Deadline looms for secure defense communications

Integrators have until April 1 to adopt encryption certificates that will let them communicate securely with the Defense Department.

Companies that do not implement Interim External Certification Authority (IECA) certificates risk being cut off from crucial parts of the department's network, said an executive at VeriSign Inc., one of three companies approved to sell the certificates.

Barry Leffew, VeriSign's vice president for the public sector, said there are roughly 350,000 companies doing business with the Defense Department that need IECA certificates. The IECA program has been in place for about two years, but Leffew said adoption only recently began to pick up.

"Our phones have been ringing off the hook," he said, adding he expects to see even greater adoption in the days after April 1, as contractors scramble to get their certificates in order. VeriSign can deploy certificates in under 48 hours, he said.

The IECA program brings contractors into compliance with the Defense Department's requirement that outside companies use public key infrastructure encryption to secure communications. Contractors that are onsite at Defense Department facilities and have access to department networks behind firewalls will be issued PKI certificates through the Defense Department.

Soon after April 1, the Defense Department is expected to lay out plans for the permanent External Certification Authority program. Leffew said ECA certificates will incorporate additional interoperability features.

Mountain View, Calif.-based VeriSign, Digital Signature Trust Co. of Salt Lake City and Operational Research Consultants Inc. of Chesapeake, Va., are the only companies approved by the Defense Department to sell IECA certificates. According to the Defense Information Systems Agency, which runs the program, no other certificates are deemed compatible with the Defense Department's PKI initiative.

VeriSign's Leffew said larger integrators are requesting competitive bids for IECA certificates. Such installations require anywhere from 1,000 to 10,000 certificates, at a cost of roughly $70,000 to "several hundred thousand" dollars, he said.

Without Defense Department-approved certificates, contractors may not be able to send e-mail to department officials, access Web sites, find information about RFPs and more.

To learn more about the IECA/ECA program, integrators should visit DISA on the Web.