GAO: PKI spending hits $1 billion

Twenty federal agencies are investing about $1 billion in public key infrastructure activities, but significant challenges to PKI projects remain, according to a General Accounting Office report released today.

"PKI is making steady progress in penetrating these government agencies, but there are still some tough nuts to crack," said John de Ferrari, assistant director in the GAO's IT group.

PKI represents a system of digital certificates and certificate authorities for authenticating users on a network. It is considered more secure than current authentication technologies, such as passwords.

GAO found that 89 separate PKI initiatives are in various stages of development, but few agencies have tied their projects into the governmentwide Federal Bridge Certification Authority, which was set up to link agencies' PKI programs into a broader network.

GAO found only four agencies had certified their PKI projects to meet the technical and security requirements of the larger network.

In addition, GAO's report said agencies have been slow to participate in the Access Certificates for Electronic Services program, which was designed to offer PKI services through a General Services Administration contract. The GAO said the GSA would revise the program's pricing structure to encourage participation.

Agencies still face significant challenges in implementing PKI security. Those challenges are the same as when GAO reported on PKI initiatives in 2001, de Ferrari said. At that time, GAO recommended the Office of Management and Budget take steps to improve PKI adoption.

However, "OMB has not yet fully addressed the recommendations related to the construction of a PKI policy framework," the report read.

Among the challenges the GAO cited: