Specifications include, but are not limited to: 4.1.1. The vendor must provide services that meet or exceed the standards set forth by NIST IAL2 (National Institute of Standards, Identity Assurance 2) identity verification option that allows individuals to verify their identity without using facial recognition. 4.1.2. The vendor must be responsible with IWD’s customers data. This includes deleting sensitive information before or after 30 days it has been in the possession of the vendor or upon agency request. The data must be stored within the continental United States. 4.1.3. The vendor must provide IWD at least two ways to verify a customer: 4.1.3.1. The customer can be verified on their own free will, a way of self-service and convenience for the customer. This must be done via NIST IAL2 standards and; 4.1.3.2. If a customer lacks credit history, is homeless, or lives outside of the continental US or overseas, they must have the ability to verify with the vendor’s representative and that representative must be a human. 4.1.4. The vendor must allow flexibility for IWD to verify, if needed, customers on their own. The vendor must not interfere with the customer’s right to do the aforementioned. 4.1.5. The vendor must meet or exceed the California Consumer Privacy Act (CCPA) and NIST-800-63 standard. This means that the vendor cannot and will not sell the personal information of IWD’s customers. The vendor must comply with this request by also reporting to FedRAMP officials at least monthly.