Delivering Identity Assurance: You must be certified

We need to be sure that before any of the identity assurance framework suppliers begin providing services to departments, they are certified as being capable of delivering proof of identity as defined in the Government’s Good Practice Guides.

The Cabinet Office has joined a standards certification organisation (tScheme), who will be one of the initial certification bodies to provide the necessary independent assessment of the framework suppliers for compliance with the guides.

What does certification mean?

When a provider is certified it means they have demonstrated that they have met standards for providing a trusted, reliable and secure service. Those standards are defined and published by the Cabinet Office and the National Technical Authority (CESG).

Certification will also mean that standards are consistently applied and the identities they prove are reusable across national and local government.

tScheme

tScheme is an independent, industry-led, self-regulatory scheme. It was set up to create strict assessment criteria, based on industry best practice, for Trust Services (professional assurance and advisory services that address the risks and opportunities of digital technology) such as Identity Assurance.

It’s similar to the US Kantara Initiative, and we are working with both to try and ensure that their certifications are globally interoperable and mutually recognised.

Membership of tScheme is available to all interested sectors of industry, and a broad range of organisations are already represented and contributing to its development.

tScheme particularly welcome the contributions from representatives of end users – people who need to rely on Trust Services.

What does this mean for suppliers?

Certification provides suppliers with a consistent benchmark for their services, and gives them confidence that their services are robust and reliable. It is how government, and users, will know that the suppliers can be trusted.

Organisations who play a part in a process like Identity Assurance must be trusted to protect and manage user data, and users must remain in control of the data they disclose and how it is used.

8 comments

  1. Possibly a silly question – and I may not be reading the article correctly – but shouldn’t the providers be certified *before* being appointed?

  2. Page 16 of the HMRC Digital Strategy says:
    “The HMRC Digital Solutions Programme (DSP) will deliver a government wide capability that implements a package of measures including new identity verification processes that proves that customers are who they say they are.”

    How does this HMRC work relate to the DWP work on identity for Universal Credit?

    1. Thank you for your comments.

      Regarding the provider’s certification, being on the supplier framework does not guarantee an active (call-off) contract. The award of a call-off contract and the provision of identity services by a supplier will depend on the supplier meeting certain requirements, including certification.

      The HMRC work relates in the same way as any central government department wanting to access online identity assurance services. These services are being created as a cross-government ‘platform’ that will benefit users by being reusable for any online government service requiring proof of identity.

      Hope this answers your questions.

      1. Thanks Steve.

        Sorry – I’m sure I’m making a balls-up of understanding this. Why are HMRC and DWP building their own ‘platforms’ that any online government service requiring proof of identity can use? I thought that the DWP / Universal Credit work was THE platform that all other departments would use. Are you saying that there’ll be multiple platforms? With a single log in?

  3. Thanks for your reply,

    We (IDAP) are currently building a single platform that any department which wants to can use. As departments come on board, users will (subject to their choice) be able to use a single log on to access multiple services.

  4. What will be role or strengths of each individual supplier? Also where can I read about Identity Assurance framework?

    1. Thanks for your questions,

      Information about the framework should be available on the Government Procurement Service website shortly.

      Regarding the role or strengths of the suppliers, all suppliers who are successfully called off the framework to provide ID Assurance services will need to provide a service in line with the standards as laid out in our Good Practice Guides. As long as the standards can be met and the supplier certified by our recognised Assessors (see this post) we have not specified any preferred solution by which the provider will assure the identity with the user. This will enable us to benefit from innovation and allow novel and SME providers to participate in the future.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s