EXECUTIVE SUMMARY
The MBA's wholly owned nonprofit subsidiary Secure Identity Services Accreditation Corporation (SISAC) is responsible for
accrediting digital identity credential issuers for the mortgage industry. On March 10, 2003 the formation of the SISAC organization
was announced at the MBA Technology Convention. Since that time many outstanding issues have been pursued and resolved with
the support and involvement of various mortgage industry organizations. SISAC's work has resulted in the development of an
industry-wide set of policy requirements around secure identity management, a process for accrediting identity credential
issuers, a contract infrastructure to legally bind participants (i.e., Auditor, Issuer, and Relying Party agreements), a gap
analysis comparing SISAC requirements to existing commercial audit processes, and educational information to assist mortgage
organizations in understanding the value of the SISAC solution. In addition, SISAC has strived to mitigate the total cost
associated with accreditation by leveraging as much existing commercial capability as possible.
The mortgage industry, as a whole, has no desire or requirement to develop its own industry specific identity management solution.
Therefore, SISAC has established a framework for the governance (policies and operational rules) of commercial digital identity
credential issuing systems that can be used in support of electronic mortgage applications and processes. Conceptually, this
is described as a “federated” identity framework, as there is no single authority responsible for the issuance of identity
credentials. SISAC has created this federated framework through the establishment of a contract infrastructure that identifies
accredited issuing organizations and binds together all participants that are associated with the use of a SISAC identity
credential. The value of such a framework is that it allows affiliated and non-affiliated organizations to securely execute
electronic transactions without having to rely on one specific identity credential provider. In addition, the framework
allows for industry market forces to dictate the appropriate operational cost for identity management by promoting competition
amongst the accredited identity credential providers.
SISAC's framework is based on minimum standards for the four major components of an identity management solution, specifically
a Public Key Infrastructure (PKI): Identification & Authentication (I&A), Issuance, Validation, and Publication. Once a commercial
identity credential provider has demonstrated that its PKI meets the minimum standards for these components, it will receive
an official SISAC accreditation certificate. SISAC certifications will be administered through a contract arrangement with
approved auditing firms that have nationwide capacity. SISAC certifications are equally applicable to both the commercial and residential
industries, as the certification focuses on enterprise-wide PKI programs and not transaction-based programs. Further, and
to promote interoperability outside the mortgage industry, SISAC's PKI standards are modeled after the U.S. Federal PKI standards.
In some cases, however, SISAC defined additional requirements that are not addressed in the Federal requirements. For example,
SISAC has defined financial liability requirements for an Accredited Issuing Authority (AIA), while the Federal standard defines
none.
SISAC has focused on the liability that an AIA must assume in order for credentials issued by that AIA to be usable by, and
interoperable with, the majority of real-estate relying parties. Liability is further defined in the SISAC requirements as
an aggregate errors and omissions (E&O) insurance amount that must be maintained by AIAs, where the specific dollar amount
is based on the level of credential the AIA issues (i.e., higher assurance levels for identity credentials require higher
insurance amounts). By claiming liability for the credentials they issue, AIAs effectively communicate to the mortgage industry's
relying parties that the AIA has “put skin into the game” and financially backs the credentials it issues. It also reinforces
that an AIA complies with the standardized SISAC policies and procedures, and that an insurance company believes strongly
enough in the AIA to cover a claim that may be made against a failure to perform its stated practices.
All SISAC requirements, which include a contract infrastructure to establish a common identity trust network for the mortgage
industry, are documented in a Certificate Policy Requirements Document (CPRD). This CPRD defines the minimum set of secure
identity credential requirements that must be met in order for an organization to become an AIA or related PKI Service Provider.
The CPRD also describes the roles, responsibilities, and relationships of these parties and establishes the rules, procedures
and requirements for the issuance, acquisition, management and use of identity credentials to verify digital signatures and
to sign, encrypt and authenticate electronic communications and digital documents.