RFP Checklist: PKI solutions
- By Edmund X. DeJesus
- May 31, 2007
Selecting the best public-key infrastructure for your organization requires close consideration of your hardware needs, other organizations you will share information with and whether your organization will manage its own certificates. Here are some questions you'll want to answer before investing in a solution.
■ What requirements and mandates does your agency have to satisfy that involve PKI? The most common include Homeland Security Presidential Directive 12 and Federal Information Processing Standard 201.
■ What other federal agencies do you need to share information or credentials with? What systems, protocols and providers are they using? How do your PKI systems map to theirs?
■ With what nonfederal agencies do you need to share information or credentials? What systems, protocols and providers are they using?
■ What is the vendor's experience operating managed and hosted services?
■ What else do you want from a PKI provider? Smart cards? Hardware such as card readers? Software? Consulting services? Technical support? Maintenance services?
■ How do vendors compare on service-level agreements? What kinds of disaster recovery features are in place? Where is the vendor located?
■ What kind of auditing does the vendor undergo? When was the last audit, and what were the results?
■ What business processes need to change to implement PKI technology? Can vendors help with that?
■ Minimizing resistance to new programs is essential. Do vendors have strategies, such as trial programs, phased implementations and business process reengineering, to reduce resistance?
■ Do vendors have programs for training users?
■ Will the agency or an outside entity manage the PKI system? What kinds of trade-offs will that decision entail?
■ Will physical security be part of the solution? Who will be responsible?
■ With what other applications do you anticipate using PKI?
■ What are the operating system requirements of these solutions? Do operating systems already in use have PKI capabilities?
■ What existing software will PKI be integrating with? Does this software have PKI support? If not, what other software options are there?
■ If the agency is seeking to perform PKI-based information sharing with other agencies, what kind of application interoperability will be necessary? Ensure that vendors use nonproprietary technologies and protocols, which may include:
- X.509 certificates.
- Public-Key Cryptography Standards (PKCS #1, #7, #10, #11 and #12).
- PKIX (CMP, CRMF).
- Lightweight Directory Access Protocol.
- Online Certificate Status Protocol.
- Server-Based Certificate Validation Protocol (SCVP).
■ How many initial users do you anticipate? How well do PKI-based solutions scale? Can new locations be easily accommodated?
■ Can vendors transition an agency from managed services to a self-managed certificate authority?