Completing the Electronic Authentication Threshold (e-TA) and the e-Authentication Risk Assessment (e-RA)

E-Authentication risk assessments are used to define the electronic assurance levels (EAL) needed to ensure that authentication processes are appropriate for electronic transactions requiring authentication. The EALs also provide a basis for assessing credential service providers (CSP) on behalf of federal agencies. Either the system owner or the business owner of a system must complete the eTA alone, or both the eTA and the eRA, depending on the criteria discussed below. Both forms must be reviewed and approved in writing by the Information System Security Officer (ISSO) or the system's designated ISSO and the designated authorizing official (AO). The completed form must be updated if changes are made to the system that result in changes to previous e-Authentication ratings.

The e-Authentication policy is found in the Office of Management and Budget Memo 04-04, E-Authentication Guidance for Federal Agencies. Technology recommendations and guidance are discussed in the National Institute of Standards and Technology (NIST) SP 800-63, Electronic Authentication Guideline.

Completing the eTA form

The eTA form poses three screening questions to help you determine whether a given system is covered by the e-Authentication policy.

  • Is the system web enabled?
  • Does it provide a user login and authentication service?
  • Is it accessible via the Internet?

If you answer YES to all three of these questions, then you must complete the full eRA form (which includes the eTA front page). If you answer NO to any one of the questions, then you only need to complete the eTA.

Three more steps are needed to finish the eTA.

  1. Fill in the complete system name in the space provided at the top of the eTA form and include NCI as your Institute or Center (IC).
  2. Have your designated Information Systems Security Officer (ISSO) and Authorizing Official (AO) sign the completed eTA.
  3. Keep your signed eTA to include with your security package.

Completing the eRA form

Fill in the complete system name in the space provided at the top of the form and include the name of your IC (e.g., NCI). Consult the NCI ISSO (nciirm [at] mail.nih.gov) if you need assistance.

  1. Answer Questions 1-6 on pages 2-6 by placing an “X” in the appropriate boxes for each transaction type (e.g., read, write, create, delete). You must provide a response for each type of transaction.
  2. At the bottom of each question, mark the highest level response for each transaction type.
  3. In Section 2, circle the rating that corresponds to each question's highest rating to fill in the "Potential Impact Categories" table.
  4. Select the corresponding Assurance Level Impact Profile Number and enter it on the last page of the eRA. In some cases, an impact rating may correspond to more than one assurance level. You should choose the dominant recurring rating in the Assurance Level Impact Profiles table to determine the final rating.
  5. Submit the completed eTA and/or eRA forms to your designated ISSO and AO for approval.
  6. Consult NIST SP 800-63 to select the technology that aligns with your rating.

e-Assurance levels (EALs) and tokens

The e-Authentication policy defines four assurance levels:

  • Level 1: Little or no confidence in the asserted identity's validity.
  • Level 2: Some confidence in the asserted identity's validity.
  • Level 3: High confidence in the asserted identity's validity.
  • Level 4: Very high confidence in the asserted identity's validity.

Each EAL allows one or more token types. More details on the different tokens, as well as the various methods for proving identity, are discussed in NIST SP 800-63.

Token Type                  Level 1   Level 2   Level 3   Level 4
Hard Crypto Token              X         X         X         X
One-time password device       X         X         X
Soft Crypto Token              X         X         X
Passwords and PINs             X         X

It's important to note that the E-Authentication guidance does not apply to authorization. Authorization focuses on the actions permitted of an identity after authentication has taken place. Decisions concerning authorization are and should remain the purview of the business process owner.

Either form can be completed by the System Owner (contractor) or the Business Owner (Fed), but the appropriate completed form needs to be reviewed and approved in writing by the system's designated ISSO and the designated authorizing official (AO). The completed form is also maintained by the NCI ISSO and must be updated if changes are made to the system that impact the previous e-Auth ratings. Contact the NCI ISSO for help completing these forms (nciirm [at] mail.nih.gov).

e-Authentication resources