Trustmark Definition Name | Version |
---|---|
Relying Parties must request attribute references in place of attributes when they are a viable option. Attribute references are derived attributes that answer a question that could also be answered by revealing the attribute's value, for example, asking whether the subject is over 18 as opposed to asking the subject's age. | 1.0 |
Authenticated and Protected Channels will be used for all communication between the IdP, Subscriber, and RP. | 1.0 |
Relying Parties must make sure that all assertions include an audience that includes the RP within its membership. | 1.0 |
Relying Parties must prove possession of the key specified within holder-of-key assertions. If they do not, such assertions are not qualified for FAL3 and should be treated as bearer assertions. | 1.0 |
Relying Parties must require assertions to be encrypted or delivered via protected and authenticated channels. | 1.0 |
Relying Parties must validate the assertion integrity by verifying the assertion signature using approved cryptography. | 1.0 |
Relying Parties must validate a baseline set of assertion elements including the signature, the issuer, the time validity window, and the audience restriction. | 1.0 |
The use of proxies within a federation must not incorrectly present the Federation Assurance Level (FAL) to any relying parties. All proxies must strictly advertise the lowest FAL that they operate at as the only FAL they operate at for the purposes of considering the FAL for any transaction using the proxy. | 1.0 |
Defines conformance and assessment criteria for compliance with minimum security requirements for FICAM approved products as related to overall identification and authentication requirements. | 1.0 |
Defines conformance and assessment criteria for compliance with minimum security requirements for FICAM approved third-party credentials for non-organizational users as related to overall identification and authentication requirements. | 1.0 |
Defines conformance and assessment criteria for compliance with minimum security requirements for FICAM issued profiles as related to overall identification and authentication requirements. | 1.0 |
Approved cryptography hardware devices must be used to ensure overall system security. Systems should be validated for FIPS 140 compliance level. | 1.0 |
Approved cryptography hardware devices must be used to ensure physical security. Systems should be validated for FIPS 140 compliance level. | 1.0 |
Approved cryptography verifiers must be used to ensure overall system security. Systems should be validated for FIPS 140 compliance level. | 1.0 |
Addresses the requirement for PKI key generation to be performed using a FIPS approved method. | 1.0 |
Addresses the requirement for PKI key generation to be performed using a FIPS equivalent international standard. | 1.0 |
Addresses the requirement for cryptographic keying material used to sign certificates, CRLs or status information by Organization CAs to be generated in FIPS 140 validated cryptographic modules. | 1.0 |
Defines conformance and assessment criteria for compliance with minimum security requirements for FIPS-201 approved PIV products as related to overall system and services acquisition requirements. | 1.0 |
Defines conformance and assessment criteria for compliance with minimum security requirements for fire protection as related to overall physical and environmental protection requirements. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization employs fire detection devices/systems for the information system that activate automatically and notify defined personnel or roles and defined emergency responders in the event of a fire. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization ensures that the facility undergoes inspections by authorized and qualified inspectors at an organization-defined frequency and resolves identified deficiencies within an organization-defined time period. | 1.0 |
Defines conformance and assessment criteria for verifying that an organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to defined personnel or roles and defined emergency responders. | 1.0 |
This Trustmark Definition addresses organizational requirements to implement firmware integrity verification tools for information systems. | 1.0 |
Defines conformance and assessment criteria for compliance with minimum security requirements for flaw identification, reporting, and correction as related to overall system and information integrity requirements. | 1.0 |