Federal Public Key Infrastructure (FPKI)

The Federal Public Key Infrastructure (FPKI) Program provides the government with a trust framework and infrastructure to administer digital certificates and public-private key pairs.

You can find Auditing information here.

Federal Trust Framework

The Federal PKI is a network of hundreds of Certification Authorities (CAs) that issue:

  • PIV credentials and person identity certificates
  • PIV-Interoperable credentials and person identity certificates
  • Other person identity certificates
  • Enterprise device identity certificates

The participating Certification Authorities, together with the policies, processes, and auditing that apply to all participants, are collectively referred to as the Federal Public Key Infrastructure (FPKI).

The FPKI includes U.S. Federal, State, Local, Tribal, Territorial, and international governments, as well as commercial organizations, that work together to provide services for the benefit of the Federal Government.

Certificate Policies

The Federal PKI Policy Authority (FPKIPA) maintains two Certificate Policies that all Certification Authorities map their policies to.

Common Policy Framework Certificate Policies

The document below contains the certificate and certificate revocation list (CRL) profiles for the Federal PKI Common Policy:

Operating a Certification Authority that is used in the Federal Government and contains federal data requires applying the NIST Special Publication (SP) 800-53 security controls. Review the controls overlay document to understand the requirements and details of each applicable control.

Federal Bridge Policies

There are two documents that contain the certificate and Certificate Revocation List (CRL) profiles for the Certificate Policies:

FPKI Key Recovery Policy

The FPKI Key Recovery Policy (KRP) supplements the FPKI Certificate Policies and describes the procedural and technical security controls needed to operate a Key Recovery System (KRS) securely, in accordance with FPKIPA requirements.

Certification Authorities

The Federal PKI Management Authority operates the primary Certification Authorities that serve as the trust infrastructure and root for the Federal Government.

  • US Federal Common Policy Certification Authority – The system operates and is audited to the Federal Common Policy Framework Certificate Policy
  • Federal Bridge Certification Authority – The system operates and is audited to the Federal Bridge Certificate Policy

PIV-Interoperable Information

The updated PIV-Interoperable guidance (2017) has been approved and is now available.

The Federal Government uses PIV and CAC credentials to identify employees and contractors affiliated with agencies. All PIV and CAC credentials are issued with the same processes and technology to provide a common baseline for authenticating to government networks, accessing government facilities, and authenticating to cross-government applications. These credentials conform to both the NIST Standards and the FPKI Certificate Policies. PIV and CAC credentials assert minimum suitability assurance (investigations).

PIV-Interoperable credentials were defined by the Federal Government to be issued to affiliates that are not employees and contractors but who may require access to limited government systems.  PIV-Interoperable credentials do not assert any suitability assurance.

Organization Information

Three offices within the General Services Administration (GSA) maintain and govern the Certificate Policies:

  • The Federal Acquisition Service leads the FPKI Management Authority (FPKIMA), which is responsible for operating the Federal Bridge and Federal Root Certification Authorities.
  • The Office of Government-wide Policy co-chairs the FPKI Policy Authority (FPKIPA) and manages the governance and oversight of federal shared service providers, policy creation, and compliance audit reviews.
  • The Office of the Chief Information Officer (OCIO) is responsible for security and compliance validation and performs vulnerability scans and penetration testing.

Page Reviewed/Updated:  October 16, 2017