GAO Faults 'Inconsistent' Online Security ProgramsGAO Faults 'Inconsistent' Online Security Programs

The federal government has spent about $1 billion on 89 public key infrastructure programs among 20 major agencies in recent years, but the results of those programs are mixed, according to a report issued by the General Accounting Office.

PKI is a secure method for exchanging information within an organization, within an industry, nationwide, or worldwide.

Implementing PKI poses a major challenge for agencies, Linda Koontz, GAO's director of information management issues, wrote in a letter to Reps. Tom Davis and Adam Putnam, who chair House panels with oversight on governmental IT use. The letter was dated Dec. 15, but released Thursday.

GAO, the investigative arm of Congress, identified four major challenges:

• Policy and guidance. Both are lacking or ill-defined in a number of areas, including technical standards and legal issues.

• Funding. Besides the high costs associated with the technology, cost models are lacking, making accurate budgeting more difficult. In addition, costs are increased when systems must be designed to accommodate the uncertainty associated with undefined standards.

• Interoperability. Integrating PKI systems with others such as network, security, and operating systems often requires significant changes or even replacement of systems.

• Training and administration. Training is required for personnel to use and manage public key infrastructure, and basic PKI requirements and processes impose significant administrative burdens.

Still, the GAO notes, the governmentwide Federal Bridge Certification Authority and Access Certificates for Electronic Services programs continue to promote the adoption and implementation of PKI, though the results of these programs have been inconsistent. The level of participation in the certification authority, which provides a way to link independent agency public key infrastructures into a broader network, is the same as in 2001, the last time the GAO examined the matter. Only four agencies are certified to operate through the network. Additional agencies plan to participate in the future, as well as nonfederal organizations, such as the state of Illinois, the Canadian government, and educational consortiums, GAO says.

Similarly, the agency says, the electronic-services program, which offers agencies various PKI services through the General Services Administration, has garnered lower-than-expected participation among federal agencies. GSA plans to revise the pricing structure associated with the electronic-services program to improve participation levels.