Trust Fabric Expiration

The NIEF Cryptographic Trust Fabric Management Policy (Section 2.4.2) specifies that the NIEF Trust Fabric will be revised every 30 days or sooner as needed to accommodate updates. The trust fabric signing happens on an offline, air gapped certificate authority as specified within the NIEF Certificate Policy. Due to the ongoing COVID-19 crisis, and a mandate to work from home as much as possible, the use of the air gapped certificate authority system is more difficult. It is still critical that the trust fabric expire within some amount of time and that it be regenerated and republished prior to expiration, but to accommodate the working conditions of the COVID-19 crisis, we are relaxing the requirement within Section 2.4.2 and currently extending the period to 60 days, this may be extended further in the coming months if appropriate. Please direct any questions or concerns to

New NIST 800-63-3 Assurance Level Attributes

As you may know, NIST recently published a new version of the NIST SP 800-63 specification. To better align with the new levels of assurance that this updated specification defines, NIEF has defined three new assurance level attributes within the NIEF Attribute Registry as a new Assurance Level Attribute Bundle.  NIEF encourages participating Identity Providers to add support for these new attributes.  These attributes do not map precisely to the legacy assurance attributes, but many of the same underlying security principles dictate the appropriate levels of assurance.  If you have any concerns about what levels of assurance are appropriate for your IDP to assert, feel free to reach out to

Deprecation of TIBO/TIB Support

NIEF has officially deprecated support for the Trusted Identity Broker Organization (TIBO) membership role. A TIBO was a type of NIEF membership through which an agency could operate a Trusted Identity Broker (TIB) software service and thereby act as an identity broker for one or more other, non-NIEF-member agencies, enabling users from those agencies to gain access to resources offered by NIEF Service Provider Organizations (SPOs).

We previously supported the TIBO concept because it appeared to offer an appealing solution to “inter-federation” scenarios, in which users from one identity federation could reuse their identities across federation borders, within a different identity federation. But we discovered that the TIBO/TIB identity brokering model carries unacceptable consequences in terms of legal liability for NIEF and its member agencies. In lieu of the TIBO/TIB model, NIEF now supports a trustmark-based approach that enables many aspects of “inter-federation” connectivity without these legal limitations.

Announcing Availability of TXMAP to NIEF Members

We are pleased to announce the availability of the Texas Department of Public Safety’s TXMAP web mapping application. TXMAP is a multi-faceted data mapping and reporting tool.  It provides users access to a variety of data ranging from secure critical infrastructure and law enforcement data to public data such as registered sex offender home addresses.  TXMAP can provide value to law enforcement agencies, public safety organizations, emergency management groups, and others.

To gain access to TXMAP, your IDP must provide the minimal required set of attributes as per TXMAP auditing requirements. This includes given name, surname, email, employer name, federation id, and identity provider id.  TXMAP grants additional privileges to users that have additional attributes including ORI, identity proofing assurance level, electronic authentication assurance level, PCII Certification Indicator, Sworn LEO, and Public Safety Officer.

If your organization needs to update its local trust stores, you can find the NIEF trust fabric entry for TXMAP within the NIEF Trust Fabric Registry and in the NIEF Trust Fabric file.

If you have any questions about TXMAP and NIEF, or if you encounter any problems while trying to configure your IDP for access to TXMAP, please contact us at

Announcing Availability of Apiary to NIEF Members

GTRI is proud to announce the availability of Apiary as a new service provider on NIEF.

Apiary is an automated framework for malware analysis and threat intelligence that combines “crowd-sourced” data collection with a centralized set of sophisticated analysis tools for the benefit of all its users. Members of the Apiary vetted community can anonymously upload malware, or suspected malware, and benefit from Apiary’s ongoing in-depth malware correlation and behavior analysis algorithms. The results of Apiary’s analysis are delivered automatically within a secure information sharing environment. The Apiary and its community are an ideal resource for analysts and investigators who deal with cyber crime, as well as all companies and agencies that are trying to protect their organization’s IT assets from malware.

Apiary was developed by GTRI’s Cyber Technology and Information Security Laboratory (CTISL), and is now available to all users within NIEF. It is available via the NIEF Portal or directly via SAML Single Sign-On with your NIEF Identity Provider (IDP) at

To gain access to Apiary, your IDP must provide your first name, last name, email address, and employer name for UI customization and account provisioning purposes, but this data is not shared with any other users of Apiary, and therefore preserves the anonymity of both your employer and you as an individual as you use Apiary’s tools and features. Apiary is currently planning to offer additional capabilities and features at a cost, but the core functionality of the Apiary tool is available to NIEF users at no charge.

NIEF Identity Provider Organizations (IDPOs) may need to update their local trust configuration to add Apiary as a new trusted Service Provider (SP). (Those IDPOs that have deployed the Shibboleth IDP software need not take any action, as Shibboleth automatically refreshes its trust configuration based on updates to the NIEF Trust Fabric.) For those who need to update their configuration manually, the NIEF Trust Fabric is available here.

Within the NIEF Trust Fabric, the Apiary entry can be found by searching for the entity ID “”.

If you have any questions about Apiary and NIEF, or if you encounter any problems while trying to configure your IDP for access to Apiary, please contact us at