PKI solves access headaches for FEMA

The Federal Emergency Management Agency puts a lot of information on its Web site, at .There’s news on the latest grant awards, flood hazard maps and tips on disaster preparedness. But the agency also maintains data and applications that are not public, including national security information, contingency plans for terrorist attacks and private information from grant applications.“We’ve always kept about 20 percent back” as not appropriate for public disclosure, FEMA project officer Steve Crosby said.Keeping the secret stuff from the public while making it available to those who need it was difficult. Client-based tunneling software turned out to be a “massive headache,” Crosby said. “It didn’t work out for us.”The agency also found internal resistance to a new security technology infrastructure just as daunting.FEMA wanted to slim down its dial-in infrastructure, so officials turned to the General Services Administration’s Access Certificates for Electronic Services program for authentication and access control.“We were the first to issue a certificate since President Clinton used one to sign the E-Sign bill” in July of last year, Crosby said, referring to the Electronic Signatures in Global and National Commerce Act.FEMA also is the first agency to field a working public-key infrastructure. “Now I don’t have to maintain terminal access accounts and dial-in capability,” he said.FEMA went with ACES contractor Digital Signature Trust Co. of Salt Lake City as its certificate authority. It initially licensed 10,000 digital certificates and began issuing them in April.“Between now and next spring, we expect quite a lot of expansion,” Crosby said. FEMA has authorized another 90,000 certificates.Crosby said access by local officials to status information on public assistance grants would be a big driver for the growth.Digital certificates are electronic identification cards issued by an authority that keeps track of who they are issued to and which are valid. Certificates can be stored on a user’s computer, a diskette or another storage device. A public-private encryption key pair is issued along with the certificate. The certificate holder keeps the private key; the other key is publicly available.The certificate can be used to authenticate a user’s identity online to control access to data, and keys let users exchange encrypted messages and electronically sign documents for an added layer of security.Users of the protected FEMA site get one-time personal ID codes that let them apply for certificates. Application information is forwarded to Digital Signature Trust, which verifies it and notifies users by mail when digital certificates are ready. Each user downloads and stores the certificate so it can be used to access information from any online computer.Because the system does not require a high level of security, Digital Signature Trust does not require in-person verification for the FEMA certificates, Crosby said. Users in systems with higher levels of security would have to show up in person with various forms of ID to get their certificates.FEMA hosts its secure site in a so-called demilitarized zone, between the Internet and the agency’s internal network.The agency chose ACES for its digital certificates because it could accommodate certificates from a variety of issuers.The key to making the system work is an engine for routing certificate information to the proper issuing authority for verification when access is requested. Mitretek Systems Inc. of McLean, Va., developed the engine, the Certificate Arbitrator Module.CAM is an application-level router that examines certificate data to determine the issuing authority and routes the data from the site to the authority.Anteon Corp. of Fairfax, Va., integrated CAM into the FEMA Web site. Anteon also developed software to identify a valid user once a certificate has been verified by the issuer. The software controls what information each user can access and tracks user sessions.This was the first time CAM had been integrated in a PKI system, Anteon program manager Frank Stellar said. “When we got on board, nobody had implemented an ACES system yet.”He said additional certificate authorities—not limited to ACES contractors—can be added to CAM as needed to allow wider access.“It wasn’t that tough, technically,” Stellar said of the job. But it took the better part of a year to get it into place because of internal politics, he said.The need to get everyone on board with a new technology was one of the lessons learned in implementing PKI, Crosby said.“You’ve got to sell,” he said. “The program officer and the security folks are your biggest hurdle.”Crosby’s next hurdle is gaining acceptance of an online document tracking system that uses digital signature technology from E-Lock Technologies Inc. of Fairfax, Va.