Phishing-Resistant Authenticator Product Criteria
Version 1.5
April 2023
Version Number | Date | Change Description |
---|---|---|
1.5 | 04/2023 | Initial draft |
Objective
The GSA Office of Government-wide Policy, Office of Technology Policy, Identity Assurance and Trusted Access Division (IATAD) is establishing product criteria and a vetting process to accelerate federal adoption of phishing-resistant authenticators across federal agencies. This process leverages a combination of independent certification bodies, third-party audit organizations, and testing facilities aligned with the NIST 800-63 digital identity guidelines to ensure interoperability, security, and resiliency in support of federal mandates to move toward passwordless authentication.
Summary
Office of Management and Budget (OMB) Memorandum M-22-09, Federal Zero Trust Strategy, dated January 26, 2022, encourages federal agencies to pursue greater use of phishing-resistant multi-factor authenticators as they modernize their agency-managed identity systems.
This includes:
- Identifying methods to leverage passwordless authenticators.
- Replacing memorized secrets with a minimum phishing-resistant alternative such as FIDO2/WebAuthn.
Enterprise-wide implementation should support centralized management of these authentication methods, connected to current identity management systems. Agencies are encouraged to procure phishing-resistant authenticators that meet third-party standards aligned with NIST 800-63 guidelines relating to digital identity security, interoperability, and resiliency.
Scope
The scope of this product list is to leverage third-party certification and testing organizations to identify phishing-resistant authenticators that meet NIST 800-63 standards. The criteria are scoped to work as an accelerator that guides federal agencies in adopting phishing-resistant authenticators as they modernize their identity management systems. The first set of third-party testing and standards organizations to be recognized includes the Fast Identity Online (FIDO) Alliance and the Kantara Initiative.
Process overview
The GSA IATAD will use existing resources to verify vendor submissions. The anticipated effort is low, based on an initial vendor market review.
- Application – The application is posted on idmanagement.gov and manually submitted to the IATAD through the icam@gsa.gov email. The vendor enters into an agreement with GSA based on the FIPS 201 Evaluation Program Vendor Agreement, which outlines roles and responsibilities for product listing; however, third-party criteria will be used for vetting.
- Processing – Applications are processed on the first of every month, and monthly updates will be provided. The schedule is adjusted based on the volume of submissions or other factors.
- Review process – The application is assigned a product list number for tracking, and the application is verified to contain all necessary information and links to validate a vendor's compliance with an external certification body.
- Decision – If all information is verified and validated, the vendor and product are listed on the product list available at idmanagement.gov/acquisition-professionals/#products.
- Maintenance – Vendors are required to provide timely updates on changes to their product certification.
- Removal – If a vendor fails to provide accurate information, or an issue is found that brings the product's security and resiliency into question, the product is moved to the Removed Product List and the community is notified of its removal through idmanagement.gov, the ICAMSC, and the Digital Identity Community of Practice, as well as federal acquisition channels.
Part of this process also includes recognizing external certification and testing processes. These bodies include the Fast Identity Online (FIDO) Alliance and the Kantara Initiative, but others may be used and assessed as identified by either agencies or vendors. Recognized organizations will sign an agreement with GSA that defines their roles and responsibilities, their conformance schema, and their testing processes, as well as GSA's participation or interaction with the entity.
Product list criteria
The questionnaire is intended to provide a consistent and standard way to receive feedback. These questions are to be used for initial vetting of vendor products to achieve interoperability, security, and reliability assurances. The questionnaire collects input on the security compliance status of proposed products based on federal guidelines, such as external-body conformance testing and certification to NIST 800-63, FIPS 140 certification, and supply chain security. Vendors are encouraged to complete the questionnaire to the maximum extent possible and to provide artifacts that validate their inputs.
Once approved, the product will be listed on idmanagement.gov and shared through federal security and acquisition communities.
Vendor information
Vendor name:
Product name:
Date:
# | Question | Answer | Evidence |
---|---|---|---|
1 | Which external certification body has certified or assessed your product to a NIST 800-63-3 assurance level? Provide certification documentation. | | |
2 | Which FIPS 140 certification level(s) applies to your product? | | |
3 | Is the product TAA compliant? | | |
4 | What artifacts support supply chain security and software bill of materials (SBOM) measures? | | |
5 | Does the product have a vulnerability management cycle? | | |
6 | What methods are used for product security and interoperability testing? | | |
7 | How often are security and interoperability testing conducted? | | |
8 | What product implementation documentation applies? Provide links for evidence. | | |
9 | How does your product map to a FICAM practice area or CDM architecture? | | |
10 | Does the product or vendor have other certifications recognized by the US Government? | | |
Conclusion
Phishing-resistant product vetting criteria will help accelerate federal government adoption and support OMB Memo M-22-09 objectives. The intent of these criteria is to leverage third-party certification bodies and testing processes that conform or align to NIST 800-63-3 standards. Such organizations include the FIDO Alliance and the Kantara Initiative.