Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 GPO PKI – Getting Started U.S. Government Printing Office May 20, 2011.

Similar presentations

Presentation on theme: "1 GPO PKI – Getting Started U.S. Government Printing Office May 20, 2011."— Presentation transcript:

1 1 GPO PKI – Getting Started U.S. Government Printing Office May 20, 2011

2 2 Agenda  About GPO PKI  Using GPO PKI for OFR eDOCS  GPO PKI Services

3 3 About GPO PKI  Shared Service Provider (SSP) certification – July 2007  Cross-Certified with Federal Bridge Certification Authority since December 2005  Meets all Federal PKI requirements  In operation at GPO since 2004

4 4 GPO PKI Services  End User Certificates  Medium Assurance Level (federal PKI)  Requires in-person identity proofing for Users  End user must present themselves in person to the RA or LRA  Two options:  At GPO Main Office  Agency Local Registration Authority (LRA)  Agency LRA personnel require a hardware token  LRA personnel (agency) must be identity proofed at GPO\  Hardware token required due to sensitive nature of enrollment function performed  LRA enrolls other agency personnel at agency– record keeping requirements  Agency users must present themselves in person to LRA at agency

5 5 GPO PKI Services  Help Desk  GPO provides technical assistance to users  Email notification by users to GPO  Automatically routed to GPO PKI support  Phone number provided for emergencies  Agency IT Help Desk  Most agencies wish end users to coordinate IT problem reporting and resolution through the agency IT Help Desk  GPO will work with agencies and PKI end users  GPO will always provide technical assistance to resolve end user PKI problems  May involve IT problems at the agency and agency will need to resolve those

6 6 Certificate Uses  File signing  eDOCS, for example  File encryption  Email encryption and signing (S/MIME)  For Outlook email  Other uses are possible, in consultation with GPO PKI

7 7 OFR eDOCS PKI  Background:  OFR eDOCS application  Hosted by GPO on behalf of OFR  Allows email submission of digitally signed files  Saves time and money  Requires official agency submitter to have PKI certificate  Required Medium Assurance PKI certificate  Requires In-Person Identity Proofing  GPO PKI services for the OFR eDOCS application  In Operation since September 16, 2006  OFR eDOCS originally used NFC PKI (pre Sept. 2006)

8 8 eDOCS Document Submission Process  Step 1:  End user logs into GPO PKI end user software (COTS client software meeting FIPS 140-2 and Federal PKI standards from Entrust, configured by GPO to interface to the FBCA cross-certified GPO PKI). User enters appropriate password (from certificate issuance process, for initial password).  Step 2:  End user locates the file to be signed using Windows operating system process.  Step 3:  End user RIGHT CLICKS on the file to be signed.  Step 4:  End User selects Entrust Advanced.  Step 5:  End User selects Sign.  Step 6:  GPO PKI software signs the file.  Step 7:  End user uses their normal agency email to send email to the Federal Register email address. User attaches file selected and signed in Step 6.  Step 8:  Process COMPLETE.

9 9 GPO PKI Services – Cost Structure  Cost Structure  End User Certificates:  $97 per user per year  NOTE: Software certificate (does not apply to smartcard certificate)  LRA Users:  $225 per LRA per year (includes hardware token)  LRA’s perform enrollment of agency users for GPO PKI  Costs documented in GPO Circular Letter 744  URL:  Business Enablement:  SF-1 Form executed for GPO  Printing Officers at each federal agency – liaison to GPO  Memorandum of Agreement  Spells out roles and responsibilities

10 10 GPO PKI Services – Getting Started  Step 1: Execute a Standard Form 1 (SF-1) and send to GPO  Send to: Bobbie McKoy at GPO (contact information on last slide)  Sample SF-1 shown on a later slide  Identify the Number of End Users that will have Certificates  Decide if Agency will use Local Registration Authority (LRA) function  Step 2: Execute Memorandum of Agreement and send to GPO  Spells out Roles and Responsibilities  Send to: John Hannan at GPO (contact information on last slide)  Step 3: Ensure Agency IT Support staff know about:  A: Entrust Software installation on end user computers  Agencies normally review and certify software for use on Agency computers  B: Firewall Settings Required (see next slide)  Firewall changes may be needed at some Agencies (depends on Agency controls)  C: Help Desk Notification for End User Problems  Decide how Agency End Users will request Help Desk support for PKI problems  Most common model: End Users notify Agency Help Desk (using standard agency procedures)  Agency Help Desk notifies GPO PKI Help Desk, if needed  Step 4: Install Entrust software on end user computers at Agency  Entrust software provided by GPO as part of fee per user  Available for download at URL:  Step 5: Arrange a date and time for End Users to come to GPO for in-person Identity Proofing (federal PKI requirement)  Contact John Hannan at GPO for this

11 11 Example SF-1 Form

12 12 Agency Firewall Settings Required

13 13 Contact Information  Technical  John Hannan, CISSP Chief Information Security Officer U.S. Government Printing Office 202-512-1021  Business  Official Journals of Government office U.S. Government Printing Office 202-512-2100

Download ppt "1 GPO PKI – Getting Started U.S. Government Printing Office May 20, 2011."

Similar presentations

Ads by Google