PKI: What is it and what can it do for us?

Public-key infrastructure is a term that many of us in the federal government have been hearing lately. But what does it mean? What benefits can it offer?

Here's some background. One driver of the need for PKI is the Government Paperwork Elimination Act, which, among other things, requires the federal government to allow the use of electronic signatures to reduce the paperwork burden on the public. OMB's guidance to federal agencies, as described in GPEA, is to determine their customers' abilities to interact electronically with the agency. The guidance is to select an appropriate combination of technology and practice to cost-effectively minimize risks and maximize benefits to agencies and customers.

Another driver is customer expectation, based on their ability to interact electronically with industry and academia for such transactions as banking, purchasing and information gathering. Yet another driver is the need to protect our critical infrastructure, which is threatened by malicious electronic attacks.

So, what is PKI? It is an implementation of public-key technology, which is also known as "asymmetric cryptography." Typically, each user has two key-pairs. One key-pair is used for digital signatures, to ensure that the person sending the message is who he says he is. The other key-pair is used for encryption, to encode the message. In the case of both key-pairs, one key is public and the other is kept private.

The Federal Bridge Certificate Authority (FBCA) is the "translator" of disparate certificate authorities (CAs). It is designed as a non-hierarchical hub that maps levels of assurance and ensures that appropriate levels are "matched." The immediate focus of the FBCA is to provide a seamless "trust path" verification between federal agencies. The ultimate goal is to provide a bridge to external organizations that want to cross-certify with the Federal Bridge. Such external organizations can include state governments, industry, academia and foreign governments.

For more details, please refer to PKI Guidance and Documents, a page on the CIO Council's Web site, maintained by the council's Electronic Government Subcommittee.

I found the PKI Handbook especially useful. The full title of this document is "The Evolving Federal Public Key Infrastructure," written by the Federal Public Key Infrastructure Steering Committee of the CIO Council. In addition, there is a February 2001 GAO report that summarizes the availability of PKI products and services as well as implementation issues experienced by federal agencies trying to develop their own PKI infrastructure.

More information about the GSA ACES program, Access Certificates for Electronic Services, can be found at And for more information on the OMB's guidance to the GPEA, see either Selected OMB Memoranda to Heads of Federal Departments and Agencies or the aforementioned PKI Guidance and Documents.

Rice is deputy director of the Emerging IT Policies Division in the Office of Governmentwide Policy at the General Services Administration. She can be reached at


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.