E-gov projects to get boost from sharing PKI credentials
The sharing of authentication credentials between government and the private sector is closer to reality than ever before.
After nearly four years of fits and starts, the General Services Administration’s E-Authentication project is expected, by Sept. 30, to share public-key infrastructure credentials for anywhere from one to more than 200 applications. Several agencies and a few private-sector financial institutions will take part in the initial programs.
The move should take federal e-government projects—both the 25 cross-agency initiatives the Office of Management and Budget set forth in 2001 and agency-specific applications—from providing mainly information to making transactions.
“This is a critical first step, because once you get started and understand the benefits, you expand,” said Chris Niedemayer, the Agriculture Department’s associate CIO for planning, project and information management. “I see a larger expansion of these services over the next few years, especially with Homeland Security Presidential Directive 12 as a driver.”
HSPD-12 calls for agencies to begin issuing interoperable identification cards by October of next year.
But even before HSPD-12 takes off, agencies such as Agriculture, the Social Security Administration and GSA will use the federated architecture to share certifications. GSA and Office of Management and Budget officials declined to provide the exact number of agencies that will share credentials.
Joining E-Offer
The agencies will join GSA’s E-Offer program in using the architecture. E-Offer was the first application to go into production. So far, 6,000 feds and contractors use E-Offer to submit and receive requests for proposals online.
GSA originally tried to create a centralized gateway but realized after about a year that it wouldn’t work. The new approach addresses authenticating users through a portal, the agency transaction or the credential service provider. The portal will use the Security Assertion Markup Language (SAML) scheme to verify the identity of remote users accessing government systems.
The architecture is based on open standards, using industry-accepted protocols that accommodate personal identification numbers and passwords as well as PKI digital certificate authentications.
“The main goal is to make reusing credentials simpler for citizens to securely interact with government online,” said Georgia Marsh, GSA’s E-Authentication deputy program manager. “Some agencies will bring individual applications, and some will bring enterprisewide applications.”
USDA has one of the most established programs, with 112 applications already using shared credentials. It has issued more than 120,000 credentials to employees and citizens over the past three years.
Niedemayer said Agriculture will add e-authentication capabilities to 61 more systems by Sept. 30.
In the meantime, USDA is testing its system in GSA’s testing lab to make sure it is compliant with SAML. The agency is using eTrust SiteMinder software from Computer Associates International Inc.
The testing should be finished by the end of May, Niedemayer said. “SAML will let us be interoperable with other agencies’ authentication services,” he said.
USDA’s enterprise approach has saved the department more than $23 million a year in maintenance costs alone, Niedemayer said. He estimated Agriculture’s cost to bring a new application online at no more than $30,000 using the enterprise scheme, instead of $300,000 per system if it set up the e-authentication structure piece by piece.
“The common infrastructure increases our flexibility and speed to respond to a changing environment,” Niedemayer said.
GSA tested the federated approach over the last year with six agencies, said Mary Mitchell, deputy associate administrator for electronic government in GSA’s Office of Governmentwide Policy.
“We proved how the federated architecture works in their environment,” she said. “The purpose was to assess the components of the framework and to make sure the policy delivered what we intended it to.”