GSA assumes liability risk on ACES project
- By Christopher J. Dorobek
- Mar 15, 1999
In the latest action on its digital certificate service project, the General Services
Administration this month determined that vendors will be safe from liability if they
follow contract specifications.
Liability arose last month as one of the two impediments vendors saw to success of the
Access Certificates for Electronic Service (ACES) project. Vendors also told GSA officials
at a bidders conference that they doubted they could make money from ACES [GCN, Feb. 8, Page 3]. GSA has not overcome that hurdle.
But confident that it has removed a major barrier, GSA officials set April 19 as the
new ACES bid deadline. Originally, bids were due Feb. 19, but GSA postponed the submission
date to rework the solicitation and resolve the liability issue.
Vendors told GSA officials at the bidders conference they were worried they could be
held liable because of the private information they would maintain about digital
certificate holders. What would happen if someone lost their digital certificate and
someone else figured out how to use it to sign documents electronically?
The ACES draft request for proposals did not make it clear who would be responsible and
who would assume risk for unauthorized use of certificates.
Vendors asked GSA whether they or the government would be liable for the registration,
revocation and issuance of certificates.
GSA attorneys, in a notification posted on the ACES Web site at www.gsa.gov/aces, said
contractors would be covered by the Federal Tort Claims Act, which prohibits lawsuits
against the government except in specific circumstances.
This is not one of those circumstances, said Judith A. Spencer, director of the
GSAs Center for Governmentwide Security in the Office of Information Security.
An ACES vendor would be under contract to the government, and the government is telling
the vendor how to carry out the project, she said.
Vendors said they will review the wording of the GSA determination closely.
We need to understand what [the determination] really means, said Scott
Lowrey, chief executive officer for Digital Signature Trust Co. of Salt Lake City.
Its under review.
ACES is one of the governments initial forays into real-world use of digital
certificates. GSA essentially wants to establish a certificate service for use by agencies
The ACES vendor must create a certificate process as well as set up a public-key
infrastructure to handle the certificate exchanges.
Because its an untested market, vendors have not jumped to bid on ACES, GSA
officials said. At the bidders conference, for instance, several company officials
suggested they would be interested in participating as subcontractors. None openly said
their companies wanted the prime contract.
Now, however, industry sources predict at least two companies, Digital Signature Trust
and AT&T Corp., will bid on ACES.
The big question left is how a company can make money on ACES, said Ed Giorgio, a
principal at Booz, Allen & Hamilton Inc. of McLean, Va., and former chief of
cryptoanalysis and cryptography at the National Security Agency.