Digital Signatures Key to Cross-Governmental Biz

The General Services Administration last month awarded the first in a series of contracts for public-key infrastructure services and products that states will be able to use in their dealings with the federal government.

GSA awarded Digital Signature Trust Co. the first contract under the Access Certificates for Electronic Services program to provide encryption and digital signature technology and services. Other awards were expected to follow.

Under the ACES program, GSA is setting up multiple vendors to provide commercial off-the-shelf solutions for issuing and managing digital certificates.

These certificates, containing digital signatures, will be used as part of a PKI system to verify the identities of people conducting business with the federal government electronically.

Digital signatures, which verify the identities of people who sign forms or send messages and ensure that communications have not been tampered with during transmission, are widely viewed as the key to secure electronic commerce.

Judith Spencer, director of GSA's Center for Governmentwide Security, said that while the contract is intended to be used by the federal government, a state agency performing work for a federally sponsored program could use the contract to obtain digital signatures to secure communications pertaining to that program. The purpose of ACES is to provide citizens with a secure, uniform way for citizens to communicate with government, she said.

"It's less wear and tear on the citizen and hopefully more cost-effective for the government," Spencer said. "We're going to be able to get rid of the paper process entirely. We have to make sure if you are asking about specific information...that you're the person who is entitled to that information." Contracts were scheduled be awarded late last month.

Mike Benzen, Missouri chief information officer and president of the National Association of State Information Resource Executives, noted that ACES may help increase the use of digital signatures among states doing business with federal agencies. While most states have passed legislation recognizing digital signatures to be as legally binding as handwritten signatures, they have chosen various technologies to provide them.

"It would probably make more sense to do this in parallel with the federal government as opposed to each state doing it individually," Benzen said. "If the feds will accept it, and it's dealing with the feds, we probably will use it."

In addition, Benzen said that while the states have adopted digital signature legislation, Congress has not. So using a federal digital signature contract for dealings with the federal government would alleviate some concerns about the lack of federal digital signature legislation.

Texas has begun designing a PKI to issue digital signatures to the state's 250 agencies. All of the infrastructure is in place, except for what is needed to perform security checks to verify user identities to issue certificates, said Stuart Nichols, a systems analyst with the Texas Information Resources Department.

"If we were going to go and be the public-key database for the state, we would have to ramp up a staff for that," Nichols said. For secure electronic interactions with the federal government, using a third party to provide some of these validation and maintenance services would be beneficial, he added.