Assertion Assessor Capability

Introduction

We have previously introduced the ABA’s Assertion Assessor Capability (AAC) here. To summarize, the AAC is designed to enable the growth of a thriving ISE Assessment Ecosystem in which ISE participants can undergo assessments and receive assertions based on those assessments, in order to demonstrate their compliance with the trust criteria imposed by their prospective information sharing partner agencies. We cover the following topics on this page.

High-Level Overview of AAC Components

The AAC comprises the following components.

  1. An Assertion Assessment Management Capability (AAMC) that enables assessors to perform assessments, manage the lifecycle of each assessment, issue assertions based on completed assessments, and manage the lifecycle of each assertion issued.
  2. Policy and Agreement Artifacts that enable assessors to establish appropriate policies for the issuance of assertions and to enter into legal agreements with the entities that receive and/or rely upon the assertions issued.
  3. A Third-Party Assessor Onboarding Program that trains entities wanting to perform “third-party” assessments and offer assertions to other entities as a business. The program familiarizes them with the AAMC and the Policy and Agreement Artifacts before they begin performing third-party assessments and issuing assertions to other entities. Each entity completing the program is registered as a Qualified Third-Party Assessor in the Assessor Registry.
  4. A Self-Assessment Onboarding Program that trains entities wanting to perform self-assessments and issue assertions to themselves. The program familiarizes them with the AAMC and the Policy and Agreement Artifacts before they begin performing self-assessments and issuing assertions to themselves. Each entity completing the program is registered as a Qualified Self-Assessor in the Assessor Registry.
  5. An Assessor Registry that records each Qualified Third-Party Assessor and Qualified Self-Assessor. Inclusion in the registry indicates endorsement of an entity’s basic understanding of, and competence in, the issuance of assertions in either a self-assessment or a third-party assessment capacity.

AAC Components in Greater Depth

This section discusses each AAC component from the previous section in more detail.

Assertion Assessment Management Capability

The Assertion Assessment Management Capability (AAMC) is a cloud-based software-as-a-service (SaaS) component that entities use to perform self-assessments and third-party assessments and to manage their results. It has the following characteristics:

  1. It enables users to load assertion definitions (ADs) and assertion profiles (APs) published through the Assertion Authoring and Publishing Capability (AAPC), so that assessments can be performed in accordance with the requirements specified in those ADs and APs.
  2. It enables users to perform assessments (self-assessments and third-party assessments) in accordance with the assessment steps specified within ADs. Specifically, it captures the user’s response to each assessment step together with the digital evidence that supports that response.
  3. It enables users to generate reports capturing the current status of one or more assessments and to share those reports with others through a secure web interface. This feature facilitates and encourages communication between assessors and the entities they assess about the details of each assessment.
  4. It enables users to generate, cryptographically sign, and publish assertions based on assessments that have been completed successfully.
  5. It allows for the publication and ongoing maintenance of assertion status reports (ASRs), which relying parties query for the latest status of an assertion (e.g., “active”, “expired”, or “revoked”). A valid signature shows only that an assertion was issued; the ASR is what shows whether it is still in force.
  6. It enables users to revoke assertions when necessary, both individually and in bulk, the latter for cases such as termination of a legal agreement or compromise of a private key used to sign assertions.
  7. It supports reissuance of assertions and supersession of expired assertions with new ones, for cases in which an assertion has expired and a new assertion is needed.
  8. It allows each Qualified Third-Party Assessor and Qualified Self-Assessor to maintain a separate instance of the AAMC, using a custom domain and custom skinning to support the entity’s brand identity as appropriate.
  9. It allows each Qualified Third-Party Assessor and Qualified Self-Assessor to choose among several options for storing the digital evidence collected during its assessments. For example, one option may be to store evidence locally within the cloud host that runs the entity’s AAMC instance, while another may be to offload evidence storage to a private account within the Amazon Simple Storage Service (S3). This feature accommodates entities that do not want to store sensitive assessment artifacts within a cloud-based system that is not fully under their control.
  10. It allows each Qualified Third-Party Assessor and Qualified Self-Assessor to administer a team of users with access to the assessment capability, such that each user has an individual account and the AAMC keeps an audit log of every action taken by each user.
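Items 4 through 7 above describe one lifecycle: an assertion is signed and published, its status is queried through an ASR, it is revoked singly or in bulk after a key compromise, and it is superseded once it expires. The Go program below is an added example written for this page; it is not AAMC code, and the ABA’s actual assertion format is not shown here. It assumes a hypothetical JSON payload (fields id, assessor, recipient, key_id, issued_at, expires_at, supersedes), Ed25519 signatures from Go’s standard library, and an in-memory Store standing in for the assessor’s ASR backend.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Assertion is a hypothetical payload shape; the ABA's own AD/AP schema is not shown on this page.
type Assertion struct {
	ID         string    `json:"id"`
	Assessor   string    `json:"assessor"`
	Recipient  string    `json:"recipient"`
	KeyID      string    `json:"key_id"` // names the signing key; bulk revocation keys on this
	IssuedAt   time.Time `json:"issued_at"`
	ExpiresAt  time.Time `json:"expires_at"`
	Supersedes string    `json:"supersedes,omitempty"` // ID of the expired assertion this one replaces
}
type Signed struct{ Payload, Signature []byte } // published form: exact payload bytes plus Ed25519 signature
type Store struct {                             // assessor-side state an assertion status report (ASR) is answered from
	pubKeys     map[string]ed25519.PublicKey
	assertions  map[string]Assertion
	revoked     map[string]string // assertion ID -> reason
	revokedKeys map[string]bool   // key ID -> compromised, or agreement terminated
}

func NewStore() *Store {
	return &Store{map[string]ed25519.PublicKey{}, map[string]Assertion{}, map[string]string{}, map[string]bool{}}
}
func (s *Store) RegisterKey(keyID string, pub ed25519.PublicKey) { s.pubKeys[keyID] = pub }

// Issue signs the assertion and records it so its status can be reported; a revoked key cannot issue.
func (s *Store) Issue(priv ed25519.PrivateKey, a Assertion) (Signed, error) {
	if _, ok := s.pubKeys[a.KeyID]; !ok || s.revokedKeys[a.KeyID] {
		return Signed{}, fmt.Errorf("key id %q is unregistered or revoked", a.KeyID)
	}
	payload, _ := json.Marshal(a) // a struct of strings and times always marshals
	s.assertions[a.ID] = a
	return Signed{payload, ed25519.Sign(priv, payload)}, nil
}

// Verify checks the signature with the key the payload names; a revoked assertion still verifies, so also consult Status.
func (s *Store) Verify(sg Signed) (Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(sg.Payload, &a); err != nil {
		return Assertion{}, err
	}
	if pub, ok := s.pubKeys[a.KeyID]; !ok || !ed25519.Verify(pub, sg.Payload, sg.Signature) {
		return Assertion{}, fmt.Errorf("bad signature or unknown key id %q", a.KeyID)
	}
	return a, nil
}

// Status is the ASR lookup; revocation is checked before expiry so a revoked assertion never degrades to "expired".
func (s *Store) Status(id string, now time.Time) string {
	a, ok := s.assertions[id]
	_, rev := s.revoked[id]
	switch {
	case !ok:
		return "unknown"
	case rev || s.revokedKeys[a.KeyID]:
		return "revoked"
	case !now.Before(a.ExpiresAt):
		return "expired"
	}
	return "active"
}

// Revoke withdraws one assertion; RevokeKey bulk-revokes everything signed under a compromised key and marks the key.
func (s *Store) Revoke(id, reason string) { s.revoked[id] = reason }
func (s *Store) RevokeKey(keyID, reason string) (n int) {
	s.revokedKeys[keyID] = true
	for id, a := range s.assertions {
		if a.KeyID == keyID {
			s.Revoke(id, reason)
			n++
		}
	}
	return n
}

// Reissue supersedes an expired assertion; active ones are not replaced early and revoked ones are not resurrected.
func (s *Store) Reissue(priv ed25519.PrivateKey, oldID, newID string, now time.Time, validFor time.Duration) (Signed, error) {
	if st := s.Status(oldID, now); st != "expired" {
		return Signed{}, fmt.Errorf("cannot supersede %q with status %q", oldID, st)
	}
	a := s.assertions[oldID]
	a.ID, a.Supersedes, a.IssuedAt, a.ExpiresAt = newID, oldID, now, now.Add(validFor)
	return s.Issue(priv, a)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s, now := NewStore(), time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	s.RegisterKey("assessor-key-1", pub)
	s.Issue(priv, Assertion{ID: "asrt-1", Assessor: "Example Assessor", Recipient: "Example Agency", KeyID: "assessor-key-1", IssuedAt: now, ExpiresAt: now.AddDate(1, 0, 0)})
	fmt.Println(s.Status("asrt-1", now), s.Status("asrt-1", now.AddDate(2, 0, 0)), s.RevokeKey("assessor-key-1", "key compromise"), s.Status("asrt-1", now))
}
```

Two points the code makes explicit that the list leaves implicit: Verify still succeeds on a revoked assertion, so a relying party must query Status (the ASR) as well as checking the signature; and a bulk key revocation both withdraws every assertion already signed under the key and blocks further issuance under it, which is the behaviour a compromised private key calls for.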

Policy and Agreement Artifacts

The Policy and Agreement Artifacts allow for the establishment of appropriate legal relationships to underpin the issuance and use of assertions in both the self-assessment and third-party assessment cases. These artifacts exist as a set of policy and agreement templates that Qualified Third-Party Assessors and Qualified Self-Assessors can use either as-is or with appropriate modification. There are two sets of template artifacts: one for assertions based on third-party assessments, and the other for assertions based on self-assessments. Each set of template artifacts contains the following:

  1. An Assertion Policy Template that specifies the terms and conditions under which an assertion is issued, as well as the terms and conditions of its use;
  2. An Assertion Recipient Agreement Template that specifies the legal contract between the assessor and the assertion recipient; and
  3. An Assertion Relying Party Agreement Template that specifies the legal contract between the assessor and the party that relies upon the assertion for the purpose of trusting the assertion recipient.

Third-Party Assessor Onboarding Program

The Third-Party Assessor Onboarding Program provides prospective third-party assessors with the training and tools that they need to begin performing third-party assessments and issuing assertions to other entities. This program includes the following components and characteristics:

  1. It includes a comprehensive training program covering the fundamentals of the ABA as well as proper use of the AAMC and the Policy and Agreement Artifacts for third-party assessments. The training program includes online documentation and tutorials, plus a series of online/virtual training sessions.
  2. It includes the provisioning and setup of a dedicated, cloud-based instance of the AAMC. The setup includes initial configuration and “skinning” to match the assessor's business branding preferences, as well as initial setup of the capability with ADs and APs based on the assessor's business needs and plans.
  3. It includes the execution of a service-level agreement (SLA) that stipulates the terms and conditions for use of the AAMC by the assessor.

Self-Assessment Onboarding Program

The Self-Assessment Onboarding Program provides prospective self-assessors with the training and tools that they need to begin performing self-assessments and issuing assertions to themselves based on those assessments. This program is very similar to the Third-Party Assessor Onboarding Program: it includes a training program, provisioning and setup of an AAMC instance, and execution of an SLA; however, each of these components is tailored to self-assessment and self-issuance of assertions.

Assessor Registry

The Assessor Registry is a web-facing, searchable database of entities (businesses and other organizations) that have taken the necessary steps to become Qualified Third-Party Assessors and/or Qualified Self-Assessors. Each registered entity has a dedicated page with basic information, including:

  1. “Bona Fides” information (type of business, history, etc.);
  2. Point of Contact for assessment-related inquiries;
  3. Types of assessments offered (e.g., via a list of ADs and/or APs); and
  4. Branding/Skinning in accordance with the entity’s preferences.

This registry is centrally maintained and updated on behalf of the ISE communities, and its contents are read-only for listed assessors and those who do business with them.