PKI service vendors being lined up for federal users
By William Jackson
May 12, 2004
The Federal ID Credentialing Committee has begun prequalifying PKI service providers and expects to have the first vendors approved by the end of June.
Prequalification is being done by FICC's Shared Service Provider Working Group. Eventually, agencies acquiring PKI services will be required to buy from this list to satisfy the requirements of the government's common public-key infrastructure policy.
'We are not putting a contract in place,' said FICC chairwoman Judith Spencer. But the prequalification will ensure that the vendors meet the requirements of organizations creating the Federal PKI Architecture.
One of the standards of that architecture is the Common Policy Framework for PKI, written by the National Institute of Standards and Technology. NIST has released the final draft of the framework, which is undergoing review by the Office of Management and Budget. Upon adoption it will be mandatory for agencies implementing PKI.
The common policy will help ease mapping of digital-certificate policies to those of the Federal Bridge Certification Authority, and also could help agencies meet requirements of the Federal Information Security Management Act.
FISMA requires that all federal IT systems be certified and accredited, a process referred to as C&A.
'We required that vendors provide a C&A package,' with PKI services under the Common Policy Framework, said Tim Polk, NIST's cryptographic application and infrastructure program manager. Agencies should be able to use that package to meet FISMA requirements for that portion of the system.
The FICC working group earlier this year announced a five-year rolling open season for vendors to prequalify under the Common Policy Framework. Four companies submitted applications by the April 15 deadline for the first batch of approvals.
The process is not competitive.
'It is our intention that as many as possible qualify,' Spencer said. The working group will cooperate with vendors to work out problems and bring them into compliance with the framework.
The shared service provider list will be for services only, not for products such as smart cards or digital certificates. FICC has established an industry working group, the Electronic Authorization Partnership, to develop processes for certifying digital-certificate providers. The providers will be certified to the four levels of assurance spelled out in OMB's e-authentication guidelines, published earlier this year.
William Jackson is a Maryland-based freelance writer.