GSA kicks off key security contract

Several agencies have signed on to a proposed governmentwide digital certificates contract, giving the digital government initiative a boost. But vendors are concerned about how much money they can make on the contract and about technical hurdles.

The Access Certificates for Electronic Services (ACES) contract is intended to provide a commercial off-the-shelf solution to form part of the public-key infrastructure for electronic government. The digital certificates will verify the identity of people conducting electronic business with the federal government—a key component of electronic commerce.

The Social Security Administration issued a letter of intent to the General Services Administration's Office of Information Security, which oversees the contract, saying the agency plans to use ACES digital certificates for several programs, including the Personal Earnings and Benefit Estimate Statement system, according to Judith Spencer, director of the Center for Governmentwide Security at GSA.

In 1997 SSA introduced PEBES, an Internet-based system that allowed members of the public to view their earnings history and Social Security benefits information over SSA's World Wide Web site. SSA was forced to take the application down just months after it was introduced because Congress criticized the ease with which someone could access someone else's account if the first person knew some basic information about the second person.

But SSA officials said last week that they have no plans to bring PEBES back online. SSA will continue to take electronic requests from the public for Social Security benefits information and then send the information via mail. SSA officials said, however, that they plan to use ACES for other programs, which they did not identify.

Two other agencies—the Treasury Department and GSA—also issued letters of intent to use the contract. Their commitment represents a major incentive that was missing from previous requests for proposals for ACES. GSA canceled previous RFPs after vendors opposed them due to a lack of interest from agencies.

The letters of intent do not legally bind the agencies to use the contract, however, and many vendors said they still are questioning whether they will bid without a definite guarantee of customers.

"The real concern is that the integrators and vendor community [are] still not sure if they can make enough money to make it worth the bid," said Skip Hirsh, director of federal programs at Certicom Corp.

Vendors also have complained about technical problems, and enough vendor concerns have been raised that the proposal deadline may have to be moved back from Feb. 19 to answer them all, said ACES contracting officer Melanie Lewis.

The lack of guaranteed customers makes the contract an economic gamble for vendors, but if agencies do use it, the potential profits are enormous, said Lynn McNulty, director of government affairs at RSA Security Inc. "Nobody knows if it's going to take off or not, and they can't take the risk it will," he said.

However, the guarantee that vendors are looking for will not appear until they provide a usable product at a reasonable price because agencies are not going to commit to using a nonexistent product.

"It is very much a chicken-and-egg situation," said Richard Guida, chairman of the Federal PKI Steering Committee under the Government Information Technology Services Board. "There is no way to make a commitment to something that doesn't exist."

But the interest is out there, Guida said. "I know [more agencies] than Social Security and Treasury would love to use ACES if there is a reasonable contract."

--Orlando De Bruce contributed to this article.