FPKI Policy and Compliance Audit

This page contains information to help Federal Public Key Infrastructure (FPKI) program managers and auditors.

  • It includes the FPKI policies and profiles as well as the annual FPKI review schedule.
  • It can help auditors assess certification authorities (CAs) operated as part of the FPKI.
  • It can help the general public understand how the FPKI Management Authority (FPKIMA) provides trusted PKI and CA operations.

For any questions, please contact fpki at gsa.gov.

FPKI Policies and Profiles

The Federal Public Key Infrastructure (FPKI) provides the government with a trust framework and infrastructure to administer digital certificates and public-private key pairs. For more information on the FPKI and PIV, go to the:

The FPKI Policy Authority (FPKIPA) maintains two certificate policies (the Common Policy Framework and the Federal Bridge). All cross-certified CA certificate policies are mapped to the Federal Bridge certificate policy.

| FPKI Initiative | Policy Name | Profile | Change Proposals |
|---|---|---|---|
| Federal Common Policy | X.509 Certificate Policy for the U.S. FPKI Common Policy Framework v2.4 | Common Policy X.509 Certificate and CRL Profiles v2.2 | Common Change Proposals |
| Federal Bridge | X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) v3.1 | Federal Bridge Certification Authority (FBCA) X.509 Certificate and CRL Extensions Profile v2.0 | Bridge Change Proposals |
| Federal Bridge PIV-I | X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) v3.1 and PIV-I for Federal Agencies | Federal Bridge Certification Authority (FBCA) X.509 Certificate and CRL Extensions Profile v2.0 | Bridge Change Proposals |
| Federal Public Trust TLS | Updating Policy. Archived Copies available in archived documents. | Updating Profiles | No change proposals |

The FPKI has the following supplementary guidance:

Annual Review Requirements for All Certification Authorities

Independent compliance audits are the primary way that the Federal Public Key Infrastructure Policy Authority (FPKIPA) ensures that entities participating in the FPKI comply with the requirements identified in the appropriate Certificate Policies (CPs). Audits are an important component of the Annual Review Requirements.

Audits are required annually for supporting functions and elements of each entity. Annual review packages should be submitted to fpki at gsa.gov.

Annual Review Schedule

| Entity | Type | Annual Review Package Due Date |
|---|---|---|
| CertiPath | Bridge | June 30 |
| Drug Enforcement Agency (DEA) | Trust Partner | September 30 |
| DigiCert (ECPS) | Affiliate PKI | July 31 |
| DigiCert (Formerly Symantec Non-Federal Issuer [NFI]) | Affiliate PKI | July 31 |
| DigiCert (Formerly Symantec Shared Service Provider [SSP]) | SSP | July 31 |
| Department of Defense (DoD) | Affiliate PKI | November 30 |
| Department of State (DOS) | Affiliate PKI | October 31 |
| Department of the Treasury | SSP | July 31 |
| Entrust NFI | Affiliate PKI | November 30 |
| Entrust Federal SSP | SSP | November 30 |
| Exostar | Affiliate PKI | June 10 |
| Government Publishing Office (GPO) | Affiliate PKI | October 31 |
| IdenTrust NFI | Affiliate PKI | August 31 |
| Patent and Trademark Office (PTO) | Affiliate PKI | October 31 |
| SAFE Identity | Bridge | October 31 |
| Southwest Texas Regional Advisory Council (STRAC) | Bridge | November 30 |
| Transglobal Secure Collaboration Program (TSCP) | Bridge | July 31 |
| Verizon SSP | SSP | August 31 |
| WidePoint NFI | Affiliate PKI | May 31 |
| WidePoint SSP | SSP | May 31 |

Audit Information for the FPKI Management Authority

This section contains information on audits performed on the Federal Common Policy Certification Authority and the Federal Bridge Certification Authority.

  • The Federal Common Policy Certification Authority (FCPCA) operates in compliance with the Federal Common Certificate Policy.
  • The Federal Bridge Certification Authority (FBCA) operates in compliance with the Federal Bridge Certificate Policy.

The FPKIMA Certification Practice Statement (CPS) documents the operational practices required to ensure trusted operations. Additional compliance audit information for the FPKI Trust Infrastructure Systems is also provided below.

Reporting Incidents

To report a potential key compromise, security incident, or fraud, waste, or abuse involving FPKI certificates, please contact fpki-help at gsa.gov with supporting evidence of the incident.

IDManagement.gov

An official website of the General Services Administration
