With ACES, GSA will set up a baseline PKI

In its recent draft request for proposals for a digital signature infrastructure, the
General Services Administration said the program would provide "the public with the
ability to do business with the government electronically."

Through the Access Certificates for Electronic Services buy, GSA intends to build a
public-key infrastructure using commercial products. GSA's Federal Technology Service will
issue the final RFP next month and award several ACES contracts later this year.

But some critics of the procurement said the draft solicitation fails to address the
continuing disputes over encryption and digital signature standards.

GSA officials acknowledged that ACES will not meet every agency's requirements, but it
is a beginning.

"We're trying to kick start the effort," said Judy Spencer, GSA's ACES
program manager.

"ACES is designed to provide a way for government to communicate with its
constituents," she said. It aims to create a baseline PKI environment. Later, GSA
might opt to set up other services, Spencer said.

Vendors voiced approval of the RFP at a briefing earlier this month, she said. "We
feel pretty positive about it," Spencer said.

A Social Security Administration official familiar with ACES, who asked not to be
identified, said SSA has not decided whether it will use the contracts. But he praised GSA
for trying to get the necessary governmentwide framework in place.

"They've got to be commended for doing what they're doing," he said.

ACES will spread among agencies the cost of creating a public-key infrastructure for
digital certificates because it is too expensive for each or any one agency to design, the
official said.

"It's a start," he said. "In the end, it may evolve into something

But some industry analysts and government officials said GSA is trying to accomplish
the impossible by being all things for all agencies.

"There's no one-size-fits-all approach, certainly not in security," said
Patricia N. Edfors, president of PNE Associates, a Reston, Va., security consulting
company. Until earlier this year, Edfors worked for the Government Information Technology
Services Board and was chairwoman of its Public-Key Infrastructure Committee.

"Each agency is a different animal; each agency has different [security] needs and
requirements," Edfors said. Instead of satisfying everybody, ACES could end up
pleasing nobody, she said.

But, Spencer said, "ACES is not designed to be one-size-fits-all, and we know it
won't be. We're trying to prevent a whole lot of stovepipe solutions."

No one knows whether ACES will require the use of the federal Digital Signature
Standard. The draft RFP said GSA wants agencies to use DSS or the de facto standard
developed by RSA Data Security Inc. of Redwood City, Calif. GSA would have to publish a
public notice that says it intends to waive federal standards before agencies could use
the RSA program, Edfors said.

The integral element of ACES is the Certificate Arbitrator Module. CAM would route
disparate vendor digital certificates so that all agencies could accept them. The draft
RFP said GSA will require each vendor to propose a CAM.
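The article describes the CAM only at the level of routing certificates from different vendors to a common acceptance decision. The following Python model, added here as an illustration and not taken from the draft RFP, GSA, or any vendor, shows the shape of that decision: one module holds a per-issuer trust table and applies the same checks (registered issuer, permitted signature algorithm per the DSS-or-RSA language above, validity window, revocation) to every certificate regardless of which vendor issued it. The issuer names, serials, dates, and the `arbitrate` function are constructed for the example; real cryptographic signature and chain verification is omitted.

```python
"""Model of a Certificate Arbitrator Module (CAM) acceptance decision.

Added example with constructed data; not GSA's CAM and not any vendor's code.
Real chain and signature verification is out of scope here.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Signature algorithms the draft RFP would allow: the federal DSS (DSA) or RSA.
ALLOWED_ALGORITHMS = frozenset({"DSA", "RSA"})


@dataclass(frozen=True)
class Certificate:
    serial: str
    subject: str
    issuer: str          # issuing vendor CA, as named in the CAM trust table
    algorithm: str       # signature algorithm family, e.g. "DSA" or "RSA"
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class IssuerPolicy:
    trusted: bool
    revoked_serials: frozenset  # serials this issuer has revoked


# Hypothetical vendor CAs registered with the arbitrator (constructed).
ISSUER_POLICIES = {
    "Vendor-A CA": IssuerPolicy(trusted=True, revoked_serials=frozenset({"A-0002"})),
    "Vendor-B CA": IssuerPolicy(trusted=True, revoked_serials=frozenset()),
}


def arbitrate(cert, now, policies=ISSUER_POLICIES):
    """Apply one uniform policy to a certificate from any registered issuer.

    Returns (accepted, reason). Checks run in a fixed order so that the
    first failing rule is the one reported.
    """
    policy = policies.get(cert.issuer)
    if policy is None or not policy.trusted:
        return False, f"issuer not registered with CAM: {cert.issuer}"
    if cert.algorithm not in ALLOWED_ALGORITHMS:
        return False, f"algorithm not permitted: {cert.algorithm}"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity period"
    if cert.serial in policy.revoked_serials:
        return False, "certificate revoked by issuer"
    return True, "accepted"


# Constructed evaluation time and sample certificates covering each rule.
NOW = datetime(1998, 6, 15, tzinfo=timezone.utc)
_START = datetime(1998, 1, 1, tzinfo=timezone.utc)
_END = datetime(1999, 1, 1, tzinfo=timezone.utc)

SAMPLE_CERTS = {
    "A-0001": Certificate("A-0001", "citizen one", "Vendor-A CA", "RSA", _START, _END),
    "A-0002": Certificate("A-0002", "citizen two", "Vendor-A CA", "DSA", _START, _END),
    "B-0001": Certificate("B-0001", "citizen three", "Vendor-B CA", "ECDSA", _START, _END),
    "B-0002": Certificate("B-0002", "citizen four", "Vendor-B CA", "RSA",
                          datetime(1997, 1, 1, tzinfo=timezone.utc),
                          datetime(1998, 1, 1, tzinfo=timezone.utc)),
    "C-0001": Certificate("C-0001", "citizen five", "Vendor-C CA", "RSA", _START, _END),
}


def run_samples(now=NOW):
    """Arbitrate every sample certificate; returns {serial: (accepted, reason)}."""
    return {serial: arbitrate(cert, now) for serial, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for serial, (ok, why) in run_samples().items():
        print(f"{serial}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The point of the structure is that an agency relying on the CAM never needs vendor-specific acceptance code: adding a new vendor is a new entry in the trust table, and tightening policy (for instance, dropping RSA if the standards waiver described above were not granted) is a single change applied to every issuer at once.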

GSA has posted the draft RFP on the Web at http://www.gsa.gov/aces.
