Pentagon authorizes outside firm to manage access to some DOD systems

Exostar will issue digital credentials on its own behalf

The Defense Department has authorized its first non-DOD provider of digital certificates that can be used to access the department’s computer systems at a medium level of security, a senior official confirmed today.

The department named Exostar LLC of Herndon, Va. as a trusted external service provider. That means Exostar can issue smart cards and digital certificates on its own behalf to contractors and other non-federal employees that can be used to access DOD hardware systems at a medium level of security, said Paul Grant, special assistant, federated identity management and external partnering at DOD.

DOD already has several authorized vendors that provide digital credentials on the department’s behalf. Exostar is the first that will issue the credentials on its own behalf in a trust relationship with the department

“This is the first provider of credentials [to DOD systems] that are not DOD credentials,” Grant said. “We hope there will be many in the future so that our partners can go to one of these one of these trusted service providers and obtain a credential that can be trusted by the federal government.”

“This is a great step,” Grant added. “We want more organizations to be credential service providers.”

Exostar was authorized as an external provider of digital certificates under a memorandum of understanding on Sept. 22, company officials said. It reflects a policy decision made by DOD officials a year ago to accept third-party Public Key Infrastructures (PKI).

PKI is a system of identity management and information security developed over the last decade. PKI entities enter into trust relationships with each other and agree to trust one another’s credentials.

In June 2008, DOD officials opened the door to begin accepting third-party PKI providers.

Exostar was accepted after its PKI digital certificates were tested to ensure they are aligned with federal standards for identity verification and other requirements, Grant said.

Grant said it is advantageous for the government to use external PKI providers because those companies are likely to do an effective job at vetting and proving identities.

”We have many, many external partners and we do not plan to give credentials to all of them,” Grant said. “We want processes so that non-federal entities can issue these credentials.”

“The employers can do the vetting and credentialing better. It is far more efficient that way,” Grant said. The employer would be the first to know if employees lose their jobs or come under suspicion, he added.

While Exostar is the first external provider of digital certificates accepted by DOD, others are likely to follow, Grant said. He mentioned Verizon, Verisign and Citibank as possible candidates.


About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.