Virginia Regulatory Town Hall
Agency: Identity Management Standards Advisory Council
Board: Identity Management Standards Advisory Council

General Notice
Proposed IMSAC Guidance Documents on Electronic Authentication and Authenticators & Lifecycle Management
Date Posted: 8/4/2016
Expiration Date: 9/9/2016
Submitted to Registrar for publication: NO
32 Day Comment Forum closed. Began on 8/8/2016 and ended 9/9/2016

Notice of action: The Virginia Information Technologies Agency (VITA) is announcing an opportunity for public comment on two proposed guidance documents that were developed by the Identity Management Standards Advisory Council (IMSAC) (Code of Virginia  § 2.2-437).

The Identity Management Standards Advisory Council is established to advise the Secretary of Technology on the adoption of identity management standards and the creation of guidance documents pursuant to § 2.2-436.

Regulations affected: There are no regulations affected or proposed by this action.

Purpose of notice: IMSAC is seeking comment on whether the two proposed guidance documents should be submitted as is, or whether revisions should be made before the final posting.

The guidance documents have been developed by the Virginia Information Technologies Agency (VITA), acting on behalf of the Secretary of Technology, and at the direction of the Identity Management Standards Advisory Council (IMSAC).  IMSAC was created by the General Assembly of the Commonwealth of Virginia in 2015 and advises the Secretary of Technology on the adoption of identity management standards and the creation of guidance documents pursuant to §2.2-436.

The Advisory Council recommends to the Secretary of Technology guidance documents relating to (i) nationally recognized technical and data standards regarding the verification and authentication of identity in digital and online transactions; (ii) the minimum specifications and standards that should be included in an identity trust framework, as defined in §59.1-550, so as to warrant liability protection pursuant to the Electronic Identity Management Act (§59.1-550 et seq.); and (iii) any other related data standards or specifications concerning reliance by third parties on identity credentials, as defined in §59.1-550.

Purpose statement for Electronic Authentication guidance document:

The purpose of this document is to establish minimum specifications for electronic authentication within an identity management system.  The document assumes that the identity management system will be supported by a trust framework, compliant with Applicable Law.* The minimum specifications have been stated based on language in NIST SP 800-63-3.

The document defines minimum requirements, components, process flows, assurance levels and privacy and security provisions for electronic authentication. The document assumes that specific business, legal and technical requirements for electronic authentication will be established in the trust framework for each distinct identity management system, and that these requirements will be designed based on the Identity Assurance Level (IAL) and Authenticator Assurance Level (AAL) requirements for the system.

The document limits its focus to electronic authentication.  Minimum specifications for other components of an identity management system will be defined in separate IMSAC guidance documents in this series, pursuant to §2.2-436 and §2.2-437.

Purpose statement for Authenticators & Lifecycle Management guidance document:

The purpose of this document is to establish minimum specifications for authenticators and lifecycle management within an identity management system.  The document assumes that the identity management system will be supported by a trust framework, compliant with Applicable Law.*  The minimum specifications have been stated based on language in NIST SP 800-63B.

The document defines minimum requirements, assurance levels, and privacy and security provisions for authenticators and lifecycle management. The document assumes that specific business, legal and technical requirements for authenticators will be established in the trust framework for each distinct identity management system, and that these requirements will be designed based on the Identity Assurance Level (IAL) and Authenticator Assurance Level (AAL) requirements for the system.

The document limits its focus to authenticators and lifecycle management.  Minimum specifications for other components of an identity management system will be defined in separate IMSAC guidance documents in this series, pursuant to §2.2-436 and §2.2-437.

The proposed guidance documents are also available with comments and proposed changes by the IMSAC council on the VITA website: https://www.vita.virginia.gov/About/default.aspx?id=6442474173 

Public comment period:  August 8 - September 9, 2016.

Public hearing: A public meeting will be held on September 12, 2016 at 11 a.m. The meeting will be held at the Commonwealth Enterprise Solutions Center, 11751 Meadowville Lane, Chester VA 23836.

Public comment stage: The two guidance documents were developed by the IMSAC and are being posted as general notices pursuant to §2.2-437.C. Proposed guidance documents and general opportunity for oral or written submittals as to those guidance documents shall be posted on the Virginia Regulatory Town Hall and published in the Virginia Register of Regulations as a general notice following the processes and procedures set forth in subsection B of § 2.2-4031 of the Virginia Administrative Process Act (§ 2.2-4000 et seq.). The Advisory Council shall allow at least 30 days for the submission of written comments following the posting and publication and shall hold at least one meeting dedicated to the receipt of oral comment no less than 15 days after the posting and publication.

For the purpose of defining the timeframe for public participation and comment, VITA is defining "days" as "calendar days." IMSAC will receive public comment at its September 2016 meeting. For additional information on the definition of “days,” please reference page 6 of 15 of VITA’s Information Technology Resource Management (ITRM), Policies, Standards and Guidelines (PSGs) Briefs and Supporting Documents found here: https://www.vita.virginia.gov/uploadedFiles/VITA_Main_Public/Library/PSGs/ITRMPSG_Brief_Supportdocs.pdf

IMSAC will hold a meeting dedicated to the receipt of oral comment on September 12, 2016. Meeting details will be posted on the Commonwealth Calendar and the VITA website (https://www.vita.virginia.gov/About/default.aspx?id=6442474171).

Description of proposal: The proposed guidance documents are being posted for review by the general public with an opportunity for public comment.

Federal information: No federal information.

How to comment: IMSAC accepts written comments by email and postal mail. In order to be considered, comments must include the full name, address and telephone number of the person commenting and be received by VITA by the last day of the comment period. All materials received are part of the public record.

To review regulation documents: The proposed guidance documents and any supporting documents are available on the VITA website (https://www.vita.virginia.gov/About/default.aspx?id=6442474173). The documents may also be obtained by contacting the VITA representative named below.

* For the purpose of this guidance document, the term “Applicable Law” shall mean laws, statutes, regulations and rules of the jurisdiction in which each participant in an identity management system operates.

 


Contact Information
Name / Title: Janice Akers 
Address: Virginia Information Technologies Agency
11751 Meadowville Lane
Chester, VA 23836
Email Address: Janice.Akers@vita.virginia.gov
Telephone: (804)416-6083