https://identityassurance.blog.gov.uk/2015/07/17/gov-uk-verify-making-sure-certified-companies-are-ready-to-connect/

GOV.UK Verify: making sure certified companies are ready to connect

GOV.UK Verify allows people to choose from a list of certified companies. Before certified companies can join the GOV.UK Verify public beta, they must demonstrate that they can deliver services that are secure, trustworthy and meet users’ needs.

The first stage is to win a contract - to do that, companies have to show that they are capable of becoming a certified company. Once a company has been awarded a contract, they must undertake a series of tests to demonstrate that they are ready to start providing services as part of GOV.UK Verify. This includes gaining external certification and completing a series of contractual gates. This post is about the contractual gates we’ve developed.

Each company can use its own unique combination of technology, methods and approaches to meet the same overall standards and guidance.

We’ve been working to develop an efficient, consistent way of assessing companies’ progress and readiness to join the public beta in four main areas: identity proofing and verification; user experience; operations; and technical integration.

In each of these areas, the  company must first provide a plan and then pass through a series of gates where we assess delivery against the required standards and plans. At all stages, we are working to make sure that the companies meet the required standards, rather than against a detailed specification. The standards and requirements at each stage are set out in the company’s contract with the Government. The company must demonstrate through the onboarding process that they have:

A service that meets the required identity proofing and verification standards

All certified companies have to carry out identity proofing and authentication to the same defined levels of assurance, set out in Good Practice Guides (GPG) 44, 45 and the IPV Operations Manual.

When they present their initial plans, the company must demonstrate that their designs are compliant through the completion of compliance statements, the presentation of system designs, and the details of their proposed data sets and methods. They must also ensure that all the features outlined in their bid are evidenced in their designs.

Once the solution is developed, the company must show that their implementation is consistent with the statements made and documentation they previously supplied. They must provide evidence of test results that demonstrate their compliance with the relevant standards.

A service that works for users

The company must demonstrate that their service works for users, and is as straightforward as possible to use, by:

  • Producing a plan for usability and accessibility testing of their service
  • Undertaking usability and accessibility tests and providing evidence of performing those tests
  • Making their user journey available for usability and accessibility testing by GDS
  • Showing that they have resolved any defects

A service that is ready for live operations

The company must provide documented evidence of their operational processes and responsible points of contact within their organisation.

The company has to demonstrate that they are ready for live operations. This includes exhibiting capabilities including, but not limited to, the following:

  • Incident management
  • Change control
  • Security
  • Support handover
  • Scaling
  • Business continuity and disaster recovery
  • Billing
  • Management Information
  • Audit requests

A service that can successfully technically integrate with GOV.UK Verify

The company has to demonstrate that their solutions will integrate with the GOV.UK Verify service in accordance with the OASIS SAML 2.0 specification, a specification for sharing Identity attributes.

GDS have added to the SAML specification to meet their own specific requirements; the company must ensure that they can meet all the outcomes and conditions within the GDS SAML 2.0 Profile. Testing is carried out against a test environment provided by GDS.

Onboarding

Once a company has completed all the necessary gates, they are added to the list of certified companies on GOV.UK Verify.

However, this is not the end of the process. The certified company undertakes continuous improvement through the analysis of management information from the live service. This ongoing development will result in new data sets and methods, giving users a wider range of ways to prove their identity.