Overview#
Assurance Level is the level of Assurance or confidence within an Assertion and is used within the Risk Assessment.

Balancing the Level Of Assurance with the Risk Assessment is complex; however, it must be simplified enough for decision actions to be made in a reasonable time.
Assurance Level for Data Classification Example#
A Data Classification assessment is required to properly determine the sensitivity of access. Below is an Example of a Risk Assessment for an Organizational Entity.

Impact of Authentication Error | LOA 1 | LOA 2 | LOA 3 | LOA 4 |
---|---|---|---|---|
LoA | Little or no Assurance exists in the asserted Digital Identity - usually self-asserted; essentially a persistent identifier | Assurance exists that the asserted Digital Identity is accurate; used frequently for self service applications | High Assurance in the asserted Digital Identity's accuracy; used to access Protected Data | Very high Assurance in the asserted Digital Identity's accuracy; used to access highly Protected Data. |
Potential Damage to reputation | Low | Moderate | Moderate | High |
Potential Financial damage or liability | Low | Moderate | Moderate | High |
Potential for unauthorized release of sensitive information | N/A | | | |
Potential civil (or Criminal action) violations; e.g. out of compliance with Regulatory compliance rules | N/A | Low | Moderate | High |
Potential harm to Organization's programs or public interests | N/A | Low | Moderate | High |
Potential impact to personal safety | N/A | N/A | Low | Moderate/High |
- N/A - can be thought of as "Not Appropriate" for the chart.
NIST.SP.800-63-3 Assurance Level#
NIST.SP.800-63-3 sections on Selecting Assurance Levels:

The Risk Assessment results are the primary factor in selecting the most appropriate Assurance Level. This section details how to apply the results of the Risk Assessment with additional factors unrelated to risk to determine the most advantageous Assurance Level selection.

First, compare the risk assessment impact profile to the impact profiles associated with each Assurance Level, as shown below. To determine the required Assurance Level, find the lowest Assurance Level whose impact profile meets or exceeds the potential impact for every category analyzed in the Risk Assessment.
Maximum Potential Impacts for Each Assurance Level
Impact Categories | 1 | 2 | 3 |
---|---|---|---|
Inconvenience, distress or damage to standing or reputation | Low | Moderate | High |
Financial loss or agency liability | Low | Moderate | High |
Harm to agency programs or public interests | N/A | Low/Moderate | High |
Unauthorized release of Sensitive Data | N/A | Low/Moderate | High |
Personal Safety | N/A | Low | Moderate/High |
Civil or criminal violations | N/A | Low/Moderate | High |
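
The selection rule quoted above, applied to the "Maximum Potential Impacts" table, as an added example that is not from NIST.SP.800-63-3 or the original page. The category keys, function names and the `"None"` impact value are assumptions made for illustration, as is reading a range cell such as "Low/Moderate" as a maximum of Moderate.

```python
# Added example; names and category keys are assumptions, not NIST's.
RANK = {"N/A": 0, "None": 0, "Low": 1, "Moderate": 2, "High": 3}

# Maximum potential impact at Assurance Levels 1, 2, 3, from the table above.
# Assumption: a range cell such as "Low/Moderate" is stored as its upper bound.
MAX_IMPACT = {
    "reputation":        ("Low", "Moderate", "High"),
    "financial":         ("Low", "Moderate", "High"),
    "agency_programs":   ("N/A", "Moderate", "High"),
    "sensitive_release": ("N/A", "Moderate", "High"),
    "personal_safety":   ("N/A", "Low",      "High"),
    "civil_criminal":    ("N/A", "Moderate", "High"),
}


def exceeded(level, assessed):
    """Return the categories whose assessed impact is above the level's maximum."""
    over = []
    for category, impact in assessed.items():
        if category not in MAX_IMPACT:
            raise ValueError(f"unknown impact category: {category!r}")
        if impact not in RANK:
            raise ValueError(f"unknown impact value: {impact!r}")
        if RANK[impact] > RANK[MAX_IMPACT[category][level - 1]]:
            over.append(category)
    return over


def required_assurance_level(assessed):
    """Lowest level whose profile meets or exceeds every assessed impact.

    Also returns the categories that ruled out the next lower level, so the
    decision can be explained to the risk owner.
    """
    drivers = []
    for level in (1, 2, 3):
        over = exceeded(level, assessed)
        if not over:
            return level, drivers
        drivers = over
    # Not reachable with this table: level 3 allows "High" in every category.
    raise ValueError("assessed impact exceeds every Assurance Level profile")


if __name__ == "__main__":
    # Constructed risk assessment for a hypothetical self-service portal.
    portal = {"reputation": "Low", "financial": "Moderate",
              "sensitive_release": "Low", "personal_safety": "None"}
    print(required_assurance_level(portal))  # (2, ['financial', 'sensitive_release'])
```

An "N/A" cell ranks below Low, so any assessed impact in that category rules the level out; this is why a Low personal-safety impact alone is enough to require level 2.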