United States General Accounting Office GAO Report to the Committee on Government Reform and the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House of Representatives September 2003 ELECTRONIC GOVERNMENT Planned e-Authentication Gateway Faces Formidable Development Challenges GAO-03-952 a September 2003 ELECTRONIC GOVERNMENT Planned e-Authentication Gateway Faces Highlights of GAO-03-952, a report to the Formidable Development Challenges Committee on Government Reform and the Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census, House of Representatives For on-line government services Although the original goal was for the e-Authentication gateway to be that involve sensitive information, operational by September 2003, GSA has achieved few of its project such as financial or personal objectives and recently extended the milestone for completing a fully information, it is important to be operational system to March 2004. GSA has completed several important able to confirm the identity of tasks, such as issuing a request for information and fielding a demonstration potential users. This confirmation process, known as authentication, prototype of the gateway. However, other essential activities, such as is crucial for security and user developing authentication profiles—requirements summaries that address confidence. The General Services the needs of the other 24 OMB e-government initiatives—have not yet been Administration (GSA) is developing fully addressed. Further, to meet the new milestone, GSA plans to compress an “e-Authentication gateway,” the acquisition process for the operational gateway by awarding a contract which is to provide a consolidated by December 2003 for delivery of an operational gateway by March 2004. electronic authentication service to This accelerated schedule may be difficult to achieve. The modest progress support the e-government achieved to date calls into question the likelihood that the project can initiatives sponsored by the Office successfully field an operational gateway, even within the revised schedule. of Management and Budget (OMB). The figure depicts schematically The challenges facing the e-Authentication gateway project make it difficult how the gateway process would work. GAO was asked to (1) assess for GSA to achieve the kind of rapid results envisioned for the initiative. For GSA’s progress in implementing the example, procedures and guidance have not yet been completed defining the proposed initiative and (2) identify specific technologies to support different authentication requirements. In the challenges associated with addition, technical standards have not yet been agreed upon to provide a implementing the gateway. basis for ensuring interoperability among different authentication products and systems. Further, GSA has not taken full measures to ensure that the gateway system is adequately secured and that privacy information is adequately protected. Addressing these and other challenges is essential to GAO recommends that the the successful deployment of a gateway that can effectively support the Administrator of GSA, in conjunction with OMB, take steps authentication requirements of OMB’s e-government initiatives. to ensure that e-Authentication gateway implementation challenges Overview of e-Authentication Gateway Process are fully addressed, including, among other things, revising the schedule for deploying a fully operational version of the gateway and working to define key technical interfaces to promote interoperability with commercial products. In commenting on a draft of this report, agency officials requested that we include updated information, which has been incorporated in this report. www.gao.gov/cgi-bin/getrpt?GAO-03-952. To view the full product, including the scope and methodology, click on the link above. For more information, contact Linda Koontz at (202) 512-6240 or firstname.lastname@example.org. Contents Letter 1 Results in Brief 2 Background 4 Objectives, Scope, and Methodology 10 Important Objectives and Milestones Have Not Been Fully Met 11 Formidable Challenges Hinder Speedy Deployment of an Operational Gateway 15 Conclusions 24 Recommendations for Executive Action 24 Agency Comments and Our Evaluation 25 Appendixes Appendix I: Comments from the General Services Administration 27 Appendix II: Comments from the Department of Commerce 29 Glossary 32 Figure Figure 1: Using the e-Authentication Gateway 9 Abbreviations API application-programming interface CIO chief information officer e-RA e-Authentication requirements and risk analysis ECP electronic credential provider FBCA Federal Bridge Certification Authority GPEA Government Paperwork Elimination Act GSA General Services Administration MOU memorandum of understanding NIST National Institute of Standards and Technology OMB Office of Management and Budget PIN personal identification number PKI public-key infrastructure RFI request for information RFP request for proposal Page i GAO-03-952 e-Authentication Initiative Contents This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Page ii GAO-03-952 e-Authentication Initiative A United States General Accounting Office Washington, D.C. 20548 September 12, 2003 The Honorable Tom Davis Chairman, Committee on Government Reform House of Representatives The Honorable Adam H. Putnam Chairman, Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census Committee on Government Reform House of Representatives Many government services depend on transactions that exchange sensitive information, such as financial or personal information. As the federal government strives to deliver more services on-line, it increases the need to safeguard electronic transactions involving such information. Both the electronic system and the user need assurance that the user’s identity can be confirmed: the system needs to know that the user is authorized to exchange the information, which in turn allows the user to have some confidence that the system will not release sensitive information to unauthorized users. This confirmation of user identity is known as authentication. Systems perform authentication by examining electronic credentials1 provided by users and determining their trustworthiness. Such credentials can be generated through a variety of technologies and provide differing levels of assurance, depending on the type of technology used and whether the system is properly implemented and maintained. Establishing an on- line environment of systems with the capability to verify a wide range of credentials is essential to maintaining public confidence in the government’s ability to conduct business over the Internet and protect confidential information from unauthorized access. 1 Electronic credentials are the electronic equivalent of traditional paper-based credentials— documents that vouch for an individual’s identity. Page 1 GAO-03-952 e-Authentication Initiative This report responds to your request that we assess the progress of the General Services Administration (GSA) in implementing its e-Authentication initiative and the challenges associated with developing the e-Authentication gateway, which is the centerpiece of the initiative. The e-Authentication gateway is being developed to provide a consolidated electronic authentication service to support 24 major electronic government (e-government)2 initiatives sponsored by the Office of Management and Budget (OMB). All these initiatives, including e-Authentication, were originally chosen by OMB in part because of the likelihood of their being deployed within 18 to 24 months. In this regard, we agreed to (1) assess GSA’s progress in implementing the proposed initiative and (2) identify the challenges associated with implementing the gateway. Results in Brief OMB originally set a goal for the e-Authentication gateway to be operational by September 2003, but GSA has thus far achieved few of its project objectives, and OMB recently extended the milestone for completing a fully operational system to March 2004. While important tasks—such as issuing a request for information (RFI) and fielding a demonstration prototype of the gateway—were completed, other activities essential to the successful deployment of an operational gateway, such as establishing authentication profiles for the 24 e-government initiatives, have not yet been fully addressed. Further, to meet the new milestone, GSA plans to compress the acquisition process for the operational gateway by awarding a contract by December 2003 for delivery of an operational gateway by March 2004. This accelerated schedule may be difficult to achieve. Fielding a fully operational gateway without a full consideration of technical options increases the risk that the gateway will not work as intended, support user requirements, or receive financial support from partner agencies. The modest progress achieved to date calls into question the likelihood that the project can successfully field an operational gateway, even within the revised schedule. While the gateway has the potential to provide multiple benefits to the other 24 e-government initiatives and the public, several formidable challenges will make it difficult for GSA to achieve the kind of rapid results 2 E-government refers to the use of technology, particularly Web-based Internet applications, to