The Assertion-Based Architecture (ABA) includes the following capabilities:
- An Assertion Authoring and Publishing Capability that enables stakeholder organizations and communities within the ISE to develop and publish assertion definitions and assertion profiles to express their policy requirements;
- An Assertion Assessor Capability that enables ISE participants to conduct assessments of participant compliance with requirements and generate and publish assertions based on those assessments;
- An Assertion Operational Infrastructure Capability that enables ISE participants to leverage assertions and machine-readable trust policies for partner discovery and automated trust policy enforcement; and
- An Information Sharing Agreement Builder Capability that leverages the ABA to enable ISE participants to rapidly develop and execute machine-readable information sharing legal agreements with partner agencies.
Each of these capabilities is represented in the diagram below.
Note, as indicated by the blue arrow in the above diagram, that ICIF governance is a critical aspect of each capability. As you will learn, each of these capabilities contains certain ICIF-level governance structures to ensure the proper operation of the capability itself. But in addition, each capability is designed to enable stakeholder agencies and stakeholder communities to engage with the capability and embrace it to meet their specific needs at various stages of their IS&S missions.
We discuss each ABA capability in brief within the following subsections.
The Assertion Authoring and Publishing Capability (AAPC) enables IS&S stakeholder organizations and communities to manage all activities associated with the development, componentization, harmonization, aggregation, publication, and lifecycle management of assertion definitions and assertion profiles. The AAPC includes the following components.
- It includes a robust set of software tools to support assertion definition and assertion profile authoring, allowing for any number of stakeholder groups to develop assertion definitions and assertion profiles without the need for custom software scripts or detailed knowledge of the underlying normative specification.
- It includes standard facilities to enable easy search and discovery of existing assertion definitions and assertion profiles, to facilitate wide adoption and reuse of existing assertion artifacts and encourage stakeholder groups and communities to pursue strategies of artifact reuse rather than wasteful and counterproductive redevelopment of existing artifacts.
- It includes facilities to support the creation of collaborative online workspaces for assertion definition and assertion profile development by various stakeholder groups, in support of their respective governance models and processes.
- It includes facilities to provide assistance in governance and harmonization efforts for assertion definitions and assertion profiles developed by various stakeholder groups, to ensure that the landscape of assertion definitions and assertion profiles evolves in a manner that is logically coherent and not chaotic or counterproductive to the vision of the ICIF.
See this page for more about the Assertion Authoring and Publishing Capability.
The Assertion Assessor Capability (AAC) is designed to enable the growth of a thriving ISE Assessment Ecosystem in which ISE participants can undergo assessments and receive assertions based on those assessments, to demonstrate their compliance with trust criteria imposed by their prospective information sharing partner agencies. The AAC includes the following components.
- It includes an Assertion Assessment Management Capability (AAMC), a software tool to enable assessors to perform assessments, manage the assessment lifecycles for those assessments, issue assertions based on those assessments, and manage the lifecycles for assertions issued.
- It includes Policy and Agreement Artifacts to enable assessors to establish appropriate policies for the issuance of assertions and enter into legal agreements with the organizations that receive and/or rely upon the assertions issued.
- It includes a Third-Party Assessor Onboarding Program that provides training to entities that want to perform “third-party” assessments and issue assertions to other entities as a business. This program enables entities to become familiar with the use of the AAMC and the policy and agreement artifacts before beginning to perform third-party assessments and issue assertions to other entities. Each entity that completes this onboarding program gets registered as a Qualified Third-Party Assessor in an Assessor Registry.
- It includes a Self-Assessment Onboarding Program that provides training to entities that want to perform self-assessments and issue assertions to themselves. This program enables entities to become familiar with the use of the AAMC and the policy and agreement artifacts before beginning to perform self-assessments and issue assertions to themselves. Each entity that completes this onboarding program gets registered as a Qualified Self-Assessor in an Assessor Registry.
- It includes an Assessor Registry that maintains a record of each Qualified Third-Party Assessor and Qualified Self-Assessor. Inclusion in the registry is intended to indicate endorsement of an entity’s basic understanding of, and competence in, the issuance of assertions in either a self-assessment or third-party assessment capacity.
See this page for more about the Assertion Assessor Capability.
The Assertion Operational Infrastructure Capability (AOIC) enables ISE participants to take advantage of machine-readable assertions, machine-readable trust policies, and cryptographic bindings of assertions to system and application endpoints, to enable automated partner discovery and automated trust policy enforcement within the ISE, thereby increasing agility and speed of ISE participants. The following is a partial list of AOIC components.
- The AOIC includes a Service Endpoint and Assertion Registry (SEAR) that stores assertions made about ISE participants, trust policies published by ISE participants, and bindings of those assertions and trust policies to system and application endpoints owned by those ISE participants.
- It includes a SEAR Query Tool and a SEAR Gap Analysis Tool to support a variety of search, discovery, matching, and gap analysis use cases based on data within the registry. For example, the following search concepts are supported by the query tool.
  - “Which systems operated by agencies within New Jersey conform to trust policy X?”
  - “How close are Org. A and Org. B to a state of mutual trust interoperability for use case Y?”
  - “List all agencies in Texas that have a published trust policy that Org. C is able to satisfy through its current set of assertions.”
- It includes a SEAR Pub/Sub Tool to support a publish/subscribe model for monitoring changes to systems and the assertions bound to those systems. For example, an agency could subscribe to be notified if any assertions bound to System X become revoked or expired.
- It includes a SEAR Assertion Relying Party Guide that provides instructions for using the registry and guidance for relying on assertions properly (e.g., how to properly validate an assertion’s digital signature, how to validate that the assertion is not revoked, how to ensure that the assertion is bound to the right subject, etc.), and also describes in detail how to use the AOIC to establish assertion-based trust relationships within the ISE.
- It includes a SEAR Assertion Relying Party Implementer Toolkit: a set of software libraries, tools, and APIs that implementers can use for parsing, using, and relying upon assertions at “trust time” and “run time”. These software components simplify the process of “ABA Enablement” for both new and legacy systems and applications, making the implementation process easier for all ISE participants.
See this page for more about the Assertion Operational Infrastructure Capability, including the full list of its components.
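The matching and gap analysis queries described above, together with the relying-party checks for revocation, expiry, and subject binding, can be illustrated with a short sketch. This is an added example, not code from the ICIF or the Implementer Toolkit: the record shapes, identifiers, the `trusted_issuers` field, and the sample data are all assumptions, and each assertion's digital signature is assumed to have been verified already.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Assertion:              # constructed record shape, not the SEAR schema
    definition: str           # assertion definition the assessment covered
    subject: str              # endpoint the assertion is bound to
    issuer: str               # assessor that issued it
    expires: datetime
    revoked: bool = False

@dataclass(frozen=True)
class TrustPolicy:            # constructed shape; trusted_issuers is an assumption
    name: str
    required: frozenset       # definitions a partner endpoint must hold
    trusted_issuers: frozenset

def usable(a, endpoint, policy, now):
    """Relying-party checks: right subject, accepted assessor, not revoked, not expired."""
    return (a.subject == endpoint and a.issuer in policy.trusted_issuers
            and not a.revoked and a.expires > now)

def gap(policy, endpoint, assertions, now):
    """Required definitions the endpoint cannot back with a usable assertion."""
    held = {a.definition for a in assertions if usable(a, endpoint, policy, now)}
    return policy.required - held

def satisfied_policies(policies, endpoint, assertions, now):
    """Names of the policies whose gap for this endpoint is empty."""
    return sorted(p.name for p in policies if not gap(p, endpoint, assertions, now))

# Constructed sample data: one endpoint, its assertions, four published policies.
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
LATER, EARLIER = datetime(2025, 1, 1, tzinfo=UTC), datetime(2024, 1, 1, tzinfo=UTC)
EP, THIRD = "https://orgc.example/query", frozenset({"assessor-1"})
ASSERTIONS = [
    Assertion("mfa-required", EP, "assessor-1", LATER),
    Assertion("audit-logging", EP, "assessor-1", EARLIER),          # expired
    Assertion("background-checks", EP, "assessor-1", LATER, True),  # revoked
    Assertion("privacy-training", EP, "self:orgc", LATER),          # self-assessed
    Assertion("encryption-at-rest", "https://orgc.example/other", "assessor-1", LATER),
]
POLICIES = [
    TrustPolicy("policy-A", frozenset({"mfa-required"}), THIRD),
    TrustPolicy("policy-B", frozenset({"mfa-required", "audit-logging", "background-checks"}), THIRD),
    TrustPolicy("policy-C", frozenset({"mfa-required", "privacy-training"}), THIRD | {"self:orgc"}),
    TrustPolicy("policy-D", frozenset({"privacy-training"}), THIRD),
]
```

An assertion that is expired, revoked, bound to a different endpoint, or issued by an assessor the policy does not accept contributes nothing toward satisfying that policy, which is why the gap must be recomputed whenever an assertion's status changes.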
The Information Sharing Agreement Builder Capability (ABC) enables ISE participants to rapidly develop and execute machine-readable information sharing legal agreements with partner agencies. It includes a suite of software tools and supporting infrastructure to enable authoring and sharing of bilateral and multilateral legal agreements between ISE participants, using the assertion-based trust model of the ABA. The ABC supports a variety of features in support of this purpose, including:
- Collaborative development of information sharing agreements among IS&S stakeholders;
- Execution of information sharing agreements among IS&S stakeholders;
- Templatization of information sharing agreements and agreement components into reusable agreement templates and component templates (e.g., preamble templates, role and responsibility templates, liability clause templates, etc.) that enable IS&S stakeholders to leverage each other’s prior work and avoid gratuitous variation from artifacts previously proven to be sufficient; and
- Lifecycle management of existing information sharing agreements, including agreement publication, agreement renewal and renegotiation, agreement deprecation, etc.
See this page for more about the Agreement Builder Capability.