Pentagon authorizes outside firm to manage access to some DOD systems
Exostar will issue digital credentials on its own behalf
- By Alice Lipowicz
- Oct 06, 2009
The Defense Department has authorized its first non-DOD provider of
digital certificates that can be used to access the department’s
computer systems at a medium level of security, a senior official
The department named Exostar LLC of Herndon, Va., as a trusted
external service provider. That means Exostar can issue smart cards and
digital certificates on its own behalf to contractors and other
non-federal employees that can be used to access DOD hardware systems
at a medium level of security, said Paul Grant, special assistant,
federated identity management and external partnering at DOD.
DOD already has several authorized vendors that provide digital
credentials on the department’s behalf. Exostar is the first that will
issue the credentials on its own behalf in a trust relationship with
“This is the first provider of credentials [to DOD systems] that
are not DOD credentials,” Grant said. “We hope there will be many in
the future so that our partners can go to one of these
trusted service providers and obtain a credential that can be trusted
by the federal government.”
“This is a great step,” Grant added. “We want more organizations to be credential service providers.”
Exostar was authorized as an external provider of digital
certificates under a memorandum of understanding on Sept. 22, company
officials said. It reflects a policy decision made by DOD officials a year ago to accept third-party Public Key Infrastructures (PKI).
PKI is a system of identity management and information security
developed over the last decade. PKI entities enter into trust
relationships with each other and agree to trust one another’s
In June 2008, DOD officials opened the door to begin accepting third-party PKI providers.
Exostar was accepted after its PKI digital certificates were
tested to ensure they are aligned with federal standards for identity
verification and other requirements, Grant said.
Grant said it is advantageous for the government to use external
PKI providers because those companies are likely to do an effective job
at vetting and proving identities.
“We have many, many external partners and we do not plan to give
credentials to all of them,” Grant said. “We want processes so that
non-federal entities can issue these credentials.”
“The employers can do the vetting and credentialing better. It
is far more efficient that way,” Grant said. The employer would be the
first to know if employees lose their jobs or come under suspicion, he
While Exostar is the first external provider of digital
certificates accepted by DOD, others are likely to follow, Grant said.
He mentioned Verizon, Verisign and Citibank as possible candidates.
Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.