Public Key Infrastructure:
Examples of Risks and Internal Control Objectives Associated with Certification Authorities
GAO-04-1023R: Published: Aug 10, 2004. Publicly Released: Sep 9, 2004.
This letter is in response to a Congressional request that we examine our advice to executive branch agencies regarding commercial managed service public key infrastructure (PKI) solutions to see if the advice is consistent with current federal policy and private sector best practices. Specifically, over the past several years, staff from various agencies has asked for informal advice on these matters. Our informal advice was based on the control environment described to us by the agencies. This control environment, which is discussed later in this letter, resulted in the informal advice that the agencies may incur a greater burden in ensuring that a contract certification authority whose certificates are used in financial management applications has implemented an adequate system of internal controls than would be necessary if the certification authority were implemented internally. However, if agencies are willing to accept this potential increased burden by accepting and mitigating the potential risks (not all of which may be known and understood at this time) associated with commercial certification authorities contracting out, a certification authority may be able to provide the same level of security assurances as an internal certification authority. One key aspect of mitigating the risk will be the close involvement of agency personnel in the commercial implementation. We also told the agencies that until we were formally requested by an agency to review a commercial service provider's system, we could not express a formal position. To date, we have not received such a request.