OMB mandates agency use of approved PKI providers
The Office of Management and Budget is requiring agencies to use one of three approved providers for public-key infrastructure and e-signature services.
The Office of Management and Budget is requiring agencies to use one of three approved shared-service providers for public-key infrastructure and electronic-signature services.These three service providers—the Agriculture Department’s National Finance Center, Verisign Inc. of Mountain View, Calif., and Betrusted U.S. Inc. of New York—meet the level-four certification outlined in OMB’s December 2003 memo (See .In the , Karen Evans, OMB’s administrator for IT and e-government, and David Safavian, administrator of the Office of Federal Procurement Policy, said agencies must use these shared-service providers to mitigate security risks.“Strong government oversight and internal controls mitigate the risk of using a commercial service,” the memo noted.The memo comes after some agencies were concerned whether commercial providers of PKI or e-signatures would meet the Government Accountability Office’s criteria for assessing these systems.GAO sent a letter to Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, in August detailing what agencies should consider when choosing a PKI system, no matter if the provider is from the public or private sector.“Our report said these are the types of controls needed to have adequate security,” said Chris Martin, a senior-level technologist with GAO, who worked on the letter. “We outlined our views on the subject based on our experience in reviewing these systems for agencies.”To qualify as a shared-service provider, vendors or agencies must:
GCN story
memo
GCN story
memo
- Operate their certification authorities under the certificate policy developed and controlled by the federal government
- Demonstrate compliance with this policy annually with a third-party audit
- Receive approval from the General Services Administration
- Comply with existing security laws, including certification and accreditation.
NEXT STORY: Mencer to leave DHS