
Information Security: Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology

GAO-01-277 Published: Feb 26, 2001. Publicly Released: Feb 26, 2001.

Highlights

The federal government must overcome several major challenges before public key infrastructure (PKI) technology can be widely and effectively used. These challenges include providing interoperability among agency PKIs, ensuring that PKI implementations can support a potentially large population of users, reducing the cost of building PKI systems, setting policies to maintain trust levels among agencies, and establishing training programs for users at all levels. Although such challenges are difficult to overcome in the near term, the federal government can take steps to better assist agencies in developing and implementing PKIs that may eventually be interconnected into a federal governmentwide system. The recent effort to develop a Federal Bridge Certification Authority (FBCA) is an excellent first step in this direction, but this effort lacks the context of a well-defined program plan for the government as well as key policy and technical standards. Establishing a federal PKI management framework could facilitate and accelerate participation in the FBCA as well as overall federal adoption of a key technology for enabling electronic government.

Recommendations

Recommendations for Executive Action

Agency Affected: Office of Management and Budget
Recommendation: To construct this framework, the Director, OMB, should ensure the development and periodic review of technical guidance, such as high-level application programming interfaces, as use of PKI technology in the public and private sectors broadens and standards develop and mature.
Status: Closed – Implemented
Comments: In December 2003, OMB issued policy guidance on electronic authentication that establishes and describes four levels of identity assurance for electronic transactions requiring authentication. In conjunction with that guidance, in June 2004, NIST issued the Electronic Authentication Guideline to provide technical guidance to federal agencies implementing electronic authentication. The NIST guidance defines technical requirements for each of the four levels of assurance defined in the OMB policy, specifying ways in which PKI technology could be used to meet the requirements of each of the four assurance levels.

Agency Affected: Office of Management and Budget
Recommendation: To construct this framework, the Director, OMB, should ensure the preparation of a program plan for the federal PKI, including implementation of the FBCA. The program plan should define roles and responsibilities among participating agencies and identify milestones and resources needed to develop, deploy, and maintain a federal PKI and associated applications, including the need for PKI-related training.
Status: Closed – Implemented
Comments: The e-Authentication governmentwide initiative, led by GSA, has developed specific implementation milestones, a financing strategy, and responsibilities among participating agencies. As with all IT funding requests, requests for PKI funds are a part of OMB's review of an agency's IT portfolio. OMB is supplementing this work by working with the Federal PKI Steering Committee to refine a program plan. In addition, the Federal PKI Policy Authority (FPKIPA), which sets policy governing the operation of the Federal Bridge Certification Authority, has issued a draft Federal PKI Memorandum of Agreement and By-Laws and Operational Procedures/Practices for the FPKIPA.

Agency Affected: Office of Management and Budget
Recommendation: To construct this framework, the Director, OMB, should ensure, through ongoing oversight of federal information security activities, that agencies are adhering to federal PKI policy and technical guidance, including providing justification for nonparticipation in the FBCA.
Status: Closed – Implemented
Comments: OMB has directed agencies to implement NIST security guidelines, including their guidelines on PKI. If agencies decide to implement stronger controls than recommended in NIST guidance, agencies are instructed to report those decisions to OMB. In response to our recommendation, OMB has exercised oversight of agency adherence to e-Authentication guidance, which includes PKI. It has exercised this oversight through its quarterly e-Government scorecard for each agency.

Agency Affected: Office of Management and Budget
Recommendation: In implementing these recommendations, OMB should work with other key federal organizations, especially the CIO Council, FPKISC, and NIST, to ensure broad acceptance within the federal government.
Status: Closed – Implemented
Comments: OMB, in response to GAO's recommendation, issued a memorandum on July 3, 2003 that required agencies to participate in the development of a common policy for authentication and identity management, which includes the development of a common, comprehensive policy for the credentialing of federal employees through the efforts of the Federal Identity and Credentialing Committee (FICC). As a result, OMB is coordinating with key federal organizations through the efforts of the FICC, which drafted a policy framework for authentication and identity management to ensure that agencies would deploy PKI technology based on established guidance and standards established by the FPKISC, NIST, and the CIO Council.

Agency Affected: Office of Management and Budget
Recommendation: Although federal agencies are accountable for assessing their own information security risks and determining what measures they will take in response, the Office of Management and Budget (OMB) has statutory responsibility to develop and oversee policies, principles, standards, and guidelines used by agencies for ensuring the security of federal information and systems. As such, the Director, OMB, should establish a governmentwide framework to provide agencies with direction for implementing PKIs. Recognizing the government's evolving efforts in implementing PKI technology, OMB's framework should encompass initiatives currently being developed by the Chief Information Officers Council (CIO Council), such as the activities of the Federal PKI Steering Committee (FPKISC) and the FBCA, as well as existing guidance related to PKI issued by the National Institute of Standards and Technology (NIST) and the Department of Justice.
Status: Closed – Implemented
Comments: On July 3, 2003, OMB issued a memorandum to major departments and agencies that called for the consolidation of agency investments in credentials and PKI services as part of an effort to streamline authentication and identity management across government. The memo also requires agencies to consult with the Federal Identity and Credentialing Committee--formerly known as the Federal PKI Steering Committee--before acquiring authentication technologies. Agencies also were tasked with following governmentwide authentication guidance established by GSA and NIST and complying with that guidance by no later than 2006. By taking this action, OMB has coordinated authentication and identity management practices as well as established a framework for implementing PKI across government.

Agency Affected: Office of Management and Budget
Recommendation: To construct this framework, the Director, OMB, should develop federal PKI policy guidance in order to (1) facilitate the use of PKI, (2) ensure that agency PKI applications meet consistent levels of security, and (3) reduce the overall risk to the government of developing disparate PKI implementations. The guidance should discuss the full range of policy issues relevant to PKI--including privacy, trust levels, encryption key recovery, and long-term proof of identity and authenticity.
Status: Closed – Implemented
Comments: On July 3, 2003, OMB issued a memorandum to major departments and agencies that called for the consolidation of agency investments in credentials and PKI services as part of an effort to streamline authentication and identity management across government. The memo also created the Federal Identity Credentialing Committee (FICC)--formerly known as the Federal PKI Steering Committee--which is chartered to recommend policies, procedures, and standards to support a Federal Identity Credentialing component of the federal enterprise architecture. The FICC, in conjunction with OMB, GSA, NIST, and other federal agencies, has developed a federal authentication policy framework that applies to all authentication services and processes, including those for deploying a PKI. The policy documents currently issued include (1) OMB E-Authentication Guidance for Federal Agencies (December 2003), (2) NIST Electronic Authentication Guideline (June 2004), (3) GSA E-Authentication Interim Credential Assessment Framework (December 2003), (4) FICC Authentication and Identity Framework for Federal Agencies (July 2004), (5) FICC Guidance Regarding Smart Card Systems for Identification and Credentialing Employees (March 2004), (6) FICC X.509 Certificate Policy for the U.S. PKI Common Policy Framework (February 2004), and (7) X.509 Certificate Policy for the Federal Bridge Certification Authority (September 2002). The above policy documents provide guidance to facilitate the use of PKI, ensure that agency PKI applications meet consistent levels of security, and reduce the overall risk to the government of developing disparate PKI implementations.

Topics

Certification authority, Computer networks, Computer security, Data encryption, E-government, Electronic signatures, Homeland security, Information resources management, Information technology, Interagency relations, Interoperability, Public key infrastructure, Secure sockets layer, Strategic information systems planning, Terrorism