Is HHS certifiable?

 


The Health and Human Services Department's public-key infrastructure will be the first broad civilian use of digital credentials and one of the first departmentwide uses of a revamped governmentwide e-authentication program.

'We are on the brink of initial implementation and rollout,' said Mark Silverman, the department's PKI program manager. Up to 100,000 users will receive certificates over the next three or four years, he said.

Through a $4.54 million deal under the General Services Administration's Access Certificates for Electronic Services program, Digital Signature Trust Co. of Salt Lake City by April will begin issuing digital certificates to all HHS staff for authentication, digital signatures and encryption.

In the first phase, the program office is identifying people who will use one or more of six PKI-enabled applications.

Not all will be government employees. HHS staff also includes contractors, public health personnel, researchers and even some volunteers, said Silverman, who is also deputy CIO for the National Institutes of Health. But the primary use will be for internal HHS applications, plus some government-to-government and government-to-business transactions.

Although HHS works with the drug industry, research institutions, health care organizations and the general public, 'we don't want to issue digital certificates to the whole world,' Silverman said.

But such use was the original purpose of the ACES contract, said Keren Cummins, Digital Signature Trust's vice president of government sales.

'The contract was first conceived to provide certificates to the public and to businesses,' Cummins said. 'The focus was on constituents, not the agencies.'

Over time, the demand for employee certificates grew, as agencies decided not to get into the business of supplying certificates to constituents. A federal employee certificate profile was added to the ACES contract in January.

'This is the first time the focus has been on the federal employee,' Cummins said of the HHS program.

Her company will issue and manage the X.509 Version 3 certificates. SRA International Inc. of Fairfax, Va., is integrating the certificates with the department's PKI-enabled applications.

Each digitally signed certificate will store the user's identifying information and separate private keys for digital signatures and encryption, and will provide a link to Digital Signature Trust's issuing policy.

Because of the level of security required, users must be verified in person before they can download their software certificates to their hard drives.

'My project is not ready to issue them en masse on hardware tokens,' Silverman said.

To minimize the issuing agent's face time, the first users will register online and print out a bar-coded form that links to existing directory listings. That will speed up registration and reduce the chances of forgery and mistakes from retyping, Silverman said.

It would make sense eventually to issue the certificates along with HHS badges, which also require a face-to-face encounter, Silverman said. 'But it's not going to be like that on Day 1.' Digital Signature Trust will handle the certificate registration as part of its contract.

The initial PKI applications include three that will accept digital signatures on external Web documents in compliance with the Government Paperwork Elimination Act, and three others for credential authentication, workflow routing and validation of research protocols.

'This is not intended to be a pilot,' Silverman said. 'The applications are fully operational, but the uses are limited enough that we can do' the first phase.

Although digital certificates give better security than passwords and personal identification numbers, they bring the highest return when replacing paper forms, Cummins said.

'You could not justify the expense of issuing certificates just to replace a PIN and password system,' she said. But when the number of certificates reaches a critical mass, their use becomes economical for authentication in existing systems, she said. HHS will be a laboratory for that progression.

The HHS infrastructure will accept certificates issued by other organizations through the federal E-Authentication architecture, said Peter Alterman, assistant CIO for e-authentication at NIH.

'The HHS PKI is the first agency infrastructure that is following right down the groove what the Office of Management and Budget is trying to do' with e-authentication, Alterman said. He is HHS' representative to the E-Authentication Executive Steering Committee and the Federal Identity Coordinating Committee.

'E-Authentication is in flux right now,' Alterman said. What was called the E-Authentication Gateway is undergoing a makeover.

Revised plans for a more distributed authentication system will come out next month, he said.

In the meantime, the HHS infrastructure will work with the Federal Bridge Certification Authority, the sole operational e-authentication element. Using a Certificate Authorization Module, HHS connects to the federal bridge to OK certificates issued by other trusted authorities that are cross-certified with the bridge.

'We have had our version of CAM 4.0 up and running' at NIH for a year, Alterman said. It has received and validated digitally signed documents from four universities in the Higher Education Bridge Certification Authority, which is cross-certified with the federal bridge.

As the rest of the E-Authentication architecture develops, 'HHS is ready to link up with every piece of it,' Alterman said.

'This is not intended to be a pilot,' HHS' Mark Silverman says. 'The applications are fully operational.'

Henrik G. de Gyor

Department keyed up to make the leap to widespread e-authentication

Face to face first

Coming and going








