GAO-04-157, Information Security: Status of Federal Public Key Infrastructure Activities at Major Federal Departments and Agencies


This is the accessible text file for GAO report number GAO-04-157 
entitled 'Information Security: Status of Federal Public Key 
Infrastructure Activities at Major Federal Departments and Agencies' 
which was released on January 14, 2004.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to the Committee on Government Reform and the Subcommittee on 
Technology, Information Policy, Intergovernmental Relations and the 
Census, House of Representatives:

December 2003:

INFORMATION SECURITY:

Status of Federal Public Key Infrastructure Activities at Major Federal 
Departments and Agencies:

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-157] GAO-04-157:

GAO Highlights:

Highlights of GAO-04-157, a report to the House Committee on 
Government Reform and the Subcommittee on Technology, Information 
Policy, Intergovernmental Relations and the Census 

Why GAO Did This Study:

The federal government is increasingly using online applications to 
provide access to information and services and to conduct internal 
business operations. In light of this trend, strong security 
assurances are needed to properly safeguard sensitive, personal, and 
financial data, in part by ensuring that the identities of those who 
use such applications are appropriately authenticated. When fully and 
properly implemented, public key infrastructure (PKI) offers many of 
these assurances. In 2001, GAO reported that the federal government 
faces a number of challenges in deploying PKI technology (GAO-01-277). 
GAO was requested to follow up this work by (1) determining the status 
of federal PKI activities, including initiatives planned or under way 
at 24 major federal departments and agencies, as well as the status 
and planned activities of the Federal Bridge Certification Authority 
(FBCA) and Access Certificates for Electronic Services (ACES) 
programs, and (2) identifying challenges encountered by the 24 
agencies in implementing PKI initiatives since the 2001 report was 
issued.

In commenting on a draft of this report, GSA and OMB officials 
generally agreed with its content and conclusions. Technical comments 
provided by OMB have been addressed as appropriate.

What GAO Found:

PKI and its associated hardware, software, policies, and people can 
provide greater security assurances than simpler means of 
authenticating identity, such as passwords. In pursuit of these 
benefits, 20 of the 24 agencies reported that they are undertaking a 
total of 89 PKI initiatives. The 89 initiatives are at various stages 
of development, and collectively they represent a significant 
investment, estimated at about $1 billion. In addition, the 
governmentwide FBCA and ACES programs continue to promote the adoption 
and implementation of PKI, but these programs have seen mixed progress 
and results. The level of participation in the FBCA, which provides a 
means to link independent agency PKIs into a broader network, is the 
same as in 2001—four agencies have been certified as meeting technical 
and security requirements to interconnect through the network. 
Additional organizations are planning to participate in the future, 
including four federal agencies and some nonfederal organizations, 
such as the state of Illinois, the Canadian government, and 
educational consortiums. Similarly, the ACES program, which offers 
agencies various PKI services through a General Services 
Administration (GSA) contract, has seen lower than expected 
participation by federal agencies. GSA plans to revise the pricing 
structure associated with the ACES program to encourage participation.

PKI implementation continues to pose major challenges for agencies, 
which are shown in the table. Many of these challenges are similar to 
those identified in GAO’s 2001 report. In that report, GAO recommended 
that the Office of Management and Budget (OMB), working with other key 
federal entities, take action to address these challenges, including 
establishing a governmentwide framework of policy and technical 
guidance and a program plan for the federal PKI. GAO also recommended 
that OMB take steps to ensure that agencies adhere to federal PKI 
guidance. OMB has not yet fully addressed the recommendations related 
to the construction of a PKI policy framework, but it issued a policy 
memorandum in July 2003 that lays out steps for consolidating 
investments related to authentication and identity management 
processes across government.

www.gao.gov/cgi-bin/getrpt?GAO-04-157.

To view the full product, including the scope and methodology, click 
on the link above. For more information, contact Linda Koontz at (202) 
512-6240 or koontzl@gao.gov.

