GSA fleshes out gateway concept

GSA soon will call on industry for ideas on how to build a single authentication system for all e-government services

e-Authentication initiative

By the end of the month, the General Services Administration plans to release a formal call to industry for ideas on how to build a single authentication system for all e-government services.

This system will be used to validate the identities of users conducting business through e-government applications, a necessary ingredient for securing sensitive transactions.

But any solution vendors put forward also must take into account the fact that the proposed e-Authentication gateway eventually will have to accept credentials issued by nonfederal trusted sources, such as state and local governments, banks and health organizations, GSA officials said.

The GSA-led e-Authentication team plans to release a request for information within the next two weeks for the gateway, said Steve Timchak, GSA's e-Authentication program manager, at the June 18 Industry Day Conference at the Commerce Department.

The gateway, one of the 24 e-government initiatives backed by the Bush administration, would consolidate the validation of multiple levels of authentication, such as a password or digital certificate, through a single interface, which could be used for other initiatives.

The Bush administration's entire E-Government Strategy is built on the concept of eliminating redundant services and investments. The e-Authentication initiative is intended to be an enabler for e-government initiatives focused on specific services that rely on legacy applications at multiple agencies.

E-Authentication also has a group of legacy applications that it must tackle, according to Mark Forman, associate director for information technology and e-government at the Office of Management and Budget, which oversees the E-Government Strategy.

Dozens of unique yet redundant authentication systems exist throughout the federal government, he said. And many agencies have recently signed contracts to create additional public-key infrastructure (PKI) certificate authorities, which issue some of the highest levels of digital credentials, he said.

"We have e-authentication today; it's just not smartly architectured," he said. "There's got to be some consistency, and it has to be citizen-focused."

Beyond the proposed gateway, the e-Authentication initiative will not simply add another layer to the existing, redundant solutions, Forman said. "We will have to retool the investments different agencies are making."

While industry leaders consider their responses to the RFI, the e-Authentication team will work with Mitretek Systems Inc., a nonprofit company that provides technical expertise to the government, to build a prototype version of the gateway and have it up and running in September (see box).

This prototype is intended to be a proof-of-concept trial, demonstrating whether it is possible to validate multiple levels of credentials for multiple applications, Timchak said. It will also be used to find technical challenges that have not yet been considered, and the subsequent request for proposals will incorporate those lessons, said Monette Respress, a member of Mitretek's technical team.

But the technical issues are not the biggest challenges the e-Authentication team faces. The policy and legal aspects of working with multiple credentials are a key feature of the gateway and will be much more complex problems to solve, said David Temoshok, PKI policy manager within GSA's Office of Governmentwide Policy and a member of the e-Authentication team.

Validating multiple levels of credentials issued by many agencies will require a thorough mapping of the policies behind the credentials, he said. Those policies determine issues such as how a user applies for credentials, how credentials are issued and what management controls are in place to ensure proper use of credentials.

The government has already set up a mechanism for managing the policy mapping for digital certificates: the Federal PKI Policy Authority. That organization will likely be a model for mapping policies for other levels of credentials, said Judith Spencer, chairwoman of the Federal PKI Steering Committee. The United Kingdom offers another potential model, she said. That country's tScheme program is an independent, industry-led effort to evaluate and assign a level of trust to commercial security services.

***

Gateway progress

Crucial next steps for the e-Authentication initiative:

* Issue a request for information by the end of June.

* Conduct risk assessments for all 24 e-government initiatives to determine the appropriate levels of authentication and map those needs to known types of credentials, such as smart cards.

* Work with Mitretek Systems Inc. to design, test and deploy a prototype gateway by September 2002.

* Release a request for proposals this fall, based on the lessons learned from the prototype.

* Roll out the full-scale production gateway in September 2003.