Virginia Regulatory Town Hall
Agency: Identity Management Standards Advisory Council
Board: Identity Management Standards Advisory Council

2 comments

10/12/17  9:14 am
Commenter: Timothy Reiniger, Reiniger LLC

Points for Clarification
 

Thank you for this excellent document. Three points for clarification:

1. Is the reference to "Certification Authorities" (starting on page 6) intended to encompass/include "Trust Framework Providers" as referenced in NIST/IDESG/and other global identity forums?

2. This statement appears on page 10 - "IMSAC shall maintain and publish on the VITA website a list of eligible certification authorities." How does a Certification Authority qualify/become deemed eligible to be listed on the VITA website? Will the Certification Authority first need to be on the approved US federal ICAM/FICAM lists (or the equivalent lists in the European Union or elsewhere)?

3. On page 11 appears the statement that a Certification Authority "must be a legal entity with the requisite standing to perform certifications of compliance of identity trust framework operators within the Commonwealth of Virginia." Is the reference to "standing" intended to mean "legal standing," such as to require the Certification Authority to make certain corporate filings/status along with the appointment of a corporate agent in Virginia?

CommentID: 62928
 

10/24/17  9:21 am
Commenter: Scott Shorter, KUMA LLC

Kantara Initiative questions and comments
 

Thank you for this opportunity to comment. These comments are derived from a review period involving Kantara Initiative leadership and staff, the chair and vice-chair of the Identity Assurance Working Group, and the editor of the Identity Assurance Framework. Comments and questions are grouped by document below.

Guidance Document 3 - Privacy, Security and Confidentiality

3.1 We note that a selection of specific security controls is identified in the Privacy, Security and Confidentiality guidance document. We recommend consideration of the NIST SP 800-63-3 approach, which requires security controls from NIST SP 800-53 at a baseline corresponding to the assurance level, rather than explicitly listing the security controls in the IMSAC guidance.

3.2 With respect to the classification of identity information, at what level of organization is this taking place? Would individual operators make this determination, or would the classification methods be standard for each identity trust framework?

Guidance Document 6 - Certification

6.1 We suggest that a diagram showing the relationships between the different types of actors identified in the guidance (e.g. CSP, IDP, RP, identity trust framework operator, certification authority) would be very helpful.

6.2 We appreciate the idea behind the law - the limitation of liability is an excellent incentive for organizations to operate in accordance with the identified standards. Please clarify whether this limitation of liability extends to certification authorities as well as identity trust framework operators.

6.3 What is the process for determining certification authority eligibility or requisite standing? We understand that the list of ten functional requirements is applicable, but what is the process for evaluating and approving certification authorities?

6.4 Would the notification process required in item 9 extend to the level of reporting compromised credentials, or is the intention to report on system level breaches?

Guidance Document 7 - Trustmarks

7.1 Is it mandatory to implement trustmarks in order to obtain the liability protections under the law?  Or is the purpose of this document to state the minimum standards and specification if trustmarks are utilized? 

7.2 Who is the intended user of a trustmark for an identity trust framework operator or identity provider?  Could the guidance document include use cases demonstrating trustmark verification?

CommentID: 63240