Is HHS certifiable?

The Health and Human Services Department's public-key infrastructure will be the first broad civilian use of digital credentials and one of the first departmentwide uses of a revamped governmentwide e-authentication program.'We are on the brink of initial implementation and rollout,' said Mark Silverman, the department's PKI program manager. Up to 100,000 users will receive certificates over the next three or four years, he said.Through a $4.54 million deal under the General Services Administration's Access Certificates for Electronic Services program, Digital Signature Trust Co. of Salt Lake City by April will begin issuing digital certificates to all HHS staff for authentication, digital signatures and encryption.In the first phase, the program office is identifying people who will use one or more of six PKI-enabled applications.Not all will be government employees. HHS staff also includes contractors, public health personnel, researchers and even some volunteers, said Silverman, who is also deputy CIO for the National Institutes of Health. But the primary use will be for internal HHS applications, plus some government-to-government and government-to-business transactions.Although HHS works with the drug industry, research institutions, health care organizations and the general public, 'we don't want to issue digital certificates to the whole world,' Silverman said.But such use was the original purpose of the ACES contract, said Keren Cummins, Digital Signature Trust's vice president of government sales.'The contract was first conceived to provide certificates to the public and to businesses,' Cummins said. 'The focus was on constituents, not the agencies.'Over time, the demand for employee certificates grew, as agencies decided not to get into the business of supplying certificates to constituents. A federal employee certificate profile was added to the ACES contract in January.'This is the first time the focus has been on the federal employee,' Cummins said of the HHS program.Her company will issue and manage the X.509 Version 3 certificates. SRA International Inc. of Fairfax, Va., is integrating the certificates with the department's PKI-enabled applications.Each digitally signed certificate will store the user's identifying information, separate private keys for digital signatures and encryption, and provide a link to Digital Signature Trust's issuing policy.Because of the level of security required, users must be verified in person before they can download their software certificates to their hard drives.'My project is not ready to issue them en masse on hardware tokens,' Silverman said.To minimize the issuing agent's face time, the first users will register online and print out a bar-coded form that links to existing directory listings. That will speed up registration and reduce the chances of forgery and mistakes from retyping, Silverman said.It would make sense eventually to issue the certificates along with HHS badges, which also require a face-to-face encounter, Silverman said. 'But it's not going to be like that on Day 1.' Digital Signature Trust will handle the certificate registration as part of its contract.The initial PKI applications include three that will accept digital signatures on external Web documents in compliance with the Government Paperwork Elimination Act, and three others for credential authentication, workflow routing and validation of research protocols.'This is not intended to be a pilot,' Silverman said. 'The applications are fully operational, but the uses are limited enough that we can do' the first phase.Although digital certificates give better security than passwords and personal identification numbers, they bring the highest return when replacing paper forms, Cummins said.'You could not justify the expense of issuing certificates just to replace a PIN and password system,' she said. But when the number of certificates reaches a critical mass, their use becomes economical for authentication in existing systems, she said. HHS will be a laboratory for that progression.The HHS infrastructure will accept certificates issued by other organizations through the federal E-Authentication architecture, said Peter Alterman, assistant CIO for e-authentication at NIH.'The HHS PKI is the first agency infrastructure that is following right down the groove what the Office of Management and Budget is trying to do' with e-authentication, Alterman said. He is HHS' representative to the E-Authentication Executive Steering Committee and the Federal Identity Coordinating Committee.'E-Authentication is in flux right now,' Alterman said. What was called the E-Authentication Gateway is undergoing a makeover.Revised plans for a more distributed authentication system will come out next month, he said.In the meantime, the HHS infrastructure will work with the Federal Bridge Certification Authority, the sole operational e-authentication element. Using a Certificate Authorization Module, HHS connects to the federal bridge to OK certificates issued by other trusted authorities that are cross-certified with the bridge.'We have had our version of CAM 4.0 up and running' at NIH for a year, Alterman said. It has received and validated digitally signed documents from four universities in the Higher Education Bridge Certification Authority, which is cross-certified with the federal bridge.As the rest of the E-Authentication architecture develops, 'HHS is ready to link up with every piece of it,' Alterman said.