Commerce looks outside for security

The Commerce Department released a solicitation this month for commercial

authentication technologies to support its new Web-based time and attendance

system.

Commerce wants to outsource public-key infrastructure (PKI) and certificate

authority (CA) capabilities for the system because the department lacks

the resources for them in-house.

PKI is a system for encrypting, decrypting, signing and verifying information

transmitted via the Internet. A CA issues and manages digital certificates,

which store digital signatures used during electronic transactions.

Commerce expects the vendor to provide up to 1,000 digital certificates

to employees in the Office of the Secretary, said Karen Hogan, Commerce's

acting deputy chief information officer and director of its digital department

program. Those supervisors will use digital signatures in conjunction with

a new time and attendance system to certify that an em-ployee's time sheet

is accurate.

Commerce is piloting the Web-based time and attendance system with the

digital signature capability before it rolls out the system departmentwide

early next year. It will replace a system that stores employee time sheet

information on floppy disks, which are manually combined for payroll, Hogan

said. Commerce is also piloting a "few different digital signature" capabilities

in other offices before taking a departmentwide approach, Hogan said.

Commerce's approach is not unusual, said Richard Guida, chairman of

the Federal PKI Steering Committee. But he said it is important that there

is "the proper level of oversight and control over the contractor so that

the function can be transitioned to a different contractor if the need should

arise."