OMB mandates agency use of approved PKI providers

The Office of Management and Budget is requiring agencies to use one of three approved shared-service providers for public-key infrastructure and electronic-signature services.

These three service providers—the Agriculture Department’s National Finance Center, Verisign Inc. of Mountain View, Calif., and Betrusted U.S. Inc. of New York—meet the level-four certification outlined in OMB’s December 2003 memo (see GCN story).

In the memo, Karen Evans, OMB’s administrator for IT and e-government, and David Safavian, administrator of the Office of Federal Procurement Policy, said agencies must use these shared-service providers to mitigate security risks.

“Strong government oversight and internal controls mitigate the risk of using a commercial service,” the memo noted.

The memo comes after some agencies raised concerns about whether commercial providers of PKI or e-signatures would meet the Government Accountability Office’s criteria for assessing these systems.

GAO sent a letter to Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, in August detailing what agencies should consider when choosing a PKI system, regardless of whether the provider is from the public or private sector.

“Our report said these are the types of controls needed to have adequate security,” said Chris Martin, a senior-level technologist with GAO, who worked on the letter. “We outlined our views on the subject based on our experience in reviewing these systems for agencies.”

To qualify as a shared-service provider, vendors or agencies must:

  • Operate their certification authorities under the certificate policy developed and controlled by the federal government
  • Demonstrate compliance with this policy annually with a third-party audit
  • Receive approval from the General Services Administration
  • Comply with existing security laws, including certification and accreditation.
