Public Key Infrastructure (PKI) Hosting Services
What is PKI? A combination of people, policies, procedures and technologies that collectively provide a high degree of trust in: People: The individuals who govern, manage, and use PKI services Policies: Just as laws affect the way we conduct ourselves in our daily lives, policies affect the way a PKI is governed, maintained and used. Procedures: In order to maximize the benefits of PKI technology, special procedures must be followed by the people who administer and use its services. Technologies: Trust in PKI is asserted through the issuance and use of digital certificates - objects created by highly secure systems known as Certification Authorities (CAs).
What’s it do? Authentication: Digital certificates can provide a strong means of identifying the bearer when access to an online resource is requested. Confidentiality: Digital certificates can be used to encrypt information, either at rest or in motion, to prevent interception by an unauthorized party. Integrity: PKI makes use of mathematical algorithms to enable the user to apply digital signatures to data.. Non-Repudiation: Just as digital signatures can strengthen integrity, they can also be leveraged to prevent data users from claiming (repudiating) that they weren't party to a transaction.
Why do I need it? Homeland Security Presidential Directive #12 (HSPD-12): This mandate requires universal deployment of PKI certificates throughout every agency as part of establishing a standard means of identifying Government personnel. E-Authentication: OMB memorandum M-04-04: E-Authentication Guidance for Federal Agencies requires the use of digital certificates in systems evaluated at higher levels of risk. Government Information Protection: OMB M-06-16: Protection of Sensitive Agency Information enforces encryption of sensitive agency data on mobile Government devices, as well as multi-factor authentication to sensitive agency resources. Government Paperwork Elimination Act (GPEA) and Electronic Signatures in National Commerce Act (ESIGN): ESIGN legislation identifies PKI-based digital signatures to be as legally significant as their inked counterparts, thus enabling significant progress toward GPEA goals.
Why ARC? OMB M-05-05: Electronic Signatures: How to Mitigate the Risk of Commercial Managed Services directs Government organizations to employ Shared Service Providers when using PKI technology. In July 2006 Treasury was certified as a Shared Service Provider under the GSA-managed FIPS 201 Evaluation Program. ARC serves as Treasury’s PKI Operational Authority, providing PKI solution design, hosting, operations, and maintenance, to Treasury, NASA, SSA, and DHS – over 400,000 Federal employees and contractors.
What do I get? Managed Services: A fully-managed PKI infrastructure housed in our Government-owned and operated data center. Six of our seven hosted PKI environments received unqualified opinions following a grueling triennial compliance audit (the seventh isn’t due until 2010). Oversight and Governance: Treasury’s PKI Policy Management Authority provides continuity with Federal Common Policy and ensures your PKI is fully compliant. Experience: ARC’s PKI services are delivered by a team whose expertise dates back to 1997, designing and delivering one of government’s earliest PKI initiatives. This level of experience allows us to integrate our back-office operations with your client-side and system-level requirements. Cost-effectiveness: Our long experience and robust hosting environment allow us to quickly deploy solutions using shared enterprise infrastructure to reduce your direct costs. Further, our strict focus on back-office activities enables a standardized, compliant solution, reducing engineering and implementation costs.
Where’s the program heading? User Self-service: We’ve just implemented a self-service pilot for Treasury’s external business partners. By the summer of 2009, we expect to offer this service to all our SSP customers. End-user administration is a significant component of PKI’s TCO, self- service is a way to reduce that cost. Operational and Financial Improvements: We continually evaluate our products and processes to ensure we’re providing the best value to the government. Increased use of automation for monitoring and compliance checking, virtualization (esp. of non- production services), and the use of shared Enterprise services wherever possible, are examples of ways in which we’re improving service and controlling costs. Further, we’re refreshing a significant amount of PKI and cryptographic hardware in PACS/LACS: Public Debt is moving towards the use of our PIV credentials for system access. The lessons learned from this project will allow us to help our customers reach the same goal.
How do I start? Gather your requirements and constraints: Number of potential subscribers Existing PKI solution (if any) Desired usage of PKI (PIV, S/MIME, etc.) Implementation constraints (time, budget, technology, etc.) Contact: Michelle Yanok