DOD digital certificates need interoperability

Federated Electronic Government Coalition

The Defense Department and the General Services Administration must find a way to allow broader use of government-approved digital certificates, according to a new report.

Officials from DOD and GSA have been meeting regularly to discuss how DOD can adopt or at least recognize the Access Certificates for Electronic Services (ACES) digital certificates, which are issued under a multiple-vendor contract awarded several years ago by GSA's Federal Technology Service. Those talks have yet to resolve policy and technical issues, however.

"Organizational elements within the DOD are still on a path to their preferred technical solution," according to the Federated Electronic Government Coalition report issued May 6. DOD officials have focused on internal uses for digital certificates rather than on making them interoperable with the rest of the federal government, let alone with vendors and state and local governments, the report stated.

The coalition includes private-sector trade associations, educational institutions and nonprofit groups.

The coalition praised DOD for its efforts to develop a public-key infrastructure, but the agency has been focusing on its own needs and ignoring the benefits of a larger PKI that could become the basis of e-government efforts, said Michael Mestrovich, co-chairman of the coalition and president and chief executive officer of Unlimited New Dimensions LLC, a consulting firm.

Group members stressed that, despite years of talking about interoperability, the government risks undermining the potential benefits of a PKI unless it develops common policies and processes to ensure that the pieces can work together.

"Interoperability is paramount," according to the report. "If this is not achieved, the U.S. government and American industry [are] dealing with a potentially disruptive technology that will affect the policy, legal, technical and process implementation aspects of their business."

PKI technology enables users to conduct secure transactions via a Web browser. Transactions are encrypted, and the decryption key is provided when a user's identity has been authenticated by checking the user's certificate against the issuing certificate authority's validation list.

Many PKI technologies are available commercially, but they issue slightly different digital certificates. When an organization chooses to go with one PKI technology, it normally cannot accept the digital certificates issued by another. If there is no unified way for the certificates to work across government, vendors will have to create and support multiple environments. "The subsequent overhead costs would be significant for all parties," the report stated.

Because DOD officials have focused on developing their own PKI, the department has failed to take advantage of relatively easy ways to create a broader PKI and, therefore, extend e-government efforts, according to the report.

The government should establish pilot projects along similar business lines, such as law enforcement or procurement, that involve federal, state and local governments and industry, the report recommended. The projects would "promote interoperability and evaluate how the differing technological solutions can enable applications and support requirements in a secure environment," the report stated.

A relatively easy project would be to adapt DOD's Central Contractor Registration system for PKI technology, according to the report. The repository of vendor data makes transactions, especially electronic ones, more efficient. It could be "PKI enabled," which would promote greater electronic communication.

The report is based primarily on work with DOD, but it has implications across government, Mestrovich said. Although the report is critical of DOD's PKI efforts, the agency has been on the cutting edge of government PKI initiatives, he added.

The issues are not technological, said Katherine Hollis, director of global information assurance services at EDS. Instead, they raise questions about how PKI works with business processes. Therefore, the leaders of the business processes must drive the government's PKI development.

***

Broadening DOD's public-key infrastructure

In a new report, the Federated Electronic Government Coalition says that the Defense Department should help promote a governmentwide public-key infrastructure by adopting or recognizing Access Certificates for Electronic Services (ACES) digital certificates issued under a multiple-vendor contract with the General Services Administration's Federal Technology Service.

To accomplish this goal, the coalition advises that:

* PKI must be driven by groups of shared interest, such as law enforcement, finance, health care, supply chains or transportation. Those groups must be involved in defining the assurance processes that best meet their needs.

* Interoperability is critical.

* Strong leadership from the Office of Management and Budget is needed to create enforceable policies.

* Officials from DOD and the ACES program must work together.

About the Author

Christopher J. Dorobek is the co-anchor of Federal News Radio’s afternoon drive program, The Daily Debrief with Chris Dorobek and Amy Morris, and the founder, publisher and editor of the DorobekInsider.com, a leading blog for the Federal IT community.

Dorobek joined Federal News Radio in 2008 with 16 years of experience covering government issues with an emphasis on government information technology. Prior to joining Federal News Radio, Dorobek was editor-in-chief of Federal Computer Week, the leading news magazine for government IT decision-makers and the flagship of the 1105 Government Information Group portfolio of publications. As editor-in-chief, Dorobek served as a member of the senior leadership team at 1105 Government Information Group, providing daily editorial direction and management for FCW magazine, FCW.com, Government Health IT and its other editorial products.

Dorobek joined FCW in 2001 as a senior reporter and assumed increasing responsibilities, becoming managing editor and executive editor before being named editor-in-chief in 2006. Prior to joining FCW, Dorobek was a technology reporter at PlanetGov.com, one of the first online community centers for current and former government employees. He also spent five years at Government Computer News, another leading industry publication, covering a variety of federal IT-related issues.

Dorobek is a frequent speaker on issues involving the government IT industry, and has appeared as a frequent contributor to NewsChannel 8’s Federal News Today program. He began his career as a reporter at the Foster’s Daily Democrat, a daily newspaper in Dover, N.H. He is a graduate of the University of Southern California. He lives in Washington, DC.

