Identify your needs

GSA ACES

Agencies know they need to secure their electronic transactions with the public, but some don't know exactly how many transactions to expect. For them, a short-term, flat-fee "starter kit" is being offered as a way to determine future digital certificate needs.

Digital Signature Trust Co. is offering the ACES eKit as an extension of its governmentwide digital signature contract. The General Services Administration developed the Access Certificates for Electronic Services contract to provide public-key infrastructure products and services to agencies doing business with the public.

ACES enables participating agencies to accept digital certificates—which store a user's authentication and authorization information—from citizens no matter which agency issued the certificate. GSA also awarded ACES contracts to AT&T and Operational Research Consultants.

In addition to the upfront development and installation cost, under ACES, agencies pay the vendor every time a certificate is used in a transaction. Because part of the point of moving to e-government is to give citizens access to government services at any time, a person who currently interacts with an agency once a month might suddenly be conducting transactions once a week when given the option of electronic transactions.

That leaves officials with a big unknown—one that could get expensive as they navigate the complexities of integrating digital certificates into agency processes, said Keren Cummins, vice president of government services at Digital Signature Trust.

The company has been working with GSA in the past months to develop the ACES eKit, a package that allows agencies to "try out" ACES for a flat fee of $50,000. That covers all transactions within six months and can help agencies get a better idea of the level of activity they can expect to see, Cummins said.

At the end of the six months, Digital Signature Trust provides the agency with a report that includes how many certificates were issued and how many transactions were completed.

"The idea is [to] put boundaries around this unknown, uncertain piece," she said.

The eKit does not include an initial risk assessment to determine which applications most need the high level of security a PKI can provide. It also does not provide the technology or support to PKI-enable an application and thereby adapt it to accept the digital certificates that make the whole process work.

But those are processes involving one-time costs that all agencies face whether they implement a PKI through ACES or some other means, Cummins said.

When it comes to the technology, the eKit does not offer anything that is not already available on the ACES contract, Cummins said. But the flat fee allows agencies to sign a short-term contract that will give them a better picture of whether they need to increase or decrease their costs in the future. That is important as the Office of Management and Budget takes a closer look at the money being spent on information technology across government.

OMB has long been a strong proponent of PKI to advance e-government, and agencies must consider digital signatures as a way to ensure security, said Dan Chenok, chief of the information policy and technology branch of OMB's Office of Information and Regulatory Affairs.

OMB officials have been working with GSA to make sure agencies understand that electronic signatures are as legally binding for the government as paper-based signatures under the Government Paperwork Elimination Act of 1998 and the Electronic Signatures in Global and National Commerce Act of 2000. But all IT spending will be scrutinized in the fiscal 2003 budget to ensure that the approximately $45 billion the government spends on IT every year is being used effectively and efficiently, Chenok said.

Using the eKit, agency officials do not have to guess how much they will spend on PKI to secure their transactions. They can conduct a short-term test of their programs and then be able to show agency and OMB examiners exactly how much needs to be spent on PKI efforts.

"The only way your costs go up is if you choose to scale," Cummins said.