Federal Public Key Infrastructure
The Federal Public Key Infrastructure (FPKI) provides the government with a trust framework and infrastructure to administer digital certificates and public-private key pairs.
The FPKI is a network of hundreds of Certification Authorities (CAs) that issue:
- Personal Identity Verification (PIV) credentials and person identity certificates
- PIV-Interoperable credentials and person identity certificates
- Other person identity certificates
- Enterprise device identity certificates
The participating CAs and the policies, processes, and auditing of all the participants are referred to as the Federal Public Key Infrastructure (FPKI).
The FPKI includes US federal, state, local, tribal, and territorial governments, as well as international governments and commercial organizations that work together to provide services for the benefit of the federal government.
The FPKI Policy Authority (FPKIPA) maintains two certificate policies (Common Policy Framework and Federal Bridge). All cross-certified CA certificate policies are mapped to the Federal Bridge certificate policy.
Common Policy Framework
- Review the X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework
- FPKI Common Policy Framework Certificate Policy Change Proposals – archival list of proposed changes (updated September 2020)
- Common Policy X.509 Certificate and Certificate Revocation List (CRL) Profiles (PDF, September 2020)
The application of NIST Special Publication (SP) 800-53 security controls is required to operate a Certification Authority that is used in the FPKI and contains federal data. Review the controls overlay document below to understand the requirements and details of each applicable control.
- FPKI Security Controls Overlay of Special Publication 800-53 Security Controls for PKI Systems (PDF, April 2014) – contains additional security controls that all Certificate Practice Statements (CPSs) must address
- Review the X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA)
- FBCA Certificate Policy Change Proposals – archival list of proposed changes (updated April 2019)
- FBCA Supplementary Antecedent, In-Person Definition (PDF, July 2009) – working group document superseded by NIST SP 800-63-3A
The documents below contain the certificate and CRL extensions profiles for the X.509 Certificate Policy for the FBCA:
- X.509 Certificate and CRL Extensions Profile (PDF, May 2018)
- X.509 Certificate and CRL Extensions Profile for Personal Identity Verification Interoperable (PIV-I) Cards (PDF, May 2018)
FPKI Key Recovery Policy
The FPKI Key Recovery Policy (KRP) supplements the FPKI Certificate Policies and describes the procedural and technical security controls needed to operate a Key Recovery System (KRS) securely, in accordance with FPKIPA requirements.
- FPKI Key Recovery Policy (PDF, October 2017)
The FPKI Management Authority (FPKIMA) operates the primary Certification Authorities (CAs) that serve as the common root CA and the bridge CA for the federal government:
- The U.S. Federal Common Policy Certification Authority system operates as the Root CA for the federal government’s PKI services and is audited to the X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework
- The Federal Bridge Certification Authority operates as a PKI bridge that enables interoperability between PKIs participating in the FPKI and is audited to the X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA).
The federal government uses PIV and CAC credentials to identify employees and contractors affiliated with agencies. All PIV and CAC credentials are issued with the same processes and technology to provide a common baseline for authenticating to government networks, accessing government facilities, and authenticating to cross-government applications. These credentials conform to both the NIST Standards and the FPKI Certificate Policies. PIV and CAC credentials assert minimum suitability assurance (investigations). PIV-Interoperable credentials were defined by the federal government to be issued to affiliates that are not employees and contractors but who may require access to limited government systems. PIV-Interoperable credentials do not assert any suitability assurance.
- PIV Interoperability for Issuers – CIO Council-approved PIV-Interoperable guidance for issuers (PDF, July 2017)
Three offices within General Services Administration maintain and govern Certificate Policies:
- The Federal Acquisition Service leads the FPKI Management Authority (FPKIMA), which is responsible for operating the Federal Bridge and Federal Root Certificate Authorities.
- The Office of Government-wide Policy co-chairs the FPKI Policy Authority (FPKIPA) and manages the governance and oversight of the certificate policies, federal shared service providers, and compliance audit reviews.
- The Office of the Chief Information Officer (OCIO) is responsible for security authorizations and continuous monitoring for commercially-operated PKI shared service providers.
Page Reviewed/Updated: November 16, 2020