NIEF Simple Authenticator Assurance Profile for Data Categories with MODERATE Risk Impact, version 1.0
URL: https://trustmark.nief.org/tpat/tips/nief-simple-authenticator-assurance-profile-for-data-categories-with-moderate-risk-impact/1.0/

Description: NIEF authenticator assurance profile for access to categories of data whose highest risk impact level (among confidentiality risk, integrity risk, and availability risk) is LOW. Derived from NIST Special Publication 800-63B Authenticator Assurance Level 2 (AAL2) requirements, excluding security controls and privacy controls. Intended for use in conjunction with appropriate NIEF profiles for security and privacy controls.

Publication date: 2021-08-28T00:00:00.000Z

Legal notice: This artifact is published by the National Identity Exchange Federation (NIEF). This artifact and the information contained herein is provided on an "AS IS" basis, and NIEF disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, NIEF disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.

Issuing organization: NIEF (PRIMARY), https://nief.org/
Contact: NIEF Support, help@nief.org

Keywords: NIEF, Authenticator Assurance, AAL2, MODERATE

Referenced trust interoperability profiles:

1. NIST SP 800-63B AAL2 Permitted Authenticators, version 1.0
   https://artifacts.trustmarkinitiative.org/lib/tips/nist-sp-800-63b-aal2-permitted-authenticators/1.0/
   Profile of requirements related to permitted authenticator types that a Credential Service Provider (CSP) must satisfy to comply with NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, at Authenticator Assurance Level 2 (AAL2).

2. NIST SP 800-63B AAL2 General Authenticator Requirements, version 1.0
   https://artifacts.trustmarkinitiative.org/lib/tips/nist-sp-800-63b-aal2-general-authenticator-requirements/1.0/
   Profile of general authenticator requirements that a Credential Service Provider (CSP) must satisfy to comply with NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, at Authenticator Assurance Level 2 (AAL2).

3. NIST SP 800-63B Authenticator Lifecycle Management, version 1.0
   https://artifacts.trustmarkinitiative.org/lib/tips/nist-sp-800-63b-authenticator-lifecycle-management/1.0/
   Profile of authenticator lifecycle management requirements that a Credential Service Provider (CSP) must satisfy to comply with NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management.

4. NIST SP 800-63B Session Management, version 1.0
   https://artifacts.trustmarkinitiative.org/lib/tips/nist-sp-800-63b-session-management/1.0/
   Profile of session management requirements that a Credential Service Provider (CSP) must satisfy to comply with NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management.

Referenced trustmark definitions:

5. Authentication - Use of Authenticated Protected Channel between Claimant and Verifier, version 1.0
   https://artifacts.trustmarkinitiative.org/lib/tds/authentication---use-of-authenticated-protected-channel-between-claimant-and-verifier/1.0/
   All communications during authentication between the claimant and verifier must use authenticated and protected channels.

6. FIPS 140 Cryptographic Verifier Validation for Overall Security, version 1.0
   https://artifacts.trustmarkinitiative.org/lib/tds/fips-140-cryptographic-verifier-validation-for-overall-security/1.0/
   Approved cryptography verifiers must be used to ensure overall system security. Systems should be validated for FIPS 140 compliance level.

7. Bona Fide Non-US Federal Government Agency or Organization, version 1.0
   https://artifacts.trustmarkinitiative.org/lib/tds/bona-fide-non-us-federal-government-agency-or-organization/1.0/
   Used to demonstrate that an agency or organization is NOT part of the United States federal government, and therefore is not subject to certain rules and regulations that pertain to U.S. federal agencies.

8. CSP Compliance with Applicable Records Retention Policies, version 1.0
   https://artifacts.trustmarkinitiative.org/lib/tds/csp-compliance-with-applicable-records-retention-policies/1.0/
   Credential Service Providers (CSPs) must comply with records retention policies as appropriate for the organization, including adhering to applicable laws, regulations, and policies. CSPs must also inform their subscribers of their records retention policy.

9. Authentication - Enforcement of an Acceptable Maximum Session Duration, version 1.0
   https://artifacts.trustmarkinitiative.org/lib/tds/authentication---enforcement-of-an-acceptable-maximum-session-duration/1.0/
   All sessions must have a maximum acceptable duration that must be enforced to qualify for AAL1, AAL2, or AAL3.

10. Authentication - Enforcement of Periodic Subscriber Reauthentication, version 1.0
    https://artifacts.trustmarkinitiative.org/lib/tds/authentication---enforcement-of-periodic-subscriber-reauthentication/1.0/
    Subscribers must reauthenticate after periods of inactivity according to the AAL being operated at.

11. Authentication - No Allowance of Unlocking a Mobile Device as a Valid Authentication Factor, version 1.0
    https://artifacts.trustmarkinitiative.org/lib/tds/authentication---no-allowance-of-unlocking-a-mobile-device-as-a-valid-authentication-factor/1.0/
    Unlocking a smart phone device must not be considered an authentication factor, as a verifier cannot verify this was done.

Trust expression (fragment):
= 1 or TD_ref3) and TD_ref4 and (TD_ref5.max_session_duration_seconds <= 43200) and (TD_ref6.inactivity_timeout_seconds <= 1800) and TD_ref7

Terms:
NIEF: National Identity Exchange Federation
NIST SP 800-63B: NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. June 2017. Available at https://doi.org/10.6028/NIST.SP.800-63b.