Pentagon authorizes outside firm to manage access to some DOD systems

Exostar will issue digital credentials on its own behalf

The Defense Department has authorized its first non-DOD provider of digital certificates that can be used to access the department’s computer systems at a medium level of security, a senior official confirmed today.

The department named Exostar LLC of Herndon, Va. as a trusted external service provider. That means Exostar can issue smart cards and digital certificates on its own behalf to contractors and other non-federal employees that can be used to access DOD hardware systems at a medium level of security, said Paul Grant, special assistant, federated identity management and external partnering at DOD.

DOD already has several authorized vendors that provide digital credentials on the department’s behalf. Exostar is the first that will issue the credentials on its own behalf in a trust relationship with the department

“This is the first provider of credentials [to DOD systems] that are not DOD credentials,” Grant said. “We hope there will be many in the future so that our partners can go to one of these one of these trusted service providers and obtain a credential that can be trusted by the federal government.”

“This is a great step,” Grant added. “We want more organizations to be credential service providers.”

Exostar was authorized as an external provider of digital certificates under a memorandum of understanding on Sept. 22, company officials said. It reflects a policy decision made by DOD officials a year ago to accept third-party Public Key Infrastructures (PKI).

PKI is a system of identity management and information security developed over the last decade. PKI entities enter into trust relationships with each other and agree to trust one another’s credentials.

In June 2008, DOD officials opened the door to begin accepting third-party PKI providers.

Exostar was accepted after its PKI digital certificates were tested to ensure they are aligned with federal standards for identity verification and other requirements, Grant said.

Grant said it is advantageous for the government to use external PKI providers because those companies are likely to do an effective job at vetting and proving identities.

”We have many, many external partners and we do not plan to give credentials to all of them,” Grant said. “We want processes so that non-federal entities can issue these credentials.”

“The employers can do the vetting and credentialing better. It is far more efficient that way,” Grant said. The employer would be the first to know if employees lose their jobs or come under suspicion, he added.

While Exostar is the first external provider of digital certificates accepted by DOD, others are likely to follow, Grant said. He mentioned Verizon, Verisign and Citibank as possible candidates.


About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.