OMB mandates agency use of approved PKI providers

The Office of Management and Budget is requiring agencies to use one of three approved shared-service providers for public-key infrastructure and electronic-signature services.

These three service providers?the Agriculture Department's National Finance Center, Verisign Inc. of Mountain View, Calif., and Betrusted U.S. Inc. of New York?meet the level-four certification outlined in OMB's December 2003 memo.

In the memo, Karen Evans, OMB's administrator for IT and e-government, and David Safavian, administrator of the Office of Federal Procurement Policy, said agencies must use these shared-service providers to mitigate security risks.

"Strong government oversight and internal controls mitigate the risk of using a commercial service," the memo noted.

The memo comes after some agencies were concerned whether commercial providers of PKI or e-signatures would meet the Government Accountability Office's criteria for assessing these systems.

GAO sent a letter to Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, in August detailing what agencies should consider when choosing a PKI system, no matter if the provider is from the public or private sector.

"Our report said these are the types of controls needed to have adequate security," said Chris Martin, a senior-level technologist with GAO, who worked on the letter. "We outlined our views on the subject based on our experience in reviewing these systems for agencies."

To qualify as a shared-service provider, vendors or agencies must:

* Operate their certification authorities under the certificate policy developed and controlled by the federal government

* Demonstrate compliance with this policy annually with a third-party audit

* Receive approval from the General Services Administration

* Comply with existing security laws, including certification and accreditation.