DOD to use GSA digital certificates

DOD IECA site

The Defense Department intends by the end of this year to use the General Services Administration's governmentwide digital certificates to authenticate electronic trans.actions with many of its contractors and outside partners.

In 1999, DOD awarded its own contract to create the Interim External Certificate Authority (IECA), which issues and manages public-key infrastructure certificates to Defense partners. Those certificates are equivalent to the medium-level certificates issued internally to DOD personnel.

The Pentagon is now working with GSA to bring together the IECA and GSA Access Certificates for Electronic Services (ACES) contracts. That will enable the department to take advantage of the governmentwide pricing the GSA contract provides, and it also sets a single strategy for the private-sector entities that work with both Defense and civilian agencies, officials said.

"We are today exploring with the GSA the possibility of replacing the DOD IECA with the business-quality certificates of ACES," John Osterholz, DOD acting deputy chief information officer, told the House Government Reform Committee last month. "This would provide a single approach for the private sector to authenticate themselves instead of the two approaches previously contemplated."

Almost 300,000 DOD personnel were expected to apply for IECA certificates to use three applications, including the Defense Travel System, which provides a single, electronic point of access for all military travel services.

GSA awarded the ACES contract in 1999. And although DOD considered using the governmentwide contract then instead of developing its own, the department "assessed the initial ACES as providing relatively weak authentication," Osterholz said.

The two agencies have been talking for some time now, and GSA has finally convinced DOD that the ACES certificates provide the level of authentication deemed necessary by the department (see box), said Judith Spencer, chairwoman of the Federal PKI Steering Committee and a creator of ACES.

"DOD had a misconception about the trust level that was available through ACES vs. the trust level they were requiring for their IECA," she said. "They've come to the realization, or at least we've explained to them, that the business [certificates] in ACES actually afford the same level of trust as the IECA [certificates]."

Bringing together the two contracts will be eased by the fact that two of the four.IECA vendors—Digital Signature Trust Co. and Operational Research Consultants Inc.—are also prime contractors on the ACES contract, Spencer said. And the other two IECA vendors are subcontractors on the third ACES contract, held by AT&T.

The DOD certificates will boost the number of ACES users. The contract began slowly, with GSA providing 500,000 free certificates to jump-start agency use of the contract.

But although civilian agency projects so far have been relatively small in scope, there is potential for larger numbers. That is especially true with task orders for programs such as Access America for Students, which includes an initiative to allow the 14 million students who apply for financial aid from the Education Department to file those applications online.

IECA contractors, including Digital Signature Trust and Operational Research Consultants, believe DOD's strategy is to use both certificates for different transactions, rather than using one in place of the other. But DOD is serious when it talks about "replacing" the IECA certificates with those from ACES, officials said.

"It seems quite clear to me, and no one feels there has been a "misstatement,' " said Pentagon spokeswoman Susan Hansen.

The result is that DOD's use of ACES will aid most vendors, said Keren Cummins, vice president of government services at Digital Signature Trust. "If you look at the [Defense] contractors, most of them do business with the civilian agencies as well, and for them to have to use two different certificates is unnecessarily painful."

MORE INFO

Getting Certified

Under the Defense Department policy for public-key infrastructure,

certificates for the Interim External Certificate Authority must equal DOD

Class 3 certificates. Class 3 certificates—intended for applications that

handle medium-value information in a low- to medium-risk environment—are

appropriate for applications that typically require identifying an entity

as a legal person, rather than merely as a member of an organization.

The General Services Administration's Access Certificates for Electronic

Services policy has three levels. The "unaffiliated individual" certificates

are for users with no specific organizational connection, and the "business

representative" certificates are for users who conduct business electronically

on behalf of an organization. The third type of certificate is for certification

authorities.

Featured

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.