Trustmark Initiative

Frequently Asked Questions (FAQ)

  • What is a trustmark?
  • What is the trustmark framework?
  • How do trustmarks improve digital trust within a community of interest?
  • What is the Trustmark Initiative, and what role does it play?
  • What trustmark tools are available to implementers?
  • How can organizations deploy trustmark tools within their environments?
  • How does the Trustmark Initiative relate to individual communities that use trustmarks?
  • How do communities decide which trustmarks are required for participation?
  • How does an assessor become authorized to issue trustmarks within a community?
  • Can organizations define their own trust policies beyond what the community requires?
  • What happens if a trustmark needs to be revoked?
  • What pilots or operational implementations have demonstrated the trustmark framework?
  • How scalable is the trustmark framework for large communities or ecosystems?
  • How do trustmarks relate to cloud computing?
  • How do trustmarks relate to single sign-on (SSO)?
  • How do trustmarks relate to LDAP and Active Directory?
  • How do trustmarks relate to blockchain technologies?

What is a trustmark?

A trustmark is a machine-readable assertion that an organization, system, or endpoint has satisfied specific trust and interoperability requirements. Trustmarks provide verifiable evidence that the subject has been assessed against published criteria and is operating in a manner consistent with a defined standard or policy.

What is the trustmark framework?

The trustmark framework is a modular model for defining, publishing, assessing, and verifying trust and interoperability requirements across digital ecosystems. It provides structured artifacts — trustmark definitions and trust interoperability profiles — combined with assessment and validation processes to enable scalable and dynamic trust management within and across communities.

How do trustmarks improve digital trust within a community of interest?

Trustmarks allow communities to formalize and verify trust requirements in a transparent and consistent manner. They make it possible to automate trust decisions based on verifiable assertions rather than informal agreements, thereby improving the scalability, rigor, and adaptability of trusted interactions within a community.

What is the Trustmark Initiative, and what role does it play?

The Trustmark Initiative serves as the technical steward of the trustmark framework. It publishes and maintains the Trustmark Framework Technical Specification, provides implementation guidance, develops open-source trustmark tools, and supports the instantiation of communities of interest. It does not govern individual communities or make policy decisions for them.

What trustmark tools are available to implementers?

The trustmark framework is supported by several open-source tools, including:

  • Trust Policy Authoring Tool (TPAT) — used to define and publish trustmark definitions and trust interoperability profiles.
  • Trustmark Assessment Tool (TAT) — used to conduct assessments and issue trustmarks based on assessment results.
  • Trustmark Binding Registry (TBR) — used to maintain a registry of organizations, their endpoints, and the trustmarks associated with them.
  • Trustmark Relying Party Tool (TRPT) — used to make operational trust decisions by evaluating trustmarks presented by other entities.

How can organizations deploy trustmark tools within their environments?

Organizations can deploy trustmark tools independently or as part of a coordinated community infrastructure. Deployment guidance for each tool is available in the respective Trustmark Initiative GitHub repositories. Each tool is designed for modular deployment and can be adapted to different operational models depending on the organization’s role within a trust community.

How does the Trustmark Initiative relate to individual communities that use trustmarks?

The Trustmark Initiative provides technical infrastructure, specifications, and guidance to support communities, but it does not govern individual communities. Each community of interest is responsible for defining its own trust policies, membership criteria, and governance processes.

How do communities decide which trustmarks are required for participation?

Each community establishes its own trust requirements by defining trust interoperability profiles. These profiles specify which trustmarks an organization must possess in order to participate in specific transactions, services, or federated activities within the community.

How does an assessor become authorized to issue trustmarks within a community?

Communities control which assessors are recognized as authorized trustmark providers. Typically, a governance process determines eligibility criteria, qualifications, and any necessary approval processes for assessors to issue trustmarks that are recognized within the community’s trustmark binding registry.

Can organizations define their own trust policies beyond what the community requires?

Yes. Organizations are encouraged to publish their own trust policies, which may adopt, extend, or refine the community’s baseline requirements. This is typically done by authoring and publishing organization-specific trust interoperability profiles that incorporate community profiles by reference and add organization-specific requirements where needed.

What happens if a trustmark needs to be revoked?

Trustmarks are always published and controlled by the issuing trustmark provider, using a trustmark assessment tool instance. If a trustmark needs to be revoked — for example, if a participant no longer satisfies the required criteria — the issuer can remove it from publication, thereby invalidating the trustmark for relying parties. Trustmark relying party tools and trustmark binding registries detect such changes automatically.
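As an added illustration (not code from the Trustmark Initiative or its tools), the following Python example models how a relying party could combine the answers above: an organization profile that incorporates a community profile by reference, a community-controlled list of authorized assessors, and revocation by removal from publication. The data model, identifiers, and function names are assumptions made for this example and do not follow the formats of the Trustmark Framework Technical Specification.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Trustmark:
    id: str          # identifier the issuer publishes the trustmark under
    definition: str  # trustmark definition the recipient was assessed against
    issuer: str      # trustmark provider (assessor) that issued it
    recipient: str   # organization the trustmark is bound to

@dataclass
class Profile:
    """Simplified trust interoperability profile (assumed model, all-of semantics)."""
    definitions: set = field(default_factory=set)  # required trustmark definitions
    includes: list = field(default_factory=list)   # profiles incorporated by reference

def required_definitions(name, profiles, path=()):
    """Flatten a profile and every profile it incorporates; reject reference cycles."""
    if name in path:
        raise ValueError(f"profile reference cycle at {name}")
    needed = set(profiles[name].definitions)
    for ref in profiles[name].includes:
        needed |= required_definitions(ref, profiles, path + (name,))
    return needed

def evaluate(recipient, profile, profiles, presented, authorized, published):
    """Return (satisfied, missing definitions). A trustmark counts only if it is
    bound to the recipient, was issued by an assessor the community authorizes,
    and is still published by its issuer (absence is treated as revocation)."""
    valid = {t.definition for t in presented
             if t.recipient == recipient
             and t.issuer in authorized
             and t.id in published}
    missing = required_definitions(profile, profiles) - valid
    return (not missing, sorted(missing))

# Constructed sample data: every identifier below is hypothetical.
PROFILES = {
    "community-baseline": Profile({"td:mfa", "td:audit-logging"}),
    "org-policy": Profile({"td:encryption-at-rest"}, ["community-baseline"]),
}
AUTHORIZED = {"assessor-a"}
PRESENTED = [
    Trustmark("tm-1", "td:mfa", "assessor-a", "agency-x"),
    Trustmark("tm-2", "td:audit-logging", "assessor-a", "agency-x"),
    Trustmark("tm-3", "td:encryption-at-rest", "assessor-b", "agency-x"),
]
PUBLISHED = {"tm-1", "tm-2", "tm-3"}
```

With this data, `agency-x` satisfies the community baseline but not `org-policy`, because `tm-3` comes from an assessor the community has not authorized; dropping `tm-1` from the published set makes the baseline fail as well.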

What pilots or operational implementations have demonstrated the trustmark framework?

Two major pilots have demonstrated the trustmark framework. The Interop22 testbed showcased dynamic trustmark-based authentication and authorization in a federated environment using WebAuthn and PIV-I credentials. The Texas operational pilot validated the trustmark framework’s use in real-world agency environments, with more than 1,700 trustmarks issued to support trusted information sharing among public safety organizations.

How scalable is the trustmark framework for large communities or ecosystems?

The trustmark framework is designed for high scalability. Because trustmarks are modular, machine-readable, and can be validated dynamically, the framework supports large numbers of participants, trust relationships, and evolving policy requirements without the need for centralized manual administration.

How do trustmarks relate to cloud computing?

Trustmarks provide a scalable way to validate whether cloud services and providers meet specified cybersecurity, privacy, and interoperability standards. Cloud service providers can obtain trustmarks that attest to compliance with defined trust criteria, making it easier for relying parties to assess and verify trustworthiness in cloud environments.

How do trustmarks relate to single sign-on (SSO)?

Trustmarks complement federated single sign-on (SSO) by providing structured assurance that identity providers (IDPs) and service providers (SPs) meet specific trust requirements. This strengthens the security of federated identity systems by verifying the policies, practices, and technical capabilities of participating entities.

How do trustmarks relate to LDAP and Active Directory?

Trustmarks complement Lightweight Directory Access Protocol (LDAP) and Active Directory environments by externally validating that organizational attributes, credentials, or access control information are properly sourced and asserted when shared with external partners. Trustmarks provide an additional layer of assurance about the integrity and management of directory-based attributes across organizational boundaries.

How do trustmarks relate to blockchain technologies?

Trustmarks and blockchain represent fundamentally different models for establishing digital trust. Trustmarks focus on verifying compliance with trust and interoperability requirements defined through a managed governance process within a community. Blockchain focuses on achieving decentralized consensus without a managed governance structure. In general, trustmarks and blockchain address different use cases, and in scenarios where trustmarks are applicable, incorporating blockchain typically offers little or no additional benefit.

Copyright © 2025