A.2 Identity Proofing Process Documentation

SP 800-63A section 4.2 #6 requires the CSP to document the identity proofing and enrollment processes in an applicable written policy or practice statement that specifies the steps used to perform identity proofing and enrollment processes. Such documented policies and procedures are fundamental controls and prerequisite for transparency, accountability, quality control, auditability, and interoperability among federated communities. The documentation, dissemination, review and update for identity management processes and controls represent a fundamental control under NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations control IA-1: Identification and Authentication Policy and Procedures applicable to low, moderate and high control baselines.

This documentation should present all of the specific steps involved for identity proofing and enrolling applicants into the CSP identity system. The process documentation should also present the procedures for addressing errors and circumstances that result in failure to successfully enroll applicants in the identity system. Such circumstances that may result in the inability or failure to complete the identity proofing and enrollment processes include:

• Applicant abandons the identity proofing and enrollment processes;
• Applicant fails to provide mandatory attribute information;
• Identity evidence of required strength is not provided;
• Identity evidence is rejected following inspection;
• Identity evidence and information do not correlate;
• Information from identity evidence is not validated by issuing or authoritative sources at the required strength;
• Identity evidence verification of binding to the applicant fails; and
• Applicant fails to confirm enrollment code within its validity period.

SP 800-63A does not specify required actions or procedures to address such circumstances. The CSP should determine the appropriate processing steps for doing so and include applicable written documentation in the identity proofing procedural documentation.

It also is recommended that this documentation include the information and activities that would be collected, recorded, and maintained in enrollment records and audit logs of identity proofing activities and events. Key security-related activities and steps for such enrollment records and documentation associated with the identity proofing process may include:

• Identity information collected;
• Identity evidence provided;
• Identity evidence validated;
• Identity evidence validation source;
• Identity evidence binding verification method;
• Identity evidence verification result;
• Enrollment code confirmation result;
• Enrollment result; and
• Authenticator registration.

For the preparation of identity proofing and enrollment procedural documentation, CSPs may find it useful to consult the reference guidance published by the MITRE Corporation in May 2020 entitled Enrollment and Identity Proofing Practices Statement Templates: Supporting Remote Proofing in accordance with NIST SP 800-63A Identity Assurance Levels 2 & 3 [MITRE Practices Statement Guide]. This guidance document provides a methodology, process flow, and customizable templates for government agencies to use in developing identity proofing and enrollment process documentation in the form of an Enrollment and Identity Proofing Practices Statement. The scope of this guidance for the development of identity proofing practices statement documentation is IAL2 remote identity proofing and IAL3 supervised remote identity proofing. The guidance also provides sample templates for recording key security-related activities for enrollment records. This reference guidance may be useful to agencies and organizations in the development of identity proofing and enrollment practices statement documentation.