Public Key Infrastructure:

Examples of Risks and Internal Control Objectives Associated with Certification Authorities

GAO-04-1023R: Published: Aug 10, 2004. Publicly Released: Sep 9, 2004.


Keith A. Rhodes
(202) 512-6412


Office of Public Affairs
(202) 512-4800

This letter is in response to a Congressional request that we examine our advice to executive branch agencies regarding commercial managed service public key infrastructure (PKI) solutions to see if the advice is consistent with current federal policy and private sector best practices. Specifically, over the past several years, staff from various agencies have asked for informal advice on these matters. Our informal advice was based on the control environment described to us by the agencies. This control environment, which is discussed later in this letter, resulted in the informal advice that the agencies may incur a greater burden in ensuring that a contract certification authority whose certificates are used in financial management applications has implemented an adequate system of internal controls than would be necessary if the certification authority were implemented internally. However, if agencies are willing to accept this potential increased burden by accepting and mitigating the potential risks (not all of which may be known and understood at this time) associated with contracting out to commercial certification authorities, a certification authority may be able to provide the same level of security assurances as an internal certification authority. One key aspect of mitigating the risk will be the close involvement of agency personnel in the commercial implementation. We also told the agencies that until we were formally requested by an agency to review a commercial service provider's system, we could not express a formal position. To date, we have not received such a request.
