GAO warns to look before you leap into PKI

The Government Accountability Office figures that managed public-key infrastructure services might be more trouble than they're worth to agencies in some instances.

Chief technologist Keith Rhodes conveyed GAO's findings in a recent letter to Rep. Tom Davis (R-Va.), chairman of the House Committee on Government Reform. Rhodes noted that several agencies had asked GAO informally for advice on managed PKI services.

GAO's position is that agencies might face a greater burden in using managed services, specifically contract certification authorities, than if they implemented the technology themselves, Rhodes said.

GAO is especially concerned about managed services when it comes to using PKI for financial transactions.

'If the certification authority is compromised, the impacts can be catastrophic to an agency's operations,' Rhodes said.

GAO made several suggestions for implementing PKI, such as exercising strict physical control over the necessary hardware and software so it can't be compromised.

According to GAO, agencies should study managed PKI services to ensure they use proper controls.

