The federal government must overcome several major challenges before public key infrastructure (PKI) technology can be widely and effectively used. These challenges include providing interoperability among agency PKIs, ensuring that PKI implementations can support a potentially large population of users, reducing the cost of building PKI systems, setting policies that maintain consistent trust levels among agencies, and establishing training programs for users at all levels. Although such challenges are difficult to overcome in the near term, the federal government can take steps to better assist agencies in developing and implementing PKIs that may eventually be interconnected into a governmentwide system. The recent effort to develop a Federal Bridge Certification Authority (FBCA) is an excellent first step in this direction, but it lacks the context of a well-defined program plan for the government as well as key policy and technical standards. Establishing a federal PKI management framework could facilitate and accelerate participation in the FBCA as well as overall federal adoption of a key technology for enabling electronic government.
Recommendations for Executive Action
| Agency affected | Recommendation |
|---|---|
| Office of Management and Budget | 1. Although federal agencies are accountable for assessing their own information security risks and determining what measures they will take in response, the Office of Management and Budget (OMB) has statutory responsibility to develop and oversee the policies, principles, standards, and guidelines agencies use to ensure the security of federal information and systems. As such, the Director, OMB, should establish a governmentwide framework to provide agencies with direction for implementing PKIs. Recognizing the government's evolving efforts in implementing PKI technology, OMB's framework should encompass initiatives currently being developed by the Chief Information Officers (CIO) Council, such as the activities of the Federal PKI Steering Committee (FPKISC) and the FBCA, as well as existing PKI-related guidance issued by the National Institute of Standards and Technology (NIST) and the Department of Justice. |
| Office of Management and Budget | 2. To construct this framework, the Director, OMB, should develop federal PKI policy guidance in order to (1) facilitate the use of PKI, (2) ensure that agency PKI applications meet consistent levels of security, and (3) reduce the overall risk to the government of developing disparate PKI implementations. The guidance should address the full range of policy issues relevant to PKI, including privacy, trust levels, encryption key recovery, and long-term proof of identity and authenticity. |
| Office of Management and Budget | 3. To construct this framework, the Director, OMB, should ensure the development and periodic review of technical guidance, such as high-level application programming interfaces, as use of PKI technology in the public and private sectors broadens and standards develop and mature. |
| Office of Management and Budget | 4. To construct this framework, the Director, OMB, should ensure the preparation of a program plan for the federal PKI, including implementation of the FBCA. The program plan should define roles and responsibilities among participating agencies and identify the milestones and resources needed to develop, deploy, and maintain a federal PKI and associated applications, including the need for PKI-related training. |
| Office of Management and Budget | 5. To construct this framework, the Director, OMB, should ensure, through ongoing oversight of federal information security activities, that agencies adhere to federal PKI policy and technical guidance, including providing justification for nonparticipation in the FBCA. |
| Office of Management and Budget | 6. In implementing these recommendations, OMB should work with other key federal organizations, especially the CIO Council, FPKISC, and NIST, to ensure broad acceptance within the federal government. |