Federal Public Key Infrastructure (FPKI)

The Federal Public Key Infrastructure (FPKI) Program provides the government with a trust framework and infrastructure to administer digital certificates and public-private key pairs.

Federal Trust Framework

The FPKI is a network of hundreds of Certification Authorities (CAs) that issue:

  • PIV credentials and person identity certificates
  • PIV-Interoperable credentials and person identity certificates
  • Other person identity certificates
  • Enterprise device identity certificates

The participating CAs, together with the policies, processes, and auditing that govern all of the participants, are collectively referred to as the Federal Public Key Infrastructure (FPKI).

The FPKI includes U.S. federal, state, local, tribal, and territorial governments, international governments, and commercial organizations that work together to provide services for the benefit of the Federal Government.

Certificate Policies

The FPKI Policy Authority (FPKIPA) maintains two Certificate Policies to which all Certification Authorities map their policies.

Common Policy Framework Certificate Policies

The document below contains the certificate and certificate revocation list (CRL) profiles for the Federal PKI Common Policy:

Operating a Certification Authority that is used in the Federal Government and that contains federal data requires applying the NIST Special Publication (SP) 800-53 security controls. The following document contains the additional security controls that all Certificate Practice Statements must address. Review the controls overlay document to understand the requirements and details of each applicable control.

Federal Bridge Policies

There are two documents that contain the certificate and Certificate Revocation List (CRL) profiles for the Certificate Policies:

FPKI Key Recovery Policy

The FPKI Key Recovery Policy (KRP) supplements the FPKI Certificate Policies and describes the procedural and technical security controls needed to operate a Key Recovery System (KRS) securely, in accordance with FPKIPA requirements.

Certification Authorities

The FPKI Management Authority (FPKIMA) operates the primary Certification Authorities that serve as the trust infrastructure for the Federal Government:

  • U.S. Federal Common Policy Certification Authority – This system operates as the Root CA for the Federal Government’s PKI services and is audited to the X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework.
  • Federal Bridge Certification Authority – This system operates as a PKI bridge that enables interoperability between PKIs participating in the FPKI and is audited to the X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA).

PIV-Interoperable Information

The updated PIV-Interoperable guidance has been approved and is now available:

The Federal Government uses PIV and CAC credentials to identify employees and contractors affiliated with agencies. All PIV and CAC credentials are issued with the same processes and technology to provide a common baseline for authenticating to government networks, accessing government facilities, and authenticating to cross-government applications. These credentials conform to both the NIST Standards and the FPKI Certificate Policies. PIV and CAC credentials assert minimum suitability assurance (investigations).

PIV-Interoperable credentials were defined by the Federal Government to be issued to affiliates who are not employees or contractors but who may require access to a limited set of government systems. PIV-Interoperable credentials do not assert any suitability assurance.

Organization Information

Three offices within General Services Administration (GSA) maintain and govern Certificate Policies:

  • The Federal Acquisition Service leads the FPKI Management Authority (FPKIMA), which is responsible for operating the Federal Bridge and Federal Root Certificate Authorities.
  • The Office of Government-wide Policy co-chairs the FPKI Policy Authority (FPKIPA) and manages the governance and oversight of federal shared service providers, policy creation, and compliance audit reviews.
  • The Office of the Chief Information Officer (OCIO) is responsible for security and compliance validation and performs vulnerability scans and penetration testing.

Page Reviewed/Updated: August 21, 2018