In or out?

Companies that provide authentication services are pushing federal agencies to outsource digital certification to contractors, claiming that in-house solutions could end up costing more while not being interoperable with other agencies' systems. On Feb. 15, Secretary of Energy Spencer Abraham signed a formal recommendation on the Yucca Mountain Project and e-mailed it to President Bush, marking the first time digital signature technology has been used to pass official correspondence between the president and a cabinet official.For authentication provider VeriSign Inc., Mountain View, Calif., which provided the digital certification for Abraham's e-mail, the signing was a clear victory for its model of managed public key infrastructure, or PKI, service. "We had the service running within a day. There's no way you can have an in-house service up that quickly," said John Weinschenk, vice president of VeriSign's enterprise services division. The company opened a federal office in early 2002.James Lucier, vice president and senior Washington analyst with the Prudential Insurance Company of America, Newark, N.J., praised the Energy Department initiative, saying agencies have a strong tendency to build PKI systems in-house, which can lead to interoperability problems."The secretary's decision to use a managed-services model rather than in-house PKI services represents a significant step for future applications of digital signature technology by the government," Lucier said. Government officials, however, don't see managed services as a cure-all. Many managed services could be inoperable if each agency selects a different vendor for its PKI services, said Judith Spencer, chairwoman of the Federal PKI Steering Committee. Under a managed service scenario, the only way to guarantee interoperability would be for all agencies to use just one service, "which probably wouldn't be the case," said Spencer, whose committee oversees the General Services Administration's effort to build a governmentwide PKI infrastructure. The project is one of the Office of Management and Budget's 24 e-government initiatives.Several factors are pushing government use of digital signatures. The Government Paperwork Elimination Act requires that by October 2003, federal agencies use electronic forms to conduct official business when practicable. E-signing was made possible by the Electronic Signatures in Global and National Commerce Act of 2000, which gives legal recognition to electronic signatures. Agencies are still in the early stage of PKI deployments, said Arthur Coviello, chief executive officer of security product provider RSA Security Inc., Bedford, Mass. Among the early adopters are Veterans Affairs and the Navy, both of which have been investigating smart cards with PKI components, he said. Others include the Federal Aviation Administration and Congress, where many members carry tokens for the secure checking of e-mail. A public key infrastructure is recognized as the standard, at least in the United States, for generating legally binding digital signatures. In this infrastructure, a central repository keeps the public keys of individuals, which others can use to validate a sender's identity. The question VeriSign and industry analysts are asking is whether the public key server should be managed by the agency itself or by a vendor as a managed service accessible over the Internet. "If you don't run a managed service, you create islands of proprietary systems," said VeriSign's Weinschenk. The problem with an in-house approach is that when people from outside the agency need to verify a public key, they may not have the access to do so.Weinschenk also said his company can provide managed service at about 25 percent the cost of an in-house solution because it runs multiple data centers worldwide.GSA's Spencer, however, said managed services do not fit every agency's needs. Agencies that deal with the public or large numbers of business clients might find a managed service preferable, whereas an agency with a specialized mission in which certificates are needed only internally may decide it's more cost-effective to have an in-house solution. "One [solution] is not necessarily better than the other; each has its own concerns," she said.The Federal Bridge Certification Authority, overseen by Spencer's group, establishes a bridge framework on which agencies with different PKI systems can translate the security levels of authentication among themselves. "If one agency has security clearance levels based on numbers, say, 8, 9 or 10, and another by letters, A, B, C, they can use them to bridge framework to match levels," said Brian O'Higgins, chief technology officer and founder of authentication service and product provider Entrust Inc., Addison, Texas, which sits on the PKI steering committee. These translations would allow an employee of one agency to obtain to appropriate clearance at another, he said. This also gives agencies the freedom to go with several different vendors, Spencer said.VeriSign officials said they are working on a project with the University of California at Berkeley "to demonstrate VeriSign's interoperability with the Federal Bridge."GSA oversees its own managed services contract vehicle, the Access Certificates for Electronic Services, which offers PKI solutions for government transactions. A requirement of this contract is that all the vendor services be interoperable with one another. Contract vendors include AT&T Corp., New York; Digital Signature Trust Co., Salt Lake City; and Operational Research Consultants Inc., Alexandria, Va., Spencer said. Thus far, the National Institute of Standards and Technology and the Social Security Administration have employed ACES.Each of these companies can issue certificates on behalf of agencies, and charge a transaction fee from 40 cents to $1.20 each time the certificate is used, according to a February 2001 Government Accounting Office report on federal PKI usage. "Agencies will have to determine which applications are best suited to use ACES certificates," the report said. "For example, GSA officials have stated it would probably not be cost effective to use ACES for less sensitive, high-volume applications," such as e-mail. Another concern is that the managed service provider may set the policies for certification itself, which may be less rigorous than the agency's own. "An agency isn't going to want the credentials they use to be exactly the same as those issued by Bob's Bait and Tackle," said Spencer. "The way they get that distinction is to have the managed service provide you with distinctive credentials with a set of rules that are not the same as Bob's." Bill Smithson, vice president for information technologies at MatCom International Corp., Alexandria, Va., said his company has worked on PKI contracts that involved both in-house solutions, such as one for the National Institute of Standards and Technology, and managed services, including one for the Federal Retirement Thrift Investment Board. Although managed services may save money, Smithson said it isn't an option for for many agencies. They rely on customized software written for mission-specific needs, and documents generated from this software can't easily be signed through a managed service. Another reason an agency may stay in-house, Smithson said, is lack of Internet access. Some agencies still don't have dedicated access, either to keep down costs or discourage employees from surfing the Internet. Without a full-time connection, it would be impossible to check the validity of even in-house signatures through a managed service.