DOD to vendors: Join PKI system or take a hike

If vendors don't register by April 1 for encryption certificates to do business with the Defense Department, DOD intends to severely limit their ability to work on contracts.

Beginning next month, the department plans to enforce a requirement that DOD contractors participate in the Interim External Certification Authority program.

IECA requires DOD contractors to have one-year encrypted digital certificates to ensure the security of vendor communications with the department.

Roughly 350,000 contractors that are doing business with the department need certificates, said Barry Leffew, vice president for the public-sector group of VeriSign Inc.

The IECA program has been in place for about three years, but adoption picked up only recently because of the looming deadline, said Leffew, whose Mountain View, Calif., company is one of three that DOD has approved to provide the certificates.

'Because of the impending deadline and because DOD has raised the awareness of this program, interest has increased exponentially over the past three months,' Leffew said.

Defense Directive 8500 mandated the program and set the April 1 deadline. The directive requires the 'exchange of unclassified information with vendors and contractors' be conducted using public-key infrastructure certificates obtained from approved certificate authorities.

Other vendors

Besides VeriSign, Defense has approved Digital Signature Trust of Salt Lake City and Operational Research Consultants Inc. of Fairfax, Va., to sell IECA certificates. The Defense Information Systems Agency, which runs the program, said only certificates from these vendors are compatible with the department's PKI initiative.

It takes only about 48 hours to get a certificate, Leffew said.

The current certificates are temporary and good for only one year because DOD next month plans to award contracts for the permanent External Certification Authority program.
Those certificates will last three years.

The DOD PKI Management Office has informed vendors it has the option of cutting off a non-certificate-holding contractor's communications, collaboration rights, e-mail privileges and ability to tap into access-controlled Defense Web sites.

'There are two primary uses for External Certification Authority certificates,' said an official in the DOD PKI Program Management Office.

The certificates let users digitally sign and encrypt e-mail messages. Secondly, they let DOD authenticate vendors using department Web applications.

'The IECA PKI was designed to be interoperable with the DOD PKI,' the official said.

The department's PKI technologies are becoming widespread. Defense employees and contractors who work inside Defense facilities, for instance, are required to use Common Access Cards with embedded PKI credentials. About 90 percent of Defense users currently have one of the smart cards.

Over the long haul, DOD plans to make ECA interoperate with the Federal Bridge Certification Authority. The Federal Bridge supports peer-to-peer interoperability among federal PKI domains and promotes interoperability among civilian agencies' PKIs.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above