Effective: 06/30/2008


Excerpt from OMB E-Authentication Guidance for Federal Agencies; memorandum dated December 16, 2003.

Description of Assurance Levels

This guidance describes four identity authentication assurance levels for e-government transactions. Each assurance level describes the agency’s degree of certainty that the user has presented an identifier (a credential[5] in this context) that refers to his or her identity. In this context, assurance is defined as 1) the degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued, and 2) the degree of confidence that the individual who uses the credential is the individual to whom the credential was issued. The four assurance levels are:

  • Level 1: Little or no confidence in the asserted identity’s validity.
  • Level 2: Some confidence in the asserted identity’s validity.
  • Level 3: High confidence in the asserted identity’s validity.
  • Level 4: Very high confidence in the asserted identity’s validity.

Potential Impact Categories: To determine the appropriate level of assurance in the user’s asserted identity, agencies must assess the potential risks, and identify measures to minimize their impact. Authentication errors with potentially worse consequences require higher levels of assurance. Business process, policy, and technology may help reduce risk. The risk from an authentication error is a function of two factors:

  1. potential harm or impact, and
  2. the likelihood of such harm or impact.

Categories of harm and impact include:

  • Inconvenience, distress, or damage to standing or reputation
  • Financial loss or agency liability
  • Harm to agency programs or public interests
  • Unauthorized release of sensitive information
  • Personal safety
  • Civil or criminal violations.

Required assurance levels for electronic transactions are determined by assessing the potential impact of each of the above categories using the potential impact values described in Federal Information Processing Standard (FIPS) 199, “Standards for Security Categorization of Federal Information and Information Systems.” The three potential impact values are[6]:

  • Low impact
  • Moderate impact
  • High impact.

The next section defines the potential impacts for each category. Note: If authentication errors cause no measurable consequences for a category, there is “no” impact.

Determining Potential Impact of Authentication Errors

Potential impact of inconvenience, distress, or damage to standing or reputation:

  • Low—at worst, limited, short-term inconvenience, distress or embarrassment to any party.
  • Moderate—at worst, serious short-term or limited long-term inconvenience, distress or damage to the standing or reputation of any party.
  • High—severe or serious long-term inconvenience, distress or damage to the standing or reputation of any party (ordinarily reserved for situations with particularly severe effects or which affect many individuals).

Potential impact of financial loss:

  • Low—at worst, an insignificant or inconsequential unrecoverable financial loss to any party, or at worst, an insignificant or inconsequential agency liability.
  • Moderate—at worst, a serious unrecoverable financial loss to any party, or a serious agency liability.
  • High—severe or catastrophic unrecoverable financial loss to any party; or severe or catastrophic agency liability.

Potential impact of harm to agency programs or public interests:

  • Low—at worst, a limited adverse effect on organizational operations or assets, or public interests. Examples of limited adverse effects are: (i) mission capability degradation to the extent and duration that the organization is able to perform its primary functions with noticeably reduced effectiveness, or (ii) minor damage to organizational assets or public interests.
  • Moderate—at worst, a serious adverse effect on organizational operations or assets, or public interests. Examples of serious adverse effects are: (i) significant mission capability degradation to the extent and duration that the organization is able to perform its primary functions with significantly reduced effectiveness; or (ii) significant damage to organizational assets or public interests.
  • High—a severe or catastrophic adverse effect on organizational operations or assets, or public interests. Examples of severe or catastrophic effects are: (i) severe mission capability degradation or loss to the extent and duration that the organization is unable to perform one or more of its primary functions; or (ii) major damage to organizational assets or public interests.

Potential impact of unauthorized release of sensitive information:

  • Low—at worst, a limited release of personal, U.S. government sensitive, or commercially sensitive information to unauthorized parties resulting in a loss of confidentiality with a low impact as defined in FIPS PUB 199.
  • Moderate—at worst, a release of personal, U.S. government sensitive, or commercially sensitive information to unauthorized parties resulting in loss of confidentiality with a moderate impact as defined in FIPS PUB 199.
  • High—a release of personal, U.S. government sensitive, or commercially sensitive information to unauthorized parties resulting in loss of confidentiality with a high impact as defined in FIPS PUB 199.

Potential impact to personal safety:

  • Low—at worst, minor injury not requiring medical treatment.
  • Moderate—at worst, moderate risk of minor injury or limited risk of injury requiring medical treatment.
  • High—a risk of serious injury or death.

The potential impact of civil or criminal violations is:

  • Low—at worst, a risk of civil or criminal violations of a nature that would not ordinarily be subject to enforcement efforts.
  • Moderate—at worst, a risk of civil or criminal violations that may be subject to enforcement efforts.
  • High—a risk of civil or criminal violations that are of special importance to enforcement programs.

Determining Assurance Level

Compare the impact profile from the risk assessment to the impact profiles associated with each assurance level, as shown in Table 1 below. To determine the required assurance level, find the lowest level whose impact profile meets or exceeds the potential impact for every category analyzed in the risk assessment (as noted in step 2 below).

Table 1 – Maximum Potential Impacts for Each Assurance Level

Potential Impact Categories for Authentication Errors         Assurance Level Impact Profiles
                                                              1       2       3       4
Inconvenience, distress or damage to standing or reputation   Low     Mod     Mod     High
Financial loss or agency liability                            Low     Mod     Mod     High
Harm to agency programs or public interests                   N/A     Low     Mod     High
Unauthorized release of sensitive information                 N/A     Low     Mod     High
Personal Safety                                               N/A     N/A     Low     Mod-High
Civil or criminal violations                                  N/A     Low     Mod     High
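The selection rule above (lowest level whose profile meets or exceeds the assessed impact in every category) is easy to get wrong by hand, because an "N/A" cell means the level tolerates no measurable impact at all, not that the category may be ignored. The following Python is an added worked example, not code from the memorandum: it transcribes Table 1, applies the rule, and also reports which categories are driving the result. The category keys, the `none` value (the guidance's "no impact"), reading `N/A` as "no impact tolerated", reading the `Mod-High` cell as a maximum of High, and the sample profiles in the `__main__` block are this example's own assumptions, not assessments from the guidance.

```python
"""Required e-authentication assurance level from an impact profile (Table 1).

Added worked example; not code from the OMB memorandum. It implements the rule
the guidance states: the required level is the lowest assurance level whose
maximum-impact profile meets or exceeds the assessed impact in every category.
Category keys and the 'none' value are this example's own naming (assumption).
"""

# Ordinal scale for potential impact. "N/A" in Table 1 is read as "no
# measurable impact tolerated" at that level, so it ranks the same as 'none'.
IMPACT_RANK = {
    "none": 0, "n/a": 0,
    "low": 1,
    "mod": 2, "moderate": 2,
    "high": 3, "mod-high": 3,   # Level 4 personal-safety cell: maximum is High
}

# Table 1 transcribed: category -> maximum tolerated impact at Levels 1..4.
TABLE_1 = {
    "inconvenience":     ("Low", "Mod", "Mod", "High"),
    "financial":         ("Low", "Mod", "Mod", "High"),
    "agency_programs":   ("N/A", "Low", "Mod", "High"),
    "sensitive_release": ("N/A", "Low", "Mod", "High"),
    "personal_safety":   ("N/A", "N/A", "Low", "Mod-High"),
    "civil_criminal":    ("N/A", "Low", "Mod", "High"),
}
LEVELS = (1, 2, 3, 4)


def rank(value):
    """Map an impact value (case-insensitive) to its ordinal; reject unknown values."""
    key = value.strip().lower()
    if key not in IMPACT_RANK:
        raise ValueError(f"unknown impact value: {value!r}")
    return IMPACT_RANK[key]


def max_impact(category, level):
    """Maximum impact Table 1 tolerates for a category at the given level."""
    return rank(TABLE_1[category][level - 1])


def required_assurance_level(profile):
    """Return the lowest level whose Table 1 profile covers every assessed category.

    `profile` maps category -> assessed impact ('none'|'low'|'moderate'|'high').
    Categories left out are treated as 'none' (the guidance's "no impact").
    """
    unknown = set(profile) - set(TABLE_1)
    if unknown:
        raise ValueError(f"unknown impact categories: {sorted(unknown)}")
    assessed = {cat: rank(profile.get(cat, "none")) for cat in TABLE_1}
    for level in LEVELS:
        if all(assessed[cat] <= max_impact(cat, level) for cat in TABLE_1):
            return level
    # Level 4 tolerates High in every category, so a valid profile always returns above.
    raise AssertionError("no assurance level covers the profile")


def binding_categories(profile, level):
    """Categories whose assessed impact exceeds what the next-lower level tolerates.

    These are the categories that stop the transaction from being one level
    lower; for Level 1 the list is empty.
    """
    if level == 1:
        return []
    return sorted(cat for cat in TABLE_1
                  if rank(profile.get(cat, "none")) > max_impact(cat, level - 1))


def assess(profile):
    """Convenience wrapper: (required level, categories driving that level)."""
    level = required_assurance_level(profile)
    return level, binding_categories(profile, level)


if __name__ == "__main__":
    # Constructed profiles for illustration only (not assessments from the memorandum).
    samples = {
        "forms-only submission, nothing returned": {"inconvenience": "low"},
        "customised portal page":                 {"inconvenience": "low", "sensitive_release": "low"},
        "field laptop with client records":       {"sensitive_release": "moderate", "financial": "low"},
        "controlled-drug dispensing":             {"personal_safety": "high", "civil_criminal": "high"},
    }
    for name, profile in samples.items():
        level, driven_by = assess(profile)
        print(f"{name}: Level {level} (driven by {', '.join(driven_by) or 'nothing above Level 1'})")
```

The `binding_categories` output is the part worth keeping in an assessment record: it documents why a transaction could not be placed one level lower, which is exactly the justification a reviewer asks for when an agency proposes a lower level than the profile supports.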


Assurance Levels and Risk Profiles: Descriptions and Examples

Level 1 Little or no confidence exists in the asserted identity. For example, Level 1 credentials allow people to bookmark items on a web page for future reference.

Examples:

  • In some instances, the submission of forms by individuals in an electronic transaction will be a Level 1 transaction: (i) when all information is flowing to the Federal organization from the individual, (ii) there is no release of information in return, and (iii) the criteria for higher assurance levels are not triggered. For example, if an individual applies to a Federal agency for an annual park visitor's permit (and the financial aspects of the transaction are handled by a separate contractor and thus analyzed as a separate transaction), the transaction with the Federal agency would otherwise present minimal risks and could be treated as Level 1.
  • A user presents a self-registered user ID or password to the U.S. Department of Education web page, which allows the user to create a customized “My.ED.gov” page. A third party gaining unauthorized access to the ID or password might infer personal or business information about the individual based upon the customization, but absent a high degree of customization, these risks are probably very minimal.
  • A user participates in an online discussion on the whitehouse.gov website, which does not request identifying information beyond name and location. Assuming the forum does not address sensitive or private information, there are no obvious inherent risks.

Level 2 On balance, confidence exists that the asserted identity is accurate. Level 2 credentials are appropriate for a wide range of business with the public where agencies require an initial identity assertion (the details of which are verified independently prior to any Federal action).

Examples:

  • A user subscribes to the Gov Online Learning Center (golearn). The site’s training service must authenticate the person to present the appropriate course material, assign grades, or demonstrate that the user has satisfied compensation- or promotion-related training requirements. The only risk associated with this transaction is a third party gaining access to grading information, thereby harming the student’s privacy or reputation. If the agency determines that such harm is minor, the transaction is Level 2.

  • A beneficiary changes her address of record through the Social Security web site. The site needs authentication to ensure that the entitled person’s address is changed. This transaction involves a low risk of inconvenience. Since official notices regarding payment amounts, account status, and records of changes are sent to the beneficiary’s address of record, it entails moderate risk of unauthorized release of personally sensitive data. The agency determines that the risk of unauthorized release merits Assurance Level 2 authentication.
  • An agency program client updates bank account, program eligibility, or payment information. Loss or delay would significantly impact him or her. Errors of this sort might delay payment to the user, but would not normally result in permanent loss. The potential individual financial impact to the agency is low, but the possible aggregate is moderate.
  • An agency employee has access to potentially sensitive personal client information. She authenticates individually to the system at Level 2, but technical controls (such as a virtual private network) limit access to the system to the agency premises. Access to the premises is controlled, and the system logs her access instances. In a less constrained environment, her access to personal sensitive information would create moderate potential impact for unauthorized release, but the system’s security measures reduce the overall risk to low.

Level 3 — Level 3 is appropriate for transactions needing high confidence in the asserted identity’s accuracy. People may use Level 3 credentials to access restricted web services without the need for additional identity assertion controls.

Examples:

  • A patent attorney electronically submits confidential patent information to the US Patent and Trademark Office. Improper disclosure would give competitors a competitive advantage.
  • A supplier maintains an account with a General Services Administration Contracting Officer for a large government procurement. The potential financial loss is significant, but not severe or catastrophic, so Level 4 is not appropriate.
  • A First Responder accesses a disaster management reporting website to report an incident, share operational information, and coordinate response activities.
  • An agency employee or contractor uses a remote system giving him access to potentially sensitive personal client information. He works in a restricted-access Federal office building. This limits physical access to his computer, but system transactions occur over the Internet. The sensitive personal information available to him creates a moderate potential impact for unauthorized release.

Level 4 — Level 4 is appropriate for transactions needing very high confidence in the asserted identity’s accuracy. Users may present Level 4 credentials to assert identity and gain access to highly restricted web resources, without the need for further identity assertion controls.

Examples:

  • A law enforcement official accesses a law enforcement database containing criminal records. Unauthorized access could raise privacy issues and/or compromise investigations.
  • A Department of Veterans Affairs pharmacist dispenses a controlled drug. She would need full assurance that a qualified doctor prescribed it. She is criminally liable for any failure to validate the prescription and dispense the correct drug in the prescribed amount.
  • An agency investigator uses a remote system giving her access to potentially sensitive personal client information. Using her laptop at client worksites, personal residences, and businesses, she accesses information over the Internet via various connections. The sensitive personal information she can access creates only a moderate potential impact for unauthorized release, but her laptop’s vulnerability and her non-secure Internet access raise the overall risk.

[5] A credential is defined as: an object that is verified when presented to the verifier in an authentication transaction.

[6] For the purposes of this document, the impact value “not applicable” may apply to the categories of harm.