U.S. Government Pilot Program Participation Requirements
The Pilot Program covers Identity Provider participation in pilots with U.S. government Relying Parties during a pilot period before the OIDF/ICF Open Trust Framework Certification Program is finalized (see the FAQ for more about milestones). During this pilot period, Identity Providers must agree to abide by the following requirements.
- The pilot participation period runs from 1 August to 31 October 2009.
- Identity Provider intends to issue credentials consistent with the relevant ICAM release candidate identity scheme for use in the pilot program.
- The pilot covers LOA (Level of Assurance) 1 usage only.
- Identity Provider's services for use at U.S. government websites must include the following privacy protections:
a. Opt In: Identity Provider must obtain positive confirmation from the End User before any End User information is transmitted to any government applications. The End User must be able to see each attribute that is to be transmitted as part of the Opt In process. Identity Provider should allow End Users to opt out of individual attributes for each transaction.
b. Minimalism: Identity Provider must transmit only those attributes that were explicitly requested by the Relying Party application or required by the Federal profile.
c. Activity Tracking: Identity Provider must not disclose information on End User activities with the government to any party, or use the information for any purpose other than federated authentication.
d. Adequate Notice: Identity Provider must provide End Users with adequate notice regarding federated authentication. Adequate Notice includes a general description of the authentication event, any transaction(s) with the Relying Party, the purpose of the transaction(s), and a description of any disclosure or transmission of Personally Identifiable Information (PII) to any party. Adequate Notice should be incorporated into the Opt In process.
e. Termination: In the event an Identity Provider ceases to provide this service, the Provider shall continue to protect any sensitive data including PII.
- Identity Provider intends to pursue certification under the Open Trust Framework Certification Program when it is finalized.
- Identity Provider and Information Card Foundation verify that Identity Provider's credentials conform to the profile and the protocol specification.
- Identity Provider is providing their own resources for participation in the pilot.
Identity Providers who comply with the above should send an email to director -- at -- informationcard -- dot -- net indicating they wish to participate in the Pilot Program and that they intend to comply with these requirements. The email should also include at least one URL where an End User can obtain a credential.
Upon receipt of an email indicating an interest in participating in the pilot program, the ICF Certification Committee will contact the candidate participant and make arrangements to test their Identity Provider and credential implementation.
The ICF will make available to government agencies and publish on its website the list of the Identity Providers accepted into this program.
The ICF will also provide Identity Providers who are accepted into this program a list of the U.S. government Relying Parties participating in the pilot so these Relying Parties may be configured as necessary in the Identity Provider's systems.
