Identity Evidence - Evidence Strength for IAL3, v3.0

Requirements for types of evidence collected as part of identity proofing for identity assurance level 3.

Assessment Steps (2)

1
Evidence Collected (EvidenceCollected)
Does the CSP collect satisfactory evidence confirming the applicant's identity? It must collect:
  1. Two pieces of SUPERIOR evidence; OR
  2. One piece of SUPERIOR evidence and one piece of STRONG evidence IF the STRONG evidence's issuing source, during its identity proofing event, confirmed the claimed identity by collecting two or more forms of SUPERIOR or STRONG evidence AND the CSP validates the evidence directly with the issuing source; OR
  3. Two pieces of STRONG evidence plus one piece of FAIR evidence.
. Provide documentation of which ones of the above the CSP uses (they can use any or all of them).
Artifact
Documentation
Provide policies and practices indicating conformance.
2
Evidence Justification (EvidenceJustification)
Does the CSP's Credential Policy document the strength of each form of evidence it collects when collecting evidence from applicants? The strengths assigned must align with NIST 800-63-3 Section 5-1. Provide the details for each type of evidence the CSP uses.
Artifact
Documentation
Provide policies and practices indicating conformance.

Conformance Criteria (2)

Evidence Collected
The CSP SHALL collect from the Applicant / Service Consumer identity evidence of appropriate strength, as determined by the further requirements in NIST 800-63-3 Section 5-1. The CSP SHALL collect:
  1. Two pieces of SUPERIOR evidence; OR
  2. One piece of SUPERIOR evidence and one piece of STRONG evidence IF the STRONG evidence's issuing source, during its identity proofing event, confirmed the claimed identity by collecting two or more forms of SUPERIOR or STRONG evidence AND the CSP validates the evidence directly with the issuing source; OR
  3. Two pieces of STRONG evidence plus one piece of FAIR evidence.
.
Citation
SP800-63A
Section 4.5.2 (IAL3)
Evidence Justification
The CSP SHALL document its justification, for each form of evidence it recognises and collects in fulfilling its CrP and these criteria, of how the strength of the evidence it collects satisfies the qualities identified in NIST 800-63-3 Section 5-1.
Citation
SP800-63A
Section 4.5.2 (IAL3)