GSA pushes E-Authentication
- By Jason Miller
- Jan 20, 2006
Contract for free credentials and digital certificates designed to encourage public to use online services
Steve Timchak, former project executive of E-Authentication
For the past four years, the promise of E-Government has hinged on the ability of users to authenticate themselves to systems. Without a trusted federation to exchange security information over the Internet, E-Government applications are nothing more than consolidated Web sites.
Many times since the Office of Management and Budget launched the 25 E-Government initiatives in 2001 and assigned the E-Authentication project to the General Services Administration, experts have said the government has put the horse before the cart'having vendors or agencies offer credentials without systems ready to use them.First things first
But it seems the horse and the cart are finally in order. GSA late last year awarded a contract to Operational Research Consultants Inc. of Fairfax, Va., to become the first commercial provider of Level 1 or Level 2 Security Assertion Markup Language 1.0 credentials. The contract, along with at least four agency applications prepared to accept the credentials from the public, makes E-Government more of a reality than ever.
'This is part of the evolution of E-Authentication,' said Steve Timchak, the former GSA E-Authentication project executive, who retired this month. 'This is no longer a concept. It is working and growing, and that is the important thing.'
Under the contract, for which GSA paid $900,000, ORC will provide up to 250,000 credentials to the public at no cost.
SAML 1.0-compliant Level 1 and 2 means that users will receive a user name and a password that is at least eight characters long, can be upper and lower case, and uses special characters.
'GSA is priming the pump,' said Daniel Turissini, president and chief executive officer of ORC. Once a handful of credentials are out there, he added, and 'a lot of people [are] providing or getting these services across multiple applications, we will see a lot more movement in the credentialing and public-key infrastructure environment.'
OMB tried to jump-start the process in the fiscal 2005 budget by requiring all agencies to have at least one application using e-authentication services last year and one in 2006. An OMB official said 11 agencies met the requirement by December and more are working on it. Overall nine applications use e-authentication services, the official added.
In addition to the contract for Level 1 and 2 credentials, GSA awarded ORC another contract worth $700,000 to provide digital certificates'at Level 3 and 4'for the Federal Acquisition Services E-Offer and E-Modification systems.
ORC will provide 15,000 certificates'two per company'free under the Access Certificates for Electronic Services governmentwide acquisition contract.
Vendors will submit offers electronically for task orders under the schedules program, or modify their schedule contracts online using the public-key infrastructure.More to come
Timchak said E-Offer and E-Mod are just two of a number of applications that are part of the E-Authentication federation and that are accepting either SAML 1.0 credentials or Level 3 and 4 digital certificates.
OMB in 2003 laid out four assurance levels for e-authentication. They are:
Level 1: For applications that require little or no assurance about the identity of the user, such as a citizen logging on to a customized Web page
Level 2: For applications in which it is highly probable that the user's identity is accurate, such as a federal employee taking courses through an online education site
Level 3: For applications that require a high degree of confidence that the user is authentic, such as a lawyer who provides patent data to the Patent and Trademark Office
Level 4: For applications in which it is absolutely necessary that the user's identity is accurate, such as a law enforcement official accessing a federal database of criminal records.
The Energy Department recently went online with its Vendor Inquiry Payment Electronic Reporting System. The National Science Foundation's FastLane, which lets academics apply for grants online, and the Labor Department's Mine Safety and Health Administration's online forms also use Level 2 credentials.
The Agriculture Department has more than 122 applications using e-authentication services, but only a handful are accessible by the public.
Turissini said users can obtain credentials or certificates fairly easily. They can download an application and get it notarized before submitting it to ORC. Or they can come to ORC's office and submit it there.
Timchak said other private-sector credential providers are on the horizon, including Wells Fargo, Bank of America and Fidelity Brokerage Services.