NIST SP 800-39 FPD, Appendix G
APPROACHES TO ESTABLISHING TRUST RELATIONSHIPS
The following trust models describe ways in which organizations can obtain the levels of trust needed to form partnerships, collaborate with other organizations, share information, or receive information system/security services. No single trust model is inherently better than any other model. Rather, each model provides organizations with certain advantages and disadvantages based on their circumstances (e.g., governance structure, risk tolerance, and criticality/sensitivity of organizational missions and business processes).
Validated Trust
In the validated trust model, one organization obtains a body of evidence regarding the actions of another organization (e.g., the organization's information security policies, activities, and risk-related decisions) and uses that evidence to establish a level of trust with the other organization. An example of validated trust is where one organization develops an application or information system and provides evidence (e.g., security plan, assessment results) to a second organization that supports the claims by the first organization that the application/system meets certain security requirements and/or addresses the appropriate security controls in NIST Special Publication 800-53. Validated trust may not be sufficient; that is, the evidence offered by the first organization to the second organization may not fully satisfy the second organization's trust requirements or trust expectations. The more evidence provided between organizations, and the higher the quality of that evidence, the greater the degree of trust that can be achieved. Trust is linked to the degree of transparency between the two organizations with regard to risk and information security-related activities and decisions.
Direct Historical Trust
In the direct historical trust model, the track record exhibited by an organization in the past, particularly in its risk and information security-related activities and decisions, can contribute to and help establish a level of trust with other organizations. While validated trust models assume that an organization provides the required level of evidence needed to establish trust, obtaining such evidence may not always be possible. In such instances, trust may be based on other deciding factors, including the organization's historical relationship with the other organization or its recent experience in working with the other organization. For example, if one organization has worked with a second organization for years on some activity and has not had any negative experiences, the first organization may be willing to trust the second organization in working on another activity, even though the organizations do not share any common experience for that particular activity. Direct historical trust tends to build up over time, with positive experiences contributing to increased levels of trust between organizations. Conversely, negative experiences may cause trust levels to decrease among organizations.
Mediated Trust
In the mediated trust model, an organization establishes a level of trust with another organization based on assurances provided by some mutually trusted third party. There are several types of mediated trust models that can be employed. For example, two organizations attempting to establish a trust relationship may not have a direct trust history between them, but do have a trust relationship with a third organization. The third party that is trusted by both organizations brokers the trust relationship between the two organizations, thus helping to establish the required level of trust. Another type of mediated trust involves the concept of transitivity of trust. In this case, one organization establishes a trust relationship with a second organization. Independent of the first trust relationship, the second organization establishes a trust relationship with a third organization. Since the first organization trusts the second organization and the second organization trusts the third organization, a trust relationship is now established between the first and third organizations (illustrating the concept of transitive trust among organizations).[69]
Mandated Trust
In the mandated trust model, an organization establishes a level of trust with another organization based on a specific mandate issued by a third party in a position of authority.[70] This mandate can be established by the respective authority through Executive Orders, directives, regulations, or policies (e.g., a memorandum from an agency head directing that all subordinate organizations accept the results of security assessments conducted by any subordinate organization within the agency). Mandated trust can also be established when some organizational entity is decreed to be the authoritative source for the provision of information resources, including information technology products, systems, or services. For example, an organization may be given the responsibility and the authority to issue Public Key Infrastructure (PKI) certificates for a group of organizations.
In general, the trust models described above are not mutually exclusive. Each of the trust models may be used independently as a stand-alone model or in conjunction with another model. Several trust models may be used at times within the organization (e.g., at various phases in the SDLC). Also, since organizations are often large and diverse, it is possible that subordinate organizations within a parent organization might independently employ different trust models in establishing trust relationships with potential partnering organizations (including subordinate organizations). The organizational governance structure may establish the specific terms and conditions for how the various trust models are employed in a complementary manner within the organization.
Suitability of Various Trust Models
The trust models can be employed at various tiers in the risk management approach described in this publication. None of the trust models is inherently better or worse than the others. However, some models may be better suited to some situations than others. For example, the validated trust model, because it requires evidence of a technical nature (e.g., tests completed successfully), is probably best suited for application at Tier 3. In contrast, the direct historical trust model, with its significant emphasis on past experiences, is more suited for application at Tiers 1 or 2. The mediated and mandated trust models are typically more oriented toward governance and consequently are best suited for application at Tier 1. However, some implementations of the mandated trust model, for example, being required to trust the source of a PKI certificate, are more oriented toward Tier 3. Similarly, although the mediated trust model is primarily oriented toward Tier 1, there can be implementations of it that are more information system-oriented (i.e., Tier 3). An example of this application might be the use of authentication services that validate the authenticity or identity of an information system component (i.e., device) or service.
The nature of a particular information technology service can also impact the suitability and the applicability of the various trust models. The validated trust model is the more traditional model for establishing trust in an information technology product, system, or service. However, this trust model works best in situations where there is a degree of control between parties (e.g., a contract between the government and an external service provider) or where there is sufficient time to obtain and validate the evidence needed to establish a trust relationship. Validated trust is a suboptimal model for situations where the two parties are peers and/or where the trust decisions regarding shared/supplied services must occur quickly due to the very dynamic and rapid nature of the service being requested/provided (e.g., service-oriented architectures).
[69] In the mediated trust model, the first organization typically has no insight into the nature of the trust relationship between the second and third organizations.
[70] The authoritative organization explicitly accepts the risks to be incurred by all organizations covered by the mandate and is accountable for the risk-related decisions imposed by the organization.