Federal Public Key Infrastructure (FPKI)

Home » Manage » Federal Public Key Infrastructure (FPKI)

Federal Public Key Infrastructure

The Federal Public Key Infrastructure (FPKI) provides the government with a trust framework and infrastructure to administer digital certificates and public-private key pairs.

The FPKI is a network of hundreds of Certification Authorities (CAs) that issue:

  • Personal Identity Verification (PIV) credentials and person identity certificates
  • PIV-Interoperable credentials and person identity certificates
  • Other person identity certificates
  • Enterprise device identity certificates

The participating CAs and the policies, processes, and auditing of all the participants are referred to as the Federal Public Key Infrastructure (FPKI).

The FPKI includes US federal, state, local, tribal, and territorial governments, as well as international governments and commercial organizations that work together to provide services for the benefit of the federal government.

Certificate Policies

The FPKI Policy Authority (FPKIPA) maintains two certificate policies (Common Policy Framework, and Federal Bridge). All cross-certified CA certificate policies are mapped to the Federal Bridge certificate policy.

Common Policy Framework

The application of NIST Special Publication (SP) 800-53 security controls is required to operate a Certification Authority that is used in the FPKI and contains federal data. Review the controls overlay document below to understand the requirements and details of each applicable control.

Federal Bridge

The documents below contain the certificate and CRL extensions profiles for the X.509 Certificate Policy for the FBCA:

Common Policy Framework and Federal Bridge Archive

Three years of certificate policies and profiles are maintained on idmanagement.gov. For older versions, please contact icam@gsa.gov.

FPKI Key Recovery Policy

The FPKI Key Recovery Policy (KRP) supplements the FPKI Certificate Policies and describes the procedural and technical security controls needed to operate a Key Recovery System (KRS) securely, in accordance with FPKIPA requirements.

Certification Authorities

The FPKI Management Authority (FPKIMA) operates the primary Certification Authorities (CAs) that serve as the common root CA and the bridge CA for the federal government:

  • The U.S. Federal Common Policy Certification Authority system operates as the Root CA for the federal government’s PKI services and is audited to the X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework
  • The Federal Bridge Certification Authority operates as a PKI bridge that enables interoperability between PKIs participating in the FPKI and is audited to the X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA).

PIV-Interoperable Information

The federal government uses PIV and CAC credentials to identify employees and contractors affiliated with agencies.  All PIV and CAC credentials are issued with the same processes and technology to provide a common baseline for authenticating to government networks, accessing government facilities, and authenticating to cross-government applications.  These credentials conform to both the NIST Standards and the FPKI Certificate Policies.  PIV and CAC credentials assert minimum suitability assurance (investigations). PIV-Interoperable credentials were defined by the federal government to be issued to affiliates that are not employees and contractors but who may require access to limited government systems.  PIV-Interoperable credentials do not assert any suitability assurance.

PIV Interoperability for Issuers – CIO Council-approved PIV-Interoperable guidance for issuers (PDF, July 2017)

Organizational Information

Three offices within General Services Administration maintain and govern Certificate Policies:

  • The Federal Acquisition Service leads the FPKI Management Authority (FPKIMA), which is responsible for operating the Federal Bridge and Federal Root Certificate Authorities.
  • The Office of Government-wide Policy co-chairs the FPKI Policy Authority (FPKIPA) and manages the governance and oversight of the certificate policies, federal shared service providers, and compliance audit reviews.

The Office of the Chief Information Officer (OCIO) is responsible for security authorizations and continuous monitoring for commercially-operated PKI shared service providers.

Page Reviewed/Updated: February 24, 2021