Origins of the Trustmark Framework

The concept of the Trustmark Framework (TMF) arose out of challenges related to scalable trust for federated identity within the U.S. law enforcement community.

 

Since its inception in 2005, the Global Federated Identity and Privilege Management (GFIPM) program has been working to develop a standardized architecture, specifications, and tools for enabling scalable federated identity in support of information sharing for the U.S. state and local law enforcement community. Like the National Information Exchange Model (NIEM) program, the GFIPM program originated within the Global community. And like the NIEM program, the GFIPM program succeeded in developing a collaborative, federated governance process for the development of specs, tools, and other useful artifacts.

 

But by 2012-2013, participants in the GFIPM community found that despite their success in developing a common set of technical standards and policy and governance guidelines for a federated information sharing environment, creating an actual, scalable, operational federation was fraught with challenges related to nuances in policy and legal requirements across its various participant sub-communities. Early attempts to meet these challenges revolved around the concept of “inter-federation,” in which one loosely coupled federation or community connects to another federation or community using a centrally brokered trust architecture (see diagram below). But this inter-federation strategy proved to be unworkable, even at a relatively small scale, due to policy and legal challenges.

 

Centrally Brokered Trust
Centrally Brokered Trust

 

The motivating challenges and use cases faced by the GFIPM community were quite similar to the challenges and use cases that the ISE communities now face, e.g.:

 

  1. The need to create a loosely coupled, federated environment;
  2. The need to support a wide variety of use cases within that environment;
  3. The need to support a wide variety of participating organizations within that environment; and
  4. The need to support participation of agencies and organizations from tangential communities that are not directly involved in law enforcement.

 

In response to these challenges, the Georgia Tech Research Institute (GTRI), which had been involved in the GFIPM community as an engineering partner since the GFIPM program’s inception, pursued and won a competitive grant under the National Strategy for Trusted Identities in Cyberspace (NSTIC) [1] program, for the purpose of developing and piloting a framework to solve the trust scalability problems encountered within the GFIPM community.

 

Through funding from the NSTIC program, as well as follow-up funding from PM-ISE, GTRI developed an agile and scalable Trustmark Framework (TMF) to enable organizations to establish trusted relationships based on the exchange of digital assertions (trustmarks) that convey details about each organization’s characteristics and capabilities related to security, privacy, identity, trust, and other topics. In essence, the objective of the TMF is to provide a richly expressive framework through which trust decisions can be made at the "edges" of the system rather than by a centralized trust broker in the center of it. (See diagram below.) Then, in partnership with the National Identity Exchange Federation (NIEF) [2], which serves the U.S. law enforcement community, GTRI piloted the TMF [3] to demonstrate its capabilities. In addition, in partnership with the State of Alabama, GTRI piloted the TMF in a unique cross-community use case involving the sharing of prison inmate health information with mental health and substance abuse counselors. Through this work, the TMF has demonstrated excellent potential as a basis upon which to build the ABA.

 

Direct Trust at the Edges of the System
Direct Trust at the Edges of the System

 

Footnotes:
1 Sponsored by the White House and managed by the National Institute of Standards and Technology (NIST), the NSTIC program seeks to create a vibrant identity ecosystem in which individuals and organizations can utilize secure, efficient, easy-to-use and interoperable identity credentials to access online services in a manner that promotes confidence, privacy, choice, and innovation. Since 2012, the NSTIC Program has funded a series of pilot projects to develop and deploy solutions for trusted, high-assurance digital identity. See http://www.nist.gov/nstic/ for more information about the NSTIC program.
2 NIEF is a collection of agencies in the U.S. that have come together to share sensitive law enforcement information. It was created in 2008 as an outgrowth of the GFIPM program. See https://nief.org/ for more information about NIEF.
3 See https://trustmark.gtri.gatech.edu/ for more information about the GTRI NSTIC Trustmark Pilot.

Next: Trustmark Framework in Detail