Federal PKI Certification Authorities Annual Review Information
This page contains information to help auditors assess Certification Authorities operated as part of the Federal PKI. This page also contains the annual audit reports to help the general public understand how the Federal PKI Management Authority (FPKIMA) provides trusted PKI and CA operations.
- Annual Review Requirements for all Certification Authorities
- Annual Review Schedule for all Certification Authorities
- Audit Information for the FPKIMA
Annual Review Requirements for All Certification Authorities
Independent compliance audits are the primary way that the Federal Public Key Infrastructure Policy Authority (FPKIPA) ensures that Certification Authorities participating in the Federal PKI comply with the requirements identified in the appropriate Certificate Policies (CPs). Audits are an important component of the Annual Review Requirements.
Audits are required annually for Certification Authorities. Annual review packages should be submitted to firstname.lastname@example.org.
- FPKI Annual Review Requirements (PDF, April 2017) – Requirements for performing and reporting annual compliance audits.
- FPKI Security Controls Overlay of Special Publication 800-53 Security Controls for PKI Systems (PDF, April 2014) – Additional security controls associated with Federal Information Security Modernization Act (FISMA) compliance.
Annual Review Schedule
| Entity | Type | Annual Review Package Due Date (2019) |
|---|---|---|
| Access Certificates for Electronic Services (ACES) Program | Affiliate PKI | Sep 30 |
| Drug Enforcement Agency (DEA) | Trust Partner | Sep 30 |
| Digicert | Affiliate PKI | July 31 |
| Digicert (Includes Symantec Non-Federal Issuer [NFI]) | Affiliate PKI | July 31 |
| Digicert (Includes Symantec Shared Service Provider [SSP]) | SSP | July 31 |
| Department of Defense (DoD) | Affiliate PKI | Aug 30 |
| Department of State (DOS) | Affiliate PKI | Apr 30 |
| Department of the Treasury | SSP | May 31 |
| Entrust NFI | Affiliate PKI | Nov 22 |
| Entrust Federal SSP | SSP | Nov 22 |
| Exostar | Affiliate PKI | Apr 30 |
| Government Publishing Office (GPO) | Affiliate PKI | Oct 31 |
| Identrust NFI | Affiliate PKI | Aug 31 |
| Patent and Trademark Office (PTO) | Affiliate PKI | April 1 |
| SAFE BioPharma | Bridge | Oct 31 |
| Southwest Texas Regional Advisory Council (STRAC) | Bridge | Nov 30 |
| Transglobal Secure Collaboration Program (TSCP) | Bridge | Apr 30 |
| Verizon NFI | Affiliate PKI | July 31 |
| Verizon SSP | SSP | July 31 |
| Wide Point NFI | Affiliate PKI | Apr 30 |
| Wide Point SSP | SSP | Apr 30 |
Audit Information for the Federal PKI Management Authority
This section contains information on audits performed on the Federal Common Policy Certification Authority and the Federal Bridge Certification Authority.
The Federal Common Policy Certification Authority operates in compliance with the Federal Common Certificate Policy. The Federal Bridge Certification Authority (FBCA) operates in compliance with the Federal Bridge Certificate Policy.
The Certificate Policies may be found on the Federal PKI page. The associated Certification Practice Statement (CPS) below documents the operational practices required to ensure trusted operations. Additional compliance audit information for the FPKI Trust Infrastructure Systems is also provided:
- U.S. Federal PKI Certification Practice Statement (PDF, December 2018) – Redacted Version 4.11
- U.S. Federal PKI Audit Letter of Compliance (PDF, July 2018) – Results of the 2017-2018 Compliance Audit for the FPKI Trust Infrastructure Systems.
- U.S. Federal PKI Microsoft Audit Comparison Letter (PDF, November 2017) – Comparison of the FPKI Audit with the Microsoft CA audit requirements.
To report a potential key compromise, security incident, or fraud, waste, or abuse involving Federal PKI certificates, please contact us with supporting evidence of the incident.
Page Reviewed/Updated: April 18, 2019