Federal Public Key Infrastructure (FPKI)
The Federal Public Key Infrastructure (FPKI) Program provides the government with a trust framework and infrastructure to administer digital certificates and public-private key pairs.
- Federal Trust Framework
- Certificate Policies
- FPKI Key Recovery Policy
- Certification Authorities
- PIV-Interoperable Information
- Organization Information
You can find Auditing information here.
Federal Trust Framework
The FPKI is a network of hundreds of Certification Authorities (CAs) that issue:
- PIV credentials and person identity certificates
- PIV-Interoperable credentials and person identity certificates
- Other person identity certificates
- Enterprise device identity certificates
The participating CAs and the Policies, Processes, and Auditing of all the participants is referred to as the Federal Public Key Infrastructure (FPKI).
The FPKI includes U.S. Federal, State, Local, Tribal, Territorial, international governments and commercial organizations who work together to provide services for the benefit of the Federal Government.
The FPKI Policy Authority (FPKIPA) maintains two Certificate Policies to which all Certification Authorities map their policies.
Common Policy Framework Certificate Policies
- X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework (FCPF) (PDF, June 2017)
- FPKI Common Policy Framework Certificate Policy Change Proposals (updated January 2018)
The document below contains the certificate and certificate revocation list (CRL) profiles for the Federal PKI Common Policy:
- X.509 Certificate and CRL Extensions Profile for the Shared Service Provider (SSP) Program (PDF, July 2017)
To operate a Certification Authority used in the Federal Government and that contains federal data requires the application of NIST Special Publication (SP) 800-53 security controls. The following document contains the additional security controls that all Certificate Practice Statements must address. Review the controls overlay document to understand the requirements and details of each applicable control.
- FPKI Security Controls Overlay of Special Publication 800-53 Security Controls for PKI Systems (PDF, April 2014)
Federal Bridge Policies
- Certificate Policy for the Federal Bridge Certification Authority (FBCA) (PDF, June 2017)
- Federal Bridge Certificate Authority Certificate Policy Change Proposals (updated January 2018)
There are two documents that contain the certificate and Certificate Revocation List (CRL) profiles for the Certificate Policies:
- X.509 Certificate and CRL Extensions Profile (PDF, July 2017)
- X.509 Certificate and CRL Extensions Profile for Personal Identity Verification Interoperable (PIV-I) Credentials (PDF, July 2017)
FPKI Key Recovery Policy
The FPKI Key Recovery Policy (KRP) supplements the FPKI Certificate Policies and describes the procedural and technical security controls needed to operate a Key Recovery System (KRS) securely, in accordance with FPKIPA requirements.
- FPKI Key Recovery Policy (PDF, October 2017)
The FPKI Management Authority (FPKIMA) operates the primary Certification Authorities that serve as the trust infrastructure for the Federal Government:
- U.S. Federal Common Policy Certification Authority – The system operates as the Root CA for the Federal Government’s PKI services and is audited to the X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework.
- Federal Bridge Certification Authority – The system operates as a PKI bridge that enables interoperability between PKIs participating in the FPKI and is audited to the X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA).
The updated PIV-Interoperable guidance has been approved and is now available.
- PIV Interoperability for Issuers (PDF, July 2017)
The Federal Government uses PIV and CAC credentials to identify employees and contractors affiliated with agencies. All PIV and CAC credentials are issued with the same processes and technology to provide a common baseline for authenticating to government networks, accessing government facilities, and authenticating to cross-government applications. These credentials conform to both the NIST Standards and the FPKI Certificate Policies. PIV and CAC credentials assert minimum suitability assurance (investigations).
PIV-Interoperable credentials were defined by the Federal Government to be issued to affiliates that are not employees and contractors but who may require access to limited government systems. PIV-Interoperable credentials do not assert any suitability assurance.
Three offices within General Services Administration (GSA) maintain and govern Certificate Policies:
- The Federal Acquisition Service leads the FPKI Management Authority (FPKIMA), which is responsible for operating the Federal Bridge and Federal Root Certificate Authorities
- The Office of Government-wide Policy co-chairs the FPKI Policy Authority (FPKIPA) and manages the governance and oversight of federal shared service providers, policy creation, and compliance audit reviews.
- The Office of Chief Information Officer (OCIO) is responsible for security and compliance validation and performs vulnerability scans and penetration testing.
Page Reviewed/Updated: January 12, 2018