Federal PKI Governance and Compliance Audit Information
This page contains information to help Federal Public Key Infrastructure (FPKI) program managers and auditors.
- It includes the FPKI policies and profiles as well as the FPKI annual review schedule.
- It can help auditors assess certification authorities (CAs) operated as part of the FPKI.
- It can help the general public understand how the FPKI Management Authority (FPKIMA) provides trusted PKI and CA operations.
For any questions, please contact fpki@gsa.gov.
Federal PKI Policies and Profiles
The Federal Public Key Infrastructure (FPKI) provides the government with a trust framework and infrastructure to administer digital certificates and public-private key pairs. For more information on the FPKI, PIV, and PIV-I visit the following links:
The FPKI Policy Authority (FPKIPA) maintains three certificate policies (the Common Policy Framework, the Federal Bridge Certification Authority Certificate Policy, and the Federal Public Trust TLS Certificate Policy). All cross-certified CA certificate policies are mapped to the Federal Bridge certificate policy.
| Federal PKI Policy | Policy Name | Profile | Change Proposals |
|---|---|---|---|
| Federal Common Policy | X.509 Certificate Policy for the U.S. FPKI Common Policy Framework v2.8 | Common Policy X.509 Certificate and CRL Profiles v2.2 | Common Change Proposals |
| Federal Bridge | X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) v3.5 and PIV-I for Federal Agencies |
Federal Bridge Certification Authority (FBCA) X.509 Certificate and CRL Extensions Profile v2.0 | Bridge Change Proposals |
| Federal Public Trust TLS | U.S. Federal Public Trust TLS PKI Certificate Policy v1.1 | Profiles are included in Section 7 of the Policy | No change proposals |
The FPKI has the following supplementary guidance:
- CPWG Cloud PKI Tiger Team Report (PDF, October 2024) – A final report including a summary and equivalent controls guidance as developed by the CPWG PKI in the Cloud Tiger Team. This docment includes the history of the Cloud PKI Tiger Team and provides equivalent control guidance to define cloud PKI design characteristics that meet the intent of FPKI policies.
- Security Controls Overlay of NIST Special Publication 800-53 Revision 5 Security Controls for FPKI Systems (PDF, February 2021) – The application of NIST Special Publication (SP) 800-53 security controls is required to operate a CA that is used in the FPKI and contains federal data. Review the controls overlay document to understand the requirements and details of each applicable control.
- FBCA: Cross-Certification Evaluation Framework v5.0 (PDF, September 2024) - This document provides a general framework for conducting FPKI cross-certification. This framework includes pre-conditions for being considered as an applicant, the cross-certification process, maintenance of the cross-certified status, and circumstances for terminating the cross-certification relationship.
- Registration Authority Agreement Template v1.0 (Word, April 2017) - The purpose of this document is to identify and explain the roles and responsibilities of an enrollment/registration agent under the Federal PKI COMMON Policy Framework.
- FPKI Incident Management Plan (PDF, September 2020) - This document provides guidance on the roles and responsibilities applicable to the FPKI Policy Authority (FPKIPA), FPKI Management Authority (FPKIMA), and FPKI affiliates in the event of an incident.
- Archived copies of Certificate Policies, Profiles, and other FPKI-related documents - This page contains three years of FPKI-related documents.
- FPKI Key Recovery Policy (PDF, Subsumed, October 2017) - for reference only, original consolidated key recovery policy. All requirements and controls have been mapped and subsumed into other FPKI Certificate Policy documents.
Annual Review Requirements for All Certification Authorities
Independent compliance audits are the primary way that the Federal Public Key Infrastructure Policy Authority (FPKIPA) ensures that entities participating in the FPKI comply with the requirements identified in the appropriate Certificate Policies (CPs). Audits are an important component of the Annual Review Requirements.
Audits are required annually for supporting functions and elements of each entity. Annual review packages should be submitted to fpki@gsa.gov.
- FPKI Annual Review Requirements (PDF, September 2024) – This document includes requirements for performing and reporting annual compliance audits.
- RA Audit Guidance Memorandum (PDF, October 2022 – This FPKIPA Memorandum reiterates the necessity of RA audits in supporting PKI operations, normalizes differing terminology used across various references, and provides options for reducing potential duplication of RA audit efforts, as applicable to PIV issuers.
- Annual PIV and PIV-I Credential Issuer (PCI) Test Report: This test report supports the FPKI Annual Reviews and can be done either in person at the GSA FIPS 201 lab or remotely by the package submitter. Further details related to the Annual PCI Testing are located here.
- Non-Compliance Management Framework For The Federal Public Key Infrastructure (FPKI) (PDF, January 2016) - This document provides guidance for the FPKI Policy Authority (FPKIPA) for responding to situations in which an FPKI FBCA member is not meeting their Memorandum of Agreement (MOA) requirements and obligations.
