Industry criticizes Pentagon PKI practices

Defense officials say they're revamping their PKI policy in light of an industry consortium report that sharply criticized their practices

Office of the Secretary of Defense officials say they're revamping their public-key infrastructure policy in light of an industry consortium report last month that sharply criticized their practices.

The Federal Electronic Commerce Coalition called for the Defense Department to relax its Aug. 12, 2000, PKI policy that mandates the highest level of PKI certification—Level 4—for every transaction by 2005.

Given that retirees will need to access DOD financial, health and personnel systems, and that vendors that deal with DOD may not use Level 4 certificates, the armed forces should mandate different levels of certification—from Level 2 to Level 4—depending on the business area, said Michael Mestrovich, a member of the FECC executive group and chairman of the Armed Forces Communications and Electronics Association.

Thirty-eight industry officials signed the FECC "Impact Assessment of DOD's PKI Policy" white paper on Dec. 11. The organization represents 16 industry associations with 7,000 members. The associations include AFCEA, the Association for Federal Information Resources Management and the Industry Advisory Council.

The opinion paper could be released officially as early as Friday.

"They're suggesting we use the federal [PKI] bridge, and we have always been committed to that," said Paul Grant, the electronic business executive for the assistant secretary of Defense for command, control, communications and intelligence.

FECC officials wrote in the white paper that they saw no evidence of the commitment to the federal PKI bridge. "The policy has no leeway for conducting electronic commerce as industry does it," Mestrovich said.

Rather than DOD's "one size fits all" policy, FECC officials called for separate panels to consult with vendors to determine how much security is needed in DOD business areas such as finance, health care and transportation.

The FECC white paper did not address DOD's internal systems for command and control.

The opinion paper also criticized DOD's PKI implementation for being too "network-centric," rather than focused on how to meet the armed services' different business needs. It predicted that some vendors that sell products to DOD might not deploy PKI technology at all if Level 4 certification is an across-the-board requirement. Level 4, with its tighter security, costs more to deploy than Level 2 and Level 3 PKI certifications.

"We wanted to be in lockstep with what industry was doing," Grant said. OSD officials, therefore, welcomed FECC's report, and they're implementing its key recommendations.

Nonetheless, it will be a challenge to enable retirees and vendors holding certificates from lower-assurance certificate authorities to perform transactions with DOD systems without compromising sensitive or classified data, he said.

Grant predicted that the Bush administration would try to implement the FECC recommendations.

The white paper called for OSD to issue a new PKI directive, which would come from the successor to Art Money, the assistant secretary of Defense for command, control, communications and intelligence.
