Agencies leery of PKI storage without guidance
Agencies leery of PKI storage without guidance
BY DIPKA BHAMBHANI
| GCN STAFF
Agencies that use digital certificates have found themselves working without a net in terms of electronic record-keeping.
GSA's Barry West says it's risky to wait on developing electronic-storage approaches.
Lacking guidance, agencies are simply backing up digitally signed documents and certificates with folders of paper printouts'a fatal mistake, said Barry West, chairman of the Business Working Group of the Public-Key Infrastructure Steering Committee.
'You really can't wait,' he said. At the very least, agencies should buy a storage infrastructure and then manage the records themselves, he said.
Yet some are waiting. The Social Security Administration, the first agency to set up large-scale PKI, has been accepting wage reports online for several months. But the agency doesn't plan to implement a storage system for the records for another year.Policy needed
Tony Trenkle, deputy associate commissioner for electronic services, said SSA is still trying to work out whether to store the electronic files remotely or centrally'and in what format.
'The policy infrastructure is still not there,' Trenkle said.
SSA's Tony Trenkle says his agency needs policy guidance on formats and rules.
Until the National Archives and Records Administration specifies a completely electronic record-keeping system, West said, 'you're going to see agencies still storing paper copies.'
SSA's PKI working group has concluded that records should be managed in-house, not by a third party.
'Most agencies feel more comfortable having that in-house, as part of their architecture,' West said.
The Patent and Trademark Office, Federal Emergency Management Agency, Agriculture Department and USDA's National Finance Center all run PKI systems and manage records in-house without sophisticated systems, though they all keep paper backups.
In contrast, the FBI currently stores all its documents in manila folders, West said, and the folders are transferred via the mail instead of electronically.
But agencies that delay setting PKI and electronic-storage plans risk missing the 2003 deadline in the Government Paperwork Elimination Act, West said.Security measure
PKI and electronic archiving work in tandem. Agencies without PKI are going to have to adopt it as a security measure to maintain records, he said.
'Next year at this time, we'll have two to three times more agencies using PKI,' West predicted.
Agencies need to be prepared to deal with audits and any possible lawsuits or other disputes that arise, said David Temoshok, PKI policy manager in the Government-
wide Policy Office at the General Services Administration.
'You don't really need a third party to store that data for you; you need to recognize, just like with debit transactions at an automated teller machine, there's a stream of data that you, the user, never see, that's associated with a transaction, should you ever need to dispute it,' Temoshok said.
'What is really needed is guidance,' said Judith Spencer, chairwoman of the federal PKI Steering Committee. 'We're concentrating our attention on digitally signed documents'how do you validate a signature five years later?'
Official guidance from NARA is unlikely until sometime in 2003.
The Chief Information Officers Council and the National Institute of Standards and Technology plan to set electronic-storage standards by late next year.
In the meantime, agencies should go with already issued guidance, Temoshok said. 'Principally, I'm referring to the guidance from NARA,' for PKI, issued in October, he said. 'That includes date and time stamps, the message and the signature itself.'
GSA will review the new proposed standards, and the Office of Management and Budget and NIST will give final approval.Third-party worries
Until standards are issued, West said, agencies should probably stick with products from big companies that can easily upgrade their storage systems and can make the environments interoperable. He recommended that they consult OMB and NIST for guidance before they buy.
John Vasko, who heads the Electronic Records Workgroup of the Federal Information and Records Management Council, also warned against third-party records management'at least at the moment, when the technology is so new.
'I would have serious concerns over something like that. A disgruntled contractor could have access to sensitive information. You have to have some sort of guidelines to go by.'
At the same time, agencies should not delay adopting PKI just because storage options are limited, he said.
'Something is better than nothing. I'm for no paper, cradle to grave,' Vasko said. 'You have to sort of pull up your pants and jump in.'