PKI vendors wanted

The General Services Administration says it is ready to get suppliers for smart cards based on public-key infrastructure standards that include a new authentication specification.

A decade of work has led to public-key infrastructure standards that are close to making digital authentication a governmentwide reality, General Services Administration officials announced this week.

In a notice posted March 2, GSA officials said they are ready to create a list of bidders that can supply smart cards based on federal PKI standards that include a new electronic-authentication policy specification. Use of the new specification, known as the X.509 Certificate Policy for the Common Policy Framework, could save government and industry potentially thousands of dollars, GSA officials said.

GSA plans to invite potential bidders to demonstrate that they can put small amounts of code, called PKI certificates, onto smart cards to make online applications more secure. The certificates would provide a high degree of assurance that online users are who they say they are. The smart cards must conform to the Government Smart Card Interoperability Specification, Version 2.1.

The first group of companies that pass the demonstration test will be placed on GSA's qualified bidders' list by June 30.

Once the list is compiled, agencies will have to develop applications that make use of digital certificates, said William Burr, manager of the security technology group at the National Institute of Standards and Technology. But they can worry less about creating the plumbing for authenticating users' identities online, he said.

"As PKI matures, there's probably less for us to do," said Burr, who has worked on PKI issues for about a decade. But, he added, "we're still in the middle stages of this adventure. The real problem isn't so much building the PKI as it is getting the applications going."

The government's long-term goal, beginning in fiscal 2006, is for federal agencies to buy PKI services from qualified companies. A handful of agencies that now use PKI certificates, mostly for secure e-mail, manage their PKI service using a mechanism known as the Federal Bridge Certification Authority.

Those agencies would be allowed to continue what they are doing, but GSA officials said it may be desirable at some point for those agencies to switch to outsourced PKI services.

To answer questions from potential bidders, GSA will hold an industry day event beginning at 9 a.m. March 11 in the GSA Central Office Auditorium. Companies interested in demonstrating their capabilities would have to submit information to the Federal Identity Credentialing Committee by April 15, GSA officials said.

Companies that are already providing PKI services under a GSA schedule or other governmentwide contract would not be required to sign another contract. But they might have to sign a contract modification, GSA officials said.
