OMB mandates agency use of approved PKI providers

The Office of Management and Budget is requiring agencies to use one of three approved shared-service providers for public-key infrastructure and electronic-signature services.

These three service providers'the Agriculture Department's National Finance Center, Verisign Inc. of Mountain View, Calif., and Betrusted U.S. Inc. of New York'meet the level-four certification outlined in OMB's December 2003 memo (See GCN story.

In the memo, Karen Evans, OMB's administrator for IT and e-government, and David Safavian, administrator of the Office of Federal Procurement Policy, said agencies must use these shared-service providers to mitigate security risks.

'Strong government oversight and internal controls mitigate the risk of using a commercial service,' the memo noted.

The memo comes after some agencies were concerned whether commercial providers of PKI or e-signatures would meet the Government Accountability Office's criteria for assessing these systems.

GAO sent a letter to Rep. Tom Davis (R-Va.), chairman of the Government Reform Committee, in August detailing what agencies should consider when choosing a PKI system, no matter if the provider is from the public or private sector.

'Our report said these are the types of controls needed to have adequate security,' said Chris Martin, a senior-level technologist with GAO, who worked on the letter. 'We outlined our views on the subject based on our experience in reviewing these systems for agencies.'

To qualify as a shared-service provider, vendors or agencies must:

  • Operate their certification authorities under the certificate policy developed and controlled by the federal government


  • Demonstrate compliance with this policy annually with a third-party audit


  • Receive approval from the General Services Administration


  • Comply with existing security laws, including certification and accreditation.



inside gcn

  • HPE SGI 8600

    New supercomputers headed to DOD

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group