The BBFA has an evolving organisational design to cover six main areas:
- Governance. BBFA Steering Group of End User companies.
- Fiduciary. BBFA Ltd provides the commercial, financial and secretariat support.
- Policy Generation.
  - Working groups. The BBFA Commercial Working Group
  - Policy management authorities (see below).
  - Service Providers WG comprising service providers that want to federate.
- Federation Consortia. The investment and delivery consortia to build collaborative capabilities that HMG cannot afford or does not wish to build.
- Support. Project management, design authority, government liaison, vendor liaison, business development.
- Operations. Audit, accreditation, dispute resolution, trust & identity repair.

Four Policy Management Authorities (PMAs) exist today:
- Federation PMA. To develop and manage the federation policies based on the Kantara Identity Assurance Framework and ISO 29115. Some members are also national representatives on SC27 WG5.
- Identity Proofing & Verification PMA. To develop a UK IPV Framework that maps onto the four Levels of Assurance, and supports identity proofing and verification of employees.
  - The resulting IPV Framework should become a BSI British Standard (or an HMG contractual requirement) in the same way that the US and Canada are developing equivalent standards.
  - These national IPV standards are designed to be compliant with the international ISO/IEC 29003 - Identity Proofing & Verification, for people, devices, organisations and software, thus enabling international federation.
  - The OrganisationalID policies will be used to support the enrolment and registration of employing organisations into ROLO (Register of Legal Organisations), prior to the issuance of credentials to their employees.
  - The DeviceID will be used to support the enrolment and registration of devices. The current focus is limited to Trusted Platform Module (TPM), which is driven by a business requirement to establish a binding between Level 3 PKI federated hardware tokens and an associated Intel TPM platform. Other forms of device authentication at a lower Level of Assurance are expected to come into scope in 2013, depending on HMG intentions.
- Secure Email. Based on PKI Federation and product agnostic, Secure Email supports end-to-end encryption, enterprise gateway filtering and more. The solution has been successfully piloted by UK MOD for operation at IL3. An earlier version is in operational use in 4 nations.
- Energy. Its focus is upon the federated trust needs of the energy sector. This includes employee and device authentication for Smart Metering and Smart Grid.