The University of Nebraska Medical Center (UNMC) is the second higher-education organization to be certified for the Bronze Identity Assurance Profile under the InCommon Assurance Program.
UNMC is also the first to use the representation of conformance method for qualifying for Bronze certification. Using this simplified approach for Bronze requires no audit; the identity provider attests to compliance by signing the assurance addendum to the InCommon participation agreement. You can see UNMC’s implementation example on the wiki (go to https://spaces.internet2.edu/x/gJmKAQ and look for “Bronze” under “implementation examples”).
“Since we were already aligned with HIPAA requirements, there were only a few things left that we had to do to qualify for Bronze,” said Sharon Welna, chief information security officer for the University of Nebraska Medical Center.
InCommon developed the assurance program as part of its mission to provide secure and privacy-preserving trust services for its participants. Enabling higher-value, higher-risk services requires increased trust by the organizations that run the identity and cloud services.
InCommon currently has two assurance profiles: Bronze and Silver. Bronze, comparable to the National Institute of Standards and Technology (NIST) level of Assurance 1, has credential security associated with basic Internet interactions. Silver, comparable to NIST’s level of Assurance 2, requires proof of identity and has security appropriate for higher-risk transactions.
Also in recent months, InCommon has made available an option (called alternative means) for achieving Silver certification that uses SafeNet tokens and multifactor authentication. The assurance program allows for such approved alternative means of satisfying the criteria that an identity provider must meet to achieve certification. More information is available at https://www.incommon.org/assurance/alternativemeans.html.
More information about the assurance program is at assurance.incommon.org.