Social Security helps states adopt federal PKI

Washington is about to become the first state whose employers can digitally sign their online wage reports to the Social Security Administration, something all 50 states will be able to offer if a Social Security pilot program to unify state and federal public key infrastructures proves successful.

Social Security will begin accepting Washington's certificates in April as part of a pilot to bring states and federal agencies under a uniform PKI system. The agency began testing digital certificates two years ago and a year ago started accepting Access Certificates for Electronic Services, the centerpiece of the General Services Administration's PKI program, issued to other federal agencies.

Although Washington has used digital certificates for several years, federal agencies weren't ready to accept them.

Washington's PKI program manager, Scott Bream, said he expects no technical glitches with Social Security's system, because Washington's certificates come from one of the federal certification authorities, Digital Signature Trust Co., Salt Lake City. The company is a holder of GSA's Access Certificates for Electronic Services contract.

"We've been tracking the federal government for a long time, and we modeled our policy after what was going on at the federal level," Bream said.

Chuck Liptz, Social Security's management analyst for the pilot, said the agency hopes eventually to accept certificates from all 50 states once interoperability problems are resolved.

"When the opportunity came to test out interoperability with the state of Washington, we thought, let's try this," he said.

About 450 Washington employers uploaded their online wage reports last year, but the files were not digitally signed, said Keren Cummins, vice president for government services at Digital Signature Trust. The businesses used personal identification numbers and pass codes instead.

A browser service called Transact Washington lets employers digitally sign documents to state agencies. Bream said the state's certificates are even more secure than the ones used by federal agencies under ACES.

"We have three levels of assurance; ACES has one level of assurance," Bream said. The lowest level, standard assurance, is a verification feature in the browser. A second level can be information on a token or smart card, and the highest level requires obtaining a certificate in person with verification by a token or a biometric identifier.
