Defense mulls securing comm with vendors

The Defense Department last week released a request for information for technology that would allow defense contractors and suppliers to encrypt their communications with the department.

DOD is interested in using a public-key infrastructure (PKI), which uses digital signature and encryption techniques to authenticate a user's identity and to ensure data is not tampered with during transmission.

DOD, which is building the largest PKI in the world, already has tapped Netscape Communications Corp. to provide products that will allow DOD employees to access various business applications, including administrative, procurement, health care, travel, payroll and personnel data. Netscape certificates also will be used to perform encryption to protect data in transit across a network, secure e-mail and protect users while accessing sensitive documents.

However, DOD has not found a solution to allow those outside the agency to transmit secure e-mail and perform transactions with DOD personnel. The RFI is targeted toward vendors who could potentially provide digital signature certificates to DOD's external trading partners and subcontractors, said John Menkart, Netscape's federal sales manager. The number of external users could surpass the 2 million internal DOD users, he said.

The non-DOD users must receive their certificates from entities that meet the same level of assurance required by the DOD PKI, which will secure all communications classified as top secret or below. According to the RFI, vendors will be tested and evaluated against DOD policies to become certified to dole out certificates to non-DOD users.
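The two properties the article attributes to a PKI, authenticating who sent a message and detecting tampering in transit, together with the trust-anchor requirement in the preceding paragraph (certificates must come from an issuer the relying party has accredited), can be shown in a few dozen lines. The Go program below is an added illustration and is not code from the article, from DOD or from any vendor named here; the CA and contractor names, the purchase-order text and the "accredited" versus "unaccredited" issuers are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Party bundles a private key with the certificate issued for its public key.
type Party struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newParty generates a P-256 key and has `parent` sign a certificate for it.
// When parent is nil the certificate is self-signed, i.e. a root CA.
func newParty(name string, serial int64, isCA bool, parent *Party) (*Party, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	signerCert, signerKey := tmpl, key // self-signed by default
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Party{Key: key, Cert: cert}, nil
}

// sign produces an ECDSA signature over the SHA-256 digest of msg.
func (p *Party) sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, p.Key, h[:])
}

// verify is the relying party's check: the sender's certificate must chain to
// an accredited root, and the signature must match the message as received.
func verify(trusted *x509.CertPool, senderCert *x509.Certificate, msg, sig []byte) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := senderCert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued under an accredited CA: %w", err)
	}
	pub, ok := senderCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	h := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not match message: tampered or wrong signer")
	}
	return nil
}

// Scenario runs three checks and reports whether each behaved as a PKI should:
// a genuine message is accepted, a message altered in transit is rejected, and a
// message from a certificate issued by an unaccredited CA is rejected.
func Scenario() (genuineOK, tamperRejected, untrustedRejected bool, err error) {
	accredited, err := newParty("Constructed accredited CA", 1, true, nil)
	if err != nil {
		return
	}
	unaccredited, err := newParty("Constructed unaccredited CA", 2, true, nil)
	if err != nil {
		return
	}
	contractor, err := newParty("Constructed contractor", 3, false, accredited)
	if err != nil {
		return
	}
	outsider, err := newParty("Constructed outsider", 4, false, unaccredited)
	if err != nil {
		return
	}
	trusted := x509.NewCertPool() // the relying party's trust anchors
	trusted.AddCert(accredited.Cert)

	msg := []byte("constructed purchase order: 100 units") // constructed message
	sig, err := contractor.sign(msg)
	if err != nil {
		return
	}
	genuineOK = verify(trusted, contractor.Cert, msg, sig) == nil
	tampered := []byte("constructed purchase order: 900 units")
	tamperRejected = verify(trusted, contractor.Cert, tampered, sig) != nil
	sig2, err := outsider.sign(msg)
	if err != nil {
		return
	}
	untrustedRejected = verify(trusted, outsider.Cert, msg, sig2) != nil
	return
}

func main() {
	g, t, u, err := Scenario()
	fmt.Println("genuine accepted:", g, "tamper rejected:", t, "untrusted CA rejected:", u, "err:", err)
}
```

The point of the third check is the one the article's RFI is about: a signature can be mathematically valid and still mean nothing to DOD if the certificate behind it was issued by a CA that has not been evaluated against DOD's policies, so the relying party's trust store, not the signature algorithm, is what decides whose certificates count.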

Victor Wheatman, vice president of the Information Security Strategy Group at Gartner Group, San Jose, Calif., said the DOD PKI will be seen by many as a test bed because it surpasses the largest commercial effort, which encompasses 40,000 users. Defense agencies in other countries already have expressed interest in being able to communicate with the U.S. DOD via the PKI, he said.

However, he noted that the DOD PKI effort could encounter some of the same snags that killed the Federal Acquisition Computer Network (FACNET), a common architecture that agencies and vendors were required to use for electronic commerce. Vendors resisted FACNET, and its mandatory use was lifted in 1997.

"The vendor community was slow in moving toward that model.... There will be resistance [to the DOD PKI] particularly if people don't understand what certificates are, how they are used, where to get them," Wheatman said. "Market education still needs to take place."

Interoperability problems also have caused problems among various certificate vendors, he said. However, IBM Corp. in recent weeks announced plans to release in the public domain a certificate architecture that could bring about interoperability among vendors. The most likely candidates to bid on a DOD PKI contract would be VeriSign Inc., Entrust Technologies, GTE CyberTrust and Digital Signature Trust Co., Wheatman said.

Nick Piazzola, vice president of VeriSign's Federal Markets Division, said his company plans to be the first to become certified to supply certificates to DOD external partners because of the potential for a large amount of business. VeriSign has long been attempting to offer its certificate services to DOD but has been told to wait until the internal PKI is in place, he said.

But James Brandt, director of VeriSign's federal division, noted that DOD still needs to iron out policy issues such as how the external certificates will be managed. He also described the process outlined in the RFI for certifying certificate vendors as "capricious and arbitrary" because the RFI does not provide enough information on the criteria that will be used to evaluate potential vendors for certification.

GTE CyberTrust also is tracking the RFI and is interested in learning more about DOD's plans, said Joe Vignaly, CyberTrust's director of marketing and business development. Although he did not have an exact estimate on how much an acquisition could be worth, he did note that it would have "very large potential."

DOD still needs to answer various questions such as how the vendors will be reimbursed and how the certificates will be validated and stored, he said.

DOD officials had not responded to inquiries about the RFI at press time. Responses to the RFI are due at the end of August.