GAO warns to look before you leap into PKI

The Government Accountability Office figures that managed public-key infrastructure services might be more trouble than they're worth to agencies in some instances.

Chief technologist Keith Rhodes conveyed GAO's findings in a recent letter to Rep. Tom Davis (R-Va.), chairman of the House Committee on Government Reform. Rhodes noted that several agencies had asked GAO informally for advice on managed PKI services.

GAO's position is that agencies might face a greater burden in using managed services, specifically contract certification authorities, than if they implemented the technology themselves, Rhodes said.

GAO is especially concerned about managed services when it comes to using PKI for financial transactions.

'If the certification authority is compromised, the impacts can be catastrophic to an agency's operations,' Rhodes said.

GAO made several suggestions for implementing PKI, such as exercising strict physical control over the necessary hardware and software so it can't be compromised.

According to GAO, agencies should study managed PKI services to ensure they use proper controls.

