This is the accessible text file for GAO report number GAO-04-157 entitled 'Information Security: Status of Federal Public Key Infrastructure Activities at Major Federal Departments and Agencies' which was released on January 14, 2004. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. 
Report to the Committee on Government Reform and the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, House of Representatives:

December 2003:

INFORMATION SECURITY: Status of Federal Public Key Infrastructure Activities at Major Federal Departments and Agencies:

GAO-04-157 (www.gao.gov/cgi-bin/getrpt?GAO-04-157):

GAO Highlights:

Highlights of GAO-04-157, a report to the House Committee on Government Reform and the Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

Why GAO Did This Study:

The federal government is increasingly using online applications to provide access to information and services and to conduct internal business operations. In light of this trend, strong security assurances are needed to properly safeguard sensitive, personal, and financial data, in part by ensuring that the identities of those who use such applications are appropriately authenticated. When fully and properly implemented, public key infrastructure (PKI) offers many of these assurances.

In 2001, GAO reported that the federal government faces a number of challenges in deploying PKI technology (GAO-01-277). GAO was requested to follow up this work by (1) determining the status of federal PKI activities, including initiatives planned or under way at 24 major federal departments and agencies, as well as the status and planned activities of the Federal Bridge Certification Authority (FBCA) and Access Certificates for Electronic Services (ACES) programs, and (2) identifying challenges encountered by the 24 agencies in implementing PKI initiatives since the 2001 report was issued.

In commenting on a draft of this report, GSA and OMB officials generally agreed with its content and conclusions. Technical comments provided by OMB have been addressed as appropriate.
What GAO Found:

PKI and its associated hardware, software, policies, and people can provide greater security assurances than simpler means of authenticating identity, such as passwords. In pursuit of these benefits, 20 of the 24 agencies reported that they are undertaking a total of 89 PKI initiatives. The 89 initiatives are at various stages of development, and collectively they represent a significant investment, estimated at about $1 billion.

In addition, the governmentwide FBCA and ACES programs continue to promote the adoption and implementation of PKI, but these programs have seen mixed progress and results. The level of participation in the FBCA, which provides a means to link independent agency PKIs into a broader network through cross-certification with the bridge, is the same as in 2001: four agencies have been certified as meeting the technical and security requirements to interconnect through the network. Additional organizations are planning to participate in the future, including four federal agencies and some nonfederal organizations, such as the state of Illinois, the Canadian government, and educational consortiums. Similarly, the ACES program, which offers agencies various PKI services through a General Services Administration (GSA) contract, has seen lower than expected participation by federal agencies. GSA plans to revise the pricing structure associated with the ACES program to encourage participation.

PKI implementation continues to pose major challenges for agencies. These challenges are summarized in a table in the printed Highlights (not reproduced in this text file) and are listed by category in the letter below. Many of them are similar to those identified in GAO's 2001 report. In that report, GAO recommended that the Office of Management and Budget (OMB), working with other key federal entities, take action to address these challenges, including establishing a governmentwide framework of policy and technical guidance and a program plan for the federal PKI. GAO also recommended that OMB take steps to ensure that agencies adhere to federal PKI guidance.
OMB has not yet fully addressed the recommendations related to the construction of a PKI policy framework, but it issued a policy memorandum in July 2003 that lays out steps for consolidating investments related to authentication and identity management processes across government.

For more information, contact Linda Koontz at (202) 512-6240 or koontzl@gao.gov.

[End of section]

Contents:

Letter:

Appendix:

Appendix I: Status of Federal Public Key Infrastructure Activities at 24 Major Federal Departments and Agencies:

Abbreviations:

ACES: Access Certificates for Electronic Services
FBCA: Federal Bridge Certification Authority
GSA: General Services Administration
NIST: National Institute of Standards and Technology
OMB: Office of Management and Budget
PKI: public key infrastructure

Letter:

December 15, 2003:

The Honorable Tom Davis:
Chairman, Committee on Government Reform:
House of Representatives:

The Honorable Adam H. Putnam:
Chairman, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census:
Committee on Government Reform:
House of Representatives:

Increasingly, the federal government is using the World Wide Web and other Internet-based applications to provide online public access to information and services as well as to improve internal business operations. Properly conducting communications and transactions with the government over the Internet may require security assurances that go beyond simple security measures, such as passwords, in order to safeguard sensitive, personal, and financial data. Public key infrastructure (PKI)[Footnote 1] offers many of the security assurances that, when fully and properly implemented, can protect online communications and transactions.
In 2001, we reported that the federal government must address a number of challenges before PKI technology can be effectively deployed, including providing well-defined PKI policies and guidance; addressing funding constraints; ensuring interoperability; and managing training and administrative problems.[Footnote 2]

This report responds to your request that we (1) determine the status of federal PKI activities, including initiatives planned or under way at 24 major federal departments and agencies,[Footnote 3] as well as the status and planned activities of the Federal Bridge Certification Authority (FBCA) and Access Certificates for Electronic Services (ACES) programs, and (2) identify challenges encountered by these 24 agencies in implementing PKI initiatives since our 2001 report was issued.

