Defense's PKI slowly takes root

The Defense Department is getting serious about its mandate that all employees and contractors conduct business through a public-key infrastructure.

As Defense agencies work to PKI-enable applications and Web sites, contractors without the digital certificates necessary for operation in that environment are being denied entry, said George Schu, vice president of public affairs for VeriSign Inc. The Mountain View, Calif., company is one of three DOD-approved certificate vendors.

Until recently, the number of PKI-enabled sites, and the impact on contractors, was limited. A Defense spokeswoman said 10 percent to 20 percent of all Defense applications and sites are PKI-enabled. That number is expected to increase significantly this year.

Defense Directive 8500 requires that e-mail be digitally signed and that Web-based applications and networks use encryption certificates for user authentication. The directive set an April 1, 2004, deadline for contractors to have digital certificates, but vendors who have not obtained them can still do business with Defense offices that have not yet set up a PKI.

Vendors looking to work within DOD's PKI must participate in the External Certification Authority program. ECA followed the Interim External Certification Authority program, which started in 1999 and will be completely phased out within the next six months.

So far, about 5,000 ECA certificates have been issued to contractors.
Besides VeriSign, DOD has approved Digital Signature Trust of Salt Lake City and Operational Research Consultants Inc. of Fairfax, Va., as certificate vendors.

'Contractors and/or non-DOD individuals requiring access to DOD information protected by PKI-based authentication will be required to utilize ECA/IECA certificates for authentication,' said a spokeswoman for the Defense Information Systems Agency, which runs ECA.

'More of the Web sites that contractors have to hit are being locked down,' said Dan Turissini, president and CEO of Operational Research Consultants.

DOD's military, civilian and contractor employees who work at Defense facilities enter the PKI via the department's Common Access Cards, smart identification cards with embedded credentials. About 90 percent of DOD employees have them, officials say.

Schu said it has taken additional time for the department to enable sites for public-key infrastructure, due to the extensive engineering work involved.
'Some of the contractors are finding out, "Oh my God, I need a certificate," at the moment they can't get into a site,' he said.

Kerin Cummins, vice president of government services with Digital Signature Trust, said she would like to see more companies pick up the pace of adopting the certificates.

'This is something the DOD has been talking about for five years,' she said. 'Obviously, we'd like to see things happen faster, but we're forging along.'
She added that most of the larger Defense contractors are aware of the directive and have taken steps to get certified. Midsize and smaller companies 'are less cognizant of it.'

Centrist point of view

As DOD moves forward on its plans to implement PKI throughout its operations, it will continue to migrate to network-centric functions that connect its agencies more quickly and easily.

'Being connected is not a nice-to-have feature, it's an integral part' of the lifestyle of military workers, Defense CIO Linton Wells II said recently.
The department plans to make ECA interoperable with the Federal Bridge Certification Authority.

The Federal Bridge supports peer-to-peer interoperability among federal PKI domains and promotes interoperability among civilian agencies' PKIs.
