Gateway opens another door for cross-agency authentication
Connecting state and local government leaders
The Federal e-Authentication Gateway has been cleared for government operation. <br>
SAN FRANCISCO'The Federal e-Authentication Gateway has been cleared for government operation.
"I have authorization to operate in a live environment," Stephen Timchak, e-Authentication project manager for the General Services Administration, announced at the RSA 2003 Conference.
The gateway is a tool that will provide a common way to authenticate users of e-government applications. It is being created to support the 24 other e-government initiatives identified under the President's Management Agenda, so that each agency does not have to develop its own authentication application.
"All of these require authentication of the user," said Tice DeYoung, NASA's project leader for the e-Authentication Gateway architecture project. "We think if we support the 24 initiatives, we have taken a large step toward supporting much broader electronic government."
Timchak said certification and accreditation for the gateway, required for all federal IT systems, was completed last week. He expects the gateway to begin full production services by early next year. The Office of Management and Budget is expected to issue policy for four levels of authentication assurance soon. This will be used to establish trust standards for credential issuers. Each credential will be mapped to one of the assurance levels, and e-government applications will decide which level of assurance it will require from users. A list of trusted credentials will be maintained on the gateway, which is hosted by Mitretek Systems Inc. of Falls Church, Va.
The e-Authentication Gateway is separate from the Federal Bridge Certification Authority, which provides cross-certification of certificates for public-key infrastructures. Authentication for PKI will be a subset of the e-Authentication Gateway's work. GSA's Judith Spencer, chief of the Federal PKI Steering Committee, said the Federal Bridge will provide a validation path for the gateway for certificates at the higher levels of assurance.
Authentication'verifying the identity of someone using electronic services'is the key to enabling e-government services. Before transactions can take place over the Internet, citizens, companies, agencies and organizations must be sure of whom they are dealing with. This lack of assurance foiled the Social Security Administration's efforts in 1997 to make its Personal Earnings and Benefits Statements available online.
"We have had limited success with electronic services" since PEBES was taken offline in April 1997, said Kent Weitkamp, senior analyst in SSA's office of electronic services.
Users who access an e-government application will be redirected to the gateway for authentication, said Monette Respress, senior engineer for Mitretek. The company is testing four gateway architectures supporting different protocols and technologies.
"We always envisioned that 'single gateway' is a virtual term, not a physical one," Respress said. "We have brought in multiple architectures and multiple protocols" that will interoperate.
The Federal Bridge, which is now operating with NASA, the Agriculture Department's National Finance Center and the departments of Defense and Treasury, expects to add its first nonfederal entities in the coming months. Illinois has nearly completed the cross-certification process and the Canadian government is in the process, Spencer said. "I believe by midsummer we will be able to announce we have cross-certified both of these organizations," she said.
Spencer said the PKI Steering Committee this year is funding agency development of PKI-enabled and Federal Bride-aware applications. She said projects have been funded at NFC, Defense, GSA and the Health and Human Services Department.