Federal Public Key Infrastructure (FPKI)

The Federal Public Key Infrastructure (FPKI) Program provides the government with a trust framework and infrastructure to administer digital certificates and public-private key pairs.

You can find Auditing information here.

Federal Trust Framework

The FPKI is a network of hundreds of Certification Authorities (CAs) that issue:

  • PIV credentials and person identity certificates
  • PIV-Interoperable credentials and person identity certificates
  • Other person identity certificates
  • Enterprise device identity certificates

The participating CAs and the Policies, Processes, and Auditing of all the participants are referred to as the Federal Public Key Infrastructure (FPKI).

The FPKI includes U.S. Federal, State, Local, Tribal, and Territorial governments, international governments, and commercial organizations that work together to provide services for the benefit of the Federal Government.

Certificate Policies

The FPKI Policy Authority (FPKIPA) maintains two Certificate Policies to which all Certification Authorities map their policies.

Common Policy Framework Certificate Policy and Profiles

The document below contains the certificate and Certificate Revocation List (CRL) extensions profile for the U.S. Federal PKI Common Policy:

Operating a Certification Authority that is used in the Federal Government and contains federal data requires applying the NIST Special Publication (SP) 800-53 security controls. The following document contains the additional security controls that all Certificate Practice Statements (CPSs) must address. Review the controls overlay document to understand the requirements and details of each applicable control.

Federal Bridge Certificate Policy and Profiles

The documents below contain the certificate and CRL extensions profile for the FBCA Certificate Policy:

FPKI Key Recovery Policy

The FPKI Key Recovery Policy (KRP) supplements the FPKI Certificate Policies and describes the procedural and technical security controls needed to operate a Key Recovery System (KRS) securely, in accordance with FPKIPA requirements.

Certification Authorities

The FPKI Management Authority (FPKIMA) operates the primary Certification Authorities that serve as the trust infrastructure for the Federal Government:

  • U.S. Federal Common Policy Certification Authority – This system operates as the Root CA for the Federal Government’s PKI services and is audited to the X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework.
  • Federal Bridge Certification Authority – This system operates as a PKI bridge that enables interoperability between PKIs participating in the FPKI and is audited to the X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA).
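The interoperability role of a bridge CA, shown as an added Go example that is not part of this page or the FPKIMA's own infrastructure: a relying party trusts only an agency root, a partner PKI is cross-certified by a bridge CA that the root in turn cross-certifies, and a partner-issued identity certificate validates to the root only when the bridge cross-certificate is present in the path. All CA names, keys and certificates below are hypothetical and generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // keeps the demo short
func newKey() *ecdsa.PrivateKey  { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// tmpl builds a minimal certificate template (CA names in this demo are hypothetical).
func tmpl(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca { // CA certificates sign certificates and CRLs
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs t for pub under parent with the parent's private key and parses the DER result.
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// BridgeTrustDemo builds root -> bridge CA (cross-certified by the root) -> partner CA (cross-certified
// by the bridge) -> identity certificate, and reports whether it validates with and without the bridge.
func BridgeTrustDemo() (withBridge, withoutBridge bool) {
	rootK, bridgeK, partnerK, eeK := newKey(), newKey(), newKey(), newKey()
	rootT := tmpl("Demo Agency Root CA", 1, true)
	root := issue(rootT, rootT, &rootK.PublicKey, rootK) // self-signed trust anchor
	bridge := issue(tmpl("Demo Bridge CA", 2, true), root, &bridgeK.PublicKey, rootK)
	partner := issue(tmpl("Demo Partner CA", 3, true), bridge, &partnerK.PublicKey, bridgeK)
	ee := issue(tmpl("jane.doe@partner.example", 4, false), partner, &eeK.PublicKey, partnerK)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(partner) // relying party knows the partner CA but not the bridge cross-certificate
	_, errNoBridge := ee.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	inters.AddCert(bridge) // the cross-certificate links the partner CA back to the trusted root
	_, errBridge := ee.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return errBridge == nil, errNoBridge == nil
}
```

In a real FPKI path the relying party would additionally enforce certificate policy OIDs, policy mappings and revocation status, which this demo omits.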

PIV-Interoperable Information

The document below contains the approved PIV-Interoperable guidance for issuers:

The Federal Government uses PIV and CAC credentials to identify employees and contractors affiliated with agencies. All PIV and CAC credentials are issued with the same processes and technology to provide a common baseline for authenticating to government networks, accessing government facilities, and authenticating to cross-government applications. These credentials conform to both the NIST Standards and the FPKI Certificate Policies. PIV and CAC credentials assert minimum suitability assurance (investigations).

PIV-Interoperable credentials were defined by the Federal Government to be issued to affiliates that are not employees and contractors but who may require access to limited government systems.  PIV-Interoperable credentials do not assert any suitability assurance.

Organization Information

Three offices within General Services Administration maintain and govern Certificate Policies:

Page Reviewed/Updated:  November 6, 2018