1. Identity Ecosystem Framework and Charter Gap Analysis

2. Putting It All Together to Form Enforceable “Operating Rules”* 2 Contract(s): “I Agree” to... Existing Law Warranties Dispute Resolution Measure of Damages Enforcement Mechanisms Termination Rights Liability for Losses Existing Law Privacy Standards Privacy Standards Credential Issuance Credential Issuance Authentication Requirements Authentication Requirements Reliance Rules Audit & Assessment Oversight Audit & Assessment Oversight Credential Management Security Standards Security Standards Identity Proofing Identity Proofing Technical Specifications Enrolment Rules Enrolment Rules Business and Technical Rules Legal Rules (Contractual) Enforcement Element * Content on this slide created by Thomas Smedinghoff of Edwards Wildman Palmer LLP

3. IE Framework Proposed Components 3 Existing Law Warranties Dispute Resolution Measure of Damages Enforcement Mechanisms Termination Rights Liability for Losses Operating Rules (Business and Technical) Legal Rules (Contractual) NSTIC Strategy Document Accreditation/ Certification Rules Security Standards Privacy Policies and Rules Identity Proofing Standards Technical and Process Standards and Specs Credential Management Rules Authentication Rules Risk and Assurance Models/Rules Risk and Assurance Models/Rules Interoperability Rules Usability and Accessibility Guidelines Attribute Management Rules Enrollment and Registration Rules Data Management/ Transmission Rules Data Management/ Transmission Rules Additional IDESG Needs IDESG Sustainment Plan Participant Business Models Red Circles = Potential component additions to Tom Smedinghoff’s concept

4. Committee-Framework Gap Analysis 4 Framework ComponentLead Committee (Today)* Technical and Process Standards and SpecificationsStandards Committee Credential Management RulesGAP Authentication RulesSecurity Committee Risk and Assurance Models/RulesSecurity Committee Enrollment/Registration RulesGAP Identity Proofing StandardsStandards Committee Privacy Policies and RulesPrivacy Committee Security StandardsSecurity Committee Accreditation and Certification RulesAccreditation/Trust Framework Committee Attribute Management RulesGAP Data Management and Transmission RulesSecurity Committee Usability/Accessibility GuidelinesUser Experience Committee Interoperability RulesAccreditation/Trust Framework Committee IDESG Sustainment ModelManagement Council Participant Business Models and Value PropositionsGAP Legal RulesLiability and Contract Committee * Committees that are not listed (Health Care, Financial, Communications, Policy, International) have a contributory and advisory role – to contribute and advise on requirements for their respective domains/sectors to develop these Framework Components.

5. Charter-Framework Gap Analysis 5 Framework ComponentLead Committee(s) Charter Mention Technical and Process Standards and Specifications Standards Committee Addressed in current charter--Scope and Deliverables Credential Management RulesGAPN/A Authentication RulesSecurity Committee Addressed in current charter--Scope and Objectives Risk and Assurance Models/RulesSecurity Committee Not specifically addressed in current charter– may be part of the Security Model deliverable which is included. Enrollment/Registration RulesGAPN/A Identity Proofing StandardsStandards CommitteeNot specifically addressed in current charter Privacy Policies and RulesPrivacy CommitteeAddressed in current charter Security StandardsSecurity CommitteeAddressed in current charter Accreditation and Certification RulesAccreditation/Trust Framework CommitteeAddressed in current Accreditation Attribute Management RulesGAPN/A Data Management and Transmission RulesSecurity Committee Not specifically addressed in current charter-- could be part of Security Model deliverable which is included. Usability/Accessibility GuidelinesUser Experience CommitteeDeliverables not addressed in charter Interoperability RulesAccreditation/Trust Framework Committee Not specifically addressed in the Accreditation or TF charters. IDESG Sustainment ModelManagement Council Specified in RoA (Fiduciary and Administrative Responsibility) Participant Business Models and Value Propositions GAPN/A Legal RulesLiability and Contract CommitteeNot specifically addressed in current charter

6. A.General: 1.Establish an Identity Ecosystem (IE) Operating Rules Committee to manage the maintenance of the IE Framework, identify gaps in the Framework, and where necessary develop components to fill those gaps. 2.Establish a Business Model Committee to create participant business models and value propositions; these are not necessarily “framework components” but are vital to promoting adoption of the Identity Ecosystem. B.Credential Management Rules and Enrollment/Registration Rules: 1.Designate the Operating Rules Committee as the lead; these components do not fit clearly into the purpose and scope of existing committees and this committee is intended to address such gaps. Or 2.Designate the Accreditation/Trust Framework (TF) Committee as the lead; the committee could address these as part of the accreditation process for IE participants. Filling the Gaps—Recommendations 6

7. 7 C.Attribute Management Rules: 1.Establish an Attribute Management Committee as the lead; this component does not fit clearly into the purpose and scope of existing committees and the level of work needed to develop requirements for the IE attribute trust model necessitates the creation of a dedicated committee. Or 2.Designate the Accreditation/TF Committee as the lead; the committee could address these rules as part of the accreditation process for IE participants. Additionally, some trust frameworks have begun efforts to address attribute management—this committee would be best placed to liaise with the trust frameworks and incorporate these efforts.

8. Filling the Gaps—Recommendations 8 D.Interoperability Rules: 1.Designate the Accreditation/TF Committee as the lead; this committee will need to develop a means to ensure interoperability in the IE for adopted standards and specifications as part of the accreditation process for participants. This committee will need to work closely with the Standards Committee in the development of interoperability rules. Or 2.Designate the Standards Committee as the lead; this committee will have the responsibility for reviewing and recommending standards and specifications for adoption and could also lead the development of interoperability rules for the implementation of adopted standards and specifications.

9. Filling the Gaps—Recommendations 9 E.Data Management and Transmission Rules: 1.Designate the Security Committee as the lead with significant input from the Privacy Committee; Data Management and Transmission Rules are intended to address the specifications and controls for data interface, transmission, receipt and recording/maintenance which are primarily security issues. Or 2.Designate the Privacy Committee and Security Committee as co-leads with responsibility for the Data Management and Transmission Rules which fall under their respective charters. Regardless of how the lead is established for this framework component, there will need to be significant coordination between these committees.