DOD adopts new policy on third-party PKIs

The Defense Department’s new policy decision to accept third-party public-key infrastructures should have a broad effect on contractors and across defense agencies, according to Paul Grant, special assistant for identification management and external partnering in the office of the Defense Chief Information Officer.

“Absolutely, this will have a major impact on the acceptance of PKI,” Grant told Federal Computer Week in an interview today. “It is going to get momentum now.”

PKI is a system of identification management and information assurance that has been developing during the past decade. Typically, a PKI authority issues digital certificates verifying the identity of individuals.

On July 22, DOD CIO John Grimes distributed a memo that outlined the new policy of accepting PKI certificates issued by external third parties.

Previously, DOD only accepted those certificates that were issued under its own authority. Those certificates currently are issued by DOD-authorized vendors Operational Research Consultants Inc., VeriSign Inc. and IdenTrust Inc.

The new policy opens the door for acceptance of such certificates, along with compliant ID cards, issued by eligible vendors affiliated with the Federal Bridge Certification Authority, which services federal agencies, and by a private bridge certification authority Certipath. Currently, Certipath is the only private-sector bridge authority in existence, but more such organizations may be formed in the future, Grant said.

.
Certipath is a Herndon, Va.-based joint venture formed by several PKI vendors. Its membership includes several major defense contractors. Federal contractors that meet Certipath’s information assurance standards are eligible to apply for membership.
 
To date, Certipath members Boeing Co., Lockheed Martin Corp., Northrop-Grumman Corp. and Raytheon Co. are the only contractors fully eligible to participate in the new policy, Grant said.
 
Certipath spearheaded the drive to be accepted as a PKI provider by DOD, Grant said, because it will provide benefits to the Certipath members and facilitate interactions with DOD.

“This will be a tremendous help for information sharing and collaboration,” Grant said. “Certipath jumped out in front on this. They said, ‘We need this and we will pay for it.’ ” Certipath’s development and alignment with DOD's PKI standards took several years and did not involve government funding, he added.
 
The new policy will become effective after interoperability testing is completed to ensure that the PKI certificates, along with use of identification cards aligned with the Personal Identity Verification federal standard, meet DOD's requirements, Grant said. The tests have already begun, but information was not immediately available on how long they would take to perform.

After testing is completed, participating contractor executives will be able to access DOD files online with an identification card rather than with a password, Grant said.

Grant said the greatest challenge has been in convincing DOD agency heads of the benefits of the complex PKI systems.“This has taken a long time to get into place,” Grant said. “We had to prove what the value of PKI was.”