Digital identity services are often made up of many different constituent parts and have complex supply chains. Whilst an identity service might build its own app, it might use another company’s service to do things like biometric liveness detection. We call those parts of services “component services”, and they can be certified under the gamma (0.4) publication of the UK digital identities and attributes trust framework.
If you are seeking certification and your service includes component services from other companies, you might be wondering:
Do I have to use a certified component?
And the answer is no, you don’t – but you will probably want to.
Using certified components can make your certification easier
We want people to trust digital identity services, and so we set a high bar for quality through the trust framework. Whilst meeting the rules should be challenging, we don’t want the process of getting certified itself to be difficult. To that end, the certification process that our approved Conformity Assessment Bodies (CABs) follow discourages auditors from re-evaluating things that have already been recently evaluated.
If you have a certified component service within your own service, your CAB can rely on the pre-existing certification for that component service as part of the evaluation. This means the CAB may be able to reduce or, in some cases, completely avoid the effort involved in looking at that part of the service; they don’t necessarily need to do a full evaluation, because those parts have already been looked at.
For service providers that use components, using a certified component might enable you to reduce the cost and time it takes to obtain certification against the trust framework.
For component service providers themselves, you can offer a benefit to your own clients, and avoid the repetitive poking and prodding that comes with being audited as part of the supply chain.
Pick the easier path
The beta and gamma trust frameworks do not require that you exclusively use certified components in your supply chain. There’s nothing stopping you from using any component services from any providers, provided those components meet the rules. Your CAB will check any non-certified components meet with rules as part of your audit.
So it isn’t mandatory, but it is smart! Using certified services as part of your supply chain means you can take a smoother path to certification.
Leave a comment