E-gov security gateway in works

E-Authentication GSA presentation

The General Services Administration this fall plans to take bids on the development of one of the linchpins of the Bush administration's vision for e-government: a security gateway that would provide a single point at which users can sign on to access services that require passwords or other means of authentication.

GSA is the lead agency on the e-Authentication initiative, one of two crosscutting initiatives under the administration's e-government strategy.

The initiative aims to provide whatever level of authentication is deemed appropriate — a password, online digital certificate or smart card — for services offered as part of the other 22 e-government initiatives. The other initiatives include services such as online grant applications and electronic disaster benefits payments.

Not everyone or every service will require authentication. Many people visit Web sites only to search for information and others may choose to authenticate themselves only when they get to the site where the application resides, said Sallie McDonald, GSA's assistant commissioner for information assurance and critical infrastructure protection.

"But if you want to engage in a transaction with government, and you want to authenticate at the gateway, then you can do that and only authenticate yourself once," she said.

Most of the initiative services will be accessed through the FirstGov Web portal, and GSA plans to release a request for proposals (RFP) in September for an authentication gateway that will be attached to FirstGov, according to McDonald, speaking last week at the E-Security and Homeland Defense conference in New York City.

Before GSA issues the RFP, Mitretek Systems Inc. will define the requirements and start developing a pilot program, said Steve Timchak, program manager for the e-Authentication initiative.

Citizens, vendors and government employees will provide their authentication when they sign on through FirstGov. A password will provide access to services with relatively low security requirements. For every higher level of authentication, a broader range of services will be available, McDonald said.

The gateway takes authentication technology to a height that few have tried to reach before, said Alan Paller, director of research at the SANS Institute, a security education and consulting organization.

"This is an example of the government leading by example," Paller said. "The best part of this is it's a demo [of authentication technology] and it's a wonderful use of FirstGov."

For the gateway, GSA will analyze the security risks associated with four of the initiatives that are the farthest along to identify what authentication might be needed, Timchak said.

GSA will perform the analysis using the Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) tool developed by the CERT Coordination Center at Carnegie Mellon University in Pennsylvania.

OCTAVE is intended for use on mature systems, so GSA is waiting for the center to modify the tool for use on systems during the requirements-development phase, Timchak said. The modifications should be completed within the next month.

***

E-Authentication timeline

Now: Mitretek Systems Inc. is determining technical options.

June 18: General Services Administration briefs vendors.

Summer: Request for information released.

September: Request for proposals released.

Sept. 30: Mitretek gateway pilot project reaches initial operating capability.

Sept. 30, 2003: Vendor prototype gateway reaches final operating capability.