GSA's digital signature plans hinge on standards

The General Services Administration hopes to award in January a governmentwide contract for digital-signature services to give citizens secure access to private data, but policy-makers at the agency must settle issues related to federal standards before the solicitation can be issued this fall.

Judith Spencer, acting director of GSA's Center for Governmentwide Security, said the contract will offer public-key registration services and certification validation to agencies throughout the federal government. She said GSA's Federal Telecommunications Service will award multiple contracts to vendors, which will issue private-key certificates to citizens - certificates that could be used to gain access to data such as personal earnings or benefits.

For example, the Social Security Administration this year offered citizens online access to their earnings and Social Security benefits statements. But SSA shut down the service in April when news reports showed how easy it was for someone who knew basic information about another individual to access that person's earnings history.

"We are talking about validating the identification of an individual coming into a government agency online," Spencer said. "They would have a certificate and digitally sign requests for information."

Agencies would be billed for each time they use the infrastructure to provide information to the public or to other agencies, she said.

Spencer said the governmentwide approach would benefit the public as well as agencies. Citizens would be able to obtain a single private key that would allow them to certify their identities to all participating federal offices. Agencies would be able to hop onto a pre-existing infrastructure and not bear the expense of building their own, she said.

Certificates to the public will probably be software-based, Spencer said, adding that GSA is still not sure whether to require users to show proof of identification before receiving a certificate. She said a second level of certification will be provided for electronic commerce users; that certification will require a hardware token and in-person identification.

A GSA briefing to agencies this month revealed widespread concern that GSA's plan for a commercial off-the-shelf infrastructure would not adhere to the Federal Information Processing Standard (FIPS) algorithm for digital signatures. Spencer acknowledged that industry has standardized on an algorithm developed by RSA Data Security Inc. that does not conform to federal standards.

Spencer suggested that the issue may be resolved if the National Institute of Standards and Technology proceeds with a plan to incorporate RSA's algorithm into the FIPS.

A NIST spokeswoman said the agency has asked for comments on a proposal "to change the digital signature standard itself to include other algorithms, and RSA is one of those." She said it remains unclear whether NIST will pursue such an action, but she said the comments received so far were "encouraging."

However, a NIST official at GSA's meeting this month said responses to revise the standard "were less than overwhelming."

Most of the agency participants at the GSA meeting this week appeared to support the program. "I would like to see some closure among agencies on this issue," one attendee said. "As a citizen, I would hate to have to stand in 10 different lines to receive 10 different certificates to deal with 10 different agencies."

