Federal PKI slow to take off, GAO says

Twenty agencies have undertaken 89 public key infrastructure projects at a cost of about $1 billion, but a General Accounting Office study shows progress in PKI has been slow over the last three years.

Most of the programs are in the planning, design or development phases. Just 35 programs are operational, and six have been terminated, most because of funding problems.

'PKI implementation continues to pose major challenges similar to those we described in 2001,' said the GAO report issued today.

Funding and expense was the most commonly cited problem, but GAO also found a lack of governmentwide policy and guidance, interoperability problems with existing systems, and training and administration burdens.

The GAO study was requested by the House Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

By any measure, the Defense Department dominates federal PKI activity with its Common Access Card program. CAC accounts for about $823 million of the total estimated $1 billion being spent on existing programs, and more than nine out of every 10 digital certificates planned for use by government employees will be on CAC cards.

Two governmentwide programs intended to promote and tie together PKI projects show little progress since the 2001 study.

'The level of participation in the Federal Bridge Certification Authority is the same as in 2001,' GAO found.

Four agencies have been certified to connect with the bridge. A number of other entities, including the state of Illinois and the Canadian government as well as several federal agencies, are planning to join the bridge.

The General Services Administration's Access Certificates for Electronic Services program has had lower participation than expected. ACES has cost about $3 million since 1999. As of May 2003, 11 agencies said they have received or plan to receive digital certificates from the program.

Although ACES issued about 500,000 free certificates at the beginning of the program, only about 10,000 of these have been used. As of May, about 5,000 digital certificates had been purchased through ACES.

In 2001, GAO recommended that the Office of Management and Budget, which has statutory oversight responsibilities for PKI, develop a framework to provide guidance in implementing the technology. Although the National Institute of Standards and Technology has produced technical guidelines, OMB has not completed its work on an overarching framework.

OMB issued a policy memorandum for an authentication policy in July, and 'OMB officials said they were in the process of addressing these issues,' GAO said.

About the Author

William Jackson is a Maryland-based freelance writer.
