S&I Framework

Architecture Refinement & Management (ARM)01/07/2013

Trust Bundle SWG Background

Direct Scalable Trust Forum organized by ONC in November 2012 in Washington D.C to discuss “Scalable Trust” and wide spread adoption of Direct.

• Outcomes from the forum

• Start a WG to define/refine a package of requirements that will limit/avoid the need for HISP to HISP agreements

• Start a WG to determine what has to be done “In the Meantime”

• Standardize Trust Bundle distribution for Direct which can then be automated• Scope:

• Distribute Direct Trust Bundles within and between Trust Communities.• Collaborate with Trust Communities to pilot the Implementation Guide.• Refine the Implementation Guide based on feedback from the pilots.

• Out of Scope: • Trust Anchor management policies (Addition/Removal/Modification etc) within a Trust

Bundle.• Business Processes and/or Governance of the Trust Community or any of the

organizations participating in the Trust Community.

Trust Bundle SWG Timeline1/31/201312/31/2012 2/28/2013 3/31/2013 4/30/2013

Trust Bundle SWG kickoff

Finalize Technical Approach (Leverage work performed by ABBI, DirectTrust, WSC, NSTIC pilots etc.)

Develop Implementation Guide

Pilot Implementation Guide

Refine Implementation Guide

Proof of Concept

Implementation Guide Consensus

Trust Bundle Distribution Context

Trust Community: Trust Communities are formed by organizations electing to follow a common set of policies and processes related to health information exchange. Examples of these policies are identity proofing policies, certificate management policies, HIPAA compliance processes etc. 

Trust Community Profile: A Trust Community can create multiple sets of policies and processes and enforce these sets of policies on selected organizations who want to conform. For e.g A Trust Community can create a set of policies and processes which organizations have to conform to for regular treatment related use cases, a different set of policies and processes that organizations have to conform to for Behavioral Health related use cases and so on. These sets of policies and processes are called as Trust Community Profiles. The word “Profile” indicates a set of policies and processes.  

Trust Bundle: Trust Bundle is a collection of Direct Trust Anchors within a Trust Community that conform to a Trust Community Profile. Trust Anchor’s of member organizations who have elected to conform to a Trust Community Profile are included in the Trust Bundle for that particular Trust Community Profile. Some examples of Trust Bundles conforming to different Trust Community Profiles are:• A Trust Bundle could have Trust Anchors that conform to NIST Level of Assurance 3 • A Trust Bundle could have Trust Anchors that are FBCA Cross-certified at Medium Level of Assurance.

Trust Bundle Distribution Context

Trust Bundle Requestor

Trust Bundle Publisher

Trust Bundle Requestor: A Trust Bundle Requestor is an entity (person, software system, Direct STA etc) that requests a Trust Bundle from a Trust Bundle Publisher.

Trust Bundle Publisher: A Trust Bundle Publisher is an entity that publishes one ore more Trust Bundles for a Trust Community.

The focus of the implementation guide is to detail the technical standards, protocols and content that will be used to implement the two transactions identified in the above diagram

• Requesting a Trust Bundle and• Receiving a Trust Bundle

1. Request Trust Bundle

2. Receive Trust Bundle

Trust Bundle Distribution IG

• http://wiki.directproject.org/file/view/Implementation%20Guide%20for%20Direct%20Project%20Trust%20Bundle%20Distribution_v0.7.docx/408482894/Implementation%20Guide%20for%20Direct%20Project%20Trust%20Bundle%20Distribution_v0.7.docx