enhance the access to and delivery of government information and services to citizens, business partners, employees, and other entities. Page 2 GAO-03-952 e-Authentication Initiative envisioned by OMB for the initiative. These challenges include the following: • Establishing comprehensive policies and guidance. Comprehensive policies and procedures to promote consistency and interoperability among disparate authentication systems operating across the federal government have not yet been completed, making it difficult for federal agencies developing the 24 e-government initiatives to make decisions on what types of authentication technologies and systems to implement. • Defining user authentication requirements. User requirements have not yet been fully defined, and as of August 2003, assessments had been conducted for 12 of the 24 e-government initiatives to determine their authentication needs and appropriate assurance levels. GSA has not been considering the results of these risk assessments in designing the gateway. • Achieving interoperability3 among available authentication products. Technical standards have not yet been agreed upon to provide a basis for ensuring interoperability among different authentication products and systems. • Fully addressing funding, security, and privacy issues. GSA has not developed an effective investment strategy to support full-scale development of the gateway or taken full measures to ensure that the gateway system is adequately secured and that privacy information is adequately protected. Addressing these challenges is essential to the successful deployment of a gateway that can effectively support the authentication requirements of the 24 e-government initiatives. In light of these challenges, we are making recommendations to the Administrator of GSA aimed at improving planning and systems development activities now under way and at coordinating activities with other federal agencies to better ensure that the gateway provides robust support for multiple authentication requirements based on a range of commercial products. We also are making recommendations that OMB work with GSA, in conjunction with the National Institute of Standards and Technology (NIST) and the federal 3 Interoperability is the ability of two or more systems or components to exchange information and to use the information that has been exchanged. Page 3 GAO-03-952 e-Authentication Initiative Chief Information Officers (CIO) Council, to expand and improve e-Authentication policies and guidance to meet the needs of an operational gateway. We received written comments on a draft of this report from the Administrator of GSA and from the Secretary of Commerce. We also received oral comments from staff of OMB’s Office of General Counsel. GSA generally agreed with our discussion of the challenges hindering speedy deployment of the e-Authentication gateway, as well as our recommendations aimed at addressing these challenges. The agency requested that we include more information on recent developments, which we have incorporated in this report. OMB staff said the agency agreed with GSA’s comments. NIST officials generally agreed with the content of information and recommendations in the draft report and requested that we update information on recently drafted authentication guidance. We updated this report accordingly. Background To deliver complete on-line services to citizens, business partners, employees, and other entities, the government needs to authenticate the identity of users who wish to conduct transactions involving sensitive information, such as financial or personal information. A variety of authentication technologies are in use, providing differing levels of assurance, depending on the type of technology and whether the system is properly implemented and maintained. Establishing an electronic gateway with the capability to verify a wide range of credentials is a critical element in the federal government’s strategy for maintaining public confidence in the conduct of public business over the Internet and protecting confidential information from unauthorized access. It is also consistent with the government’s effort to integrate information technology investments across agencies and to streamline services. A Variety of Techniques Are The electronic authentication process can involve a range of different Used to Perform technologies and electronic credentials, each with varying strengths and weaknesses in ensuring that parties are who they claim to be when Authentication conducting electronic transactions. The types of identifying factors used by these different technologies can generally be grouped into three basic categories: (1) “something you know,” such as a password; (2) “something you have,” such as a smart card or other token; and (3) “something you are,” including biometric identifiers such as fingerprints or retina scans. Page 4 GAO-03-952 e-Authentication Initiative • Something you know: An authentication process based on “something you know” relies on information known by both the user and the system—a “shared secret”—and offers some advantages and disadvantages. The most common types of shared secrets are passwords and personal identification numbers (PIN), which are used by systems to confirm the identity of individuals accessing computers. Users wishing to access such a system are required to enter a password when they first turn on and log into the system, confirming the shared secret. Systems that support password-based authentication processes are relatively easy to implement, because they do not require external products or specialized devices. However, they provide only relatively limited confidence in the identity of users, because users often share their secret codes with others or select common phrases and dates that others can easily identify or guess. • Something you have: An authentication system based on “something you have” relies on physical devices—such as smart cards or other physical tokens—or tamper-resistant electronic credentials, such as digital certificates. Physical devices are encoded with information that can verify the identity of the device’s owner. To initiate the authentication process, a user inserts a token or smart card into an electronic reader, and the system verifies information stored on the device. Electronic credentials, such as digital certificates, can be either stored on a smart card or token and accessed through a reader or stored in a user’s computer. Digital certificates are small electronic files containing identifying information that is encrypted to be tamper- resistant. Public-key infrastructure (PKI) is a prominent security technology that makes use of digital certificates for authentication and may also involve the use of a physical device or token.4 4 A PKI is a system of hardware, software, policies, and people that can provide a set of information assurances, including authentication, that are important in conducting electronic transactions. For more information on PKI, see U.S. General Accounting Office, Information Security: Advances and Remaining Challenges to Adoption of Public Key Infrastructure Technology, GAO-01-277 (Washington, D.C.: Feb. 26, 2001). Page 5 GAO-03-952 e-Authentication Initiative • Something you are: Authentication systems based on “something you are” use biometric technologies to capture measurements of personal characteristics—such as fingerprints, hands, or facial features—to authenticate users. Characteristics from individuals are measured and averaged to create unique digital representations of these characteristics, called templates, that are stored centrally in a database or locally in a user’s token, such as a smart card. The user must present the characteristic, such as a finger or hand, to the authentication device to gain access to the system. The device then compares the stored template to the live characteristic of the individual for verification. If the characteristics match, the user is authenticated and allowed to access the system. Biometric technologies have the advantage of not requiring that an individual remember a shared secret or keep track of a physical authentication device, although biometrics are often used in combination with at least one of the other factors.5 The technologies used to exploit these three authentication factors can be combined and implemented in many different ways to provide different levels of assurance. For example, a Web site that requires users to enter a password provides only very limited assurance of the identity of individuals who successfully log on with a correct password. A more sophisticated system that requires users to insert a smart card and also enter a PIN likely will provide a greater level of assurance, because it would be much harder for an imposter to gain access to both the smart card and the PIN required to successfully impersonate a legitimate user. A system requiring users to provide a biometric identifier in addition to a smart card and PIN would arguably offer an even higher level of assurance that users were indeed who they claimed to be.6 5 For more information on biometrics, see U.S. General Accounting Office, Technology Assessment: Using Biometrics for Border Security, GAO-03-174 (Washington, D.C.: Nov. 15, 2002). 6 This discussion assumes that each of these hypothetical systems has been properly implemented and maintained. The level of assurance provided by any specific system is dependent on how well the system has been implemented and maintained. Further, a system’s ability to successfully authenticate a given user does not provide direct assurance that the user’s data are secure and reliable, because the user’s system could have security weaknesses unrelated to user authentication. Page 6 GAO-03-952 e-Authentication Initiative More sophisticated authentication techniques can have some drawbacks. For example, biometric devices tend to be expensive and must be deployed at all locations where users need to access systems. Further, as we reported previously,7 users tend to resist having to present physical characteristics for authentication. As a result, care must be taken to choose an appropriate level of authentication for any given system, based on an examination of the costs of the systems and the risks of information being compromised. Federal government systems can be expected to include a broad range of applications requiring a variety of assurance levels. Gateway Established to In October 2001, the President’s Management Council, working with OMB, Provide Common, endorsed the development of 24 e-government initiatives8 to significantly improve the delivery of services to citizens across government. OMB set a Governmentwide goal for initial capabilities to be achieved for each of the initiatives by Authentication Services September 2003. The objective of the e-Authentication initiative was to provide a centralized gateway to verify the identity of users, based on multiple types of credentials, in support of the other e-government initiatives. By accommodating different and multiple authentication mechanisms—such as passwords, tokens, digital certificates, and biometrics—the gateway was intended to support the different levels of assurance that are likely to be required for conducting personal or financially sensitive government transactions. In October 2001, OMB tasked GSA to be the managing partner for the e-Authentication initiative. As managing partner, GSA was given responsibility for spearheading the e-Authentication initiative, identifying the authentication requirements of the other 24 e-government initiatives, and completing an operational gateway by September 30, 2003. GSA also was tasked with working with NIST, which is responsible for setting technical standards for the federal government, to develop authentication assurance policies and guidelines, as well as with the federal CIO Council on issues related to the Federal Bridge Certification Authority.9 As envisioned, the gateway offers multiple 7 U.S. General Accounting Office, Technology Assessment: Using Biometrics for Border Security, GAO-03-174 (Washington, D.C.: Nov. 15, 2002), p. 68. 8 The OMB-sponsored e-government initiatives now number 25. In 2002, a decision was made to separate the e-Clearance initiative from the Integrated Human Resources initiative, resulting in an increase in the number of initiatives from 24 to 25. 9 The Federal Bridge Certification Authority, which became operational in June 2001, facilitates PKI-based transactions across agencies. Page 7 GAO-03-952 e-Authentication Initiative benefits to citizens and federal agencies conducting on-line transactions, including simplified access to government applications and services and cost savings to agencies through the deployment of common authentication technologies and services. One of the primary goals of the gateway is to promote secure, easy-to-use methods for users to prove their identity to federal agencies and obtain personal or financially sensitive on-line information and services from these agencies. Other goals include establishing uniform standards for accessing government services while protecting against fraud as much as possible and reducing the need to maintain duplicate credentials and user registration information for multiple government applications and services. In support of these goals, the gateway is to provide what is known as “single sign-on” capability: that is, using one authentication method to verify the identity of a user while granting access to multiple applications and services. Providing single sign-on capability simplifies the authentication process by using the same identification method to verify the identity of users from application to application. Further, the intention is to extend this benefit beyond the 24 e-government initiatives: although the gateway was established to support these initiatives, upon completion, it is intended to be used to support other applications and services across government. As envisioned, the gateway will provide authentication services through a governmentwide portal and links to agency-level applications. The plan is for users to rely on a governmentwide portal—such as the FirstGov.gov site—to direct them to authentication services offered by the gateway. Users would then be able to present credentials for authentication. Alternatively, users could be directed to the gateway from within specific agency applications to verify their identities before they can access information or services. Once a user’s credential has been successfully authenticated, the user will then be granted appropriate access to the application. After being authorized to use a specific application, a user may request access to another application that is also linked to the gateway. If the second application accepts credentials from the user and the first application, no additional authentication will be required. If the second application requires a credential with a higher level of security, the user will have to provide new credentials. Figure 1 provides a schematic diagram of the gateway’s planned authentication services. Page 8 GAO-03-952 e-Authentication Initiative Figure 1: Using the e-Authentication Gateway Although the gateway will serve as a central point for authentication, it will not issue, maintain, or store credentials. Instead, the gateway will rely on a network of electronic credential providers (ECP), which are to include both government agencies and private sector companies. ECPs will issue credentials after verifying the identities of users based on traditional means—such as the presentation of passports, drivers’ licenses, and other identification documents—or by checking standardized databases, such as credit history databases. Users seeking authentication from the gateway Page 9 GAO-03-952 e-Authentication Initiative will be directed to appropriate ECPs to obtain credentials if they do not already have them. Delegating the issuing of credentials to ECPs allows the gateway to support a range of credentials and eliminates the need for the gateway to maintain a repository of identification information for all credentialed users. ECPs are to be responsible for all aspects of managing user credentials, including replacing lost or expired credentials and maintaining the identification information associated with the credentials. Agency applications will retain the responsibility to authorize users to conduct specific transactions, such as creating or approving information, based on authenticated credentials. The gateway has the potential to provide multiple benefits to the other 24 e-government initiatives and to the public. Some of these benefits include standardizing credentials and authentication technologies across government, improving cost savings by eliminating redundant purchases and authentication services, and simplifying public access to multiple government applications and services. The cost savings could be substantial. In its fiscal year 2004 budget plan, GSA estimated that over a 5-year period, gateway costs would total about $73 million, while over the same period, costs for separate authentication systems at individual agencies are estimated to total approximately $460 million. Much of the cost savings from centralizing authentication would also come from reducing the number of passwords that need to be administered from agency to agency and application to application. An official with Gartner,10 a market research company, provided an indication of the costs associated with resetting lost passwords: in a privately funded study, these were found to total about $50 per event. Finally, the federal government could enhance the willingness of citizens to conduct business electronically by providing centralized authentication services that reduce the burden on citizens of negotiating multiple credentials and authentication systems to access disparate government electronic services. Objectives, Scope, and Our objectives were to (1) assess the progress GSA has made in implementing the e-Authentication gateway and (2) identify key challenges Methodology associated with implementing the gateway. To assess GSA’s progress in implementing the gateway, we reviewed project plans, cost estimates, funding strategies, contracting activities, testing results, performance 10 Gartner, Inc., is a research and advisory firm that provides technology-related consulting, research, and other services. Page 10 GAO-03-952 e-Authentication Initiative metrics, and other project documentation, including studies completed by GSA, OMB, NIST, and other federal agencies on related authentication and security issues. We also interviewed GSA project managers and officials from other agencies involved in the initiative, such as Agriculture, the Treasury, and the National Aeronautics and Space Administration. Contract employees involved in developing and testing the prototype were also interviewed. To assess key challenges associated with implementing the proposed e-Authentication gateway, we reviewed and analyzed relevant technical reports and evaluations of authentication technologies and services completed by industry experts and research groups to identify key management and technology issues. We also held discussions with officials responsible for managing the project within GSA, as well as other agency officials involved in development of the prototype. We conducted these discussions with officials from Agriculture’s National Finance Center and two large federal agencies—the Departments of Defense and Commerce— to obtain information on funding and technical issues related to the gateway. We performed our review in accordance with generally accepted government auditing standards, working from November 2002 through July 2003, at various locations, including GSA Headquarters in Washington, D.C; NIST Headquarters in Gaithersburg, Maryland; and the National Finance Center in New Orleans, Louisiana. Important Objectives GSA’s drive to make the e-Authentication gateway operational quickly has resulted in few objectives being achieved and changes to planned tasks that and Milestones Have have increased project risks. While GSA has completed several important Not Been Fully Met tasks—such as issuing an RFI and fielding a demonstration prototype of the gateway—it has not yet fully addressed objectives essential to the successful deployment of an operational gateway, and it has extended the milestone for making the gateway fully operational from September 2003 to March 2004. To meet the new milestone, GSA plans to compress the acquisition process for making the gateway fully operational by issuing a request for proposal (RFP) and awarding a contract in December 2003. According to the project manager, the contractor will be expected to have a fully operational gateway up and running by the March 2004 milestone. However, this accelerated schedule may be difficult to achieve because it is based on an extremely short time frame, which allows the selected Page 11 GAO-03-952 e-Authentication Initiative contractor only 3 months to develop, test, and deploy a fully operational gateway. In December 2001, GSA developed its original plan for implementing a fully operational e-Authentication gateway. Major tasks included 1. developing and issuing an RFI and RFP to obtain industry input on technical approaches to authentication for potential incorporation into the e-Authentication gateway, 2. assisting e-government initiatives and other federal agencies in identifying their authentication requirements, 3. developing authentication profiles that address the needs of the other 24 e-government initiatives by linking their requirements to a set of standard authentication technologies, 4. enabling three multiuse applications to interoperate with the gateway, and 5. revising existing governmentwide contracting mechanisms for PKI- related services to promote broader use by federal agencies. To date, GSA has partially addressed four of these five tasks. The first major task—to develop and issue an RFI and RFP—was partially completed in July 2002 with the issuance of an RFI. GSA obtained input from 54 industry representatives on potential technical approaches to implementing e-Authentication in response to the RFI. This information was used to help design the prototype gateway and a framework for delivering authentication services. However, in April 2003, GSA decided to use its existing contractor—builder of the prototype version of the gateway—to continue work aimed at deploying an “interim” operational version of the gateway, and to delay the milestone for the fully operational version of the gateway from September 2003 to March 2004. According to an April 2003 letter from GSA’s Chief Information Officer to OMB, the anticipated delay was due to the lack of receipt of funds from federal agency partners. In commenting on a draft of this report, GSA officials further stated that the delay was due to a lack of demand for authentication services from the 24 other e-government initiatives, as well as industry’s lack of readiness to provide interoperable gateway services. The e-Authentication project manager told us in July 2003 that GSA planned to compress the acquisition process for the operational gateway by issuing an Page 12 GAO-03-952 e-Authentication Initiative RFP, selecting a contractor, and awarding a contract by December 2003. According to the project manager, the contractor would be expected to deploy a fully operational gateway by the March 2004 milestone. (Originally GSA had planned to issue an RFP in September 2002 to have an operational gateway in place a full year later.) Awarding a competitively selected contract is important because it allows a range of alternatives to be considered before a final technical approach is selected. However, the accelerated schedule contemplated by GSA may be difficult to achieve because it is based on an extremely short time frame, which allows the selected contractor only 3 months to develop and deploy a fully operational gateway. In addition, GSA will need time to complete the required certification and accreditation process in order to obtain full authority to operate the gateway. GSA also partially completed the second task of assisting e-government initiatives and other federal agencies in identifying their authentication requirements. Identifying requirements is important because they represent the blueprint that system developers and program managers use to design, develop, and acquire a system. GSA worked with the Software Engineering Institute11 to develop an assessment tool to identify authentication requirements by helping agencies determine appropriate assurance levels for their planned electronic transactions. However, the process of identifying requirements is still under way. Thus far, only 12 of the 24 e-government initiatives have completed assessments and shared this information with GSA. Officials plan to conduct assessments for 5 of the other initiatives. According to GSA officials, assessments are not planned for the other 7 initiatives, because those initiatives have no requirements for electronic authentication at this time. Without fully defined requirements, the gateway project faces the risk that extensive or costly changes may be needed before it will meet the needs of all the e-government initiatives. GSA has also taken steps to address its fourth major task, enabling three e-government applications to interoperate through the gateway. A prototype version of the gateway was fielded on schedule in September 2002. However, the prototype gateway accommodated just one demonstration version of a multiuse application managed by the 11 The Software Engineering Institute at Carnegie Mellon University is a federally funded research and development center that provides services intended to improve the quality of automated systems and software development and maintenance practices. Page 13 GAO-03-952 e-Authentication Initiative Department of Agriculture’s National Finance Center. It did not support any of the 24 e-government initiatives. The gateway’s project manager said that as of June 30, 2003, the gateway had achieved initial operational capability and was supporting vital records transactions from state and local governments to the Social Security Administration. Approximately 400 transactions had been supported as of July 25, 2003. However, these transactions were also not associated with any of the OMB-sponsored e-government initiatives. Officials said that work was under way to develop a link for the Disaster Management initiative, although no milestone had been set for making that link operational. According to GSA officials, action has also been taken to address the fifth task—to revise mechanisms for governmentwide contracting for PKI- related services, as a means to promote broader use by federal agencies. Specifically, GSA officials reported that policy for use of its Access Certificates for Electronic Services program had been modified in June 2003 to provide for broader use. The remaining task (task 3), establishing authentication profiles for the 24 e-government initiatives, has not been addressed, because not all e-government initiatives have yet identified their authentication requirements and because technical guidance for linking those requirements to specific technologies has not yet been finalized by NIST. In its updated e-government strategy plan, released in April 2003,12 OMB set milestones for several ongoing gateway-related tasks. These interim milestones included issuing governmentwide authentication guidance by April 2003, deploying the first applications linked to the gateway by May 2003, and establishing a list of credential providers by August 2003. However, these interim tasks have not yet been fully addressed. For example, governmentwide authentication guidance was not issued as planned in April 2003, although OMB partially addressed this objective by issuing a draft version of the guidance for comment in March. No revised time frame has been established for finalizing this guidance. Nor were applications deployed and linked to the gateway in May 2003. The project’s milestones were extended because of funding limitations and technical problems, according to the gateway program manager. GSA, which was tasked by OMB to lead the gateway implementation effort, now plans to 12 Office of Management and Budget, Implementing the President’s Management Agenda for E-Government—E-Government Strategy (April 2003). Page 14 GAO-03-952 e-Authentication Initiative link the first of the 24 e-government initiatives to the gateway in July 2003 rather than May 2003. In addition, GSA now plans to complete the remaining tasks to make the gateway fully operational by March 2004, rather than September 2003. Formidable Challenges Developing the e-Authentication gateway has been a challenging undertaking. A variety of technical and management challenges have Hinder Speedy hindered GSA’s progress in developing and deploying the gateway as Deployment of an originally planned. These challenges include establishing comprehensive policies and guidance, fully defining user requirements, achieving Operational Gateway interoperability among commercial authentication products, and addressing resource, security, and privacy issues. Addressing these challenges will require the cooperation of federal agencies developing the 24 e-government initiatives, as well as commitment by GSA to making the gateway a fully operational cross-agency resource. Policies and Guidance Are While GSA has drafted guidance to assist federal agencies in deciding on Not Yet Complete what types of authentication technologies and systems to implement, policies and procedures to promote consistency and interoperability among disparate authentication systems operating across the federal government have not yet been completed. Policies and procedures are needed to specify such things as the range of standard assurance levels to be supported; the types of authentication technologies appropriate for each of those levels; processes for issuing, maintaining, and revoking electronic credentials; and procedures for ensuring that individual agencies and credential providers are meeting security standards in operating and maintaining their separate systems. Without such standard policies and procedures, agencies are unlikely to develop systems that provide consistent levels of security, which would make it difficult to achieve interoperability across agencies and could lead to security vulnerabilities if authentication systems are not properly designed and implemented. Page 15 GAO-03-952 e-Authentication Initiative OMB is responsible for establishing policies, standards, and guidelines for information management, including e-government. In March 2003, OMB published draft guidance on electronic authentication to promote consistent authentication processes across government.13 The draft guidance proposes four standard assurance levels for authentication, termed “minimal,” “low,” “substantial,” and “high.” Examples were provided that were intended to assist agencies in identifying the levels of assurance that would be appropriate for specific applications, based on an assessment of the risks and consequences if transactions were completed in error. According to OMB, the purpose of the guidance, when finalized, is to help federal agencies make consistent decisions about authentication risks, reduce authentication system development and acquisition costs, and minimize the number and type of electronic credentials that federal employees, citizens, and businesses need to conduct electronic transactions with the government. No date has yet been set for completing the draft guidance.14 Further, guidance has not been provided to agencies on how to identify appropriate technologies to address their authentication requirements. According to OMB, agencies must first identify the assurance levels associated with their planned e-government transactions and then refer to additional technical guidance to identify appropriate technical implementations. NIST has been tasked with developing this guidance, which would specify the types of technologies that could be used to conduct transactions at each of the OMB-defined assurance levels. A NIST official indicated that an initial draft of this guidance would be available for comment by September 2003. However, until the NIST guidance is completed, technical requirements for the gateway may be difficult to identify, and agencies will be at risk of choosing authentication systems that may need to be changed at a later date to conform to NIST’s guidance. 13 Office of Management and Budget, Procedures and Guidance on Implementing E-Authentication for Federal Agencies, Draft Version 15 (Washington, D.C.: Mar. 28, 2003). 14 For electronic authentication based on PKI technology, in 2000, OMB issued implementation guidance for the Government Paperwork Elimination Act, Public Law 105- 277, Div. C, tit. XVII, directing agencies to consider using PKI for (1) transactions in which parties commit to actions or contracts that may give rise to financial or legal liability and (2) transactions that involve the transfer of funds. See Office of Management and Budget, Procedures and Guidance on Implementing the Government Paperwork Elimination Act, Memorandum M-00-10 (Apr. 25, 2000), pp. 19–20. Page 16 GAO-03-952 e-Authentication Initiative In addition to OMB and NIST guidance setting standard authentication levels and associated technology alternatives, additional policy and procedures covering other aspects of administering e-Authentication consistently across the government have not been completed. In July 2003, GSA issued a draft framework for evaluating the processes used by ECPs to issue credentials to users for conducting transactions at each of the four assurance levels. Agencies need to be able to assess compliance with standard policies and procedures in order to be able to determine whether the credentials issued and managed by specific ECPs have an adequate degree of trustworthiness. GSA also drafted guidance in July 2003 for the use of passwords, PINs, and PKI. However, no milestones have been set for finalizing this guidance. In other areas, no guidance has been developed. Guidance concerning authorization—the process of granting appropriate access privileges to authenticated users—is an example. A GSA official indicated that such guidance could help ensure that agencies perform authorization consistently across government. However, GSA officials said they had no plans to develop authorization guidance, because they considered authorization to be the responsibility of the agencies that control the software applications being supported. User Authentication In addition to the lack of complete policies and procedures, Requirements Have Not implementation of the e-Authentication gateway is also impeded by the lack of defined authentication requirements from the other 24 Been Fully Defined e-government initiatives and agencies expected to use the gateway. Improperly defined or incomplete requirements have often been identified as a root cause of the failure of systems to meet their cost, schedule, or performance goals.15 Key stakeholders and other federal agencies responsible for e-government initiatives and for contributing funding for the gateway have not been involved in assessing the prototype and determining whether it is suitable for operational deployment.16 According to a GSA project official, the 24 e-government initiatives have played a 15 See U.S. General Accounting Office, D.C. Courts: Disciplined Processes Critical to Successful System Acquisition, GAO-02-316 (Washington, D.C.: Feb. 28, 2002), p. 10. 16 Leading companies use a disciplined review process during prototyping to assess design maturity and stability, as well as to ensure that user requirements are addressed. Stakeholder agreements are used to document user involvement in designing and evaluating prototypes and to better ensure that products work as intended. For more information, see U.S. General Accounting Office, Best Practices: Capturing Design and Manufacturing Knowledge Early Improves Acquisition Outcomes, GAO-02-701 (Washington, D.C.: July 15, 2002). Page 17 GAO-03-952 e-Authentication Initiative limited role in the gateway project by completing risk assessments and identifying technical approaches to authentication for their individual projects; they have not been involved in determining the technologies to be incorporated in the gateway. Although the gateway is intended to deliver common, interoperable authentication services in support of the other e-government initiatives, it will be difficult to develop and operate such a system until user requirements are better defined. Identifying authentication requirements for the other 24 e-government initiatives has been slow because deployment phases for the projects vary widely, and many are still in their early phases—making it difficult to define robust information assurance and authentication requirements. In May 2002, GSA and the Software Engineering Institute established a joint project to develop and apply a risk-based process to identify the authentication requirements for transactions associated with the other 24 e-government initiatives. Project objectives were to (1) document and characterize the transactions and data associated with each of the e-government initiatives; (2) identify the risks associated with conducting these transactions and authenticating users involved in them; (3) define associated authentication requirements; and (4) analyze the identified authentication requirements in aggregate to help define standard levels of authentication for the gateway. The result of this project was the development of a standardized e-Authentication requirements and risk analysis (e-RA) process. Subsequently, the Software Engineering Institute developed a self-directed tool, based on the e-RA process, for the agency officials to use in assessing the requirements of their own initiatives. Because authentication requirements have been identified through the e-RA process for only 12 of the e-government initiatives (as of August 2003), the gateway risks not being able to address the wider authentication requirements that may be identified in the future for the other e-government initiatives. After participating in pilot risk assessments for four of the initiatives, the Software Engineering Institute reported that the transactions assessed in these pilot efforts were not representative of other e-government initiatives, and that no conclusion could be drawn about the extent to which the identified authentication requirements were representative of the other e-government initiatives. Altogether, as of August 2003, risk assessments had been completed for 12 e-government initiatives, including the 4 pilot risk assessments that the Software Engineering Institute participated in conducting. However, the results of these assessments were not used as input into the design of the prototype and interim gateways, and they have not been used to establish functional Page 18 GAO-03-952 e-Authentication Initiative requirements for the gateway. Despite the Software Engineering Institute’s conclusion to the contrary, project officials said they believed the results of the four pilot risk assessments validated the assurance levels proposed by OMB and thus were sufficient as the basis for designing the gateway. GSA project officials further stated that the risk assessments were to be used to identify assurance levels for transactions, not functional requirements for the gateway. Officials indicated that functional requirements have not yet been identified, though the gateway achieved initial operating capability in June 2003. Commercial Authentication Agencies generally use commercial off-the-shelf products to implement Products Generally Are Not authentication for their individual applications, and many of these products are based on unique proprietary approaches, making it difficult for them to Interoperable interoperate. In January 2003, GSA analyzed data that it received from over 50 vendors in response to the RFI it issued in 2002. Vendors indicated that a wide variety of standards and protocols were being used to design and develop authentication products and services, including the Security Assertions Markup Language, the Simple Object Access Protocol, the Secure Sockets Layer protocol, the X.509 digital certificates standard, the Lightweight Directory Access Protocol, and others. Because so many different and incompatible approaches had been used to design authentication products and services, GSA officials stated that, at that time, they were unable to identify a single standard or small number of standards that would be suitable for the gateway, which must interoperate with many agency systems. Many vendors suggested that the government develop a common methodology to link divergent applications and authentication products to the gateway. One approach to doing this would be to develop an application-programming interface (API) based on open, nonproprietary standards that would serve to connect agency applications to gateway services. Using a standard API to connect applications to use the gateway could eliminate the need to define unique interfaces for each application, and reduce development costs and implementation time frames. However, a common methodology or API to link authentication products and applications to the gateway would likely take considerable time to develop—too long to meet the gateway’s planned operational milestone— and would be difficult, given that the gateway’s user requirements are not yet fully defined. A technical specialist working with Mitretek, the contractor GSA hired to assist in prototype development, stated that custom software interfaces would have to be developed for each Page 19 GAO-03-952 e-Authentication Initiative authentication product intended to interoperate with the gateway, including customized software links between agency applications, electronic credential providers, and the gateway. According to this official, a considerable amount of time likely would be needed to develop customized APIs for each of the 24 e-government initiatives. This official further noted that the gateway prototype was tailored specifically to interoperate with two authentication systems managed by the Department of Agriculture’s National Finance Center and that it took several months to develop the software interfaces for these two systems. In its attempt to reduce the number of software custom interfaces needed to link e-government initiatives to the gateway, in April 2003, GSA drafted technical guidance that encourages the use of the Security Assertions Markup Language as a standard way to interface with the gateway. However, this guidance has not yet been issued. Further, because currently available commercial authentication products are not designed to interoperate with other products across multiple systems, developing a stable and reliable system that depends on interconnecting these technologies may prove difficult. Several commercial vendors stated that the technologies needed to support single sign-on capabilities across multiple platforms, applications, and databases have not yet been developed. A Mitretek official further indicated that commercial authentication products generally are designed to combine authorization and authentication services, because most existing systems treat both functions as one. The gateway, however, is intended to provide only authentication services, leaving agency applications the responsibility to grant access authorizations based on the authentication results. To support this requirement, vendors will need to make programming changes to “turn off” authorization services in their existing products. These changes could affect product performance and reliability. According to a NIST official, the gateway is a large and challenging project that is trying to cover a broad range of applications with different assurance requirements, in an area where technologies and business models are still evolving. These factors add to the development risk and argue for an extended period of testing before the gateway is made operational. Finally, GSA has not yet addressed how the gateway’s software will interoperate with systems maintained by nongovernment organizations and individual citizens. According to a NIST official, GSA’s concept for delivering gateway services to citizens is heavily dependent on the relationships established between citizens and nongovernment organizations, such as financial institutions, airlines, and Page 20 GAO-03-952 e-Authentication Initiative telecommunications carriers. Under this concept, nongovernment organizations will play a key role in issuing authentication credentials to customers. Integrating the gateway with systems managed by nongovernment organizations as well as validating credentials provided to customers will be challenging, according to this NIST official. GSA officials agreed that it would be a challenge to establish relationships with nongovernment credential service providers and to ensure that credentials are issued and correctly validated. GSA is attempting to establish a consortium of industry and government ECPs to promote information sharing and develop a “trust list” to facilitate the exchange of credentials across organizations. In addition, the consortium would like to adopt processes used by nongovernment organizations to issue credentials and adapt those processes to validate credentials for government transactions. Officials indicated that collaborative partnerships would be needed to ensure that authentication systems and electronic credentials interoperate successfully. As of July 2003, GSA was working with the Liberty Alliance Project and other national organizations, such as the National Automated Clearing House Association, to discuss potential solutions for authentication interoperability problems. Resource, Security, and Addressing funding, security, and privacy issues will be critical to the Privacy Issues Have Not deployment of the e-Authentication gateway and to maintaining public confidence in the government’s ability to provide on-line services. While Been Fully Addressed GSA has developed general strategies to address funding, security, and privacy issues related to deployment of the gateway, certain issues remain outstanding. In December 2001, GSA established a multiagency investment strategy for the gateway initiative that called for financial and personnel resource commitments from 14 different federal agencies, not all of which are responsible for leading e-government initiatives. The agencies were asked to contribute about $30 million (50 percent) of the nearly $60 million needed to implement and maintain the gateway through 2006. About $32 million was to be provided during 2002. In August 2002, GSA revised the funding strategy for the gateway and increased its cost projections for linking all 24 e-government initiatives to the gateway to about $73 million through 2008. Under the revised funding plan, 13 of the 14 federal agencies were expected to provide about $25 million beginning in 2003. GSA’s funding strategy for the gateway initiative has depended on contributions that have been less than expected and provided late in the Page 21 GAO-03-952 e-Authentication Initiative fiscal year. In May 2003, only five agencies had agreed to fund the gateway as proposed, contributing about $4.1 million of the nearly $25 million required. GSA drafted memorandums of understanding (MOU) to obtain funding and personnel resource commitments from other agencies on an annual basis, beginning in 2003, and as part of the original funding strategy. The MOUs identified gateway priorities, milestones, partner responsibilities, and the contributions expected from each agency. As of August 2003, GSA had discussed the proposed MOUs with 11 of the 14 agencies (80 percent) included in the initial funding strategy for the gateway and 2 additional agencies. GSA’s project manager stated that 16 agencies are now part of the e-Authentication Steering Committee, and 13 agencies provided a total of $13.5 million to GSA for the gateway as of August 18, 2003, with another $3 million expected from another agency by the end of fiscal year 2003. However, GSA still needed to secure about $5.1 million for the gateway as of August 18, 2003. According to GSA’s project manager, all 16 agencies serving on the Steering Committee pledged individual contributions of $337,000 and $393,000 for 2004 and 2005, respectively. Eight new members may also be added to the Steering Committee, and contributions from agencies may be reduced accordingly. GSA’s project manager further stated that the estimated costs for completing the gateway were reduced to about $55 million through 2008 as part of the fiscal year 2004 budgeting process. Because resources have not been ensured and were provided late in the fiscal year, the funding strategy poses significant risks for the gateway. According to GSA’s project manager, difficulty in obtaining funds for the initiative has contributed to milestone delays and other problems. The project experienced a funding shortfall in 2003 and had to change the acquisition strategy for the initiative and reduce contracting support, according to the project manager. The GSA official added that the project might face similar funding shortfalls beyond 2003, and that GSA planned to charge subscription or service fees to agencies that use the gateway to cover operations and maintenance costs after 2004. However, GSA has not yet determined what these fees would be, and additional funding may be needed to operate and maintain the gateway if agencies do not use it as much as is expected, and service fees fall short of projections. In addition, maintaining adequate security for the e-Authentication gateway may be difficult, because it is intended to connect with so many other systems. As more and more agency applications and ECPs are linked to the gateway, an effective configuration management program will be vital to maintain minimal levels of security for the system. GSA intends to adhere Page 22 GAO-03-952 e-Authentication Initiative to the National Information Assurance Certification and Accreditation Process, which establishes minimum national standards for certifying and accrediting national security systems. In April 2003, the interim gateway was granted authority to operate as part of the certification and accreditation process. The gateway’s use of personal information for identity verification also raises the potential for privacy issues. The E-Government Act of 2002 requires agencies to conduct privacy impact assessments for systems such as the gateway.17 A privacy impact assessment is a process that helps departments and agencies determine whether new technologies, information systems, and initiatives meet privacy requirements. GSA officials stated that they are designing the gateway so that privacy information is not retained within the gateway itself, thus hoping to avoid the potential problems associated with having to adequately protect stored privacy information. However, such a strategy does not provide assurance that all aspects of privacy have been adequately identified and addressed— conducting a privacy impact assessment could provide a more comprehensive view. According to GSA officials, a privacy impact assessment has not yet been completed. In addition, concerns have been raised about the privacy implications of aggregating information collected from multiple sources and the loss of personal privacy if records are shared across government. A recent National Research Council report18 suggests that authentication systems obtain only necessary information from users and for well-defined purposes. According to the report, this information should be retained for a minimal period of time, and a clear policy should be established to articulate what entities will have access to collected data and for what defined purposes. Further, the system should be reviewed and periodically audited to ensure compliance with these policies, and individuals should have the right to check on and correct any personal information collected by the system. OMB recommends that agencies develop measures for ensuring compliance with the Privacy Act and other government security 17 E-Government Act of 2002, Public Law 107-347 (Dec. 17, 2002). 18 National Research Council of the National Academies, Committee on Authentication Technologies and Their Privacy Implications, Who Goes There? Authentication Through the Lens of Privacy, prepublication version (Washington, D.C.: Apr. 8, 2003). Page 23 GAO-03-952 e-Authentication Initiative standards.19 Accordingly, agencies need to assess and plan for appropriate privacy measures when implementing systems, including authentication technologies. Conclusions Developing an e-Authentication gateway capable of supporting the authentication requirements of the OMB-sponsored e-government initiatives is important in ensuring that citizens can safely and securely conduct electronic business with the government. Developing such a system is an ambitious task, involving the interconnection of authentication technologies on a scale that has not been attempted before within government or private industry. In attempting to meet near-term milestones—such as the initial September 2003 deadline—GSA did not adequately address several important implementation objectives. For example, GSA has only partially completed its task of assisting e-government initiatives and other federal agencies in identifying their authentication requirements, and it has not yet enabled any of the e-government initiatives to interoperate with the interim gateway. Nor has it developed authentication profiles that address the needs of the other 24 e-government initiatives or made needed changes to its governmentwide PKI-related services contract. GSA’s modest progress can be understood in light of the significant challenges that the agency faces in attempting to build the e-Authentication gateway. These challenges include a lack of comprehensive administrative polices and guidance, inadequately defined user requirements, a dearth of interoperable commercial authentication products, and important resource, security, and privacy issues. Without addressing these challenges, GSA runs the risk of deploying a system that does not address user needs or operate as required. Recommendations for To address the issues associated with GSA’s attempts to meet near-term milestones for implementing the e-Authentication gateway, we recommend Executive Action that the Administrator of GSA • revise the schedule for deploying a fully operational version of the gateway, based on realistic milestones for development of the gateway 19 Office of Management and Budget, Memorandum—Procedures and Guidance on Implementing the Government Paperwork Elimination Act, M-00-10 (Washington, D.C.: Apr. 25, 2000). Page 24 GAO-03-952 e-Authentication Initiative using a competitively awarded contract, development of authentication profiles for each of the other 24 e-government initiatives, and completion of revisions to GSA’s governmentwide PKI-related services contract. To ensure that e-Authentication gateway implementation challenges are fully addressed, we recommend that the Administrator of GSA, in conjunction with the Director of OMB, • ensure that a comprehensive framework of authentication policies and procedures related to gateway operations is developed and implemented, in conjunction with NIST, the CIO Council, and other federal agencies (the framework should include policies and standards for auditing agencies and nongovernment organizations that will be linked to the gateway for compliance with applicable security, privacy, and credential requirements); • establish a process to complete risk assessments for the OMB e-government initiatives that require authentication services and define associated authentication requirements to ensure that the gateway’s design can support the range of authentication technologies that will be needed by the e-government initiatives; • define key technical interfaces to promote interoperability with commercial products and facilitate interconnection with ECPs; • enhance the effectiveness of the gateway’s funding strategy by defining specific contributions from federal agencies and obtaining their commitment to support the initiative, based on the project’s implementation and maintenance schedule, which addresses costs through 2008; and • establish and implement security and privacy policies for the gateway, based on input from stakeholders and potential users, to ensure that all privacy requirements are considered and addressed—including the development and completion of a privacy impact assessment that involves key stakeholders. Agency Comments and We received written comments on a draft of this report from the Administrator of GSA and from the Secretary of Commerce. Letters from Our Evaluation these two agencies are reprinted in appendixes I and II. We also received Page 25 GAO-03-952 e-Authentication Initiative oral comments from staff of OMB’s Office of General Counsel. GSA generally agreed with our discussion of the challenges hindering speedy deployment of the e-Authentication gateway, as well as our recommendations aimed at addressing these challenges. Regarding the agency’s progress in developing the gateway, GSA requested that we include more information on recent developments. In response to this concern, we added information to the report to acknowledge these recent developments, as outlined by GSA in an attachment to its comments. OMB staff said the agency agreed with GSA’s comments. Regarding comments from NIST, officials generally agreed with the content of information and recommendations in the draft report. Officials requested that we update information on recently drafted authentication guidance. We updated this report accordingly. Unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies of this report to the Ranking Minority Member, House Committee on Government Reform; to the Ranking Minority Member, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, Committee on Government Reform; and to other interested congressional committees. We will also send copies to the Director of OMB and the Administrator of GSA. Copies will be made available to others upon request. In addition, this report will be available at no charge on the GAO Web site at www.gao.gov. If you have any questions concerning this report, please call me at (202) 512-6240 or send E-mail to email@example.com. Other major contributors to this report included Barbara Collier, John de Ferrari, Vijay D’Souza, Steven Law, and Yvonne Vigil. Linda D. Koontz Director, Information Management Issues Page 26 GAO-03-952 e-Authentication Initiative Appendix I Comments from the General Services Administration Page 27 GAO-03-952 e-Authentication Initiative Appendix I Comments from the General Services Administration Page 28 GAO-03-952 e-Authentication Initiative Appendix II Comments from the Department of Commerce Page 29 GAO-03-952 e-Authentication Initiative Appendix II Comments from the Department of Commerce Page 30 GAO-03-952 e-Authentication Initiative Appendix II Comments from the Department of Commerce Page 31 GAO-03-952 e-Authentication Initiative Glossary Authentication The process of confirming an asserted identity with a specified or understood level of confidence. Authorization The granting of appropriate access privileges to authenticated users. Application Programming An interface between the application software and the application platform Interface (i.e., operating system), across which all services are provided. Assurance level In the context of authentication, the level of confidence that the relying party has that an electronic identity credential is being presented by the person whose identity is asserted by the credential. Biometrics Measures of an individual’s unique physical characteristics or the unique ways that an individual performs an activity. Physical biometrics include fingerprints, hand geometry, facial patterns, and iris and retinal scans. Behavioral biometrics include voice patterns, written signatures, and keyboard typing techniques. Certificate A digital representation of information that (1) identifies the certification authority issuing it; (2) names or identifies the person, process, or equipment that is the user of the certificate; (3) contains the user’s public key; (4) identifies its operational period; and (5) is digitally signed by the certification authority issuing it. A certificate is the means by which a user is linked—“bound”—to a public key. Certification Authority An authority trusted by one or more users to issue and manage digital certificates. Confidentiality The assurance that information is not disclosed to unauthorized entities or processes. Page 32 GAO-03-952 e-Authentication Initiative Glossary Digital signature A special encrypted code, attached to an electronic message, that can be used to prove to a third party that the message was, in fact, signed by the originator. Digital signatures may also be attached to other electronic information and programs so that the integrity of the information and programs may be verified at a later time. Electronic credentials The electronic equivalent of traditional paper-based credentials— documents that vouch for an individual’s identity. Electronic credential Organizations, both governmental and nongovernmental, that issue and, in providers some cases, maintain electronic credentials. Electronic government Government’s use of technology, particularly Web-based applications, to enhance the access to and delivery of government information and services to citizens, business partners, employees, and other entities. Federal Bridge Certification A system of certification authorities, directories, certificate policies, and Authority certification practice statements designed to provide interoperability among federal agency certification authorities. Identification The process of determining to what identity a particular individual corresponds. Interoperability The ability of two or more systems or components to exchange information and to use the information that has been exchanged. Privacy The ability of an individual to decide when and on what terms elements of his or her personal information should be revealed. Page 33 GAO-03-952 e-Authentication Initiative Glossary Privacy Impact Assessment A process that helps departments and agencies determine whether new technologies, information systems, and initiatives meet basic privacy requirements. Public key infrastructure A system of hardware, software, policies, and people that, when fully and (PKI) properly implemented, can provide a suite of information security assurances—including confidentiality, data integrity, authentication, and nonrepudiation—that are important in protecting sensitive communications and transactions. Risk The expectation of loss expressed as the probability that a particular threat will exploit a particular vulnerability with a particular harmful result. Smart card A tamper-resistant security device—about the size of a credit card—that relies on an integrated circuit chip for information storage and processing. (310354) Page 34 GAO-03-952 e-Authentication Initiative The General Accounting Office, the audit, evaluation and investigative arm of GAO’s Mission Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no cost is Obtaining Copies of through the Internet. GAO’s Web site (www.gao.gov) contains abstracts and full- GAO Reports and text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents Testimony using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as “Today’s Reports,” on its Web site daily. The list contains links to the full-text document files. To have GAO e- mail this list to you every afternoon, go to www.gao.gov and select “Subscribe to e-mail alerts” under the “Order GAO Products” heading. Order by Mail or Phone The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C. 20548 To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 512-6061 Contact: To Report Fraud, Web site: www.gao.gov/fraudnet/fraudnet.htm Waste, and Abuse in E-mail: firstname.lastname@example.org Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470 Jeff Nelligan, Managing Director, NelliganJ@gao.gov (202) 512-4800 Public Affairs U.S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C. 20548 United States Presorted Standard General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. GI00 Official Business Penalty for Private Use $300 Address Service Requested
Electronic Government: Planned e-Authentication Gateway Faces Formidable Development Challenges
Published by the Government Accountability Office on 2003-09-12.
Below is a raw (and likely hideous) rendition of the original report. (PDF)