Federal PKI Governance and Compliance Audit Information
This page contains information to help Federal Public Key Infrastructure (FPKI) program managers and auditors.
- It includes the FPKI policies and profiles as well as the annual FPKI review schedule.
- It can help auditors assess certification authorities (CAs) operated as part of the FPKI.
- It can help the general public understand how the FPKI Management Authority (FPKIMA) provides trusted PKI and CA operations.
For any questions, please contact fpki at gsa.gov.
Federal PKI Policies and Profiles
The Federal Public Key Infrastructure (FPKI) provides the government with a trust framework and infrastructure to administer digital certificates and public-private key pairs. For more information on the FPKI, PIV, and PIV-I, see the linked pages.
The FPKI Policy Authority (FPKIPA) maintains three certificate policies (the Common Policy Framework, the Federal Bridge Certification Authority Certificate Policy, and the Federal Public Trust TLS Certificate Policy). All cross-certified CA certificate policies are mapped to the Federal Bridge certificate policy.
| Federal PKI Policy | Certificate Policy | Certificate Profile | Change Proposals |
|---|---|---|---|
| Federal Common Policy | X.509 Certificate Policy for the U.S. FPKI Common Policy Framework v2.6 | Common Policy X.509 Certificate and CRL Profiles v2.2 | Common Change Proposals |
| Federal Bridge | X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) v3.3 and PIV-I for Federal Agencies | Federal Bridge Certification Authority (FBCA) X.509 Certificate and CRL Extensions Profile v2.0 | Bridge Change Proposals |
| Federal Public Trust TLS | U.S. Federal Public Trust TLS PKI Certificate Policy v1.1 | Profiles are included in Section 7 of the Policy | No change proposals |
The FPKI has the following supplementary guidance:
- Security Controls Overlay of NIST Special Publication 800-53 Revision 5 Security Controls for FPKI Systems (PDF, February 2021) - Applying the NIST SP 800-53 security controls is required to operate a CA that participates in the FPKI and holds federal data. Review the overlay to understand each applicable control and its FPKI-specific requirements.
- Registration Authority Agreement Template v1.0 (Word, April 2017) - Identifies and explains the roles and responsibilities of an enrollment/registration agent under the Federal PKI Common Policy Framework.
- FPKI Incident Management Plan (PDF, September 2020) - Describes the roles and responsibilities of the FPKI Policy Authority (FPKIPA), FPKI Management Authority (FPKIMA), and FPKI affiliates in the event of an incident.
- Archived copies of Certificate Policies, Profiles, and other FPKI-related documents - This page contains three years of FPKI-related documents.
- FPKI Key Recovery Policy (Subsumed, October 2017) - For reference only; this is the original consolidated key recovery policy. All of its requirements and controls have been mapped into and subsumed by the other FPKI Certificate Policy documents.
Annual Review Requirements for All Certification Authorities
Independent compliance audits are the primary way that the Federal Public Key Infrastructure Policy Authority (FPKIPA) ensures that entities participating in the FPKI comply with the requirements identified in the appropriate Certificate Policies (CPs). Audits are an important component of the Annual Review Requirements.
Audits are required annually for supporting functions and elements of each entity. Annual review packages should be submitted to fpki at gsa.gov.
- FPKI Annual Review Requirements (PDF, May 2022) – This document includes requirements for performing and reporting annual compliance audits.
- RA Audit Guidance Memorandum (PDF, October 2022) - This FPKIPA memorandum reiterates the necessity of RA audits in supporting PKI operations, normalizes the differing terminology used across various references, and provides options for reducing duplicated RA audit effort, as applicable to PIV issuers.
- PIV and PIV-I Annual Testing - Supports FPKI Annual Reviews and can be done either in person at the GSA FIPS 201 Lab or remotely using the Card Conformance Tool (CCT) and the Certificate Profile Conformance Tool (CPCT).
- Non-Compliance Management Framework For The Federal Public Key Infrastructure (FPKI) (PDF, January 2016) - This document provides guidance for the FPKI Policy Authority (FPKIPA) for responding to situations in which an FPKI FBCA member is not meeting their Memorandum of Agreement (MOA) requirements and obligations.
Annual Review Schedule
| Entity | Annual Review Package Due Date |
|---|---|
| DigiCert (Formerly Symantec Non-Federal Issuer [NFI]) | |
| DigiCert (Formerly Symantec Shared Service Provider [SSP]) | |
| Department of Defense (DoD) | |
| Department of State (DOS) | |
| Department of the Treasury | |
| Entrust Federal SSP | |
| Patent and Trademark Office (PTO) | |
| Southwest Texas Regional Advisory Council (STRAC) | |
| Transglobal Secure Collaboration Program (TSCP) | |
Compliance Test Tools for Annual Reviews
The FPKI Program supports two remote PIV, PIV-I, and digital certificate test tools for FPKI annual reviews.
- The Card Conformance Tool (CCT) is a GSA-managed Java tool hosted on GitHub that verifies that a Personal Identity Verification (PIV) or PIV-Interoperable (PIV-I) credential conforms to the PIV data model.
- The Certificate Profile Conformance Tool (CPCT) is a self-hosted application that analyzes public X.509 certificates for conformance to a specified FPKI certificate profile.
To request an official report on your CPCT and CCT results, fill out the Annual PIV Credential Issuer (PCI) Testing Application Form and send it with outputs and testing artifacts to fips201ep at gsa.gov.
Submitting a Test Results Package
If you are running the Card Conformance Tool as part of the annual requirement to undergo PIV/PIV-I testing, you must email the artifacts listed below to fips201ep at gsa.gov.
- A completed testing application for each PCI configuration evaluated (see Section 1 of the application for more information).
- All accompanying Card Conformance Tool log files. These reside in the same directory as the extracted package after the tests have been run:
  - logs (directory)
  - piv-artifacts (directory)
  - x509-artifacts (directory)
  - x509-certs (directory)
  - the test database used for the evaluation (e.g., PIV_Production_Cards.db)
- The card's Answer-to-Reset (ATR) value as presented in the "Reader Status" text box (e.g., 3bd6970081b1fe451f078031c1521118f9), which is displayed on the CCT landing page when a card is available to the test system.
- A report (PDF or XLSX) for each certificate found on the card (use the Certificate Profile Conformance Tool web application to generate the reports).
- High-resolution photos of the front and back of each card tested.
Collecting all accompanying Card Conformance Tool log files is most easily achieved by zipping the fips201-card-conformance-tool-[Release-Version]-[Release-Date] directory, which is the same directory where you extracted the tool.
Failure to submit a complete CCT package may delay review of your testing results and completion of your annual FPKI PIV/PIV-I testing requirement.
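Because an incomplete package delays the review, it is worth checking the extracted tool directory for the required artifacts before zipping it. The script below is an added example written for this page; it is not part of the Card Conformance Tool or any GSA-published procedure. It assumes the directory layout listed above (logs/, piv-artifacts/, x509-artifacts/, x509-certs/ and a *.db test database in the tool directory) and that the zip utility is installed; the function and file names are illustrative.

```shell
#!/bin/sh
# Added example, not GSA code: confirm that an extracted Card Conformance Tool
# directory holds every artifact the annual PIV/PIV-I testing package requires,
# then zip the whole directory as the page recommends.
# Assumed layout: logs/, piv-artifacts/, x509-artifacts/, x509-certs/ and a
# *.db test database (e.g. PIV_Production_Cards.db) directly under the tool dir.

# check_cct_package DIR
# Reports every missing item on stderr; returns 0 when complete, 1 otherwise.
check_cct_package() {
    dir=$1
    missing=0
    for sub in logs piv-artifacts x509-artifacts x509-certs; do
        if [ ! -d "$dir/$sub" ]; then
            echo "missing directory: $dir/$sub" >&2
            missing=1
        fi
    done
    # The test database used for the evaluation must travel with the logs.
    db_found=0
    for f in "$dir"/*.db; do
        [ -f "$f" ] && db_found=1
    done
    if [ "$db_found" -eq 0 ]; then
        echo "missing test database (*.db) in $dir" >&2
        missing=1
    fi
    # An empty logs directory usually means the tests were never run.
    if [ -d "$dir/logs" ] && [ -z "$(ls -A "$dir/logs" 2>/dev/null)" ]; then
        echo "warning: $dir/logs is empty" >&2
    fi
    return $missing
}

# package_cct_results DIR OUT.zip
# Zips the tool directory (keeping its top-level name) only if the check passes.
package_cct_results() {
    dir=$1
    out=$2
    check_cct_package "$dir" || return 1
    (cd "$(dirname "$dir")" && zip -qr "$out" "$(basename "$dir")")
}

# Usage (illustrative path):
#   package_cct_results ./fips201-card-conformance-tool-1.0.0-2023-01-01 \
#       "$PWD/cct-package.zip"
```

The check only confirms that the expected files exist; it does not validate their contents, so the ATR value, the CPCT reports and the card photos still have to be gathered separately before the email is sent.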
Audit Information for the FPKI Management Authority
This section contains information on audits performed on the Federal Common Policy Certification Authority and the Federal Bridge Certification Authority.
- The Federal Common Policy Certification Authority (FCPCA) operates in compliance with the Federal Common Certificate Policy.
- The Federal Bridge Certification Authority (FBCA) operates in compliance with the Federal Bridge Certificate Policy.
The FPKIMA Certification Practice Statement (CPS) documents the operational practices required to ensure trusted operations. Additional compliance audit information for the FPKI Trust Infrastructure Systems is also provided below.
- U.S. FPKI Certification Practice Statement (PDF, November 2023) – Version 6.4
- U.S. FPKI Audit Letter of Compliance (PDF, October 2023) – Results of the August 2022-August 2023 Compliance Audit for the FPKI Trust Infrastructure Systems.
- FPKI Trust Infrastructure “HTTP.FPKI.Gov” URL Site Map (PDF, September 2022)
Report an Incident
FPKI affiliates include federal agencies and commercial service providers operating a certification authority certified by the Federal PKI Policy Authority. FPKI affiliate responsibilities related to the incident management process include:
- Communicating security incidents involving infrastructures or services to the FPKI Authorities, users/customers, and known relying parties.
- Providing additional investigation support and/or information about incidents to the FPKI Authorities as they become known, and
- Conducting remediation activities once an incident is confirmed.
To report a security incident, such as a key compromise, data breach, or other fraud, waste, or abuse involving FPKI CAs or certificates, contact both fpki at gsa.gov and fpki-help at gsa.gov and include all relevant information known about the incident at that point. Further information will be requested from the affiliate per the FPKI Incident Management Plan.
Federal PKI Document Archive
A Federal PKI document may be needed for three years for compliance review purposes. This page contains three years of FPKI documents, including:
- Certificate Policies
- Certificate Profiles
- Supplementary Guidance
- Change Proposals
A blank category indicates no updates in the previous three years. If you need a document that is older than three years or is not listed here, contact fpki at gsa.gov or look in the archived document repository on GitHub.