21 January 1999. Thanks to AO.
Source: Excerpted from full RFP at: http://www.gsa.gov/aces/final/fin_rfp.html


Access Certificates for Electronic Services (ACES)

Request For Proposals

TIBA98003A



Section C

Descriptions/Specifications/Work Statement

GSA
U.S. General Services Administration
Federal Telecommunications Service
Office of Information Security

January 4, 1999


Table of Contents

C.1 Overview of Acquisition

C.1.1 Background

C.1.2 Objectives

C.2 ACES Functional Description and Scope

C.2.1 ACES Functional Description

C.2.2 Scope

C.3 System Requirements

C.3.1 General Requirements and Coverage

C.3.2 Service Specifications and Requirements Summary

C.3.3 Certificate Application Process

C.3.4 Certificate Issuance

C.3.5 Certificate Validation

C.3.6 Certificate Suspension and Revocation

C.3.7 Certificate Renewal

C.3.8 Replacement of Lost Certificates

C.3.9 Certificate Interoperability

C.4 Certificate Arbitrator Module (CAM)

C.4.1 Operating System Support Information

C.4.2 CAM Interfaces

C.4.3 CAM Certificate Status Function Processing Information

C.5 Supplemental PKI Services to Agency Applications

C.5.1 System Integration of CAM

C.5.2 CAM Maintenance and Utility Support

C.5.3 Other System Integration Requirements

C.5.4 Telecommunications Interface Integration

C.6 Additional ACES Requirements

C.6.1 Internet Communication and Standards

C.6.2 Cryptographic Algorithms and Standards

C.6.3 Certification Practices Statement

C.6.4 Performance

C.6.5 Failure of Verification Checks

C.6.6 Scalability

C.6.7 Allowance for Technology Changes

C.6.8 CA Key Changeover

C.6.9 Support

C.7 Management and Operations

C.7.1 Customer Service Center

C.7.2 Promotion of ACES

C.7.3 Access Controls and Restrictions

C.7.4 Computer Security Act Requirements

C.7.5 Security Certification, Accreditation, and Re-Accreditation

C.7.6 Annual Independent Quality Assurance and Inspection Requirements

C.7.7 Paperwork Reduction Act Requirements

C.7.8 Privacy Act Requirements

C.7.10 Personnel Training and Assurance

C.7.11 Date/Time Synchronization

C.7.12 Data Transfer

List of Tables

Table C.2 Summary of ACES Certificates

Table C.3.2 Summary List and Description of Services Provided by ACES Contractor

Table C.3.4.2 Required Certificate Fields

Table C.6.4.3 Response Time Requirements

List of Figures

Figure C.4.2 Conceptual Depiction of CAM Interfaces



C.1 Overview of Acquisition

C.1.1 Background

Within the United States General Services Administration (GSA), the Federal Technology Service (FTS) is charged with responsibility for making cost-effective, state-of-the-art, user-friendly information technology services available to Federal agencies and their clients. The Office of Governmentwide Policy (OGP) is the focal point for electronic commerce, government collaboration, shared systems, acquisition, and regulatory information. GSA supports Federal agencies in achieving the goals of the emerging Government Services Information Infrastructure (GSII) by assisting with implementation of the information technology recommendations of the National Partnership for Reinventing Government (NPR) and Access with Trust. In turn, the GSII supports the goals of the National Information Infrastructure (NII).

One of the primary goals of the GSII is to facilitate public access to the services offered by government agencies through use of information technologies, including on-line access to computers for purposes of reviewing, retrieving, providing, and exchanging information. By law, access to some government computer systems can be granted only when the agency is provided with assurance that the individual attempting access has been properly identified and authenticated as being authorized to access the computer system and the information requested. In face-to-face transactions between an agency and the public, the agency can require proof of identity and can use a representative of the agency to ensure that the requesting individual is given access only to that information for which access is legally authorized. In arm's-length transactions not involving the use of on-line access (e.g., telephone requests, letter requests, etc.), the agency can require alternative methods of identification (e.g., a Notary, signature of witnesses, etc.) and can limit access through the intervention of an agency representative. Arm's-length transactions involving on-line access to agency computers require new methods of identification and authentication that are not readily available to government agencies or the public they serve.

To assist in addressing the need for new methods of identification and authentication, the FTS Office of Information Security (OIS) is seeking support from qualified contractors in the establishment of a Proof of Concept (POC) for Access Certificates for Electronic Services (ACES).

Use of these certificates is intended to provide identification and authentication, and non-repudiation via the use of digital signature technology. ACES certificates are intended for use by Federal authorized agencies and entities.

Refer to Section J, Glossary, for definition of terms.

C.1.2 Objectives

The objectives of this acquisition are to:

Award multiple contracts for ACES

Achieve best value for ACES by aggregating Government requirements

Provide members of the general public and government agencies with robust electronic digital signature services

Achieve maximum efficiency by procuring ACES from existing commercially available products, systems, and services, to the extent possible

Achieve maximum efficiency in procuring ACES by encouraging partnership arrangements among commercial entities

Provide the Government the opportunity to promote and evaluate the following concepts:

Implementation of a trust model which features:

Use of a single certificate policy by all ACES contractors

Quality assurance and inspection of ACES contractor's practices for adherence to terms of both the contract and the ACES Certificate Policy

Implementation of a validation transactional model with both certificate-based and transaction-based validation payment schemes

Determination of the viability, validity, and reliability of identity verification via cross-checking of multiple, independent-sourced databases when identity verification is performed with this method

C.2 ACES Functional Description and Scope

C.2.1 ACES Functional Description

Establishment and operation of an ACES-based system to support electronic communication between the government and members of the general public are founded on the capability to authenticate both the individual and the government agency application. Members of the general public, individuals authorized to act on behalf of business entities, and agency applications that choose to use ACES will receive digital certificates, after first proving their identity as part of the registration process. These certificates can then be used for authentication as well as signature verification.

ACES contractors will provide applicant registration and certificate manufacturing, issuance, maintenance, and validation for Government agency applications participating in ACES. ACES contractors will provide these functions as Certification Authorities (CAs); however, some of these functions may also be provided by entities authorized by the ACES contractors as follows:

Applicant registration and verification of identity may be performed by Registration Authorities (RAs). Registration and identity proofing of certificate applicants will be the responsibility of the ACES contractors, except when registration and identity proofing are provided by the Government, as agreed between GSA, the agency application, and the ACES contractors

A Certificate Manufacturing Authority (CMA) may perform the functions of manufacturing, issuance, and maintenance of ACES certificates

ACES contractors will undergo security certification and accreditation prior to being authorized to collect identification information, issue ACES Certificates, and process certificate validation requests, as required by the Computer Security Act of 1987, Appendix III to Office of Management and Budget (OMB) Circular A-130, and Federal Information Processing Standards Publication (FIPS PUB) 102. GSA will act as the approving authority.

An applicant for a certificate generates a public/private key pair prior to initiating the registration process or at the time of registration. The applicant may use his/her own capability to generate a key pair or may use key generation software and/or hardware offered by ACES contractors. The private key remains in the sole control of the applicant. The applicant's identity information is then used to initiate the certificate registration process. The certificate issued binds the applicant's public key with his/her Common Name and indicates that the holder of the certificate has established his/her identity to the satisfaction of an RA. When the certificate holder (subscriber) later attempts to access a government agency application, the agency application will authenticate the identity of the subscriber, validate his/her certificate with the ACES contractor that issued the certificate, and then grant access privileges as determined appropriate by the agency application.

Certificate applicants will be informed of the advantages and potential risks associated with using ACES certificates to access agency applications electronically. Those applicants completing registration, identity proofing, and receiving certificates will be choosing to participate. After initially receiving a certificate, subscribers may request revocation of their own certificate(s).

Digital certificates will be issued, renewed, suspended, and revoked at no cost to individual members of the general public who choose to use ACES certificates. ACES contractors may charge for certificates issued to agency applications and, if authorized by law, ACES contractors may charge a fee for certificates when acting on behalf of the agency applications. To the extent any such fee is collected for business representative certificates, it will be used to offset the agency application payments to the ACES contractors.

Agency applications will be required to generate and store their private keys on hardware tokens. ACES contractors will offer to agency applications the required tokens, readers, software, and documentation, which may have an associated cost to the agency.

Each agency application will validate every certificate it requests. If a certificate status is reported to the agency as invalid, the agency applications may "cache" the certificate status information for later reference without requesting validation again. A certificate requested by an agency application is not considered valid until the issuing ACES contractor has notified the agency application of the certificate status. Each agency application requiring the use of certificates issued by ACES will be accepting certificates issued by all ACES contractors.

ACES contractors will be paid a "certificate based" fee (one-time fee with unlimited number of validation transactions for each certificate) or a "validation transaction-based" fee (a fee is generated for each validation transaction) for each certificate validated, as agreed between the agency application, GSA, and the ACES contractors. Aggregations of agency applications that share a common subscriber base may choose to purchase an alternative certificate-based fee, as agreed between the agency applications, GSA, and the ACES contractors.

Since all agency applications participating in ACES will accept certificates issued by all ACES contractors, the agency applications require a mechanism to route each certificate efficiently and consistently to the issuing ACES contractor for validation. This functionality will be provided by the ACES Certificate Arbitrator Module (CAM) that interfaces with the agency application and all ACES contractors. The CAM will be provided as Government furnished equipment (GFE).

All subscribers may request that their certificate(s) be revoked (e.g., due to subscriber's suspicion of loss or compromise of private key). The ACES contractor will immediately change the status of the appropriate certificate(s) to suspended. After verification of the revocation request has been completed by the ACES contractor, the status of the certificate(s) will be changed to invalid or valid, depending upon the results of the request verification.
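
Added example (not part of the RFP): a small Python model of the validation flow described in the preceding paragraphs, showing routing by issuer through the CAM, caching of invalid status only, and immediate suspension on a revocation request. Class and method names, issuer names, and serial numbers are constructed for illustration; treating an unknown or unreachable issuer as "not valid" is an assumption drawn from the rule that a certificate is not considered valid until its issuer has reported the status.

```python
VALID, INVALID, SUSPENDED, NO_ANSWER = "valid", "invalid", "suspended", "no-answer"


class ContractorCA:
    """Hypothetical stand-in for one ACES contractor's status service."""

    def __init__(self, name):
        self.name = name
        self.offline = False   # simulates an unreachable contractor
        self.queries = 0       # validation transactions actually received
        self._status = {}      # certificate serial -> current status

    def issue(self, serial):
        self._status[serial] = VALID

    def request_revocation(self, serial):
        # A revocation request suspends the certificate immediately,
        # before the request itself has been verified.
        if self._status.get(serial) == VALID:
            self._status[serial] = SUSPENDED

    def complete_verification(self, serial, request_genuine):
        # After verification the status becomes invalid, or returns to valid.
        if self._status.get(serial) == SUSPENDED:
            self._status[serial] = INVALID if request_genuine else VALID

    def status(self, serial):
        if self.offline:
            raise ConnectionError(self.name + " unreachable")
        self.queries += 1
        # A serial this contractor never issued is never reported as valid.
        return self._status.get(serial, INVALID)


class CAM:
    """Routes each validation request to the contractor that issued the certificate."""

    def __init__(self, contractors):
        self._by_issuer = {ca.name: ca for ca in contractors}

    def route(self, issuer, serial):
        ca = self._by_issuer.get(issuer)
        if ca is None:
            return NO_ANSWER            # assumption: unknown issuer yields no status
        try:
            return ca.status(serial)
        except ConnectionError:
            return NO_ANSWER            # assumption: no reply yields no status


class AgencyApplication:
    """Grants access only on an explicit 'valid' answer from the issuer."""

    def __init__(self, cam):
        self.cam = cam
        self._known_invalid = set()     # only 'invalid' results are cached

    def grant_access(self, issuer, serial):
        key = (issuer, serial)
        if key in self._known_invalid:
            return False                # cached invalid: no new validation request
        status = self.cam.route(issuer, serial)
        if status == INVALID:
            self._known_invalid.add(key)
        # 'suspended' and 'no-answer' deny access but are not cached, so a
        # certificate restored to valid is accepted on the next request.
        return status == VALID


def run_scenario():
    """Constructed walk-through; returns the outcome of each step."""
    ca_a, ca_b = ContractorCA("Contractor-A"), ContractorCA("Contractor-B")
    ca_a.issue("1001")
    ca_b.issue("2001")
    app = AgencyApplication(CAM([ca_a, ca_b]))
    out = {}

    out["first_access"] = app.grant_access("Contractor-A", "1001")
    ca_a.request_revocation("1001")                 # subscriber suspects key loss
    out["while_suspended"] = app.grant_access("Contractor-A", "1001")
    ca_a.complete_verification("1001", request_genuine=False)
    out["after_request_rejected"] = app.grant_access("Contractor-A", "1001")
    out["queries_a"] = ca_a.queries

    ca_b.request_revocation("2001")
    ca_b.complete_verification("2001", request_genuine=True)
    out["revoked_first"] = app.grant_access("Contractor-B", "2001")
    out["revoked_second"] = app.grant_access("Contractor-B", "2001")
    out["queries_b"] = ca_b.queries                 # second lookup came from cache

    out["unknown_issuer"] = app.grant_access("Contractor-C", "1")
    ca_a.offline = True
    out["issuer_offline"] = app.grant_access("Contractor-A", "1001")
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(step, result)
```

In this model the invalid-only cache affects both security and cost: a suspended certificate is re-checked on every access, while a revoked one generates no further validation transactions under a transaction-based fee.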

Successful interaction among subscribers, agency applications, and ACES contractors will require interoperability of certain components of the ACES program. ACES contractors may issue individual and business representative subscriber certificates using any of the digital signature algorithms specified in Section C.6.2. As a result, agency applications must have the capability of supporting multiple digital signature algorithms for these certificates. In addition, each participating agency application will be required to have an ACES certificate, which may be issued by any ACES contractor.

ACES certificates may be used to authenticate subscribers accessing agency applications for individual and/or business purposes and for authentication of agency applications by subscribers and ACES contractors. Table C.2 summarizes ACES certificates and functional uses.

Table C.2 Summary of ACES Certificates

Certificate Type | Subscriber | Use of Certificate
Individual | Individual | To enable an individual to authenticate itself to agency applications electronically for information and transactions and to verify digitally signed documents/transactions
Business Representative | Individual authorized to act on behalf of a business entity | To enable a business representative to authenticate itself to agency applications to conduct business-related activities electronically and to verify digitally signed documents/transactions
Agency Application | Agency application | To enable the agency application to authenticate itself to individuals, business representatives, and ACES contractors and to verify digitally signed documents/transactions

C.2.2 Scope

The scope of the ACES acquisition and general descriptions of the services to be provided by ACES contractors are as follows:

Key Generation: The ACES contractors will offer key generation software to certificate applicants

Registration: Registration occurs at (or with) the ACES contractors, or the registration information is provided to the ACES contractors by the Government

Identity Proofing: The ACES contractors will complete identity proofing of a certificate applicant's credentials, or will be provided with the required identity information by the Government

Certificate Issuance: ACES contractors will issue certificates to certificate applicants that choose to participate in ACES and whose identity proofing has been successfully completed by the ACES contractor, or provided to the ACES contractor by the Government

Certificate Validation: Agency applications will check the validity of individual and business representative certificates with the ACES contractor that issued the certificate whenever the agency application requires authentication of the individual or business representative attempting access. The ACES contractor will return a message to the agency application that contains the validity status of the individual's or business representative's certificate (i.e., valid, invalid, or suspended)

Certificate Suspension: ACES contractors will immediately suspend certificates at the time a request for revocation is received from a subscriber (i.e., individual, business representative, or agency application). The suspension shall remain in effect until completion of the required verification of the request

Certificate Revocation: Certificates will be revoked when requested by a subscriber (i.e., individual, business representative, or agency application), or by the issuing ACES contractor (e.g., compromise or suspicion of fraud), at any time during the lifetime of the certificate

Certificate Renewal: Certificates will be renewed when requested by subscribers (within 90 days of certificate expiration)

Certificate Replacement: Lost valid certificates will be replaced when requested by subscribers

Interoperability: ACES contractors will support agency interoperability with ACES contractors by integrating their systems with the ACES CAM. In addition, ACES contractors will provide certificate interoperability by supporting the cryptographic algorithms specified in Section C.6.2, providing authentication of all agency application ACES certificates, and making their own ACES CA certificates available to all ACES participants

Agency Application Interface: ACES contractors will complete their interface to the ACES CAM to support certificate validation transaction processing

Supplemental PKI-Related Services: Upon request, ACES contractors will provide PKI-related programming, systems integration, and telecommunications interface support to requesting agency applications

Standards Compliance: ACES contractors will provide compliance with specified Internet communication standards and cryptographic standards

Performance and Scalability: ACES contractors will provide a robust PKI infrastructure to provide scalability and performance to support the PKI service requirements of the participating agency applications

Allowance for Technology Changes: ACES contractors will create and provide a robust infrastructure with sufficient flexibility to incorporate appropriate evolving technology

Customer Service Center: ACES contractors will provide a customer service center to support subscribers and agency applications, to include promotion of ACES, service ordering, and billing processes

Compliance: ACES contractors will comply with requirements of the Computer Security Act, Paperwork Reduction Act and Privacy Act

Certification, Accreditation, and Re-Accreditation: ACES contractors will be certified and accredited by GSA prior to initial operation and thereafter re-accredited annually and subsequent to major changes

Data Collection, Analysis, and Dissemination: ACES contractors will collect and provide access to information and data as agreed upon and required by GSA to ensure the ACES contractor's adherence to the awarded contract and the ACES Certificate Policy (CP), including annual and independent quality assurance and inspection requirements and ad hoc reports as requested

C.3 System Requirements

ACES contractors shall provide ACES as specified below in this work statement.

C.3.1 General Requirements and Coverage

ACES contractors shall provide services to government agencies that choose to use ACES.

C.3.2 Service Specifications and Requirements Summary

ACES specifications and required services are defined according to the following types:

Basic Services: Mandatory for offeror to propose/price and will be evaluated during Source Selection; participating agencies will receive these basic services, as a minimum, as a task order under the ACES contract

Additional Services: Services mandatory for offeror to propose and price and will be evaluated during Source Selection; optional for participating agencies to select as task orders under the ACES contract

Table C.3.2 provides a summary list and description of services ACES contractors shall provide and indicates the Section B, Supplies or Services and Prices, and Section C, Description/Specifications/Work Statement, section references for each item.

C.3.3 Certificate Application Process

ACES contractors shall provide a certificate application process that includes support for public/private key pair generation and registration and identity proofing of individuals, business representatives, and agency applications in accordance with (IAW) the following requirements.

Table C.3.2 Summary List and Description of Services Provided by ACES Contractor

Requirement Type | Description | Reference
Basic Service | Key pair generation software module and guidelines regarding protection of private key | B.2.1, C.3.3.1
Basic Service | Certificate issuance, delivery, and acceptance to individuals, business representatives, and agency applications | B.2.1, C.3.4.2, C.3.4.3
Basic Service | Certificate validation on-line, near real-time | B.2.1, C.3.5
Basic Service | Certificate suspension | B.2.1, C.3.6
Basic Service | Certificate revocation | B.2.1, C.3.6
Basic Service | Certificate renewal | B.2.1, C.3.7
Basic Service | Lost certificate replacement | B.2.1, C.8
Basic Service | Certificate interoperability as specified | B.2.1, C.3.9
Basic Service | Interface with the ACES CAM | B.2.1, C.4
Basic Service | Compliance with Internet communication standards and cryptographic algorithms and standards | B.2.1, C.6.1, C.6.2
Basic Service | Compliance with Certification Practices Statement | B.2.1, C.6.3
Basic Service | Compliance with performance requirements | B.2.1, B.2.2, C.6.4
Basic Service | Processing of failed verification and validation transactions | B.2.1, C.6.5
Basic Service | Scalability to support varying level of workload | B.2.1, C.6.6
Basic Service | Allowance for technology changes | B.2.1, C.6.7
Basic Service | Mechanisms for providing a CA key changeover | B.2.1, C.6.8
Basic Service | Support for specified platforms and interfaces for key generation and telecommunications interfaces | B.2.1, C.6.9
Basic Service | Customer service center and support | B.2.1, C.7.1
Basic Service | Promotion of ACES | B.2.1, C.7.2
Basic Service | Service ordering and billing systems | B.2.1, G.2, G.5
Basic Service | Access Control and Restrictions | B.2.1, B.2.2, C.7.3
Basic Service | Compliance with Computer Security Act, Paperwork Reduction Act, and Privacy Act requirements | B.2.1, C.7.4, C.7.7, C.7.8
Basic Service | Certification, accreditation, and re-accreditation | B.2.1, C.7.5
Basic Service | Quality assurance inspection, data collection, and reports | B.2.1, C.7.6, C.7.9, C.7.10
Basic Service | Personnel training and assurance | B.2.1, C.7.11
Basic Service | Date/time synchronization | B.2.1, C.7.12
Basic Service | Data transfer | B.2.1, C.7.13
Additional Services | Registration of individuals and business representatives | B.2.1, C.3.3.2.1, C.3.3.2.2
Additional Services | Identity proofing (successful and failed) of individuals and business representatives | B.2.1, C.3.3.3
Additional Services | Agency application ACES certificate registration and identity proofing | B.2.6, C.3.3.2.3, C.3.3.3
Additional Services | Government requested evolving technology changes | B.2.2, C.6.1, C.6.7
Additional Services | Ad hoc data collection, analysis, and dissemination | B.2.3, C.7.10.1
Additional Services | Supplemental PKI services | B.2.4, C.5
Additional Services | Hardware tokens, readers, software, and documentation for agency applications | B.2.7, C.3.3.1

C.3.3.1 Public/Private Key Pair Generation Support

ACES contractors shall make a key generation module validated to Federal Information Processing Standard Publication (FIPS PUB) 140-1 [Security Requirements for Cryptographic Modules, NIST, January 1994] available to certificate applicants. In addition, ACES contractors shall provide instructions, guidelines, and recommendations for use of the module. ACES contractors shall provide guidelines to subscribers regarding due diligence and prudence for protection of the private key, IAW the requirements specified in Section H.

ACES contractors shall provide and support the following methods for key pair generation and private key storage:

Applicant using applicant's software and/or hardware for key generation. The resulting private key may be stored as follows:

Software token stored by the applicant on a floppy disk and/or hard drive

Hardware token supplied by the applicant. ACES contractors shall support the applicant's use of any hardware token that meets the ACES contractor's requirements

If the ACES contractor participates with or assists the applicant with key pair generation, the applicant's private key shall remain only in volatile memory (only when necessary) until delivered to the applicant. ACES contractors shall not retain any copies of the applicant's private key

ACES contractors shall propose hardware selections for use by the agency applications, including the token, reader/writer, software, and documentation. ACES contractors shall offer replacement tokens for use by the agency applications.

ACES contractors shall request and accept the applicant's public key as part of the certificate issuance process at the time of registration, at the time of certificate issuance, or at a time determined by the ACES contractor. ACES contractors shall verify that the applicant has possession of the corresponding private key.

C.3.3.2 Registration

ACES contractors shall provide registration for individuals and business representatives, except when the Government provides registration of individuals and business representatives. The ACES contractors shall provide registration for agency applications that choose to participate in ACES. If the Government provides RA functions, or if the ACES contractor has delegated registration functions to subcontractor RA(s), all information shall be transmitted via a network between the ACES contractor and/or subcontractors and/or government RA(s) using mutual authentication.

ACES contractors shall provide registration as specified in Sections C.3.3.2.1, C.3.3.2.2, and C.3.3.2.3.

C.3.3.2.1 Individual Registration

At the time the individual applies for an ACES certificate, an ACES contractor shall:

Authenticate itself to the applicant prior to collecting any identity credentials

Inform the individual presenting the identity credentials that independent verification of the identity credentials will be performed by the ACES contractor

Obtain permission from the individual for the independent verification of the identity credentials

Provide confidentiality of all information transmitted/submitted by the individual during the registration process

C.3.3.2.2 Business Representative Registration

At the time the business representative requests an ACES certificate, an ACES contractor shall:

Authenticate itself to the business representative prior to collecting any identity credentials

Inform the business representative presenting the identity credentials that independent verification of the identity credentials will be performed by the ACES contractor

Obtain permission from the business representative for the independent verification of the identity credentials

Provide confidentiality of all information transmitted/submitted by the business representative during the registration process

If authorized by law, ACES contractors, acting on behalf of the agency applications, may charge businesses a fee for certificates. To the extent any such fee is collected, it will be used to offset the agency application payments to the ACES contractors.

C.3.3.2.3 Agency Application Registration

At the time the individual acting on behalf of the agency application requests an ACES certificate, an ACES contractor shall:

Authenticate itself to the individual acting on behalf of the agency application prior to collecting any identity credentials

Inform the individual acting on behalf of the agency application presenting the identity credentials that independent verification of the identity credentials will be performed by the ACES contractor

Obtain permission from the individual acting on behalf of the agency application for the independent verification of the identity credentials

Provide confidentiality of all information transmitted/submitted by the agency application representative during the registration process

C.3.3.3 Identity Proofing

ACES contractors shall provide verification of identity data submitted by individuals and business representatives, except when identity proofing is provided by the Government. The ACES contractors shall provide identity proofing of certificate applicants for agency applications.

After the certificate applicant has submitted identity credentials, ACES contractors shall verify the identity of the applicant IAW the requirements specified in Sections H and C.

ACES contractors shall verify the identity of all certificate applicants based on the following:

Cross-checking of identity credentials across multiple, independent-sourced databases

ACES contractors shall verify all of the following certificate applicant-supplied items:

First name, middle initial, last name

Place of birth

Date of birth

Current address (number and street, town, zip code) and telephone number

The ACES contractors shall verify at least three applicant supplied items from the following list, at least one of which shall be based on an antecedent in-person identity verification process:

Currently-valid credit card number

Alien Registration Number

Passport Number

Current employer name, address (number and street, town, zip code), and telephone number

Currently valid state-issued driver's license number or state-issued identification card number

Social Security Number

If the applicant is requesting a certificate for a business representative, ACES contractors shall verify the applicant's individual identity as specified above and further verify that the applicant is a duly authorized representative of the organization as an employee, partner, member, agent, or other association.

The ACES contractor shall verify the following items related to the business entity's identity:

Organization's current address (number and street, town, zip code) and telephone number

Legal company name

Type of entity

Year of formation

Names of directors and officers

Good Standing

If the applicant is requesting a certificate as an agency application, ACES contractors shall verify:

The applicant's individual identity as specified above

That the applicant is authorized to act on behalf of the agency application

The association of the certificate applicant with the agency application.

C.3.3.3.1 Successful Identity Proofing Verification

If the certificate applicant passes identity proofing verification performed by the ACES contractor, the ACES contractor shall notify the applicant of the successful completion of the verification process IAW the requirements specified in Section C.3.4.3. ACES contractors shall, at a minimum, record the following transaction data:

Applicant's name as it appears in the certificate's "Common Name" field

Method of application (i.e., on-line, in-person)

For each data element accepted for proofing, including electronic forms:

Name of document presented for identity proofing

Issuing authority

Date of issuance

Date of expiration

All fields verified

Source of verification (i.e., which databases used for cross-checks)

Method of verification (i.e., on-line, in-person)

Date/time of verification

Names of the ACES contractor, including subcontractors, if any

All associated error messages and codes

Date/time of process completion

Names (IDs) of ACES contractor's processes, including subcontractors' processes, if any

C.3.3.3.2 Failed Identity Verification

If the applicant fails identity proofing verification performed by the ACES contractor, the ACES contractors shall notify the applicant of the verification failure via out-of-band notification as specified in Section C.3.4.3. ACES contractors shall suspend or end the current applicant registration process, as determined by the ACES contractor, and shall at a minimum, provide the following verification information to the certificate applicant:

Indicate failure of identity verification process

Inform the applicant of the process necessary to resume processing

Record the following transaction data:

Applicant's name as it appears in the certificate's "Common Name" field

Method of application (i.e., on-line, in-person)

For each data element accepted for proofing, including electronic forms:

Name of document presented for identity proofing

Issuing authority

Date of issuance

Date of expiration

All fields verified

Source of verification (i.e., which databases used for cross-checks)

Method of verification (i.e., on-line, in-person)

Date/time of verification

Names of ACES contractor and subcontractors, if any

Fields that failed verification

Status of current registration process (suspended or ended)

All identity verification data

All associated error messages and codes

Date/time of process completion or suspension

Names (IDs) of ACES contractor's processes, including subcontractors' processes, if any

C.3.4 Certificate Issuance

For purposes of specifying requirements relating to the issuance of ACES certificates, requirements associated with RA, CA, and Certificate Management Authority (CMA) functions are specified separately, when necessary. The ACES contractor shall be responsible for performance of all RA, CA, and CMA functions, except when RA (registration and identity proofing) functions are provided by the Government.

C.3.4.1 ACES Contractor Certificates

The ACES contractor shall self-sign its ACES CA certificate IAW the hashing algorithms and Rivest, Shamir, and Adleman (RSA) digital signature algorithm specified in Section C.6 and C.3.4.2.

The ACES CA's certificate shall be delivered to ACES participants in a way that allows for integrity validation and authentication.

C.3.4.2 Issuance of Individual, Business Representative, and Agency Application Certificates

After successful registration and identity proofing have been completed, ACES contractors shall issue and maintain certificates for individuals, business representatives, and agency applications. Before issuing an ACES certificate, the ACES contractors shall receive acknowledgement from the subscriber relating to the subscriber's responsibility to:

Assure the ACES contractor that a key pair was generated using a reasonably trustworthy system and that reasonable precautions will be taken to prevent any loss, disclosure, or unauthorized use of the private key

Provide that complete and accurate information was provided as requested during the certificate application process

Acknowledge that by accepting the certificate, the subscriber is warranting that all information and representations made by the subscriber that are included in the certificate are true

Use the certificate exclusively for purposes of authentication of identity enabling access to agency applications for electronic information and transactions

Instruct the ACES contractor to revoke a business representative certificate whenever the subscriber is no longer affiliated with the business entity

Instruct the ACES contractor to revoke the certificate promptly upon any actual or suspected loss, disclosure, or other compromise of the subscriber's private key

Respond as required to notices issued by the ACES contractor

Acknowledge that the ACES contractor will revoke the certificate if the subscriber does not meet these responsibilities

ACES contractors shall be responsible for performing all certificate manufacturing and issuing functions. ACES contractors may delegate performance of these obligations to a subcontractor(s). If the ACES contractor has delegated certificate-manufacturing functions to subcontractor CMA(s), and the request to generate a certificate is transmitted via a network from subcontractor or Government RAs, the messages shall be transmitted using mutual authentication.

A Certificate Request message may be transmitted by an applicant or by an RA on behalf of an applicant. This message, sent to an ACES contractor, will contain the applicant and key pair data necessary to create an ACES certificate. If it is transmitted via a network from subcontractor or Government RAs, the message shall be transmitted using mutual authentication. Upon receipt of a valid Certificate Request message, ACES contractors shall:

Verify the signature on the certificate request message

Verify that the individual or business representative has possession of the private key and accept the public key provided by the individual as part of the certificate issuance process

Verify that the individual acting on behalf of the agency application has possession of the private key and that the private key was generated and stored on a hardware token

Accept the associated public key provided as part of the certificate issuance in a manner that ensures:

The key has not been changed during transit

The sender possesses the private key that corresponds to the transferred public key

The sender of the public key is the legitimate user claimed in the certificate application

Generate an ACES contractor-specific, unique certificate serial number

Generate/issue a certificate with a nominal lifetime of two years that conforms to the X.509v3 certificate format according to Table C.3.4.2, Required Certificate Fields

Sign individual and business representative certificates IAW the cryptographic algorithms specified in Section C.6.2

Sign agency application certificates IAW the hashing algorithms and RSA digital signature algorithm specified in Section C.6.2

The CMA function shall record the following transaction data:

Name of ACES contractor, including subcontractors, if any

Date/time Certificate Request message received

Copy of certificate

All issuance data

All associated error messages and codes

Date/time of certificate creation

Names (IDs) of ACES contractor and subcontractor, if any, processes

The CA function shall record the following transaction data:

Name of ACES contractor, including subcontractors, if any

Name of RA, if any

Date/time of Certificate Request message from RA, if any

Date/time certificate received from CMA, if any

Copy of certificate

Method of delivery to the subscriber

Method of receipt and acceptance by the subscriber

Date/time of completion of certificate issuance

All associated error messages and codes

Names (IDs) of ACES contractor and subcontractor, if any, processes

C.3.4.3 Certificate Delivery, Acceptance, and Activation

ACES contractors shall use an out-of-band notification process linked to the certificate applicant's physical postal mail address and shall deliver the certificate only to the subscriber and/or make the certificate available for delivery only to the subscriber. The ACES contractor shall provide the subscriber with a human-readable, plain-language copy of the certificate or the information contained in the certificate. The ACES contractor shall not activate a certificate without the consent of the applicant.

ACES contractors shall record a certificate receipt and acceptance or rejection acknowledgement of the ACES certificate by the subscriber. Upon receipt of subscriber certificate acceptance, ACES contractors shall indicate the subscriber's certificate as currently valid.

Table C.3.4.2 Required Certificate Fields

Object/Attribute | Type | Requirement | Comment

Basic Certificate

Version INTEGER ACES shall require v3 or later; i.e., version=2. 0 = v1, 1 = v2, 2 = v3.
SerialNumber INTEGER SerialNumber shall be unique for each certificate issued by a given ACES contractor.
Signature SEQUENCE Note that the "parameters" field shall not be used. Information re: the Issuer's (ACES contractor's) signature.
AlgorithmIdentifier AlgorithmIdentifier
Issuer SEQUENCE of RelativeDistinguishedName Reference for Distinguished Name: ITU-T Recommendation X.501 | ISO/IEC 9594-2:1997, Information Technology - Open Systems Interconnection - The Directory: Models, 1997.
Validity SEQUENCE
NotBefore Time Time fields shall use Coordinated Universal Time as the reference time base. Time shall be synchronized within one second of the Master Clock at the U.S. Naval Observatory. The Distinguished Encoding Rules (DERs) allow several methods for formatting time. To ensure that "time" fields are consistently formatted, ACES certificates shall follow the Federal PKI Working Group recommendation (Federal PKI Version 1 Technical Specifications: Part E - X.509 Certificate and CRL Extensions Profile) that all "UTCTime" fields are encoded using DERs in the "Z" format and must never omit the "seconds" field (even when it is "00") (i.e., the format shall be YYMMDDHHMMSSZ). Further, the system shall interpret the year field, YY, as 19YY when YY is greater than or equal to 50, and 20YY when YY is less than 50. ITU-T Recommendation X.690, Information Technology - ASN.1 Encoding Rules - Specification of Basic Encoding Rules, Canonical Encoding Rules and Distinguished Encoding Rules, 1994.
NotAfter Time See above cell.
Subject SEQUENCE of RelativeDistinguishedName Reference for subject: ITU-T Recommendation X.500 | ISO/IEC 9594-1:1997, Information Technology - Open Systems Interconnection - The Directory: Overview of Concepts, Models, and Services, 1997.

Reference for Distinguished Name: ITU-T Recommendation X.501 | ISO/IEC 9594-2:1997, Information Technology - Open Systems Interconnection - The Directory: Models, 1997.

Reference for CommonName: ITU-T Rec. X.521 | ISO/IEC 9594-6:1994, Information technology - Open Systems Interconnection - The Directory: Selected Object Classes, 1994.

Organization Directory String Every ACES Business Representative Subscriber certificate shall contain an Organization field wherein O=the name of the business.

Every ACES Agency Application Subscriber certificate shall contain an Organization field wherein O=U.S. Government.

OrganizationalUnit DirectoryString Every ACES Agency Application certificate shall contain an OrganizationalUnit field wherein OU=as listed in the AB Codelist.
Person CommonName
CommonName DirectoryString Every ACES Individual Subscriber certificate shall contain the CommonName field wherein CN=name of applicant.

Every ACES Business Representative Subscriber certificate shall contain a CommonName field wherein CN=the name of the applicant.

Every ACES Agency Application certificate shall contain CN, the CommonName field wherein CN=the name of the agency application.

A common name is not a directory name; it is an attribute of the object person; ex: CN=John Doe.
SubjectPublicKeyInfo SEQUENCE
Algorithm AlgorithmIdentifier
AlgorithmIdentifier
Parameters Note that the use of the "parameters" field is allowed, but not required, in subject PublicKeyInfo (depending upon algorithmIdentifier).
SubjectPublicKey BIT STRING
SubjectUniqueIdentifier UniqueIdentifier Note that this field is required in all ACES certificates; it shall contain TBD (to be determined).

Extensions

KeyUsage EXTENSION The "critical" Boolean shall be TRUE. "Critical" indicates that any using system that does not recognize this field type or does not implement the semantics of the extension shall consider the certificate invalid.
KeyUsage BIT STRING The "digitalSignature" bit shall be set to "1," the "nonRepudiation" bit shall be set to "1," and all other bits shall be set to "0". This setting indicates key is used for digital signature (e.g., ephemeral authentication) and non-repudiation only.
basicConstraints EXTENSION The basicConstraints extension shall be required in all ACES certificates, marked as "critical" (i.e., criticality flag set to "true"), and set to indicate that, aside from ACES Contractors, no other ACES subscribers are trusted to issue ACES certificates. That is, ACES Contractor certificates shall have the CA Boolean set to "true," and all other ACES certificates shall have the CA Boolean set to "false."
CertificatePolicies EXTENSION The "critical" Boolean shall be FALSE. "Critical" indicates that any using system that does not recognize this field type or does not implement the semantics of the extension shall consider the certificate invalid.
CertPolicyId ObjectIdentifier ACES CertPolicyId OIDs shall be TBD. OBJECT IDENTIFIERs for ACES policy for 1) Individual Subscriber and 2) Business and Agency Application Subscriber certificates will be assigned in the near future by the Computer Security Objects Register at the National Institute of Standards and Technology.
Signed Macro
Signature SIGNED SEQUENCE Note that the "parameters" field shall not be used. Issuer's signature, applied over all certificate fields.
AlgorithmIdentifier AlgorithmIdentifier
ENCRYPTED-HASH BIT STRING
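The field rules in Table C.3.4.2, together with the minimum key lengths in Section C.6.2.1, can be checked mechanically once a certificate has been decoded. The following Python code is an added example, not part of the RFP; the dictionary layout, the function names, and both sample certificates are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Seconds are mandatory and only the "Z" form is allowed: YYMMDDHHMMSSZ.
UTCTIME_RE = re.compile(r"\d{12}Z")
# Minimum public key lengths from Section C.6.2.1, in bits.
MIN_KEY_BITS = {"RSA": 1024, "DSA": 1024, "ECDSA": 163}
REQUIRED_KEY_USAGE = {"digitalSignature", "nonRepudiation"}


def parse_utctime(value):
    """Parse a UTCTime string using the table's format and pivot-year rules."""
    if not UTCTIME_RE.fullmatch(value):
        raise ValueError(f"UTCTime {value!r} is not YYMMDDHHMMSSZ")
    yy = int(value[0:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    month, day, hour, minute, second = (int(value[i:i + 2]) for i in range(2, 12, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def lint_certificate(cert, is_contractor_ca=False):
    """Return the list of profile violations for one decoded certificate (a dict)."""
    findings = []
    if cert.get("version") != 2:
        findings.append("version: must be 2 (v3)")
    try:
        not_before = parse_utctime(cert["not_before"])
        not_after = parse_utctime(cert["not_after"])
        if not_after <= not_before:
            findings.append("validity: NotAfter is not later than NotBefore")
    except (KeyError, ValueError) as exc:
        findings.append(f"validity: {exc}")

    key_usage = cert.get("key_usage")
    if not key_usage or key_usage.get("critical") is not True:
        findings.append("keyUsage: extension must be present and critical")
    elif set(key_usage.get("bits", ())) != REQUIRED_KEY_USAGE:
        findings.append("keyUsage: only digitalSignature and nonRepudiation may be set")

    constraints = cert.get("basic_constraints")
    if not constraints or constraints.get("critical") is not True:
        findings.append("basicConstraints: extension must be present and critical")
    elif constraints.get("ca") is not is_contractor_ca:
        findings.append(f"basicConstraints: CA Boolean must be {is_contractor_ca}")

    policies = cert.get("certificate_policies")
    if policies and policies.get("critical"):
        findings.append("certificatePolicies: critical Boolean must be FALSE")

    algorithm, bits = cert.get("public_key", (None, 0))
    minimum = MIN_KEY_BITS.get(algorithm)
    if minimum is None:
        findings.append(f"publicKey: {algorithm!r} has no key length in C.6.2.1")
    elif bits < minimum:
        findings.append(f"publicKey: {algorithm} key of {bits} bits is below {minimum}")
    return findings


# Constructed sample: a conforming individual subscriber certificate.
GOOD_CERT = {
    "version": 2,
    "not_before": "990301000000Z",
    "not_after": "010301000000Z",   # YY=01 is read as 2001
    "key_usage": {"critical": True, "bits": ["digitalSignature", "nonRepudiation"]},
    "basic_constraints": {"critical": True, "ca": False},
    "certificate_policies": {"critical": False},
    "public_key": ("RSA", 1024),
}
# Constructed sample: seconds omitted, extra key usage bit, CA flag set, short key.
BAD_CERT = dict(
    GOOD_CERT,
    not_before="9903010000Z",
    key_usage={"critical": True, "bits": ["digitalSignature", "keyEncipherment"]},
    basic_constraints={"critical": True, "ca": True},
    public_key=("RSA", 512),
)

if __name__ == "__main__":
    for name, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(name, lint_certificate(cert))
```

The same function accepts an ACES contractor's own CA certificate when called with `is_contractor_ca=True`, which inverts the basicConstraints expectation.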

C.3.5 Certificate Validation

ACES contractors shall validate on-line, near-real-time the status of the certificate indicated in a Certificate Validation Request message. Upon receipt of a signed Certificate Validation Request message from an agency application, ACES contractors shall:

Verify the signature on the Certificate Validation Request

Generate and return a signed Certificate Status Response message

Indicate the certificate status as one of the following:

Valid. Indicates that the certificate is usable

Invalid. Indicates that the certificate either has been revoked or is beyond its operational period

Suspended. Indicates that the certificate has been placed in a temporary, unusable state

Record the following transaction data:

Certificate serial number

Certificate status with reason code

Requesting agency application certificate serial number

All validation data

All associated error messages and codes

Date/time of all certificate validation requests

Date/time of transmission of certificate status request responses

Name (ID) of ACES contractor's process(es)

C.3.6 Certificate Suspension and Revocation

ACES contractors shall provide for the revocation of certificates when requested, at any time for any reason. If the Government provides RA functions, or if the ACES contractor has delegated revocation functions to subcontractor RA(s), all information shall be transmitted via a network between the ACES contractor and/or subcontractors and/or government RA(s) using mutual authentication. The ACES contractor shall revoke an ACES certificate:

Upon receiving a request to revoke a certificate from an authorized RA, a subscriber (i.e., individual, business representative, or agency application), or an authorized official of a business entity for a business representative

Upon failure of the subscriber to meet its responsibilities agreed upon at the time of certificate issuance, or under any other agreement, regulation, or law applicable to the certificate that may be in force

If the ACES contractor reasonably suspects that the subscriber's private key has been compromised

If the ACES contractor determines that the certificate was not properly issued

Upon receiving a request to revoke a certificate from a subscriber (i.e., individual, business representative, or agency application) or an authorized official of a business entity for a business representative, the ACES contractor shall:

Revoke only certificates it has issued

Supply a list of all certificates issued to the requester, as appropriate, and assist the requester in identifying the specific certificate(s) to be revoked (e.g., individual, business representative, or agency application)

Immediately change the certificate status to "suspended"

Verify the request

Change the status of the certificate to invalid or valid, depending upon the results of the verification

Notify the subscriber of the certificate status using an out-of-band notification process linked to the subscriber's physical postal mail address. In the case of suspected fraud or compromise of a certificate, ACES contractors shall include information regarding the possibility of unauthorized use of the certificate and include instructions for the applicant to receive a new certificate

The ACES contractor shall record the following revocation transaction data:

Date/time

Names of ACES contractor and RA, if any

Subscriber's common name

Certificate policy Object Identifier (OID)

Status of certificate at end of suspension

Reason code for revocation request

Certificate serial number

All associated verification request, suspension, and revocation data

The ACES contractor shall revoke its own self-signed certificate and all ACES certificates it has issued, in the event the ACES contractor learns, or reasonably suspects, that its private key used to sign ACES certificates has been compromised.

C.3.6.1 Replacement of Revoked Certificates

ACES contractors shall not renew a revoked certificate. ACES contractors shall provide an application process for subscribers whose certificates are revoked or expired (invalid status).

C.3.7 Certificate Renewal

ACES contractors shall notify subscribers of the impending certificate expiration no later than 90 days prior to the expiration date of the certificate.

ACES contractors shall accept Certificate Renewal Requests from its subscribers within 90 days from the scheduled end of the operational period (expiration date) of the certificate, provided the certificate has not been revoked or suspended (i.e., certificate is valid). ACES contractors shall authenticate the subscriber's renewal request using the subscriber's current certificate for authentication in the renewal process. ACES contractors shall renew certificates in 2-year increments.

ACES contractors shall not renew invalid or suspended certificates. ACES contractors shall process certificate renewals, except where notices of the common name and/or key pair change are made by the subscriber. In the event of subject information and/or the key pair change, ACES contractors shall require the subscriber to request a new certificate IAW Section C.3.3.

ACES contractors shall record the following certificate renewal transaction data:

Certificate serial number

Certificate common name

Certificate policy OID

New operational period dates

Date/time of completion of renewal process

Name (ID) of ACES contractor process(es)

All associated renewal data

ACES contractors shall change the certificate status to "invalid" when a certificate is not renewed by the end of the certificate operational period (expiration date).
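The status transitions required by Sections C.3.6 and C.3.7 (immediate suspension on a revocation request, no renewal outside the valid state or the 90-day window, expiry to invalid) can be written as a small state machine. This is an added example, not part of the RFP; the class and method names are hypothetical, and extending the expiration date by two years from the current expiration date is an assumed reading of "2-year increments".

```python
from datetime import datetime, timedelta, timezone

VALID, SUSPENDED, INVALID = "valid", "suspended", "invalid"
RENEWAL_WINDOW = timedelta(days=90)
RENEWAL_YEARS = 2


def add_years(moment, years):
    """Shift a date by whole years, mapping 29 February to 28 February if needed."""
    try:
        return moment.replace(year=moment.year + years)
    except ValueError:
        return moment.replace(year=moment.year + years, day=28)


class CertificateRecord:
    """Status record a CA might keep per certificate (hypothetical layout)."""

    def __init__(self, serial, not_after):
        self.serial, self.not_after = serial, not_after
        self.status = VALID
        self.log = []  # (date/time, event, resulting status)

    def _set(self, when, event, status):
        self.status = status
        self.log.append((when, event, status))

    def status_at(self, now):
        """Status a validation request would see; expiry makes the record invalid."""
        if self.status != INVALID and now >= self.not_after:
            self._set(now, "operational period ended", INVALID)
        return self.status

    def request_revocation(self, when):
        """Suspend immediately; verification of the request comes afterwards."""
        if self.status_at(when) == INVALID:
            raise ValueError("certificate is already invalid")
        self._set(when, "revocation requested", SUSPENDED)

    def resolve_revocation(self, when, request_verified):
        """A verified request ends in invalid; an unverified one restores valid."""
        if self.status != SUSPENDED:
            raise ValueError("no revocation request is pending")
        if request_verified:
            self._set(when, "revocation request verified", INVALID)
        else:
            self._set(when, "revocation request rejected", VALID)

    def renew(self, now):
        """Renew only valid certificates, only inside the 90-day window."""
        if self.status_at(now) != VALID:
            raise ValueError(f"cannot renew a certificate in status {self.status}")
        if now < self.not_after - RENEWAL_WINDOW:
            raise ValueError("renewal window opens 90 days before expiration")
        self.not_after = add_years(self.not_after, RENEWAL_YEARS)
        self._set(now, "renewed", VALID)


def attempt(action, *args):
    """Run an action and return the refusal message, or None if it was allowed."""
    try:
        action(*args)
    except ValueError as exc:
        return str(exc)
    return None


def demo():
    """Constructed timeline for one certificate that expires on 1 March 2001."""
    def day(year, month, dom):
        return datetime(year, month, dom, tzinfo=timezone.utc)

    cert = CertificateRecord(1001, day(2001, 3, 1))
    too_early = attempt(cert.renew, day(2000, 6, 1))
    cert.request_revocation(day(2000, 12, 15))
    while_suspended = attempt(cert.renew, day(2000, 12, 16))
    cert.resolve_revocation(day(2000, 12, 17), request_verified=False)
    cert.renew(day(2001, 1, 10))
    renewed_until = cert.not_after
    cert.request_revocation(day(2001, 2, 1))
    cert.resolve_revocation(day(2001, 2, 2), request_verified=True)
    after_revocation = attempt(cert.renew, day(2001, 2, 3))
    return too_early, while_suspended, renewed_until, after_revocation, cert.status


if __name__ == "__main__":
    print(demo())
```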

C.3.7.1 Agency Application Certificate Renewal

ACES contractors shall renew certificates issued to agency applications only after completing successful identity proofing verification IAW requirements for identity proofing of individuals authorized to act on behalf of agency applications specified in Section C.3.3.3 of this solicitation.

C.3.8 Replacement of Lost Certificates

ACES contractors shall provide for the replacement of lost certificates. Upon receiving a signed request to replace a lost certificate from a subscriber (i.e., individual, business representative, or agency application) or an authorized official of a business entity for a business representative subscriber, the ACES contractors shall record the following certificate replacement transaction data:

Certificate serial number

Certificate common name

Certificate policy OID

Date/time of completion of replacement process

Name (ID) of ACES contractor process(es)

All associated replacement data

C.3.9 Certificate Interoperability

ACES contractors shall support ACES interoperability, at a minimum, as follows:

If an ACES certificate is signed by the ACES CA with any algorithm other than the RSA digital signature algorithm as specified in Section C.3.2, ACES contractors shall provide cryptographic modules and support to the agency applications for interoperability with these certificates

All ACES contractors shall support authentication of all agency application certificates

All ACES contractors shall make their own ACES CA certificates available to all ACES participants

C.4 Certificate Arbitrator Module (CAM)

GSA will provide the CAM to agency applications participating in ACES. ACES contractors shall interface with the CAM as specified. Descriptions of CAM functional processes and are provided for information purposes.

C.4.1 Operating System Support Information

The CAM will, at a minimum, support Unix-based and Microsoft operating systems. In addition, the CAM will support the Internet and individual interface standards specified in Section C.6.1 of this solicitation.

C.4.2 CAM Interfaces

As shown in Figure C.4.2, the CAM will offer these interfaces:

An Agency Application Interface (Agency Application-side API) which will support the following for multiple agency applications:

A Certificate Status function that will accept a certificate for verification and validation, and will return the fields parsed from the certificate and the status of the certificate (i.e., valid, invalid, or suspended)

A CA Interface (CA-side APIs) which will support the following:

A Certificate Validation function that will pass a Certificate Validation Request (or a pointer thereto) signed with the requesting agency application's private key to the "CA Interface Module" for the appropriate CA (i.e., the CA which issued the certificate). This function will also receive the Certificate Validation Request Response returned from the CA

A Cryptographic Library interface that will support functions necessary to support CAM processing. This library will include support for all RSA, Digital Signature Algorithms (DSAs), and Elliptic Curve Digital Signature Algorithms (ECDSAs) listed in Sections C.6.2.3 and C.6.2.4.

A "CA-side" CAM API will be made publicly available to ACES contractors. Each ACES contractor shall create a "CA Interface Module" and shall complete the interface between the CA-side CAM API and its own "CA Interface Module" (see Figure C.4.2).

Figure C.4.2 Conceptual Depiction of CAM Interfaces


C.4.3 CAM Certificate Status Function Processing Information

The CAM will perform the following processes:

Process certificates for each issuing CA within the same number of processing cycles

Verify the issuing CA's signature on the certificate

Check that the presented certificate is within its operational period

Check the certificate against the locally-stored list of invalid certificates

Verify that the presented certificate is a certificate which can be accepted by the agency application for validation by checking the locally-stored list of issuing CAs

If the certificate passes all the above checks, the CAM will:

Determine the validation route ("path") to the appropriate issuing CA

Generate Certificate Validation Request message, which will consist of at least the following elements:

Certificate serial number

Issuing CA

Time/date stamp

Agency application identifier

Transmit the Certificate Validation Request message to the requesting agency application's hardware token for digital signature

Forward the digitally-signed (with the appropriate agency application's private key) Certificate Validation Request message (or a pointer thereto) to the appropriate CA-side CAM Interface Module

When the signed Certificate Status Response has been received from the issuing CA, the CAM will:

Verify the signature on the Certificate Status Response message

If the Certificate Status Response indicates the certificate is invalid, add appropriate information to the locally-stored list of invalid certificates, along with the certificate's expiration date

Return the following outputs to the agency application initiating the validation request:

Information contained in all certificate fields specified in Table C.3.4.2, Required Certificate Fields

Certificate status (valid, invalid, or suspended), to include a reason code for an "invalid" status

Time/date of validation check
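The Certificate Status processing above, together with the CA side described in Section C.3.5, is shown here as an added Python example that is not part of the RFP or of the CAM itself. HMAC-SHA256 with shared keys stands in for the RSA signatures and the hardware token so the code runs with the standard library alone; the class names, message layouts, the constructed reason code, and the choice to report every failed check as "invalid" are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

UTC = timezone.utc


def sign(key, message):
    """Stand-in signature: HMAC-SHA256 over canonical JSON (assumption, not RSA)."""
    data = json.dumps(message, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key, message, signature):
    return hmac.compare_digest(sign(key, message), signature)


class DemoCa:
    """Hypothetical issuing CA that answers Certificate Validation Requests."""

    def __init__(self, name, key, app_keys):
        self.name, self.key, self.app_keys = name, key, app_keys
        self.status = {}        # serial -> (status, reason code)
        self.requests_seen = 0

    def issue(self, serial, subject, not_before, not_after):
        body = {"issuer": self.name, "serial": serial, "subject": subject,
                "not_before": not_before.isoformat(),
                "not_after": not_after.isoformat()}
        self.status[serial] = ("valid", None)
        return dict(body, signature=sign(self.key, body))

    def validate(self, request, signature):
        """Verify the request signature, then return a signed status response."""
        self.requests_seen += 1
        app_key = self.app_keys.get(request["agency_app"])
        if app_key is None or not verify(app_key, request, signature):
            raise PermissionError("validation request signature not verified")
        status, reason = self.status.get(request["serial"], ("invalid", "unknown"))
        response = {"serial": request["serial"], "status": status, "reason": reason}
        return response, sign(self.key, response)


class Cam:
    """Agency-side checks listed for the Certificate Status function."""

    def __init__(self, app_id, app_key, accepted_cas):
        self.app_id, self.app_key = app_id, app_key
        self.accepted_cas = accepted_cas   # locally stored list of issuing CAs
        self.invalid = {}                  # (issuer, serial) -> expiration date

    def certificate_status(self, cert, now):
        fields = {k: v for k, v in cert.items() if k != "signature"}

        def result(status, reason=None):
            return {"fields": fields, "status": status, "reason": reason,
                    "checked_at": now.isoformat()}

        # The issuer lookup runs first because it supplies the verification key.
        ca = self.accepted_cas.get(cert.get("issuer"))
        if ca is None:
            return result("invalid", "issuing CA not accepted")
        if not verify(ca.key, fields, cert.get("signature", "")):
            return result("invalid", "issuer signature not verified")
        not_before = datetime.fromisoformat(cert["not_before"])
        not_after = datetime.fromisoformat(cert["not_after"])
        if not not_before <= now <= not_after:
            return result("invalid", "outside operational period")
        key = (cert["issuer"], cert["serial"])
        if key in self.invalid:
            return result("invalid", "on local list of invalid certificates")
        request = {"serial": cert["serial"], "issuer": cert["issuer"],
                   "timestamp": now.isoformat(), "agency_app": self.app_id}
        response, response_sig = ca.validate(request, sign(self.app_key, request))
        if not verify(ca.key, response, response_sig) or response["serial"] != cert["serial"]:
            return result("invalid", "status response not verified")
        if response["status"] == "invalid":
            self.invalid[key] = not_after
        return result(response["status"], response["reason"])


def demo():
    """Constructed scenario: a certificate is revoked between two checks."""
    app_key, ca_key = b"constructed-app-key", b"constructed-ca-key"
    ca = DemoCa("Demo ACES CA", ca_key, {"agency-app-1": app_key})
    cam = Cam("agency-app-1", app_key, {ca.name: ca})
    now = datetime(1999, 6, 1, tzinfo=UTC)
    cert = ca.issue(1001, "CN=John Doe", datetime(1999, 1, 1, tzinfo=UTC),
                    datetime(2001, 1, 1, tzinfo=UTC))
    before = cam.certificate_status(cert, now)
    ca.status[1001] = ("invalid", "constructed-reason-code")
    after = cam.certificate_status(cert, now)    # CA reports invalid
    cached = cam.certificate_status(cert, now)   # answered without contacting the CA
    altered = cam.certificate_status(dict(cert, subject="CN=Jane Roe"), now)
    return before, after, cached, altered, ca.requests_seen
```

The third check is answered from the local list of invalid certificates, so the CA sees only two validation requests; the altered certificate is rejected at the issuer-signature check before any request is sent.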

C.5 Supplemental PKI Services to Agency Applications

C.5.1 System Integration of CAM

ACES contractors shall provide, at an agency's request, under terms of a task order issued hereunder and upon GSA approval, programming and/or other integration support required to interface the agency application with the CAM. ACES contractors shall provide support for completion of the interface between the CAM APIs and the agency application.

C.5.2 CAM Maintenance and Utility Support

The ACES contractors shall provide, at an agency's request, under terms of a task order issued hereunder and upon GSA approval, support for administration, maintenance, and support of the CAM as specified.

C.5.3 Other System Integration Requirements

ACES contractors shall provide, at an agency's request, under terms of a task order issued hereunder, and upon GSA approval, such programming and other systems integration support as may be required to enable the agency application to participate in the ACES program (e.g., support for modifications to existing applications and access controls required for on-line access by subscribers). This support shall include, but is not limited to, assessments to determine PKI requirements, integration of applications with the PKI services specified in this solicitation and modifications of the PKI services specified in this solicitation to meet unique agency application requirements.

C.5.4 Telecommunications Interface Integration

ACES contractors shall provide, at an agency's request, under terms of a task order issued hereunder, and upon GSA approval, such support for integration and completion of the telecommunications interface necessary to establish and maintain a communications link between the ACES contractor and the agency application. The ACES contractor shall provide, at the agency's request, technical support for completing the connectivity from the agency application to the telecommunications service.

C.6 Additional ACES Requirements

C.6.1 Internet Communication and Standards

Compliance with the latest versions of the Internet Engineering Task Force (IETF) and World Wide Web Consortium (W3C) standards is required throughout the duration of the contract. ACES contractors shall stay in conformity with evolving standards as they impact this contract, at no additional cost to the Government. Government requested changes related to evolving technologies may have an associated cost. Considering the rapidly evolving nature of industry standards and technology changes, ACES contractors shall hold ongoing discussions with the Government to assess the impact of those changes; meeting, at a minimum, semi-annually. A mutually-agreed upon schedule shall be established for changes, as specified in Section G.

ACES contractors shall provide support for Internet-based communication with ACES subscribers (e.g., World Wide Web (WWW) browsing (navigation), e-mail, File Transfer Protocol (FTP), or telnet logon).

C.6.2 Cryptographic Algorithms and Standards

ACES contractors shall support the standards listed below (including de facto and Government-approved standards) which are cited either to provide assurance that sufficiently robust cryptography is being used, or to enhance the potential of an agency application to process certificates from different ACES contractors in the same manner.

C.6.2.1 Key Length Requirements

ACES contractors shall support one or more of the following key length requirements:

Each RSA and DSA public key associated with a certificate shall have a minimum length of 1024 bits

Each ECDSA public key associated with a certificate shall have a minimum length of 163 bits

For alternate algorithms, only Government-approved key lengths shall be used

C.6.2.2 Key Generation Methods

ACES contractors shall support one or more of the following key generation methods:

For keys used in DSA, IAW FIPS PUB 186, Digital Signature Standard (DSS), National Institute of Standards and Technology (NIST), May 1994, Appendix 3, Random Number Generation for the DSA, or using other FIPS approved security methods

For keys used in RSA, IAW PKCS#1: RSA Encryption Standard, Version 1.5, November 1993, Section 6, Key generation

For keys used in ECDSA, IAW ANSI X9.62, "American National Standard for Financial Services: Public Key Cryptography Using Irreversible Algorithms for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)," draft, ASC X9 Secretariat, American Bankers Association, 1997

For alternate algorithms, only Government-approved key generation mechanisms shall be used

C.6.2.3 Hashing Algorithms

ACES contractors shall support the following hashing algorithms:

Standard Hash Algorithm (SHA) IAW FIPS PUB 180-1, Secure Hash Standard (SHS), NIST, April 1995

For alternate algorithms, only Government-approved algorithms shall be used

C.6.2.4 Signature Algorithms

ACES contractors shall support, at a minimum, the RSA signature algorithm IAW "PKCS#1: RSA Encryption Standards," Version 1.5, RSADSI, November 1993. The following signature algorithms may be supported, at the ACES contractor's option:

DSA IAW FIPS PUB 186, DSS, NIST, May 1994

ECDSA IAW Draft ANSI Standard X9.62

For alternate algorithms, only Government-approved signature algorithms shall be used

C.6.2.5 Certificate Format

ACES contractors shall create and maintain certificates that conform to the following:

ITU-T Recommendation X.509, "The Directory: Authentication Framework," June 1997

Requirements specified and standards referenced in Section C.3.4.2, Table C.3.4.2, Required Certificate Fields

C.6.2.6 Hardware

ACES contractors shall propose hardware tokens and readers for use by agency applications that shall conform to and support the Public Key Cryptography Standard (PKCS) #11: "Cryptographic Token Interface Standard," Version 1, RSADSI, April 1997.

ACES offerors shall propose hardware tokens, software, readers, and documentation to be provided to agency applications for use as part of "customer workstations" maintained at government locations to enable individual members of the public and business representatives to apply for ACES certificates.

C.6.2.7 Date/Time Stamp

ACES date/time stamps shall conform to the ITU-T Recommendation C.690 and X.690 v2, "Information Technology - ASN.1 Encoding Rules," 1994. ACES contractors shall use Coordinated Universal Time as the reference time base. ACES contractor's time shall be synchronized within one second of the clock at the U.S. Naval Observatory; granularity of time expressed shall be at least to the granularity of one minute.

C.6.2.8 Cryptographic Module Protection

ACES contractors shall use FIPS PUB 140-1 validated cryptographic modules that adhere, as a minimum, to the following requirements referencing FIPS PUB 140-1:

Level 3 - 4 (identity-based operator authentication) for "Roles and Services"

Level 3 (tamper protection and response envelope for covers and doors) for "Physical Security" for CA private key storage in hardware

Upon request, ACES contractors shall provide at least Level 2 FIPS PUB 140-1 validated cryptographic modules or key pair generation storage of private keys to agency applications.

C.6.3 Certification Practices Statement

ACES contractors shall provide a Certification Practices Statement (CPS) which supports the published ACES Certificate Policy and relevant specifications for services as described in this solicitation.

C.6.4 Performance

ACES contractors shall meet, at a minimum, the performance standards as specified for the following:

Hours of operation

Availability of services

Response time for services

C.6.4.1 Hours of Operation

ACES contractors shall operate the following on-line services 24 hours per day, seven days per week, including Federal holidays:

Certificate application acceptance and renewal services

Certificate validation services

Immediate certificate suspension services

Problem reporting

Change reporting

All of the remaining services and products specified shall, at a minimum, be operated on the basis of a 5-day, 40-hour work week, Monday through Friday, except Federal holidays.

C.6.4.2 Availability of Services

All of the on-line services and products specified shall, at a minimum, be in operation and available for use during the required hours of operation, not less than 99.5 percent of the time.

C.6.4.3 Response Time for Services

ACES contractors shall, at a minimum, provide the specified services according to the response times set forth in Table C.6.4.3. All response times shall be measured from the time the ACES contractor receives an initiation message in its inbound queue until the time the ACES contractor's response leaves its outbound queue.

Table C.6.4.3 Response Time Requirements

Transaction/Process | Response | Constraints

Registration and identity proofing | 3 days | >= 95% of all transactions within response
Certificate delivery or identity proofing failure notice, from completion of identity proofing | 3 days | >= 95% of all transactions within response
Certificate Validation, from receipt of request | 30 sec. | >= 95% of all transactions within response
Renewal of a certificate | 10 min. | >= 95% of all transactions within response
Certificate Revocation Request message | 3 days | >= 95% of all transactions within response
Suspension of Certificate following Certificate Revocation Request message | 10 min. | >= 95% of all transactions within response
Replacement of lost certificate | 10 min. | >= 95% of all transactions within response
Ad hoc Billing/Quality Assurance and Inspections | 48 hrs. | >= 95% of all transactions within response

C.6.5 Failure of Verification Checks

ACES contractors shall provide methods for processing failed verification checks and message responses (i.e., verification of digital signatures, failed Certificate Status response) as specified in this solicitation.

C.6.6 Scalability

ACES contractors shall design their architectures to support varying levels of workload, as set forth in Sections B, J, and L of this solicitation. The Government anticipates that varying architectures may be required to process varying workloads; therefore, ACES contractors shall define their proposed architectures in their responses to Sections B, J, L, and M of this solicitation.

C.6.7 Allowance for Technology Changes

The ACES program shall be able to incorporate new algorithms, formats, technologies, mechanisms, and media after contract award, as appropriate and approved by GSA. The Government recognizes that technologies are rapidly evolving and advancing. The Government wishes ACES services, features, etc. to remain up-to-date with commercial equivalents. Accordingly, the Government anticipates that services, features, etc., available under this contract will be increased, enhanced, and upgraded as these improvements become available.

ACES contractors shall propose enhancements that reduce the Government's risk, meet new or changed Government needs, improve performance, or otherwise present a service advantage to the Government.

C.6.8 CA Key Changeover

No minimum requirements for CA key changeover are specified in this solicitation. Methods for facilitating a CA key changeover shall be proposed by ACES offerors and included in the System Security Plan (SSP) provided after contract award.

C.6.9 Support

C.6.9.1 Key Generation Support

The key generation module shall support, at a minimum, Unix-based Operating System (OS), Microsoft OS, and Macintosh OS.

C.6.9.2 Interface Support

To support communications with agency applications, ACES contractors shall, at a minimum, support the following network access interfaces for telecommunications services between the agency applications and the ACES contractor:

Dial-up access via analog voice (ITU-TSS V.34 and standards for higher speeds as they become available) and ISDN BRI using the Point-to-Point Protocol (PPP) and the Multilink-PPP in conformance with RFC 1055 and 1331

Dedicated access interfaces to terminate Government transmission lines:

DS0

Frac-T1

T1

T3

C.7 Management and Operations

C.7.1 Customer Service Center

ACES contractors shall implement and maintain an ACES Customer Service Center to provide assistance and services to agency applications and subscribers.

C.7.1.1 Services for Agency Applications

The ACES Customer Service Center shall assist authorized representatives of participating agency applications as specified, including, but not limited to:

Services, features, and options

Task order development

Troubleshooting and problem reporting

Billing questions and issues

Implementation of services

C.7.1.2 Services for Subscribers

The ACES Customer Service Center shall assist individual, business representative, and agency application subscribers in areas including, but not limited to:

Application process

Requirements and options for proving identity

Key pair generation, use, and options

Private key protection mechanisms and methods

Certificate purposes and options

Certificate issuance

Certificate suspension and revocation

Certificate renewal

Problem reporting

Report of changes (e.g., subscriber name changes)

Accessing subscriber information

C.7.1.3 Hours of Operation

The ACES Customer Service Center shall be operational on the basis of a 5-day, 40-hour work week, Monday through Friday, except Federal holidays.

C.7.1.4 Toll-free Telephone Service

The ACES Customer Service Center shall provide toll-free telephone service for use by all subscribers in communicating with the ACES Customer Service Center.

Voice mail capabilities shall be provided for handling incoming calls received at times when assigned staff is unavailable.

C.7.1.5 E-Mail Service

The ACES Customer Service Center shall provide an e-mail address for use by all subscribers in communicating with the ACES Customer Service Center.

The ACES Customer Service Center shall automatically respond to e-mail messages received with a prompt acknowledgement of receipt, and shall respond to their content in a reasonable time consistent with industry practices.

C.7.1.6 Problem Identification and Resolution

The ACES Customer Service Center shall implement and maintain a system for receiving, recording, responding to, and reporting ACES problems within its own organization and to GSA.

C.7.1.7 Customer Service Records

The ACES Customer Service Center shall implement and maintain a system of records relating to customer requests for services and the services provided. For each such request, the ACES Customer Service Center shall record:

Date/time initially contacted

Method of contact (e.g., telephone, e-mail, etc.)

Name of individual making the contact

Individual agency application (if applicable)

Type of service requested or problem reported

Action taken

Date/time action completed

Name of person taking the action

Requirements for follow-up action (if any)

Date/time report filed

Name of person filing report

The customer service records shall be made available for Government review or quality assurance inspection upon request.

C.7.2 Promotion of ACES

ACES contractors shall market and promote the ACES program, products, and services. ACES marketing and promotion plans for initial and ongoing marketing during the period of the contract shall be provided by all ACES offerors.

Marketing and promotion materials that contain any and all references to ACES shall not:

(a) Imply Government endorsement of the product or service of one ACES contractor over another

(b) Interpret contract terms or conditions

(c) Use Government official seals and logos, unless otherwise agreed upon in writing by the GSA ACO

All marketing and promotion materials that contain any and all references to ACES shall be submitted to GSA for written approval prior to use. All such materials will be reviewed for content and adherence to specifications (a), (b), and (c) above and written approval/disapproval will be issued within 14 calendar days of receipt. Revisions shall be submitted to allow sufficient time for review.

All travel costs associated with marketing and promotion shall be borne by ACES contractors. Using approved materials, ACES contractors may direct-market agencies, businesses, and members of the general public, after contract award. The ACES contractors shall promote ACES to Government agencies by providing an Internet world wide web site that may be linked to a GSA FTS Internet site.

C.7.3 Access Controls and Restrictions

The ACES contractors shall not impose any access controls on the ACES Certificate Policy, the ACES contractor's certificate, and past and current versions of the ACES contractor's CPS. The ACES contractor shall not impose any access controls on subscribers with respect to their own certificate(s) and the status of such certificate(s).

C.7.3.1 Physical Security Controls

The ACES contractors shall implement appropriate physical security controls to restrict access to hardware and software (including servers and server accounts, workstations, and any external cryptographic hardware modules or tokens) used in connection with providing ACES services. Such access controls shall be monitored for unauthorized intrusion at all times.

C.7.3.2 Restrictions on CA's Private Key Use

The private key used by each ACES contractor for issuing ACES certificates shall be used only for signing ACES certificates. A private key held by a CMA, if any, and used for purposes of manufacturing ACES certificates shall be considered the ACES contractor's signing key and shall not be used by the CMA for any other purposes, except as agreed by GSA and the ACES contractor.

C.7.4 Computer Security Act Requirements

Performance of any resultant ACES contract will require the ACES contractor to operate one or more computer and/or telecommunications systems requiring protection under 15 U.S.C. 278 G-3 and G-4. The responding regulations relating to protection of these systems are set forth in Appendix III (Security of Federal Automated Information Resources) to Office of Management and Budget (OMB) Circular Number A-130 (Management of Federal Information Resources). The circular also provides that these security requirements be applied to Government systems being developed, operated, and/or used by the contractors.

The ACES contractor shall meet the minimum systems security requirements for ACES contractors set forth in Section H of this solicitation.

C.7.5 Security Certification, Accreditation, and Re-Accreditation

ACES contractors shall gain ACES Security Certification and Accreditation (C&A) from GSA prior to initial operation, and subsequently on an annual basis and at the time of any major change, as determined by GSA.

C.7.6 Annual Independent Quality Assurance and Inspection Requirements

ACES contractors shall submit to Government-conducted quality assurance inspections, with reasonable notice, and shall schedule, submit to, and pay for an annual quality assurance inspection by an independent organization agreeable to the Government. The annual quality assurance inspection shall be conducted pursuant to the guidance provided in the American Institute of Certified Public Accountants' (AICPA's) Statement on Auditing Standards (SAS) Number 70, Reports on the Processing of Transactions by Service Organizations, as follows:

ACES contractors that have been in operation for one year or less shall undergo a SAS 70 Type One Review -- A Report of Policies and Procedures in Operation, receiving an unqualified opinion

ACES contractors that have been in operation for longer than one year shall undergo a SAS 70 Type Two Review -- A Report of Policies and Procedures in Operation and Test of Operational Effectiveness, receiving an unqualified opinion

ACES contractors shall submit a plan for the SAS 70 review for Government approval, prior to conducting the quality assurance and inspection. The reports resulting from the quality assurance and inspections shall be submitted to the Government within 30 calendar days of the date of their completion.

The focus of these SAS 70 reviews shall be to provide the Government with independent verification that the ACES contractor is performing IAW its Government-approved CPS and is meeting all of the requirements set forth in the contract.

C.7.7 Paperwork Reduction Act Requirements

Performance of any resultant ACES contract will require the ACES contractor to collect, maintain, and disseminate information covered under Section 3506, Title 44 of the United States Code (44 U.S.C. 3506). The minimum regulatory requirements responding to 44 U.S.C. 3506 are set forth in Office of Management and Budget (OMB) Circular Number A-130 (Management of Federal Information Resources).

The ACES contractor shall meet the minimum OMB Circular Number A-130 requirements for ACES contractors set forth in Section H of this solicitation.

C.7.8 Privacy Act Requirements

Performance of any resultant ACES contract will require the ACES contractor to maintain one or more "systems of records" requiring protection under Section 552a, Title 5 of United States Code (5 U.S.C. 552a). The minimum standards for protecting and reporting on these systems of records are also set forth in 5 U.S.C. 552a. The regulations for protecting and reporting on these systems of records are set forth in Appendix I (Federal Agency Responsibilities for Maintaining Records About Individuals) to Office of Management and Budget (OMB) Circular Number A-130 (Management of Federal Information Resources).

Subsection (m) (1) of 5 U.S.C. 552a and Paragraph 3.a.(1) of Appendix I to OMB Circular Number A-130 provide that the systems of records protection and reporting requirements shall be passed through to any contractor who maintains a system(s) of records on behalf of a Government agency.

The ACES contractors shall meet the minimum systems of records protection and reporting requirements for ACES contractors set forth in Section H of this solicitation.

C.7.9 Ad Hoc Data Collection, Analysis, and Dissemination Requirements

In addition to the scheduled data collection, analysis, and dissemination requirements set forth in the solicitation, the ACES contractor may be tasked by the Government to perform additional data collection, analysis, and/or dissemination functions. These additional requirements, if any, will be procured by the Government through a task order issued under the terms of this contract, as described in Section G of this solicitation.

The ACES contractor shall provide for responding to additional, ad hoc data collection, analysis, and/or dissemination requirements in its proposal.

C.7.10 Personnel Training and Assurance

The ACES contractors shall provide employees with proper training, update briefings, and comprehensive user manuals detailing procedures for performing duties related to providing ACES services. The ACES contractors shall provide reasonable assurance of the trustworthiness and competence of employees and their satisfactory performance of duties relating to provision of ACES services.

C.7.11 Date/Time Synchronization

As a standard for this process, the ACES contractor shall use Coordinated Universal Time as the reference time base. Time shall be synchronized within one second of the clock at the U.S. Naval Observatory; granularity of time expressed shall be at least to the granularity of one minute.

C.7.12 Data Transfer

The ACES contractor shall initiate a complete transfer of all current and archived identity proofing, certificate, validation, revocation/suspension, renewal, policies and practices, billing, and audit data within 24 hours of request, or as otherwise agreed upon, and IAW Section H of this solicitation, and according to Government-approved plans. This data shall not include any non-ACES data.


[End Section C]