[End of section]

Contents:

Letter: 

Appendix:

Appendix I: Status of Federal Public Key Infrastructure Activities at 
24 Major Federal Departments and Agencies: 

Abbreviations: 

ACES: Access Certificates for Electronic Services:

FBCA:  Federal Bridge Certification Authority: 

GSA:  General Services Administration: 

NIST: National Institute of Standards and Technology:

OMB:  Office of Management and Budget: 

PKI:  public key infrastructure:

Letter December 15, 2003:

The Honorable Tom Davis: 
Chairman, Committee on Government Reform: 
House of Representatives:

The Honorable Adam H. Putnam: 
Chairman, Subcommittee on Technology, Information Policy, 
Intergovernmental Relations and the Census:  
Committee on Government Reform: 
House of Representatives:

Increasingly, the federal government is using the World Wide Web and 
other Internet-based applications to provide online public access to 
information and services as well as to improve internal business 
operations. To properly conduct communications and transactions with 
the government over the Internet may require security assurances that 
go beyond simple security measures--such as passwords--to properly 
safeguard sensitive, personal, and financial data. Public key 
infrastructure (PKI)[Footnote 1] offers many of the security assurances 
that, when fully and properly implemented, can protect online 
communications and transactions. In 2001, we reported that the federal 
government must address a number of challenges before PKI technology 
can be effectively deployed, including providing well-defined PKI 
policies and guidance; addressing funding constraints; ensuring 
interoperability; and managing training and administrative 
problems.[Footnote 2] This report responds to your request that we 
(1) determine the status of federal PKI activities, including 
initiatives planned or under way at 24 major federal departments and 
agencies,[Footnote 3] as well as the status and planned activities of 
the Federal Bridge Certification Authority (FBCA) and Access 
Certificates for Electronic Services (ACES) programs, and (2) identify 
challenges encountered by these 24 agencies in implementing PKI 
initiatives since our 2001 report was issued.

To address these objectives, we conducted a structured query at 24 
major federal departments and agencies to obtain up-to-date information 
on PKI initiatives planned or under way across government since 2001, 
including information on the costs associated with PKI projects, the 
number of certificates issued, and other details on project-related 
issues. As part of the query, we obtained information on key challenges 
to implementing and deploying PKI technology. We also interviewed key 
officials responsible for or involved in the FBCA and ACES programs to 
obtain information on the status of PKI activities. In addition, we 
conducted follow-up discussions with selected agency officials to 
verify or clarify their responses to the query as needed. All 24 
agencies responded to our query. We did not independently verify the 
information provided by agencies. Our evaluation work was completed 
between November 2002 and July 2003 in accordance with generally 
accepted government auditing standards.

On September 12, 2003, we provided your staff with a briefing on the 
results of our study. The slides from that briefing[Footnote 4] are 
included as appendix I to this report. The purpose of this report is to 
provide you with the published briefing slides.

In summary, we found that of the 24 agencies involved in our query, 20 
are pursuing a total of 89 PKI initiatives. The 89 initiatives are at 
various stages of development, and collectively they represent a 
significant investment, estimated at about $1 billion. In addition, the 
governmentwide FBCA and ACES programs continue to promote the adoption 
and implementation of PKI, but these programs have seen mixed progress 
and results. The level of participation in the FBCA, which provides a 
means to link independent agency PKIs into a broader network, is the 
same as in 2001--four agencies are certified to operate through the 
network. Additional agencies are planning to participate in the future, 
as well as nonfederal organizations, such as the state of Illinois, the 
Canadian government, and educational consortiums. Similarly, the ACES 
program, which offers agencies various PKI services through a General 
Services Administration (GSA) contract, has garnered lower than 
expected participation among federal agencies. GSA plans to revise the 
pricing structure associated with the ACES program to improve 
participation levels.

PKI implementation continues to pose major challenges for agencies, and 
many of these challenges are similar to those identified in our 2001 
report. The challenges identified by agencies involved in our query 
fell into the following general categories:

* Policy and guidance. These are lacking or ill-defined in a number of 
areas, including both technical standards and legal issues.

