Example: National Identity Exchange Federation
This page discusses select aspects of the use of the Assertion-Based Architecture (ABA) by members and participants within the National Identity Exchange Federation (NIEF). We present the following use cases.
- Development of ADs and APs for NIEF/FICAM Alignment
- Development of ADs and APs for Select Law Enforcement Security Policies
- Establishment of Legal Agreements for Assertion Issuance
- Issuance of Assertions to Select NIEF Members and Participants
- Establishment of a NIEF Program for Third-Party Assertion Assessors
- Publication of Assertions and Assertion Bindings in a NIEF Registry
- Use of Assertions for Trust Establishment Between NIEF Participants
Note that these are actual (not hypothetical) uses of the ABA.
NIEF comprises a collection of prominent organizations from the U.S. Law Enforcement (LE) community and other related communities that interact with LE agencies and other government agencies at the federal, state, and local levels. To enable its members and participants to better understand the broad requirements landscape related to federated identity for government agencies, and to facilitate greater alignment with those requirements, NIEF developed and published a set of Assertion Definitions (ADs) and Assertion Profiles (APs) that represent the componentization and aggregation of federated identity requirements from various sources, including NIEF’s own requirements as well as requirements from the Federal Identity, Credentialing, and Access Management (FICAM) program. These requirements covered such topics as technical interoperability with SAML, security policies, privacy policies, identity assurance policies (e.g., regarding end-user vetting, credentialing, etc.), user interface characteristics, and organizational integrity (“bona fides”). To create and publish these ADs and APs, NIEF used an early, primitive version of the Assertion Authoring and Publishing Capability (AAPC).
To enable its members and participants to better understand the broad requirements landscape related to security policy and guidance, and to facilitate greater alignment with those requirements, NIEF developed and published an additional set of ADs and APs that represent the componentization and aggregation of security-related requirements from prominent sources including NIST Special Publication 800-53, the FBI CJIS Security Policy, and others. As in the prior use case, NIEF developed and published these artifacts using an early version of the AAPC.
As a prerequisite to the issuance of assertions to NIEF’s members and participants, NIEF negotiated and executed legal agreements with over 10 agencies under the Assertion Legal Framework. The purpose and nature of these assertion recipient agreements is discussed here under the heading of Micro-Level Legal Agreement via Assertions.
Pursuant to the execution of the assertion recipient agreements discussed in the previous use case, NIEF acted in the role of Assertion Assessor, performing third-party assertion assessments and issuing assertions to various agencies. These agencies are Assertion Recipients (ARs). NIEF performed these tasks using an early version of the Assertion Assessor Capability (AAC).
During NIEF’s early use of the ABA, NIEF itself acted as the sole Assertion Assessor. But to facilitate growth and scalability of its assertion-based approach to trust and interoperability, NIEF subsequently created a pilot program whereby other third-party organizations could establish themselves as trusted Third-Party Assessors within the NIEF community. NIEF is now working with the IJIS Institute, which is authorized to issue select types of assertions to NIEF members and participants. In this role, IJIS is using an early version of the AAC. More information about this NIEF program is available here and here.
In addition to issuing and publishing assertions to select members via an early version of the AAC, NIEF has also published bindings of those assertions to the appropriate software system endpoints owned and operated by those organizations. These bindings allow Assertion Relying Parties (ARPs) to make automated or semi-automated trust decisions about partner agencies based in whole or in part on what assertions have been granted and bound to those agencies and their systems. To publish these bindings, NIEF has used an early version of the Assertion Operational Infrastructure Capability (AOIC).
As noted in the previous item, the publication of assertions and their bindings in a NIEF registry enables agencies in NIEF to use assertions as a basis for trust decisions about other agencies, and there are numerous instances in which NIEF participants are doing this in the course of fulfilling their business missions. Here are some examples.
- The Texas Dept. of Public Safety (TX DPS) uses assertions for making trust decisions about partner agencies that want to access its TXMAP mapping and “common operational picture” application for law enforcement and first responders.
- The Tennessee Dangerous Drugs Task Force uses assertions for making trust decisions for sharing drug enforcement data with its partner agencies, including the Tennessee Courts, TX DPS, Regional Information Sharing Systems (RISS), and others.
- The Alabama Center for Advanced Public Safety uses assertions for making trust decisions about partner agencies that want to access its Alabama Secure Sharing Utility for Recidivism Elimination (ASSURE) application for the sharing of mental health and substance abuse data for parolees and other former state prison inmates.
- Los Angeles County has used assertions for making trust decisions about partner agencies that want to access its Consolidated Criminal History Reporting System (CCHRS) application for sharing criminal history data.
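The use cases above describe three moving parts: ADs and APs that componentize and aggregate requirements, assertions issued by a trusted assessor (NIEF or a third-party assessor such as IJIS), and bindings that attach those assertions to a recipient's endpoints so an ARP can decide whether to trust a partner system. The following Python is an added example, not NIEF's own registry software or data format, that models these parts and the trust check an ARP would run. All identifiers, endpoints, issuer names used as trusted-issuer values, dates and the revocation/expiry fields are assumptions made for illustration; the page does not describe the registry schema.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AssertionDefinition:
    """One componentized requirement (an AD), e.g. a single SAML interoperability rule."""
    ad_id: str
    description: str


@dataclass(frozen=True)
class AssertionProfile:
    """An AP aggregates ADs; an ARP can require a whole AP in one trust policy."""
    ap_id: str
    required_ads: frozenset


@dataclass(frozen=True)
class Assertion:
    """An assessor's statement that a recipient satisfies one AD.
    Expiry and revocation fields are assumptions, not from the page."""
    assertion_id: str
    ad_id: str
    recipient: str
    issuer: str
    expires: date
    revoked: bool = False


@dataclass(frozen=True)
class Binding:
    """Ties an issued assertion to one endpoint operated by the recipient."""
    assertion_id: str
    endpoint: str


class Registry:
    """In-memory stand-in for a registry of assertions and bindings (assumed layout)."""

    def __init__(self, assertions, bindings, trusted_issuers):
        self.assertions = {a.assertion_id: a for a in assertions}
        self.bindings = list(bindings)
        # The ARP's own list of assessors it accepts; models the third-party assessor program.
        self.trusted_issuers = set(trusted_issuers)

    def satisfied_ads(self, endpoint, today):
        """AD ids backed by an assertion bound to this endpoint that is unexpired,
        unrevoked, and issued by an assessor the relying party trusts."""
        ads = set()
        for b in self.bindings:
            if b.endpoint != endpoint:
                continue
            a = self.assertions.get(b.assertion_id)
            if a is None or a.revoked or a.expires < today:
                continue
            if a.issuer not in self.trusted_issuers:
                continue
            ads.add(a.ad_id)
        return ads


def trust_decision(registry, endpoint, profile, today):
    """Return (trusted, missing): trusted is True only when every AD in the
    profile is covered by a valid bound assertion; missing lists the gaps."""
    missing = set(profile.required_ads) - registry.satisfied_ads(endpoint, today)
    return (not missing, missing)


# --- constructed sample registry: ids, endpoints, and dates are illustrative only ---
AD_SAML = AssertionDefinition("ad:saml2-sp-interop", "SAML 2.0 SP interoperability")
AD_SEC = AssertionDefinition("ad:security-policy", "Security controls (e.g. derived from SP 800-53 / CJIS)")
AD_PRIV = AssertionDefinition("ad:privacy-policy", "Privacy policy commitments")

AP_PARTNER = AssertionProfile(
    "ap:partner-sp", frozenset({AD_SAML.ad_id, AD_SEC.ad_id, AD_PRIV.ad_id})
)

TODAY = date(2024, 1, 15)
EP_A = "https://sp.agency-a.example/saml"
EP_B = "https://sp.agency-b.example/saml"

ASSERTIONS = [
    Assertion("a-001", AD_SAML.ad_id, "Agency A", "NIEF", date(2025, 1, 1)),
    Assertion("a-002", AD_SEC.ad_id, "Agency A", "IJIS", date(2025, 1, 1)),
    Assertion("a-003", AD_PRIV.ad_id, "Agency A", "NIEF", date(2025, 1, 1)),
    Assertion("b-001", AD_SAML.ad_id, "Agency B", "NIEF", date(2025, 1, 1)),
    Assertion("b-002", AD_SEC.ad_id, "Agency B", "NIEF", date(2023, 6, 30)),  # expired
    Assertion("b-003", AD_PRIV.ad_id, "Agency B", "NIEF", date(2025, 1, 1), revoked=True),
]
BINDINGS = [
    Binding("a-001", EP_A), Binding("a-002", EP_A), Binding("a-003", EP_A),
    Binding("b-001", EP_B), Binding("b-002", EP_B), Binding("b-003", EP_B),
]
REGISTRY = Registry(ASSERTIONS, BINDINGS, trusted_issuers={"NIEF", "IJIS"})

if __name__ == "__main__":
    for ep in (EP_A, EP_B):
        trusted, missing = trust_decision(REGISTRY, ep, AP_PARTNER, TODAY)
        print(ep, "trusted" if trusted else f"rejected, missing {sorted(missing)}")
```

Two design points matter for a relying party. First, the decision is made per endpoint, not per organization: an assertion granted to Agency A but bound only to one of its endpoints says nothing about a second endpoint, which is why the registry publishes bindings and not just assertions. Second, the set of accepted issuers is the ARP's own policy, so admitting a new third-party assessor is a deliberate configuration change rather than something the registry can impose.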