FPKI Policy and Compliance Audit
This page contains information to help Federal Public Key Infrastructure (FPKI) program managers and auditors.
- Contains the FPKI policies and profiles as well as annual FPKI annual review schedule.
- It can help auditors assess Certification Authorities operated as part of the FPKI.
- It can help the general public understand how the FPKI Management Authority (FPKIMA) provides trusted PKI and CA operations.
For any questions, please contact fpki at gsa.gov.
FPKI Policies and Profiles
The Federal Public Key Infrastructure (FPKI) provides the government with a trust framework and infrastructure to administer digital certificates and public-private key pairs. For more information on the FPKI and PIV, go to the:
The FPKI Policy Authority (FPKIPA) maintains two certificate policies (Common Policy Framework, and Federal Bridge). All cross-certified CA certificate policies are mapped to the Federal Bridge certificate policy.
| FPKI Initiatve | Policy Name | Profile | Change Proposals |
|---|---|---|---|
| Federal Common Policy | X.509 Certificate Policy for the U.S. FPKI Common Policy Framework | Common Policy X.509 Certificate and CRL Profiles | Common Change Proposals |
| Federal Bridge | X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) | X.509 Certificate and CRL Extensions Profile | Bridge Change Proposals |
| Federal Bridge PIV-I | X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) and PIV-I for Federal Issuers | X.509 Certificate and CRL Extensions Profile for PIV-I Cards | Bridge Change Proposals |
| Public Trust TLS | U.S. Federal Public Trust TLS Certificate Policy | The CAs operating under this Certificate Policy are in a new infrastructure which will not have cross-certificates with any other FPKI Certification Authority. |
The FPKI has the following supplementary guidance:
- Security Controls Overlay of NIST Special Publication 800-53 Revision 5 Security Controls for FPKI Systems (PDF, February 2021) – The application of NIST Special Publication (SP) 800-53 security controls is required to operate a Certification Authority that is used in the FPKI and contains federal data. Review the controls overlay document to understand the requirements and details of each applicable control.
- FPKI Key Recovery Policy (PDF, October 2017) - The FPKI Key Recovery Policy (KRP) supplements the FPKI Certificate Policies and describes the procedural and technical security controls needed to operate a Key Recovery System (KRS) securely, in accordance with FPKIPA requirements.
- Registration Authority Agreement Template v1.0 (Word, April 2017)
- FPKI Incident Management Plan (PDF, September 2020)
- Archived copies of Certificate Polices, Profiles, and other FPKI-related documents
Annual Review Requirements for All Certification Authorities
Independent compliance audits are the primary way that the Federal Public Key Infrastructure Policy Authority (FPKIPA) ensures that Certification Authorities participating in the FPKI comply with the requirements identified in the appropriate Certificate Policies (CPs). Audits are an important component of the Annual Review Requirements.
Audits are required annually for Certification Authorities. Annual review packages should be submitted to fpki at gsa.gov.
- FPKI Annual Review Requirements (PDF, April 2017) – Requirements for performing and reporting annual compliance audits.
- PIV and PIV-I Annual Testing - supports FPKI Annual Reviews and can be done either in-person at the GSA FIPS 201 Lab or using available tools such as the Card Conformance Tool (CCT) and Certificate Profile Conformance Tool (CPCT)
- Non-Compliance Management Framework For The Federal Public Key Infrastructure (FPKI) (PDF, January 2016)
Annual Review Schedule
| Entity | Type | Annual Review Package Due Date |
|---|---|---|
| CertiPath | Bridge | Jun 30 |
| Drug Enforcement Agency (DEA) | Trust Partner | Sep 30 |
| DigiCert (DirectTrust) | Affiliate PKI | July 31 |
| DigiCert (Formerly Symantec Non-Federal Issuer [NFI]) | Affiliate PKI | July 31 |
| DigiCert (Formerly Symantec Shared Service Provider [SSP]) | SSP | July 31 |
| Department of Defense (DoD) | Affiliate PKI | Aug 30 |
| Department of State (DOS) | Affiliate PKI | Jun 30 |
| Department of the Treasury | SSP | July 31 |
| Entrust NFI | Affiliate PKI | Nov 22 |
| Entrust Federal SSP | SSP | Nov 22 |
| Exostar | Affiliate PKI | May 31 |
| Government Publishing Office (GPO) | Affiliate PKI | Oct 31 |
| IdenTrust NFI | Affiliate PKI | Aug 31 |
| Patent and Trademark Office (PTO) | Affiliate PKI | April 30 |
| SAFE Identity | Bridge | Oct 31 |
| Southwest Texas Regional Advisory Council (STRAC) | Bridge | Nov 30 |
| Transglobal Secure Collaboration Program (TSCP) | Bridge | May 31 |
| Verizon SSP | SSP | July 31 |
| WidePoint NFI | Affiliate PKI | May 31 |
| WidePoint SSP | SSP | May 31 |
Audit Information for the FPKI Management Authority
This section contains information on audits performed on the Federal Common Policy Certification Authority and the Federal Bridge Certification Authority.
- The Federal Common Policy Certification Authority (FCPCA) operates in compliance with the Federal Common Certificate Policy.
- The Federal Bridge Certificate Authority (FBCA) operates in compliance with the Federal Bridge Certificate Policy.
The FPKIMA Certification Practice Statement (CPS) documents the operational practices required to ensure trusted operations. Additional compliance audit information for the FPKI Trust Infrastructure Systems is also provided below.
- U.S. FPKI Certification Practice Statement (PDF, June 2021) – Version 6.0
- U.S. FPKI Audit Letter of Compliance (PDF, October 2020) – Results of the 2019-2020 Compliance Audit for the FPKI Trust Infrastructure Systems.
- FPKI Trust Infrastructure “HTTP.FPKI.Gov” URL Site Map (PDF, October 2020)
Reporting Incidents
To report a potential key compromise, security incident, or fraud, waste, or abuse involving FPKI certificates, please contact fpki-help at gsa.gov with supporting evidence of the incident.