We need to be sure that before any of the identity assurance framework suppliers begin providing services to departments, they are certified as being capable of delivering proof of identity as defined in the Government’s Good Practice Guides.
The Cabinet Office has joined a standards certification organisation (tScheme), which will be one of the initial certification bodies to provide the necessary independent assessment of the framework suppliers for compliance with the guides.
What does certification mean?
When a provider is certified it means they have demonstrated that they have met standards for providing a trusted, reliable and secure service. Those standards are defined and published by the Cabinet Office and the National Technical Authority (CESG).
Certification will also mean that standards are consistently applied and that the identities providers prove are reusable across national and local government.
tScheme is an independent, industry-led, self-regulatory scheme. It was set up to create strict assessment criteria, based on industry best practice, for Trust Services (professional assurance and advisory services that address the risks and opportunities of digital technology) such as Identity Assurance.
It’s similar to the US Kantara Initiative, and we are working with both to try to ensure that their certifications are globally interoperable and mutually recognised.
Membership of tScheme is available to all interested sectors of industry, and a broad range of organisations are already represented and contributing to its development.
tScheme particularly welcomes contributions from representatives of end users – people who need to rely on Trust Services.
What does this mean for suppliers?
Certification provides suppliers with a consistent benchmark for their services, and gives them confidence that their services are robust and reliable. It is how government, and users, will know that the suppliers can be trusted.
Organisations who play a part in a process like Identity Assurance must be trusted to protect and manage user data, and users must remain in control of the data they disclose and how it is used.