To address these objectives, we conducted a structured query at the 24 major federal departments and agencies to obtain up-to-date information on PKI initiatives planned or under way across government since 2001, including information on the costs associated with PKI projects, the number of certificates issued, and other details on project-related issues. As part of the query, we obtained information on key challenges to implementing and deploying PKI technology. We also interviewed key officials responsible for or involved in the FBCA and ACES programs to obtain information on the status of PKI activities. In addition, we conducted follow-up discussions with selected agency officials to verify or clarify their responses to the query as needed. All 24 agencies responded to our query. We did not independently verify the information provided by agencies; the figures in this report (including the number of initiatives, the estimated investment, and the number of certificates issued) are therefore as reported by the agencies themselves. We performed our work between November 2002 and July 2003 in accordance with generally accepted government auditing standards.

On September 12, 2003, we provided your staff with a briefing on the results of our study. The slides from that briefing[Footnote 4] are included as appendix I to this report.
The purpose of this report is to provide you with the published briefing slides.

In summary, we found that of the 24 agencies involved in our query, 20 are pursuing a total of 89 PKI initiatives. The 89 initiatives are at various stages of development, and collectively they represent a significant investment, estimated at about $1 billion. In addition, the governmentwide FBCA and ACES programs continue to promote the adoption and implementation of PKI, but these programs have seen mixed progress and results. The level of participation in the FBCA, which provides a means to link independent agency PKIs into a broader network, is the same as in 2001: four agencies are certified to operate through the network. Additional agencies are planning to participate in the future, as well as nonfederal organizations, such as the state of Illinois, the Canadian government, and educational consortiums. Similarly, the ACES program, which offers agencies various PKI services through a General Services Administration (GSA) contract, has garnered lower than expected participation among federal agencies. GSA plans to revise the pricing structure associated with the ACES program to improve participation levels.

PKI implementation continues to pose major challenges for agencies, and many of these challenges are similar to those identified in our 2001 report. The challenges identified by agencies involved in our query fell into the following general categories:

* Policy and guidance. These are lacking or ill-defined in a number of areas, including both technical standards and legal issues.

* Funding. Besides the high costs associated with the technology, cost models are lacking that would aid budgeting, and cost is increased when systems must be designed to accommodate the uncertainty associated with undefined standards.

* Interoperability. Integrating PKI systems with other systems (such as network, security, and operating systems) often requires significant changes to, or even replacement of, existing systems.

* Training and administration. Training is required for personnel to use and manage PKI, and basic PKI requirements and processes (such as identity proofing of subscribers and life-cycle management of keys and certificates) impose significant administrative burdens.

In 2001, we recommended that the Office of Management and Budget (OMB), working with other key federal entities, such as the Chief Information Officers (CIO) Council and the National Institute of Standards and Technology (NIST), take action to address the PKI implementation challenges that we had identified, including establishing a governmentwide framework of policy and technical guidance and a program plan for the federal PKI. We also recommended that OMB take steps to ensure that agencies adhere to federal PKI guidance. OMB has not yet fully addressed our recommendations related to the construction of a framework of policy and technical guidance for PKI, but it issued a policy memorandum in July 2003 that lays out steps for consolidating investments related to authentication and identity management processes across government, including a timetable for consolidation of agency investments in identity credentials and PKI services. Shared service providers were to be selected to manage credentials and PKI services by December 2003, and agencies are expected to migrate to these services by 2005.

We received oral comments on a draft of this report from GSA's Associate Administrator, Office of Governmentwide Policy, and from officials of OMB's Office of Information and Regulatory Affairs and its Office of General Counsel. Both GSA and OMB generally agreed with the content and conclusions in the draft report. Technical comments provided by OMB have been addressed as appropriate.
As agreed with your office, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the date of this letter. At that time, we will send copies of this report to the Ranking Minority Member, House Committee on Government Reform; the Ranking Minority Member, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, House Committee on Government Reform; and other interested congressional committees. We will also send copies to the Director of OMB and the Administrator of GSA. Copies will be made available to others upon request. In addition, this report will be available at no charge on the GAO Web site at www.gao.gov.

If you have any questions concerning this report, please call me at (202) 512-6240 or send e-mail to koontzl@gao.gov. Other major contributors to this report included Theresa Canjar, Barbara Collier, John de Ferrari, Vijay D'Souza, Steven Law, and Yvonne Vigil.

Signed by Linda D. Koontz:
Director, Information Management Issues:

[End of section]

Appendixes:

Appendix I: Status of Federal Public Key Infrastructure Activities at 24 Major Federal Departments and Agencies:

[Briefing slides not reproduced in this text file; see PDF for image]

[End of figure]

[End of section]

FOOTNOTES

[1] PKI is a system of hardware, software, policies, and people that, when fully and properly implemented, can provide a suite of information security assurances--including confidentiality, data integrity, authentication, and nonrepudiation--that are important in protecting sensitive communications and transactions.

[2] U.S. General Accounting Office, Information Security: Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology, GAO-01-277 (Washington, D.C.: Feb. 26, 2001).
[3] Major federal departments and agencies included the 24 organizations subject to the Chief Financial Officers Act at the time we began our review; these do not include the newly established Department of Homeland Security.

[4] We have amended the briefing as of November 25, 2003, to include technical corrections and clarifications.