook that outlines a Digital Identity Risk Assessment (DIRA) process to help federal agency Chief Information Officer (CIO) and Chief Information Security Officer (CISO) teams and business application owners: +Determining the right level of identity assurance is an important consideration when integrating your use case with Login.gov. This ensures you strike the appropriate balance between usability and identity fraud mitigation. It also ensures you are compliant. OMB Memo 19-17 requires agencies to incorporate Digital Identity Risk Management (DIRA) as defined in NIST Special Publication 800-63 into their processes. The ICAM Subcommittee developed a playbook that outlines a Digital Identity Risk Assessment (DIRA) process to help federal agency Chief Information Officer (CIO) and Chief Information Security Officer (CISO) teams and business application owners: 1. Update and maintain consistent processes; 2. Determine whether an agency application requires a DIRA; 
@@ -72,7 +72,7 @@ Determining the right level of identity assurance is an important consideration ### What Identity Assurance Level (IAL) does your application need? -If your application has an account, we recommend you complete the Digital Identity Risk Management (DIRA) process to determine IAL-level according to NIST 800-63 revision 3. We’ve extrapolated the following from the DIRA shortcut guide: +If your application has an account, we recommend you complete the Digital Identity Risk Management (DIRA) process to determine IAL-level according to NIST 800-63 revision 3. We’ve extrapolated the following from the DIRA shortcut guide: **Login.gov’s Authentication-only service (IAL1 in 800-63 rev 3) may be the appropriate service if ALL of the following are true:**
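Review bot: In PATCH 2/9, the `determining_your_assurance_level` key added to `_data/nav.yml` is not what the header link uses. The `header.html` lines visible in PATCH 6/9 build the link from the literal `'/partners/determining-your-assurance-level/' | locale_url`, and PATCH 7/9 deletes the key again after PATCH 6/9 renames it. Drop the `nav.yml` changes from the series (squash 2/9, the `nav.yml` hunk of 6/9, and 7/9 away), or have the header read the URL from `nav.yml` so the path is defined in one place.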
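Review bot: In PATCH 4/9, the last item of the "ALL of the following" list ("does not require users to verify their Personally Identifiable Information (PII) or Protected Health Information (PHI) of other people") is not the negation of the matching "ANY" item ("requires users to verify their PII or PHI"). An application that only verifies a user's own PII can therefore satisfy both lists and be pointed at both the authentication-only and the IAL2 service. Word the two items as exact opposites, either both with "of other people" or both without. In the same hunk, DIRA is expanded as both "Digital Identity Risk Management" and "Digital Identity Risk Assessment", the "request records" item is the only one in its list without a closing period, and "a IdV service" should read "an IdV service".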
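Review bot: In PATCH 5/9, the four items renumbered "1." to "4." are things the playbook helps teams do, joined by "; and" as one sentence, not steps carried out in sequence, so the numbering implies an order the lead-in does not state. Keep the "-" bullets unless the order matters, and if it does, say so in the sentence that introduces the list.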