Electronic Government: Planned e-Authentication Gateway Faces Formidable Development Challenges

GAO-03-952 September 12, 2003

Summary

For on-line government services that involve sensitive information, such as financial or personal information, it is important to be able to confirm the identity of potential users. This confirmation process, known as authentication, is crucial for security and user confidence. The General Services Administration (GSA) is developing an "e-Authentication gateway," which is to provide a consolidated electronic authentication service to support the e-government initiatives sponsored by the Office of Management and Budget (OMB). The figure depicts schematically how the gateway process would work. GAO was asked to (1) assess GSA's progress in implementing the proposed initiative and (2) identify the challenges associated with implementing the gateway.

Although the original goal was for the e-Authentication gateway to be operational by September 2003, GSA has achieved few of its project objectives and recently extended the milestone for completing a fully operational system to March 2004. GSA has completed several important tasks, such as issuing a request for information and fielding a demonstration prototype of the gateway. However, other essential activities, such as developing authentication profiles--requirements summaries that address the needs of the other 24 OMB e-government initiatives--have not yet been fully addressed. Further, to meet the new milestone, GSA plans to compress the acquisition process for the operational gateway by awarding a contract by December 2003 for delivery of an operational gateway by March 2004. This accelerated schedule may be difficult to achieve. The modest progress achieved to date calls into question the likelihood that the project can successfully field an operational gateway, even within the revised schedule. The challenges facing the e-Authentication gateway project make it difficult for GSA to achieve the kind of rapid results envisioned for the initiative. For example, procedures and guidance have not yet been completed defining the specific technologies to support different authentication requirements. In addition, technical standards have not yet been agreed upon to provide a basis for ensuring interoperability among different authentication products and systems. Further, GSA has not taken full measures to ensure that the gateway system is adequately secured and that privacy information is adequately protected. Addressing these and other challenges is essential to the successful deployment of a gateway that can effectively support the authentication requirements of OMB's e-government initiatives.



Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.



Recommendations for Executive Action


Recommendation: To address the issues associated with GSA's attempts to meet near-term milestones for implementing the e-Authentication gateway, the Administrator of GSA should revise the schedule for deploying a fully operational version of the gateway, based on realistic milestones for development of the gateway using a competitively awarded contract, development of authentication profiles for each of the other 24 e-government initiatives, and completion of revisions to GSA's governmentwide PKI-related services contract.

Agency Affected: General Services Administration

Status: Not Implemented

Comments: The e-authentication initiative is no longer aimed at developing a centralized gateway, and thus this recommendation no longer pertains. Based on the results of a GSA internal technical advisory board review convened in September 2003 as well as the findings from our report, the planned centralized gateway was found to be neither technically feasible nor an appropriate solution to the authentication challenge. As a result, the e-Authentication initiative dropped plans to implement a centralized e-Authentication gateway and instead focused on setting a framework of policies and standards for agencies to use in procuring commercial products to meet their authentication needs. The technical architecture for e-Authentication in the federal government has also been revised to promote a "federated approach" rather than a centralized gateway.

Recommendation: To ensure that e-Authentication gateway implementation challenges are fully addressed, the Administrator of GSA should, in conjunction with the Director of OMB, ensure that a comprehensive framework of authentication policies and procedures related to gateway operations is developed and implemented, in conjunction with the National Institute of Standards and Technology, the Chief Information Officers Council, and other federal agencies (the framework should include policies and standards for auditing agencies and nongovernment organizations that will be linked to the gateway for compliance with applicable security, privacy, and credential requirements).

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Implemented

Comments: Based on the results of a GSA internal technical advisory board review convened in September 2003 and the findings from our report, the planned centralized gateway was found to be neither technically feasible nor an appropriate solution to the authentication challenge. As a result, the e-Authentication initiative is now focused on setting a framework of policies and standards for agencies to use in procuring commercial products to meet their authentication needs. In addition, the technical architecture for e-Authentication in the federal government has been revised to promote a "federated approach." In December 2003, OMB issued policy guidance to federal agencies on electronic authentication that establishes and describes four levels of identity assurance for electronic transactions requiring authentication, and directs agencies to conduct electronic authentication risk assessments on electronic transactions to ensure that there is a consistent approach across the government. OMB's policy is a key component in developing a framework for moving toward a governmentwide standardization of federal identity credentialing and electronic authentication that includes technical guidelines and specifications to support federal agencies in their implementation of electronic authentication systems, and to support the implementation of a governmentwide electronic authentication infrastructure that accommodates various credentials such as PINs, passwords, and PKI digital certificates.

Agency Affected: General Services Administration

Status: Implemented

Comments: Based on the results of a GSA internal technical advisory board review convened in September 2003 and the findings from our review, the planned centralized gateway was found to be neither technically feasible nor an appropriate solution to the authentication challenge. As a result, the e-Authentication initiative will no longer implement a centralized e-Authentication gateway and is now focused on setting a framework of policies and standards for agencies to use in procuring commercial products to meet their authentication needs, and the technical architecture for e-Authentication in the federal government has been revised to promote a "federated approach." As part of the e-Authentication initiative, GSA, in conjunction with OMB, NIST, the Federal Identity Credentialing Committee (FICC), and other federal agencies, has developed a federal authentication policy framework that applies to all authentication services and processes. The policy documents currently issued include (1) OMB E-Authentication Guidance for Federal Agencies (December 2003), (2) NIST Electronic Authentication Guideline (June 2004), (3) GSA E-Authentication Interim Credential Assessment Framework (December 2003), (4) FICC Authentication and Identity Policy Framework for Federal Agencies (July 2004), and (5) FICC Guidance Regarding Smart Card Systems for Identification and Credentialing Employees (March 2004). These documents provide guidance to federal agencies in their implementation of electronic authentication systems and support the implementation of a governmentwide electronic authentication infrastructure intended to accommodate various credentials such as PINs, passwords, and PKI digital certificates.

Recommendation: To ensure that e-Authentication gateway implementation challenges are fully addressed, the Administrator of GSA should, in conjunction with the Director of OMB, establish a process to complete risk assessments for the OMB e-government initiatives that require authentication services and define associated authentication requirements to ensure that the gateway's design can support the range of authentication technologies that will be needed by the e-government initiatives.

Agency Affected: General Services Administration

Status: Implemented

Comments: Based on the results of a GSA internal technical advisory board review convened in September 2003 and the findings from our review, the planned centralized gateway was found to be neither technically feasible nor an appropriate solution to the authentication challenge. However, as part of the e-Authentication initiative, GSA has established a methodology for conducting risk assessments to determine authentication requirements for agency e-government initiatives. This methodology consists of an automated risk assessment tool (e-RA) and associated guidance documents such as the e-Authentication Risk and Requirements Assessment: e-RA Tool Activity Guide, which was updated in May 2004. The e-RA tool addresses the potential range of authentication requirements needed by e-government initiatives by mapping to the authentication assurance levels defined in the December 2003 OMB policy on electronic authentication--which establishes and describes four levels of identity assurance for electronic transactions requiring authentication, and directs agencies to conduct electronic authentication risk assessments on electronic transactions to ensure that there is a consistent approach across government.
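The two comments above describe the core of the e-RA methodology: rate the potential impact of an authentication failure for a transaction, then map those ratings onto the four assurance levels from the December 2003 OMB guidance. The following is an added worked example of that mapping logic, written for this page; it is not the e-RA tool, its activity guide, or any code from GSA or GAO. The six impact categories and the impact-to-level table are my assumption, modeled on the OMB guidance, and the four sample transactions are constructed; the page itself only states that the policy defines four assurance levels and directs agencies to run risk assessments.

```python
from enum import IntEnum


class Impact(IntEnum):
    """Potential impact of an authentication error in one harm category."""
    NA = 0        # no impact in this category
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Assumption: the six potential-impact categories and the mapping below are
# modeled on OMB's December 2003 e-authentication guidance; the page only says
# that policy defines four assurance levels. Each value is the lowest assurance
# level (1-4) that tolerates that impact in that category.
MIN_LEVEL_FOR_IMPACT = {
    "inconvenience_or_reputation":   {Impact.LOW: 1, Impact.MODERATE: 2, Impact.HIGH: 4},
    "financial_loss_or_liability":   {Impact.LOW: 1, Impact.MODERATE: 2, Impact.HIGH: 4},
    "harm_to_programs_or_public":    {Impact.LOW: 2, Impact.MODERATE: 3, Impact.HIGH: 4},
    "sensitive_information_release": {Impact.LOW: 2, Impact.MODERATE: 3, Impact.HIGH: 4},
    "personal_safety":               {Impact.LOW: 3, Impact.MODERATE: 4, Impact.HIGH: 4},
    "civil_or_criminal_violations":  {Impact.LOW: 2, Impact.MODERATE: 3, Impact.HIGH: 4},
}


def required_assurance_level(ratings):
    """Return (level, drivers) for one transaction.

    ratings maps a category name to an Impact. The required level is the highest
    minimum level over all rated categories: a single high-impact category is
    enough to push the whole transaction to level 4, regardless of the others.
    drivers lists the categories that set the final level, so an assessor can see
    which ratings to revisit if the result looks too strict for the transaction.
    """
    unknown = set(ratings) - set(MIN_LEVEL_FOR_IMPACT)
    if unknown:
        raise ValueError(f"unknown impact categories: {sorted(unknown)}")
    # Assumption: level 1 is the floor even when no category has any rated impact.
    level, drivers = 1, []
    for category, impact in ratings.items():
        if impact == Impact.NA:
            continue
        needed = MIN_LEVEL_FOR_IMPACT[category][impact]
        if needed > level:
            level, drivers = needed, [category]
        elif needed == level:
            drivers.append(category)
    return level, drivers


# Constructed sample assessments for four hypothetical e-government transactions
# (not data from the report).
SAMPLE_TRANSACTIONS = {
    "view_public_forms": {
        "inconvenience_or_reputation": Impact.LOW,
    },
    "update_mailing_address": {
        "inconvenience_or_reputation": Impact.MODERATE,
        "sensitive_information_release": Impact.LOW,
    },
    "file_benefit_claim": {
        "financial_loss_or_liability": Impact.MODERATE,
        "sensitive_information_release": Impact.MODERATE,
        "civil_or_criminal_violations": Impact.LOW,
    },
    "access_health_records": {
        "sensitive_information_release": Impact.HIGH,
        "personal_safety": Impact.LOW,
    },
}


def assess_all(transactions=SAMPLE_TRANSACTIONS):
    """Run the mapping over every sample transaction; returns name -> (level, drivers)."""
    return {name: required_assurance_level(r) for name, r in transactions.items()}


if __name__ == "__main__":
    for name, (level, drivers) in assess_all().items():
        print(f"{name}: assurance level {level} (driven by {', '.join(drivers)})")
```

The design point worth noticing is the max rule: the level is not an average of the ratings, so one category with a high rating (the health-records case) dominates even if every other category is low. That is what makes a consistent, governmentwide assessment possible in the sense the comments describe, since two agencies rating the same transaction the same way must arrive at the same level.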

Recommendation: To ensure that e-Authentication gateway implementation challenges are fully addressed, the Administrator of GSA should, in conjunction with the Director of OMB, define key technical interfaces to promote interoperability with commercial products and facilitate interconnection with electronic credential providers.

Agency Affected: General Services Administration

Status: Implemented

Comments: The e-Authentication initiative will no longer implement a centralized e-Authentication gateway and is now focused on setting a framework of policies and standards for agencies to use in procuring commercial products to meet their authentication needs. As part of the new strategy, GSA, in conjunction with NIST and the Federal Identity Credentialing Committee, has developed a framework for moving toward a governmentwide standardization of federal identity credentialing and electronic authentication that includes a technical architecture with guidelines and interface specifications--such as the "E-Authentication Interface Specification for the SAML Artifact Profile, Version 1.0, June 28, 2004"--to promote interoperability with commercial products and support federal agencies in their implementation of electronic authentication systems that interconnect with trusted credential service providers. In addition, GSA has established and will continue to operate an interoperability lab to test commercial products for technical interoperability.

Recommendation: To ensure that e-Authentication gateway implementation challenges are fully addressed, the Administrator of GSA should, in conjunction with the Director of OMB, enhance the effectiveness of the gateway's funding strategy by defining specific contributions from federal agencies and obtaining their commitment to support the initiative, based on the project's implementation and maintenance schedule, which addresses costs through 2008.

Agency Affected: General Services Administration

Status: Not Implemented

Comments: Based on the results of a GSA internal technical advisory board review convened in September 2003 and the findings from our report, the planned centralized gateway was found to be neither technically feasible nor an appropriate solution to the authentication challenge. The work on the planned centralized e-Authentication gateway was cancelled. As a result, our recommendation to enhance the project's funding strategy in order to develop the gateway in a timely manner is no longer pertinent.

Recommendation: To ensure that e-Authentication gateway implementation challenges are fully addressed, the Administrator of GSA should, in conjunction with the Director of OMB, establish and implement security and privacy policies for the gateway, based on input from stakeholders and potential users, to ensure that all privacy requirements are considered and addressed--including the development and completion of a privacy impact assessment that involves key stakeholders.

Agency Affected: General Services Administration

Status: Not Implemented

Comments: Based on the results of a GSA internal technical advisory board review convened in September 2003 and the findings from our report, the planned centralized gateway was found to be neither technically feasible nor an appropriate solution to the authentication challenge. As a result, the e-Authentication initiative will no longer implement a centralized e-Authentication gateway. Accordingly, the need for security and privacy policies for the gateway is no longer pertinent.