Pentagon authorizes outside firm to manage access to some DOD systems

The Defense Department has authorized its first non-DOD provider of digital certificates that can be used to access the department’s computer systems at a medium level of security, a senior official confirmed today.

The department named Exostar LLC of Herndon, Va. as a trusted external service provider. That means Exostar can issue smart cards and digital certificates on its own behalf to contractors and other non-federal employees that can be used to access DOD hardware systems at a medium level of security, said Paul Grant, special assistant, federated identity management and external partnering at DOD.

DOD already has several authorized vendors that provide digital credentials on the department’s behalf. Exostar is the first that will issue the credentials on its own behalf in a trust relationship with the department

“This is the first provider of credentials [to DOD systems] that are not DOD credentials,” Grant said. “We hope there will be many in the future so that our partners can go to one of these one of these trusted service providers and obtain a credential that can be trusted by the federal government.”

“This is a great step,” Grant added. “We want more organizations to be credential service providers.”

Exostar was authorized as an external provider of digital certificates under a memorandum of understanding on Sept. 22, company officials said. It reflects a policy decision made by DOD officials a year ago to accept third-party Public Key Infrastructures (PKI).

PKI is a system of identity management and information security developed over the last decade. PKI entities enter into trust relationships with each other and agree to trust one another’s credentials.

In June 2008, DOD officials opened the door to begin accepting third-party PKI providers.

Exostar was accepted after its PKI digital certificates were tested to ensure they are aligned with federal standards for identity verification and other requirements, Grant said.

Grant said it is advantageous for the government to use external PKI providers because those companies are likely to do an effective job at vetting and proving identities.

”We have many, many external partners and we do not plan to give credentials to all of them,” Grant said. “We want processes so that non-federal entities can issue these credentials.”

“The employers can do the vetting and credentialing better. It is far more efficient that way,” Grant said. The employer would be the first to know if employees lose their jobs or come under suspicion, he added.

While Exostar is the first external provider of digital certificates accepted by DOD, others are likely to follow, Grant said. He mentioned Verizon, Verisign and Citibank as possible candidates.