DOD digital certificates need interoperability

DOD and GSA must find a way to allow broader use of government-approved digital certificates, according to a new report


The Defense Department and the General Services Administration must find a way to allow broader use of government-approved digital certificates, according to a new report.

Officials from DOD and GSA have been meeting regularly to discuss how DOD can adopt or at least recognize the Access Certificates for Electronic Services (ACES) digital certificates, which are issued under a multiple-vendor contract awarded several years ago by GSA's Federal Technology Service. Those talks have yet to resolve policy and technical issues, however.

"Organizational elements within the DOD are still on a path to their preferred technical solution," according to the Federated Electronic Government Coalition report issued May 6. DOD officials have focused on internal uses for digital certificates rather than on making them interoperable with the rest of the federal government, let alone with vendors and state and local governments, the report stated.

The coalition includes private-sector trade associations, educational institutions and nonprofit groups.

The coalition praised DOD for its efforts to develop a public-key infrastructure, but the agency has been focusing on its own needs and ignoring the benefits of a larger PKI that could become the basis of e-government efforts, said Michael Mestrovich, co-chairman of the coalition and president and chief executive officer of Unlimited New Dimensions LLC, a consulting firm.

Group members stressed that despite years of talking about interoperability, the government risks undermining the potential benefits of a PKI unless it develops common policies and processes to ensure that the pieces can work together.

"Interoperability is paramount," according to the report. "If this is not achieved, the U.S. government and American industry [are] dealing with a potentially disruptive technology that will affect the policy, legal, technical and process implementation aspects of their business."

PKI technology enables users to conduct secure transactions, for example via a Web browser. A certificate authority issues each user a digital certificate that binds the user's identity to a public key; the matching private key stays under the user's control. A system that relies on the certificate authenticates the user by verifying that the certificate was signed by a certificate authority it trusts and that the authority has not revoked it, which it checks against the authority's published revocation list. Only then does it use the public key in the certificate to verify the user's digital signatures or to set up an encrypted session.

Many PKI products are available commercially, and the certificates they issue differ somewhat in content and in the policies under which they are issued. More importantly, an organization's systems accept only certificates that chain to the certificate authorities they have been configured to trust, so an organization that deploys one PKI normally cannot accept the certificates issued under another without an explicit decision, and a technical means, to trust the other authority. If there is no unified way for the certificates to work across government, vendors will have to create and support multiple environments. "The subsequent overhead costs would be significant for all parties," the report stated.
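The trust relationship behind that problem can be shown in a short program. The Go example below is added here for illustration; it is not code from the report, from DOD or from the ACES program, and the certificate authority names and the "department" and "vendor program" roles in it are hypothetical. It uses only the Go standard library. A relying party that trusts one root accepts certificates issued under that root, rejects a certificate issued under an unrelated root, and accepts the same certificate once the trusted root has issued a cross-certificate for the unrelated root. Cross-certification is one technical mechanism for the kind of cross-trust the report calls for; the report itself does not discuss it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// All certificate names in this file are hypothetical stand-ins.
var serial int64

// template builds a certificate template for subject cn. CA templates get the
// certificate-signing key usage; end-entity templates get a client-auth
// extended key usage, which is what a Web application would demand.
func template(cn string, isCA bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue has the holder of parentKey sign a certificate for pub according to
// tmpl. Passing tmpl as its own parent produces a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// accepted reports whether a relying party whose trust anchors are roots, and
// which has been handed the given intermediate certificates, would accept leaf
// for client authentication. Chain building, signature and validity checks
// are done by the standard library verifier.
func accepted(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, i := range intermediates {
		interPool.AddCert(i)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Demo returns, for a relying party that trusts only the department's root:
// whether it accepts a department-issued user certificate, whether it accepts
// a contractor certificate from a second, unrelated PKI, and whether it accepts
// that same contractor certificate once the department's root has
// cross-certified the second PKI's root.
func Demo() (ownAccepted, foreignAccepted, crossCertifiedAccepted bool) {
	deptKey, progKey := newKey(), newKey()
	deptTmpl := template("Department Root CA (hypothetical)", true)
	deptRoot := issue(deptTmpl, deptTmpl, &deptKey.PublicKey, deptKey)
	progTmpl := template("Vendor-Program Root CA (hypothetical)", true)
	progRoot := issue(progTmpl, progTmpl, &progKey.PublicKey, progKey)

	userKey, vendorKey := newKey(), newKey()
	user := issue(template("department user", false), deptRoot, &userKey.PublicKey, deptKey)
	vendor := issue(template("contractor", false), progRoot, &vendorKey.PublicKey, progKey)

	// Cross-certificate: the department's root signs the vendor program's root
	// public key under that root's own subject name, so a chain from a vendor
	// certificate can now terminate at the department's trust anchor.
	cross := issue(template("Vendor-Program Root CA (hypothetical)", true), deptRoot, &progKey.PublicKey, deptKey)

	ownAccepted = accepted(user, []*x509.Certificate{deptRoot}, nil)
	foreignAccepted = accepted(vendor, []*x509.Certificate{deptRoot}, nil)
	crossCertifiedAccepted = accepted(vendor, []*x509.Certificate{deptRoot}, []*x509.Certificate{cross})
	return
}

func main() {
	own, foreign, cross := Demo()
	fmt.Printf("own PKI: %v, unrelated PKI: %v, after cross-certification: %v\n", own, foreign, cross)
}
```

The cross-certificate resolves only the chain-building half of the problem. Before a department would issue one it has to settle the policy questions the report says dominate, such as whether the other authority's identity-proofing and assurance levels meet its own, and the relying party still needs a revocation check for both authorities.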

Because DOD officials have focused on developing their own PKI, the department has failed to take advantage of relatively easy ways to create a broader PKI and, therefore, extend e-government efforts, according to the report.

The government should establish pilot projects along similar business lines, such as law enforcement or procurement, that involve federal, state and local governments and industry, the report recommended. The projects would "promote interoperability and evaluate how the differing technological solutions can enable applications and support requirements in a secure environment," the report stated.

A relatively easy project would be to adapt DOD's Central Contractor Registration system for PKI technology, according to the report. The repository of vendor data makes transactions, especially electronic ones, more efficient. It could be "PKI enabled," which would promote greater electronic communication.

The report is based primarily on work with DOD, but it has implications across government, Mestrovich said. Although the report is critical of DOD's PKI efforts, the agency has been on the cutting edge of government PKI initiatives, he added.

The issues are not technological, said Katherine Hollis, director of global information assurance services at EDS. Instead, they raise questions about how PKI works with business processes. Therefore, the leaders of the business processes must drive the government's PKI development.

***

Broadening DOD's public-key infrastructure

In a new report, the Federated Electronic Government Coalition says that the Defense Department should help promote a governmentwide public-key infrastructure by adopting or recognizing Access Certificates for Electronic Services (ACES) digital certificates issued under a multiple-vendor contract with the General Services Administration's Federal Technology Service.

To accomplish this goal, the coalition advises that:

* PKI must be driven by groups of shared interest, such as law enforcement, finance, health care, supply chains or transportation. Those groups must be involved in defining the assurance processes that best meet their needs.

* Interoperability is critical.

* Strong leadership from the Office of Management and Budget is needed to create enforceable policies.

* Officials from DOD and the ACES program must work together.
