Public Key Infrastructure:

Examples of Risks and Internal Control Objectives Associated with Certification Authorities

GAO-04-1023R: Published: Aug 10, 2004. Publicly Released: Sep 9, 2004.

Contact:

Keith A. Rhodes
(202) 512-6412
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

This letter is in response to a Congressional request that we examine our advice to executive branch agencies regarding commercial managed service public key infrastructure (PKI) solutions to see if the advice is consistent with current federal policy and private sector best practices. Specifically, over the past several years, staff from various agencies have asked for informal advice on these matters. Our informal advice was based on the control environment described to us by the agencies. This control environment, which is discussed later in this letter, resulted in the informal advice that the agencies may incur a greater burden in ensuring that a contract certification authority whose certificates are used in financial management applications has implemented an adequate system of internal controls than would be necessary if the certification authority were implemented internally. However, if agencies are willing to accept this potential increased burden by accepting and mitigating the potential risks (not all of which may be known and understood at this time) associated with contracting out, a commercial certification authority may be able to provide the same level of security assurances as an internal certification authority. One key aspect of mitigating the risk will be the close involvement of agency personnel in the commercial implementation. We also told the agencies that until we were formally requested by an agency to review a commercial service provider's system, we could not express a formal position. To date, we have not received such a request.
