Instructions: for getting an app certified. This page used First net as an example.


  • The first principle is that if it is not documented, then it did not happen. Be sure that you have the documentation to provide to the team that certifies the app.
  • Create a good architectural design that includes a risk assessment.
  • Deploy a code management plan so that every line of code can be traced back to a developers check-in.
  • Secure the supply chain and only sign and deploy code that is validated a meeting security risk requirements.
  • Ensure that the user is never asked to agree to (or to sign) any access that they cannot fully understand. Options MUST be in plain language that is clear and easy for a general audience (typically defined to be an 8th grade education) to understand.
  • Protect the user's information assets in a manner consistent with the risk. The user's control of the use of the identifier would require the highest level of protection.


  • Management needs to understand and support the need for secure application development and deployment.
  • The development team needs to understand the commitments which typically will be contained in a Code of Conduct.
The following are souces of material that can be used to establish a code of conduct.

Follow Through

  • After the code has been in the field for a while, it is important to get feedback on real world experiences
  • It is always important to track issues that arise in the field, including attacks on similar code, to be sure that no vulnerabilities or attacks are in progress.
  • The Identity Ecosystem Framework will need fine-grained specifications for applying its principles to specific vertical industry and horizontal community requirements.
  • This Health Care Profile is one of the Framework Profiles that will allow developers of code and user experience to determine if their systems are compliant with the framework.