Pentagon authorizes outside firm to manage access to some DOD systems

Exostar will issue digital credentials on its own behalf

The Defense Department has authorized its first non-DOD provider of digital certificates that can be used to access the department’s computer systems at a medium level of security, a senior official confirmed today.

The department named Exostar LLC of Herndon, Va. as a trusted external service provider. That means Exostar can issue smart cards and digital certificates on its own behalf to contractors and other non-federal employees that can be used to access DOD hardware systems at a medium level of security, said Paul Grant, special assistant, federated identity management and external partnering at DOD.

DOD already has several authorized vendors that provide digital credentials on the department’s behalf. Exostar is the first that will issue the credentials on its own behalf in a trust relationship with the department

“This is the first provider of credentials [to DOD systems] that are not DOD credentials,” Grant said. “We hope there will be many in the future so that our partners can go to one of these one of these trusted service providers and obtain a credential that can be trusted by the federal government.”

“This is a great step,” Grant added. “We want more organizations to be credential service providers.”

Exostar was authorized as an external provider of digital certificates under a memorandum of understanding on Sept. 22, company officials said. It reflects a policy decision made by DOD officials a year ago to accept third-party Public Key Infrastructures (PKI).

PKI is a system of identity management and information security developed over the last decade. PKI entities enter into trust relationships with each other and agree to trust one another’s credentials.

In June 2008, DOD officials opened the door to begin accepting third-party PKI providers.

Exostar was accepted after its PKI digital certificates were tested to ensure they are aligned with federal standards for identity verification and other requirements, Grant said.

Grant said it is advantageous for the government to use external PKI providers because those companies are likely to do an effective job at vetting and proving identities.

”We have many, many external partners and we do not plan to give credentials to all of them,” Grant said. “We want processes so that non-federal entities can issue these credentials.”

“The employers can do the vetting and credentialing better. It is far more efficient that way,” Grant said. The employer would be the first to know if employees lose their jobs or come under suspicion, he added.

While Exostar is the first external provider of digital certificates accepted by DOD, others are likely to follow, Grant said. He mentioned Verizon, Verisign and Citibank as possible candidates.


About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.