Governmental Trust Anchor Bundle

Governmental Trust Community

There is mutual benefit for members of both governmental agencies – federal, state, local – and private sector health care organizations to exchange health information between the two communities via the Direct Messaging standards and protocols.  DirectTrust members in the private sector already utilize the DirectTrust Accredited Trust Anchor Bundle to support exchange of Direct messages and attachments among their subscribers and end users.  Several federal agencies have expressed interest in becoming members of the DirectTrust community, and they want to rely upon the DirectTrust Security and Trust Framework, accreditation programs, and trust bundle operations for the purpose of facilitating trusted relationships between themselves and private sector HISPs and their customers.

Because these federal agencies generally require identity security and trust policies and controls that are stronger than those supported by the DirectTrust framework and asserted by inclusion in the DirectTrust Accredited Trust Anchor Bundle, there is a recognized need for a new trust bundle that captures these additional requirements.  (See: “Federal Health Architecture Directed Exchange Guidelines,” May, 2015, and the “Federal Health Architecture Federal Directed Exchange Trust Framework,” January, 2015.)

The key value proposition of the DirectTrust Governmental Trust Anchor Bundle (GTAB) is to facilitate voluntary, interoperable Direct Message exchange between governmental agencies and private sector members of the DirectTrust community.  The DirectTrust Governmental Trust Anchor Bundle creates a single community of trust shared by participating governmental agencies and private sector provider organizations.

All participants in this bundle must successfully achieve DTAAP accreditation status, meet all of the requirements of the Accredited Trust Anchor Bundle Standard Operating Procedures, and meet the set of profile requirements described by the GTAB’s standard operating procedure (SOP).

HISP-Anchor Inclusion Requirements

Trust anchors are submitted to the DirectTrust Trust Network Services web site with these required materials:

  • Executed copy of the DirectTrust Federated Services Agreement from both the submitting HISP and from the relied-upon certificate and registration authority. If the HISP and certificate authority represent the same entity, then only the single executed agreement is necessary.
  • All trust anchor file(s)
  • Sample end entity certificate pair(s) chaining to each trust anchor. Each pair must consist of one certificate asserting the digital signature key usage attribute and the other asserting the key encipherment key usage attribute.
    • An example of each certificate type that will be issued by the trust anchor should be submitted. Certificate types include:
      • Org level certs
      • Address level certs
    • Example of Address level cert with validated National Provider Identifier (for NPI holders only). Both provider and organization NPIs are valid.  HISPs are not required to deploy Address level certificates with validated NPI attributes in production, but MUST prove that they have the ability to do so in the correct format.
  • CRLs from your anchor taken at two separate publication times.
  • If the sample end entity certificates do not directly chain to the submitted anchors, all intermediate issuing certificates in the certificate chain between the anchors and end entity certificates must be submitted.
  • A list of all current intermediate CAs. This list must contain the common name of each intermediate CA.
  • Completed application including conformance attestation to PKI requirements.
  • All necessary certificates that build a path from the anchor up to a specific FBCA cross certificate. The chain will take the form of a PKCS7 container of certificates.

All of these documents and more can be found on the Application Page.

Requirements

Bundle inclusion requirements are explicitly outlined in the DirectTrust Governmental Trust Anchor Bundle SOP.  At a high level, they consist of two parts:

  • Baseline trust anchor approval consisting of a review of artifacts and inspection of submitted anchors and end entity certificates
  • Validation Interoperability Testing

Governmental Trust Anchor Bundle Download

This bundle contains anchors for HISPs that are accredited.

Governmental Trust Anchor Bundle Members

| HISP Name/ID | Anchor CN | CA Operator | RA Operator | CP Compliance | LOA | Certificate type(s) | Federated |
|---|---|---|---|---|---|---|---|
| EMRDirect | DigiCert Governmental Direct CA | DigiCert | DigiCert | DirectTrust CP 1.2 | DT LoA 3 | Org and Address Level | Y |
| MaxMD | DigiCert Governmental Direct CA | DigiCert | DigiCert | DirectTrust CP 1.2.1 | DT LoA 3 | Org and Address Level | Y |
| iShare Medical | iShare Medical Direct Intermediate CA | DigiCert | DigiCert | DirectTrust CP 1.2 | DT LoA 3 | Org and Address Level | Y |
| Surescripts | DigiCert Governmental Direct CA | DigiCert | DigiCert | DirectTrust CP 1.2 | DT LoA 3 | Org and Address Level | Y |