Annual Review Schedule
| Entity | Type | Annual Review Package Due Date |
|---|---|---|
| CertiPath | Bridge | June 30 |
| DigiCert (ECPS) | Affiliate PKI | July 31 |
| DigiCert (Formerly Symantec Non-Federal Issuer [NFI]) | Affiliate PKI | July 31 |
| DigiCert (Formerly Symantec Shared Service Provider [SSP]) | SSP | July 31 |
| Department of Defense (DoD) | Affiliate PKI | November 30 |
| Department of State (DOS) | Affiliate PKI | October 31 |
| Department of the Treasury | SSP | July 31 |
| Entrust NFI | Affiliate PKI | November 30 |
| Entrust Federal SSP | SSP | November 30 |
| Exostar | Affiliate PKI | June 30 |
| IdenTrust NFI | Affiliate PKI | August 31 |
| Patent and Trademark Office (PTO) | Affiliate PKI | October 31 |
| SAFE Identity | Bridge | June 30 |
| Southwest Texas Regional Advisory Council (STRAC) | Bridge | November 30 |
| Transglobal Secure Collaboration Program (TSCP) | Bridge | July 31 |
| Verizon SSP | SSP | August 31 |
| WidePoint NFI | Affiliate PKI | May 31 |
| WidePoint SSP | SSP | May 31 |
Compliance Test Tools for Annual Reviews
The FPKI Program supports three remote PIV, PIV-I, and digital certificate test tools to support FPKI annual reviews as listed below:
- The Card Conformance Tool (CCT) is a GSA managed, Java tool hosted on GitHub that can verify that a Personal Identity Verification (PIV) or PIV-Interoperable (PIV-I) conforms to the PIV data model.
- The Certificate Profile Conformance Tool (CPCT) is a self-hosted application that analyzes public X.509 certificates for conformance to a specified FPKI profile.
- The KSJavaAPI is Java API hosted on GitHub and used to leverage that the information stored in the PIV/ PIV-I applets conform to NIST SP 800-73.
To request the annual testing report for PIV/PIV-I cards, fill out the Annual PIV Credential Issuer (PCI) Testing Application Form (PDF, February 2020) and send it with Compliance Test Tool outputs and testing artifacts (for remote testing) to fips201ep@gsa.gov.
Submitting a Test Results Package
If you are running the Card Conformance Tool as part of the annual requirement to undergo PIV/PIV-I testing, you must email the artifacts listed below to fips201ep@gsa.gov.
- A completed testing application for each PCI configuration evaluated (See Section 1 of the application for more information).
- All accompanying Card Conformance Tool Log files, these reside in the same directory as the extracted package after the tests have been run:
- logs (directory)
- piv-artifacts (directory)
- x509-artifacts (directory)
- x509-certs (directory)
- the test database used for the evaluation (e.g., PIV_Production_Cards.db)
- The card’s Answer-to-Rest value presented within the “Reader Status” text box (e.g., 3bd6970081b1fe451f078031c1521118f9), which is displayed on the CCT landing page provided a card is available to the test system.
- A report (PDF or XLSX) for each certificate found on the card (use the Certificate Profile Conformance Tool (web application) to generate the reports.
- High-resolution card photos of the front and back of each card tested.
Helpful Hint
Collecting all accompanying Card Conformance Tool Log files is most easily achieved by zipping the fips201-card-conformance-tool-[Release-Version]-[Release-Date] directory; this is the same directory where you had extracted the tool.
Note
Failure to submit a complete CCT Package may delay review of your testing results and completion of your annual FPKI PIV/PIV-I testing requirement.
Audit Information for the FPKI Management Authority
This section contains information on audits performed on the Federal Common Policy Certification Authority and the Federal Bridge Certification Authority.
- The Federal Common Policy Certification Authority (FCPCA) operates in compliance with the Federal Common Certificate Policy.
- The Federal Bridge Certificate Authority (FBCA) operates in compliance with the Federal Bridge Certificate Policy.
The FPKIMA Certification Practice Statement (CPS) documents the operational practices required to ensure trusted operations. Additional compliance audit information for the FPKI Trust Infrastructure Systems is also provided below.
- U.S. FPKI Certification Practice Statement (PDF, November 2023) – Version 6.4
- U.S. FPKI Audit Letter of Compliance (PDF, August 2024) – Results of the August 2023-August 2024 Compliance Audit for the FPKI Trust Infrastructure Systems.
- FPKI Trust Infrastructure “HTTP.FPKI.Gov” URL Site Map (PDF, September 2022)
Report an Incident
FPKI affiliates include federal agencies and commercial service providers operating a certification authority certified by the Federal PKI Policy Authority. FPKI affiliate responsibilities related to the incident management process include:
- Communicating security incidents involving infrastructures or services to the FPKI Authorities, users/customers, and known relying parties.
- Providing additional investigation support and/or information about incidents to the FPKI Authorities as they become known, and
- Conducting remediation activities once an incident is confirmed.
To report a security incident, such as a key compromise, data breach, or other fraud waste or abuse regarding FPKI CAs or certificates, please contact both fpki@gsa.gov and fpki-help@gsa.gov, and include any relevant known information on the incident up to that point. Further information will be requested from the affiliate per the FPKI Incident Management Plan.
Federal PKI Document Archive
A Federal PKI document may be needed for three years for compliance review purposes. This pages contains three years of FPKI documents, including:
- Certificate Policies
- Certificate Profiles
- Supplementary Guidance
- Change Proposals
A blank category indicates no updates in the previous three years. If you seek a document that is older than three years or is not listed here, please contact fpki@gsa.gov or look in the archived document repository on github.