* Funding. Besides the high costs associated with the technology, cost 
models are lacking that would aid budgeting, and cost is increased when 
systems must be designed to accommodate the uncertainty associated with 
undefined standards.

* Interoperability. Integrating PKI systems with other systems (such as 
network, security, and operating systems) often requires significant 
changes or even replacement of existing systems.

* Training and administration. Training is required for personnel to 
use and manage PKI, and basic PKI requirements and processes impose 
significant administrative burdens.

In 2001, we recommended that the Office of Management and Budget (OMB)-
-working with other key federal entities, such as the Chief Information 
Officers (CIO) Council and the National Institute of Standards and 
Technology (NIST)--take action to address the PKI implementation 
challenges that we had identified, including establishing a 
governmentwide framework of policy and technical guidance and a program 
plan for the federal PKI. We also recommended that OMB take steps to 
ensure that agencies adhere to federal PKI guidance.

OMB has not yet fully addressed our recommendations related to the 
construction of a framework of policy and technical guidance for PKI, 
but it issued a policy memorandum in July 2003 that lays out steps for 
consolidating investments related to authentication and identity 
management processes across government, including a timetable for 
consolidation of agency investments in identity credentials and PKI 
services. Shared service providers were to be selected to manage 
credentials and PKI services by December 2003, and agencies are 
expected to migrate to these services by 2005.

We received oral comments on a draft of this report from GSA's 
Associate Administrator, Office of Governmentwide Policy, and from 
officials of OMB's Office of Information and Regulatory Affairs and its 
Office of General Counsel. Both GSA and OMB generally agreed with the 
content and conclusions in the draft report. Technical comments 
provided by OMB have been addressed as appropriate.

As agreed with your office, unless you publicly announce the contents 
of this report earlier, we plan no further distribution until 30 days 
from the date of this letter. At that time, we will send copies of this 
report to the Ranking Minority Member, House Committee on Government 
Reform; the Ranking Minority Member, Subcommittee on Technology, 
Information Policy, Intergovernmental Relations and the Census, House 
Committee on Government Reform; and other interested congressional 
committees. We will also send copies to the Director of OMB and the 
Administrator of GSA. Copies will be made available to others upon 
request. In addition, this report will be available at no charge on the 
GAO Web site at [Hyperlink, www.gao.gov] www.gao.gov.

Signed by:

If you have any questions concerning this report, please call me at 
(202) 512-6240 or send e-mail to [Hyperlink, koontzl@gao.gov] 
koontzl@gao.gov. Other major contributors to this report included 
Theresa Canjar, Barbara Collier, John de Ferrari, Vijay D'Souza, Steven 
Law, and Yvonne Vigil.

Linda D. Koontz: 
Director, Information Management Issues:

Signed by Linda D. Koontz: 

[End of section]

Appendixes: 

Appendix I: Status of Federal Public Key Infrastructure Activities at 
24 Major Federal Departments and Agencies:

[See PDF for image] 

[End of figure]

[End of section]

(310390):

FOOTNOTES

[1] PKI is a system of hardware, software, policies, and people that, 
when fully and properly implemented, can provide a suite of information 
security assurances--including confidentiality, data integrity, 
authentication, and nonrepudiation--that are important in protecting 
sensitive communications and transactions. 

[2] U.S. General Accounting Office, Information Security: Advances and 
Remaining Challenges to Adoption of Public Key Infrastructure 
Technology, GAO-01-277 (Washington, D.C.: Feb. 26, 2001).

[3] Major federal departments and agencies included the 24 
organizations subject to the Chief Financial Officers Act at the time 
we began our review; these do not include the newly established 
Department of Homeland Security. 

[4] We have amended the briefing as of November 25, 2003, to include 
technical corrections and clarifications.

GAO's Mission:

The General Accounting Office, the investigative arm of Congress, 
exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:

U.S. General Accounting Office

441 G Street NW,

Room LM Washington,

D.C. 20548:

To order by Phone:  

 Voice: (202) 512-6000:

 TDD: (202) 512-2537:

 Fax: (202) 512-6061:

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470:

Public Affairs:

Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S.

General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.

20548: