28 July 1998
Thanks to DS

Date: Tue, 28 Jul 1998 12:40:21 -0400



CLASSCOD: D--Information Technology Services, including
  Services--Potential Sources Sought

OFFADD: DISA/D211, 5113 Leesburg Pike, Room 428, Falls Church,
  VA 22041


POC Ms. Happy Barranco, DISA INFOSEC Program Management Office,
  (703) 681-7943 or Mr. Peter G. Smingler, Contracting Officer,
  (703) 681-0526

DESC: The Defense Information Systems Agency (DISA)/Defense Information
  Technology Contracting Organization (DITCO) herewith issue
  a Request for Information (RFI) for potential pilots of an
  RECEIVED IN RESPONSE TO THE RFI. Interested parties should
  respond with comments no later than 27 August 1998. Subsequently,
  the DOD will determine a date to begin accepting applications.

    INTRODUCTION: For external business transactions using a
  PKI, the DOD must operate with non-DOD entities and establish
  a policy for third party trust relationships. In a public key
  system, the public key must be freely accessible and the user
  must have a reliable way of verifying the authenticity of public
  keys. An infrastructure for managing and certifying public
  keys can be based on a hierarchy or network of mutually "trusted"
  certification authorities.   PURPOSE: This document focuses
  on the DOD's current implementation of the medium assurance
  PKI and the plan to operate with parties outside the DOD. Non-DOD
  entities doing business electronically with DOD must take steps
  to ensure that any use of the PKI achieves a level of assurance
  equivalent to the DOD PKI medium assurance, as defined in the
  draft U.S. DOD Certificate Policy, thereby ensuring a satisfactory
  trust relationship for DOD and non-DOD electronic transactions.
  Non-DOD entities, including DOD contractors, vendors, and other
  government organizations, achieve this level of assurance,
  in part, by utilizing the services of ECAs to ensure the integrity
  of their electronic business.  

    EXTERNAL CERTIFICATE AUTHORITY: In the near-term, DOD's intention 
  is to support interoperability by making available to the ECA community 
  a test and certification process. This process will ensure that ECAs 
  using the DOD's PKI on behalf of Non-DOD subscribers will operate at 
  a level of assurance equivalent to the DOD PKI medium assurance. The
  DOD will certify ECAs to support interoperability with users
  outside the DOD. The DOD will maintain, continuously update,
  and publish a list of all certified ECAs so that contractors
  and vendors may make informed decisions for ECAs to employ
  for their electronic business transactions. ECAs are not required
  to be certified. However, non-DOD entities who use uncertified
  ECAs face a risk that the integrity of electronic transactions
  will be compromised thereby. Contract clauses will be developed
  to ensure that contractors are aware that any damages incurred
  as a result of using an ECA, certified or not, cannot be shifted
  to the Government. This document describes procedures for testing
  and certifying an ECA, including assurances that must be provided
  by such organizations. To permit secure interoperability between
  DOD and non-DOD users, a common certification path must exist.

    BECOMING A DOD-RECOGNIZED ECA: The establishment of a DOD-certified
  ECA will be based on compliance with DOD policy and certification
  criteria. Testing and certification will be performed by or
  under the direction and control of the DOD. Since users of
  the DOD PKI already trust the Root, certificates issued by
  the ECA will be trusted and verifiable by DOD relying parties.
  Non-DOD relying parties will also need to trust the DOD Root
  in order to recognize certificates issued by the DOD PKI. ECAs
  that meet the established DOD requirements will receive certificates
  digitally signed by the DOD Medium Assurance Root. The DOD
  Medium Assurance Root will also maintain an accurate and current
  list of all certified ECAs. This listing will be publicly available
  to any current or prospective DOD contractor or vendor. Acceptance
  of a candidate ECA by the DOD will be based primarily, but
  not exclusively, on the applicant's ability, at a minimum,
  to meet the medium assurance level criteria defined in the
  Draft U.S. DOD Certificate Policy, 9 March 1998. Adherence
  to this policy is required as a condition of continued acceptance
  of ECA issued certificates by the DOD. ECAs are required to
  meet certain technical and procedural criteria as defined in
  the DOD PKI Draft Functional Specification (11 May 98). This
  specification references the profile of the DOD certificate.
  It is essential that certificates issued by ECAs comply with
  the DOD certificate profile requirements. The ECA will also
  provide directory services for its clients and a Lightweight
  Directory Access Protocol (LDAP) interface to its repository.
  The ECA must demonstrate adequate arrangements to protect private
  encryption of keys held by the ECA from improper disclosure
  and use. The ECA must demonstrate adequate arrangements for
  protecting the hierarchical keys upon which the secrecy of
  client keys or system keys are dependent. Each potential ECA
  will submit an application in the form of a Certification Practice
  Statement (CPS) in the Internet Engineering Task Force Public
  Key Infrastructure X.509 (IETF/PKIX) part 4 format to the DOD
  PKI Policy Management Authority (PMA) Sub-Committee for approval.
  Prospective ECAs can visit the IETF web site at 
  to reference the format.  

  certification shall submit to the DOD PKI  Policy Management 
  Authority (PMA) Sub-Committee the application consisting of a CPS 
  in the IETF/PKIX part 4 format (reference the IETF web site for 
  the format) and a system design/architecture, in particular, 
  CA configuration parameters. The applications will be processed 
  and reviewed individually in the order in which they are received 
  by the DOD PKI PMA Sub-Committee, composed of representatives 
  from the National Security Agency (NSA), the Defense Information 
  Systems Agency (DISA), the military services, and the DOD agencies. 
  If the application is determined unacceptable, the DOD PKI PMA 
  Sub-Committee will provide written notice with the reason for the 
  rejection. At its discretion, the DOD PKI PMA Sub-Committee may 
  allow subsequent modifications or corrections from the candidate 
  ECA for immediate reconsideration or may require the candidate to 
  resubmit an application to be processed after the applications on 
  hand at the time of resubmission. If the application is determined 
  acceptable, the DOD PKI PMA Sub-Committee will conduct site inspections
  and interviews. Following the site inspections and interviews,
  the DOD PKI PMA Sub-Committee will either submit comments in
  writing to the candidate ECA for re-evaluation or will recommend
  the candidate ECA to the DOD PKI PMA. The DOD PKI PMA reserves
  the right to grant exceptions for approval at any stage in
  the process. The DOD PKI PMA, with senior representatives from
  NSA and DISA, will review the findings and recommendations
  of the DOD PKI PMA Sub-Committee and will approve or disapprove
  the candidate ECA. Following approval by the DOD PKI PMA, a
  Memorandum of Agreement will be generated between the DOD and
  the ECA. A list of approved ECAs will be published for public
  information. This procedure is not intended to create any rights
  or privileges for candidate ECAs, adverse decisions may not
  be appealed above the DOD PKI PMA, and judicial review is not
  available. Since use of a certified ECA will not be required
  by contract, certification does not create any right of action
  against the Government in the contractors or vendors who subscribe
  to the services of an ECA.  

    LIABILITY: It is DOD's intent
  to provide a service for non-DOD entities wishing to use PKI
  for business transactions. In the case of private industry
  users, specifically DOD Contractors, the Contractors must be
  informed in the contract that the ECA testing and certification
  process does not create any rights in the candidate ECA or
  the non-DOD entity. Matters of liability for damages from a
  failure of the ECA's PKI service are properly to be covered
  in the agreement between the private industry users and the
  ECAs.  The point of contact for technical issues concerning
  this announcement is Ms. Happy Barranco, DISA at (703) 681-7943,
  . DOD PKI documents referenced in this
  RFI can be obtained by sending an electronic request to Ms.
  Barranco. The point of contact for contractual issues is Mr.
  Peter G. Smingler, Contracting Officer, DISA/D211 at (703)
  681-0526.***** LLLL 

EMAILADD: barranch@ncr.disa.mil

EMAILDESC: Click here to contract the DISA INFOSEC Program Management
  Office via e-mail.

CITE: (W-208 SN228891)