Notice of action: The Virginia Information Technologies Agency (VITA) is announcing an opportunity for public comment on two proposed guidance documents that were developed by the Identity Management Standards Advisory Council (IMSAC) (Code of Virginia  § 2.2-437).

The Identity Management Standards Advisory Council was established to advise the Secretary of Technology on the adoption of identity management standards and the creation of guidance documents pursuant to § 2.2-436.

Regulations affected: There are no regulations affected or proposed by this action.

Purpose of notice: IMSAC is seeking comment on whether the two proposed guidance documents should be submitted as is, or if revisions should be made before the final posting.

The guidance documents were developed by the Virginia Information Technologies Agency (VITA), acting on behalf of the Secretary of Technology, and at the direction of the Identity Management Standards Advisory Council (IMSAC).  IMSAC was created by the General Assembly of the Commonwealth of Virginia in 2015 and advises the Secretary of Technology on the adoption of identity management standards and the creation of guidance documents pursuant to § 2.2-436.

The Advisory Council recommends to the Secretary of Technology guidance documents relating to  (i) nationally recognized technical and data standards regarding the verification and authentication of identity in digital and online transactions; (ii) the minimum specifications and standards that should be included in an identity trust framework, as defined in § 59.1-550, so as to warrant liability protection pursuant to the Electronic Identity Management Act (§ 59.1-550 et seq.); and (iii) any other related data standards or specifications concerning reliance by third parties on identity credentials, as defined in        § 59.1-550.

Purpose Statement for Digital Identity Assertions Guidance Document:

The purpose of this document is to establish minimum specifications for Assertions within a Digital Identity System. The minimum specifications have been designed to be conformant with NIST SP 800-63-3.  The document defines minimum requirements Assertion types, core components, presentation methods, security, and process flows, assurance levels, and privacy and security provisions for Assertions within a Digital Identity System.

The document limits its focus to Digital Identity Assertions.  Minimum specifications for other components of a Digital Identity System have been defined in separate IMSAC guidance documents in this series, pursuant to § 2.2-436 and § 2.2-437.

Purpose Statement for Federation and Participant Requirements Guidance Document:

The purpose of this document is to establish minimum specifications for electronic Federation and Participant Requirements within a Digital Identity System. The minimum specifications have been designed to be conformant with NIST SP 800-63-3. The document defines governance models, minimum requirements processes, assurance levels, and Participant Requirements for a Federated Digital Identity System.

The document limits its focus to Federation and Participant Requirements.  Minimum specifications for other components of a Digital Identity System have been defined in separate IMSAC guidance documents in this series, pursuant to §2.2-436 and §2.2-437.

The proposed guidance documents are also available with comments and proposed changes by IMSAC on the VITA website: https://www.vita.virginia.gov/About/default.aspx?id=6442474173 

Public comment period:  Oct. 31 – Dec. 1, 2016.

Public hearing: A public meeting will be held on Dec. 5, 2016, at 11 a.m. The meeting will be held at the Commonwealth Enterprise Solutions Center, 11751 Meadowville Lane, Chester VA 23836 in room 1222.

Public comment stage: The two guidance documents were developed by IMSAC and are being posted as general notices pursuant to §2.2-437.C. Proposed guidance documents, and general opportunity for oral or written submittals as to those guidance documents, shall be posted on the Virginia Regulatory Town Hall and published in the Virginia Register of Regulations as a general notice following the processes and procedures set forth in subsection B of § 2.2-4031 of the Virginia Administrative Process Act (§ 2.2-4000 et seq.). The Advisory Council shall allow at least 30 days for the submission of written comments following the posting and publication and shall hold at least one meeting dedicated to the receipt of oral comment no less than 15 days after the posting and publication.

For the purpose of defining the timeframe for public participation and comment, VITA is defining "days" as "calendar days."  IMSAC will receive public comment at its Dec. 5, 2016 meeting.  For additional information in the definition of “days,” please reference page 6 of 15 of VITA’s Information Technology Resource Management (ITRM), Policies, Standards and Guidelines (PSGs) Briefs and Supporting Documents found here: https://www.vita.virginia.gov/uploadedFiles/VITA_Main_Public/Library/PSGs/ITRMPSG_Brief_Supportdocs.pdf

IMSAC will hold a dedicated meeting to public comment on Dec. 5, 2016. Meeting details will be posted on the Commonwealth Calendar and the VITA website (https://www.vita.virginia.gov/About/default.aspx?id=6442474171 )

Description of proposal: The proposed guidance documents are being posted for review by the general public with an opportunity for public comment.

Federal information: No federal information.

How to comment: IMSAC accepts written comments by email and postal mail. In order to be considered, comments must include the full name, address, and telephone number of the person commenting and be received by VITA by the last day of the comment period. All materials received are part of the public record.

To review regulation documents: The proposed guidance documents and any supporting documents are available on the VITA website (https://www.vita.virginia.gov/About/default.aspx?id=6442474173). The documents may also be obtained by contacting the VITA representative named below.