Virginia Regulatory Town Hall
Agency
Identity Management Standards Advisory Council
Board
Identity Management Standards Advisory Council

General Notice
Proposed IMSAC Guidance Documents on Trust Frameworks and Identity Proofing & Verification
Date Posted: 6/14/2016
Expiration Date: 7/15/2016
Submitted to Registrar for publication: YES
31 Day Comment Forum closed. Began on 6/14/2016 and ended 7/15/2016   [1 comments]

Notice of action: The Virginia Information Technologies Agency (VITA) is announcing an opportunity for public comment on two proposed guidance documents that were developed by the Identity Management Standards Advisory Council (IMSAC) (Code of Virginia  § 2.2-437).

The Identity Management Standards Advisory Council is established to advise the Secretary of Technology on the adoption of identity management standards and the creation of guidance documents pursuant to § 2.2-436.

Regulations affected: There are no regulations affected or proposed by this action.

Purpose of notice: IMSAC is seeking comment on whether the two proposed guidance documents should be submitted as is, or if revisions should be made before the final posting.

The guidance documents have been developed by the Virginia Information Technologies Agency (VITA), acting on behalf of the Secretary of Technology, and at the direction of the Identity Management Standards Advisory Council (IMSAC).  IMSAC was created by the General Assembly of the Commonwealth of Virginia in 2015 and advises the Secretary of Technology on the adoption of identity management standards and the creation of guidance documents pursuant to §2.2-436.

The Advisory Council recommends to the Secretary of Technology guidance documents relating to (i) nationally recognized technical and data standards regarding the verification and authentication of identity in digital and online transactions; (ii) the minimum specifications and standards that should be included in an identity trust framework, as defined in §59.1-550, so as to warrant liability protection pursuant to the Electronic Identity Management Act (§59.1-550 et seq.); and (iii) any other related data standards or specifications concerning reliance by third parties on identity credentials, as defined in §59.1-550.

Purpose statement for Identity Proofing & Verification guidance document:

The purpose of this document is to establish minimum specifications for identity proofing and verification to enable registration and electronic authentication events within a trust-based identity management system.  The document assumes that the identity management system will be supported by a trust agreement, compliant with Applicable Law.[1] 

The document limits its focus to identity proofing and verification components of trust-based identity management systems.  Minimum specifications for other components of an identity management system will be defined in separate IMSAC guidance documents in this series, pursuant to §2.2-436 and §2.2-437.

The document defines minimum requirements, components, process flows, levels of assurance and privacy and security provisions for identity proofing and verification. The document assumes that specific business, legal and technical requirements for identity proofing and verification will be established in the trust agreement for each distinct identity management system, and that these requirements will be designed based on the specific level of assurance model supported by the system.

Purpose statement for Trust Frameworks guidance document:

 The purpose of this document is to establish minimum specifications for operational trust frameworks to enable and support a trust-based identity management system.  The document assumes that the identity management system’s trust framework will be compliant with Applicable Law.[2] 

The document limits its focus to operational trust frameworks for identity management systems.  Minimum specifications for other components of an identity management system will be defined in separate IMSAC guidance documents in this series, pursuant to §2.2-436 and §2.2-437.

The document defines minimum requirements, components, and related provisions for operational trust frameworks. The document assumes that specific trust frameworks will address the business, legal and technical requirements for each distinct identity management system, and that these requirements will be designed based on the specific level of assurance model supported by the system.

The proposed guidance documents are also available with comments and proposed changes by the IMSAC council on the VITA website: https://www.vita.virginia.gov/About/default.aspx?id=6442474173 

Public comment period:  June 14 – July 15, 2016.

Public hearing: A public meeting will be held on June 30, 2016 at 11 a.m. The meeting will be held at the Commonwealth Enterprise Solutions Center, 11751 Meadowville Lane, Chester VA 23836 in room 1222.

Public comment stage: The two guidance documents were developed by the IMSAC and are being posted as general notices pursuant to §2.2-437.C. Proposed guidance documents and general opportunity for oral or written submittals as to those guidance documents shall be posted on the Virginia Regulatory Town Hall and published in the Virginia Register of Regulations as a general notice following the processes and procedures set forth in subsection B of § 2.2-4031 of the Virginia Administrative Process Act (§ 2.2-4000 et seq.). The Advisory Council shall allow at least 30 days for the submission of written comments following the posting and publication and shall hold at least one meeting dedicated to the receipt of oral comment no less than 15 days after the posting and publication.

For the purpose of defining the timeframe for public participation and comment, VITA is defining "days" as "calendar days."  IMSAC will receive public comment at its June 2016 meeting.  For additional information on the definition of “days,” please reference page 6 of 15 of VITA’s Information Technology Resource Management (ITRM), Policies, Standards and Guidelines (PSGs) Briefs and Supporting Documents found here: https://www.vita.virginia.gov/uploadedFiles/VITA_Main_Public/Library/PSGs/ITRMPSG_Brief_Supportdocs.pdf

IMSAC will hold a meeting dedicated to public comment on June 30, 2016. Meeting details will be posted on the Commonwealth Calendar and the VITA website: https://www.vita.virginia.gov/About/default.aspx?id=6442474171

Description of proposal: The proposed guidance documents are being posted for review by the general public with an opportunity for public comment.

Federal information: No federal information.

How to comment: IMSAC accepts written comments by email and postal mail. In order to be considered, comments must include the full name, address and telephone number of the person commenting and be received by VITA by the last day of the comment period. All materials received are part of the public record.

To review regulation documents: The proposed guidance documents and any supporting documents are available on the VITA website https://www.vita.virginia.gov/About/default.aspx?id=6442474173. The documents may also be obtained by contacting the VITA representative named below.


 

 


[1] For the purpose of this guidance document, the term “Applicable Law” shall mean laws, statutes, regulations and rules of the jurisdiction in which each participant of a trust-based identity management system operates.

[2] For the purpose of this guidance document, the term “Applicable Law” shall mean laws, statutes, regulations and rules of the jurisdiction in which the Participants of a trust-based identity management system operate.


Contact Information
Name / Title: Janice Akers 
Address: Virginia Information Technologies Agency
11751 Meadowville Lane
Chester, 23836
Email Address: Janice.Akers@vita.virginia.gov
Telephone: (804)416-6083