diff --git a/.bundler-version b/.bundler-version index c346e7a04..b38513792 100644 --- a/.bundler-version +++ b/.bundler-version @@ -1 +1 @@ -2.1.4 \ No newline at end of file +2.4.12 \ No newline at end of file diff --git a/.circleci/config.yml b/.circleci/config.yml index 1e19be772..c6738d576 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -2,7 +2,8 @@ version: 2 jobs: build: docker: - - image: cimg/ruby:2.7.5-browsers + # - image: cimg/ruby:2.7.5-browsers (older ruby) + - image: cimg/ruby:3.1.3-browsers steps: - checkout - restore_cache: diff --git a/.github/ISSUE_TEMPLATE/fpki-system-notification.md b/.github/ISSUE_TEMPLATE/fpki-system-notification.md new file mode 100644 index 000000000..6f9c20fbb --- /dev/null +++ b/.github/ISSUE_TEMPLATE/fpki-system-notification.md @@ -0,0 +1,23 @@ +--- +name: FPKI System Notification +about: Create a report on system changes and outages in the Federal PKI. +title: 'System Notification for: ' +labels: Federal PKI - System Notification +assignees: '' + +--- + +notice_date: +system: +change_type: CA Certificate Issuance, CA Certificate Revocation, New CA, URI Change, System Outage, Intent to Issue/Revoke CA Certificate +change_description: Include start and end dates if applicable +contact: +ca_certificate_issuer: +ca_certificate_subject: +ca_certificate_hash: +ca_cdp_uri: Certificate Revocation List +ca_aia_uri: +ca_sia_uri: +ca_ocsp_uri: +ee_cdp_uri: +ee_ocsp_uri: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a5c0562fa..f7b52048d 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -43,7 +43,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
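Review bot: `ca_certificate_hash:` in the new issue template does not say which digest the reporter should paste, so filed notifications will mix SHA-1 and SHA-256 thumbprints that cannot be compared against each other or against the certificate a reviewer fetches; label the field, e.g. `ca_certificate_hash: SHA-256 thumbprint of the CA certificate (hex)`. Of the remaining fields only `ca_cdp_uri: Certificate Revocation List` carries a hint, so a short expected-format note on `ca_certificate_issuer` and `ca_certificate_subject` (full DN as printed in the certificate) would make a submitted notification verifiable from its own values.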
@@ -54,7 +54,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@v2 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -68,4 +68,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v2 diff --git a/.pa11yci b/.pa11yci new file mode 100644 index 000000000..0f8b03717 --- /dev/null +++ b/.pa11yci @@ -0,0 +1,7 @@ +{ + "defaults": { + "concurrency": 4, + "standard": "WCAG2AA", + "runners": ["axe"] + } +} \ No newline at end of file diff --git a/.ruby-version b/.ruby-version index a603bb50a..ff365e06b 100644 --- a/.ruby-version +++ b/.ruby-version @@ -1 +1 @@ -2.7.5 +3.1.3 diff --git a/Dockerfile b/Dockerfile index 14547a599..3825bbbb3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,6 +5,8 @@ RUN apt-get update && \ sed -i 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \ locale-gen en_US.UTF-8 +RUN apt-get install nodejs -y + ENV LANG en_US.UTF-8 ENV LANGUAGE en_US ENV LC_ALL en_US.UTF-8 diff --git a/Gemfile b/Gemfile index 593f9f8de..2cc254029 100644 --- a/Gemfile +++ b/Gemfile @@ -1,9 +1,9 @@ source "https://rubygems.org" -ruby '>= 2.7.4' -gem "jekyll", "~> 4.0" +gem "jekyll", "4.2.2" # pinned awaiting release of https://github.com/jekyll/jekyll/pull/9304 gem "execjs", "2.7.0" # https://github.com/rails/execjs/issues/99 gem "autoprefixer-rails" +gem "webrick" # not included in jekyll directly until 4.3.0 https://github.com/jekyll/jekyll/pull/8524 group :jekyll_plugins do gem "jekyll-feed", "~> 0.15" 
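Review bot: `RUN apt-get install nodejs -y` runs in its own layer with no `apt-get update` of its own, so it installs from the package index fetched by the earlier `RUN apt-get update && ... locale-gen` layer (which starts outside this hunk), and once that layer is cached the index stays stale across rebuilds; "package not found" errors and an out-of-date nodejs are the usual result. Put the update, the install and the list cleanup in one layer so the index and the package always come from the same build: `RUN apt-get update && apt-get install -y --no-install-recommends nodejs && rm -rf /var/lib/apt/lists/*`. Since the site build now depends on nodejs, it is also worth recording in a comment which version the distribution repository is expected to provide, in the same way the Gemfile in this commit explains its pins.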
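Review bot: Dropping `ruby '>= 2.7.4'` removes the only Bundler-enforced Ruby floor at the same moment the commit moves `.ruby-version` and the CI image to 3.1.3, so a developer on an older Ruby now gets an opaque gem-resolution failure instead of Bundler's explicit "Your Ruby version is ..." error; keep the directive and raise it, `ruby '>= 3.1'`. The exact `gem "jekyll", "4.2.2"` pin and the `webrick` addition are well explained by their inline comments. Separately, `.bundler-version` is set to 2.4.12 in this commit while the Gemfile.lock's `BUNDLED WITH` records 2.4.17, which is worth aligning so the two files do not disagree about the Bundler that produced the lock.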
@@ -11,7 +11,7 @@ group :jekyll_plugins do gem 'jekyll-paginate-v2', "3.0.0" gem 'jekyll-sitemap' gem 'jekyll-seo-tag' - gem 'jekyll-assets', git: "https://github.com/envygeeks/jekyll-assets" + gem 'jekyll-datapage-generator' end # Windows does not include zoneinfo files, so bundle the tzinfo-data gem @@ -20,4 +20,7 @@ gem "tzinfo-data", platforms: [:mingw, :mswin, :x64_mingw, :jruby] # Performance-booster for watching directories on Windows gem "wdm", "~> 0.1.0" if Gem.win_platform? -gem "html-proofer", "~> 3.19", ">= 3.19.4" +#gem "html-proofer", "~> 3.19", ">= 3.19.4" +gem "html-proofer", "~> 3.18" + + diff --git a/Gemfile.lock b/Gemfile.lock index 9b466e1aa..f55111f5c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,45 +1,19 @@ -GIT - remote: https://github.com/envygeeks/jekyll-assets - revision: 056d2c88719ef3b1f90967a606dd1441581dd832 - specs: - jekyll-assets (4.0.0.alpha) - activesupport (>= 5, < 7) - execjs (~> 2.7) - extras (~> 0.2) - fastimage (~> 2.0, >= 1.8) - jekyll (>= 3.5, < 5.0) - jekyll-sanity (~> 1.2) - liquid-tag-parser (>= 1, < 3) - nokogiri (~> 1.10) - pathutil (~> 0.16) - sassc (>= 1.11, < 3.0) - sprockets (~> 4.0.beta7) - GEM remote: https://rubygems.org/ specs: - activesupport (6.1.7.3) - concurrent-ruby (~> 1.0, >= 1.0.2) - i18n (>= 1.6, < 2) - minitest (>= 5.1) - tzinfo (~> 2.0) - zeitwerk (~> 2.3) - addressable (2.8.1) + addressable (2.8.4) public_suffix (>= 2.0.2, < 6.0) - autoprefixer-rails (10.4.2.0) + autoprefixer-rails (10.4.13.0) execjs (~> 2) colorator (1.1.0) concurrent-ruby (1.2.2) em-websocket (0.5.3) eventmachine (>= 0.12.9) http_parser.rb (~> 0) - ethon (0.15.0) + ethon (0.16.0) ffi (>= 1.15.0) eventmachine (1.2.7) execjs (2.7.0) - extras (0.3.0) - forwardable-extended (~> 2.5) - fastimage (2.2.6) ffi (1.15.5) forwardable-extended (2.6.0) html-proofer (3.19.4) 
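Review bot: The html-proofer change in the third hunk leaves the old constraint behind as dead text, `#gem "html-proofer", "~> 3.19", ">= 3.19.4"`, with no note on why the floor was lowered; the lock in this same commit still resolves html-proofer 3.19.4, so `~> 3.18` changes nothing today but will accept a 3.18.x resolution on the next re-lock. Either delete the commented line or replace it with the reason, e.g. `gem "html-proofer", "~> 3.18" # floor lowered to 3.18: <reason>`, and drop the two trailing blank lines the hunk appends to the file. Replacing the git-sourced jekyll-assets with the released jekyll-datapage-generator gem in the second hunk is a good move for reproducibility, since a git source is pinned only by the lock's recorded revision.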
@@ -51,9 +25,9 @@ GEM typhoeus (~> 1.3) yell (~> 2.0) http_parser.rb (0.8.0) - i18n (1.12.0) + i18n (1.13.0) concurrent-ruby (~> 1.0) - jekyll (4.2.1) + jekyll (4.2.2) addressable (~> 2.4) colorator (~> 1.0) em-websocket (~> 0.5) @@ -68,16 +42,14 @@ GEM rouge (~> 3.0) safe_yaml (~> 1.0) terminal-table (~> 2.0) - jekyll-feed (0.16.0) + jekyll-datapage-generator (1.4.0) + jekyll-feed (0.17.0) jekyll (>= 3.7, < 5.0) jekyll-paginate-v2 (3.0.0) jekyll (>= 3.0, < 5.0) jekyll-redirect-from (0.16.0) jekyll (>= 3.3, < 5.0) - jekyll-sanity (1.6.0) - jekyll (>= 3.1, < 5.0) - pathutil (~> 0.16) - jekyll-sass-converter (2.1.0) + jekyll-sass-converter (2.2.0) sassc (> 2.0.1, < 3.0) jekyll-seo-tag (2.8.0) jekyll (>= 3.8, < 5.0) @@ -85,50 +57,40 @@ GEM jekyll (>= 3.7, < 5.0) jekyll-watch (2.2.1) listen (~> 3.0) - kramdown (2.3.1) + kramdown (2.4.0) rexml kramdown-parser-gfm (1.1.0) kramdown (~> 2.0) - liquid (4.0.3) - liquid-tag-parser (2.0.2) - extras (~> 0.3) - liquid (>= 3.0, < 5.0) - listen (3.7.1) + liquid (4.0.4) + listen (3.8.0) rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) mercenary (0.4.0) - mini_portile2 (2.8.1) - minitest (5.18.0) + mini_portile2 (2.8.2) nokogiri (1.14.3) mini_portile2 (~> 2.8.0) racc (~> 1.4) - parallel (1.22.1) + parallel (1.23.0) pathutil (0.16.2) forwardable-extended (~> 2.6) - public_suffix (5.0.0) + public_suffix (5.0.1) racc (1.6.2) - rack (3.0.6.1) rainbow (3.1.1) - rb-fsevent (0.11.1) + rb-fsevent (0.11.2) rb-inotify (0.10.1) ffi (~> 1.0) rexml (3.2.5) - rouge (3.28.0) + rouge (3.30.0) safe_yaml (1.0.5) sassc (2.4.0) ffi (~> 1.9) - sprockets (4.2.0) - concurrent-ruby (~> 1.0) - rack (>= 2.2.4, < 4) terminal-table (2.0.0) unicode-display_width (~> 1.1, >= 1.1.1) typhoeus (1.4.0) ethon (>= 0.9.0) - tzinfo (2.0.6) - concurrent-ruby (~> 1.0) unicode-display_width (1.8.0) + webrick (1.8.1) yell (2.2.2) - zeitwerk (2.6.7) PLATFORMS ruby 
@@ -136,18 +98,16 @@ PLATFORMS DEPENDENCIES autoprefixer-rails execjs (= 2.7.0) - html-proofer (~> 3.19, >= 3.19.4) - jekyll (~> 4.0) - jekyll-assets! + html-proofer (~> 3.18) + jekyll (= 4.2.2) + jekyll-datapage-generator jekyll-feed (~> 0.15) jekyll-paginate-v2 (= 3.0.0) jekyll-redirect-from jekyll-seo-tag jekyll-sitemap tzinfo-data - -RUBY VERSION - ruby 2.7.4p191 + webrick BUNDLED WITH - 2.1.4 + 2.4.17 diff --git a/README.md b/README.md index 64107a818..2274626c8 100644 --- a/README.md +++ b/README.md @@ -35,9 +35,7 @@ $ npm start OR -` -$ bundle exec jekyll serve -` +`$ bundle exec jekyll serve` To build but not serve the site, run diff --git a/_arch/architecture.md b/_arch/architecture.md new file mode 100644 index 000000000..cf641a549 --- /dev/null +++ b/_arch/architecture.md @@ -0,0 +1,882 @@ +--- +layout: page +collection: arch +title: FICAM Architecture +permalink: /arch/ +sidenav: arch +sticky_sidenav: true + +subnav: + - text: Introduction + href: '#introduction' + - text: Goals and Objectives + href: '#goals-and-objectives' + - text: Services Framework and Service Descriptions + href: '#services-framework-and-service-descriptions' + - text: Use Cases + href: '#use-cases' + - text: Reference Example + href: '#reference-example' + - text: Policies and Standards + href: '#policies-and-standards' + +--- + + + +U.S. General Services Administration Logo +U.S. Federal Chief Information Officer Council Logo

+ + + +
+
+

+ +

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ FICAM Architecture version table +
Version NumberDateChange Description
3.36/20/2023Combined separate architecture pages into a single web page. Updated change table to reflect all version updates.
3.29/30/2022Editorial updates.
  • 1. Consolidated use cases into a table format.
  • Combined services framework and services description.
  • Updated access management services description to differentiate authentication from authorization and include an overview of difference access models.

Map FICAM playbooks to FICAM Roadmap Part B content. **Version 3.2 sunsets FICAM Roadmap Part B content**.

3.11/6/2021FICAM Architecture v3.1 incorporates updates proposed by the Federal CISO Council ICAM Subcommittee.
  • Clarified introduction, goals, and objectives section.
  • Added Privileged Access Management as Access Management Service.
  • Added Identity Governance as Governance Services.
  • Streamlined use case language and order.
  • Updated system component examples.
  • Updated standards and policies.
  • Updated graphics.
3.011/27/2019Version 3.0 for the Architecture represents the baseline changes to FICAM Roadmap Part A released in 2016. Version 3.0 sunsets FICAM Roadmap Part A content.
2.012/2/2011Revised to include new Part B:Implementation Guidance
  • Chapter 6: ICAM Implementation Planning
  • Chapter 7: Initiative 5: Streamline Collection and Sharing of Digital Identity Data
  • Chapter 8: Initiative 6: Fully Leverage PIV and PIV-I Credentials
  • Chapter 9: Access Control Convergence
  • Chapter 10: Initiative 7: Modernize PACS Infrastructure
  • Chapter 11: Initiative 8: Modernize LACS Infrastructure
  • Chapter 12: Initiative 9: Implement Federated Identity Capability
  • Inclusion of Glossary appendix
  • Editorial and formatting corrections
  • Terminology updates to maintain consistency between Parts A and B
  • Updates to content related to the Federal Public Key Infrastructure to reflect infrastructure upgrades since original publication.
1.011/10/2009Initial publication of the document, including:
  • Chapter 1: Introduction
  • Chapter 2: Overview of ICAM
  • Part A: ICAM Segment Architecture
  • Chapter 3: ICAM Segment Architecture
  • Chapter 4: ICAM Use Cases
  • Chapter 5: Transition Roadmap and Milestones
+ +
+
+ + +# Introduction + +FICAM is the federal government’s implementation of Identity, Credential, and Access Management (ICAM). + +> **_ICAM_** is the set of tools, policies, and systems that an agency uses to enable the **_right individual_** to access the **_right resource_**, at the **_right time_**, for the **_right reason_** in support of **_federal business objectives_**. + +This version of the FICAM Architecture encompasses the **enterprise** ICAM policies, technologies, and system approaches for government employees, contractors, and authorized partners. Citizen interactions with the federal government - or consumer ICAM - are not covered under this version of the FICAM Architecture. + +The following diagram is a high-level view of the ICAM practice areas and supporting elements. + +A diagram with definitions and icons for identity, credential, and access management and definitions for federation and governance. + +The FICAM Architecture includes government-wide enterprise architecture views with the flexibility to support each agency’s unique business or mission needs. Use the FICAM Architecture as a tool to continuously improve upon your agency’s approach and align with federal security and privacy initiatives. + +Copy the graphics and text throughout this playbook to use at your agency to drive ICAM awareness, strategy developments, and communications. + +## What Is ICAM? + +ICAM is the set of tools, policies, and systems that an agency uses to enable the right individual to access the right resource, at the right time, for the right reason in support of federal business objectives. + +Agencies implement ICAM services and solutions to unify their IT services, improve physical access control, and improve information security and decisions. Understanding the building blocks of ICAM is key to understanding the FICAM Architecture. ICAM has three practice areas and two supporting elements. The supporting elements enhance the capabilities of the practice areas. 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +## What Is the FICAM Architecture? +FICAM is the federal government’s enterprise approach to design, plan, and execute common ICAM processes. + +The FICAM Architecture is a framework for an agency to use in ICAM program and solution roadmap planning. The FICAM Architecture focuses on enterprise identity processes, practices, policies, and information security disciplines. + +> A federal enterprise identity is the unique representation of an employee, contractor, or enterprise user, which could be a mission or business partner, or even a device or technology managed by a Federal agency to achieve its mission and business goals [(OMB Memorandum 19-17)](https://www.whitehouse.gov/wp-content/uploads/2019/05/M-19-17.pdf){:target="_blank"}{:rel="noopener noreferrer"}. + +## Who Is the FICAM Architecture for? +The FICAM Architecture is for agency personnel. An enterprise architecture is primarily used by: +- **Senior Federal IT and Agency Stakeholders** to understand the concepts for identity and access management services and the basic use cases supporting business objectives. +- **Program Managers** to find common definitions and frameworks for use in planning. +- **Enterprise and Application Architects** to use a common framework for designing and governing IT systems, applications, and implementations. + +There are four main governmentwide initiatives to help agencies implement and manage an Agency ICAM program and technology. + + 1. **Planning and Configuration Guidance** The FICAM Architecture and accompanying [playbooks]({{site.baseurl}}/playbooks/) provides an overall guide for meeting federal ICAM requirements in an efficient and secure way. It focuses on enterprise identity processes, practices, policies, and information security disciplines. Playbooks offer stakeholders overarching strategies and tactical approaches for implementing technical FICAM topics. + 2. 
[Interagency Forum and Subcommittee]({{site.baseurl}}/ficam/#icam-governance-bodies): The Federal Chief Information Security Officer (CISO) Council is a primary resource for identity management, secure access, authentication, authorization, credentials, privileges, and access lifecycle management. The ICAM Subcommittee aligns identity management activities of the federal government and supports collaborative government-wide efforts. + 3. [Approved Products Lists (APL)]({{site.baseurl}}/fips201/): The Federal Information Processing Standard 201 (FIPS 201) Evaluation Program not only tests commercial products for use in Personal Identity Verification (PIV) credentialing systems, physical access control systems (PACS), and public key infrastructures but also publish APLs. Federal acquisition professionals rely on these APLs to purchase commercial products that fully comply with federal ICAM mandates. + 4. [Federal Public Key Infrastructure (PKI)]({{site.baseurl}}/university/fpki/): The Federal PKI is a network of certification authorities (CAs) that issue PIV credentials and person identity certificates; PIV-Interoperable credentials and person identity certificates; and other person identity certificates. CA-issued digital certificates, which employ cryptography, close security gaps in user identification and authentication, encryption of sensitive data, and data integrity. + +## What Is the History of the FICAM Architecture? +The FICAM Architecture was created in 2009 to provide a common ICAM segment architecture for federal agencies. The FICAM Architecture was the primary foundation of what later became the _FICAM Roadmap and Implementation Plan_ enhanced with complementary implementation sections. + +In 2015, ICAM experts from across the federal government collaborated on an updated FICAM Architecture. 
This update was intended to be more concise, easy to understand, and visually appealing while reflecting the latest updates in cybersecurity, enterprise architecture, and ICAM policy and technology. + +This site contains the current version for the FICAM Architecture. The FICAM Roadmap and Implementation Guidance v2.0 is superseded by both the FICAM Architecture updates and other complementary modernized playbooks developed by ICAM committees across government. + +# Goals and Objectives + +The Goals and Objectives identify the aims and outcomes of a federal agency enterprise ICAM program. The goals and objectives align with ICAM functions and map to government-wide policies, cross-agency priorities, and strategic government initiatives. + +**Goals** are aspirational statements designed for senior government leaders, agency executives, and agency ICAM program leadership responsible for setting program strategy. **Objectives** are action areas where agency execution strategies, action plans, and performance metrics can be developed based on alignment with mission needs. + +The visual below presents the three goals, each with its own objectives. + + + Three boxes that define the goals and their corresponding objectives. + + +**Goal 1: Modernize security policies and solutions to make risk-based decisions, automate identity and access management processes, and move access protections closer to government data.** + +- 1.1 Review, update, and maintain comprehensive ICAM policies and technology solution roadmaps to inform and enforce enterprise strategic planning, risk management, and modernization. +- 1.2 Adopt and use cloud-ready systems that provide an efficient and secure way to access resources. +- 1.3 Monitor and respond to user behavior and events by using data as a strategic asset to make adaptive and risk-based decisions. 
+ +**Goal 2: Enable missions to efficiently deliver services to federal and contractor employees and resources.** + +- 2.1 Establish and manage identities for all enterprise users and resources. +- 2.2 Design enterprise solutions to manage access to information and resources. +- 2.3 Use enterprise identity information discovery and enterprise centralized access management. +- 2.4 Leverage federated solutions to accept identity and authentication assertions made by other agency and mission partners when efficient. + +**Goal 3: Provide enterprise-level solutions within agencies to improve operations and promote cost-effective and efficient use of resources.** + +- 3.1 Streamline ICAM governance and program management within each agency to optimize execution, ensure consistency, and align intent across the enterprise. +- 3.2 Evaluate, rationalize, and migrate to modern, cloud-smart solutions for ICAM services. +- 3.3 Promote interoperability and efficiency across the federal government by buying and building ICAM solutions that use open, commercially adopted standards. + +# Services Framework and Service Descriptions + +The Services Framework is a tool designed for ICAM program managers and information technology enterprise architects. It identifies the services that provide functionality within the scope of ICAM and assists in distinguishing between business requirements and technical solutions. The services framework includes the five practice areas and services within. + +## Practice Area Visual + +The graphic below illustrates the five ICAM practice areas and provides a list of services that fall within each area. + +Five boxes that each correspond to a FICAM practice area or supporting element. Each box lists the agency services that correspond to that area. You can find the services and definitions in the following pages. + +## Identity Management + +An orange box with the list of Identity Management services defined later in the body text of this page. 
+ +Identity Management is how an agency collects, verifies, manages attributes, and entitlements to establish and maintain enterprise identities for federal government employees, contractors, and authorized mission partners. This service does not apply to public or consumer identity management. + +An enterprise identity record is the set of attributes or characteristics that describes a person within a given context: + +- Your identity within your agency’s Human Resources (HR) system is different from your personal identity at your bank. +- A person’s identity as a government contractor is different from their identity as an Army Reservist. + +Although your identity remains the same over time, it evolves as your attributes change, such as when you get a promotion, change your name, receive additional training, or retire. + +Agencies should manage identity attributes as centrally as possible and distribute them as needed. Examples of identity attributes include: + +- *Core identity attributes* - First name, last name, and address of record. +- *Contact attributes* - Physical location, government phone number, and government email address. +- *Authorization attributes* - Clearance, training, and job codes. + +An entitlement is a specific type of authorization attribute that refers to an application permission. Entitlements management is the act of managing those permissions. An agency may group multiple entitlements into a specific role or group to streamline provision and de-provision activities as well as for auditing and reporting purposes. For example, a new employee may require access to ten core enterprise applications on the first day of work. An agency can create a new employee group with new employee entitlements and automate provisioning of the ten core applications rather than treat them as individual access requests. +Attributes and entitlements are created or aggregated through a number of manual and automated mechanisms. 
Mechanisms may include: + +Attributes and entitlements are created or aggregated through a number of manual and automated mechanisms. Mechanisms may include: + +- Use a single sign-on tool to aggregate application access entitlements. +- Allow employees to update contact attributes in an employee record. +- Automate integration between a training system and an identity governance and administration tool to create and update annual security training. + +Identity proofing is how an agency verifies an enterprise identity. The complexity of this process depends on the Identity Assurance Level (IAL) required for an identity. Federal agencies require a minimum IAL3 for employees and contractors. For example, a federal employee or contractor presents identity attributes via a driver’s license or utility bill. The agency verifies the identity documents and the individual’s photo (biometric). + +An identifier is a unique attribute used to locate an identity in a system: + +- While your agency may issue Personal Identification Verification (PIV) cards to multiple people named John Smith, each individual has a different PIV card number. +- While your agency may have more than one employee named Jane Smith, each employee has a unique email address tied only to their identity. + +The Identity Management services in the Federal ICAM architecture include Creation, Identity Proofing, Provisioning, Maintenance, Identity Aggregation, and Deactivation. These services are sometimes collectively known as **Identity Lifecycle Management**. + +| Service | Description | Keywords | +| --- | ------ | -----| +| Creation | Establish an identity made of attributes that define a person or entity. | Identity Record, Authoritative Source | +| Identity Proofing | Use identity attributes to connect a digital identity to a real-world entity. | Source Document Validation, Remote Proofing, In-Person Proofing| +| Provisioning | Create, manage, and delete accounts and entitlements. 
| Identity Lifecycle Management, Workflow, Deprovisioning, Account Management, Account Creation, Entitlements Management | +| Maintenance | Maintain accurate and current attributes in an identity record over its lifecycle. | Identity Lifecycle Management, Updating, Attribute Management | +| Identity Aggregation | Find and connect disparate identity records for the same person or entity. | Identity Reconciliation, Identity Resolution, Account Linking| +| Deactivation | Deactivate or remove enterprise identity records. | Identity Lifecycle Management, Suspension, Archiving, Deletion | + +## Credential Management + +A green box with the list of Credential Management services defined later in the body text of this page. + +Credential Management is how an agency issues, manages, and revokes credentials bound to enterprise identities. + +A credential is a data structure that authoritatively binds an authenticator to an existing identity using one or more identifiers. + +Types of authenticators include: + +- Something you know, like a password or PIN. +- Something you have, like a private key or One-Time Password (OTP) generator. +- Something you are, like a fingerprint or an iris. + +The Authenticator Assurance Level (AAL) determines the authenticators associated with a credential. Federal government-wide policy requires a minimum AAL2 for employees and contractors. + +Examples of credentials include: + +- An agency-issued smart card, such as a PIV or Common Access Card (CAC), that includes a picture and cryptographic key pairs to assert your identity at a federal facility. +- A combination of credentials, such as a username/password with an OTP generated by a mobile application, to assert your identity to a federal web application. + +Unlike identities, credentials can expire. If an enterprise identity continues past a credential’s expiration date, the issuing agency can issue a new credential. 
+ +The Credential Management services in the FICAM architecture include Sponsorship, Registration, Generation & Issuance, Maintenance, and Revocation. + +| Service | Description | Keywords | +| --- | ------ | -----| +| Sponsorship | Formally establish that a person or entity requires a credential. | Sponsor, Authorizing Official, Affiliation, Request | +| Registration | Collect the information needed from a person or entity to issue them a credential. | Enrollment | +| Generation & Issuance | Assign a credential to a person or entity. | Activation, Token, Authenticator | +| Maintenance | Maintain a credential throughout its lifecycle. | Renewal, Reset, Suspension, Reissuance | +| Revocation | Revoke a credential from a person or entity, or deactivate an authenticator. | Termination | + +## Access Management + +A blue box with the list of Access Management services defined later in the body text of this page. + +Access Management is how an agency authenticates enterprise identities and authorizes appropriate access to protected services. + +Policy administration is a combination of laws, regulations, rules, and agency policies that secures access to agency services. Your agency determines the requirements for an individual to access each resource category; they can be as simple or as complex as needed. + +Examples of access requirements include: + +- “Grant access to anyone on this list of people.” +- “Grant access to any agency employee or contractor with an authenticated PIV card.” +- “Grant access to anyone who is a federal employee, GS-12 or higher, cleared Top Secret, trained in first aid, and certified as a project manager.” + +In providing access services, it can be challenging to conduct an application discovery and inventory for both physical and logical access. 
For logical access, see the [Application Inventory and Identity Risk Analysis section of the Enterprise Single Sign-On Playbook.]({{site.baseurl}}/playbooks/sso/#step-2-plan-application-integration){:target="_blank"}{:rel="noopener noreferrer"} + +### Authentication + +Authentication is how you verify the claimed identity of someone trying to access an agency resource. Typically, you’ll verify an identity using an authenticator associated with a credential. To determine the appropriate authenticator level, use the [Digital Identity Risk Assessment Playbook]({{site.baseurl}}/playbooks/dira/){:target="_blank"}{:rel="noopener noreferrer"} + +Authentication is generally a two-step process: + +> *Step 1.* Authenticate the credential: + +- Did a trusted organization issue the credential? +- Has the credential expired? +- Has the credential been revoked, voided, or tampered with? + +> *Step 2.* Ensure the individual to whom the credential was issued is the same individual presenting it: + +- Do the photo and attributes on the credential match the person who presented it? +- Does the person know the PIN for the credential? +- Does the person have the private key on the smart card for the certificate presented to a website? + +### Authorization + +Authorization is how you decide whether you should allow someone to access an agency resource. Access requirements usually dictate whether you’ll allow someone to: + +- Read or modify a certain document. +- Access an agency website. +- Enter an agency facility or location. + +Usually, authorization occurs immediately after authentication. When you log in to a service, you present your credentials. The service then confirms that your credentials are valid (authentication) and grants or denies you access based on your assigned permissions (authorization). + +Authorizations are based on progressive, fine-grained access models. 
Most agencies implement role-based access and move toward more fine-grained access such as attribute-based or risk adaptive access control, as outlined in the [Federal Zero Trust Strategy](https://zerotrust.cyber.gov/federal-zero-trust-strategy/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}{:class="usa-link usa-link--external"}. While there are defined access models, vendors may implement them in different or overlapping ways. Ensure your agency develops use cases and understands how a vendor meets the use case. + +| | Less Fine-Grained | --> | --> | More Fine-Grained | +| |:----:|:----:|:----:|:----:| +| Access Model | Access Control Lists (ACLs) | Role-Based Access Control (RBAC) | Attribute-Based Access Control (ABAC)| Risk Adaptive Access Control (RAAC) | +| Description | A static list of entities with their access rights. | Access based on a user's static pre-defined role. | Access based on a user's assigned attributes which may be static or dynamic. | Access based on dynamic risk factors. | +| Example | Allow Jane Doe access to email application | Jane Doe is assigned the user role "New Employee" which grants access to email and sharepoint. | Allow Jane Doe to access email if on a government device (device attribute) and in the United States (location attribute). | If Jane Doe is in assigned work location, allow email access from any managed device. If Jane Doe is not in assigned work location, only allow email access from a government device. | + +Each authorization model has benefits and limitations. The policies and access requirements defined by agency business owners help define the model that best suits their needs. More robust access control models, such as ABAC, can help agencies with improved automation, and they are increasingly adopted by cloud-native and cloud-friendly services. 
+ +The Access Management services in the FICAM architecture include Policy Administration, Authentication, Authorization, and Privileged Access Management. + +| Service | Description | Keywords | +| --- | ------ | -----| +| Digital Policy Administration | Create and maintain the technical access requirements that govern access to protected agency services. | Policy Decision, Policy Enforcement | +| Authentication | Verify that a claimed identity is genuine based on valid credentials. | Validation, Two-Factor, Multi-Factor | +| Authorization | Grant or deny access requests to protected agency services based on access requirements, identity attributes, and entitlements. | Policy Decision, Policy Enforcement | +| Privileged Access Management | Protect access to accounts that have access permissions that can affect IT system configurations and data security (e.g., superusers, domain administrators, or global administrators). | Privileged Identity Management, Privileged Account Management, Administration, Superuser | + +## Federation + +A gray box with the list of Federation services defined later in the body text of this page. + +Federation is the technology, policies, standards, and processes that allow an agency to accept digital identities, attributes, and credentials managed by other agencies. + +Federation has many different applications, including: + +- *Accepting an authentication transaction from another organization:* + +> Agency A authenticates one of its users and passes identity attributes and transaction details to Agency B. Agency B grants access to an application for that identity. + +- *Accepting specific characteristics (i.e., attributes such as identifiers) describing an individual from another organization:* + +> An individual can use their agency-issued credential containing an internal identifier(s) to directly log in to a different agency’s online service. The online service registers the identifier(s) in its system for future use. 
+ +The Federation services in the FICAM architecture include Policy Alignment, Authentication Broker, and Attribute Exchange. + +| Service | Description | Keywords | +| --- | ------ | -----| +| Policy Alignment | Develop relationships and a common understanding between parties by establishing authorities, policies, standards, and principles. | Trust Relationship | +| Authentication Broker | Transform an authentication event into an alternative format, such as an assertion, containing claims about the entity and the authentication transaction, to grant access to a resource. | Assertion Service, Federation Assertion, Security Token Service | +| Attribute Exchange | Discover and acquire identity or other attributes between different systems to promote access decisions and interoperability. | Attribute Definition | + +## Governance + +A navy box with the list of Governance services defined later in the body text of this page. + +Governance is the set of practices and systems that guides ICAM functions, activities, and outcomes. + +To perform effective governance, agencies must collect data about ICAM functions from many sources, such as policies and entitlements stores, and analyze this data. Proper data analytics help agencies monitor compliance with established information security policies. + +If your agency identifies problems during data collection and analysis, you should remediate these issues as quickly as possible. Real-time monitoring and risk mitigation are crucial to ensure employees and contractors have only the appropriate access, following the principle of least privilege. + +The Governance services in the FICAM architecture include Identity Governance, Analytics, and Mitigation. + +| Service | Description | Keywords | +| --- | ------ | -----| +| Identity Governance | The systems, solutions, and rules that link enterprise personnel, applications, and data to help agencies manage access and risk. 
| Management Framework, Rules and Procedures, Access Reviews and Recertifications | +| Analytics | Leverage continuous analytics data to identify if someone has entitlements that conflict with access requirements. | Data collection, Monitoring, Review, Data Certification, Auditing and Reporting | +| Mitigation | Correct the problems and address risks, discovered by analysis, that may occur during standard operations. | Redress, Remediation | + +# Use Cases + +These use cases are designed for ICAM Enterprise Architects and business owners and describe some of the most common ICAM business processes. + +Each use case includes a high-level summary of the scenario, individuals and systems involved in the use case, illustrations that show the required steps to achieve the end goal, and an icon that indicates the practice area and the service with which the use case most closely aligns. + +For details about ICAM services, see the [Services Framework](#services-framework-and-service-descriptions). + +While each use case describes a particular ICAM business process, the use cases are all interrelated. The use cases generalize the activities and technologies to make sure they apply across many agencies. + +You can combine or build upon the ICAM use cases to support your agency’s scenarios and needs. +
+ + +
+

+ +

+
+

Three hexagons with the letters I, C, and A. The I is highlighted in red for Identity Management, with a red banner for the Creation service.

+

When you onboard an employee or contractor at your agency, you collect identity information from the individual and store parts of that information as identity attributes. These attributes serve as a digital proxy for the individual’s identity, also known as an enterprise identity.

+
+

Use Case

+

In this use case, an administrator needs to collect or manage identity data for an employee or contractor for the purpose of creating an enterprise identity record and maintaining it throughout its lifecycle.

+

Icon Key for the diagrams that follow.

+ + + + + + + + + + + + + + + + + + + + + + + + + +
1. Collect information
A diagram showing an employee or contractor providing identity information to an administrator with the authoritative source.
The administrator collects identity information from the employee or contractor.

This identity information may come from the individual, onboarding documents, or HR systems.
2. Create an enterprise identity
A diagram showing the authoritative source populating the identity information into a data repository, creating an enterprise identity in the authoritative source.
The administrator adds the identity information to the authoritative source, a data repository.

Result: An enterprise identity in the authoritative source for the employee or contractor.
3. Maintain the enterprise identityThe following steps describe identity maintenance your agency should perform on a regular basis.
3a. Identify and aggregate identity data
A diagram showing the data repository with multiple enterprise identities for one individual, and an arrow indicating the change to a single consolidated enterprise identity.
Query your data repositories for any existing identities for an individual. Aggregate these attributes as a single enterprise identity for the individual.
3b. Update the enterprise identity
A diagram showing two paths to update an identity. Path 1 is the administrator updating the enterprise identity directly in the authoritative source. Path 2 is the employee or contractor updating their personal information in an agency application, and the application updating the enterprise identity in the authoritative source.
If an individual has updated personal information, there are two ways to update the enterprise identity:

  • The administrator updates the individual’s enterprise identity attributes directly in the authoritative sources.
  • The individual uses an agency application to update their personal information, and the application updates the individual’s enterprise identity attributes in the authoritative sources.
3c. Delete the enterprise identity
A diagram showing an administrator deleting an enterprise identity.
When you need to delete an enterprise identity, delete the identity attributes in the authoritative source.
+
+

Example

+

I want to create a new enterprise identity so that an individual may be established as a federal employee or contractor that will need to be identity proofed, credentialed, and granted access to agency services.


+
+

+ +

+
+

Three hexagons with the letters I, C, and A. The I is highlighted in orange for Identity Management, with an orange banner for the Identity Proofing service.

+

Before you can create a credential and assign it to an individual, that person must provide proof of their claimed identity. Identity proofing is the process by which a federal agency collects and verifies information about a person to establish an enterprise identity.

+

The location or information that a person needs to access informs the Identity Assurance Level (IAL), which determines the elements you should require from that person for identity proofing. There are three IALs; however, federal agencies require a minimum of IAL2 for employees or contractors with recurring access to government resources, so these use cases do not include IAL1.

+

This use case describes the high-level steps to proof an identity at IAL2 or IAL3. Depending on the required IAL, you may require increasingly more information from an employee or contractor or partner along with additional verification steps. The information provided by the employee or contractor is also known as identity evidence. Identity evidence may be physical, such as passports, driver’s licenses, and birth certificates.

+
    +
  • IAL2 - first and last name, email address, and address of record, supported by appropriate identity documentation and verified as strong.
  • +
  • IAL3 - first and last name, email address, address of record, and fingerprints, supported by appropriate identity documentation and verified as superior.
  • +
+

For more information about identity proofing and IALs, see NIST SP 800-63A (Section 2.2).

+
+

Use Case

+

In this use case, an administrator needs to collect or manage identity data for an employee or contractor for the purpose of creating an enterprise identity record and maintaining it throughout its lifecycle.

+

Icon Key for the diagrams that follow.

+ + + + + + + + + +
1. Collect identity information
A diagram showing an employee or contractor presenting information or data to an administrator.
IAL2 (In-person or remote) - The employee or contractor presents identity information, like first name, last name, and address of record.

IAL3 (In-person or supervised remote) - The employee or contractor presents identity information, like first name, last name, and address of record, and biometric data like fingerprints.
2. Verify the identity information
A diagram showing an administrator verifying information presented by an employee or contractor.
IAL2 - The administrator confirms the information provided is valid and current by comparing photo identification to the individual, or confirming contact information, ensuring it matches the provided documentation.

IAL3 - The administrator verifies all information with the issuing organization.
Result: The individual’s identity has been successfully proofed at IAL2, or IAL3.
+
+

Examples

+
    +
  • I want to proof the identity of an employee or contractor to verify that the individual is who she says she is so that she can be issued a unique enterprise credential.
  • +
  • A prospective employee or contractor has filled out their information in an HR system and requires IAL3 proofing and minimum background investigations. The prospective employee/contractor is then scheduled for in-person proofing. The prospective employee/contractor brings required identity documentation; the information is verified using approved documentation and biometrics are captured.
  • +

+
+

+ +

+
+

Three hexagons with the letters I, C, and A. The I is highlighted in orange for Identity Management, with an orange banner for the Provisioning service.

+

You can assign access entitlements to individuals, roles, and groups. These entitlements define an employee or contractor’s access to agency services, so you’ll need to assign entitlements before an employee or contractor can access an agency service.

+
+

Use Case

+

In this use case, an administrator needs to assign entitlements to an employee or contractor.

+

Icon Key for the diagrams that follow.

+ + + + + + + + + + + + + +
1. Initiate the request
A diagram showing an employee or contractor requesting entitlements from an administrator.
An individual requests entitlements, or joins a team with specific access requirements.

The requestor may be the employee or contractor, their supervisor, HR, or a security team member.
2. Review the request
A diagram showing an administrator comparing an entitlement request with access requirements.
The administrator compares the employee or contractor’s requested entitlements with the relevant access requirements.

If the employee or contractor qualifies for the requested entitlements and has a mission need for access, the administrator approves the request.
3. Assign the entitlements
A diagram showing an administrator assigning entitlements to the employee or contractor.
The administrator assigns the entitlements to the employee or contractor.

Any time the employee or contractor’s role or relationship changes, the administrator updates the entitlements accordingly, including removing entitlements as needed.
+
+

Examples

+
    +
  • I want to indicate that an employee or contractor requires and is allowed access to an agency service so that they can access the service when needed.
  • +
  • An employee is hired to be part of the financial review team and requires access to financial applications. The employee has a role assigned to their enterprise identity record and associated with their identity attributes.
  • +

+
+

+ +

+
+

Three hexagons with the letters I, C, and A. The C is highlighted in green for Credential Management, with a green banner for the Issuance service.

+

After you identity proof an individual, you’ll issue some proof of that individual’s claimed identity. A credential (like a physical card) is a type of authenticator that serves as a tool for an employee or contractor to gain access to agency services.

+
+

Use Case

+

In this use case, an administrator needs to issue a credential to an employee or contractor.

+

Note: The preferred credential for employees and contractors is a PIV card. For cases where you cannot issue a PIV card, you must use a combination of factors to reach at least an Authenticator Assurance Level 2 (AAL2) credential.

+

For more information about authentication and AALs, see NIST SP 800-63B (Section 4).

+

Icon Key for the diagrams that follow.

+ + + + + + + + + + + + + +
1. Initiate the request
A diagram showing an employee or contractor and a sponsor or supervisor initiating a credential request with an administrator.
An individual presents a valid government issued ID.
2. Review the request
A diagram showing an administrator verifying the presented credential with the organization that issued it.
The government ID is verified with the organization that issued it.
3. Generate and assign the authenticator(s)
A diagram showing an administrator generating and assigning an authenticator to the employee or contractor.
Generate and assign the authenticator to the individual.
+
+

Example

+

I want to issue an enterprise credential, unique to an employee or contractor, so that they are able to access federal buildings and protected resources to which they require access.


+
+

+ +

+
+

Three hexagons with the letters I, C, and A. The C is highlighted in green for Credential Management, with a green banner for the Maintenance service.

+

A derived credential is a credential derived from an existing credential, with a different form factor, such as a credential on a mobile device. Derived credentials have the same IAL as the existing credential and the same or lower AAL.

+

When an employee or contractor requires authentication but cannot leverage an existing credential, they can use a derived credential. To be eligible for a derived credential, the employee or contractor must already have a valid credential with Authenticator Assurance Level (AAL) 2 or 3.

+
+

Use Case

+

In this use case, an employee or contractor interacts with the agency services to register or request a derived credential.

+

Icon Key for the diagrams that follow.

+ + + + + + + + + + + + + +
1. Initiate the request
A diagram showing an employee or contractor initiating a derived credential request to an enterprise identity management system.
A request for identity data is initiated to the identity manager.

This identity manager could be a person or system, depending on the organization.
2. Authenticate the existing credential
A diagram showing an employee or contractor authenticating an existing credential to an enterprise identity management system.
The identity manager identifies relevant sources of data on the individual.

Sources could include HR systems, security data, and personal databases.
3. Generate the derived credential
A diagram showing an enterprise identity management system generating a derived credential for an employee or contracter.
Generate the derived authenticator and note the change in the user's enterprise identity record.
+
+

Examples

+
    +
  • I want to provide an employee or contractor, who has already been issued an enterprise credential, a derived credential so that they can authenticate to enterprise applications.
  • +
  • An employee or contractor travels quite a bit as part of their job. Accordingly, they are frequently limited to using a small tablet or their phone to stay connected while on the go. In this case, a derived credential is needed for purposes such as accessing secure agency websites or an agency VPN from their mobile device.
  • +

+
+

+ +

+
+

Three hexagons with the letters I, C, and A. The C is highlighted in green for Credential Management, with a green banner for the Maintenance and Revocation services.

+

Active credentials require regular maintenance. This use case describes the most common credential maintenance activities:

+
    +
  • Reset a credential - An employee or contractor forgets the password or PIN associated with a credential and requests a reset.
  • +
  • Renew a credential - An employee or contractor’s credential is expiring or their identity information changes, so they request a replacement credential. You must renew a credential prior to the expiration date; otherwise, the employee or contractor must go through the issuance process again.
  • +
  • Revoke a credential - An employee or contractor is no longer eligible for their credential (like separating from the issuing agency). The sponsor, supervisor, or administrator requests a revocation of all associated credentials and enterprise accounts.
  • +
+

You should periodically review your employee or contractors’ eligibility for credentials to identify potential orphaned data.

+
+

Use Cases

+

Icon Key for the diagrams that follow.

+

Reset a Credential

+

In this use case, an administrator needs to reset a password or PIN for an employee or contractor credential.

+ + + + + + + + + + + + + +
1. Initiate the request
A diagram showing an employee or contractor initiating a password or pin reset request to an enterprise identity management system.
An employee or contractor forgets their password or PIN, and requests a reset.

If the request is valid, the identity management system approves the request.
2. Issue a reset
A diagram showing an enterprise identity management system issueing a password or pin reset to an employee or contracter.
The system issues a password/PIN reset, which may be a temporary password or a link to a web-based reset form.
3. Reset the credential
A diagram showing an employee or contractor resetting a password or PIN.
The employee or contractor resets their password or PIN.
+

Renew a Credential

+

In this use case, an administrator needs to issue a new credential to replace one that will expire soon or has outdated identity information.

+ + + + + + + + + + + + + +
1. Initiate the request
A diagram showing an employee or contractor initiating a credential renewal request to an enterprise identity management system.
An individual requests a renewal for an employee or contractor’s credential.

This individual may be the employee or contractor, their supervisor, or an administrator with approval authority.

This could also be an automated process triggered by schedules or specific events.
2. Review the request
A diagram showing an enterprise identity management system reviewing a credential renewal request for an employee or contracter.
The identity management system reviews the request and verifies that the employee or contractor qualifies for a renewed credential. If so, approve the request.
3. Replace the credential
A diagram showing an enterprise identity management system issueing a new credential to an employee or contracter.
The system issues a new credential to the employee or contractor, and updates the associated enterprise identity record.
+

Revoke a Credential

+

In this use case, an administrator needs to revoke an active credential.

+ + + + + + + + + + + + + +
1. Initiate the request
A diagram showing an employee or contractor or a sponsor or supervisor initiating a credential revocation request to an enterprise identity management system.
An individual sends a separation notification or a notice of a lost or compromised credential, requesting revocation.

This individual may be the employee or contractor, their supervisor, HR, or a security team member.
2. Disable the credential
A diagram showing an administrator of an enterprise identity management system invalidates the credential.
The administrator invalidates the credential.
Depending on your agency, an individual or a system may perform this task.
3. Return the credential
A diagram showing an administrator returning the invalidated hardware or physical credential to the supervisor or sponsor.
If the revoked credential is physical or hardware-based, the administrator returns the credential to the appropriate individual.

This individual may be a supervisor, HR, or security team member.
+
+

Examples

+
    +
  • An employee or contractor may have attempted to use a credential and input the PIN information incorrectly several times up to an agency-defined limit and has locked their account or credential. The employee or contractor requests a PIN reset. The employee or contractor is directed to an unlock service; has to verify information again to prove they are the same person issued the original credential; and follows prompts to unlock their credential, generating a new PIN in the process.
  • +
  • Reset - I want to verify the identity of an employee or contractor that has already been issued a credential and reset their PIN or password so that they can continue to access enterprise resources.
  • +
  • Renew - I want to verify the identity and eligibility of an employee or contractor, who has a previously issued credential that is near expiration, so that they may be issued a new enterprise credential to maintain their ability to access enterprise resources.
  • +
  • Revoke - I want to remove access to enterprise resources for an employee or contractor so that they can no longer use the protected resource.
  • +

+
+

+ +

+
+

This use case corresponds to the Authentication and Authorization service areas of Access Management.

+

+ This use case describes the steps to authenticate individuals and authorize access to agency services. Agency services can be anything from applications and files to physical facilities. +


+

+
+

Use Case

+

In this use case, an Access Control System (ACS) Administrator needs to grant access to an employee or contractor who has an enterprise identity and active credential and needs to access a logical or physical resource. These steps assume the employee or contractor already has credentials to support authentication as well as the access entitlements to support authorization decisions.

+
    +
  • Authentication - I want to verify the claimed unique identity of a given employee or contractor so that the system can verify the right individual is attempting to access an agency service.
  • +
  • Authorization - I want to allow access for only employees and contractors that meet established requirements so that only the people who should have access do have access.
  • +
+

Icon Key for the diagrams that follow.

+ + + + + + + + + + + + + + + + + + + + + +
1. Access Attempt
A diagram showing an employee or contractor attempting to access a agency service through an access control system.
An employee or contractor attempts to access an agency service.
2. Authenticate the employee or contractor
A diagram showing an employee or contractor presenting either an IAL2 or IAL3 authenticator to an access control system.
The employee or contractor presents an authenticator to the ACS that meets the protected resource’s minimum assurance requirements:
  • AAL2 (two-factor) - Something you know + something you have, like a one-time passcode.
  • AAL3 (two-factor + hardware) - Something you know + something you have, like a one-time passcode generated by a hardware-based authenticator; or a PIV credential. For more information about AAL values, see NIST SP 800-63B Section 5: Authenticator and Verifier Requirements.
3. Determine the access entitlements and access requirements
A diagram showing an access control system determining the access entitlements and access requirements.
Upon successful authentication, the ACS identifies 1) The employee or contractor's access entitlements associated with the protected resource, and 2) The protected resource's access requirements.
4. Process the access information
A diagram showing an access control system processing the employee or contractor access entitlements to the protected resources's access requirements.
The ACS compares the employee or contractor’s access entitlements to the protected resource’s access requirements to decide whether to authorize access.
5. Grant access
A diagram showing an access control system granting access to an employee or contractor.
If the employee or contractor meets the protected resource’s access requirements, the ACS grants access to the protected resource.

The ACS logs the access attempt and decision for auditing purposes.
+
+

Example

+

An employee on the financial review team attempts to access a government financial application that is secured by a single sign-on (SSO) solution. The employee clicks a link to the financial application and is redirected to the SSO portal. The employee authenticates using his/her provided credential, which the SSO determines to be valid. The SSO solution or the financial application system finds the employee’s enterprise identity account and compares the roles assigned to those allowed by the financial application. The resulting determination is that the employee has authenticated to the required assurance level and has the appropriate entitlements to access the system and is subsequently logged on.


+
+

+ +

+
+

Three hexagons with the letters I in red, C in green, and A in blue, with a gray banner for the Attribute Exchange service in Federation.

+

Federal employees and contractors often need to access protected services managed by other federal agencies. Federation is the means by which an agency can accept authentication assertions and associated identity attributes from systems within their agency and at other agencies. This allows federal employees and contractors from across agencies to access protected resources and streamlines the user’s experience.

+

Agencies can pass assertions to share attributes about employees and contractors.

+
+

Use Case

+

In this use case, an employee or contractor from Agency A attempts to access a federated service at Agency B. This use case assumes the employee or contractor already has an account or entitlements to access resources at Agency B, or that they will be provisioned.

+

For more information about granting access to protected resources, see Use Case 7. Grant Access.

+

Icon Key for the diagrams that follow.

+ + + + + + + + + + + + + + + + + +
1. Request access to federated service
A diagram showing an employee or contractor from Agency A requesting access to a federated service at Agency B.
An Agency A employee or contractor requests access to a federated service at Agency B.

The employee or contractor selects the Agency A authentication service.
2. Redirect to Agency A for authentication
A diagram showing an employee or contractor access request is redirected from Agency B access control system to the Agency A authentication service.
The Agency B system redirects the employee or contractor to the Agency A authentication service.

Agency A authenticates the employee or contractor.
3. Perform transparent transaction
A diagram showing Agency A authentication service passing identity attributes to the Agency B access control system.
Agency A passes identity attributes and transaction data to Agency B via a signed assertion.
4. Agency B grants access
A diagram showing Agency B access control system granting access to an employee or contractor from Agency A.
Agency B consumes the assertion data, optionally correlating it with an established account or local identity and makes an access control decision.

The Agency B system redirects the employee or contractor to the federated service.
+
+

Examples

+
    +
  • I want to allow other federal agencies’ employees and contractors (who meet specific requirements) to access some of my agency’s resources, which facilitates cross-government collaboration and information sharing.
  • +
  • An employee or contractor from Agency A visits a shared service operated by Agency B to service all federal government users. At the homepage, the employee/contractor selects their Agency A icon and is redirected to their Agency A SSO portal. They log in using their Agency A managed credentials and are redirected back to the Agency B shared service.
  • +
+
+
+
+ +# Reference Example + +This reference example include sample enterprise ICAM tools (e.g., solutions, applications, and software) aligned with ICAM service areas that illustrate ICAM functionality at an agency. The reference examples are designed for enterprise architects, security engineers, and solution architects to facilitate discussions regarding the technology solutions to integrate with enterprise applications and the business requirements. + +The system's components are representative examples only. Some solutions chosen by your agency may span across more than one service area. + +The following figure is an example for a small selection of system components only. You can modify the graphic or incorporate it as is and target state system components for enterprise roadmap planning. + +A diagram that shows example components for each service area, and relationships between practice areas. + +## Authoritative Sources +An authoritative source is a trusted repository of identity attribute data. It’s possible to have multiple authoritative sources for attributes. + +Authoritative sources systems components may include: + +- Human Resource systems such as payroll, time and attendance, and benefits administration +- Agency or government-wide Learning Management Systems +- Agency or government-wide Personnel Security systems for security and suitability +- Directory services, including on-premise or cloud-based directory services +- Other external or internal sources + +## Identity Management Systems +Identity management systems are how an agency manages the identity lifecycle. 
+
+Identity management system components may include:
+
+- Identity Governance and Administration tool for provisioning and workflow
+- Role management or role manager applications
+- Identity correlation or aggregation
+- Directory management
+- Virtual directories
+
+## Credential Management Systems
+Credential management systems are how an agency manages an authentication token bound to an identity.
+
+Credential management system components may include:
+
+- PIV credential service provider solutions
+- Other non-PKI credential service provider solutions
+- Federated certification authorities
+- Private certification authorities
+- Key management services
+- Enterprise certificate manager
+- Multi-factor authentication managers for software and hardware tokens
+- Password managers
+
+## Access Management Systems
+Access management systems are how an agency leverages credentials to authenticate individuals and authorize access to protected resources.
+
+Access management system components may include:
+
+- Enterprise Single Sign-On (SSO) applications
+- Web access management applications
+- Physical or facility access control systems
+- Privileged access management applications
+- Access policy and access rules repositories
+- Policy enforcement points
+- Policy decision points
+- Virtual private networks
+- Cloud access security brokers
+- Network access management tools
+
+## Governance Systems
+Governance is the set of components to centralize management, develop insights, and assist in managing ICAM areas and services. Applications across all service areas include auditing such as standard audit logs or configuration of auditable events. Governance includes the aggregation of individual auditing and reporting into centralized tools to perform real-time or near real-time analysis, identify anomalies, and trigger mitigations for anomalous authentication or authorization events. Tools are increasingly incorporating machine learning or adaptive algorithms.
+ +Governance systems components may include: + +- Identity Governance and Administration (IGA) solutions to perform access re-certifications +- IT Service Management (ITSM) +- Security information and event monitoring (SIEM) + +## Agency Endpoints +Agency endpoints are resources that an agency needs to protect, including physical and digital resources. + +Agency endpoints may include: + +- On-premise applications +- Cloud-based applications and platforms +- Agency private networks +- Government cloud email services +- Government facilities + +# Policies and Standards + +See the [ICAM Policy Matrix]({{site.baseurl}}/university/policy-matrix) for the latest set of ICAM policies and standards. + diff --git a/_arch/icam.md b/_arch/icam.md new file mode 100644 index 000000000..4aa768416 --- /dev/null +++ b/_arch/icam.md @@ -0,0 +1,60 @@ +--- +layout: page +collection: why +title: ICAM +permalink: /why/icam/ +sidenav: why +sticky_sidenav: true + +subnav: + +--- + +The following diagram offers a view of the ICAM practice areas and supporting elements. + +A diagram with definitions and icons for identity, credential, and access management and definitions for federation and governance. + +Action: Copy the graphics and text to use at your agency to drive ICAM awareness, strategy development, and communications. + +ICAM is the set of tools, policies, and systems that an agency uses to enable the right individual to access the right resource, at the right time, for the right reason in support of federal business objectives. + +Agencies implement ICAM services and solutions to unify their IT services, strengthen physical access control, and improve information security. Understanding the ICAM building blocks is key to understanding the FICAM architecture. + +ICAM consists of three practice areas and two supporting elements. The supporting elements enhance practice area capabilities. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/_buy/gsaicamsolutions.md b/_arch/icamsolutions.md
similarity index 65%
rename from _buy/gsaicamsolutions.md
rename to _arch/icamsolutions.md
index 175d586ba..eea62c611 100644
--- a/_buy/gsaicamsolutions.md
+++ b/_arch/icamsolutions.md
@@ -1,9 +1,9 @@
 ---
 layout: page
-collection: buy
-title: GSA ICAM Solutions and Shared Services
-permalink: buy/icamsolutions/
-sidenav: buy
+collection: arch
+title: GSA ICAM Solutions and Shared Services Roadmap
+permalink: /icamsolutions/
+sidenav: arch
 sticky_sidenav: true
 lastupdate: 05/21/2021
@@ -18,17 +18,17 @@ subnav:
 href: '#additional-resources'
 ---
-This page contains information on the GSA ICAM Solutions Catalog and GSA ICAM Solutions and Shared Services Roadmap in response to [OMB Memo 19-17](https://www.whitehouse.gov/wp-content/uploads/2019/05/M-19-17.pdf){:target="_blank"}{:rel="noopener noreferrer"}.
+This section contains information on the GSA ICAM Solutions Catalog and GSA ICAM Solutions and Shared Services Roadmap in response to [OMB Memorandum 19-17](https://www.whitehouse.gov/wp-content/uploads/2019/05/M-19-17.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}.
 This roadmap is maintained by the GSA Federal Acquisition Service in collaboration with the ICAM Subcommittee.
 - [GSA Solutions and Shared Services Roadmap](#gsa-icam-solutions-and-shared-services-roadmap) - A roadmap for providing or updating GSA Multiple Award Schedule solutions and shared services that allow agencies to achieve the outcomes in OMB ICAM policy and NIST standards and guidelines.
-- [GSA Solutions Catalog](#gsa-icam-solutions-catalog) - A a consolidated catalog of existing GSA Multiple Award Schedule ICAM solutions and shared services.
+- [GSA Solutions Catalog](#gsa-icam-solutions-catalog) - A consolidated catalog of existing GSA Multiple Award Schedule ICAM solutions and shared services.
-## GSA ICAM Solutions and Shared Services Roadmap
+# GSA ICAM Solutions and Shared Services Roadmap
-[This document](../../docs/gsa-icam-roadmap.pdf){:target="_blank"}{:rel="noopener noreferrer"} provides a response to the Office of Management and Budget (OMB) memorandum M-19-17, “Enabling Mission Delivery through Improved Identity, Credential, and Access Management.” The memorandum outlines the federal government's Identity, Credential, and Access Management (ICAM) policy and establishes government-wide responsibilities that include the General Services Administration (GSA).
GSA is specifically tasked with developing and maintaining "a roadmap for providing or updating GSA solutions and shared services that allow agencies to achieve the outcomes in OMB ICAM policy and NIST standards and guidelines.” GSA analyzed the current state of ICAM solutions and shared services and developed activities to address identified gaps based on the ICAM Services Framework.
+[This document]({{site.baseurl}}/docs/gsa-icam-roadmap.pdf){:target="_blank"}{:rel="noopener noreferrer"} provides a response to the Office of Management and Budget (OMB) memorandum M-19-17, “Enabling Mission Delivery through Improved Identity, Credential, and Access Management.” The memorandum outlines the federal government's Identity, Credential, and Access Management (ICAM) policy and establishes government-wide responsibilities that include the General Services Administration (GSA). GSA is specifically tasked with developing and maintaining "a roadmap for providing or updating GSA solutions and shared services that allow agencies to achieve the outcomes in OMB ICAM policy and NIST standards and guidelines.” GSA analyzed the current state of ICAM solutions and shared services and developed activities to address identified gaps based on the ICAM Services Framework.
 The roadmap aligns actions to the following three phases:
 1. **Foundation** focuses on modifications to the existing services catalog to address critical gaps.
-2. **Federation** focuses on enhancing federation capabilities for government to government, government to constituent, and government to mission partner interactions.
+2. **Federation** focuses on enhancing federation capabilities for government-to-government, government-to-constituent, and government-to-mission partner interactions.
 3. **Emerging Trends** focuses on recognizing and preparing for emerging trends and expanding support.
 The roadmap also identifies five areas that align with GSA's vision:
@@ -39,7 +39,7 @@ The roadmap also identifies five areas that align with GSA's vision:
 4. **Shared Services** provided so that agencies don't duplicate efforts.
 5. **Third-Party Validation** for vendors offering ICAM related services.
-The following table provides a summary of the roadmap activities. This roadmap is considered a living document; this first iteration is designed to gain leadership support and endorsement. Foundation activities are targeted for completion in the next one to two years. Federation activities are targeted for three to four years. Emerging trend activities are likely to require more than four years to complete, as they may depend on earlier phase activities or require further definition before they can begin.
+The following table provides a summary of the roadmap activities. This roadmap is considered a living document; this first iteration is designed to gain leadership support and endorsement. Foundation activities are targeted for completion in the next one to two years. Federation activities are targeted for three to four years. Emerging trends activities are likely to require more than four years to complete, as they may depend on earlier phase activities or require further definition before they can begin.
@@ -137,7 +137,7 @@ The following table provides a summary of the roadmap activities. This roadmap i
@@ -163,11 +163,11 @@ The following table provides a summary of the roadmap activities. This roadmap i
    -
  1. Implement cloud services to support non person entity (NPE).
  2. +
  3. Implement cloud services to support non-person entity (NPE).
  4. Evaluate demand and feasibility for implementation of an attribute mapping service.
-## GSA ICAM Solutions Catalog
+# GSA ICAM Solutions Catalog
-On May 21, 2019, the Office of Management and Budget (OMB) released a new Identity, Credential and Access Management (ICAM) policy (M-19-17). This memo mandated that GSA publish “a consolidated catalog of existing ICAM solutions and shared services.” The attached catalog includes several special item numbers (SINs) within the Multiple Award Schedules (MAS). Please note that MAS has recently gone through a consolidation; therefore, new SIN designations have been included.
+On May 21, 2019, the Office of Management and Budget (OMB) released a new Identity, Credential, and Access Management (ICAM) policy (M-19-17). This memo mandated that GSA publish “a consolidated catalog of existing ICAM solutions and shared services.” The attached catalog includes several special item numbers (SINs) within the Multiple Award Schedules (MAS). Please note that MAS has recently gone through a consolidation; therefore, new SIN designations have been included.
-Most MAS ICAM solutions can be purchased on GSA eBuy, an online Request for Quotation (RFQ) tool designed to facilitate the request for submission of quotations for a wide range of products and services. Non-MAS solutions, shared services, have also been included such as login.gov and max.gov. For convenience and clarity, the corresponding practice area and services provided by the ICAM Services Framework are identified for each solution. The ICAM Services Framework is designed to help agencies translate between requirements and technical solutions. Agencies can leverage these solutions now to begin meeting the requirements of the OMB ICAM policy.
+Most MAS ICAM solutions can be purchased on GSA eBuy, an online Request for Quotation (RFQ) tool designed to facilitate the request for submission of quotations for a wide range of products and services. Non-MAS solutions, shared services, have also been included such as login.gov and Max.gov.
For convenience and clarity, the corresponding practice area and services provided by the ICAM Services Framework are identified for each solution. The ICAM Services Framework helps agencies translate between requirements and technical solutions. Agencies can leverage these solutions now to begin meeting the requirements of the OMB ICAM policy. @@ -182,49 +182,49 @@ Most MAS ICAM solutions can be purchased on GSA eBuy, an online Request for Quot - + - + - + - + - + - + - + - - + + - - - + + + - + - + @@ -235,34 +235,34 @@ Most MAS ICAM solutions can be purchased on GSA eBuy, an online Request for Quot - + - - - - + + + + - - - + + +
Homeland Security Information Network (HSIN) Identity Proofing Service HSIN is a user-driven, web-based, information-sharing platform that connects all homeland security mission partners within a wide spectrum of homeland security mission areas. HSIN is an Identity Provider within the National Information Exchange Federation (NIEF), a collection of U.S. agencies that have come together to share sensitive law enforcement information. Identity ProofingHow to Join HSINHow to Join HSIN
Identity Management

Access Management

Federation
Login.govOffers the public secure and private online access to participating government programs. With one login.gov account, users can sign in to multiple government agencies.Offers the public secure and private online access to participating government programs. With one login.gov account, users can sign into multiple government agencies. Account Linking

Authentication
login.govlogin.gov
Access Management

Federation
MAX AuthenticationAuthentication as a Service (AaaS) Automatic registration for federal users by email domain. HSPD – 12 PIV /DoD CAC cards and SMS 2-factor authentication for sensitive activities. Enterprise Federated Partner Automated Login (i.e., single sign-on) with agencies.Authentication as a Service (AaaS) Automatic registration for federal users by email domain. HSPD-12-PIV /DoD CAC cards and SMS 2-factor authentication for sensitive activities. Enterprise Federated Partner Automated Login (i.e., single sign-on) with agencies. Authentication Services

Federation
Max.govMax.gov
Credential Management USAccessThe GSA HSPD-12 Managed Service Office (MSO) established the USAccess program as an efficient way for federal agencies to issue common HSPD-12 approved credentials to their employees and contractors.The GSA HSPD-12 Managed Service Office (MSO) established the USAccess program as an efficient way for federal agencies to issue common, HSPD-12-approved credentials to their employees and contractors. PIV cardfedidcard.govfedidcard.gov
Credential Management SIN 517312: Wireless Mobility SolutionsIncludes a variety of services that address the mobility needs of government agencies to include: Subcategory #9 – Mobile Identity Management (MIM) is the secure integration of the attributes that unerringly identify a person in the physical and online environments, within the mobile device. MIM is a set of complementary products and solutions that issue and maintain certificates, which may include Derived PIV Credential (DPC) usage. A valid PIV card is required to issue a DPC.Digital Certifcates

Derived PIV

Other mobility offerings on this SIN
Includes a variety of services that address the mobility needs of government agencies. Subcategory #9 – Mobile Identity Management (MIM) is the secure integration of the attributes that unerringly identify a person in the physical and online environments, within the mobile device. MIM is a set of complementary products and solutions that issue and maintain certificates, which may include Derived PIV Credential (DPC) usage. A valid PIV card is required to issue a DPC.Digital Certificates

Derived PIV

Other mobility offerings on this SIN
Acquisition Gateway RFQ Generator
Access Management SIN 541519CDM: Continuous Diagnostics and Mitigation (CDM) ToolsIncludes Department of Homeland Security (DHS) approved hardware and software products. The full complement of CDM Tools SIN products and services includes tools, associated maintenance, and other related activities such as training.ICAM tools on CDM Approved Products List (APL) maintained and updated monthly by DHSCDM Tools SIN Information for Ordering OrganizationsIncludes DHS approved hardware and software products. The full complement of CDM Tools SIN products and services includes tools, associated maintenance, and other related activities such as training.ICAM tools on CDM Approved Products List (APL) maintained and updated monthly by the Department of Homeland Security (DHS)CDM Tools SIN Information for Ordering Organizations
Identity Management

Access Management

Credential Management
SIN 541519ICAM: Identity, Credentialing and Access Management (ICAM)SIN 541519ICAM: Identity, Credential, and Access Management (ICAM) Managed service offerings for electronic credentials, identity and access management, authentication, and identity and access management professional services. Digital credentials

Authentication

Professional Services
GSA eBuyGSA eBuy
Credential Management
Credential ManagementSIN 541519IPIV: Homeland Security Presidential Directive 12 Product and Service ComponentsSIN 541519IPIV: Homeland Security Presidential Directive-12 Product and Service Components PIV products and PIV services to implement the requirements of HSPD-12, FIPS-201, and associated NIST special publications. Implementation components specified under this SIN are:
  • PIV enrollment and registration services
  • PIV systems infrastructure
  • PIV card management and production services
  • PIV card finalization services
  • Logical access control products and services
  • PIV system integration services. Installation services and FIPS 201 compliant PACS (Physical Access Control System) products.
PKI Shared Service Provider for PIV and additional products support GSA eBuy
Access ManagementSIN 334290L: Physical Access Control Systems (PACS)Includes physical access control systems (PACS), such as card-controlled access, biometrics, security barriers, etc.Physical Access Control Systems (PACS) componentsGSA eBuySIN 334290L: Physical Access Control System (PACS)Includes PACS, such as card-controlled access, biometrics, security barriers, etc.PACS componentsGSA eBuy
Access Management SIN 541330SEC: Security System Integration, Design, Management, and Life Cycle SupportIncludes services related to PACS design, integration, and implementation, and installation/testing. Offerors under this SIN have at least one employee who is CSEIP (Certified System Engineer ICAM PACS) certified and such certification can be verified at IDmanagment.gov.Physical Access Control Systems (PACS) integration (installation and configuration)GSA eBuyIncludes services related to PACS design, integration, implementation, and installation/testing. Offerors under this SIN have at least one employee who is CSEIP (Certified System Engineer ICAM PACS) certified and such certification can be verified at IDmanagment.gov.PACS integration (installation and configuration)GSA eBuy
-## GSA eBuy Ordering Instructions For Agencies
+# GSA eBuy Ordering Instructions For Agencies
 Buyers are required to register on GSA Advantage. Buyers can use the same User ID and Password on GSA eBuy and GSA Advantage. Vendor listings change regularly and are available in eBuy. Below are modified steps to access the GSA eBuy Buyer website:
-1. Go to [http://www.ebuy.gsa.gov](http://www.ebuy.gsa.gov/){:target="_blank"}{:rel="noopener noreferrer"}.
+1. Go to [http://www.ebuy.gsa.gov](http://www.ebuy.gsa.gov/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}.
 2. At the top of the page, the buyer will see “Sign in as a …. Buyer.” Click **Buyer** to display the Sign In.
-3. Enter the buyer’s official email address and password in the boxes provided and click **Sign In**.
+3. Enter the buyer’s official email address and password and click **Sign In**.
 4. The buyer will be prompted to request and enter a verification code. GSA Advantage will send the buyer an email with the single-use verification code.
 5. Enter the verification code from the email (please note that the buyer’s verification code is only valid for 10 minutes). Then do the following:
 6. Search – Find the solution to post your requirements. A search can be conducted using the SIN designations from this catalog or by using keywords.
@@ -271,8 +271,8 @@ Buyers are required to register on GSA Advantage. Buyers can use the same User I
 9. Submit – Review and submit the RFQ/RFI.
-## Additional Resources
+# Additional Resources
-- [GSA eBuy Job Aid](https://www.ebuy.gsa.gov/ebuy/assets/content/eBuy-Buyer_jobaid.pdf){:target="_blank"}{:rel="noopener noreferrer"}
-- [GSA ICAM](https://www.gsa.gov/technology/government-it-initiatives/identity-credentials-and-access-management){:target="_blank"}{:rel="noopener noreferrer"}
-- [MAS Consolidation Newsletter](https://interact.gsa.gov/sites/default/files/mas_quarterly_summer_2019_508.pdf){:target="_blank"}{:rel="noopener noreferrer"}
+- [GSA eBuy Job Aid](https://www.ebuy.gsa.gov/ebuy/assets/content/eBuy-Buyer_jobaid.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+- [GSA ICAM](https://www.gsa.gov/technology/government-it-initiatives/identity-credentials-and-access-management){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+- [MAS Consolidation Newsletter](https://interact.gsa.gov/sites/default/files/mas_quarterly_summer_2019_508.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
diff --git a/_arch/zero-trust.md b/_arch/zero-trust.md
new file mode 100644
index 000000000..5a560025d
--- /dev/null
+++ b/_arch/zero-trust.md
@@ -0,0 +1,126 @@
+---
+layout: page
+collection: arch
+title: FICAM is the foundation for ZT adoption
+permalink: /zero-trust/
+sidenav: arch
+sticky_sidenav: true
+
+subnav:
+ - text: Defined
+ href: '#defined'
+ - text: FICAM areas aligned to M-22-09
+ href: '#ficam-areas-aligned-to-m-22-09'
+ - text: FICAM alignment to CISA Zero Trust Maturity Model
+ href: '#ficam-alignment-to-cisa-zero-trust-maturity-model'
+
+---
+
+FICAM is the foundation for U.S. Government agencies to mature towards Zero Trust cyber security architecture. Implementing identity credentials and access management concepts, policies, procedures and playbooks provides agencies a Zero Trust implementation strategy framework. The FICAM Key ICAM components directly help implement Zero Trust Architecture with:
+
+ - Person and non-person entities - authenticate all users before providing access. Managing identities and providing secure MFA credentials is the first step in knowing who is requesting access.
+ - Endpoints - in addition to authenticating users, Zero Trust requires authenticating and approving endpoints, such as workstations, mobile devices, or internet of things devices.
+ - Data, assets, applications, and services - definition and implementation of access policies are needed to implement the continuous evaluation aspect of Zero Trust.
+
+Zero Trust cannot be achieved without strong identity management and mature ICAM capabilities for person and non person entities. OMB M-22-09, the Federal Zero Trust Strategy and CISA Zero Trust Maturity Model version 2.0 are a comprehensive set of access control policies and guidelines, setting the foundation for agencies to implement a Zero Trust architecture and related initiatives for your agency.
+
+## Definition
+Zero Trust concepts assume there is no implicit trust granted to assets or user accounts based on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.
+
+## FICAM areas aligned to M-22-09
+**Privileged user** is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users cannot perform—also known as a privileged IT user, privileged network user, or superuser. FICAM [Privileged Identity Playbook]({{site.baseurl}}/playbooks/pam/){:target="_blank"}{:rel="noopener noreferrer"} is a great place to start with ensuring robust management of privileged users and identities.
+
+**Phishing resistant authenticator** is a form of authentication that is not susceptible to interception or replay attacks. The FICAM team has created a [Phishing Resistant Authenticator Criteria]({{site.baseurl}}/phish-criteria/) to help agencies accelerate adoption of phishing resistant authenticators. This criteria is a starting point for agencies to get started in their journey towards phishing resistant authenticators as they enhance their identity management systems. In addition, phishing resistant playbook helps agencies get a head start in implementing the concepts, saving agencies time and money.
+
+**Single Sign On** centralizes application access for agency employees and contractors, or federate access with other federal executive agencies. Leveraging the [Enterprise Single Sign On Playbook]({{site.baseurl}}/playbooks/sso/) will help agencies with enhanced management control of identities in a consolidated manner. Agencies are encouraged to use this playbook to centralize application access for agency employees and contractors, or federate access with other federal executive agencies.
+
+**User authorization** is a decision whether to grant access to a user or machine account following authentication. Authorization to resources can be fine grained to help achieve attribute based access vs the traditional role based access. FICAM has resources to help agencies with user authorization management activities as part of their ICAM solutions. Agencies can get started by leveraging [Cloud Identity Playbook]({{site.baseurl}}/playbooks/cloud/){:target="_blank"}{:rel="noopener noreferrer"} as a starting point. This playbook provides practical guidance to assist federal agencies startor further expand their use of workforce identity credential, and access management services in a cloud operating model.
+
+**Identity lifecycle management** encompasses the activities of creating, identity proofing, vetting, provisioning, aggregating, maintaining, and deactivating digital identities on an agency’s enterprise ICAM systems. The FICAM team provides a detailed [Identity Lifecycle Management Playbook]({{site.baseurl}}/playbooks/ilm/){:target="_blank"}{:rel="noopener noreferrer"} to help shift the focus from managing the access based on credentials to managing the entire lifecycle of identities.
+
+
+## FICAM alignment to CISA Zero Trust Maturity Model
+
+The [CISA Zero Trust Maturity Model](https://www.cisa.gov/sites/default/files/2023-04/zero_trust_maturity_model_v2_508.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} is a good place to start while agencies plan their Zero Trust implementation journey. This model has five pillars that complement each other as part of the overall objective to achieve continued modernization efforts related to Zero Trust within a rapidly evolving technology landscape. One of the main pillars of this model is Identity that is in line with the FICAM framework. Even though this maturity model is one of the many paths to zero trust, it leads agencies to success by providing guidance.
Use [IDManagement]({{site.baseurl}}){:target="_blank"}{:rel="noopener noreferrer"} resources to achieve Identity pillar objectives defined within this maturity model efficiently. + +## Functions and guidance + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Identity functionFICAM guidance
Authentication - agency continuously validates identity with phishing-resistant MFA, not just when access is initially granted. + +
    +
  • Phishing-resistant authenticator playbook (coming soon)
  • +
  • WHfB Configuration Guide
  • +
  • Azure CBA Configuration Guide (coming soon)
  • +
  • PIV Implementation Guide
  • +
  • CISA Hybrid Identity Playbook
  • +
+
Identity stores - agencies securely integrate their identity stores across all partners and environments as appropriate. +
    +
  • ILM Playbook
  • +
  • CDM MUR Architecture
  • +
  • Privileged Identity Playbook
  • +
+
Risk assessments - agencies determine identity risk in real time based on continuous analysis and dynamic rules to deliver ongoing protection. +
    +
  • DIRA Playbook
  • +
  • Cloud Identity Playbook
  • +
+
Access management - agency uses automation to authorize just-in-time and just-enough access tailored to individual actions and individual resource needs. +
    +
  • CISA Hybrid Identity Playbook
  • +
  • Cloud Identity Playbook
  • +
  • SSO Playbook
  • +
+
Visibility and analytics capability - agencies maintain comprehensive visibility and situational awareness across enterprises by performing automated analysis over user activity log types, including behavior-based analytics. +
    +
  • SSO playbook
  • +
  • ILM Playbook
  • +
  • Privileged Identity Playbook
  • +
  • NIST NCCOE PAM Guide
  • +
+
Automation and orchestration capability - agencies automate orchestration of all identities with full integration across all environments based on behaviors, enrollments, and deployment needs. +
    +
  • SSO Playbook
  • +
  • ILM Playbook
  • +
+
Governance capability - agencies implement and fully automates enterprise-wide identity policies for all users and entities across all systems with continuous enforcement and dynamic updates. +
    +
  • CISA Hybrid Identity Playbook
  • +
  • Cloud Identity Playbook
  • +
  • SSO Playbook
  • +
  • Privileged Identity Playbook
  • +
+
\ No newline at end of file
diff --git a/_assets/css/index.scss b/_assets/css/index.scss
deleted file mode 100644
index 8a81437fb..000000000
--- a/_assets/css/index.scss
+++ /dev/null
@@ -1,48 +0,0 @@
-// Import the US Web Design System SASS.
-
-@import "uswds";
-
-// Add your SASS/CSS here
-.usa-hero {
- background-image: asset_url("hero-image.png");
- background-position: 50%;
- background-size: cover;
-}
-
-.usa-sticky-sidenav {
- position: -webkit-sticky !important;
- position: sticky !important;
- top: 0 !important;
-}
-
-// default mode hide banner
-.usa-banner__content {
- display: hidden;
-}
-
-@media screen and (min-width: 640px) {
- .tablet\:width-1\/3 {
- width: 33%;
- }
- .tablet\:float-left {
- float: left;
- }
-}
-
-@media screen and (min-width: 640px) {
- .paginate-link {
- display: initial;
- }
- .paginate-button {
- display: none;
- }
-}
-
-@media screen and (max-width: 640px) {
- .paginate-link {
- display: none;
- }
- .paginate-button {
- display: block;
- }
-}
diff --git a/_assets/favicons/favicon-114.png b/_assets/favicons/favicon-114.png
deleted file mode 100644
index 6624a21a4..000000000
Binary files a/_assets/favicons/favicon-114.png and /dev/null differ
diff --git a/_assets/favicons/favicon-144.png b/_assets/favicons/favicon-144.png
deleted file mode 100644
index 438a74f4d..000000000
Binary files a/_assets/favicons/favicon-144.png and /dev/null differ
diff --git a/_assets/favicons/favicon-16.png b/_assets/favicons/favicon-16.png
deleted file mode 100644
index 0be93b357..000000000
Binary files a/_assets/favicons/favicon-16.png and /dev/null differ
diff --git a/_assets/favicons/favicon-192.png b/_assets/favicons/favicon-192.png
deleted file mode 100644
index 417fe35e7..000000000
Binary files a/_assets/favicons/favicon-192.png and /dev/null differ
diff --git a/_assets/favicons/favicon-57.png b/_assets/favicons/favicon-57.png
deleted file mode 100644
index d836578ae..000000000
Binary files a/_assets/favicons/favicon-57.png and /dev/null differ
diff --git a/_assets/favicons/favicon-72.png b/_assets/favicons/favicon-72.png
deleted file mode 100644
index 9f8dd53ba..000000000
Binary files a/_assets/favicons/favicon-72.png and /dev/null differ
diff --git a/_assets/favicons/favicon.png b/_assets/favicons/favicon.png
deleted file mode 100644
index 5d7961edf..000000000
Binary files a/_assets/favicons/favicon.png and /dev/null differ
diff --git a/_assets/images/hero-image.png b/_assets/images/hero-image.png
deleted file mode 100644
index 3a4a41274..000000000
Binary files a/_assets/images/hero-image.png and /dev/null differ
diff --git a/_assets/js/app.js b/_assets/js/app.js
deleted file mode 100644
index ca4f1709c..000000000
--- a/_assets/js/app.js
+++ /dev/null
@@ -1,2 +0,0 @@
-// Add your custom javascript here
-console.log("Hi from Federalist");
diff --git a/_assets/js/guides.js b/_assets/js/guides.js
deleted file mode 100644
index 12862e685..000000000
--- a/_assets/js/guides.js
+++ /dev/null
@@ -1,78 +0,0 @@ -$(document).ready(function () { - /** - * @returns {(string|Array)} A list of selected categories from persistence - */ - function retrieveSelectedCategories() { - var hash = window.location.hash.substring(1); - var categories = []; - if (hash === "") { - categories = getCategoryList(); - } else { - categories = deserializeCategories(hash); - } - return categories; - } - - /** - * @param {(string|Array)} categories - A list of selected categories to persist - */ - function persistSelectedCategories(categories) { - history.replaceState(undefined, undefined, "#" + serializeCategories(categories)); - } - - /** - * @param {(string|Array)} categories - A list of categories - * @returns {string} Serialized categories - */ - function serializeCategories(categories) { - var serialized = ""; - for (var i = 0; i < categories.length; i++) { - if (i !== 0) { - serialized += "+"; - } - serialized += categories[i]; - } - return serialized; - } - - /** - * @param {string} serializedCategories - A string representing a list of categories - * @returns {(string|Array)} A list of categories - */ - function deserializeCategories(serializedCategories) { - return serializedCategories.split("+"); - } - - /** - * @returns {(string|Array)} A list of all available categories - */ - function getCategoryList() { - return $(".guides-filter-category").map(function () { return $(this).val(); }).get(); - } - - /** - * Event handler for when the user changes filtering options. 
- */ - function filtersUpdated() { - var selectedCategories = $(".guides-filter-category:checked").map(function () { return $(this).val(); }).get(); - persistSelectedCategories(selectedCategories); - $(".guides-table-row, .guides-table-category-heading").each(function () { - var categorySelected = selectedCategories.indexOf($(this).data("category")) !== -1; - $(this).toggle(categorySelected); - }); - } - - function init() { - $(".guides-filter").change(filtersUpdated); - var selectedCategories = retrieveSelectedCategories(); - if (selectedCategories !== null) { - $(".guides-filter-category").each(function () { - var categorySelected = selectedCategories.indexOf($(this).val()) !== -1; - $(this).prop("checked", categorySelected); - }); - } - filtersUpdated(); - } - - init(); -}); diff --git a/_buy/fips201apl-cards.md b/_buy/fips201apl-cards.md deleted file mode 100644 index 05199e003..000000000 --- a/_buy/fips201apl-cards.md +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -layout: page -title: FIPS 201 Approved Products List - PIV Cards -permalink: approved-products-list-piv/ -collection: buy -sticky_sidenav: true -sidenav: buy - -subnav: - - text: How to Purchase PIV Cards - href: '#how-to-purchase' - - text: Approved PIV Cards - href: '#approved-piv-cards' - - text: Legacy PIV Cards - href: '#legacy-piv-cards' ---- - -The Personal Identity Verification (PIV) cards listed below are approved for FICAM implementation under the FIPS 201 Evaluation Program. These are blank PIV cards available for purchase. A PIV service provider will personalize these blank cards for federal agencies and contractors. PIV service providers are required to use PIV cardstock from the Approved Products List (APL). - -If you do not see a card below, it's possible it's on the [Removed Product List](../buy/removed-products-list/). - -Please note: - -- Tri-Interface cards are not approved for federal government PIV or CAC card use. Agencies should not procure them. They are listed on the APL for industry-only acquisition. -- Manufacturers may call Tri-Interface cards by different names (for example, Dual Hybrid). The prohibited feature of Tri-Interface cards is a prox interface (a 125 kHz antenna). -- Agencies should procure only cards validated by the NIST Personal Identity Verification Program (NPIVP). - -## How To Purchase - -Visit the [Buy Page](../buy/) to view FICAM products, services, and purchasing guidance. - -## Approved PIV Cards - - - - - - - - - - - {% for apl in site.data.fips201apl %} - - - - - - {% endfor %} - -
APL NumberProduct NameValid Date
{{ apl.aplnumber }}{{ apl.productname }}{{ apl.validdate }}
- -## Legacy PIV Cards - -Legacy PIV cards are no longer approved for purchase by the FIPS 201 Evaluation Program. Any cardstock designated as “legacy” is placed on this legacy list and on the [Removed Product List](../buy/removed-products-list/). However, some federal agencies still need to procure the legacy cardstock to use while existing systems are being upgraded. Agencies must stop using cardstock on the legacy list by **June 30, 2024**. - -Legacy PIV cards include the following: - -- Gemalto IDCore 3020 v1, 128k dual-interface with ActivIdentity Digital Identity Applet Suite – APL# 1244 -- Giesecke & Devrient StarSign(R) SmartCafe(R) Expert 144K with PIV Applet – APL# 525 -- IDEMIA ID-One (Type A) Large D – APL# 587 - -Agencies procuring cardstock from the legacy list assume all risks associated with its use from now until the NIST-mandated deadline of June 30, 2024. - -If your agency needs to purchase cardstock from this legacy list, you must submit an Assumption of Risk Memorandum (memo) from the agency Chief Information Officer(s) to the General Services Administration (GSA). The memo must contain the following information: - -- Acknowledgement of the assumption of all associated security risks; -- Acknowledgement of non-compliance with NIST standards; -- A transition plan specifying major milestones to achieve full compliance by the 2024 deadline; and -- Implications resulting from non-compliance with federal policy related to this purchase. - -Submit the memo to [GSA’s Associate Administrator for Government-wide Policy (OGP)](https://www.gsa.gov/about-us/organization/gsa-leadership-directory){:target="_blank"}{:rel="noopener noreferrer"} (regardless of the acquisition vehicle used). If using [GSA Multiple Award Schedule](../../buy#gsa-multiple-award-schedule) as the acquisition vehicle, also submit a copy of the memo to the Commissioner of GSA’s Federal Acquisition Service. 
- -Note that GSA will provide the Office of the Federal Chief Information Officer (OFCIO) at the Office of Management and Budget (OMB) with copies of all memos submitted. - -Based on agency-provided transition plans, GSA OGP will review the products on the legacy list in 12 months (May 2020) for removal. - -Please email fips201ep at gsa.gov with questions. diff --git a/_buy/fips201apl-pacs.md b/_buy/fips201apl-pacs.md deleted file mode 100644 index 60e8dee47..000000000 --- a/_buy/fips201apl-pacs.md +++ /dev/null 
@@ -1,123 +0,0 @@ ---- -layout: page -title: FIPS 201 Approved Products List - Physical Access Control System Components -permalink: approved-products-list-pacs-products/ -collection: buy -sticky_sidenav: true -sidenav: buy - -subnav: - - text: How to Purchase - href: '#how-to-purchase' - - text: Approved PACS - 13.01 - href: '#approved-1301-topology-pacs-products' - - text: Approved PACS - 13.02 - href: '#approved-1302-topology-pacs-products' - - text: PACS Readers - href: '#pacs-readers' - - text: PACS Solutions Awaiting Approval - href: '#pacs-solutions-awaiting-approval' - ---- - -The Physical Access Control System (PACS) products listed under the “Approved” section below have met the security and functional requirements set by GSA’s FIPS 201 Evaluation Program, and have been approved for use by the Federal Government. Note that the Approved PACS Products below are grouped by either 13.01 or 13.02 topologies: - -- [13.01 Topology](#approved-1301-topology-pacs-products) – end-to-end systems which integrate components from three categories (PACS Infrastructure; Validation System; and PIV Reader) together through software (SDK or API). -- [13.02 Topology](#approved-1302-topology-pacs-products) – end-to-end systems which integrate the first two components (PACS Infrastructure; Validation System) into a “PACS Validation Infrastructure,” which is then integrated with the third component category (PIV Reader). - -## How To Purchase - -Visit the [Buy Page](../buy/) to view FICAM products, services and purchasing guidance. - -## Approved 13.01 Topology PACS Products - - - - - - - - - - - - - - {% for guide in site.data.fips201pacs %} - - - - - - - {% endfor %} - -
PACS InfrastructurePACS APL #Validation SystemValidation APL #
{{ guide.infrastructure }}{{ guide.infraapl }}{{ guide.validation}}{{ guide.valapl }}
- -**NOTE:** APL listings 10027 and 10028 are consolidated into APL listings 10112 and 10113, respectively. - - -## Approved 13.02 Topology PACS Products - - - - - - - - - - {% for guide in site.data.fips2011302 %} - - - - - {% endfor %} - -
PACS Infrastructure and Validation System APL #
{{ guide.infrastructure }}{{ guide.infraapl }}
- -## PACS Readers -**NOTE:** PACS readers are approved as part of a complete solution. The list below represents the readers that have been tested and verified as part of a solution (e.g., Infrastructure + Validation Engine + Reader). Each of the linked approval letters lists the approved reader types, associated APL#, and tested PACS solution. -- [Allegion Schlage Smart Card Readers]({{site.baseurl}}/docs/apl-10128-10129-10133-allegion.pdf){:target="_blank"}{:rel="noopener noreferrer"} -- [ASSA ABLOY integrated Signo Readers]({{site.baseurl}}/docs/apl-10138-10141-ASSA.pdf){:target="_blank"}{:rel="noopener noreferrer"} -- [ASSA ABLOY integrated pivCLASS Readers]({{site.baseurl}}/docs/apl-10142-HES.pdf){:target="_blank"}{:rel="noopener noreferrer"} -- [Gallagher T Series PIV Readers]({{site.baseurl}}/docs/apl-10021-10023-10038-10039-10099-10102-10143-gallagher.pdf){:target="_blank"}{:rel="noopener noreferrer"} -- [HID pivCLASS Series Readers]({{site.baseurl}}/docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf){:target="_blank"}{:rel="noopener noreferrer"} -- [HID Signo Series Readers]({{site.baseurl}}/docs/apl-10134-10137-Signo.pdf){:target="_blank"}{:rel="noopener noreferrer"} -- [Identiv uTrust Series Readers]({{site.baseurl}}/docs/apl-10104-5-6-7-19-identiv.pdf){:target="_blank"}{:rel="noopener noreferrer"} -- [Innometriks Cheetah Series Readers]({{site.baseurl}}/docs/apl-10109-130-cheetah.pdf){:target="_blank"}{:rel="noopener noreferrer"} -- [Veridt Series Readers]({{site.baseurl}}/docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf){:target="_blank"}{:rel="noopener noreferrer"} -- [XTec X Series Readers]({{site.baseurl}}/docs/apl-10078-79-80-81-82-xtec.pdf){:target="_blank"}{:rel="noopener noreferrer"} - -## PACS Solutions Awaiting Approval - -| Position | Solution | APL Numbers | New/Update | Testing Status | -|----------|--------------------------------------------------------------|-------------------|--------------|----------------------| -| 1 | LenelS2 
OnGuard with Embedded Authentication (TI Entry Point) + uTrust Reader addition | 10126 & 10127 | New Reader add| In queue| -| 2 | LenelS2 OnGuard with Embedded Authentication with HID Global Validation System | 10112 & 10113 | Update | In queue| -| 3 | Gallagher Command Center PACS 13.02 | 10114 | Update | In queue| -| 4 | Gallagher PIV Command Center with HID Global Validation System| 10019 & 10020 | Update | In queue| -| 5 | ReconaSense + HID Global Validation System | 10131 & 10132 | Update | In queue| -| 6 | AMAG Symmetry Professional + HID Global Validation System | 10047 & 10048 | Update | In queue| -| 7 | AMAG Symmetry Professional + Identity One Validation System | 10143 & 10144 | Update | In queue| -| 8 | Genetec Security Center – Synergis with HID Global Validation System | 10061 & 10062 | Update | In queue| -| 9 | Software House C●CURE-9000 V2.9 PACS 13.02 | New | New | In queue| -| 10 | Identiv Velocity + HID Global Validation System | 10013 & 10014 | Update | In queue| -| 11 | Identiv Velocity Security Management System 13.02 | 10103 | Update | In queue| -| 12 | Identiv + Allegion Wireless Reader 20.01 | New | New Reader add| In queue| -| 13 | Datawatch + HID pivCLASS | 10117 & 10118 | Update | In queue| -| 14 | Tyco Security Products C-CURE 9000 with Innometriks Validation System | 10115 & 10108 | Update | On hold pending vendor action| - -Cycle 2 and 3 updates are moved to the front of the test queue once they are installed. While between cycles, solutions may not appear here. \ No newline at end of file diff --git a/_buy/fips201rpl.md b/_buy/fips201rpl.md deleted file mode 100644 index c174836b4..000000000 --- a/_buy/fips201rpl.md +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -layout: page -title: FIPS 201 Removed Product List -permalink: buy/removed-products-list/ -collection: buy -sticky_sidenav: true -sidenav: buy - ---- - -{% assign categories = "" | split: "" %} -{% for rpl in site.data.fips201rpl %} - {% assign category = rpl.category | strip %} - {% assign categories = categories | push: category | uniq | sort %} -{% endfor %} -{% assign categories = categories | uniq | sort %} - -The FIPS 201 Evaluation Program’s Removed Products List (RPL) displays products and services that were at one time on the Approved Products List but are no longer approved for government use. Due to security concerns, products on the RPL are not recommended for government acquisition. Products will be removed from the RPL after 3 years. - - - - - - - - - - - - - - {% for category in categories %} - - - - {% for rpl in site.data.fips201rpl %} - {% if rpl.category == category %} - - - - - - - - - {% endif %} - {% endfor %} - {% endfor %} - -
APL #SupplierProduct Name(s)Product NumberRemoval DateReason For Removal
{{ category }} Category
{{ rpl.numberApl }}{{ rpl.supplier }}{{ rpl.nameProduct}}{{ rpl.numberProduct }}{{ rpl.dateRemoval}}{{ rpl.reason}}
diff --git a/_buy/trust-services.md b/_buy/trust-services.md deleted file mode 100644 index 3f70e0703..000000000 --- a/_buy/trust-services.md +++ /dev/null @@ -1,108 +0,0 @@ ---- -layout: page -collection: buy -title: Trust Services -permalink: buy/trust-services/ -sidenav: buy -sticky_sidenav: true -lastupdate: 05/23/2023 - -subnav: - - text: Overview - href: '#overview' - - text: Government Identity Services - href: '#government-identity-services' - - text: Business Identity Services - href: '#business-identity-services' - - text: Non-Government PKI Trust Framework - href: '#non-government-pki-trust-framework' ---- - -
-
-

DigiCert PKI Shared Services Decommission and Transition

-

- DigiCert announced it is decommissiong it's federal shared services platform and transitioning out of the PKI Shared Service Provider program by 2024. They will transition existing customers and not accept any new customers. For transition information, contact FPKI at GSA.gov. -

-
-
- -This page is for agencies to view the current service providers that have an identity federation agreement with the U.S. government. - -The services provided rely upon a level of trust to be established with the U.S. government. This trust is managed through legal agreements; technology agreements; and regular auditing of the services, procedures, and practices. These agreements and audits are managed by the Federal Public Key Infrastructure (FPKI). - -If you are looking for a list of all possible Certification Authorities in the FPKI, please review the [list of PIV CAs and Agencies](https://playbooks.idmanagement.gov/fpki/pivcas-and-agencies/){:target="_blank"}{:rel="noopener noreferrer"} or the [FPKI Graph](https://playbooks.idmanagement.gov/fpki/tools/fpkigraph/){:target="_blank"}{:rel="noopener noreferrer"}. - -## Overview - -Trust Services providers offer services related to identity and credentialing of persons and operate within identity federations. These provider services specifically include: - -- Issuing and managing person identity and device identity certificates using PKI. -- Issuing and managing person identity credentials for PIV and Common Access Card (CAC) hardware credentials that are tied to PKI. -- Issuing and managing person identity credentials using other identity federation technologies (for example, a person may be identity-proofed, have an account in the service, and use one-time password credentials to authenticate). - -We’ve categorized the service providers given below by type of identity and credential and what population is served: - -- [Government Identity Services](#government-identity-services) – Issue PKI-based credentials to government employees or contractors. Credential types include PIV and federal PIV-Interoperable. -- [Business Identity Services](#business-identity-services) – Issue PKI-based credentials for organizations doing business with the government, but the personnel do not qualify for a PIV card. 
Credential types include PIV-Interoperable and other PKI certificates. -- [Non-Government PKI Trust Framework](#non-government-pki-trust-framework) – Certify private organization PKI to interoperate with the Federal PKI. - -## Government Identity Services - -There are two two categories of government identity services. -1. Federal PKI Shared Service Provider of digital certificates. -2. Card Managment System for issuing PIV cards. - -### Federal PKI Shared Service Provider -These organizations operate as Federal PKI Shared Service Providers (SSPs) for federal agencies. A subset of Federal PKI SSPs are commercial service providers managed by GSA. These SSPs are called [GSA PKI SSPs](https://idmanagement.gov/buy/gsapkissp/). A GSA PKI SSP is a commercial PKI provider who has completed Federal PKI compliance activities to receive a certification authority certificate and is listed on the GSA Multiple Award Schedule. All SSPs operate Certification Authorities, are audited, and have and maintain a FISMA Authorization To Operate (ATO). To request a copy of a specific system’s ATO, please contact FPKI at GSA.gov. - -All of the Certification Authorities operated by these FPKI SSPs [issue certificates](https://playbooks.idmanagement.gov/fpki/ca/#certificate-types-within-the-federal-pki){:target="_blank"}{:rel="noopener noreferrer"} for federal workforce identity, including for PIV credentials. A subset of the FPKI SSPs also issue and manage government enterprise device certificates. - -Information on publicly trusted device certificates used for TLS (HTTPS) on the internet, recommendations on government configurations, and which PKI providers/Certification Authorities to use can be found at this [HTTPS guidance website](https://https.cio.gov/){:target="_blank"}{:rel="noopener noreferrer"}. - -| SSP Type | Organization | Customer Service | Tech Support| -|------ | -----|:-----------:|:-----------:| -| FPKI SSP | Department of the Treasury| Daniel Wood
(202) 622-5144 | Joe Gribble
(304) 480-7608 | -| GSA PKI SSP | Entrust Federal Shared Service Provider | Patrick Garritty
(703) 901-1388 | support at entrust.com | -| GSA PKI SSP | Verizon/Cybertrust Federal Shared Service Provider | Wesley Lippman
(984) 364-7540 | Subbu Peddibhotla
(301) 679-2425 | -| GSA PKI SSP | WidePoint Federal Shared Service Provider | Jason Holloway, Caroline Godfrey
(800) 816-5548
WCSC-Info at ORC.com | Jim Manchester
(800) 816-5548
PKIPolicy at ORC.com | - -### Card Management System -These organizations operate Card or Certificate Management Systems to issue PIV Cards. They may offer other types of digital certificate services. - -| Organization | Customer Service | Tech Support| -| ------ |:-----------:|:-----------:| -| Department of the Treasury| Daniel Wood
(202) 622-5144 | Joe Gribble
(304) 480-7608 | -| GSA USAccess | [GSA USAccess Ordering Page](https://www.gsa.gov/technology/technology-purchasing-programs/federal-credentialing-services){:target="_blank"}{:rel="noopener noreferrer"} | - -## Business Identity Services - -These organizations operate services for persons who are affiliated with a business; state, local, tribal, or territorial government; or non-profit organization. These services are often used by a business person to digitally sign documents with the U.S. government as a business representative or to authenticate to a small number of government applications. - -For each, we identify whether the services include: - -- Person identity using PKI, including PIV-I credentials -- Person identity using other PKI certificates for business-to-government digital signatures - -| Organization | Customer Service | Tech Support | Type of Person Identity Credentials | -|-----------|:-----------:|:-----------:|:-----------:| -| [Carillon Information Security](https://www.carillon.ca/){:target="_blank"}{:rel="noopener noreferrer"} | Marc St-Jacques
(844) 754-7484 x125 | Marc St-Jacques
(844) 754-7484 x125 | PIV-I Credentials | -| [DigiCert](https://www.digicert.com/){:target="_blank"}{:rel="noopener noreferrer"} | ts_managers at digicert dot com | fpki_support at digicert dot com| Other PKI Credentials | -| Entrust | Patrick Garritty
(703) 901-1388 | support at entrust.com | PIV-I Credentials
Other PKI Credentials | -| [Exostar](https://www.exostar.com/Identity_Access/Managed_PKI/){:target="_blank"}{:rel="noopener noreferrer"} | info at exostar.com | (703) 793-7800
[Open a case online](https://www.myexostar.com/?page_id=32){:target="_blank"}{:rel="noopener noreferrer"} | Other PKI Credentials | -| [Foundation for Trusted Identity (FTI)](https://www.foundationfortrustedidentity.org/){:target="_blank"}{:rel="noopener noreferrer"} | Kenneth Boley
(210) 704-1650
info at fti.org | Sam Dibrell, Jr.
(210) 704-1650 | PIV-I Credentials | -| [IdenTrust](https://www.identrust.com/igc/){:target="_blank"}{:rel="noopener noreferrer"} | IdenTrust Customer Support
Support at IdenTrust.com
(800) 748-5360 | IdenTrust Customer Support
Support at IdenTrust.com
(800) 748-5360 | PIV-I Credentials
Other PKI Credentials -| [WidePoint](https://www.orc.com/nfi/){:target="_blank"}{:rel="noopener noreferrer"} | Jason Holloway, Caroline Godfrey
(800) 816-5548
WCSC-Info at ORC.com | Jim Manchester
(800) 816-5548
PKIPolicy at ORC.com | PIV-I Credentials
Other PKI Credentials | - -## Non-Government PKI Trust Framework - -The FPKI Policy Authority reviews the PKI trust frameworks of a small number of non-government organizations to determine whether the policies, processes, legal agreements, privacy protections, security controls, and audit requirements are comparable with the U.S. government Federal PKI requirements. If comparable, the organizations that manage their communities’ rules act as a PKI bridge. - -These organizations do not manage identities or credentials for their community directly. Services that are certified and audited by these organizations provide federated PKI identity and credentials. These services are listed above the Business credentials section. - -| Trust Framework | Customer Service | Tech Support | Community | -|:-----------:|:-----------:|:-----------:|:-----------:| -| [CertiPath](https://certipath.com/services/federated-trust/){:target="_blank"}{:rel="noopener noreferrer"} | Judith Spencer
(301) 974-4227 | support at certipath.com
(855) 758-0075 | Aerospace and Defense
International | -| [DirectTrust](https://directtrust.org/identity){:target="_blank"}{:rel="noopener noreferrer"}| Kyle Neuman
(301) 943-7583 | admin at directtrust.org | Healthcare
International | -| [STRAC](https://pki.strac.org/STRACBridge.html){:target="_blank"}{:rel="noopener noreferrer"}| Eric Epley
(210) 233-5850 | Ryan Ahlfors
(210) 233-5850 | State and Local | -| [TSCP, Inc.](https://www.tscp.org/){:target="_blank"}{:rel="noopener noreferrer"} | Shauna Russell
(202) 769-9114 | Steve Race
(703) 980-8915 | Aerospace and Defense
International | diff --git a/_config.yml b/_config.yml index e0e749fd3..d4ed0b937 100644 --- a/_config.yml +++ b/_config.yml @@ -8,7 +8,8 @@ # Be sure to edit the values below ########################################################################################## -title: IDManagement.gov +# title: IDManagement.gov (changed to use just IDManagement without the .gov) +title: IDManagement email: icam@gsa.gov description: IDManagement.gov is a collaboration between the Federal CIO Council and GSA to develop and share leading practices in protecting federal IT systems. baseurl: "" 
@@ -41,18 +42,67 @@ ga: # Site Navigation primary_navigation: - name: Home - description: IDmanagement.gov url: / + - name: Why FICAM + children: + - name: FICAM Architecture + url: /arch/ + - name: Zero Trust + url: /zero-trust/ + - name: GSA ICAM Solutions Roadmap + url: /icamsolutions/ - name: Partners children: - name: Vendors - url: /sell/ + url: /vendors/ - name: Acquisition Professionals - url: /buy/ + url: /acquisition-professionals/ - name: Program Managers - url: /governance/ - - name: Approved Product List - url: /buy#products + url: /program-managers/ + - name: Implement + children: + - name: ICAM Configuration Guides + url: /implement/ + - name: Enterprise Trust of the FCPCA + url: /implement/trust-fcpca/ + - name: Smart Card Logon for Operating Systems + url: /implement/scl-windows/ + - name: Certificate-based Authentication for Cloud + url: /implement/whfb/ + - name: Use Smart Cards with Applications + url: /implement/outlook/ + - name: FIDO2 and Web Authentication (Coming Soon!) + url: /home/ + - name: FPKI Ecosystem Changes + url: /fpki/notifications/ + - name: Coordination Functions + children: + - name: FICAM Program + url: /ficam/ + - name: Federal PKI Program + url: /fpki/ + - name: FIPS 201 Evaluation Program + url: /fips201ep/ + - name: GSA PKI SSP Program + url: /pkissp/ + - name: Playbooks + url: /playbooks/ + - name: University + children: + - name: Introduction + url: /university/ + - name: PKI 101 + url: /university/pki/ + - name: FPKI 101 + url: /university/fpki/ + - name: PIV 101 + url: /university/piv/ + - name: PIV-I 101 + url: /university/pivi/ + - name: PACS 101 + url: /university/pacs/ + - name: ICAM Policy Matrix + url: /university/policymatrix/ secondary_navigation: - name: Contact Us 
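Review bot: The `FIDO2 and Web Authentication (Coming Soon!)` entry added under `Implement` points at `url: /home/`, which is a placeholder rather than the page the label names, so the menu will send readers somewhere unrelated and the stub is easy to forget once the real guide lands. Either leave the item out until the page exists or mark the stub explicitly, e.g. `url: /home/  # placeholder until the FIDO2 guide is published`. The same hunk drops the `description:` from the `Home` entry; presumably intentional since no other entry carries one, but worth confirming the layout does not still read it.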
@@ -68,16 +118,9 @@ secondary_navigation: # 2. Add a new site. # 3. Add your site/affiliate name here. searchgov: - - # You should not change this. endpoint: https://search.usa.gov - - # replace this with your search.gov account affiliate: idmprod - - # replace with your access key access_key: zCEoL5u4U5XFzfFSxy8y4Iz6vdtTjsb4U539L_rgDTM= - # this renders the results within the page instead of sending to user to search.gov inline: false @@ -87,15 +130,41 @@ searchgov: ########################################################################################## collections: - buy: + why: + output: true + permalink: /why/:path/ + arch: + output: true + permalink: /arch/:path/ + implement: + output: true + permalink: /implement/:path/ + partners: output: true - permalink: /buy/:path/ - sell: + permalink: /partners/:path/ + university: output: true - permalink: /sell/:path/ - governance: + permalink: /university/:path/ + rss: output: true - permalink: /governance/:path/ + permalink: /rss/:path/ + playbooks: + output: true + permalink: /playbooks/:path/ + ficampmo: + output: true + permalink: /ficam/:path/ + + +# Leaving in place: +# Unsure of placement in new site. + + # sell: + # output: true + # permalink: /sell/:path/ + + # Turned on for visibility until Combined 743 Playbook on Governance is complete + pages: output: true permalink: /:path/ @@ -165,6 +234,7 @@ exclude: - Gemfile - Gemfile.lock - docker-compose.yml + assets: autoprefixer: browsers: 
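Review bot: Deleting the three comments above `endpoint`, `affiliate` and `access_key` leaves the committed `access_key` value with no explanation, so the next reader (or a secret scanner) cannot tell a deliberately public client-side search key from a leaked credential. Keep one line with the intent, e.g. `access_key: ...  # search.gov key for the idmprod affiliate; committed on purpose — confirm it is meant to ship with the site`, and only state that it is public once the search.gov setup confirms it. The `# this renders the results within the page` comment on `inline: false` explained a non-obvious flag and could stay as well.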
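Review bot: The added comment `# Turned on for visibility until Combined 743 Playbook on Governance is complete` now sits directly above the pre-existing `pages:` collection, so it reads as if `pages` were the temporary one; it appears to describe the removed `governance` collection instead. Either delete it together with `governance` or move it under `# Leaving in place:` next to the commented-out `# sell:` block. That dead block also tends to linger; since the navigation hunk above now sends those entries to `/vendors/`, `/acquisition-professionals/` and `/program-managers/`, redirects from the old `/sell/`, `/buy/` and `/governance/` paths (if they were ever published) would serve readers better than commented-out config.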
@@ -172,18 +242,26 @@ assets: - "last 2 versions" - "IE 11" - "not dead" - sources: - ## Updated to @uswds 3.0 - - node_modules/@uswds/uswds/dist/css - - node_modules/@uswds/uswds/dist/fonts - - node_modules/@uswds/uswds/dist/img - - node_modules/@uswds/uswds/dist/img/favicons - - node_modules/@uswds/uswds/dist/img/material-icons - - node_modules/@uswds/uswds/dist/img/usa-icons - - node_modules/@uswds/uswds/dist/img/usa-icons-bg - - node_modules/@uswds/uswds/dist/img/uswds-icons - - node_modules/@uswds/uswds/dist/js - - node_modules/@uswds/uswds/dist/scss - - node_modules/@uswds/uswds/dist/theme - - node_modules/@uswds/uswds/packages - - node_modules/netlify-cms/dist + +sass: + source_dir: _sass + load_paths: + - node_modules/@uswds/uswds/dist/ + sourcemap: development + quiet_deps: true + style: compressed + verbose: true + +# For page generator +page_gen-dirs: true + +page_gen: + - data: "laws-policies-standards" + template: "standards_detail" + name: "shortName" + directory: "policies" + #debug: true + - data: "ficam-services" + template: "services_detail" + name: "shortName" + directory: "ficam_services" \ No newline at end of file diff --git a/_data/faqs.yml b/_data/faqs.yml new file mode 100644 index 000000000..9e9c1aaa8 --- /dev/null +++ b/_data/faqs.yml 
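Review bot: `_config.yml` now ends without a trailing newline (`\ No newline at end of file` after `directory: "ficam_services"`); add one so later appends produce clean diffs. The `page_gen` entries name generated pages from `shortName`, and the values introduced in `_data/ficam-services.yml` contain spaces, dashes and `&` (`"Credential Management - Generation & Issuance"`), so the resulting paths depend on how the generator plugin slugifies them — verify the produced URLs, and drop the commented `#debug: true` once that is settled. `verbose: true` under `sass:` will add build noise in CI; if that is deliberate for the migration, a one-line comment saying so would keep someone from removing it.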
@@ -0,0 +1,33 @@
+# GSA: IDManagement.gov
+# Description: FAQ for the website
+# Messages for _faq/faqs.md, /faqs/
+# Jekyll access: site.data.faqs
+# Format: YAML
+# Note:
+#
+# Legend:
+# question: the faq question.
+# answer: the answer to the faq
+# expanded: if the faq's inital state is expanded. Default: false
+# link: link to content
+
+- question: First faq question for website.
+ answer: Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
+ expanded: false
+ link: #
+
+- question: Second faq question for website.
+ answer: A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
+ link: #
+
+- question: Third faq question for website.
+ answer: No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law.
+ link: #
+
+- question: Fourth faq question for website.
+ answer: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
+ link: #
+
+- question: Fifth faq question for website.
+ answer: No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.
+ link: #
\ No newline at end of file
diff --git a/_data/ficam-services.yml b/_data/ficam-services.yml
new file mode 100644
index 000000000..8aa1a3da6
--- /dev/null
+++ b/_data/ficam-services.yml
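Review bot: `link: #` on every entry parses as a null value rather than the string `"#"`, because a `#` preceded by whitespace starts a YAML comment; if the FAQ template renders `faq.link` as an href this yields an empty link, so either quote it (`link: "#"`) or omit the key and let the template skip the anchor. The five entries are filler (Bill of Rights text under "First faq question for website"-style prompts), and the header says this data backs `/faqs/`, so they need real content or the page should stay unpublished before release. Minor: `inital` in the legend should read `initial`, and the file lacks a trailing newline.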
@@ -0,0 +1,116 @@
+- &IDM
+ shortName: "Identity Management"
+ description: >
+ Identity Management is how an agency collects, verifies, and manages attributes
+ and entitlements to establish and maintain enterprise identities for federal government
+ employees, contractors, and authorized mission partners.
+- &IDM-CREATION
+ shortName: "Identity Management - Creation"
+ description: >
+ Establish an identity made of attributes that define a person or entity.
+- &IDM-PROOFING
+ shortName: "Identity Management - Identity Proofing"
+ description: >
+ Use identity attributes to connect a digital identity to a real-world entity.
+- &IDM-PROVISIONING
+ shortName: "Identity Management - Provisioning"
+ description: >
+ Create, manage, and delete accounts and entitlements.
+- &IDM-MAINTENANCE
+ shortName: "Identity Management - Maintenance"
+ description: >
+ Maintain accurate and current attributes in an identity record over its lifecycle.
+- &IDM-AGGREGATION
+ shortName: "Identity Management - Identity Aggregation"
+ description: >
+ Find and connect disparate identity records for the same person or entity.
+- &IDM-DEACTIVATION
+ shortName: "Identity Management - Deactivation"
+ description: >
+ Deactivate or remove enterprise identity records.
+- &CRED
+ shortName: "Credential Management"
+ description: >
+ Credential Management is how an agency issues, manages, and revokes credentials bound to
+ enterprise identities.
+- &CRED-SPONSORSHIP
+ shortName: "Credential Management - Sponsorship"
+ description: >
+ Formally establish that a person or entity requires a credential.
+- &CRED-REGISTRATION
+ shortName: "Credential Management - Registration"
+ description: >
+ Collect the information needed from a person or entity to issue them a credential.
+- &CRED-ISSUANCE
+ shortName: "Credential Management - Generation & Issuance"
+ description: >
+ Assign a credential to a person or entity.
+- &CRED-MAINTENANCE
+ shortName: "Credential Management - Maintenance"
+ description: >
+ Maintain a credential throughout its lifecycle.
+- &CRED-REVOCATION
+ shortName: "Credential Management - Revocation"
+ description: >
+ Revoke a credential from a person or entity, or deactivate an authenticator.
+- &ACCESS
+ shortName: "Access Management"
+ description: >
+ Access Management is how an agency authenticates enterprise identities and authorizes appropriate
+ access to protected services.
+- &ACCESS-POLICY
+ shortName: "Access Management - Digital Policy Administration"
+ description: >
+ Create and maintain the technical access requirements that govern access to protected agency services.
+- &ACCESS-AUTHENTICATION
+ shortName: "Access Management - Authentication"
+ description: >
+ Verify that a claimed identity is genuine based on valid credentials.
+- &ACCESS-AUTHORIZATION
+ shortName: "Access Management - Authorization"
+ description: >
+ Grant or deny access requests to protected agency services based on access requirements,
+ identity attributes, and entitlements.
+- &ACCESS-PAM
+ shortName: "Access Management - Privileged Access Management"
+ description: >
+ Protect access to accounts that have access permissions that can affect IT system
+ configurations and data security (e.g., superusers, domain administrators, or global administrators).
+- &FEDERATION
+ shortName: "Federation"
+ description: >
+ Federation is the technology, policies, standards, and processes that allow an agency to accept digital
+ identities, attributes, and credentials managed by other agencies.
+- &FEDERATION-POLICY
+ shortName: "Federation - Policy Alignment"
+ description: >
+ Develop relationships and a common understanding between parties by establishing authorities, policies,
+ standards, and principles.
+- &FEDERATION-BROKER
+ shortName: "Federation - Authentication Broker"
+ description: >
+ Transform an authentication event into an alternative format, such as an assertion, containing claims
+ about the entity and the authentication transaction, to grant access to a resource.
+- &FEDERATION-ATTRIBUTE
+ shortName: "Federation - Attribute Exchange"
+ description: >
+ Discover and acquire identity or other attributes between different systems to promote access
+ decisions and interoperability.
+- &GOVERNANCE
+ shortName: "Governance"
+ description: >
+ Governance is the set of practices and systems that guides ICAM functions, activities, and outcomes.
+- &GOVERNANCE-IDENTITY
+ shortName: "Governance - Identity Governance"
+ description: >
+ The systems, solutions, and rules that link enterprise personnel, applications, and data to help
+ agencies manage access and risk.
+- &GOVERNANCE-ANALYTICS
+ shortName: "Governance - Analytics"
+ description: >
+ Leverage continuous analytics data to identify if someone has entitlements that conflict with access
+ requirements.
+- &GOVERNANCE-MITIGATION
+ shortName: "Governance - Mitigation"
+ description: >
+ Correct the problems and address risks, discovered by analysis, that may occur during standard operations.
diff --git a/_data/fips201announcements.yml b/_data/fips201announcements.yml
new file mode 100644
index 000000000..97e45e92b
--- /dev/null
+++ b/_data/fips201announcements.yml
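Review bot: Every item in this file declares a YAML anchor (`&IDM`, `&IDM-CREATION`, … `&GOVERNANCE-MITIGATION`) but no alias such as `*IDM` appears anywhere in the hunk, and anchors are only resolvable within the document that defines them, so they cannot act as identifiers for other `_data` files or for Liquid templates reading `site.data.ficam-services`. If nothing later in this file references them they are dead syntax that will mislead the next editor into thinking the names are looked up somewhere; either drop them or give each item an explicit key such as `id: IDM` that templates can actually filter on. A short header comment stating what the file feeds and how items are expected to be referenced would help, since the file currently has none.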
@@ -0,0 +1,231 @@
+# announcements for FIPS 201 Evaluation Program
+# Set status to Archive after 4 years.
+# If announcement content is full summary, leave 'url' blank, set soure to 'IDManagement.gov' and doctype = 'Announcement'
+# HTML tags can be included inline with summary information.
+
+- name: GSA FIPS 201 Testing Lab Re-opening
+ summary: It is our great pleasure to announce the reopening of the FIPS201 Evaluation Program's compliance testing lab. An email announcing the reopening of the lab was sent out to the community on Wednesday, July 20, 2022. Due to a recent change in contract vehicles the lab had to physically move to a new location. Even though the distance was not far, the move itself was time consuming. We would like to thank those PACS vendors who took the time to certify their current installations prior to the move, and you may be called upon to verify that everything moved over is in working order. You will be contacted by the lab team if further assistance is needed. For those of you who have been waiting to submit new applications, or conduct updates, we appreciate your patience. You are now free to send the paperwork to our group email address fips201ep at gsa dot gov.
+ pubdate: July 27, 2022
+ url:
+ source: IDManagement.gov
+ target: _blank
+ expanded: false
+ doctype: Announcement
+ status: Active
+
+- name: GSA FIPS 201 Testing Lab Transition Planning
+ summary: GSA FICAM Testing Program Vendor - The current contract with the testing services provider for the GSA FICAM Testing Lab concludes on June 15, 2022. We are working to ensure a smooth transition for all our Vendors as we onboard a new provider.During the transition period, please note the following
  1. Vendor Verification of System Health - We ask that each Vendor schedule an in-person appointment with the Lab prior to June 3, 2022, to verify the health of its installed system. Each Vendor representative may test its system during the visit, but updating software and hardware will not be permitted. The Lab will perform a small number of tests from the FRTC during the visit. Results will be documented, signed by Vendor and Lab representatives, and submitted to GSA. For any Vendor that is unable to go to the Lab in person prior to June 3, 2022, the Lab will issue a status report to GSA reflecting the system’s state as “unknown.” Until an in-person visit with the new Lab provider occurs to establish system status, no new applications will be accepted.
  2. Testing in Progress - The Lab is making every effort to complete as much testing as possible before we enter the transition phase. Testing for Vendor systems in process will conclude by May 27, 2022.
  3. New Vendor Applications - Applications received before May 31, 2022, will be reviewed by the existing Lab provider. Applications received after May 31, 2022, will be paused until the new provider is in place.
  4. System Updates and New Installations - System updates and new installations will not be processed until the new Lab provider is in place.

    We will issue an announcement in June detailing next steps in the transition process, including the process of moving existing systems to a new physical location.
+ pubdate: May 11, 2022
+ url:
+ source: IDManagement.gov
+ target: _blank
+ expanded: false
+ doctype: Announcement
+ status: Active
+
+- name: PACS APL Application Form Revision
+ summary: PACS APL testing form has undergone a major revision. The new testing APL Application form consolidates multiple documents and reduces redundant information across those forms. All submissions for upgrade will only need to submit a completed new APL Application form unless a significant change to architecture requires new FRTC per the lab's discretion.
+ pubdate: April 14, 2022
+ url:
+ source: IDManagement.gov
+ target: _blank
+ expanded: false
+ doctype: Announcement
+ status: Active
+
+- name: PACS FRTC v1.4.2 Rev B Released
+ summary: PACS FRTC v1.4.2 Rev B has been published and is in effect immediately. This revision includes the following updates.
- Mobile / Handheld FRTC Test Cases (Section 8) are re-instated.
- Corrections and clarifications to existing test cases.
+ pubdate: October 15, 2021
+ url: https://IDManagement.gov/docs/fips201-frtc-142-revb-change-log.pdf
+ source: IDManagement.gov
+ target: _blank
+ expanded: false
+ doctype: PDF
+ status: Active
+
+- name: PACS FRTC v1.4.2 Update Released
+ summary: PACS FRTC v1.4.2 Revision A has been published and is in effect immediately. This update includes optional test cases associated with the following functionalities.Additionally, a new testing procedure called the FRTC Express has been published and will be enacted for those solutions that have previously undergone full testing. The FRTC Express is aimed at streamlining testing associated with solution updates.
+ pubdate: March 31, 2021
+ url:
+ source: IDManagement.gov
+ target: _blank
+ expanded: false
+ doctype: Announcement
+ status: Active
+
+- name: APL Category Removal -- Card Holders
+ summary: The FIPS 201 Evaluation Program will be removing card holders (also known as badge holders or electromagnetically opaque sleeves) from the Approved Products List on January 31st, 2021. GSA will no longer accept applications to certify card holders. Card holders and related products are still commercially available off-the-shelf; however, the use of these products is optional and testing is no longer in the best interests of the government.

Please note the removal of this category should not impact any existing acquisitions. Product categories not identified by the Program have no requirement for FIPS 201 conformance and available products should be able to satisfy the agency defined security requirements provided direct testing.
+ pubdate: December 11, 2020
+ url: /fips201/
+ source: IDManagement.gov
+ target: _blank
+ expanded: false
+ doctype: Website
+ status: Active
+
+- name: APL Category Removal - OCSP and SCVP
+ summary: The FIPS 201 Evaluation program has removed the following categories from the Approved Products List. After analyzing the Approved Products List categories, the program found the following.

- OCSP Responders are mature. OCSP responders and related products are available as commercial off the shelf products and open source software products. They are part of a stable landscape and vetted thousands of times daily by various relying party applications. It is not in the government’s or commercial best interests to continue to test these products prior to acquisition and/or installation.

- SCVP Client and SCVP Client (without auth) are not widely used in U.S. federal agencies. It is not in the government’s or commercial best interests to continue to maintain testing scenarios for these products.

Please note the removal of these categories should not impact any acquisition. Categories not identified by the program have no requirement for FIPS 201 conformance. Products on the market should be reviewed for adherence to standard U.S. federal cryptographic conformance requirements (i.e., FIPS 140-2) and trade laws (i.e., country of origin and Trade Agreements Act). Products are available to satisfy federal agency’s needs and requirements.
+ pubdate: April 30, 2019
+ url: /fips201/
+ source: IDManagement.gov
+ target: _blank
+ expanded: false
+ doctype: Website
+ status: Archive
+
+- name: FRTC 1.3.3 Rev. G Errata
+ summary: The information below will be incorporated into the next FRTC revision. Please use these requirements. Note that Topology Mapping Worksheets are protected so you will not be able to remove rows.

- No updates

Certificate policy and keyPurposeID OIDs are configured one time – at the start of testing. All 269 test cases are run with those same OIDs configured unless a test case specifically calls for a bogus OID to be substituted. Systems should be able to handle production and test certificate policy OIDs concurrently. See 6.1.1 (c), “user-initial-policy-set” in RFC 5280 for more information.
+ pubdate: February 21, 2019
+ url: https://tools.ietf.org/html/rfc5280#section-6.1.1
+ source: https://tools.ietf.org/
+ target: _blank
+ expanded: false
+ doctype: Website
+ status: Archive
+
+- name: PACS FRTC v1.3.3 Update Released
+ summary: PACS FRTC v1.3.3 Rev. G has been published and is in effect immediately. Section 2 of the FRTC states that the FRTC is a living document and is expected to be updated over time as new or revised functional requirements are identified. In addition, this document will be updated in accordance with the following schedule.

1. A new version will be published no less than one year from issuance of the current version.
2. If security or infrastructure risks are identified, an interim release may occur.

All new versions are effective immediately. New or revised requirements and their test cases will include an effective date, commensurate with their assigned severity level (see paragraphs 7.1, 7.2, and 7.3.
+ pubdate: February 2, 2018
+ url:
+ source: IDManagement.gov
+ target: _blank
+ expanded: false
+ doctype: Announcement
+ status: Archive
+
+- name: APL Category Removal - RNG-Based PIV Cards
+ summary: In the past, the FIPS 201 Evaluation Program has granted extensions for allowing RNG-based PIV cards to continue being listed on the APL. In alignment with NIST’s decision, the FIPS 201 Evaluation Program has also decided to not grant another extension and has removed all RNG-based PIV cards from the APL and added them to our Removed Products List.
+ pubdate: February 2, 2018
+ url: https://csrc.nist.gov/Projects/NIST-Personal-Identity-Verification-Program/Announcements
+ source: https://csrc.nist.gov/
+ target: _blank
+ expanded: false
+ doctype: Website
+ status: Archive
+
+- name: Now Testing Derived PIV Credentials
+ summary: The FIPS 201 Evaluation Program has established the criteria for testing derived PIV credentials. See the FIPS 201 Evaluation Program page for information about the testing process or to submit a credential for testing.
+ pubdate: August 18, 2017
+ url:
+ source: IDManagement.gov
+ target: _blank
+ expanded: false
+ doctype: Announcement
+ status: Archive
+
+- name: Extension for Random Number Generator (RNG)-based PIV Cards
+ summary: NIST’s PIV Validation Program has provided an extension on migrating away from RNG-based PIV cards to Deterministic Random Bit Generator (DRBG)-based PIV cards. See the NIST announcement for additional details and recommended guidance. The FIPS 201 Evaluation Program’s Approved Products List (APL) will continue to list RNG-based PIV cards until June 30, 2018.
+ pubdate: May 24, 2017
+ url: http://csrc.nist.gov/groups/SNS/piv/npivp/announcements.html
+ source: http://csrc.nist.gov/
+ target: _blank
+ expanded: false
+ doctype: Website
+ status: Archive
+
+- name: APL Category Removal - Card Printer Station, Electronic Personalization, Facial Image Capturing Camera and Middleware, and Graphical Representation.
+ summary: The FIPS 201 Evaluation Program has removed the following categories. After analyzing the Approved Products List categories, the Program found the following.

- Many products on the APL are not for sale anymore.
- Most testing and approval procedures were outdated.
- Testing was already being conducted by some other Program (NIST, FBI, FPKI).

Please note that the removal of these categories should not impact any acquisitions. Categories not identified by the Program have no requirement for FIPS 201 conformance and any product on the market should be able to satisfy the agency’s needs/requirements. The following categories are removed and replaced by FPKIPA Annual PIV Credential Issuer Testing.

- Card Printer Station
- Electronic Personalization
- Facial Image Capturing Camera
-Facial Image Capturing Camera (Middleware)
- Graphical Representation.
+ pubdate: October 29, 2016
+ url: /fpki/
+ source: IDManagement.gov
+ target: _blank
+ expanded: false
+ doctype: Website
+ status: Archive
+
+- name: APL Category Removal - PIV Middleware
+ summary: The FIPS 201 Evaluation Program has removed the following categories. After analyzing the Approved Products List categories, the Program found the following.

- Many products on the APL are not for sale anymore.
- Most testing and approval procedures were outdated.
- Testing was already being conducted by some other Program (NIST, FBI, FPKI).

Please note that the removal of these categories should not impact any acquisitions. Categories not identified by the Program have no requirement for FIPS 201 conformance and any product on the market should be able to satisfy the agency’s needs/requirements. The following categories are removed and replaced by NIST PIV Middleware Certification List.

- PIV Middleware
+ pubdate: October 29, 2016
+ url: https://csrc.nist.gov/Projects/NIST-Personal-Identity-Verification-Program/Validation-Lists/SP-800-73-4-PIV-Middleware-Validation-List
+ source: https://csrc.nist.gov/
+ target: _blank
+ expanded: false
+ doctype: Website
+ status: Archive
+
+- name: APL Category Removal - Template Generator and Matcher
+ summary: The FIPS 201 Evaluation Program has removed the following categories. After analyzing the Approved Products List categories, the Program found the following.

- Many products on the APL are not for sale anymore.
- Most testing and approval procedures were outdated.
- Testing was already being conducted by some other Program (NIST, FBI, FPKI).

Please note that the removal of these categories should not impact any acquisitions. Categories not identified by the Program have no requirement for FIPS 201 conformance and any product on the market should be able to satisfy the agency’s needs/requirements. The following categories are removed and replaced by NIST MINEX Participation Chart.

- Template Generator
- Template Matcher
+ pubdate: October 29, 2016
+ url: https://www.nist.gov/itl/iad/image-group/minutiae-interoperability-exchange-minex-iii-results
+ source: https://www.nist.gov/
+ target: _blank
+ expanded: false
+ doctype: Website
+ status: Archive
+
+- name: APL Category Removal - Single Fingerprint Capture Device
+ summary: The FIPS 201 Evaluation Program has removed the following categories. After analyzing the Approved Products List categories, the Program found the following.

- Many products on the APL are not for sale anymore.
- Most testing and approval procedures were outdated.
- Testing was already being conducted by some other Program (NIST, FBI, FPKI).

Please note that the removal of these categories should not impact any acquisitions. Categories not identified by the Program have no requirement for FIPS 201 conformance and any product on the market should be able to satisfy the agency’s needs/requirements. The following categories are removed and replaced by FBI Certified Products List.

- Single Fingerprint Capture Device
+ pubdate: October 29, 2016
+ url: https://fbibiospecs.fbi.gov/certifications-1/cpl
+ external: true
+ source: https://fbibiospecs.fbi.gov/
+ target: _blank
+ expanded: false
+ doctype: Website
+ status: Archive
+
+- name: APL Category Removal - Cryptographic Module
+ summary: The FIPS 201 Evaluation Program has removed the following categories. After analyzing the Approved Products List categories, the Program found the following.

- Many products on the APL are not for sale anymore.
- Most testing and approval procedures were outdated.
- Testing was already being conducted by some other Program (NIST, FBI, FPKI).

Please note that the removal of these categories should not impact any acquisitions. Categories not identified by the Program have no requirement for FIPS 201 conformance and any product on the market should be able to satisfy the agency’s needs/requirements. The following categories are removed and replaced by NIST FIPS 140-2 Validation List.

- Cryptographic Module
+ pubdate: October 29, 2016
+ url: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm
+ external: true
+ source: http://csrc.nist.gov/
+ target: _blank
+ expanded: false
+ doctype: Website
+ status: Archive
+
+- name: APL Category Removal - LACS Transparent and Mobile Transparent Readers
+ summary: The FIPS 201 Evaluation Program has removed the following categories. After analyzing the Approved Products List categories, the Program found the following.

- Many products on the APL are not for sale anymore.
- Most testing and approval procedures were outdated.
- Testing was already being conducted by some other Program (NIST, FBI, FPKI).

Please note that the removal of these categories should not impact any acquisitions. Categories not identified by the Program have no requirement for FIPS 201 conformance and any product on the market should be able to satisfy the agency’s needs/requirements. The following categories are removed and replaced by FICAM Playbooks.

- LACS Mobile Transparent Reader
- LACS Transparent Reader
+ pubdate: October 29, 2016
+ url: university/piv/#card-readers
+ external: false
+ source: IDManagement.gov/university/
+ target: _blank
+ expanded: false
+ doctype: Website
+ status: Archive
+
+- name: APL Category Removal - LACS Caching Status Proxy and Certificate Validator
+ summary: The FIPS 201 Evaluation Program has removed the following categories. After analyzing the Approved Products List categories, the Program found the following.

- Many products on the APL are not for sale anymore.
- Most testing and approval procedures were outdated.
- Testing was already being conducted by some other Program (NIST, FBI, FPKI).

Please note that the removal of these categories should not impact any acquisitions. Categories not identified by the Program have no requirement for FIPS 201 conformance and any product on the market should be able to satisfy the agency’s needs/requirements. The following categories are removed and replaced by SCVP Validation Protocol Category.

- LACS Caching Status Proxy
- Certificate Validator
+ pubdate: October 29, 2016
+ url: /fips201ep/#program-announcements
+ external: true
+ source: IDManagement.gov
+ target: _blank
+ expanded: false
+ doctype: Page
+ status: Archive
+
+- name: APL Category Removal - RNG--based PIV cards
+ summary: In-line with the DRBG PIV credential transition plan from NIST, the FIPS 201 Evaluation Program will be removing legacy RNG PIV credential listed on the Approved Products List on July 31, 2017. According to this transition plan, agencies may continue to procure and issue credentials using implementations marked as “legacy” on the NPIVP validation list until June 30, 2017. However, the agencies should migrate to fully compliant credentials implementing approved DRBGs as soon as DRBG PIV credential and the compatible credential management software are commercially available. Once issued, these “legacy” RNG PIV credentials may be used until their expiration date – up to June 30, 2023.
+ pubdate: June 23, 2016
+ url: http://csrc.nist.gov/groups/SNS/piv/npivp/validation_lists/PIVCardApplicationValidationList.htm
+ external: true
+ source: http://csrc.nist.gov/
+ target: _blank
+ expanded: false
+ doctype: Website
+ status: Archive
+
+- name: GSA Document Signing Tool
+ summary: We’d like to announce that the GSA Document Signing Tool (aka PKCS#7 Tool) source code is now available on GitHub. Moving forward, the community may contribute to enhancements, bug fixes, and new features for the GSA Document Signing Tool directly. Community members may clone the source code from the GSA GitHub repository and submit any additions via new branches and pull requests. If you have any questions, comments, or issues with the GSA Document Signing Tool, feel free to email fips201ep at gsa.gov.
+ pubdate: April 12, 2016
+ url: https://github.com/GSA/gsa-doc-digital-signature
+ external: true
+ source: https://github.com
+ target: _blank
+ expanded: false
+ doctype: Website
+ status: Archive
+
+- name: APL Category Removal - Tri-Interface PIV card
+ summary: The FIPS 201 Evaluation Program received and analyzed multiple comments on the removal of tri-interface credentials from the Approved Products List. To provide further clarification, tri-interface credentials refers to PIV credentials that have additional non-PIV authentication features such as a mag stripe and 125 kHz antenna. The Program has been asked to remove these types of credentials from the APL because they have become an enabler for some buildings to postpone or altogether avoid deploying compliant Physical Access Control Systems (PACS); our intent was to close this loophole. Two years ago, the Program removed transparent readers from the APL to align products with policy and standards by utilizing PKI for PACS and LACS. We are now removing tri-interface credentials from the APL so buildings can migrate away from legacy forms of access control and align with policy and directives. While we received mostly very positive feedback about this decision, we have received feedback that highlighted a number of legitimate use cases that we would be negatively impacting agencies. The Program is going to delay the removal of the tri-interface credentials from the APL from 6 to 18 months. In 18 months the FIPS 201 Evaluation Program will no longer test or list tri-interface credentials on the APL. Note that PIV Issuers are required to use APL approved credential stock, so beginning in 18 months issuance of tri-interface PIV credentials will not be allowed.
+ pubdate: June 13, 2014
+ url:
+ external: true
+ source: IDManagement.gov
+ target: _blank
+ expanded: false
+ doctype: Announcement
+ status: Archive
\ No newline at end of file
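Review bot: Three entries still point at NIST CSRC over cleartext HTTP — `url: http://csrc.nist.gov/groups/SNS/piv/npivp/announcements.html` (May 24, 2017), `url: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm` (Cryptographic Module, October 29, 2016) and `url: http://csrc.nist.gov/groups/SNS/piv/npivp/validation_lists/PIVCardApplicationValidationList.htm` (June 23, 2016), each paired with `source: http://csrc.nist.gov/`. These are precisely the pages a reader follows to confirm a FIPS 140-2 or NPIVP validation, and an unauthenticated hop lets an on-path party substitute the destination, so the scheme should be `https://` as the 2018-and-later entries already use (the legacy `/groups/...` paths have likely also moved, so the links are worth re-checking). The `external` key is applied inconsistently as well: absent on most entries, `true` on the internal path `url: /fips201ep/#program-announcements`, and `false` on the only scheme-less relative URL `university/piv/#card-readers`, so if the template keys `rel="noopener noreferrer"` or an exit notice off that flag it will be wrong in both directions. Finally, the header line `# HTML tags can be included inline with summary information.` implies `summary` is emitted unescaped, which is only safe while this file changes exclusively through reviewed pull requests; stating that assumption in the comment would keep a future contributor from treating the field as plain text.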
diff --git a/_data/fips201pacs1301.yml b/_data/fips201pacs1301.yml
new file mode 100644
index 000000000..245eadb45
--- /dev/null
+++ b/_data/fips201pacs1301.yml
@@ -0,0 +1,613 @@ +# List of PACS Systems for PACS List + +- category: 13.01 + fipsstatus: Approved + infrastructure: AMAG Symmetry Professional v9.3 + infraurl: /docs/apl-10047-symmetry.pdf + infraapl: 10047 + validation: HID Global Validation System for AMAG Symmetry Professional v9.3 + valurl: /docs/apl-10048-amag.pdf + valapl: 10048 + reader1: pivCLASS RKCLB40 Contact/Contactless Reader + PIN + BIO + reader1url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader1apl: 10052 + reader2: pivCLASS RKCL40 Contact/Contactless Reader + PIN + reader2url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader2apl: 10007 + reader3: pivCLASS RK40 Contactless Reader + PIN + reader3url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader3apl: 10004 + reader4: pivCLASS RPKCLB40 Contact/Contactless Reader + PIN + BIO + reader4url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader4apl: 10026 + reader5: pivCLASS RPKCL40 Contact/Contactless Reader + PIN + reader5url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader5apl: 10008 + reader6: pivCLASS RPK40 Contactless Reader + PIN + reader6url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader6apl: 10005 + reader7: pivCLASS RP40 Contactless Reader + reader7url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader7apl: 10003 + reader8: pivCLASS R10 Contactless Reader + reader8url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader8apl: 10085 + reader9: pivCLASS R40 Contactless Reader + reader9url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader9apl: 10006 + reader10: Veridt Bio Dual Contact/Contactless Keypad Reader + reader10url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader10apl: 10031 + reader11: Veridt Stealth Contactless Keypad Reader + reader11url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader11apl: 10034 + reader12: Veridt Stealth Dual Contact/Contactless Keypad Reader + reader12url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + 
reader12apl: 10032 + reader13: Veridt Stealth Lite Contactless Reader + reader13url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader13apl: 10035 + reader14: Veridt Stealth Lite Dual Contact/Contactless Reader + reader14url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader14apl: 10033 + +- category: 13.01 + fipsstatus: Approved + infrastructure: AMAG Symmetry Professional v9.3 + infraurl: /docs/apl-10143-Amag-IDOne.pdf + infraapl: 10143 + validation: Identity One Validation System for AMAG Symmetry Professional v9.3 + valurl: /docs/apl-10144-Amag-IDOne-validation.pdf + valapl: 10144 + reader1: Veridt Bio Dual Contact/Contactless Keypad Reader + reader1url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader1apl: 10031 + reader2: Veridt Stealth Contactless Keypad Reader + reader2url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader2apl: 10034 + reader3: Veridt Stealth Dual Contact/Contactless Keypad Reader + reader3url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader3apl: 10032 + reader4: Veridt Stealth Lite Contactless Reader + reader4url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader4apl: 10035 + reader5: Veridt Stealth Lite Dual Contact/Contactless Reader + reader5url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader5apl: 10033 + +- category: 13.01 + fipsstatus: Approved + infrastructure: Avigilon ACM + infraurl: /docs/apl-10122-avigilon.pdf + infraapl: 10122 + validation: HID Global Validation System for Avigilon + valurl: /docs/apl-10123-hid-avigilon.pdf + valapl: 10123 + reader1: pivCLASS RKCL40 Contact/Contactless Reader + PIN + reader1url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader1apl: 10007 + reader2: pivCLASS RK40 Contactless Reader + PIN + reader2url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader2apl: 10004 + reader3: pivCLASS RPKCL40 Contact/Contactless Reader + PIN + reader3url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + 
reader3apl: 10008 + reader4: pivCLASS RPK40 Contactless Reader + PIN + reader4url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader4apl: 10005 + reader5: pivCLASS RP40 Contactless Reader + reader5url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader5apl: 10003 + reader6: pivCLASS R10 Contactless Reader + reader6url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader6apl: 10085 + reader7: pivCLASS R40 Contactless Reader + reader7url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader7apl: 10006 + +- category: 13.01 + fipsstatus: Approved + infrastructure: Datawatch Systems Site Controller + infraurl: /docs/apl-10117-datawatch.pdf + infraapl: 10117 + validation: Validation System for Datawatch + valurl: /docs/apl-10118-datawatch-validation.pdf + valapl: 10118 + reader1: pivCLASS RP40 Contactless Reader + reader1url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader1apl: 10003 + +- category: 13.01 + fipsstatus: Approved + infrastructure: DAQ Starwatch + infraurl: /docs/apl-10071-daq-starwatch.pdf + infraapl: 10071 + validation: HID Global Validation System for DAQ Starwatch with Embedded Authentication + valurl: /docs/apl-10072-daq-validation.pdf + valapl: 10072 + reader1: pivCLASS RKCL40 Contact/Contactless Reader + PIN + reader1url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader1apl: 10007 + reader2: pivCLASS RK40 Contactless Reader + PIN + reader2url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader2apl: 10004 + reader3: pivCLASS RPKCL40 Contact/Contactless Reader + PIN + reader3url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader3apl: 10008 + reader4: pivCLASS RPK40 Contactless Reader + PIN + reader4url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader4apl: 10005 + reader5: pivCLASS RP40 Contactless Reader + reader5url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader5apl: 10003 + reader6: pivCLASS R40 Contactless Reader + reader6url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + 
reader6apl: 10006 + reader7: pivCLASS RPKCLB40 Contact/Contactless Reader + PIN +BIO + reader7url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader7apl: 10026 + reader8: pivCLASS RKCLB40 Contact/Contactless Reader + PIN + BIO + reader8url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader8apl: 10052 + +- category: 13.01 + fipsstatus: Approved + infrastructure: Feenics Keep V3 + infraurl: /docs/apl-10120-feenics.pdf + infraapl: 10120 + validation: HID Global Validation System for Feenics Keep V3 with Embedded Authentication + valurl: /docs/apl-10121-feenics-validation.pdf + valapl: 10121 + reader8: pivCLASS RKCLB40 Contact/Contactless Reader + PIN + BIO + reader8url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader8apl: 10052 + reader2: pivCLASS RK40 Contactless Reader + PIN + reader2url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader2apl: 10004 + reader5: pivCLASS RPKCL40 Contact/Contactless Reader + PIN + reader5url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader5apl: 10008 + reader6: pivCLASS RPK40 Contactless Reader + PIN + reader6url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader6apl: 10005 + reader7: pivCLASS RP40 Contactless Reader + reader7url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader7apl: 10003 + reader9: pivCLASS R40 Contactless Reader + reader9url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader9apl: 10006 + +- category: 13.01 + fipsstatus: Approved + infrastructure: Gallagher PIV Command Centre + infraurl: /docs/apl-10019-gallagher.pdf + infraapl: 10019 + validation: HID Global Validation System for Gallagher Command Centre + valurl: /docs/apl-10020-gallagher-validation.pdf + valapl: 10020 + reader1: Gallagher High Sec T10 Reader + reader1url: /docs/apl-10021-10023-10038-10039-10099-10102-10143-gallagher.pdf + reader1apl: 10021 + reader2: Gallagher High Sec T11 Reader - Multi-Tech + reader2url: /docs/apl-10021-10023-10038-10039-10099-10102-10143-gallagher.pdf + reader2apl: 
10023 + reader3: Gallagher High Sec T11 Reader + reader3url: /docs/apl-10021-10023-10038-10039-10099-10102-10143-gallagher.pdf + reader3apl: 10022 + reader4: Gallagher High Sec T15 Reader – Multi-Tech + reader4url: /docs/apl-10021-10023-10038-10039-10099-10102-10143-gallagher.pdf + reader4apl: 10102 + reader5: Gallagher High Sec T15 Reader + reader5url: /docs/apl-10021-10023-10038-10039-10099-10102-10143-gallagher.pdf + reader5apl: 10101 + reader6: Gallagher High Sec T20 Reader - Multi-Tech + reader6url: /docs/apl-10021-10023-10038-10039-10099-10102-10143-gallagher.pdf + reader6apl: 10039 + reader7: Gallagher High Sec T20 Reader + reader7url: /docs/apl-10021-10023-10038-10039-10099-10102-10143-gallagher.pdf + reader7apl: 10038 + reader8: Gallagher High Sec T21 Reader - Multi-Tech + reader8rul: /docs/apl-10021-10023-10038-10039-10099-10102-10143-gallagher.pdf + reader8apl: 10100 + reader9: Gallagher High Sec T21 Reader Rev 1 + reader9rul: /docs/apl-10021-10023-10038-10039-10099-10102-10143-gallagher.pdf + reader9apl: 10143 + reader10: Gallagher High Sec T21 Reader + reader10url: /docs/apl-10021-10023-10038-10039-10099-10102-10143-gallagher.pdf + reader10apl: 10099 + reader11: Veridt Bio Dual Contact/Contactless Keypad Reader + reader11url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader11apl: 10092 + reader12: Veridt Stealth Dual Contact/Contactless Keypad Reader + reader12url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader12apl: 10093 + reader13: Veridt Stealth Lite Dual Contact /Contactless Reader + reader13url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader13apl: 10094 + reader14: Veridt Stealth Contactless Keypad Reader + reader14url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader14apl: 10095 + reader15: Veridt Stealth Lite Contactless Reader + reader15url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader15apl: 10096 + +- category: 13.01 + fipsstatus: Approved + infrastructure: Genetec 
Security Center – Synergis + infraurl: /docs/apl-10061-genetec.pdf + infraapl: 10061 + validation: HID Global Validation System for Genetec Security Center – Synergis + valurl: /docs/apl-10062-genetec-validation.pdf + valapl: 10062 + reader1: pivCLASS RKCLB40 Contact/Contactless Reader + PIN + BIO + reader1url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader1apl: 10052 + reader2: pivCLASS RKCL40 Contact/Contactless Reader + PIN + reader2url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader2apl: 10007 + reader3: pivCLASS RK40 Contactless Reader + PIN + reader3url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader3apl: 10004 + reader4: pivCLASS RPKCLB40 Contact/Contactless Reader + PIN + BIO + reader4url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader4apl: 10026 + reader5: pivCLASS RPKCL40 Contact/Contactless Reader + PIN + reader5url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader5apl: 10008 + reader6: pivCLASS RPK40 Contactless Reader + PIN + reader6url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader6apl: 10005 + reader7: pivCLASS RP40 Contactless Reader + reader7url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader7apl: 10003 + reader8: pivCLASS R10 Contactless Reader + reader8url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader8apl: 10085 + reader9: pivCLASS R40 Contactless Reader + reader9url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader9apl: 10006 + +- category: 13.01 + fipsstatus: Approved + infrastructure: Honeywell Pro-Watch + infraurl: /docs/apl-10063-honeywell.pdf + infraapl: 10063 + validation: HID Global Validation System for Pro-Watch + valurl: /docs/apl-10064-honeywell-validation.pdf + valapl: 10064 + reader1: pivCLASS RKCLB40 Contact/Contactless Reader + PIN + BIO + reader1url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader1apl: 10052 + reader2: pivCLASS RKCL40 Contact/Contactless Reader + PIN + reader2url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + 
reader2apl: 10007 + reader3: pivCLASS RK40 Contactless Reader + PIN + reader3url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader3apl: 10004 + reader4: pivCLASS RPKCLB40 Contact/Contactless Reader + PIN + BIO + reader4url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader4apl: 10026 + reader5: pivCLASS RPKCL40 Contact/Contactless Reader + PIN + reader5url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader5apl: 10008 + reader6: pivCLASS RPK40 Contactless Reader + PIN + reader6url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader6apl: 10005 + reader7: pivCLASS RP40 Contactless Reader + reader7url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader7apl: 10003 + reader8: pivCLASS R40 Contactless Reader + reader8url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader8apl: 10006 + +- category: 13.01 + fipsstatus: Approved + infrastructure: Identiv Velocity + infraurl: /docs/apl-10013-hirsch.pdf + infraapl: 10013 + validation: HID Global Validation System for Hirsch-Identiv Velocity + valurl: /docs/apl-10014-hirsch-validation.pdf + valapl: 10014 + reader1: pivCLASS RKCLB40 Contact/Contactless Reader + PIN + BIO + reader1url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader1apl: 10052 + reader2: pivCLASS RKCL40 Contact/Contactless Reader + PIN + reader2url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader2apl: 10007 + reader3: pivCLASS RK40 Contactless Reader + PIN + reader3url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader3apl: 10004 + reader4: pivCLASS RPKCLB40 Contact/Contactless Reader + PIN + BIO + reader4url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader4apl: 10026 + reader5: pivCLASS RPKCL40 Contact/Contactless Reader + PIN + reader5url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader5apl: 10008 + reader6: pivCLASS RPK40 Contactless Reader + PIN + reader6url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader6apl: 10005 + reader7: pivCLASS RP40 Contactless Reader + 
reader7url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader7apl: 10003 + reader8: pivCLASS R40 Contactless Reader + reader8url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader8apl: 10006 + +- category: 13.01 + fipsstatus: Approved + infrastructure: LenelS2 OnGuard with Embedded Authentication + infraurl: /docs/apl-10112-lenel.pdf + infraapl: 10112 + validation: HID Global Validation System for LenelS2 OnGuard with Embedded Authentication + valurl: /docs/apl-10113-level-validation.pdf + valapl: 10113 + reader1: pivCLASS RKCLB40 Contact/Contactless Reader + PIN + BIO + reader1url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader1apl: 10052 + reader2: pivCLASS RKCL40 Contact/Contactless Reader + PIN + reader2url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader2apl: 10007 + reader3: pivCLASS RK40 Contactless Reader + PIN + reader3url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader3apl: 10004 + reader4: pivCLASS RPKCLB40 Contact/Contactless Reader + PIN + BIO + reader4url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader4apl: 10026 + reader5: pivCLASS RPKCL40 Contact/Contactless Reader + PIN + reader5url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader5apl: 10008 + reader6: pivCLASS RPK40 Contactless Reader + PIN + reader6url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader6apl: 10005 + reader7: pivCLASS RP40 Contactless Reader + reader7url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader7apl: 10003 + reader8: pivCLASS R10 Contactless Reader + reader8url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader8apl: 10085 + reader9: pivCLASS R40 Contactless Reader + reader9url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader9apl: 10006 + reader10: Veridt Bio Dual Contact/Contactless Keypad Reader + reader10url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader10apl: 10092 + reader11: Veridt Stealth Dual Contact/Contactless Keypad Reader + reader11url: 
/docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader11apl: 10093 + reader12: Veridt Stealth Lite Dual Contact /Contactless Reader + reader12url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader12apl: 10094 + reader13: Veridt Stealth Contactless Keypad Reader + reader13url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader13apl: 10095 + reader14: Veridt Stealth Lite Contactless Reader + reader14url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader14apl: 10096 + +- category: 13.01 + fipsstatus: Approved + infrastructure: LenelS2 OnGuard with Embedded Authentication + infraurl: /docs/apl-10126-lenel.pdf + infraapl: 10126 + validation: TI Entry Point Validation System for LenelS2 OnGuard + valurl: /docs/apl-10127-lenel-validation.pdf + valapl: 10127 + reader1: Allegion Schlage Mullion/ Single Gang Reader + reader1url: /docs/apl-10128-29-allegion.pdf + reader1apl: 10128 + reader2: Veridt Bio Dual Contact/Contactless Keypad Reader + reader2url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader2apl: 10092 + reader3: Veridt Stealth Dual Contact/Contactless Keypad Reader + reader3url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader3apl: 10093 + reader4: Veridt Stealth Lite Dual Contact /Contactless Reader + reader4url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader4apl: 10094 + reader5: Veridt Stealth Contactless Keypad Reader + reader5url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader5apl: 10095 + reader6: Veridt Stealth Lite Contactless Reader + reader6url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader6apl: 10096 + +- category: 13.01 + fipsstatus: Approved + infrastructure: Open Options DNA Fusion + infraurl: /docs/apl-10075-open-options.pdf + infraapl: 10075 + validation: ID Global Validation System for Open Options DNA Fusion + valurl: /docs/apl-10076-open-options-validation.pdf + valapl: 10076 + reader1: pivCLASS RKCLB40 Contact/Contactless 
Reader + PIN + BIO + reader1url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader1apl: 10052 + reader2: pivCLASS RKCL40 Contact/Contactless Reader + PIN + reader2url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader2apl: 10007 + reader3: pivCLASS RK40 Contactless Reader + PIN + reader3url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader3apl: 10004 + reader4: pivCLASS RPKCLB40 Contact/Contactless Reader + PIN + BIO + reader4url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader4apl: 10026 + reader5: pivCLASS RPKCL40 Contact/Contactless Reader + PIN + reader5url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader5apl: 10008 + reader6: pivCLASS RPK40 Contactless Reader + PIN + reader6url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader6apl: 10005 + reader7: pivCLASS RP40 Contactless Reader + reader7url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader7apl: 10003 + reader8: pivCLASS R10 Contactless Reader + reader8url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader8apl: 10085 + reader9: pivCLASS R40 Contactless Reader + reader9url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader9apl: 10006 + +- category: 13.01 + fipsstatus: Approved + infrastructure: ReconaSense + infraurl: /docs/apl-10131-reconaSense.pdf + infraapl: 10131 + validation: HID Global Validation System for ReconaSense + valurl: /docs/apl-10132-reconaSense-validation.pdf + valapl: 10132 + reader2: pivCLASS RKCL40 Contact/Contactless Reader + PIN + reader2url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader2apl: 10007 + reader3: pivCLASS RK40 Contactless Reader + PIN + reader3url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader3apl: 10004 + reader5: pivCLASS RPKCL40 Contact/Contactless Reader + PIN + reader5url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader5apl: 10008 + reader6: pivCLASS RPK40 Contactless Reader + PIN + reader6url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader6apl: 10005 + 
reader7: pivCLASS RP40 Contactless Reader + reader7url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader7apl: 10003 + reader9: pivCLASS R40 Contactless Reader + reader9url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader9apl: 10006 + +- category: 13.01 + fipsstatus: Approved + infrastructure: RS2 Technologies Access It! + infraurl: /docs/apl-10036-rs2.pdf + infraapl: 10036 + validation: HID Global Validation System for RS2 Access It! + valurl: /docs/apl-10037-rs2-validation.pdf + valapl: 10037 + reader1: pivCLASS RKCLB40 Contact/Contactless Reader + PIN + BIO + reader1url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader1apl: 10052 + reader2: pivCLASS RKCL40 Contact/Contactless Reader + PIN + reader2url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader2apl: 10007 + reader3: pivCLASS RK40 Contactless Reader + PIN + reader3url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader3apl: 10004 + reader4: pivCLASS RPKCLB40 Contact/Contactless Reader + PIN + BIO + reader4url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader4apl: 10026 + reader5: pivCLASS RPKCL40 Contact/Contactless Reader + PIN + reader5url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader5apl: 10008 + reader6: pivCLASS RPK40 Contactless Reader + PIN + reader6url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader6apl: 10005 + reader7: pivCLASS RP40 Contactless Reader + reader7url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader7apl: 10003 + reader8: pivCLASS R10 Contactless Reader + reader8url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader8apl: 10085 + reader9: pivCLASS R40 Contactless Reader + reader9url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader9apl: 10006 + +- category: 13.01 + fipsstatus: Approved + infrastructure: System Galaxy Software + infraurl: /docs/apl-10083-galaxy.pdf + infraapl: 10083 + validation: Entrypoint Validation System for Galaxy Control Systems + valurl: 
/docs/apl-10084-galaxy-validation.pdf + valapl: 10084 + reader1: Veridt Bio Dual Contact/Contactless Keypad Reader + reader1url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader1apl: 10031 + reader2: Veridt Stealth Contactless Keypad Reader + reader2url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader2apl: 10034 + reader3: Veridt Stealth Dual Contact/Contactless Keypad Reader + reader3url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader3apl: 10032 + reader4: Veridt Stealth Lite Contactless Reader + reader4url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader4apl: 10035 + reader5: Veridt Stealth Lite Dual Contact/Contactless Reader + reader5url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader5apl: 10033 + +- category: 13.01 + fipsstatus: Approved + infrastructure: Tyco Security Products C-CURE 9000 + infraurl: /docs/apl-10001-tyco.pdf + infraapl: 10001 + validation: HID Global Validation System for Tyco Security Products C-CURE 9000 + valurl: /docs/apl-10002-tyco-validation.pdf + valapl: 10002 + reader1: pivCLASS RKCLB40 Contact/Contactless Reader + PIN + BIO + reader1url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader1apl: 10052 + reader2: pivCLASS RKCL40 Contact/Contactless Reader + PIN + reader2url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader2apl: 10007 + reader3: pivCLASS RK40 Contactless Reader + PIN + reader3url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader3apl: 10004 + reader4: pivCLASS RPKCLB40 Contact/Contactless Reader + PIN + BIO + reader4url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader4apl: 10026 + reader5: pivCLASS RPKCL40 Contact/Contactless Reader + PIN + reader5url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader5apl: 10008 + reader6: pivCLASS RPK40 Contactless Reader + PIN + reader6url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader6apl: 10005 + reader7: pivCLASS RP40 Contactless Reader + reader7url: 
/docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader7apl: 10003 + reader8: pivCLASS R10 Contactless Reader + reader8url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader8apl: 10085 + reader9: pivCLASS R40 Contactless Reader + reader9url: /docs/apl-10003-4-5-6-7-8-26-52-85-pivclass.pdf + reader9apl: 10006 + reader10: Veridt Bio Dual Contact/Contactless Keypad Reader + reader10url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader10apl: 10031 + reader11: Veridt Stealth Contactless Keypad Reader + reader11url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader11apl: 10034 + reader12: Veridt Stealth Dual Contact/Contactless Keypad Reader + reader12url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader12apl: 10032 + reader13: Veridt Stealth Lite Contactless Reader + reader13url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader13apl: 10035 + reader14: Veridt Stealth Lite Dual Contact/Contactless Reader + reader14url: /docs/apl-10031-32-33-34-35-92-93-94-95-96-veridt.pdf + reader14apl: 10033 + +- category: 13.01 + fipsstatus: Approved + infrastructure: Tyco Security Products CCURE 9000 + infraurl: /docs/apl-10115-tyco.pdf + infraapl: 10115 + validation: Innometriks Validation System for Tyco/Software House CCURE 9000 + valurl: /docs/apl-10108-tyco-validation.pdf + valapl: 10108 + reader1: Cheetah Reader + reader1url: /docs/apl-10109-130-cheetah.pdf + reader1apl: 10109 + reader2: Cheetah SE Reader + reader2url: /docs/apl-10109-130-cheetah.pdf + reader2apl: 10130 + +- category: 13.01 + fipsstatus: Approved + infrastructure: Genetec Security Center - Synergis 10145 + infraurl: /docs/apl-10145-genetec.pdf + infraapl: 10145 + validation: TI Entry Point Validation System for Genetec Security Center - Synergis 10146 + valurl: /docs/apl-10146-genetec-ti-validation.pdf + valapl: 10146 + + + 
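Review bot: The Gallagher entry spells two link keys `reader8rul:` and `reader9rul:` where every other reader in the file uses `readerNurl:`, so any template that looks up `readerNurl` will render the T21 readers (APL 10100 and 10143) without a link to their approval document; change them to `reader8url:` and `reader9url:`. APL number 10143 also appears as `infraapl` of the AMAG Symmetry / Identity One entry and as `reader9apl` of the Gallagher T21 Rev 1 reader, which looks like one of the two is a copy error — confirm against the approval letters. The Feenics and ReconaSense entries skip reader numbers (`reader8`, `reader2`, `reader5`… and `reader2`, `reader3`, `reader5`…), which presumably hides readers if the page iterates `reader1..N` and stops at the first gap, so either renumber contiguously or confirm the template tolerates gaps. Smaller data inconsistencies: the Open Options validation reads `ID Global Validation System` where all other entries say `HID Global`, and the DAQ reader7 value `+ PIN +BIO` lacks the space used everywhere else. The final Genetec 10145 entry lists no readers and is followed by trailing blank lines.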
diff --git a/_data/fips2011302.yml b/_data/fips201pacs1302.yml
similarity index 100%
rename from _data/fips2011302.yml
rename to _data/fips201pacs1302.yml
diff --git a/_data/fips201piv.yml b/_data/fips201piv.yml
new file mode 100644
index 000000000..6f806b137
--- /dev/null
+++ b/_data/fips201piv.yml
@@ -0,0 +1,119 @@
+# list of APL PIV Cards products
+
+- productname: ID-One PIV v 2.4.2 on Cosmo V8.2
+ productnumber: 1759285
+ category: PIV Card
+ supplier: IDEMIA
+ aplnumber: 1512
+ validdate: 11/16/2021
+ compliantwithtaa: Yes
+ url: /docs/apl-1512-IDOne-cosmo8_2.pdf
+
+- productname: ID-One PIV v 2.4.0 on Cosmo V8.1 (EEPROM)
+ productnumber: 1501381 (applet in EEPROM)
+ category: PIV Card
+ supplier: IDEMIA
+ aplnumber: 1428
+ validdate: 08/15/2017
+ compliantwithtaa: Yes
+ url: /docs/apl-1428-idone-piv-240.pdf
+
+- productname: ID-One PIV v 2.4.1 on Cosmo V8.1 (ROM)
+ productnumber: 1585242 (applet in ROM)
+ category: PIV Card
+ supplier: IDEMIA
+ aplnumber: 1428
+ validdate: 11/13/2017
+ compliantwithtaa: Yes
+ url: /docs/apl-1428-idone-piv.pdf
+
+- productname: ID-One PIV v 2.4.1 on Cosmo V8.1 (EEPROM)
+ productnumber: 1501381 (applet in EEPROM)
+ category: PIV Card
+ supplier: IDEMIA
+ aplnumber: 1428
+ validdate: 11/13/2017
+ compliantwithtaa: Yes
+ url: /docs/apl-1428-idone-piv.pdf
+
+- productname: ID-One PIV v 2.3.5 on Cosmo V8 (High Speed)
+ productnumber: 1276885-XS
+ category: PIV Card
+ supplier: Oberthur Technologies
+ aplnumber: 1355
+ validdate: 06/17/2015
+ compliantwithtaa: Yes
+ url: /docs/apl-1355-idone-piv.pdf
+
+- productname: ID-One PIV v 2.3.5 on Cosmo V8
+ productnumber: 1276885
+ category: PIV Card
+ supplier: Oberthur Technologies
+ aplnumber: 1354
+ validdate: 06/17/2015
+ compliantwithtaa: Yes
+ url: /docs/apl-1354-idone-piv.pdf
+
+- productname: IDEMIA Cosmo V8.0
+ productnumber: 1340074
+ category: PIV Card
+ supplier: HID Global
+ aplnumber: 1511
+ validdate: 11/13/2019
+ compliantwithtaa: Yes
+ url: /docs/apl-1511-idemia-cosmo.pdf
+
+- productname: HID Global Crescendo PIV
+ productnumber: 40030M-D14
+ category: PIV Card
+ supplier: HID Global
+ aplnumber: 1431
+ validdate: 01/24/2018
+ compliantwithtaa: Yes
+ url: /docs/apl-1431-hid-global.pdf
+
+- productname: Gemalto TOP DL v2.1 with HID Global ActivID Applet Suite v2.7.4
+ productnumber: O1115095
+ category: PIV Card
+ supplier: Gemalto, Inc.
+ aplnumber: 1500
+ validdate: 08/03/2018
+ compliantwithtaa: Yes
+ url: /docs/apl-1500-gemalto-top.pdf
+
+- productname: Safenet IDPrime PIV v3.0
+ productnumber: O1138439
+ category: PIV Card
+ supplier: Gemalto, Inc.
+ aplnumber: 1510
+ validdate: 08/01/2019
+ compliantwithtaa: Yes
+ url: /docs/apl-1510-safenet-idprime.pdf
+
+- productname: Gemalto IDPrime PIV v2.1
+ productnumber: O1110994
+ category: PIV Card
+ supplier: Gemalto, Inc.
+ aplnumber: 1430
+ validdate: 01/10/2018
+ compliantwithtaa: Yes
+ url: /docs/apl-1430-gemalto-idprime.pdf
+
+- productname: Giesecke+Devrient Mobile Security SmartCafe Expert 7.0 with HID Global ActivID Applet v2.7.5
+ productnumber: 50192769
+ category: PIV Card
+ supplier: Giesecke+Devrient
+ aplnumber: 1429
+ validdate: 11/09/2017
+ compliantwithtaa: Yes
+ url: /docs/apl-1429-gd-with-hid-applet.pdf
+
+- productname: Giesecke+Devrient Mobile Security SmartCafe Expert 7.0 with StarSign Applet v1.0
+ productnumber: 50254711
+ category: PIV Card
+ supplier: Giesecke+Devrient
+ aplnumber: 1502
+ validdate: 12/13/2018
+ compliantwithtaa: Yes
+ url: /docs/apl-1502-gd-mobile.pdf
+
diff --git a/_data/fpkiannouncements.yml b/_data/fpkiannouncements.yml
new file mode 100644
index 000000000..344deab81
--- /dev/null
+++ b/_data/fpkiannouncements.yml
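Review bot: `compliantwithtaa: Yes` is an unquoted scalar on every row, and Ruby's YAML parser follows YAML 1.1 rules under which `Yes` is loaded as the boolean `true`, so a template that prints the field as-is will show `true` instead of `Yes`; either quote it (`compliantwithtaa: "Yes"`) or have the template map the boolean to its display text. `validdate` is written as `11/16/2021`-style strings while the announcements data added in this same commit uses `February 10, 2023`; one format across the data files (ISO `2021-11-16` parses unambiguously for Liquid's `date` filter) would avoid surprises once these lists are sorted or compared. APL number 1428 is shared by three distinct product rows (v2.4.0 EEPROM, v2.4.1 ROM, v2.4.1 EEPROM); if that reflects one approval letter covering several part numbers it is fine, but a short comment above those rows, e.g. `# APL 1428 covers three ID-One configurations; see the linked approval PDFs`, would stop readers from reporting it as a copy error.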
@@ -0,0 +1,79 @@
+## FPKI announcements
+
+- title: Public Trust PKI Certificate Policy
+ pubDate: February 10, 2023
+ url: /implement/announcements/PT-TLS-CP/
+ description: The US Federal Public Trust PKI Certificate Policy v1.0 is now archived and undergoing revision.
+ status: Active
+
+- title: CPCT Tool Update
+ pubDate: January 12, 2023
+ url: /implement/announcements/cpct-update101/
+ description: The Certificate Profile Conformance Tool (CPCT) has been updated to account for Common Profiles v2.2.
+ status: Active
+
+- title: CPCT Tool transition from Cloud.gov
+ pubDate: October 21, 2022
+ url: /implement/announcements/cpct-transition/
+ description: The Certificate Profile Conformance Tool (CPCT) will transition from Cloud.gov.
+ status: Active
+
+- title: FCPCA SIA LDAP Decommissioning
+ pubDate: October 11, 2022
+ url: /implement/announcements/ldap-removal/
+ description: The FPKIMA will be decommissioning the LDAP service associated with the old FCPCA root's SIA repository.
+ status: Active
+
+- title: New FPKI Tools Available
+ pubDate: May 18, 2021
+ url: /implement/announcements/test-tools/
+ description: Release announcement for the Federal PKI Card Conformance Tool (CCT) and Certificate Profile Conformance Tool (CPCT).
+ status: Active
+
+- title: Federal Common Policy CA G2 Update
+ pubDate: October 12, 2020
+ url: /implement/announcements/common-g2-update/
+ description: This announcement details the FCPCA update timeline and actions agencies need to perform.
+ status: Active
+
+- title: Upcoming Migration of Federal PKI Certificate Repository Services
+ pubDate: April 1, 2019
+ url: /implement/announcements/2019fpkimigration/
+ description: On April 22, 2019, the Federal Public Key Infrastructure Management Authority will migrate the hosting of HyperText Transfer Protocol (HTTP) repository services to a cloud-based solution.
+ status: Removed
+
+- title: DigiCert CA Decommissioning
+ pubDate: April 1, 2019
+ url: /implement/announcements/2019digicert/
+ description: DigiCert Incorporated is planning on decommissioning several certification authorities (CAs) from the Federal PKI. These CAs are no longer active or required, and there is no expected impact from these changes.
+ status: Removed
+
+- title: Removal of Health CAs from Federal PKI
+ pubDate: March 5, 2019
+ url: /implement/announcements/2019removal/
+ description: Federal PKI teams recently performed two actions to remove fifty-nine (59) certification authorities (CAs) related to health IT use cases from the Federal PKI trust framework. This change is not a distrust action.
+ status: Removed
+
+- title: Federal Common Policy CA Removal from Apple Trust Stores Impact
+ pubDate: September 13, 2018
+ url: implement/announcements/2018applepkichanges/
+ description: This change will impact government users of Apple iOS, macOS, and tvOS, starting in **September 2018**. This change will cause government users to receive errors when encountering instances of a Federal PKI CA-issued certificate. You can mitigate the impact for government intranets and government-furnished equipment.
+ status: Removed
+
+- title: Chrome Certificate Transparency Requirements
+ pubDate: August 10, 2018
+ url: /implement/announcements/2018chromect/
+ description: As of **July 24, 2018**, Google is now enforcing Certificate Transparency (CT) for Chrome 68 and above. This change could affect your agency. This means that all TLS/SSL certificates issued after **April 30, 2018**, that validate to a publicly trusted Root Certification Authority (CA) certificate must appear in a CT log in order to be trusted by Chrome 68 and above. Users browsing to non-CT compliant, federal intranet websites will encounter connection errors.
+ status: Removed
+
+- title: Federal Common Policy CA Removal from Microsoft Trust Store Impact
+ pubDate: May 18, 2018
+ url: /implement/announcements/2018mspkichanges/
+ description: This change will cause Windows users to receive errors when encountering instances of a Federal PKI CA-issued certificate. You can mitigate the impact for the government intranets and government-furnished equipment by using configuration management tools for federal devices.
+ status: Removed
+
+- title: Chrome TLS Certificate Lifetime Requirement
+ pubDate: May 10, 2018
+ url: /implement/announcements/2018tlslifetime/
+ description: Recent changes to Chrome could affect your agency. Chrome users may receive errors when browsing to government intranet websites and applications. Starting **March 1, 2018**, Chrome requires all TLS/SSL certificates to have a maximum lifetime of 825 days. You can mitigate the impact for government intranets, applications, and government-furnished equipment by using these procedures.
+ status: Removed
diff --git a/_data/fpkicustomers.yml b/_data/fpkicustomers.yml
new file mode 100644
index 000000000..e8756332c
--- /dev/null
+++ b/_data/fpkicustomers.yml
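Review bot: The Apple trust-store entry's `url: implement/announcements/2018applepkichanges/` is missing the leading slash that every other entry has, so it will be emitted as a relative link that resolves against whatever page renders the list rather than the site root; change it to `url: /implement/announcements/2018applepkichanges/`. Several descriptions contain Markdown emphasis (`**September 2018**`, `**July 24, 2018**`, `**March 1, 2018**`), which will appear as literal asterisks unless the template passes `description` through `markdownify` — worth confirming, since these are the dates readers are meant to notice. This file names the date key `pubDate` while the data file at the top of this chunk uses `pubdate`; Liquid lookups and sort filters are case-sensitive, so a single spelling across the data files would avoid a silently empty field in any shared include.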
@@ -0,0 +1,793 @@
+# data file for piv customers list
+
+-
+ branch: Executive
+ agency: Executive Office of the President
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Department of Agriculture
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Department of Commerce
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Department of Commerce - National Oceanic and Atmospheric Administration
+ credentialProvider: Defense Manpower Data Center
+ ssp: Defense Information Systems Agency
+ ca: DoD Issuing CAs
+-
+ branch: Executive
+ agency: Department of Commerce - United States Patent and Trademark Office
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: USPTO_INTR_CA1
+-
+ branch: Executive
+ agency: Department of Education
+ credentialProvider: Internal (migrating to USAccess)
+ ssp: DigiCert Federal SSP and Entrust Federal SSP
+ ca: U.S. Department of Education Agency CA - G4 and Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Department of Energy
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Department of Energy - Naval Reactors
+ credentialProvider: Naval Reactors
+ ssp: DigiCert Federal SSP
+ ca: Naval Reactors SSP Agency CA G3
+-
+ branch: Executive
+ agency: Department of Health and Human Services
+ credentialProvider: Health and Human Services
+ ssp: Entrust Federal SSP
+ ca: HHS-FPKI-Intermediate-CA-E1
+-
+ branch: Executive
+ agency: Department of Health and Human Services - Office of Inspector General
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Department of Homeland Security
+ credentialProvider: Department of Homeland Security
+ ssp: Treasury
+ ca: DHS CA4
+-
+ branch: Executive
+ agency: Department of Homeland Security - US Coast Guard
+ credentialProvider: Defense Manpower Data Center
+ ssp: Defense Information Systems Agency
+ ca: DoD Issuing CAs
+-
+ branch: Executive
+ agency: Department of Housing and Urban Development
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Department of the Interior
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Department of Justice
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Department of Labor
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Department of State
+ credentialProvider: Department of State
+ ssp: Department of State
+ ca: U.S. Department of State PIV CA2
+-
+ branch: Executive
+ agency: Department of State - Office of Inspector General
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Department of Transportation
+ credentialProvider: FAA Custom
+ ssp: DigiCert Federal SSP and WidePoint SSP
+ ca: U.S. Department of Transportation Agency CA G5 and U.S. Department of Transportation Agency CA G6
+-
+ branch: Executive
+ agency: Surface Transportation Board
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Department of the Treasury
+ credentialProvider: USAccess
+ ssp: Treasury
+ ca: Treasury OCIO CA
+-
+ branch: Executive
+ agency: Department of Veterans Affairs
+ credentialProvider: Internal and USAccess
+ ssp: Verizon Federal SSP and Treasury
+ ca: Veterans Affairs User CA B1 and Department of Veterans Affairs CA
+-
+ branch: Executive
+ agency: Department of Defense
+ credentialProvider: Defense Manpower Data Center
+ ssp: Defense Information Systems Agency
+ ca: DoD Issuing CAs
+-
+ branch: Executive
+ agency: Environmental Protection Agency
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Federal Reserve Board
+ credentialProvider: USAccess and Xtec
+ ssp: Entrust Federal SSP and WidePoint ORC NFI 4
+ ca: Entrust Managed Services SSP CA and WidePoint ORC NFI 4
+-
+ branch: Executive
+ agency: General Services Administration
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: National Aeronautics and Space Administration
+ credentialProvider: NASA
+ ssp: Treasury
+ ca: NASA Operational CA
+-
+ branch: Executive
+ agency: Nuclear Regulatory Commission
+ credentialProvider: Internal
+ ssp: DigiCert Federal SSP
+ ca: NRC SSP Agency CA G4
+-
+ branch: Executive
+ agency: National Science Foundation
+ credentialProvider: USAccess and XTec
+ ssp: Entrust Federal SSP and WidePoint ORC NFI
+ ca: Entrust Managed Services SSP CA and WidePoint ORC NFI 4
+-
+ branch: Executive
+ agency: Office of Personnel Management
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Small Business Administration
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Social Security Administration
+ credentialProvider: SSA
+ ssp: Treasury
+ ca: Social Security Administration Certification Authority
+-
+ branch: Executive
+ agency: United States Agency for International Development
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: U.S. Department of State PIV CA2
+-
+ branch: Executive
+ agency: Administrative Conference of the United States
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Advisory Council on Historic Preservation
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: American Battle Monuments Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Armed Forces Retirement Home
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Broadcasting Board of Governors
+ credentialProvider: XTec
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Commission on Civil Rights
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Consumer Financial Protection Bureau
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Commodity Futures Trading Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Consumer Product Safety Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Corporation for National & Community Service
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Council of the Inspectors General on Integrity and Efficiency
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Court Services and Offender Supervision Agency
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Defense Nuclear Facilities Safety Board
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Denali Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Equal Employment Opportunity Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Export-Import Bank of the United States
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Farm Credit Administration
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Farm Credit System Insurance Corporation
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Federal Communications Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Federal Deposit Insurance Corporation
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Federal Election Commission
+ credentialProvider: Internal
+ ssp: WidePoint Federal SSP
+ ca: ORC SSP 4
+-
+ branch: Executive
+ agency: Federal Energy Regulatory Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Federal Financial Institutions Examination Council
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Federal Housing Finance Agency
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Federal Labor Relations Authority
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Federal Maritime Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Federal Mediation and Conciliation Service
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Federal Mine Safety and Health Review Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Federal Retirement Thrift Investment Board
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Federal Trade Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Gulf Coast Ecosystem Restoration Council
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Harry S. Truman Scholarship Fund
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Institute of Museum and Library Services
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Inter-American Foundation
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: International Boundary and Water Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: James Madison Fellowship Foundation
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Marine Mammal Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Merit Systems Protection Board
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Morris K. Udall and Stewart L. Udall Foundation
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: National Archives and Records Administration
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: National Capital Planning Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: National Council on Disability
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: National Credit Union Administration
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: National Endowment for the Arts
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: National Endowment for the Humanities
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: National Gallery of Art
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: National Indian Gaming Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: National Labor Relations Board
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: National Mediation Board
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: National Transportation Safety Board
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Nuclear Waste Technical Review Board
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Occupational Safety and Health Review Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Office of Navajo and Hopi Indian Relocation
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Office of Special Counsel
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Office of Government Ethics
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Overseas Private Investment Corporation
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Peace Corps
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Pension Benefit Guaranty Corporation
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Postal Regulatory Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Privacy and Civil Liberties Oversight Board
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Railroad Retirement Board
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Securities and Exchange Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Selective Service System
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Smithsonian Institution
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Tennessee Valley Authority
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: AbilityOne Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: United States Access Board
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: African Development Foundation
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: United States Arctic Research Program
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Chemical Safety Board
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Election Assistance Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Holocaust Memorial Museum
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Institute of Peace
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: International Trade Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Trade and Development Agency
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Vietnam Education Foundation
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: United States Interagency Council on Homelessness
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Appalachian Regional Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Commission for Preservation of Americas History Abroad
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Dwight D. Eisenhower Memorial Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Japan-US Friendship Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Northern Border Regional Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: Pretrial Services Agency
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: US Commission on International Religious Freedom
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Executive
+ agency: WWI Centennial Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Legislative
+ agency: Senate
+ credentialProvider: Xtec
+ ssp: Symantec Non-Federal and WidePoint ORC NFI
+ ca: Senate PIV-I CA G4 and Senate PIV-I CA G5 PROD and Senate PIV-I CA G6
+-
+ branch: Legislative
+ agency: General Accounting Office
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Legislative
+ agency: Comptroller General
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Legislative
+ agency: GAO
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Legislative
+ agency: US Tax Court
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Legislative
+ agency: Woodrow Wilson International Center for Scholars
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Legislative
+ agency: Medicaid and CHIP Payment and Access Commission
+ credentialProvider: USAccess
+ ssp: Entrust Federal SSP
+ ca: Entrust Managed Services SSP CA
+-
+ branch: Judicial
+ agency: U.S. Courts of Appeals-Judicial Circuits
+ credentialProvider: Xtec
+ ssp: Entrust Non-Federal and WidePoint ORC NFI
+ ca: Entrust NFI Medium Assurance SSP CA and WidePoint ORC NFI 4
+-
+ branch: Judicial
+ agency: U.S. Court of Appeals for the Federal Circuit
+ credentialProvider: Xtec
+ ssp: Entrust Non-Federal and WidePoint ORC NFI
+ ca: Entrust NFI Medium Assurance SSP CA and WidePoint ORC NFI 4
+ branch: Judicial
+ agency: U.S. Court of International Trade
+ credentialProvider: Xtec
+ ssp: Entrust Non-Federal and WidePoint ORC NFI
+ ca: Entrust NFI Medium Assurance SSP CA and WidePoint ORC NFI 4
+-
+ branch: Judicial
+ agency: U.S. Court of Federal Claims
+ credentialProvider: Xtec
+ ssp: Entrust Non-Federal and WidePoint ORC NFI
+ ca: Entrust NFI Medium Assurance SSP CA and WidePoint ORC NFI 4
+-
+ branch: Judicial
+ agency: U.S. District and Territorial Courts
+ credentialProvider: Xtec
+ ssp: Entrust Non-Federal and WidePoint ORC NFI
+ ca: Entrust NFI Medium Assurance SSP CA and WidePoint ORC NFI 4
+-
+ branch: Judicial
+ agency: U.S. Judicial Panel on Multidistrict Litigation
+ credentialProvider: Xtec
+ ssp: Entrust Non-Federal and WidePoint ORC NFI
+ ca: Entrust NFI Medium Assurance SSP CA and WidePoint ORC NFI 4
+-
+ branch: Judicial
+ agency: Administrative Office of the U.S. Courts
+ credentialProvider: Xtec
+ ssp: Entrust Non-Federal and WidePoint ORC NFI
+ ca: Entrust NFI Medium Assurance SSP CA and WidePoint ORC NFI 4
diff --git a/_data/fpkidocs.yml b/_data/fpkidocs.yml
index e443d2cae..6812aeedb 100644
--- a/_data/fpkidocs.yml
+++ b/_data/fpkidocs.yml
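Review bot: The `U.S. Court of Appeals for the Federal Circuit` record is never closed before the `U.S. Court of International Trade` record begins — the `-` list separator is missing between them, so `branch`, `agency`, `credentialProvider`, `ssp` and `ca` each appear twice inside one mapping. Psych does not reject duplicate keys by default and the later value wins, so the Federal Circuit entry would silently vanish from the rendered customer list instead of failing the Jekyll build. Add a line containing only `-` after that record's `ca: Entrust NFI Medium Assurance SSP CA and WidePoint ORC NFI 4`, matching every other entry. Since this is a hand-maintained trust-relationship inventory, a `yamllint` step with `key-duplicates: enable` in CI would catch this class of data loss; normalizing `Xtec`/`XTec` to one spelling would also help if any page groups or filters on `credentialProvider`.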
@@ -5,6 +5,48 @@ # Status Archive - Document is three years old or no longer valid. The document is actually retained in this repository, but not posted to the website. # Remove - Date to change status from post to archive. This could be three years for change proposals or three years from when a document was replaced. +- category: FPKI Trust Infrastructure Certificate Practice Statement + numberProposal: 6.2 + name: X.509 Certificate Practice Statement For the FPKI Trust Infrastructure v6.2 + date: 12/14/2022 + url: /docs/archived/fpki-fpkima-cps-v62.pdf + status: post + remove: 7/31/2026 + +- category: Federal Bridge Certificate Policy + numberProposal: 3.1 + name: X.509 Certificate Policy For The Federal Bridge CA (FBCA) v3.1 + date: 08/01/2023 + url: /docs/archived/fpki-x509-cert-policy-fbca-31.pdf + status: post + remove: 08/01/2026 + +- category: Federal Bridge Change Proposal + numberProposal: 2023-03 + name: Proposal 2023-03 | Appointment of Trusted Roles and updates in Section 6.3.2 + description: Clarify the requirements for the appointment of Trusted Roles, increase Root CA certificate private key and certificate lifetimes, and remove incorrect restriction on private keys associated with cross-certificates. + date: 08/01/2023 + url: /docs/archived/fpki-fbca-cp-2303.pdf + status: post + remove: 08/01/2026 + +- category: Common Certificate Policy + numberProposal: 2.4 + name: X.509 Certificate Policy For The U.S. FPKI Common Policy Framework v2.4 + date: 08/01/2023 + url: /docs/archived/fpki-x509-cert-policy-common-24.pdf + status: post + remove: 08/01/2026 + +- category: Common Change Proposal + numberProposal: 2023-04 + name: Proposal 2023-04 | Appointment of Trusted Roles + description: Clarify the requirements for the appointment of Trusted Roles. 
+ date: 08/01/2023 + url: /docs/archived/fpki-common-cp-2304.pdf + status: post + remove: 08/01/2026 + - category: Federal Bridge Certificate Policy numberProposal: 3.0 name: X.509 Certificate Policy For The Federal Bridge CA (FBCA) v3.0 @@ -73,7 +115,7 @@ - category: Federal Bridge Change Proposal numberProposal: 2022-04 - name: Proposal 2022-04 | Consolidated update to the Federal Bridge Certification Authority Certificate Policy and associated profiles + name: Proposal 2022-04 | Consolidated Update to the Federal Bridge Certification Authority Certificate Policy and Associated Profiles description: Consolidates CPWG policy recommendations dating back to 2018 and aligns to Common Policy where applicable. It also cleans-up outdated references and requirements, clarifies existing requirements, aligns policy with observed agency practices (e.g., certificate naming), and improves readability. date: 05/06/2022 url: /docs/archived/fpki-fbca-cp-2204.pdf @@ -90,12 +132,12 @@ - category: Common Change Proposal numberProposal: 2022-05 - name: Proposal 2022-05 | Consolidated changes to the Common Policy Certificate and CRL Profiles + name: Proposal 2022-05 | Consolidated Changes to the Common Policy Certificate and CRL Profiles description: This proposal incorporates multiple change to the Common Policy Certificate and CRL Profiles for the purpose of alignment to RFC 5280, FIPS 201-3, increased interoperability, and to account for known and acceptable certificate practices. date: 9/13/2022 url: /docs/archived/fpki-common-cp-2205.pdf status: post - remove: 10/17/2025 + remove: "*10/17/2025" - category: FPKIMA Audit Letter numberProposal: 2021 
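Review bot: The five new records mix date formats (`12/14/2022` and `7/31/2026` alongside `08/01/2023` and `08/01/2026`); if any template compares or sorts `remove` against today's date as text, the non-zero-padded month in `7/31/2026` will order incorrectly. Normalize the new entries to the two-digit `MM/DD/YYYY` form the rest of the hunk uses, e.g. `remove: 07/31/2026`. Whether the templates actually parse these values is not visible here — confirm against `_fpki`.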
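Review bot: The value `remove: "*10/17/2025"` introduces a leading `*` marker whose meaning the file header never explains (the header only says `Remove - Date to change status from post to archive`), so a maintainer cannot tell why some remove dates are starred or whether starred entries are exempt from archiving. The quoting itself is correct — an unquoted `*` would start a YAML alias and break the parse — but the same quoted-asterisk form now appears on several entries whose dates have already passed while `status: post` is retained, which presumably is the intent; confirm. Suggest adding to the header a line such as `# A leading "*" on a remove date (quoted so YAML does not read it as an alias) means: <fill in the convention, e.g. kept posted past its remove date>` and, if any template turns `remove` into a date, make sure it strips the `*` first.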
@@ -225,7 +267,7 @@ - category: Common Change Proposal numberProposal: 2020-01 - name: Proposal 2020-01 | PIV-I credentials issued under COMMON requirements + name: Proposal 2020-01 | PIV-I Credentials Issued Under COMMON Requirements description: Support federally issued and managed PIV-I smart cards issued to non-PIV users under COMMON. date: 03/10/2020 url: /docs/archived/fpki-common-cp-2001.pdf @@ -426,7 +468,7 @@ date: 02/28/2019 url: /docs/archived/fpki-fbca-cp-1901.pdf status: post - remove: 02/28/2022 + remove: "*02/28/2022" - category: Federal Bridge Change Proposal numberProposal: 2018-06 @@ -647,7 +689,7 @@ date: 02/08/2019 url: /docs/archived/fpki-x509-cert-policy-common-131.pdf status: post - remove: 04/14/2023 + remove: "*04/14/2023" - category: Common Certificate Policy numberProposal: 1.30 @@ -655,7 +697,7 @@ date: 10/4/2018 url: /docs/archived/fpki-x509-cert-policy-common-130.pdf status: post - remove: 02/08/2022 + remove: "*02/08/2022" - category: Common Certificate Policy numberProposal: 1.29 @@ -706,7 +748,7 @@ date: 10/04/2018 url: /docs/archived/fpki-x509-cert-policy-fbca-234.pdf status: post - remove: 04/15/2023 + remove: "*04/15/2023" - category: Federal Bridge Certificate Policy numberProposal: 2.33 diff --git a/_data/fpkinotifications.yml b/_data/fpkinotifications.yml new file mode 100644 index 000000000..51eb66841 --- /dev/null +++ b/_data/fpkinotifications.yml 
@@ -0,0 +1,5658 @@ +#data file for fpki-guides change notification + +# Instructions to directly add the notifications to the yml file. Please follow the guidelines in this document to insert a system change or planned outage notification into the FPKI system change notifications. _fpki/7_fpki_notifications.md processes the data in the notifications.yml for display. The latest notification entry in notification.yml will be displayed at the top of the notification list. The other notifications are displayed in the descending order of the notification time. The notification data can be provided as a GitHub issue or via email. Once the notification data is received, a member of the FPKI team OR the submitting organization should follow the instructions below to add the notification to the list. + +# Retrieve notification from GitHub Issue: Access the FPKI-Guide issues list at https://github.com/GSA/fpki-guides/issues. Select 'System Notification' tag. Retrieve the latest issues under 'System Notification'. Add an Issue comment to each that you are updating the System Notifications + +# Retrieve notification from an email: Retrieve the notification data from the email. + +# Add the Notification to GitHub: Click on the edit icon. Copy/paste the notification content to the end of _data/notifications.yml file. Add a dash "-" at the beginning of what you added (refer to existing notification entries for position and spacing). 
Submit a Pull Request, OR commit directly to the staging branch if you have permissions In your commit, add the comment "fixes " and the Issue number that you are adding to the notifications page + +# View the new item at https://demo.idmanagement.gov + +#notice_date: notice date in +#change_type: < CA Certificate Issuance, CA Certificate Revocation, New CA, CA Termination, New URI in Certificates, OCSP Outage, CRL Outage > +#system: +#change_description: +#contact: +### The following are all optional fields based on the change type +# ca_certificate_hash: +# ca_certificate_issuer: +# ca_certificate_subject: +# cdp_uri: +# aia_uri: +# sia_uri: +# ocsp_uri: +# ee_cdp_uri: +# ee_ocsp_uri: + +- notice_date: July 21, 2023 + change_type: Intent to Issue a CA Certificate + system: CertiPath Bridge CA + change_description: The CertiPath Bridge CA-G3 plans to issue a renewed cross certificate to the Raytheon Technologies Medium Assurance CA. + contact: support at certipath dot com +### The following are all optional fields based on the change type + ca_certificate_hash: TBD + ca_certificate_issuer: OCN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Raytheon Technologies Medium Assurance CA, OU=Class3-G3, O=cas, DC=rtx, DC=com + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: http://pki.treasury.gov/vaca_sia.p7c + ocsp_uri: N/A + ee_cdp_uri: http://pki.rtx.com/G3/CRLs/Class3-G3_Full.crl + ee_ocsp_uri: N/A + +- notice_date: June 28, 2023 + change_type: CA Certificate Issuance + system: US Treasury Root CA + change_description: The Veterans Affairs CA underwent a key update and a new CA certificate was issued from the US Treasury Root CA on 05/20/2023. Valid until 5/20/2033. 
+ contact: pki underscore ops at fiscal dot treasury dot gov +### The following are all optional fields based on the change type + ca_certificate_hash: d81577f94652b7a9eb9d0d4602060f7d16492413 + ca_certificate_issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US + ca_certificate_subject: OU = Department of Veterans Affairs CA, OU = Certification Authorities, OU = Department of Veterans Affairs, O = U.S. Government, C = US + cdp_uri: http://pki.treasury.gov/US_Treasury_Root_CA1.crl + aia_uri: http://pki.treasury.gov/vaca_aia.p7c + sia_uri: http://pki.treasury.gov/vaca_sia.p7c + ocsp_uri: N/A + ee_cdp_uri: http://pki.treasury.gov/VA_CA3.crl + ee_ocsp_uri: N/A + +- notice_date: June 28, 2023 + change_type: CA Certificate Issuance + system: US Treasury Root CA + change_description: The Treasury OCIO CA underwent a key update and a new CA certificate was issued from the US Treasury Root CA on 05/20/2023. Valid until 5/20/2033. + contact: pki underscore ops at fiscal dot treasury dot gov + ca_certificate_hash: 3f3a62c0d4b5a2d70054ea7de33c9a691937ec02 + ca_certificate_issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US + ca_certificate_subject: OU = OCIO CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US + cdp_uri: http://pki.treasury.gov/US_Treasury_Root_CA1.crl + aia_uri: http://pki.treasury.gov/toca_aia.p7c + sia_uri: http://pki.treasury.gov/toca_sia.p7c + ocsp_uri: N/A + ee_cdp_uri: http://pki.treasury.gov/OCIO_CA6.crl + ee_ocsp_uri: N/A + +- notice_date: June 28, 2023 + change_type: CA Certificate Issuance + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal Bridge CA G4 issued a new cross certificate to the DoD Interoperability Root CA2 on 6/8/2023. Valid until 2/7/2026. 
+ contact: fpki dash help at gsa.gov + ca_certificate_hash: eacd48fc71861e25223deea1815f49483fc1b07d + ca_certificate_issuer: CN = Federal Bridge CA G4, OU = FPKI, O = U.S. Government, C = US + ca_certificate_subject: CN = DoD Interoperability Root CA 2, , OU = PKI, OU = DoD, O = U.S. Government, C = US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://crl.disa.mil/issuedby/DODINTEROPERABILITYROOTCA2_IB.p7c + ocsp_uri: N/A + ee_cdp_uri: N/A + ee_ocsp_uri: N/A + +- notice_date: June 13, 2023 + change_type: Intent to Issue CA Certificate + system: Entrust Managed Services Root CA + change_description: Entrust intends to issue a new Production Entrust Managed Services Root CA certificate on June 28, 2023. + contact: support at entrust dot com +### The following are all optional fields based on the change type + ca_certificate_hash: N/A + ca_certificate_issuer: OU = Entrust Managed Services Root CA, OU = Certification Authorities, O = Entrust, C = US + ca_certificate_subject: OU = Entrust Managed Services Root CA, OU = Certification Authorities, O = Entrust, C = US + cdp_uri: http://rootweb.managed.entrust.com/CRLs/EMSRootCA3.crl + aia_uri: http://rootweb.managed.entrust.com/AIA/CertsIssuedToEMSRootCA.p7c + sia_uri: http://rootweb.managed.entrust.com/SIA/CAcertsIssuedByEMSRootCA.p7c + ocsp_uri: N/A + ee_cdp_uri: N/A + ee_ocsp_uri: N/A + +- notice_date: June 13, 2023 + change_type: Intent to Issue CA Certificate + system: Entrust Managed Services Root CA + change_description: Entrust intends to issue a new Production Entrust Managed Services SSP CA certificate on June 28, 2023. 
+ contact: support at entrust dot com +### The following are all optional fields based on the change type + ca_certificate_hash: N/A + ca_certificate_issuer: OU = Entrust Managed Services Root CA, OU = Certification Authorities, O = Entrust, C = US + ca_certificate_subject: OU = Entrust Managed Services SSP CA, OU = Certification Authorities, O = Entrust, C = US + cdp_uri: http://rootweb.managed.entrust.com/CRLs/EMSRootCA3.crl + aia_uri: http://rootweb.managed.entrust.com/AIA/CertsIssuedToEMSRootCA.p7c + sia_uri: N/A + ocsp_uri: N/A + ee_cdp_uri: N/A + ee_ocsp_uri: N/A + +- notice_date: May 30, 2023 + change_type: Intent to issue CA Certificate + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal Bridge CA G4 intends to issue a new cross certificate to the DoD Interoperability Root CA2 between 6/8/2023 and 6/14/2023. + contact: fpki dash help at gsa.gov + ca_certificate_hash: N/A + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=DoD Interoperability Root CA 2, OU = PKI, OU=DoD, O=U.S. Government, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: N/A + ocsp_uri: N/A + ee_cdp_uri: N/A + ee_ocsp_uri: N/A + +- notice_date: May 26, 2023 + change_type: CA Certificate Issuance + system: US Treasury Root CA + change_description: A new DHS CA4 certificate has been issued from US Treasury Root CA, valid from 4/29/2023 to 4/29/2033. + contact: pki underscore ops at fiscal dot treasury dot gov + ca_certificate_hash: d8624442ccc91753aca89698f2cbcdf59f32d3f1 + ca_certificate_issuer: ou=US Treasury Root CA, ou=Certification Authorities, ou=Department of the Treasury, o=U.S. Government, c=US + ca_certificate_subject: OU = DHS CA4, OU = Certification Authorities, OU = Department of Homeland Security, O = U.S. 
Government, C = US + cdp_uri: http://pki.treasury.gov/US_Treasury_Root_CA1.crl + aia_uri: http://pki.treasury.gov/dhsca_aia.p7c + sia_uri: http://pki.treasury.gov/dhsca_sia.p7c + ocsp_uri: N/A + ee_cdp_uri: http://pki.treasury.gov/DHS_CA4.crl + ee_ocsp_uri: N/A + +- notice_date: May 10, 2023 + change_type: CA Certificate Issuance + system: WidePoint SSP + change_description: WidePoint has created a new CA under the WidePoint SSP Intermediate CA, the U.S. Department of Transportation Agency CA G6 valid from 5/4/2023 to 3/7/2033. + contact: WCSC-PKIPolicy at widepoint dot com + ca_certificate_hash: 7b6dcb34ab284ec897f0ffe1a2f8f95082f09c74 + ca_certificate_issuer: CN = WidePoint SSP Intermediate CA, O = ORC PKI, C = US + ca_certificate_subject: CN=U.S. Department of Transportation Agency CA G6, OU=U.S. Department of Transportation, O=U.S. Government, C=US + cdp_uri: http://crl-server.orc.com/CRLs/WPSSPIntCA.crl + aia_uri: http://crl-server.orc.com/caCerts/caCertsIssuedToWPSSPIntCA.p7c + sia_uri: N/A + ocsp_uri: N/A + ee_cdp_uri: http://crl-server.orc.com/CRLs/DoTAgencyCAG6.crl + ee_ocsp_uri: http://dotagencyg6.eva.orc.com/ + +- notice_date: May 10, 2023 + change_type: CA Certificate Issuance + system: WidePoint SSP + change_description: WidePoint has created a new CA under the WidePoint SSP Intermediate CA, the U.S. Department of Transportation Device CA G6 valid from 5/4/2023 to 3/7/2033. + contact: WCSC-PKIPolicy at widepoint dot com + ca_certificate_hash: e0f1bd791fe607a6a3b1f5528eab4687dbbb9dce + ca_certificate_issuer: CN = WidePoint SSP Intermediate CA, O = ORC PKI, C = US + ca_certificate_subject: CN=U.S. Department of Transportation Device CA G6, OU=U.S. Department of Transportation, O=U.S. 
Government, C=US + cdp_uri: http://crl-server.orc.com/CRLs/WPSSPIntCA.crl + aia_uri: http://crl-server.orc.com/caCerts/caCertsIssuedToWPSSPIntCA.p7c + sia_uri: N/A + ocsp_uri: N/A + ee_cdp_uri: http://crl-server.orc.com/CRLs/DoTDeviceCAG6.crl + ee_ocsp_uri: http://dotdeviceg6.eva.orc.com/ + +- notice_date: May 10, 2023 + change_type: CA Certificate Issuance + system: WidePoint NFI Root 2 + change_description: WidePoint has created a new CA under the WidePoint NFI Root 2, the Senate PIV-I CA G6 valid from 5/5/2023 to 12/31/2030 + contact: WCSC-PKIPolicy at widepoint dot com + ca_certificate_hash: 1d946c2a1724ed576e436604f02dbfc3f2dccff0 + ca_certificate_issuer: CN = WidePoint NFI Root 2, OU = Certification Authorities, O = WidePoint, C = US + ca_certificate_subject: CN = Senate PIV-I CA G6, OU = Office of the Sergeant at Arms, OU = U.S. Senate, O = U.S. Government, C=US + cdp_uri: http://crl-server.orc.com/CRLs/WIDEPOINTNFIROOT2.crl + aia_uri: http://crl-server.orc.com/caCerts/WIDEPOINTNFIROOT2.p7c + sia_uri: N/A + ocsp_uri: N/A + ee_cdp_uri: http://crl-server.orc.com/CRLs/SenatePIVICAG6.crl + ee_ocsp_uri: http://senatepivig6.eva.orc.com/ + +- notice_date: May 8, 2023 + change_type: CA Certificate Issuance + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal Bridge CA G4 issued a new cross certificate to the DigiCert Class 3 SSP Intermediate CA – G4, valid from 5/2/2023 to 5/2/2026. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 527bc6165aa93e38853714675e2a452e1437a522 + ca_certificate_issuer: CN = Federal Bridge CA G4, OU = FPKI, O = U.S. 
Government, C = US + ca_certificate_subject: CN = DigiCert Class 3 SSP Intermediate CA - G4, O = DigiCert, Inc., C = US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://sspsia.digicert.com/STNSSP/Certs_Issued_by_Class3SSPCA-G4.p7c + ocsp_uri: N/A + ee_cdp_uri: http://ssp-crl.digicert.com/NFSSP/Class3SSPCAG4.crl + ee_ocsp_uri: http://ssp-ocsp.digicert.com + +- notice_date: April 18, 2023 + change_type: CA Certificate Issuance + system: CertiPath Bridge CA - G3 + change_description: ertiPath issued a new CertiPath Bridge CA - G3 to Lockheed Martin Root CA 2 certificate + contact: support at certipath dot com +### The following are all optional fields based on the change type + ca_certificate_hash: a9c08f9c7e6472d3f5be84271639d4538ba1722b + ca_certificate_issuer: CN = CertiPath Bridge CA - G3, OU = Certification Authorities, O = CertiPath, C = US + ca_certificate_subject: CN = Lockheed Martin Root Certification Authority 2, OU = Certification Authority, O = Lockheed Martin Corporation, L = Denver, S = Colorado, C = US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: http://crl.external.lmco.com/crl/certupd/issuedby-lmrca2.p7c + ocsp_uri: N/A + ee_cdp_uri: N/A + ee_ocsp_uri: N/A + +- notice_date: April 18, 2023 + change_type: CA Certificate Issuance + system: CertiPath Bridge CA - G3 + change_description: CertiPath issued a new CertiPath Bridge CA - G3 to Lockheed Martin Root CA 6 certificate + contact: support at certipath dot com +### The following are all optional fields based on the change type + ca_certificate_hash: 86c79b00a7f54bc5d31931b0c14fdd627a5d9eb1 + ca_certificate_issuer: CN = CertiPath Bridge CA - G3, OU = Certification Authorities, O = CertiPath, C = US + ca_certificate_subject: CN = Lockheed Martin Root Certification Authority 6, OU = Certification Authority, O = Lockheed Martin 
Corporation, L = Denver, S = Colorado, C = US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: http://crl.external.lmco.com/crl/certupd/issuedby-lmrca6.p7c + ocsp_uri: N/A + ee_cdp_uri: N/A + ee_ocsp_uri: N/A + +- notice_date: April 18, 2023 + change_type: CA Certificate Issuance + system: CertiPath Bridge CA - G3 + change_description: CertiPath issued a new CertiPath Bridge CA - G3 to Boeing PCA G3 certificate + contact: support at certipath dot com +### The following are all optional fields based on the change type + ca_certificate_hash: a4ae8e8ba28f56b5aa62e30e13f5c58c3f1c3e03 + ca_certificate_issuer: CN = CertiPath Bridge CA - G3, OU = Certification Authorities, O = CertiPath, C = US + ca_certificate_subject: CN = Boeing PCA G3, OU = certservers, O = Boeing, C = US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: http://crl.boeing.com/crl/IssuedByBoeingPCAG3.p7c + ocsp_uri: N/A + ee_cdp_uri: N/A + ee_ocsp_uri: N/A + +- notice_date: April 17, 2023 + change_type: Intent to Issue CA Certificate + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal Bridge CA G4 intends to issue a new cross certificate to the DigiCert Class 3 SSP Intermediate CA – G4 between 5/2/2023 and 5/4/2023. + contact: fpki dash help at gsa.gov + ca_certificate_hash: N/A + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN = DigiCert Class 3 SSP Intermediate CA – G4 + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: N/A + ocsp_uri: N/A + ee_cdp_uri: N/A + ee_ocsp_uri: N/A + +- notice_date: April 11, 2023 + change_type: Intent to Issue CA Certificate + system: US Treasury Root CA + change_description: The DHS CA4 will undergo a key update and a new CA certificate will be issued from the US Treasury Root CA on 04/29/2023. The new CA key will begin to be used on 05/20/2023 to sign new end-entity certificates. + contact: pki underscore ops at fiscal dot treasury dot gov + ca_certificate_hash: N/A + ca_certificate_issuer: ou=US Treasury Root CA, ou=Certification Authorities, ou=Department of the Treasury, o=U.S. Government, c=US + ca_certificate_subject: OU = DHS CA4, OU = Certification Authorities, OU = Department of Homeland Security, O = U.S. Government, C = US + cdp_uri: http://pki.treasury.gov/US_Treasury_Root_CA1.crl + aia_uri: http://pki.treasury.gov/dhsca_aia.p7c + sia_uri: http://pki.treasury.gov/dhsca_sia.p7c + ocsp_uri: N/A + ee_cdp_uri: http://pki.treasury.gov/DHS_CA4.crl + ee_ocsp_uri: N/A + +- notice_date: April 11, 2023 + change_type: Intent to Issue CA Certificate + system: US Treasury Root CA + change_description: The Treasury OCIO CA will undergo a key update and a new CA certificate will be issued from the US Treasury Root CA on 05/20/2023. The new CA key will begin to be used on 06/24/2023 to sign new end-entity certificates. + contact: pki underscore ops at fiscal dot treasury dot gov + ca_certificate_hash: N/A + ca_certificate_issuer: ou=US Treasury Root CA, ou=Certification Authorities, ou=Department of the Treasury, o=U.S. Government, c=US + ca_certificate_subject: OU = OCIO CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. 
Government, C = US + cdp_uri: http://pki.treasury.gov/US_Treasury_Root_CA1.crl + aia_uri: http://pki.treasury.gov/cacertsissuedtotrca.p7c + sia_uri: http://pki.treasury.gov/root_sia.p7c + ocsp_uri: N/A + ee_cdp_uri: http://pki.treasury.gov/OCIO_CA6.crl + ee_ocsp_uri: N/A + +- notice_date: April 11, 2023 + change_type: Intent to Issue CA Certificate + system: US Treasury Root CA + change_description: The Veterans Affairs CA will undergo a key update and a new CA certificate will be issued from the US Treasury Root CA on 05/20/2023. The new CA key will begin to be used on 06/24/2023 to sign new end-entity certificates. + contact: pki underscore ops at fiscal dot treasury dot gov + ca_certificate_hash: N/A + ca_certificate_issuer: ou=US Treasury Root CA, ou=Certification Authorities, ou=Department of the Treasury, o=U.S. Government, c=US + ca_certificate_subject: OU = Department of Veterans Affairs CA, OU = Certification Authorities, OU = Department of Veterans Affairs, O = U.S. Government, C = US + cdp_uri: http://pki.treasury.gov/US_Treasury_Root_CA1.crl + aia_uri: http://pki.treasury.gov/vaca_aia.p7c + sia_uri: http://pki.treasury.gov/vaca_sia.p7c + ocsp_uri: N/A + ee_cdp_uri: http://pki.treasury.gov/VA_CA3.crl + ee_ocsp_uri: N/A + +- notice_date: April 10, 2023 + change_type: Intent to Issue CA Certificate + system: CertiPath Bridge CA - G3 + change_description: CertiPath intends to issue a new cross certificate to Lockheed Martin Root CA 6 on or about April 19, 2023. 
+ contact: support at certipath dot com + ca_certificate_hash: N/A + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Lockheed Martin Root Certification Authority 6, OU=Certification Authorities , O=Lockheed Martin Corporation, L=Denver, S=Colorado C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: N/A + ocsp_uri: N/A + +- notice_date: April 10, 2023 + change_type: Intent to Issue CA Certificate + system: CertiPath Bridge CA - G3 + change_description: CertiPath intends to issue a new cross certificate to Lockheed Martin Root CA 2 on or about April 19, 2023. + contact: support at certipath dot com + ca_certificate_hash: N/A + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Lockheed Martin Root Certification Authority 2, OU=Certification Authorities , O=Lockheed Martin Corporation, L=Denver, S=Colorado C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: N/A + ocsp_uri: N/A + +- notice_date: April 10, 2023 + change_type: Intent to Issue CA Certificate + system: CertiPath Bridge CA - G3 + change_description: CertiPath intends to issue a new cross certificate to the Boeing Company on or about April 19, 2023. 
+ contact: support at certipath dot com + ca_certificate_hash: N/A + ca_certificate_issuer: CN = CertiPath Bridge CA - G3, OU = Certification Authorities, O = CertiPath, C = US + ca_certificate_subject: CN = Boeing PCA G3, OU = certservers, O = Boeing, C = US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: N/A + ocsp_uri: N/A + +- notice_date: April 6, 2023 + change_type: Intent to Issue CA Certificate + system: WidePoint SSP + change_description: On or after 21 April 2023 WidePoint will create U.S. Department of Transportation Agency CA G6 signed by WidePoint SSP Intermediate CA which was recently issued by Federal Common Policy CA G2. + contact: WCSC-PKIPolicy at widepoint dot com + ca_certificate_hash: N/A + ca_certificate_issuer: CN = WidePoint SSP Intermediate CA, O = ORC PKI, C = US + ca_certificate_subject: CN=U.S. Department of Transportation Agency CA G6, OU=U.S. Department of Transportation, O=U.S. Government, C=US + cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl + aia_uri: N/A + sia_uri: N/A + ocsp_uri: N/A + ee_cdp_uri: N/A + ee_ocsp_uri: N/A + +- notice_date: April 6, 2023 + change_type: Intent to Issue CA Certificate + system: WidePoint SSP + change_description: On or after 21 April 2023 WidePoint will create U.S. Department of Transportation Device CA G6 signed by WidePoint SSP Intermediate CA which was recently issued by Federal Common Policy CA G2. + contact: WCSC-PKIPolicy at widepoint dot com + ca_certificate_hash: N/A + ca_certificate_issuer: CN = WidePoint SSP Intermediate CA, O = ORC PKI, C = US + ca_certificate_subject: CN=U.S. Department of Transportation Device CA G6, OU=U.S. Department of Transportation, O=U.S. 
Government, C=US + cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl + aia_uri: N/A + sia_uri: N/A + ocsp_uri: N/A + ee_cdp_uri: N/A + ee_ocsp_uri: N/A + +- notice_date: April 6, 2023 + change_type: Intent to Issue CA Certificate + system: WidePoint NFI Root 2 + change_description: On or after 21 April 2023 WidePoint will create the Senate PIV-I CA G6 signed by WidePoint NFI Root 2 which is signed by Federal Bridge CA G4. + contact: WCSC-PKIPolicy at widepoint dot com + ca_certificate_hash: N/A + ca_certificate_issuer: CN = WidePoint NFI Root 2, OU = Certification Authorities, O = WidePoint, C = US + ca_certificate_subject: CN = Senate PIV-I CA G6, OU = Office of the Sergeant at Arms, OU = U.S. Senate, O = U.S. Government, C=US + cdp_uri: http://crl-server.orc.com/CRLs/WIDEPOINTNFIROOT2.crl + aia_uri: http://crl-server.orc.com/caCerts/WIDEPOINTNFIROOT2.p7c + sia_uri: N/A + ocsp_uri: N/A + ee_cdp_uri: N/A + ee_ocsp_uri: N/A + +- notice_date: April 3, 2023 + change_type: CA Certificate Issuance + system: FPKI Trust Infrastructure - Federal Common Policy CA G2 + change_description: The FCPCAG2 issued a new cross certificate to the WidePoint SSP Intermediate CA. + contact: fpki dash help at gsa.gov + ca_certificate_hash: eef5180a852b044483a138bcb30ad9548463e09b + ca_certificate_issuer: CN = Federal Common Policy CA G2, OU = FPKI, O = U.S. Government, C = US + ca_certificate_subject: CN = WidePoint SSP Intermediate CA, O = ORC PKI, C = US + cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl + aia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedTofcpcag2.p7c + sia_uri: http://crl-server.orc.com/caCerts/caCertsIssuedByWPSSPIntCA.p7c + ocsp_uri: N/A + ee_cdp_uri: N/A + ee_ocsp_uri: N/A + +- notice_date: March 21, 2023 + change_type: CA Certificate Issuance + system: CertiPath Bridge CA - G3 + change_description: The CertiPath Bridge CA – G3 has published a new cross certificate to Ministerie van Defensie PKIoverheid Organisatie Persoon CA – G3, expiring February 28, 2024. 
+ contact: support at certipath dot com + ca_certificate_hash: f87fe5f500992ece3530423719694b390d116e6e + ca_certificate_issuer: CN = CertiPath Bridge CA - G3, OU = Certification Authorities, O = CertiPath, C = US + ca_certificate_subject: CN = Ministerie van Defensie PKIoverheid Organisatie Persoon CA - G3, 2.5.4.97 = NTRNL-27370985, O = Ministerie van Defensie, C = NL + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: N/A + ocsp_uri: N/A + +- notice_date: March 21, 2023 + change_type: CA Certificate Issuance + system: Certipath Bridge CA - G3 + change_description: The CertiPath Bridge CA – G3 has published a new cross certificate to Northrop Grumman Corporate Root CA-G2, expiring February 28, 2024. + contact: support at certipath dot com + ca_certificate_hash: 3d2c9322e8ed28ae12531b1c526f3e0e164f617c + ca_certificate_issuer: CN = CertiPath Bridge CA - G3, OU = Certification Authorities, O = CertiPath, C = US + ca_certificate_subject: CN = Northrop Grumman Corporate Root CA-G2, OU = Northrop Grumman Information Technology, O = Northrop Grumman Corporation, C = US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: N/A + ocsp_uri: N/A + +- notice_date: March 17, 2023 + change_type: Intent to Issue CA Certificate + system: FPKI Trust Infrastructure - Federal Common Policy CA G2 + change_description: The FCPCAG2 intends to issue a new cross certificate to the WidePoint SSP Intermediate CA between 4/3/2023 and 4/5/2023. 
+ contact: fpki dash help at gsa.gov + ca_certificate_hash: N/A + ca_certificate_issuer: CN = Federal Common Policy CA G2 + ca_certificate_subject: CN = WidePoint SSP Intermediate CA + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: N/A + ocsp_uri: N/A + ee_cdp_uri: N/A + ee_ocsp_uri: N/A + +- notice_date: March 10, 2023 + change_type: CA Certificate Issuance + system: Certipath Bridge CA - G3 + change_description: CertiPath is now requiring SIA in all CA certificates. The CertiPath Bridge CA – G3 has published new cross certificates to Carillon PKI Services G2 Root CA 2. + contact: support at certipath dot com + ca_certificate_hash: c5eb76e58dae6041cafd005b322d69d2a910a3a9 + ca_certificate_issuer: CN = CertiPath Bridge CA - G3, OU = Certification Authorities, O = CertiPath, C = US + ca_certificate_subject: CN = Carillon Federal Services PIV-I CA1, OU = Certification Authorities, O = Carillon Federal Services Inc., C = US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: N/A + ocsp_uri: N/A + ee_cdp_uri: http://pub.carillonfedserv.com/CRL/CFSCA1.crl + ee_ocsp_uri: http://pub.carillonfedserv.com/ocsp + +- notice_date: March 10, 2023 + change_type: CA Certificate Issuance + system: Certipath Bridge CA - G3 + change_description: CertiPath is now requiring SIA in all CA certificates. The CertiPath Bridge CA – G3 has published new cross certificates to Carillon Federal Services PIV-I CA1. 
+ contact: support at certipath dot com + ca_certificate_hash: c5eb76e58dae6041cafd005b322d69d2a910a3a9 + ca_certificate_issuer: CN = CertiPath Bridge CA - G3, OU = Certification Authorities, O = CertiPath, C = US + ca_certificate_subject: CN = Carillon Federal Services PIV-I CA1, OU = Certification Authorities, O = Carillon Federal Services Inc., C = US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: N/A + ocsp_uri: N/A + ee_cdp_uri: http://pub.carillonfedserv.com/CRL/CFSCA1.crl + ee_ocsp_uri: http://pub.carillonfedserv.com/ocsp + +- notice_date: March 7, 2023 + change_type: Intent to Issue CA Certificate + system: US Treasury Root CA + change_description: The NASA Operational CA will undergo a key update and a new CA certificate will be issued from the US Treasury Root CA on 04/08/2023. The new CA key will begin to be used on 04/29/2023 to sign new end-entity certificates. + contact: pki_ops at fiscal dot treasury dot gov + ca_certificate_hash: Certificate will be available on https://pki.treasury.gov following the key update. + ca_certificate_issuer: ou=US Treasury Root CA, ou=Certification Authorities, ou=Department of the Treasury, o=U.S. Government, c=US + ca_certificate_subject: OU = NASA Operational CA, OU = Certification Authorities, OU = NASA, O = U.S. Government, C = US + cdp_uri: N/A + aia_uri: N/A + sia_uri: N/A + ocsp_uri: N/A + ee_cdp_uri: N/A + ee_ocsp_uri: N/A + +- notice_date: February 21, 2023 + change_type: Intent to Issue CA Certificate + system: US Treasury Root CA + change_description: The SSA CA will undergo a key update and a new CA certificate will be issued from the US Treasury Root CA on 03/04/2023. The new CA key will begin to be used on 04/01/2023 to sign new end-entity certificates. 
+ contact: pki_ops at fiscal.treasury dot gov
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: ou=US Treasury Root CA, ou=Certification Authorities, ou=Department of the Treasury, o=U.S. Government, c=US
+ ca_certificate_subject: ou=Social Security Administration Certification Authority, ou=SSA, o=U.S. Government, c=US
+ cdp_uri: http://pki.treasury.gov/US_Treasury_Root_CA1.crl
+ aia_uri: http://pki.treasury.gov/ssaca_aia.p7c
+ sia_uri: http://pki.treasury.gov/ssaca_sia.p7c
+ ocsp_uri: N/A
+ ee_cdp_uri: https://pki.treasury.gov/SSA_CA4.crl
+ ee_ocsp_uri: http://ocsp.treasury.gov
+
+- notice_date: February 21, 2023
+ change_type: CA Certificate Revocation
+ system: Treasury SSP
+ change_description: The Treasury Fiscal Service CA was decommissioned on February 15, 2023.
+ contact: pki_ops at fiscal.treasury dot gov
+ ca_certificate_hash: ed3fb316118257a44ea11a493da1415beb3012d7
+ ca_certificate_issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+ ca_certificate_subject: OU = Fiscal Service, OU = Department of the Treasury, O = U.S. Government, C = US
+ cdp_uri: N/A
+ aia_uri: N/A
+ sia_uri: N/A
+ ocsp_uri: N/A
+ ee_cdp_uri: N/A
+ ee_ocsp_uri: N/A
+
+- notice_date: February 10, 2023
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a new cross certificate to the Exostar Federated Identity Service Root CA 2
+ contact: fpki dash help at gsa.gov
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN = Exostar Federated Identity Service Root CA 2, OU = Certification Authorities, O = Exostar LLC, C = US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://www.fis.evincible.com/fis/public/ExostarFederatedIdentityServiceRootCA2.p7c
+ ocsp_uri: N/A
+ ee_cdp_uri: Multiple
+ ee_ocsp_uri: N/A
+
+- notice_date: January 23, 2023
+ change_type: CA Certificate Revocation intent
+ start_datetime: February 7, 2023
+ system: Treasury SSP
+ change_description: The Treasury Fiscal Service CA will be decommissioned. The revocation is planned for completion by April 4, 2023.
+ contact: pki_ops at fiscal dot treasury dot gov
+ ca_certificate_hash: ed3fb316118257a44ea11a493da1415beb3012d7
+ ca_certificate_issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+ ca_certificate_subject: OU = Fiscal Service, OU = Department of the Treasury, O = U.S. Government, C = US
+ cdp_uri: N/A
+ aia_uri: N/A
+ sia_uri: N/A
+ ocsp_uri: N/A
+ ee_cdp_uri: N/A
+ ee_ocsp_uri: N/A
+
+- notice_date: January 23, 2023
+ change_type: Intent to Perform CA Certificate Renewal Issuance
+ start_datetime: Between February 7, 2023 and February 9, 2023
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 intends to issue a new cross certificate to the Exostar Federated Identity Service Root CA 2
+ contact: fpki dash help at gsa.gov
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN = Exostar Federated Identity Service Root CA 2, OU = Certification Authorities, O = Exostar LLC, C = US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+ ee_cdp_uri: N/A
+ ee_ocsp_uri: N/A
+
+- notice_date: January 13, 2023
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a new cross certificate to the CertiPath Bridge CA - G3.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 6f9f85401ac97654fa815206ebdbc0656c7903bc
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c
+ ocsp_uri: N/A
+ ee_cdp_uri: N/A
+ ee_ocsp_uri: N/A
+
+- notice_date: January 13, 2023
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a new cross certificate to the WidePoint NFI Root 2.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: fadaf283e8839c5f296b9eebb00bc6cf848646f2
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=WidePoint NFI Root 2, OU=Certification Authorities, O=WidePoint, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c
+ ocsp_uri: N/A
+ ee_cdp_uri: http://crl-server.orc.com/CRLs/WIDEPOINTNFIROOT2.crl
+ ee_ocsp_uri: N/A
+
+- notice_date: January 12, 2023
+ change_type: CA Certificate Issuance
+ system: STRAC Bridge Root Certification Authority
+ change_description: The STRAC Bridge Root Certification Authority issued a renewed cross certificate to the FTI Certification Authority.
+ contact: pki at strac dot org
+ ca_certificate_hash: cbbc028fae9da429e1b34a4ccadd9cd815b40d9c
+ ca_certificate_issuer: CN=STRAC Bridge Root Certification Authority, OU=STRAC PKI Trust Infrastructure, O=STRAC, C=US
+ ca_certificate_subject: CN=FTI Certification Authority, OU=FTI PKI Trust Infrastructure, O=Foundation for Trusted Identity, C=US
+ cdp_uri: http://pki.strac.org/bridge/crl/STRACBridgeRootCA.crl
+ aia_uri: http://pki.strac.org/bridge/certificates/STRACBridgeRootCA.p7c
+ sia_uri: http://pki.fti.org/fti_ca/certificates/FTICA.p7c
+ ocsp_uri: http://certstatus.strac.org
+ ee_cdp_uri: http://pki.fti.org/fti_ca/crl/FTICA.crl
+ ee_ocsp_uri: http://certstatus.fti.org/
+
+- notice_date: January 2, 2023
+ change_type: CA Certificate Issuance
+ start_datetime: December 6. 2022
+ system: DoD Root CA 3
+ change_description: DoD Root CA 3 issued a certificate to DOD SW CA-75.
+ contact: dodpke at mail dot mil
+ ca_certificate_hash: a3ab50e1786d4f58746d235bb6849943a82623f1
+ ca_certificate_issuer: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
+ ca_certificate_subject: CN=DOD SW CA-75, OU=PKI, OU=DoD, O=U.S. Government, C=US
+ cdp_uri: http://crl.disa.mil/crl/DODROOTCA3.crl
+ aia_uri: http://crl.disa.mil/issuedto/DODROOTCA3_IT.p7c
+ sia_uri: N/A
+ ocsp_uri: http://ocsp.disa.mil
+ ee_cdp_uri: http://crl.disa.mil/crl/DODIDSWCA_75.crl
+
+- notice_date: January 2, 2023
+ change_type: CA Certificate Issuance
+ start_datetime: December 6. 2022
+ system: DoD Root CA 3
+ change_description: DoD Root CA 3 issued a certificate to DOD ID CA-71.
+ contact: dodpke at mail dot mil
+ ca_certificate_hash: 1cc9a190866963444e1aed4547f26a61f288f13b
+ ca_certificate_issuer: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
+ ca_certificate_subject: CN=DOD ID CA-71, OU=PKI, OU=DoD, O=U.S. Government, C=US
+ cdp_uri: http://crl.disa.mil/crl/DODROOTCA3.crl
+ aia_uri: http://crl.disa.mil/issuedto/DODROOTCA3_IT.p7c
+ sia_uri: N/A
+ ocsp_uri: http://ocsp.disa.mil
+ ee_cdp_uri: http://crl.disa.mil/crl/DODIDCA_71.crl
+
+- notice_date: January 2, 2023
+ change_type: CA Certificate Issuance
+ start_datetime: December 6. 2022
+ system: DoD Root CA 3
+ change_description: DoD Root CA 3 issued a certificate to DOD EMAIL CA-71.
+ contact: dodpke at mail dot mil
+ ca_certificate_hash: 02ed392be1eb3efb03a138f5ca827108994501d0
+ ca_certificate_issuer: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US
+ ca_certificate_subject: CN=DOD EMAIL CA-71, OU=PKI, OU=DoD, O=U.S. Government, C=US
+ cdp_uri: http://crl.disa.mil/crl/DODROOTCA3.crl
+ aia_uri: http://crl.disa.mil/issuedto/DODROOTCA3_IT.p7c
+ sia_uri: N/A
+ ocsp_uri: http://ocsp.disa.mil
+ ee_cdp_uri: http://crl.disa.mil/crl/DODEMAILCA_71.crl
+
+- notice_date: December 14, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 intends to issue a new cross certificate to the CertiPath Bridge CA - G3 between 01/09/2022 and 01/13/2022.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN= CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c
+ ocsp_uri: N/A
+
+- notice_date: December 14, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 intends to issue a new cross certificate to the WidePoint NFI Root 2 between 01/09/2022 and 01/13/2022.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=WidePoint NFI Root 2, OU=Certification Authorities, O=WidePoint, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c
+ ocsp_uri: N/A
+
+- notice_date: December 13, 2022
+ change_type: CA Certificate Issuance
+ system: SAFE Identity Bridge
+ change_description: The SAFE Identity Bridge issued a new cross certificate to the Trans Sped Mobile eIDAS QCA G2.
+ contact: Camelia Ivan
+ ca_certificate_hash: 103bb602cd5fa6b13dfd61ec9f15ee6a0b8fc800
+ ca_certificate_issuer: CN = SAFE Identity Bridge CA, OU = Certification Authorities, O = SAFE Identity, C = US
+ ca_certificate_subject: CN = Trans Sped Mobile eIDAS QCA G2, OU = Individual Subscriber CA, O = Trans Sped SRL, C = RO
+ cdp_uri: http://www.transsped.ro/crl/ts_mobile_eidas_qca_g2.crl
+ aia_uri: http://www.transsped.ro/cacerts/ts_mobile_eidas_qca_g2.p7c
+ sia_uri: None
+ ocsp_uri: http://ocsp.transsped.ro/
+
+- notice_date: November 23, 2022
+ change_type: CRL and OCSP Outage
+ system: Entrust Federal CRL and OCSP Service
+ change_description: On Wendnesday, Novebmer 23, 2022, Entrust reported intermittent availabiltiy issues their CRL and Federal OCSP Service between 11 AM ET and 4:45 PM ET.
+ contact: support at entrust dot com
+ cdp_uri: Multiple, http://sspweb.managed.entrust.com/CRLs/EMSSSPCA3.crl, http://feddcsweb.managed.entrust.com/CRLs/FedDCSCA1.crl
+ ocsp_uri: ocsp.managed.entrust.com, ocspproofs.managed.entrust.com, nfiocsp.managed.entrust.com, doesspocsp.managed.entrust.com, hhspkiocsp.managed.entrust.com, feddcsocsp.managed.entrust.com
+
+- notice_date: November 21, 2022
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a new cross certificate to the USPTO_INTR_CA1.
+ contact: fpki dash help at gsa dot gov
+ ca_certificate_hash: e35da05374246a6d0a892f5eec31f74cdbd794b0
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=USPTO_INTR_CA1, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=uspto, DC=gov
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://ipki.uspto.gov/IPKI/Certs/IPKICACerts.p7c
+ ocsp_uri: http://ocsp.uspto.gov
+
+- notice_date: November 14, 2022
+ change_type: CA Certificate Issuance
+ system: IdenTrust Global Common Root CA 1
+ change_description: The IdenTrust Global Common CA has issued a CA certificate to IGC Device CA 2
+ contact: product at IdenTrust dot com
+ ca_certificate_hash: 5d1da5f9ba664efb7ae3a1a157904aae60ad16d8
+ ca_certificate_issuer: CN=IdenTrust Global Common Root CA 1.O = IdenTrust,C = US
+ ca_certificate_subject: CN=DocuSign Root CA, OU=TSCP, O=DocuSign Inc., C=US
+ cdp_uri: http://validation.identrust.com/crl/igcdeviceca2.crl
+ aia_uri: http://validation.identrust.com/certs/igcdeviceca2.p7c
+ sia_uri: N/A
+ ocsp_uri: http://igc.ocsp.identrust.com
+
+- notice_date: November 14, 2022
+ change_type: CA Certificate Issuance
+ system: IdenTrust Global Common Root CA 1
+ change_description: The Identrust Global Common CA has issued a cross-certificate to the SAIC FBCA Cloud PKI CA 1
+ contact: product at IdenTrust dot com
+ ca_certificate_hash: 4e3d57c0aab1be949569c3ffc7439b035acd3cff
+ ca_certificate_issuer: CN=IdenTrust Global Common Root CA 1.O = IdenTrust,C = US
+ ca_certificate_subject: CN=SAIC FBCA Cloud PKI CA 1,OU=IdenTrust Global Common,O=SAIC LLC,C=US
+ cdp_uri: http://validation.identrust.com/crl/igcsaicCA1.crl
+ aia_uri: http://validation.identrust.com/roots/igcsaicCA1.p7c
+ sia_uri: N/A
+ ocsp_uri: http://igc.ocsp.identrust.com
+
+- notice_date: October 24, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 intends to issue a new cross certificate to the USPTO_INTR_CA1 between 11/07/2022 and 11/11/2022.
+ contact: fpki dash help at gsa dot gov
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=USPTO_INTR_CA1, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=uspto, DC=gov
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://ipki.uspto.gov/IPKI/Certs/IPKICACerts.p7c
+ ocsp_uri: N/A
+
+- notice_date: October 18, 2022
+ change_type: OCSP Outage
+ system: Entrust Managed Services SSP OCSP Service
+ change_description: Between approximately 10 P.M ET on October 17, 2022 and 10:00 A.M on October 18, 2022, the Entrust Managed Services SSP OCSP Service was presenting "unknown,' responses; however, the OCSP proofs were regenerated and are now functioning as expected.
+ contact: support at entrust dot com
+ ocsp_uri: ocsp.managed.entrust.com, ocspproofs.managed.entrust.com
+
+- notice_date: October 11, 2022
+ change_type: URI Decommission
+ system: FPKI Trust Infrastructure - Federal Common Policy CA
+ change_description: The FPKIMA will be decommissioning the LDAP service associated with the old root's SIA repository; there should be no impacts to relying parties since the migration from the FCPCA to the FCPCA2 (impacted URI - ldap://ldap.fpki.gov/cn=Federal Common Policy CA,ou=FPKI,o=U.S. Government,c=US?cACertificate;binary,crossCertificatePair;binary).
+ contact: fpki dash help at gsa dot gov
+ ca_certificate_hash: 905f942fd9f28f679b378180fd4f846347f645c1
+ ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ cdp_uri: N/A
+ aia_uri: N/A
+ sia_uri: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c (still available)
+ ocsp_uri: N/A
+
+- notice_date: September 6, 2022
+ change_type: CA Certificate Issuance
+ system: TSCP SHA256 Bridge CA
+ change_description: The TSCP Bridge CA issued a cross-certificate to the DocuSign Root CA.
+ contact: info at tscp dot org
+ ca_certificate_hash: 7b729847af9734b8a1781db400337a09d5ff3163a79a4f80adb6c4df506d90f0
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject: CN=DocuSign Root CA, OU=TSCP, O=DocuSign Inc., C=US
+ cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
+ aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
+ sia_uri: http://tscp-sia.symauth.com/IssuedBy-tscpbcasha256.p7c
+ ocsp_uri: N/A
+
+- notice_date: July 27, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: TSCP SHA256 Bridge CA
+ change_description: The TSCP Bridge CA plans to reissued a certificate to DocuSign Root CA.
+ contact: info at tscp dot org
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject: CN=DocuSign Root CA, OU=TSCP, O=DocuSign Inc., C=US
+ cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
+ aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
+ sia_uri: http://tscp-sia.symauth.com/IssuedBy-tscpbcasha256.p7c
+ ocsp_uri: N/A
+
+- notice_date: July 27, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: TSCP SHA256 Bridge CA
+ change_description: The TSCP Bridge CA plans to reissued a certificate to Carillon Federal Services PIV-I CA2.
+ contact: info at tscp dot org
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject: CN=Carillon Federal Services PIV-I CA2, OU=Certification Authorities, O=Carillon Federal Services Inc., C=US
+ cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
+ aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
+ sia_uri: http://tscp-sia.symauth.com/IssuedBy-tscpbcasha256.p7c
+ ocsp_uri: N/A
+
+- notice_date: July 27, 2022
+ change_type: CA Certificate Issuance
+ system: CertiPath Bridge CA
+ change_description: The CertiPath Bridge CA-G3 issued a renewed cross certificate to the Raytheon Technologies Medium Assurance CA.
+ contact: support at certipath dot com
+ ca_certificate_hash: 776dc2662d503198e00c63bc25c7d57d06499273
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ ca_certificate_subject: CN=Raytheon Technologies Medium Assurance CA, OU=Class3-G3, O=cas, DC=rtx, DC=com
+ cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl
+ aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: July 27, 2022
+ change_type: CA Certificate Issuance
+ system: CertiPath Bridge CA
+ change_description: The CertiPath Bridge CA-G3 issued a renewed cross certificate to the Raytheon Class 3 MASCA.
+ contact: support at certipath dot com
+ ca_certificate_hash: 55f3ac9fc4834cac88e5da4f53954ced9fec1892
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ ca_certificate_subject: CN=Raytheon Class 3 MASCA, OU=Class3-g2, O=cas, DC=raytheon, DC=com
+ cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl
+ aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: July 13, 2022
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a new cross certificate to the DoD Interoperability Root CA.
+ contact: fpki dash help at gsa dot gov
+ ca_certificate_hash: 0136b2be0a25e807fdd90300c695ab58de214dfb
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: July 8, 2022
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a new cross certificate to the TSCP SHA256 Bridge CA.
+ contact: fpki dash help at gsa dot gov
+ ca_certificate_hash: dd68894ac1ae380449190487a5ff24f9fdbcd82f
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: June 24, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 intends to issue a new cross certificate to the DoD Interoperability Root CA between 7/11/2022 and 7/15/2022.
+ contact: fpki dash help at gsa dot gov
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: June 13, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 intends to issue a new cross certificate to the TSCP SHA256 Bridge CA between 6/20/2022 and 6/24/2022.
+ contact: fpki dash help at gsa dot gov
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: May 30, 2022
+ change_type: CA Certificate Issuance
+ system: Entrust PKI Shared Service Provider
+ change_description: The Entrust SSP rekeyed the HHS FPKI Intermediate CA E1 to include Common-PIV-I OIDs.
+ contact: support at entrust dot com
+ ca_certificate_hash: 492a40e6477eed5c39a58c24d6f3d5bffb0e1083
+ ca_certificate_issuer: OU=Entrust Managed Services Root CA, OU=Certification Authorities, O=Entrust, C=US
+ ca_certificate_subject: OU=HHS-FPKI-Intermediate-CA-E1, OU=Certification Authorities, OU=HHS, O=U.S. Government, C=US
+ cdp_uri: http://feddcsweb.managed.entrust.com/CRLs/EMSRootCA2.crl
+ aia_uri: http://rootweb.managed.entrust.com/AIA/CertsIssuedToEMSRootCA.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: May 30, 2022
+ change_type: CA Certificate Issuance
+ system: Entrust PKI Shared Service Provider
+ change_description: The Entrust SSP rekeyed their Entrust Derived Credential SSP CA.
+ contact: support at entrust dot com
+ ca_certificate_hash: b3ddc2d8bc6c88883ef4c292a1175b1a267e7c23
+ ca_certificate_issuer: OU=Entrust Managed Services Root CA, OU=Certification Authorities, O=Entrust, C=US
+ ca_certificate_subject: CN=Entrust Derived Credential SSP CA, OU=Certification Authorities , O=Entrust, C=US
+ cdp_uri: http://feddcsweb.managed.entrust.com/CRLs/EMSRootCA2.crl
+ aia_uri: http://rootweb.managed.entrust.com/AIA/CertsIssuedToEMSRootCA.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: April 29, 2022
+ change_type: CA Certificate Issuance
+ system: CertiPath Bridge CA
+ change_description: The CertiPath Bridge CA-G3 issued a renewed cross certificate to the Lockheed Martin Root Certification Authority 2.
+ contact: support at certipath dot com
+ ca_certificate_hash: a39ee9934283324631efb314f183be743fb2b8a1
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ ca_certificate_subject: CN=Lockheed Martin Root Certification Authority 2, OU=Certification Authorities , O=Lockheed Martin Corporation, L=Denver, S=Colorado C=US
+ cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl
+ aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: April 29, 2022
+ change_type: CA Certificate Issuance
+ system: CertiPath Bridge CA
+ change_description: The CertiPath Bridge CA-G3 issued a renewed cross certificate to the Boeing PCA G3.
+ contact: support at certipath dot com
+ ca_certificate_hash: 3bc0d426d437ff806f094a69210042516f96678b
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ ca_certificate_subject: CN=Boeing PCA G3, OU=certservers, O=Boeing, C=US
+ cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl
+ aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: April 19, 2022
+ change_type: CA Certificate Issuance
+ system: DigiCert Federal Shared Service Provider
+ change_description: DigiCert Federal SSP Intermediate CA - G6 issued a new CA certificate to U.S. Nuclear Regulatory Commission
+ contact: pkiops at digicert dot com
+ ca_certificate_hash: 1F060CE528BDDFB3B429B7C76EEEB0F8B0FBC60A
+ ca_certificate_issuer: CN = DigiCert Federal SSP Intermediate CA - G6, O = DigiCert, Inc., C = US
+ ca_certificate_subject: CN = NRC PROD G6 Fed SSP CA, OU = U.S. Nuclear Regulatory Commission, O = U.S. Government, C = US
+ cdp_uri: http://ssp-crl.digicert.com/SSP/SSPG6.crl
+ aia_uri: http://ssp-aia.digicert.com/SSP/Certs_issued_to_SSPCAG6.p7c
+ sia_uri: http://ssp-sia.digicert.com/SSP/Certs_issued_by_SSPCAG6.p7c
+ ocsp_uri: http://ssp-ocsp.digicert.com/
+
+- notice_date: April 18, 2022
+ change_type: CA Certificate Issuance
+ system: ECA Root CA 4
+ change_description: The ECA Root CA 4 issued a new certificate to the IdenTrust ECA Component S23.
+ contact: dodpke at mail dot mil
+ ca_certificate_hash: 4b074f5286880e7b4026edb7b63f1ac0282ef202
+ ca_certificate_issuer: CN = ECA Root CA 4, OU = ECA, O=U.S. Government, O = U.S. Government, C = US
+ ca_certificate_subject: CN = IdenTrust ECA Component S23, OU = Certification Authorities, OU = ECA, O = U.S. Government, C = US
+ cdp_uri: http://crl.disa.mil/crl/ECAROOTCA4.crl
+ aia_uri: http://crl.disa.mil/issuedto/ECAROOTCA4_IT.p7c
+ sia_uri: N/A
+ ocsp_uri: http://ocsp.disa.mil
+
+- notice_date: April 18, 2022
+ change_type: CA Certificate Issuance
+ system: ECA Root CA 4
+ change_description: The ECA Root CA 4 issued a new certificate to the IdenTrust ECA S23.
+ contact: dodpke at mail dot mil
+ ca_certificate_hash: 89cbc32b7db10e7d0a70069969c3784aba29bfd9
+ ca_certificate_issuer: CN = ECA Root CA 4, OU = ECA, O=U.S. Government, O = U.S. Government, C = US
+ ca_certificate_subject: CN = IdenTrust ECA S23, OU = Certification Authorities, OU = ECA, O = U.S. Government, C = US
+ cdp_uri: http://crl.disa.mil/crl/ECAROOTCA4.crl
+ aia_uri: http://crl.disa.mil/issuedto/ECAROOTCA4_IT.p7c
+ sia_uri: N/A
+ ocsp_uri: http://ocsp.disa.mil
+
+- notice_date: April 8, 2022
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: The Federal Common Policy CA G2 issued a new certificate to the US Treasury Root CA.
+ contact: fpki dash help at gsa dot gov
+ ca_certificate_hash: 52de6628d8c70a9df9e1df94fcd84728b33c05ec
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US
+ cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl
+ aia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedTofcpcag2.p7c
+ sia_uri: http://pki.treasury.gov/root_sia.p7c
+ ocsp_uri: N/A
+
+- notice_date: March 24, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: The Federal Common Policy CA G2 intends to issue a new certificate to the US Treasury Root CA between 4/04/2022 and 4/07/2022.
+ contact: fpki dash help at gsa dot gov
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US
+ cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl
+ aia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedTofcpcag2.p7c
+ sia_uri: http://pki.treasury.gov/root_sia.p7c
+ ocsp_uri: N/A
+
+- notice_date: March 22, 2022
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: The Federal Common Policy CA G2 issued a new certificate to the DigiCert Federal SSP Intermediate CA - G6.
+ contact: fpki dash help at gsa dot gov
+ ca_certificate_hash: 0dd44fd015c1f76327be46661456ce8f6fb346ec
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=DigiCert Federal SSP Intermediate CA - G6, O=DigiCert Inc, C=US
+ cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl
+ aia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedTofcpcag2.p7c
+ sia_uri: http://ssp-sia.digicert.com/SSP/Certs_issued_by_SSPCAG6.p7c
+ ocsp_uri: N/A
+
+- notice_date: March 22, 2022
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a new cross certificate to the DigiCert Federated ID CA - G2.
+ contact: fpki dash help at gsa dot gov
+ ca_certificate_hash: a2cadce934df370609b30c42e31c5d2b682ca7b3
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=DigiCert Federated ID CA - G2, OU=www.digicert.com, O=DigiCert Inc, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: February 28, 2022
+ change_type: CA Certificate Issuance
+ system: CertiPath Bridge CA
+ change_description: The CertiPath Bridge CA-G3 issued a renewed cross certificate to the to the Carillon Federal Services PIV-I CA1.
+ contact: support at certipath dot com
+ ca_certificate_hash: 61663be2cce5eb458d612700e19ddd93f9aec2f1
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ ca_certificate_subject: CN=Carillon Federal Services PIV-I CA1, OU=Certification Authorities, O=Carillon Federal Services Inc., C=US
+ cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl
+ aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: February 28, 2022
+ change_type: CA Certificate Issuance
+ system: CertiPath Bridge CA
+ change_description: The CertiPath Bridge CA-G3 issued a renewed cross certificate to the to the Carillon PKI Services G2 Root CA 2.
+ contact: support at certipath dot com
+ ca_certificate_hash: 8b75c5feb03e6d6d0aeb45693380edb0fdeff283
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ ca_certificate_subject: CN=Carillon PKI Services G2 Root CA 2, OU=Certification Authorities, O=Carillon Federal Services Inc., C=US
+ cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl
+ aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: February 28, 2022
+ change_type: CA Certificate Issuance
+ system: CertiPath Bridge CA
+ change_description: The CertiPath Bridge CA-G3 issued a renewed cross certificate to the Northrop Grumman Corporate Root CA-G2.
+ contact: support at certipath dot com
+ ca_certificate_hash: e4bb5c48aace30ab810fad4fad0bed35041c6ec1
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ ca_certificate_subject: CN=Northrop Grumman Corporate Root CA-G2, OU=Northrop Grumman Information Technology, O=Northrop Grumman Corporation, C=US
+ cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl
+ aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c
+ sia_uri: http://certdata.northropgrumman.com/certdata/p7c/IssuedByNorthropGrummanCorporateRootCA-G2.p7c
+ ocsp_uri: N/A
+
+- notice_date: February 28, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: The Federal Common Policy CA G2 intends to issue a new certificate to the DigiCert Federal SSP Intermediate CA - G6 between 3/14/2022 and 3/21/2022.
+ contact: fpki dash help at gsa dot gov
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=DigiCert Federal SSP Intermediate CA - G6, O=DigiCert Inc, C=US
+ cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl
+ aia_uri: N/A
+ sia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedByfcpcag2.p7c
+ ocsp_uri: N/A
+
+- notice_date: February 28, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 intends to issue a new cross certificate to the DigiCert Federated ID CA - G2 between 3/14/2022 and 3/21/2022.
+ contact: fpki dash help at gsa dot gov
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=DigiCert Federated ID CA - G2, OU=www.digicert.com, O=DigiCert Inc, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c
+ ocsp_uri: N/A
+
+- notice_date: February 21, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: CertiPath Bridge CA
+ change_description: The CertiPath Bridge CA-G3 intends to issue a renewed cross certificate to the to the Carillon PKI Services G2 Root CA 2.
+ contact: support at certipath dot com
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ ca_certificate_subject: CN=Carillon PKI Services G2 Root CA 2, OU=Certification Authorities, O=Carillon Federal Services Inc., C=US
+ cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl
+ aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: February 21, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: CertiPath Bridge CA
+ change_description: The CertiPath Bridge CA-G3 intends to issue a renewed cross certificate to the to the Carillon Federal Services PIV-I CA1.
+ contact: support at certipath dot com
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ ca_certificate_subject: CN=Carillon Federal Services PIV-I CA1, OU=Certification Authorities, O=Carillon Federal Services Inc., C=US
+ cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl
+ aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: February 21, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: CertiPath Bridge CA
+ change_description: The CertiPath Bridge CA-G3 intends to issue a renewed cross certificate to the to the Netherlands Ministry of Defence.
+ contact: support at certipath dot com
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ ca_certificate_subject: CN=Ministerie van Defensie PKIoverheid Organisatie Persoon CA - G3, OU=NTRNL-27370985, O=Ministerie van Defensie, C=NL
+ cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl
+ aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c
+ sia_uri: N/A
+ ocsp_uri: N/A
+
+- notice_date: February 21, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: CertiPath Bridge CA
+ change_description: The CertiPath Bridge CA-G3 intends to issue a renewed cross certificate to the Northrop Grumman Corporate Root CA-G2.
+ contact: support at certipath dot com
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ ca_certificate_subject: CN=Northrop Grumman Corporate Root CA-G2, OU=Northrop Grumman Information Technology, O=Northrop Grumman Corporation, C=US
+ cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl
+ aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c
+ sia_uri: http://certdata.northropgrumman.com/certdata/p7c/IssuedByNorthropGrummanCorporateRootCA-G2.p7c
+ ocsp_uri: N/A
+
+- notice_date: February 11, 2022
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 reissued a cross certificate to the DigiCert Federated ID L3 CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: db41e72d1f5e1bd5349d4c9f45375fe01afbf2b6
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=DigiCert Federated ID L3 CA, OU=www.digicert.com, O=DigiCert Inc, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c
+ ocsp_uri: N/A
+
+- notice_date: February 11, 2022
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the STRAC Bridge Root Certification Authority.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 4a1cfa5661875b476a0c0ed57516181a67a191ca
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN = STRAC Bridge Root Certification Authority, OU = STRAC PKI Trust Infrastructure, O = STRAC, C = US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c
+ ocsp_uri: N/A
+
+- notice_date: January 28, 2022
+ change_type: CA Certificate Issuance
+ system: TSCP SHA256 Bridge CA
+ change_description: The TSCP SHA256 Bridge CA issued a cross certificate to the Alexion Pharmaceuticals Certification Authority.
+ contact: steve.race at tscp dot org
+ ca_certificate_hash: 1dbd511e19f04a58c38d603b7919c2d421f65166
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=U.S. TSCP Inc., C=US
+ ca_certificate_subject: CN=Alexion Pharmaceuticals Issue 2 CA, OU=CAs, O=Alexion Pharmaceuticals, C=US
+ cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
+ aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
+ sia_uri: http://tscp-sia.symauth.com/IssuedBy-tscpbcasha256.p7c
+ ocsp_uri: N/A
+
+- notice_date: January 21, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: TSCP SHA256 Bridge CA
+ change_description: The TSCP SHA256 Bridge CA intends to issue a cross certificate to the Alexion Pharmaceuticals Certification Authority prior to its expiration on 1/27/2022.
+ contact: steve.race at tscp dot org
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=U.S. TSCP Inc., C=US
+ ca_certificate_subject: CN=Alexion Pharmaceuticals Issue 2 CA, OU=CAs, O=Alexion Pharmaceuticals, C=US
+ cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
+ aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
+ sia_uri: http://tscp-sia.symauth.com/IssuedBy-tscpbcasha256.p7c
+ ocsp_uri: N/A
+
+- notice_date: January 21, 2022
+ change_type: Intent to Perform CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: The Federal Common Policy CA G2 intends to issue a new certificate to the DigiCert Federal SSP Intermediate CA - G6.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: N/A
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=DigiCert Federal SSP Intermediate CA - G6, O=DigiCert Inc, C=US + cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl + aia_uri: N/A + sia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedByfcpcag2.p7c + ocsp_uri: N/A + +- notice_date: January 20, 2022 + change_type: Intent to Perform CA Certificate Issuance + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal Bridge CA G4 intends to issue a new cross certificate to the DigiCert Federated ID CA - G2 by 2/28/2022. + contact: fpki dash help at gsa.gov + ca_certificate_hash: N/A + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=DigiCert Federated ID CA - G2, OU=www.digicert.com, O=DigiCert Inc, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c + ocsp_uri: N/A + +- notice_date: January 20, 2022 + change_type: Intent to Perform CA Certificate Issuance + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal Bridge CA G4 intends to reissue a cross certificate to the DigiCert Federated ID L3 CA between 2/07/2022 and 2/14/2022 to replace the one that is expiring on 2/28/2022. + contact: fpki dash help at gsa.gov + ca_certificate_hash: N/A + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=DigiCert Federated ID L3 CA, OU=www.digicert.com, O=DigiCert Inc, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c + ocsp_uri: N/A + +- notice_date: January 18, 2022 + change_type: CRL Outage + start_datetime: + end_datetime: + system: Department of Defense PKI + change_description: Starting Friday, January 15, 2022 and continuing through January 18, 2022, relying parties have reported receiving intermittent 404 errors when attempting to connect to DoD PKI CRL distribution point for DoD Root CA 3 at the URL below. + contact: dodpke at mail dot mil + ca_certificate_hash: N/A + ca_certificate_issuer: N/A + ca_certificate_subject: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US + cdp_uri: http://crl.disa.mil/crl/DODROOTCA3.crl + aia_uri: N/A + sia_uri: N/A + ocsp_uri: http://ocsp.disa.mil/ + +- notice_date: January 18, 2022 + change_type: Intent to Perform CA Certificate Issuance + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal Bridge CA G4 intends to issue a cross certificate to the STRAC Bridge Root Certification Authority between 2/07/2022 and 2/14/2022. + contact: fpki dash help at gsa.gov + ca_certificate_hash: N/A + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN = STRAC Bridge Root Certification Authority, OU = STRAC PKI Trust Infrastructure, O = STRAC, C = US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: N/A + sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c + ocsp_uri: N/A + +- notice_date: December 13, 2021 + change_type: CA Certificate Issuance + start_datetime: + end_datetime: + system: DoD Interoperability Root CA 2 + change_description: The DoD Interoperability Root CA 2 issued a certificate to the DoD Root CA 3; however, it will not be published in public repositories until January 14. + contact: dodpke at mail dot mil + ca_certificate_hash: 49:cb:e9:33:15:18:72:e1:7c:8e:ae:7f:0a:ba:97:fb:61:0f:64:77 + ca_certificate_issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US + ca_certificate_subject: CN = DoD Root CA 3, OU = PKI, OU = DoD, O = U.S. Government, C = US + cdp_uri: http://crl.disa.mil/crl/DODINTEROPERABILITYROOTCA2.crl + aia_uri: http://crl.disa.mil/issuedto/DODINTEROPERABILITYROOTCA2_IT.p7c + sia_uri: http://crl.disa.mil/issuedby/DODINTEROPERABILITYROOTCA2_IB.p7c + ocsp_uri: http://ocsp.disa.mil/ + +- notice_date: November 22, 2021 + change_type: CRL Outage + start_datetime: + end_datetime: + system: Department of State PKI + change_description: The CRL available at the http distribution point listed below and issued by the U.S Department of State AD High Assurance CA became stagnant between 10 AM ET on Sunday, November 21st and 1 PM ET on Monday November 22nd. During this time, the associated OCSP and LDAP CRL were still valid for current revocation information. + contact: fpki at gsa dot gov + ca_certificate_hash: N/A + ca_certificate_issuer: N/A + ca_certificate_subject: CN = U.S. 
Department of State AD High Assurance CA, CN = AIA, CN = Public Key Services, CN = Services, CN = Configuration, DC = state, DC = sbu + cdp_uri: http://crls.pki.state.gov/crls/DoSADPKIHACA-1.crl + aia_uri: N/A + sia_uri: N/A + ocsp_uri: http://ocsp.pki.state.gov/OCSP/DoSOCSPResponder + +- notice_date: November 15, 2021 + change_type: CA Certificate Issuance + start_datetime: + end_datetime: + system: Entrust Managed Services NFI Root CA + change_description: Entrust Managed Services NFI Root CA issued a certificate to the Entrust NFI Medium Assurance SSP CA + contact: support at entrust dot com + ca_certificate_hash: 31ef454001a9162cbc0498866f8d49070b799191 + ca_certificate_issuer: OU = Entrust Managed Services NFI Root CA, OU = Certification Authorities, O = Entrust, C = US + ca_certificate_subject: OU = Entrust NFI Medium Assurance SSP CA, OU = Certification Authorities, O = Entrust, C = US + cdp_uri: http://nfirootweb.managed.entrust.com/CRLs/NFIRootCA3.crl + aia_uri: http://nfirootweb.managed.entrust.com/AIA/CertsIssuedToNFIRootCA.p7c + sia_uri: http://nfirootweb.managed.entrust.com/SIA/CAcertsIssuedByNFIRootCA.p7c + ocsp_uri: http://nfiocsp.managed.entrust.com + +- notice_date: November 15, 2021 + change_type: CA Certificate Issuance + start_datetime: + end_datetime: + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal Bridge CA G4 issued a cross certificate to the Entrust Managed Services NFI Root CA + contact: fpki dash help at gsa.gov + ca_certificate_hash: d128ecd1972497423e1356f5a6a5522caea6458e + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=Entrust Managed Services NFI Root CA, OU=Certification Authorities O=Entrust, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://nfirootweb.managed.entrust.com/SIA/CAcertsIssuedByNFIRootCA.p7c + ocsp_uri: N/A + +- notice_date: November 10, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: TSCP SHA256 Bridge CA + change_description: The TSCP Bridge CA reissued a certificate to Carillon Federal Services PIV-I CA2. + contact: info at tscp dot org + ca_certificate_hash: 323a07c5c7d59bc9c5e24282fc06393456827e3a + ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US + ca_certificate_subject: CN=Carillon Federal Services PIV-I CA2, OU=Certification Authorities, O=Carillon Federal Services Inc., C=US + cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl + aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c + sia_uri: http://tscp-sia.symauth.com/IssuedBy-tscpbcasha256.p7c + ocsp_uri: N/A + +- notice_date: October 25, 2021 + change_type: OCSP Outage + system: Entrust Managed Services SSP OCSP Service + change_description: Between approximately 9 A.M ON October 24, 2021 and 10:00 A.M on October 25, 2021, users reported errors with the Entrust Managed Services SSP OCSP Service (OCSP response Next Update time was in the past.) + contact: support at entrust dot com + ocsp_uri: ocsp.managed.entrust.com, ocspproofs.managed.entrust.com + +- notice_date: October 18, 2021 + change_type: Intent to Perform CA Certificate Issuance + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal Bridge CA G4 intends to issue a cross certificate to the Entrust Managed Services NFI Root CA between 11/1/2021 and 11/11/2021. + contact: fpki dash help at gsa.gov + ca_certificate_hash: N/A + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=Entrust Managed Services NFI Root CA, OU=Certification Authorities O=Entrust, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://nfirootweb.managed.entrust.com/SIA/CAcertsIssuedByNFIRootCA.p7c + ocsp_uri: N/A + +- notice_date: August 17, 2021 + change_type: CRL Outage + system: Department of Defense PKI + change_description: Between Friday, August 13, 2021 and Tuesday, August 17, 2021, external relying parties connecting from devices outside the Non-classified Internet Protocol (IP) Router Network (NIPRNet) received stale CRLs when attempting to connect to DoD PKI CRL distribution point HTTP URIs. + contact: dodpke at mail dot mil + ca_certificate_hash: N/A + ca_certificate_issuer: N/A + ca_certificate_subject: N/A + cdp_uri: Several of DoD's issuing CA CRL URIs. + aia_uri: N/A + sia_uri: N/A + ocsp_uri: N/A + +- notice_date: August 5, 2021 + change_type: CRL Outage + system: DigiCert Federal Shared Service Provider + change_description: Between approximately 4:30 AM (ET) on July 31, 2021 and 11:00 AM (ET) on August 4, 2021, DigiCert PIV users reported issues with authentication to some relying party applications; it was determined that this was the result of an expired CRL being served by the Symantec SSP Intermediate CA G4, DigiCert Federal SSP Intermediate CA - G5, and their issuing CAs. + contact: fpki_support at digicert dot com + ca_certificate_hash: N/A + ca_certificate_issuer: N/A + ca_certificate_subject: N/A + cdp_uri: http://ssp-crl.symauth.com/SSP/SSPG4.crl, http://ssp-crl.digicert.com/SSP/SSPG5.crl, and several of DigiCert's issuing CA CRL URIs + aia_uri: N/A + sia_uri: N/A + ocsp_uri: N/A + +- notice_date: July 30, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: DoD Interoperability Root CA 2 + change_description: The DoD Interoperability Root CA 2 reissued a certificate to ECA Root CA 4. 
+ contact: dodpke at mail dot mil + ca_certificate_hash: 2554e552c7a54664fd0d34b20ff8b6cdcc9c1970 + ca_certificate_issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US + ca_certificate_subject: CN=ECA Root CA 4, OU=ECA, O=U.S. Government, C=US + cdp_uri: http://crl.disa.mil/crl/DODINTEROPERABILITYROOTCA2.crl + aia_uri: http://crl.disa.mil/issuedto/DODINTEROPERABILITYROOTCA2_IT.p7c + sia_uri: http://crl.disa.mil/issuedby/ECAROOTCA4_IB.p7c + ocsp_uri: http://ocsp.disa.mil/ + +- notice_date: July 28, 2021 + change_type: CA Decommissioning + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority decommissioned the Federal Common Policy CA. Valid CA certificates issued by the Federal Common Policy CA were revoked prior to decommissioning. A long-lived CRL is available at http://http.fpki.gov/fcpca/fcpca.crl. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 905f942fd9f28f679b378180fd4f846347f645c1 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + cdp_uri: N/A + aia_uri: N/A + sia_uri: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c + ocsp_uri: N/A + +- notice_date: July 19, 2021 + change_type: CA Certificate Issuance + start_datetime: June 8, 2021 + system: DoD Root CA 3 + change_description: DoD Root CA 3 issued a certificate to DOD EMAIL CA-62. + contact: dodpke at mail dot mil + ca_certificate_hash: cc04a4f733b767761de8935d4c745eb25524b505 + ca_certificate_issuer: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US + ca_certificate_subject: CN=DOD EMAIL CA-62, OU=PKI, OU=DoD, O=U.S. 
Government, C=US + cdp_uri: http://crl.disa.mil/crl/DODROOTCA3.crl + aia_uri: http://crl.disa.mil/issuedto/DODROOTCA3_IT.p7c + sia_uri: N/A + ocsp_uri: http://ocsp.disa.mil + +- notice_date: July 19, 2021 + change_type: CA Certificate Issuance + start_datetime: June 1, 2021 + system: DoD Root CA 3 + change_description: DoD Root CA 3 issued a certificate to DOD EMAIL CA-63. + contact: dodpke at mail dot mil + ca_certificate_hash: 1b977e3104f27cd4afb47d502e09037a956ab126 + ca_certificate_issuer: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US + ca_certificate_subject: CN=DOD EMAIL CA-63, OU=PKI, OU=DoD, O=U.S. Government, C=US + cdp_uri: http://crl.disa.mil/crl/DODROOTCA3.crl + aia_uri: http://crl.disa.mil/issuedto/DODROOTCA3_IT.p7c + sia_uri: N/A + ocsp_uri: http://ocsp.disa.mil + +- notice_date: July 19, 2021 + change_type: CA Certificate Issuance + start_datetime: June 1, 2021 + system: DoD Root CA 3 + change_description: DoD Root CA 3 issued a certificate to DOD EMAIL CA-64. + contact: dodpke at mail dot mil + ca_certificate_hash: 8ca4fcf4d1186f52e243be7b8cccfeb0ec7d4f4e + ca_certificate_issuer: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US + ca_certificate_subject: CN=DOD EMAIL CA-64, OU=PKI, OU=DoD, O=U.S. Government, C=US + cdp_uri: http://crl.disa.mil/crl/DODROOTCA3.crl + aia_uri: http://crl.disa.mil/issuedto/DODROOTCA3_IT.p7c + sia_uri: N/A + ocsp_uri: http://ocsp.disa.mil + +- notice_date: July 19, 2021 + change_type: CA Certificate Issuance + start_datetime: June 8, 2021 + system: DoD Root CA 3 + change_description: DoD Root CA 3 issued a certificate to DOD EMAIL CA-65. + contact: dodpke at mail dot mil + ca_certificate_hash: 671288d3adbb5909aa2858e3f86498ded6fd85a0 + ca_certificate_issuer: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US + ca_certificate_subject: CN=DOD EMAIL CA-65, OU=PKI ,OU=DoD, O=U.S. 
Government, C=US + cdp_uri: http://crl.disa.mil/crl/DODROOTCA3.crl + aia_uri: http://crl.disa.mil/issuedto/DODROOTCA3_IT.p7c + sia_uri: N/A + ocsp_uri: http://ocsp.disa.mil + +- notice_date: July 19, 2021 + change_type: CA Certificate Issuance + start_datetime: June 1, 2021 + system: DoD Root CA 3 + change_description: DoD Root CA 3 issued a certificate to DOD ID CA-62. + contact: dodpke at mail dot mil + ca_certificate_hash: 14f4cfd8364412a6a27e5bba82c5342ff9b337a7 + ca_certificate_issuer: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US + ca_certificate_subject: CN=DOD ID CA-62, OU=PKI, OU=DoD, O=U.S. Government, C=US + cdp_uri: http://crl.disa.mil/crl/DODROOTCA3.crl + aia_uri: http://crl.disa.mil/issuedto/DODROOTCA3_IT.p7c + sia_uri: N/A + ocsp_uri: http://ocsp.disa.mil + +- notice_date: July 19, 2021 + change_type: CA Certificate Issuance + start_datetime: June 1, 2021 + system: DoD Root CA 3 + change_description: DoD Root CA 3 issued a certificate to DOD ID CA-64. + contact: dodpke at mail dot mil + ca_certificate_hash: d9991bd1e89ae5a8b1143c3c37f01103779b8db7 + ca_certificate_issuer: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US + ca_certificate_subject: CN=DOD ID CA-64, OU=PKI, OU=DoD, O=U.S. Government, C=US + cdp_uri: http://crl.disa.mil/crl/DODROOTCA3.crl + aia_uri: http://crl.disa.mil/issuedto/DODROOTCA3_IT.p7c + sia_uri: N/A + ocsp_uri: http://ocsp.disa.mil + +- notice_date: July 19, 2021 + change_type: CA Certificate Issuance + start_datetime: June 1, 2021 + system: DoD Root CA 3 + change_description: DoD Root CA 3 issued a certificate to DOD ID CA-65. + contact: dodpke at mail dot mil + ca_certificate_hash: 2838d25ae351654a094f00348f4bd0ea3178d871 + ca_certificate_issuer: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US + ca_certificate_subject: CN=DOD ID CA-65, OU=PKI, OU=DoD, O=U.S. 
Government, C=US + cdp_uri: http://crl.disa.mil/crl/DODROOTCA3.crl + aia_uri: http://crl.disa.mil/issuedto/DODROOTCA3_IT.p7c + sia_uri: N/A + ocsp_uri: http://ocsp.disa.mil + +- notice_date: July 19, 2021 + change_type: CA Certificate Issuance + start_datetime: June 8, 2021 + system: DoD Root CA 3 + change_description: DoD Root CA 3 issued a certificate to DOD SW CA-66. + contact: dodpke at mail dot mil + ca_certificate_hash: 8f9d91c33d4b4e4e6fd7690c053048a7aabbd3a2 + ca_certificate_issuer: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US + ca_certificate_subject: CN=DOD SW CA-66, OU=PKI, OU=DoD, O=U.S. Government, C=US + cdp_uri: http://crl.disa.mil/crl/DODROOTCA3.crl + aia_uri: http://crl.disa.mil/issuedto/DODROOTCA3_IT.p7c + sia_uri: N/A + ocsp_uri: http://ocsp.disa.mil + +- notice_date: July 19, 2021 + change_type: CA Certificate Issuance + start_datetime: June 8, 2021 + system: DoD Root CA 3 + change_description: DoD Root CA 3 issued a certificate to DOD SW CA-67. + contact: dodpke at mail dot mil + ca_certificate_hash: 7b38aa22d6f76a8ff48b23d2485e7d2520f99cab + ca_certificate_issuer: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US + ca_certificate_subject: CN=DOD SW CA-67, OU=PKI, OU=DoD, O=U.S. Government, C=US + cdp_uri: http://crl.disa.mil/crl/DODROOTCA3.crl + aia_uri: http://crl.disa.mil/issuedto/DODROOTCA3_IT.p7c + sia_uri: N/A + ocsp_uri: http://ocsp.disa.mil + +- notice_date: July 19, 2021 + change_type: CA Certificate Issuance + start_datetime: July 6, 2021 + system: ECA Root CA 4 + change_description: ECA Root CA 4 issued a certificate to WidePoint ECA 8. + contact: dodpke at mail dot mil + ca_certificate_hash: 334707684fe4bccfb4dbf50ed3c463ed9ea77467 + ca_certificate_issuer: CN=ECA Root CA 4, OU=ECA, O=U.S. Government, C=US + ca_certificate_subject: CN=WidePoint ECA 8, OU=Certification Authorities, OU=ECA, O=U.S. 
Government, C=US + cdp_uri: http://crl.disa.mil/crl/ECAROOTCA4.crl + aia_uri: http://crl.disa.mil/issuedto/ECAROOTCA4_IT.p7c + sia_uri: N/A + ocsp_uri: http://ocsp.disa.mil + +- notice_date: July 16, 2021 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: + system: DoD Interoperability Root CA 2 + change_description: The DoD Interoperability Root CA 2 intends to reissue a certificate to ECA Root CA 4. The existing certificate expires on July 31, 2021. + contact: dodpke at mail dot mil + ca_certificate_hash: N/A + ca_certificate_issuer: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US + ca_certificate_subject: CN=ECA Root CA 4, OU=ECA, O=U.S. Government, C=US + cdp_uri: http://crl.disa.mil/crl/DODINTEROPERABILITYROOTCA2.crl + aia_uri: http://crl.disa.mil/issuedto/DODINTEROPERABILITYROOTCA2_IT.p7c + sia_uri: http://crl.disa.mil/issuedby/ECAROOTCA4_IB.p7c + ocsp_uri: http://ocsp.disa.mil/ + +- notice_date: June 17, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority revoked the certificate issued to the Entrust Managed Services Root CA from the Federal Common Policy CA. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: a09655170c87d0fbfe0328b99a7baf4a1cf0b5d9 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: OU=Entrust Managed Services Root CA, OU=Certification Authorities, O=Entrust, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://rootweb.managed.entrust.com/SIA/CertsIssuedByEMSRootCA.p7c + ocsp_uri: N/A + +- notice_date: June 17, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority revoked the certificate issued to the Entrust Managed Services Root CA from the Federal Common Policy CA. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 39c1d3b64e756a3267bfe5fecb103da892ca0611 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: OU=Entrust Managed Services Root CA, OU=Certification Authorities, O=Entrust, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://rootweb.managed.entrust.com/SIA/CertsIssuedByEMSRootCA.p7c + ocsp_uri: N/A + +- notice_date: June 16, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: IdenTrust Global Common Root CA 1 + change_description: IdenTrust issued a CA certificate from IdenTrust Global Common Root CA 1 to the VA Patient Direct CA 2. 
+ contact: support at identrust dot com + ca_certificate_hash: 213f095678a167e1d87d22edcf4df537ba5c6ac9 + ca_certificate_issuer: CN=IdenTrust Global Common Root CA 1, O=IdenTrust, C=US + ca_certificate_subject: CN=VA Patient Direct CA 2, OU=IdenTrust Global Common, O=IdenTrust, C=US + cdp_uri: http://validation.identrust.com/crl/igcrootca1.crl + aia_uri: http://validation.identrust.com/roots/igcrootca1.p7c + sia_uri: N/A + ocsp_uri: http://igc.ocsp.identrust.com + +- notice_date: June 16, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: IdenTrust Global Common Root CA 1 + change_description: IdenTrust issued a CA certificate from IdenTrust Global Common Root CA 1 to the VA Provider Direct CA 2. + contact: support at identrust dot com + ca_certificate_hash: c9a554ab021a099feae39710a41f90c8b3783c37 + ca_certificate_issuer: CN=IdenTrust Global Common Root CA 1, O=IdenTrust, C=US + ca_certificate_subject: CN=VA Provider Direct CA 2, OU=IdenTrust Global Common, O=IdenTrust, C=US + cdp_uri: http://validation.identrust.com/crl/igcrootca1.crl + aia_uri: http://validation.identrust.com/roots/igcrootca1.p7c + sia_uri: N/A + ocsp_uri: http://igc.ocsp.identrust.com + +- notice_date: June 10, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority revoked the certificate issued to the US Treasury Root CA from the Federal Common Policy CA. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 5a87922b5eaf1d63198a951b2ab6f59b2f16c131 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. 
Government, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://pki.treasury.gov/root_sia.p7c + ocsp_uri: N/A + +- notice_date: June 10, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority revoked the certificate issued to the US Treasury Root CA from the Federal Common Policy CA. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 48ce02a99ae2cc4f790f2989aa153ed565b7e4d2 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://pki.treasury.gov/root_sia.p7c + ocsp_uri: N/A + +- notice_date: June 2, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: IdenTrust Global Common Root CA 1 + change_description: IdenTrust issued a new CA certificate from IdenTrust Global Common Root CA 1 to replace the IGC Server CA 1 certificate expiring 4/14/2024. 
+ contact: support at identrust dot com + ca_certificate_hash: d21a5bedf6ab09a419cb8a07bcff2e609765a81f + ca_certificate_issuer: CN=IdenTrust Global Common Root CA 1, O=IdenTrust, C=US + ca_certificate_subject: CN=IGC Device CA 1, OU=IdenTrust Global Common, O=IdenTrust, C=US + cdp_uri: http://validation.identrust.com/crl/igcrootca1.crl + aia_uri: http://validation.identrust.com/roots/igcrootca1.p7c + sia_uri: N/A + ocsp_uri: http://igc.ocsp.identrust.com + +- notice_date: May 28, 2021 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: + system: IdenTrust Global Common Root CA 1 + change_description: IdenTrust intends to issue a new CA certificate from IdenTrust Global Common Root CA 1 to replace the VA Patient Direct CA 1 certificate expiring 6/12/2021. + contact: support at identrust dot com + ca_certificate_hash: N/A + ca_certificate_issuer: CN=IdenTrust Global Common Root CA 1, O=IdenTrust, C=US + ca_certificate_subject: CN=VA Patient Direct CA 1, OU=IdenTrust Global Common, O=IdenTrust, C=US + cdp_uri: http://validation.identrust.com/crl/igcrootca1.crl + aia_uri: http://validation.identrust.com/roots/igcrootca1.p7c + sia_uri: N/A + ocsp_uri: http://igc.ocsp.identrust.com + +- notice_date: May 28, 2021 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: + system: IdenTrust Global Common Root CA 1 + change_description: IdenTrust intends to issue a new CA certificate from IdenTrust Global Common Root CA 1 to replace the VA Provider Direct CA 1 certificate expiring 6/12/2021. 
+ contact: support at identrust dot com + ca_certificate_hash: N/A + ca_certificate_issuer: CN=IdenTrust Global Common Root CA 1, O=IdenTrust, C=US + ca_certificate_subject: CN=VA Provider Direct CA 1, OU=IdenTrust Global Common, O=IdenTrust, C=US + cdp_uri: http://validation.identrust.com/crl/igcrootca1.crl + aia_uri: http://validation.identrust.com/roots/igcrootca1.p7c + sia_uri: N/A + ocsp_uri: http://igc.ocsp.identrust.com + +- notice_date: May 3, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: DoD Root CA 3 + change_description: DoD Root CA 3 issued a certificate to the DoD ID CA-63. + contact: dodpke at mail dot mil + ca_certificate_hash: 67b75160bd8299e2342f46cc8ac634b2afb33768 + ca_certificate_issuer: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US + ca_certificate_subject: CN=DOD ID CA-63, OU=PKI, OU=DoD, O=U.S. Government, C=US + cdp_uri: http://crl.disa.mil/crl/DODROOTCA3.crl + aia_uri: http://crl.disa.mil/issuedto/DODROOTCA3_IT.p7c + sia_uri: N/A + ocsp_uri: http://ocsp.disa.mil + +- notice_date: May 3, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: CertiPath Bridge CA + change_description: CertiPath Bridge CA - G3 issued a renewed cross certificate to the Lockheed Martin Root Certification Authority 2. 
+ contact: support at certipath dot com + ca_certificate_hash: ad7a60e254e6aa4bf187cda40f7af928cf18d82d + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Lockheed Martin Root Certification Authority 2, OU=Certification Authorities, O=Lockheed Martin Corporation, L=Denver, S=Colorado, C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: N/A + ocsp_uri: N/A + +- notice_date: May 3, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: CertiPath Bridge CA + change_description: CertiPath Bridge CA - G3 issued a renewed cross certificate to the Boeing PCA G3. + contact: support at certipath dot com + ca_certificate_hash: b0cb311c63c57c0cba33ca192ebd28cec0325fc4 + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Boeing PCA G3, OU=certservers, O=Boeing, C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: N/A + ocsp_uri: N/A + +- notice_date: April 29, 2021 + change_type: CRL Outage + start_datetime: + system: DigiCert Federal Shared Service Provider + change_description: Between approximately 3:30 P.M (EDT) on April 28 and 6:30 P.M (EDT) on April 29, 2021, users reported the Symantec SSP Intermediate CA G4 was serving an expired CRL. 
+ contact: enterprise dash pkisupport at digicert dotcom + ca_certificate_hash: N/A + ca_certificate_issuer: N/A + ca_certificate_subject: N/A + cdp_uri: http://ssp-crl.symauth.com/SSP/SSPG4.crl + aia_uri: N/A + sia_uri: N/A + ocsp_uri: N/A + +- notice_date: April 28, 2021 + change_type: Repository Outage + start_datetime: + system: WidePoint Non-Federal Issuer + change_description: Between approximately 9:30 P.M (EDT) on April 27 and 7:00 P.M (EDT) on April 28, 2021, users reported errors with the availability of the WidePoint ORC NFI 4 repositories. + contact: PKIPolicy at ORC dot com + ca_certificate_hash: N/A + ca_certificate_issuer: N/A + ca_certificate_subject: N/A + cdp_uri: http://crl.xca.xpki.com/CRLs/XTec_PIVI_CA1.crl + aia_uri: http://aia.xca.xpki.com/AIA/IssuedCertsforXTec_PIVI_CA1.p7c + sia_uri: N/A + ocsp_uri: http://ocsp.xca.xpki.com/ocsp + +- notice_date: April 28, 2021 + change_type: CA Certificate Issuance + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal PKI Management Authority issued a cross certificate to the IdenTrust Global Common Root CA 1 from the Federal Bridge CA G4. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 1657e746682699afe77e4f8d89cea6263ccb1f95 + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=IdenTrust Global Common Root CA 1, O=IdenTrust, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c + ocsp_uri: N/A + +- notice_date: April 26, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority revoked the certificate issued to the Federal Bridge CA G4 from the Federal Common Policy CA. 
An updated certificate was issued by the Federal Common Policy CA G2 on October 15, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: e836f3016bfb6e8df274f27fd8a4a5054517b0f1 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c + ocsp_uri: N/A + +- notice_date: April 26, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority revoked the certificate issued to the U.S. Department of State AD Root CA from the Federal Common Policy CA. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: ce11590010562a39ad8b1455acf76c03737aebf6 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=U.S. Department of State AD Root CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://crls.pki.state.gov/SIA/CertsIssuedByADRootCA.p7c + ocsp_uri: N/A + +- notice_date: April 26, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority revoked the certificate issued to the Verizon SSP CA A2 from the Federal Common Policy CA. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. 
+ contact: fpki dash help at gsa.gov + ca_certificate_hash: 477bf4017d25cde276cdddf756d40ca591d76f6d + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=Verizon SSP CA A2, OU=SSP, O=Verizon, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://sia1.ssp-strong-id.net/CA/VZ-SSP-CA-A2-SIA.p7c + ocsp_uri: N/A + +- notice_date: April 26, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority revoked the certificate issued to the ORC SSP 4 from the Federal Common Policy CA. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 3a70323069a4c41bc95663152e9ccc7111bb0623 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=ORC SSP 4, O=ORC PKI, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://crlserver.orc.com/caCerts/ORCSSP4.p7c + ocsp_uri: N/A + +- notice_date: April 26, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority revoked the certificate issued to the Symantec SSP Intermediate CA - G4 from the Federal Common Policy CA. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 6a382438fd21037018daf3f422a2132bea2be817 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=Symantec SSP Intermediate CA - G4, O=Symantec Corporation, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://ssp-sia.symauth.com/SSP/Certs_issued_by_SYMCSSPCAG4.p7c + ocsp_uri: N/A + +- notice_date: April 26, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority revoked the certificate issued to the DigiCert Federal SSP Intermediate CA - G5 from the Federal Common Policy CA. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 98b58247ac8a2bc6f348f03e8d22884d8345fc0f + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=DigiCert Federal SSP Intermediate CA - G5, O=DigiCert, Inc., C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://ssp-sia.digicert.com/SSP/Certs_issued_by_SSPCAG5.p7c + ocsp_uri: N/A + +- notice_date: April 26, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal PKI Management Authority revoked the certificate issued to the Federal Common Policy CA from the Federal Bridge CA G4. An updated certificate was issued to the Federal Common Policy CA G2 on October 15, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: fb3f5e09cac4fe4066f6c48cce31feca02fea677 + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=Federal Common Policy CA, OU=FPKI, O=U.S. 
Government, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c + ocsp_uri: N/A + +- notice_date: April 26, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: CertiPath Bridge CA + change_description: CertiPath Bridge CA - G3 issued a modified cross certificate to the Federal Bridge CA G4. + contact: support at certipath dot com + ca_certificate_hash: 8c2fc3a433f84cb36fc48317fae89cff38831dee + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c + ocsp_uri: N/A + +- notice_date: April 20, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: DigiCert Non-Federal Shared Service Provider + change_description: DigiCert Class 3 SSP Intermediate CA - G4 issued a CA certificate to Senate PIV-I CA G5 PROD. + contact: tammy dot green at digicert dot com + ca_certificate_hash: 816a2c18db2e5673205d17a98d0fffef8bf4777e + ca_certificate_issuer: CN=DigiCert Class 3 SSP Intermediate CA - G4, O=DigiCert, Inc., C=US + ca_certificate_subject: CN=Senate PIV-I CA G5 PROD, OU=Office of the Sergeant at Arms, OU=U.S. Senate, O=U.S. Government, C=US + cdp_uri: http://ssp-crl.digicert.com/NFSSP/Class3SSPCAG4.crl + aia_uri: http://ssp-aia.digicert.com/NFSSP/Certs_issued_to_Class3SSPCA-G4.p7c + sia_uri: N/A + ocsp_uri: http://ssp-ocsp.digicert.com + +- notice_date: April 20, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: DigiCert Non-Federal Shared Service Provider + change_description: DigiCert Class 3 SSP Intermediate CA - G4 issued a CA certificate to Senate PIV-I Device CA G5 PROD. 
+ contact: tammy dot green at digicert dot com + ca_certificate_hash: f75045d06ebf20aafb81dd08a9061ce7e7cece29 + ca_certificate_issuer: CN=DigiCert Class 3 SSP Intermediate CA - G4, O=DigiCert, Inc., C=US + ca_certificate_subject: CN=Senate PIV-I Device CA G5 PROD, OU=Office of the Sergeant at Arms, OU=U.S. Senate, O=U.S. Government, C=US + cdp_uri: http://ssp-crl.digicert.com/NFSSP/Class3SSPCAG4.crl + aia_uri: http://ssp-aia.digicert.com/NFSSP/Certs_issued_to_Class3SSPCA-G4.p7c + sia_uri: N/A + ocsp_uri: http://ssp-ocsp.digicert.com + +- notice_date: April 12, 2021 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: + system: CertiPath Bridge CA + change_description: CertiPath Bridge CA - G3 intends to issue a modified cross certificate to the Federal Bridge CA G4. + contact: support at certipath dot com + ca_certificate_hash: + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c + ocsp_uri: + +- notice_date: April 2, 2021 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal Bridge CA G4 intends to issue a cross certificate to the IdenTrust Global Common Root CA. + contact: fpki dash help at gsa.gov + ca_certificate_hash: + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=IdenTrust Global Common Root CA 1, O=IdenTrust, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://validation.identrust.com/roots/IssuedbyIGCRootCA1.p7c + ocsp_uri: + +- notice_date: April 2, 2021 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: + system: TSCP SHA256 Bridge CA + change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA intends to issue a cross certificate to Carillon Federal Services. + contact: steve.race at tscp dot org + ca_certificate_hash: + ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US + ca_certificate_subject: CN=Carillon Federal Services PIV-I CA2, OU=Certification Authorities, O=Carillon Federal Services Inc., C= US + cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl + aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c + sia_uri: + ocsp_uri: + +- notice_date: April 2, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal PKI Management Authority revoked the certificate issued to the SAFE Bridge CA 02 from the Federal Bridge CA G4. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 600319e6c322229f88e0f434ba96fb0dfd00252e + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=SAFE Bridge CA 02, OU=Certification Authorities, O=SAFE-Biopharma, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://sbca2.safe-biopharma.org/sbca/issuedbySBCA02.p7c + ocsp_uri: + +- notice_date: March 29, 2021 + change_type: Intent to Perform CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority intends to revoke the certificate issued to the US Treasury Root CA from the Federal Common Policy CA on June 10, 2021. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 5a87922b5eaf1d63198a951b2ab6f59b2f16c131 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://pki.treasury.gov/root_sia.p7c + ocsp_uri: + +- notice_date: March 29, 2021 + change_type: Intent to Perform CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority intends to revoke the certificate issued to the US Treasury Root CA from the Federal Common Policy CA on June 10, 2021. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 48ce02a99ae2cc4f790f2989aa153ed565b7e4d2 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. 
Government, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://pki.treasury.gov/root_sia.p7c + ocsp_uri: + +- notice_date: March 29, 2021 + change_type: Intent to Perform CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority intends to revoke the certificate issued to the Entrust Managed Services Root CA from the Federal Common Policy CA on June 17, 2021. This revocation was originally planned for April 22, 2021. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: a09655170c87d0fbfe0328b99a7baf4a1cf0b5d9 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: OU=Entrust Managed Services Root CA, OU=Certification Authorities, O=Entrust, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://rootweb.managed.entrust.com/SIA/CertsIssuedByEMSRootCA.p7c + ocsp_uri: + +- notice_date: March 29, 2021 + change_type: Intent to Perform CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority intends to revoke the certificate issued to the Entrust Managed Services Root CA from the Federal Common Policy CA on June 17, 2021. This revocation was originally planned for April 22, 2021. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 39c1d3b64e756a3267bfe5fecb103da892ca0611 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: OU=Entrust Managed Services Root CA, OU=Certification Authorities, O=Entrust, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://rootweb.managed.entrust.com/SIA/CertsIssuedByEMSRootCA.p7c + ocsp_uri: + +- notice_date: March 29, 2021 + change_type: OCSP Outage + system: Entrust Federal OCSP Service + change_description: Between approximately 5 A.M and 9:30 A.M on March 29, 2021, users reported errors with the Entrust Federal OCSP Service (OCSP response Next Update time was in the past.) + contact: support at entrustdatacard dot com + ocsp_uri: ocsp.managed.entrust.com, ocspproofs.managed.entrust.com, nfiocsp.managed.entrust.com, doesspocsp.managed.entrust.com, hhspkiocsp.managed.entrust.com, feddcsocsp.managed.entrust.com + +- notice_date: March 26, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: SAFE Bridge CA 02 + change_description: The SAFE Bridge CA 02 revoked the cross certificate issued to IdenTrust SAFE-BioPharma CA 1. + contact: kyle dot neuman at makeidentitysafe dot com + ca_certificate_hash: 245f753f8a315a83bd0be8cf70833503f99fd2d2 + ca_certificate_issuer: CN=SAFE Bridge CA 02, OU=Certification Authorities, O=SAFE-Biopharma, C=US + ca_certificate_subject: CN=IdenTrust SAFE-BioPharma CA 1, OU=IdenTrust Global Common, O=IdenTrust, C=US + cdp_uri: http://sbca2.safe-biopharma.org/sbca/SBCA02.crl + aia_uri: http://sbca2.safe-biopharma.org/sbca/issuedtoSBCA02.p7c + sia_uri: + ocsp_uri: + +- notice_date: March 26, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: SAFE Bridge CA 02 + change_description: The SAFE Bridge CA 02 revoked the cross certificate issued to Trans Sped Mobile eIDAS QCA G2. 
+ contact: kyle dot neuman at makeidentitysafe dot com + ca_certificate_hash: c1a2b6bb919d104065a2c0c550b27dcdfe12ce96 + ca_certificate_issuer: CN=SAFE Bridge CA 02, OU=Certification Authorities, O=SAFE-Biopharma, C=US + ca_certificate_subject: CN=Trans Sped Mobile eIDAS QCA G2, OU=Individual Subscriber CA, O=Trans Sped SRL, C=RO + cdp_uri: http://sbca2.safe-biopharma.org/sbca/SBCA02.crl + aia_uri: http://sbca2.safe-biopharma.org/sbca/issuedtoSBCA02.p7c + sia_uri: + ocsp_uri: + +- notice_date: March 18, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal PKI Management Authority revoked the certificate issued to the CertiPath Bridge CA - G2 from the Federal Bridge CA G4. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 3bfc4df881682f8846bff486d422025aee7494d8 + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://certipath-sia.symauth.com/IssuedBy-CertiPathBridgeCA-G2.p7c + ocsp_uri: + +- notice_date: March 10, 2021 + change_type: Intent to Perform CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority intends to revoke the certificate issued to the U.S. Department of State AD Root CA from the Federal Common Policy CA on April 22, 2021. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: ce11590010562a39ad8b1455acf76c03737aebf6 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=U.S. 
Department of State AD Root CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://crls.pki.state.gov/SIA/CertsIssuedByADRootCA.p7c + ocsp_uri: + +- notice_date: March 9, 2021 + change_type: Intent to Perform CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority intends to revoke the certificate issued to Verizon SSP CA A2 from the Federal Common Policy CA on April 22, 2021. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 477bf4017d25cde276cdddf756d40ca591d76f6d + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=Verizon SSP CA A2, OU=SSP, O=Verizon, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://sia1.ssp-strong-id.net/CA/VZ-SSP-CA-A2-SIA.p7c + ocsp_uri: + +- notice_date: March 9, 2021 + change_type: Intent to Perform CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority intends to revoke the certificate issued to ORC SSP 4 from the Federal Common Policy CA on April 22, 2021. An updated certificate was issued by the Federal Common Policy CA G2 on November 18, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 3a70323069a4c41bc95663152e9ccc7111bb0623 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=ORC SSP 4, O=ORC PKI, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://crlserver.orc.com/caCerts/ORCSSP4.p7c + ocsp_uri: + +- notice_date: March 5, 2021 + change_type: Intent to Decommission CA + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority is preparing to decommission the Federal Common Policy CA (planned for May 2021). Valid CA certificates issued by the Federal Common Policy CA will be revoked prior to decommissioning. This notice was first posted on September 25, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 905f942fd9f28f679b378180fd4f846347f645c1 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + cdp_uri: + aia_uri: + sia_uri: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c + ocsp_uri: + +- notice_date: March 2, 2021 + change_type: Intent to Perform CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal PKI Management Authority intends to revoke the certificate issued to the Federal Common Policy CA from the Federal Bridge CA G4. The revocation is planned for mid-May. + contact: fpki dash help at gsa.gov + ca_certificate_hash: fb3f5e09cac4fe4066f6c48cce31feca02fea677 + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=Federal Common Policy CA, OU=FPKI, O=U.S. 
Government, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c + ocsp_uri: + +- notice_date: March 2, 2021 + change_type: Intent to Perform CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal PKI Management Authority intends to revoke the certificate issued to the SAFE Bridge CA 02 from the Federal Bridge CA G4. The revocation is planned to take place on or around March 18, 2021. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 600319e6c322229f88e0f434ba96fb0dfd00252e + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=SAFE Bridge CA 02, OU=Certification Authorities, O=SAFE-Biopharma, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://sbca2.safe-biopharma.org/sbca/issuedbySBCA02.p7c + ocsp_uri: + +- notice_date: March 2, 2021 + change_type: Intent to Perform CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal PKI Management Authority intends to revoke the certificate issued to the CertiPath Bridge CA - G2 from the Federal Bridge CA G4. The revocation is planned to take place on or around March 18, 2021. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 3bfc4df881682f8846bff486d422025aee7494d8 + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://certipath-sia.symauth.com/IssuedBy-CertiPathBridgeCA-G2.p7c + ocsp_uri: + +- notice_date: February 25, 2021 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: + system: IdenTrust Global Common Root CA 1 + change_description: IdenTrust intends to issue a new CA certificate from IdenTrust Global Common Root CA 1 to replace the IGC Server CA 1 certificate expiring 4/14/2024. + contact: support at identrust dot com + ca_certificate_hash: + ca_certificate_issuer: CN=IdenTrust Global Common Root CA 1, O=IdenTrust, C=US + ca_certificate_subject: CN=IGC Device CA 1, OU=IdenTrust Global Common, O=IdenTrust, C=US + cdp_uri: + aia_uri: + sia_uri: + ocsp_uri: + +- notice_date: February 24, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: CertiPath Bridge CA + change_description: CertiPath Bridge CA - G3 issued a cross certificate to Northrop Grumman. + contact: support at certipath dot com + ca_certificate_hash: 9ac306e3369858456ec83128dd1daef5cb4a0061 + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Northrop Grumman Corporate Root CA-G2, OU=Northrop Grumman Information Technology, O=Northrop Grumman Corporation, C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: + ocsp_uri: + +- notice_date: February 24, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: CertiPath Bridge CA + change_description: CertiPath Bridge CA - G3 issued a cross certificate to the Netherlands Ministry of Defence. 
+ contact: support at certipath dot com + ca_certificate_hash: 64b24bf2fdfd1a8aabe432ac332fdbbc4a76ff30 + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Ministerie van Defensie PKIoverheid Organisatie Persoon CA - G3, 2.5.4.97=NTRNL-27370985, O=Ministerie van Defensie, C=NL + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: + ocsp_uri: + +- notice_date: February 23, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: DoD Root CA 3 + change_description: DoD Root CA 3 issued a new CA certificate to DOD DERILITY CA-1. + contact: disa dot meade dot mae dot list dot pkieca at mail dot mil + ca_certificate_hash: 6b250683b996e2581696f499061b5581a7867c89 + ca_certificate_issuer: CN=DoD Root CA 3, OU=PKI, OU=DoD, O=U.S. Government, C=US + ca_certificate_subject: CN=DOD DERILITY CA-1, OU=PKI, OU=DoD, O=U.S. Government, C=US + cdp_uri: http://crl.disa.mil/crl/DODROOTCA3.crl + aia_uri: http://crl.disa.mil/issuedto/DODROOTCA3_IT.p7c + sia_uri: + ocsp_uri: http://ocsp.disa.mil + +- notice_date: February 23, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: CertiPath Bridge CA + change_description: CertiPath Bridge CA - G3 issued a cross certificate to Carillon PKI Services G2 Root CA 2. 
+ contact: support at certipath dot com + ca_certificate_hash: 648bf4c20d5d6733f0355cee3c32036b31a63589 + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Carillon PKI Services G2 Root CA 2, OU=Certification Authorities, O=Carillon Information Security Inc., C=CA + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: + ocsp_uri: + +- notice_date: February 23, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: CertiPath Bridge CA + change_description: CertiPath Bridge CA - G3 issued a cross certificate to Carillon Federal Services PIV-I CA1. + contact: support at certipath dot com + ca_certificate_hash: 1693fefa54d5e46a0e6e1c3e576085b5ee51b6bd + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Carillon Federal Services PIV-I CA1, OU=Certification Authorities, O=Carillon Federal Services Inc., C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: + ocsp_uri: + +- notice_date: February 12, 2021 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: + system: CertiPath Bridge CA + change_description: CertiPath Bridge CA - G3 intends to issue a cross certificate to Northrop Grumman Corporate Root CA-G2. 
+ contact: support at certipath dot com + ca_certificate_hash: + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Northrop Grumman Corporate Root CA-G2, OU=Northrop Grumman Information Technology, O=Northrop Grumman Corporation, C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: + ocsp_uri: + +- notice_date: February 12, 2021 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: + system: CertiPath Bridge CA + change_description: CertiPath Bridge CA - G3 intends to issue a cross certificate to the Netherlands Ministry of Defence. + contact: support at certipath dot com + ca_certificate_hash: + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Ministerie van Defensie PKIoverheid Organisatie Persoon CA - G3, 2.5.4.97=NTRNL-27370985, O=Ministerie van Defensie, C=NL + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: + ocsp_uri: + +- notice_date: February 12, 2021 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: + system: CertiPath Bridge CA + change_description: CertiPath Bridge CA - G3 intends to issue a cross certificate to Carillon PKI Services G2 Root CA 2. 
+ contact: support at certipath dot com + ca_certificate_hash: + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Carillon PKI Services G2 Root CA 2, OU=Certification Authorities, O=Carillon Information Security Inc., C=CA + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: + ocsp_uri: + +- notice_date: February 12, 2021 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: + system: CertiPath Bridge CA + change_description: CertiPath Bridge CA - G3 intends to issue a cross certificate to Carillon Federal Services PIV-I CA1. + contact: support at certipath dot com + ca_certificate_hash: + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Carillon Federal Services PIV-I CA1, OU=Certification Authorities, O=Carillon Federal Services Inc., C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: + ocsp_uri: + +- notice_date: February 3, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: WidePoint Non-Federal Issuer + change_description: WidePoint NFI Root 2 issued a modified certificate to WidePoint NFI CA 6. 
+ contact: pkipolicy at orc dot com + ca_certificate_hash: 8a17d236acb45af809c0a4555f7142d82ae08736 + ca_certificate_issuer: CN=WidePoint NFI Root 2, OU=Certification Authorities, O=WidePoint, C=US + ca_certificate_subject: CN=WidePoint NFI CA 6, O=ORC PKI, C=US + cdp_uri: http://crl-server.orc.com/CRLs/WIDEPOINTNFIROOT2.crl + aia_uri: http://crl-server.orc.com/caCerts/WIDEPOINTNFIROOT2.p7c + sia_uri: + ocsp_uri: http://widepointnfiroot2.eva.orc.com + +- notice_date: February 3, 2021 + change_type: CA Certificate Revocation + start_datetime: + system: WidePoint Non-Federal Issuer + change_description: WidePoint NFI Root 2 revoked the certificate issued to WidePoint NFI CA 6. + contact: pkipolicy at orc dot com + ca_certificate_hash: b2bfadc0603d42feb84d9b1cfd488227b16f21e3 + ca_certificate_issuer: CN=WidePoint NFI Root 2, OU=Certification Authorities, O=WidePoint, C=US + ca_certificate_subject: CN=WidePoint NFI CA 6, O=ORC PKI, C=US + cdp_uri: http://crl-server.orc.com/CRLs/WIDEPOINTNFIROOT2.crl + aia_uri: http://crl-server.orc.com/caCerts/WIDEPOINTNFIROOT2.p7c + sia_uri: + ocsp_uri: http://widepointnfiroot2.eva.orc.com + +- notice_date: February 1, 2021 + change_type: CA Certificate Issuance + start_datetime: + system: WidePoint Non-Federal Issuer + change_description: WidePoint NFI Root 2 issued a certificate to WidePoint NFI CA 6. 
+ contact: pkipolicy at orc dot com
+ ca_certificate_hash: b2bfadc0603d42feb84d9b1cfd488227b16f21e3
+ ca_certificate_issuer: CN=WidePoint NFI Root 2, OU=Certification Authorities, O=WidePoint, C=US
+ ca_certificate_subject: CN=WidePoint NFI CA 6, O=ORC PKI, C=US
+ cdp_uri: http://crl-server.orc.com/CRLs/WIDEPOINTNFIROOT2.crl
+ aia_uri: http://crl-server.orc.com/caCerts/WIDEPOINTNFIROOT2.p7c
+ sia_uri:
+ ocsp_uri: http://widepointnfiroot2.eva.orc.com
+
+- notice_date: January 21, 2021
+ change_type: CA Certificate Issuance
+ start_datetime:
+ system: TSCP SHA256 Bridge CA
+ change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA issued a cross certificate to Alexion Pharmaceuticals Issue 2 CA.
+ contact: steve.race at tscp dot org
+ ca_certificate_hash: e1cae944beea7470bf05f6da809a0ecf2a8a5c1b
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject: CN=Alexion Pharmaceuticals Issue 2 CA, OU=CAs, O=Alexion Pharmaceuticals, C=US
+ cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
+ aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: January 21, 2021
+ change_type: CA Certificate Revocation
+ start_datetime:
+ system: TSCP SHA256 Bridge CA
+ change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA revoked a cross certificate issued to Carillon Federal Services PIV-I CA2. TSCP previously issued a modified certificate with an updated CA subject name.
+ contact: steve.race at tscp dot org
+ ca_certificate_hash: 352f268667640942e57f834f3691372a24109e2e
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject: CN=Carillon Federal Services PIV-I CA2, OU=Certificate Authorities, O=Carillon Federal Services Inc., C= US
+ cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
+ aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: January 11, 2021
+ change_type: CA Certificate Issuance
+ start_datetime:
+ system: U.S. Department of State AD Root CA
+ change_description: The Department of State issued a new CA certificate.
+ contact: shanleyrj at state dot gov
+ ca_certificate_hash: a6e9c11ad29fc006ed65b06db32e36a927cb3a48
+ ca_certificate_issuer: CN=U.S. Department of State AD Root CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu
+ ca_certificate_subject: CN=U.S.-Department-of-State-DPC-CA, DC=derived, DC=state, DC=sbu
+ cdp_uri: http://crls.pki.state.gov/crls/DoSADPKIRootCA1.crl
+ aia_uri: http://crls.pki.state.gov/AIA/CertsIssuedToDoSADRootCA.p7c
+ sia_uri:
+ ocsp_uri: http://ocsp.pki.state.gov/OCSP/DoSOCSPResponder
+
+- notice_date: January 8, 2021
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: WidePoint Non-Federal Issuer
+ change_description: WidePoint NFI Root 2 intends to issue a cross certificate to WidePoint NFI CA 6.
+ contact: pkipolicy at orc dot com
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=WidePoint NFI Root 2, OU=Certification Authorities, O=WidePoint, C=US
+ ca_certificate_subject: CN=WidePoint NFI CA 6, O=ORC PKI, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: December 22, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: TSCP SHA256 Bridge CA
+ change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA intends to issue a cross certificate to Alexion Pharmaceuticals Issue 2 CA.
+ contact: steve.race at tscp dot org
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject: CN=Alexion Pharmaceuticals Issue 2 CA, OU=CAs, O=Alexion Pharmaceuticals, C=US
+ cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
+ aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: December 15, 2020
+ change_type: CA Certificate Revocation
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal PKI Management Authority revoked the certificate issued to USPTO_INTR_CA1 from the Federal Bridge CA G4. An updated certificate was issued on November 12, 2020.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 978ec2f323452f8f46932b8550663d68b6e96af7
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=USPTO_INTR_CA1, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=uspto, DC=gov
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://ipki.uspto.gov/IPKI/Certs/IPKICACerts.p7c
+ ocsp_uri:
+
+- notice_date: November 30, 2020
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: The Federal Common Policy CA G2 issued a cross certificate to the U.S. Department of State AD Root CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 9b3849f7047964a6654988054956e478ccb75ded
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=U.S. Department of State AD Root CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu
+ cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl
+ aia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedTofcpcag2.p7c
+ sia_uri: http://crls.pki.state.gov/SIA/CertsIssuedByADRootCA.p7c
+ ocsp_uri:
+
+- notice_date: November 30, 2020
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: The Federal Common Policy CA G2 issued a cross certificate to the US Treasury Root CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: d7d298927d339efa414f2565923e28b98acd970a
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US
+ cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl
+ aia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedTofcpcag2.p7c
+ sia_uri: http://pki.treasury.gov/root_sia.p7c
+ ocsp_uri:
+
+- notice_date: November 30, 2020
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: The Federal Common Policy CA G2 issued a cross certificate to DigiCert Federal SSP Intermediate CA - G5.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 9aecfbe2de8aea49d220bbf799172c00527fe756
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=DigiCert Federal SSP Intermediate CA - G5, O=DigiCert, Inc., C=US
+ cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl
+ aia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedTofcpcag2.p7c
+ sia_uri: http://ssp-sia.digicert.com/SSP/Certs_issued_by_SSPCAG5.p7c
+ ocsp_uri:
+
+- notice_date: November 30, 2020
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: The Federal Common Policy CA G2 issued a cross certificate to Symantec SSP Intermediate CA - G4 (operated by DigiCert).
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 4c40f62b5c3f13533a8f8a1d44f8b027aaa0fd3d
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Symantec SSP Intermediate CA - G4, O=Symantec Corporation, C=US
+ cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl
+ aia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedTofcpcag2.p7c
+ sia_uri: http://ssp-sia.symauth.com/SSP/Certs_issued_by_SYMCSSPCAG4.p7c
+ ocsp_uri:
+
+- notice_date: November 30, 2020
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: The Federal Common Policy CA G2 issued a cross certificate to the Entrust Managed Services Root CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 07f5dc58f83778d5b5738a988292c00a674a0f40
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: OU=Entrust Managed Services Root CA, OU=Certification Authorities, O=Entrust, C=US
+ cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl
+ aia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedTofcpcag2.p7c
+ sia_uri: http://rootweb.managed.entrust.com/SIA/CertsIssuedByEMSRootCA.p7c
+ ocsp_uri:
+
+- notice_date: November 30, 2020
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: The Federal Common Policy CA G2 issued a cross certificate to Verizon SSP CA A2.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: b2167fd38ff47bb910d8dcc32fcc3b7b63a09ff7
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Verizon SSP CA A2, OU=SSP, O=Verizon, C=US
+ cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl
+ aia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedTofcpcag2.p7c
+ sia_uri: http://sia1.ssp-strong-id.net/CA/VZ-SSP-CA-A2-SIA.p7c
+ ocsp_uri:
+
+- notice_date: November 30, 2020
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: The Federal Common Policy CA G2 issued a cross certificate to ORC SSP 4 (operated by WidePoint).
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 3e6610b03daca9fa07e1093b60ccb8927c42d83b
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=ORC SSP 4, O=ORC PKI, C=US
+ cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl
+ aia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedTofcpcag2.p7c
+ sia_uri: http://crlserver.orc.com/caCerts/ORCSSP4.p7c
+ ocsp_uri:
+
+- notice_date: November 30, 2020
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: The Federal Common Policy CA G2 issued a cross certificate to WidePoint ORC SSP 5.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 80f4731a60fd5f2eb0468d0629310daa50ad210d
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=WidePoint ORC SSP 5, O=ORC PKI, C=US
+ cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl
+ aia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedTofcpcag2.p7c
+ sia_uri: http://crl-server.orc.com/caCerts/WidePointORCSSP5.p7c
+ ocsp_uri:
+
+- notice_date: November 30, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: October 27, 2020
+ system: SAFE Identity Bridge CA
+ change_description: The SAFE Identity Bridge CA issued a cross certificate to Trans Sped Mobile eIDAS QCA G2.
+ contact: kyle dot neuman at makeidentitysafe dot com
+ ca_certificate_hash: 8a70668ca59a7da20681cf5ec4a6383c75ad8ade
+ ca_certificate_issuer: CN=SAFE Identity Bridge CA, OU=Certification Authorities, O=SAFE Identity, C=US
+ ca_certificate_subject: CN=Trans Sped Mobile eIDAS QCA G2, OU=Individual Subscriber CA, O=Trans Sped SRL, C=RO
+ cdp_uri: http://crl.makeidentitysafe.com/sibca.crl
+ aia_uri: http://aia.makeidentitysafe.com/sibca.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: November 30, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: October 27, 2020
+ system: SAFE Identity Bridge CA
+ change_description: The SAFE Identity Bridge CA issued a cross certificate to IdenTrust SAFE-BioPharma CA 1.
+ contact: kyle dot neuman at makeidentitysafe dot com
+ ca_certificate_hash: cb023ddee100c9040c7a9ad60717ebf34ab2106b
+ ca_certificate_issuer: CN=SAFE Identity Bridge CA, OU=Certification Authorities, O=SAFE Identity, C=US
+ ca_certificate_subject: CN=IdenTrust SAFE-BioPharma CA 1, OU=IdenTrust Global Common, O=IdenTrust, C=US
+ cdp_uri: http://crl.makeidentitysafe.com/sibca.crl
+ aia_uri: http://aia.makeidentitysafe.com/sibca.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: November 30, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: October 27, 2020
+ system: SAFE Identity Bridge CA
+ change_description: The SAFE Identity Bridge CA issued a cross certificate to Carillon PKI Services G2 Root CA 3.
+ contact: kyle dot neuman at makeidentitysafe dot com
+ ca_certificate_hash: 2df9d20203cfb0ce1ef48cdc03a16fe7b46e0aca
+ ca_certificate_issuer: CN=SAFE Identity Bridge CA, OU=Certification Authorities, O=SAFE Identity, C=US
+ ca_certificate_subject: CN=Carillon PKI Services G2 Root CA 3, OU=Certification Authorities, O=Carillon Information Security Inc., C=CA
+ cdp_uri: http://crl.makeidentitysafe.com/sibca.crl
+ aia_uri: http://aia.makeidentitysafe.com/sibca.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: November 25, 2020
+ change_type: URI Change, System Outage
+ start_datetime:
+ end_datetime:
+ system: Entrust Shared Service Provider CA
+ change_description: Certificate Revocation List(s) were unavailable for PIV certificates that contain a Certificate Revocation List Distribution Point (CDP) Hypertext Transfer Protocol (HTTP) Uniform Resource Identifier (URI) pointing to an xpki.com domain. The revocation lists were unavailable for at least five (5) days. The primary authoritative source for the revocation lists served from entrust.com domains were available. Entrust Managed Services has updated configurations to include only the entrust.com URIs in the CDPs for all end entity certificates issued or renewed from 11/25/2020 forward.
+ contact: fpki at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer:
+ ca_certificate_subject:
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: November 24, 2020
+ change_type: CA Certificate Revocation
+ start_datetime:
+ system: US Treasury Public CA
+ change_description: Treasury decommissioned the US Treasury Public CA and revoked its certificate issued by the US Treasury Root CA.
+ contact: pki dot pmo at fiscal dot treasury dot gov
+ ca_certificate_hash: 14d4454152a6a1384052186adbb944fb2e1a768d
+ ca_certificate_issuer: OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US
+ ca_certificate_subject: OU=US Treasury Public CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US
+ cdp_uri: http://pki.treas.gov/US_Treasury_Root_CA.crl
+ aia_uri: http://pki.treas.gov/teca_aia.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: November 23, 2020
+ change_type: Intent to Perform CA Certificate Revocation
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal PKI Management Authority intends to revoke the certificate issued to USPTO_INTR_CA1 from the Federal Bridge CA G4. An updated certificate was issued on November 12, 2020.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 978ec2f323452f8f46932b8550663d68b6e96af7
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=USPTO_INTR_CA1, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=uspto, DC=gov
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://ipki.uspto.gov/IPKI/Certs/IPKICACerts.p7c
+ ocsp_uri:
+
+- notice_date: November 17, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: November 12, 2020
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the United States Patent and Trademark Office.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: edd7e56da5147cf98ea580a176a27bc990b243ce
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=USPTO_INTR_CA1, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=uspto, DC=gov
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://ipki.uspto.gov/IPKI/Certs/IPKICACerts.p7c
+ ocsp_uri:
+
+- notice_date: November 17, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: November 12, 2020
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to SAFE Identity Bridge CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: cba35a94b7460a9e86ff7c95123a849ccd7be1ab
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=SAFE Identity Bridge CA, OU=Certification Authorities, O=SAFE Identity, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://aia.makeidentitysafe.com/issuedby-sibca.p7c
+ ocsp_uri:
+
+- notice_date: October 29, 2020
+ change_type: CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the Entrust Managed Services NFI Root CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: d45ccedd462a2e2718627eeb6e013fc0a0dc6940
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: OU=Entrust Managed Services NFI Root CA, OU=Certification Authorities, O=Entrust, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://nfirootweb.managed.entrust.com/SIA/CAcertsIssuedByNFIRootCA.p7c
+ ocsp_uri:
+
+- notice_date: October 26, 2020
+ change_type: Intent to Decommission CA
+ start_datetime:
+ system: US Treasury Public CA
+ change_description: Treasury is scheduled to decommission the US Treasury Public CA on November 18, 2020. Previously, the CA's certificate was set to expire on December 5, 2020. Treasury does not anticipate negative impacts on the FPKI community due to this change.
+ contact: pki dot pmo at fiscal dot treasury dot gov
+ ca_certificate_hash: 14d4454152a6a1384052186adbb944fb2e1a768d
+ ca_certificate_issuer: OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US
+ ca_certificate_subject: OU=US Treasury Public CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US
+ cdp_uri: http://pki.treas.gov/US_Treasury_Root_CA.crl
+ aia_uri: http://pki.treas.gov/teca_aia.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: October 26, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 intends to issue a cross certificate to the United States Patent and Trademark Office.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=USPTO_INTR_CA1, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=uspto, DC=gov
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: October 23, 2020
+ change_type: CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to Symantec Class 3 SSP Intermediate CA – G3 (operated by DigiCert).
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 2e0140b2b72765ab0f266f57562c3cfd33fd5eb2
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Symantec Class 3 SSP Intermediate CA – G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://ssp-sia.symauth.com/STNSSP/Certs_Issued_by_Class3SSPCA-G3.p7c
+ ocsp_uri:
+
+- notice_date: October 19, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 intends to issue a cross certificate to SAFE Identity Bridge CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=SAFE Identity Bridge CA, OU=Certification Authorities, O=SAFE Identity, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: October 15, 2020
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: The Federal Common Policy CA G2 issued a cross certificate to the Federal Bridge CA G4.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 97db351e069964297a82040eb760c9cc1d74ba33
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ cdp_uri: http://repo.fpki.gov/fcpca/fcpcag2.crl
+ aia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedTofcpcag2.p7c
+ sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c
+ ocsp_uri:
+
+- notice_date: October 15, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: The Federal Common Policy CA G2 intends to issue a cross certificate to WidePoint ORC SSP 5.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=WidePoint ORC SSP 5, O=ORC PKI, C = US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: October 14, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 intends to issue a cross certificate to the Entrust Managed Services NFI Root CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: OU=Entrust Managed Services NFI Root CA, OU=Certification Authorities, O=Entrust, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: October 14, 2020
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2 (FCPCAG2)
+ change_description: The Federal PKI Management Authority established a new root certification authority.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 99b4251e2eee05d8292e8397a90165293d116028
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri: http://repo.fpki.gov/fcpca/caCertsIssuedByfcpcag2.p7c
+ ocsp_uri:
+
+- notice_date: October 13, 2020
+ change_type: CA Certificate Revocation
+ system: FPKI Trust Infrastructure - Federal Bridge CA 2016
+ change_description: As part of the migration to the Federal Bridge CA G4 and in preparation for the Federal Bridge CA 2016 decommissioning, the Federal Bridge CA 2016 revoked the certificate issued to the Federal Common Policy CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 38341412caa3d72ade61022240411444d21b1de9
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl
+ aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c
+ sia_uri: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c
+ ocsp_uri:
+
+- notice_date: October 13, 2020
+ change_type: CA Certificate Revocation
+ system: FPKI Trust Infrastructure - Federal Common Policy CA
+ change_description: As part of the migration to the Federal Bridge CA G4 and in preparation for the Federal Bridge CA 2016 decommissioning, the Federal Common Policy CA revoked the certificate issued to Federal Bridge CA 2016.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: bd38b7e253cfc5dd278a927f88833fb44c6af03a
+ ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl
+ aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c
+ sia_uri: http://http.fpki.gov/bridge/caCertsIssuedByfbca2016.p7c
+ ocsp_uri:
+
+- notice_date: October 13, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: September 30, 2020
+ system: Exostar Federated Identity Service Root CA 2
+ change_description: Exostar stood-up a new issuing CA named "Exostar Federated Identity Service Signing CA 4."
+ contact: info at exostar dot com
+ ca_certificate_hash: d5f180db664ec80be77d9bfd5484a50cece5a58d
+ ca_certificate_issuer: CN=Exostar Federated Identity Service Root CA 2, OU=Certification Authorities, O=Exostar LLC, C=US
+ ca_certificate_subject: CN=Exostar Federated Identity Service Signing CA 4, DC=evincible, DC=com
+ cdp_uri: http://www.fis.evincible.com/fis/public/ERCA2.crl
+ aia_uri: http://www.fis.evincible.com/fis/public/issuedtoERCA2.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: September 30, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 intends to issue a cross certificate to Symantec Class 3 SSP Intermediate CA – G3 (operated by DigiCert).
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Symantec Class 3 SSP Intermediate CA – G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: September 28, 2020
+ change_type: CA Certificate Issuance
+ start_datetime:
+ system: TSCP SHA256 Bridge CA
+ change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA issued a cross certificate to Carillon Federal Services.
+ contact: steve.race at tscp dot org
+ ca_certificate_hash: 97ff543ab95bd5e3a065834f240ad6b3c6b7d985
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject: CN=Carillon Federal Services PIV-I CA2, OU=Certification Authorities, O=Carillon Federal Services Inc., C= US
+ cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
+ aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: September 25, 2020
+ change_type: Intent to Decommission CA
+ system: FPKI Trust Infrastructure - Federal Common Policy CA
+ change_description: The Federal PKI Management Authority is preparing to decommission the Federal Common Policy CA (planned for May 2021). Valid CA certificates issued by the Federal Common Policy CA will be revoked prior to decommissioning.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: September 25, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2
+ change_description: As part of the migration from the Federal Common Policy CA to the planned Federal Common Policy CA G2, the Federal PKI Management Authority is preparing to issue several CA certificates.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: Several certificates will be issued. Comma-separated list of CA Common Names - Federal Bridge CA G4, DigiCert Federal SSP Intermediate CA - G5, Entrust Managed Services Root CA, ORC SSP 4, Symantec SSP Intermediate CA - G4, U.S. Department of State AD Root CA, US Treasury Root CA, and Verizon SSP CA A2.
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: September 25, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Common Policy CA G2 (FCPCAG2)
+ change_description: The Federal PKI Management Authority is preparing to rekey the Federal Common Policy Certification Authority (FCPCA) by establishing a new certification authority, FCPCAG2.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Federal Common Policy CA G2, OU=FPKI, O=U.S. Government, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: September 25, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal PKI Management Authority intends to issue a cross certificate to the Federal Common Policy CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: September 16, 2020
+ change_type: CA Certificate Issuance
+ system: TSCP SHA256 Bridge CA
+ change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA issued a cross certificate to DocuSign, Inc.
+ contact: steve.race at tscp dot org
+ ca_certificate_hash: e515aa068b003bee83f8d7e15b5f25165a456941
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject: CN=DocuSign Root CA, OU=TSCP, O=DocuSign Inc., C=US
+ cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
+ aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: September 15, 2020
+ change_type: Intent to Perform CA Certificate Revocation
+ system: FPKI Trust Infrastructure - Federal Common Policy CA
+ change_description: As part of the migration to the Federal Bridge CA G4 and in preparation for the Federal Bridge CA 2016 decommissioning, the Federal Common Policy CA will revoke the certificate issued to Federal Bridge CA 2016.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: bd38b7e253cfc5dd278a927f88833fb44c6af03a
+ ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl
+ aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c
+ sia_uri: http://http.fpki.gov/bridge/caCertsIssuedByfbca2016.p7c
+ ocsp_uri:
+
+- notice_date: September 15, 2020
+ change_type: Intent to Perform CA Certificate Revocation
+ system: FPKI Trust Infrastructure - Federal Bridge CA 2016
+ change_description: As part of the migration to the Federal Bridge CA G4 and in preparation for the Federal Bridge CA 2016 decommissioning, the Federal Bridge CA 2016 will revoke the certificate issued to Federal Common Policy CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 38341412caa3d72ade61022240411444d21b1de9
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl
+ aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c
+ sia_uri: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c
+ ocsp_uri:
+
+- notice_date: September 14, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: TSCP SHA256 Bridge CA
+ change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA intends to issue a cross certificate to Carillon Federal Services.
+ contact: steve.race at tscp dot org
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject: CN=Carillon Federal Services PIV-I CA2, OU=Certification Authorities, O=Carillon Federal Services Inc., C= US
+ cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
+ aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: September 14, 2020
+ change_type: Intent to Perform CA Certificate Revocation
+ start_datetime:
+ system: TSCP SHA256 Bridge CA
+ change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA intends to revoke the cross certificate issued to Carillon Federal Services PIV-I CA2. TSCP intends to issue a new certificate with a modified CA subject name.
+ contact: steve.race at tscp dot org + ca_certificate_hash: 352f268667640942e57f834f3691372a24109e2e + ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US + ca_certificate_subject: CN=Carillon Federal Services PIV-I CA2, OU=Certificate Authorities, O=Carillon Federal Services Inc., C= US + cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl + aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c + sia_uri: + ocsp_uri: + +- notice_date: September 3, 2020 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: + system: Exostar Federated Identity Service Root CA 2 + change_description: Exostar intends to issue a new CA certificate. + contact: info at exostar dot com + ca_certificate_hash: + ca_certificate_issuer: CN=Exostar Federated Identity Service Root CA 2, OU=Certification Authorities, O=Exostar LLC, C=US + ca_certificate_subject: + cdp_uri: + aia_uri: + sia_uri: + ocsp_uri: + +- notice_date: August 18, 2020 + change_type: CA Certificate Revocation + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: As part of the Access Certificates for Electronic Services (ACES) program sunset, the Federal PKI Management Authority revoked the certificate issued from Federal Bridge CA G4 to IdenTrust ACES CA 2. + contact: fpki at gsa.gov + ca_certificate_hash: 1e5a60b592dfdbeea3d99a5225abc5e2239b987e + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=IdenTrust ACES CA 2, OU=IdenTrust Public Sector, O=IdenTrust, C = US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://validation.identrust.com/certs/issuedbyacesca2.p7c + +- notice_date: July 30, 2020 + change_type: Intent to Perform CA Certificate Revocation + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: As part of the Access Certificates for Electronic Services (ACES) program sunset, the Federal PKI Management Authority intends to revoke the certificate issued from Federal Bridge CA G4 to IdenTrust ACES CA 2. + contact: fpki at gsa.gov + ca_certificate_hash: 1e5a60b592dfdbeea3d99a5225abc5e2239b987e + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=IdenTrust ACES CA 2, OU=IdenTrust Public Sector, O=IdenTrust, C = US + +- notice_date: July 16, 2020 + change_type: CA Certificate Revocation + start_datetime: + end_datetime: + system: FPKI Trust Infrastructure - Federal Bridge CA 2016 + change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 revoked the cross certificate issued to SAFE Bridge CA 02 Certification Authority. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 5c654219972bac887bea9f1309eb9e052fb7757e + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=SAFE Bridge CA 02, OU=Certification Authorities, O=SAFE-Biopharma, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://sbca2.safe-biopharma.org/sbca/issuedbySBCA02.p7c + +- notice_date: July 16, 2020 + change_type: CA Certificate Revocation + start_datetime: + end_datetime: + system: FPKI Trust Infrastructure - Federal Bridge CA 2016 + change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 revoked the cross certificate issued to GPO PCA Root Certification Authority. + contact: fpki dash help at gsa.gov + ca_certificate_hash: b8eabb18ed544c9fcfb299bd5d322127e6f48d90 + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: OU=GPO PCA, OU=Certification Authorities, OU=Government Printing Office, O=U.S. Government, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://www.gpo-fbca-crls.ois.gpo.gov/caCertsIssuedByGPO.p7c + ocsp_uri: + +- notice_date: July 16, 2020 + change_type: CA Certificate Revocation + start_datetime: + end_datetime: + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The certificate issued from the Federal Bridge CA G4 to GPO PCA that was set to expire on August 3, 2020 has been revoked. A new, three-year cross certificate was issued from the Federal Bridge CA G4 to GPO PCA on June 25, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: de8171556288add44e16d631653c46adab4dcf79 + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: OU=GPO PCA, OU=Certification Authorities, OU=Government Printing Office, O=U.S. 
Government, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://www.gpo-fbca-crls.ois.gpo.gov/caCertsIssuedByGPO.p7c + +- notice_date: July 14, 2020 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: + system: U.S. Department of State AD Root CA + change_description: The Department of State intends to deploy a Derived PIV credential CA. + contact: shanleyrj at state dot gov + ca_certificate_hash: + ca_certificate_issuer: CN=U.S. Department of State AD Root CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu + ca_certificate_subject: CN=U.S. Department of State DPC CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu + cdp_uri: + aia_uri: + sia_uri: + ocsp_uri: + +- notice_date: July 10, 2020 + change_type: OCSP Outage + system: Entrust Federal OCSP Service + change_description: On July 8, 2020 at approximately 4:00 PM CDT, Entrust Datacard performed a service failover of all Entrust Federal OCSP traffic including ocsp.managed.entrust.com from the Dallas primary site to the Denver alternate site due to ISP routing issues. On Friday, July 10, 2020 at 4:00 PM CDT, all Entrust Federal OCSP traffic failed back to the Dallas primary site. Entrust customers were notified of this issue via email. + contact: support at entrustdatacard dot com + ocsp_uri: ocsp.managed.entrust.com, ocspproofs.managed.entrust.com, nfiocsp.managed.entrust.com, doesspocsp.managed.entrust.com, hhspkiocsp.managed.entrust.com, feddcsocsp.managed.entrust.com + +- notice_date: July 7, 2020 + change_type: CA Certificate Issuance + start_datetime: June 9, 2020 + system: DigiCert Federal Shared Service Provider + change_description: The DigiCert Federal SSP Intermediate CA - G5 issued a CA certificate on behalf of the U.S. Department of Education. 
+ contact: aaron dot poulsen at digicert dot com + ca_certificate_hash: 6f48424ae8a01c2a77213a9d34f5761daacd9eac + ca_certificate_issuer: CN=DigiCert Federal SSP Intermediate CA - G5, O=DigiCert, Inc., C=US + ca_certificate_subject: CN=U.S. Department of Education Agency CA - G5, OU=U.S. Department of Education, O=U.S. Government, C=US + cdp_uri: http://ssp-crl.digicert.com/SSP/SSPG5.crl + aia_uri: http://ssp-aia.digicert.com/SSP/Certs_issued_to_SSPCAG5.p7c + sia_uri: + ocsp_uri: http://ssp-ocsp.digicert.com + +- notice_date: June 29, 2020 + change_type: CA Certificate Issuance + start_datetime: June 23, 2020 + system: CertiPath Bridge + change_description: CertiPath Bridge CA – G3 issued a cross certificate to Raytheon. + contact: support at certipath dot com + ca_certificate_hash: 4f28171d4a30679edea7f3271c6cfdb924241f0e + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Raytheon Class 3 MASCA, OU=Class3-g2, O=cas, DC=raytheon, DC=com + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: + ocsp_uri: + +- notice_date: June 26, 2020 + change_type: Intent to Perform CA Certificate Revocation + start_datetime: + end_datetime: + system: FPKI Trust Infrastructure - Federal Bridge CA 2016 + change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 will revoke the cross certificate issued to SAFE Bridge CA 02 Certification Authority. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 5c654219972bac887bea9f1309eb9e052fb7757e + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=SAFE Bridge CA 02, OU=Certification Authorities, O=SAFE-Biopharma, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://sbca2.safe-biopharma.org/sbca/issuedbySBCA02.p7c + +- notice_date: June 26, 2020 + change_type: Intent to Perform CA Certificate Revocation + start_datetime: + end_datetime: + system: FPKI Trust Infrastructure - Federal Bridge CA 2016 + change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 will revoke the cross certificate issued to GPO PCA Root Certification Authority. + contact: fpki dash help at gsa.gov + ca_certificate_hash: b8eabb18ed544c9fcfb299bd5d322127e6f48d90 + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: OU=GPO PCA, OU=Certification Authorities, OU=Government Printing Office, O=U.S. Government, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://www.gpo-fbca-crls.ois.gpo.gov/caCertsIssuedByGPO.p7c + ocsp_uri: + +- notice_date: June 26, 2020 + change_type: Intent to Perform CA Certificate Revocation + start_datetime: + end_datetime: + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The new three-year cross certificate issued to the Government Publishing Office (GPO) will result in the revocation of the certificate issued to GPO PCA that was set to expire on August 3, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: de8171556288add44e16d631653c46adab4dcf79 + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: OU=GPO PCA, OU=Certification Authorities, OU=Government Printing Office, O=U.S. 
Government, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://www.gpo-fbca-crls.ois.gpo.gov/caCertsIssuedByGPO.p7c + +- notice_date: June 26, 2020 + change_type: CA Certificate Issuance + start_datetime: June 25, 2020 + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal Bridge CA G4 issued a cross certificate to GPO PCA. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 52db35c57036a5641bb8dd6b552391a7815681dd + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: OU=GPO PCA, OU=Certification Authorities, OU=Government Printing Office, O=U.S. Government, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://www.gpo-fbca-crls.ois.gpo.gov/caCertsIssuedByGPO.p7c + ocsp_uri: + +- notice_date: June 15, 2020 + change_type: CA Certificate Revocation + system: FPKI Trust Infrastructure - Federal Bridge CA 2016 + change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 revoked the cross certificate issued to Entrust Managed Services NFI Root CA on June 9, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 220508b0ab72e2ee3acaa6a9ef5001c87c523ea4 + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: OU=Entrust Managed Services NFI Root CA, OU=Certification Authorities, O=Entrust, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://nfirootweb.managed.entrust.com/SIA/CAcertsIssuedByNFIRootCA.p7c + ocsp_uri: + +- notice_date: June 15, 2020 + change_type: CA Certificate Revocation + system: FPKI Trust Infrastructure - Federal Bridge CA 2016 + change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 revoked the cross certificate issued to WidePoint NFI Root 1 on June 9, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 92bc06fe6b27cbe4723f309f34681fc57c8166ce + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=WidePoint NFI Root 1, OU=Certification Authorities, O=WidePoint, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://crl-server.orc.com/caCerts/WIDEPOINTNFIROOT1.p7c + ocsp_uri: + +- notice_date: June 15, 2020 + change_type: CA Certificate Revocation + system: FPKI Trust Infrastructure - Federal Bridge CA 2016 + change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 revoked the cross certificate issued to Symantec Class 3 SSP Intermediate CA - G3 on June 9, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 914531f5a610914005422e56d6711218133b1048 + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=Symantec Class 3 SSP Intermediate CA - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://ssp-sia.symauth.com/STNSSP/Certs_Issued_by_Class3SSPCA-G3.p7c + ocsp_uri: + +- notice_date: June 15, 2020 + change_type: CA Certificate Revocation + system: FPKI Trust Infrastructure - Federal Bridge CA 2016 + change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 revoked the cross certificate issued to STRAC Bridge Root Certification Authority on June 9, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 1f92eb3654f60a9092811f7948afff45c09a6ca9 + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=STRAC Bridge Root Certification Authority, OU=STRAC PKI Trust Infrastructure, O=STRAC, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://pki.strac.org/bridge/certificates/STRACBridgeRootCA.p7c + ocsp_uri: + +- notice_date: June 15, 2020 + change_type: CA Certificate Revocation + system: FPKI Trust Infrastructure - Federal Bridge CA 2016 + change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 revoked the cross certificate issued to ORC NFI CA 3 on June 9, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: b625da07302016d2837023bab94b6e0d76fc2e45 + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=ORC NFI CA 3, O=ORC PKI, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://crl-server.orc.com/caCerts/ORCNFI3_SIA.p7c + ocsp_uri: + +- notice_date: June 15, 2020 + change_type: CA Certificate Revocation + system: FPKI Trust Infrastructure - Federal Bridge CA 2016 + change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 revoked the cross certificate issued to DoD Interoperability Root CA 2 on June 9, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 73050d5b629cf6286be972afddfa31d2864b4f35 + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://crl.disa.mil/issuedby/DODINTEROPERABILITYROOTCA2_IB.p7c + ocsp_uri: + +- notice_date: June 15, 2020 + change_type: CA Certificate Revocation + system: FPKI Trust Infrastructure - Federal Bridge CA 2016 + change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 revoked the cross certificate issued to DigiCert Federated ID L3 CA on June 9, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 33514b5b7c0616724d9e174f59d7aa080740b8c3 + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=DigiCert Federated ID L3 CA, OU=www.digicert.com, O=DigiCert Inc, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: + ocsp_uri: + +- notice_date: June 8, 2020 + change_type: CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: On June 4, 2020, the Federal PKI Management Authority revoked the certificate issued by the Federal Common Policy CA to VeriSign SSP Intermediate CA - G3 (operated by DigiCert Federal Shared Service Provider). All CA certificates issued by VeriSign SSP Intermediate CA - G3 have expired and the CA is no longer in use. + contact: fpki dash help at gsa.gov + ca_certificate_hash: e9c8715b871db1d87bb65ba2a5bbfa8000df7861 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=VeriSign SSP Intermediate CA - G3, O=VeriSign, Inc., C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://ssp-sia.verisign.com/SSP/Certs_issued_by_VRSNSSPCAG3.p7c + ocsp_uri: + +- notice_date: June 4, 2020 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal Bridge CA G4 intends to issue a cross certificate to GPO PCA. + contact: fpki dash help at gsa.gov + ca_certificate_hash: + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: OU=GPO PCA, OU=Certification Authorities, OU=Government Printing Office, O=U.S. 
Government, C=US + cdp_uri: + aia_uri: + sia_uri: + ocsp_uri: + +- notice_date: June 1, 2020 + change_type: Intent to Perform CA Certificate Issuance + system: TSCP SHA256 Bridge CA + change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA intends to renew the cross certificate issued to DocuSign, Inc. + contact: steve.race at tscp dot org + ca_certificate_hash: + ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US + ca_certificate_subject: CN=DocuSign Root CA, OU=TSCP, O=DocuSign Inc., C=US + cdp_uri: + aia_uri: + sia_uri: + ocsp_uri: + +- notice_date: May 29, 2020 + change_type: CA Certificate Issuance + system: WidePoint Non-Federal Issuer + change_description: WidePoint NFI Root 2 issued a certificate to WidePoint NFI CA 5. + contact: pkipolicy at orc dot com + ca_certificate_hash: 52a2b89934a8f53719d620697496a6eb82a06e13 + ca_certificate_issuer: CN=WidePoint NFI Root 2, OU=Certification Authorities, O=WidePoint, C=US + ca_certificate_subject: CN=WidePoint NFI CA 5, O=ORC PKI, C=US + cdp_uri: http://crl-server.orc.com/CRLs/WIDEPOINTNFIROOT2.crl + aia_uri: http://crl-server.orc.com/caCerts/WIDEPOINTNFIROOT2.p7c + sia_uri: + ocsp_uri: + +- notice_date: May 29, 2020 + change_type: CA Certificate Issuance + system: WidePoint Non-Federal Issuer + change_description: WidePoint NFI Root 2 issued a certificate to WidePoint ORC NFI 4. 
+ contact: pkipolicy at orc dot com + ca_certificate_hash: 5a95aea990a7aec492134a5b437cf3324f260793 + ca_certificate_issuer: CN=WidePoint NFI Root 2, OU=Certification Authorities, O=WidePoint, C=US + ca_certificate_subject: CN=WidePoint ORC NFI 4, OU=Certification Authorities, O=WidePoint, C=US + cdp_uri: http://crl-server.orc.com/CRLs/WIDEPOINTNFIROOT2.crl + aia_uri: http://crl-server.orc.com/caCerts/WIDEPOINTNFIROOT2.p7c + sia_uri: + ocsp_uri: + +- notice_date: May 21, 2020 + change_type: CA Certificate Issuance + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal Bridge CA G4 issued a cross certificate to the new DigiCert Class 3 SSP Intermediate CA – G4. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 8a8e06a378289206a64c85ad7dd37846b1ed3aad + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=DigiCert Class 3 SSP Intermediate CA – G4, O=DigiCert, Inc., C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://sspsia.digicert.com/STNSSP/Certs_Issued_by_Class3SSPCA-G4.p7c + ocsp_uri: + +- notice_date: May 12, 2020 + change_type: Intent to Perform CA Certificate Revocation + start_datetime: + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: The Federal PKI Management Authority intends to revoke the certificate issued by the Federal Common Policy CA to VeriSign SSP Intermediate CA - G3 (operated by DigiCert Federal Shared Service Provider). All CA certificates issued by VeriSign SSP Intermediate CA - G3 have expired and the CA is no longer in use. + contact: fpki dash help at gsa.gov + ca_certificate_hash: e9c8715b871db1d87bb65ba2a5bbfa8000df7861 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=VeriSign SSP Intermediate CA - G3, O=VeriSign, Inc., C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://ssp-sia.verisign.com/SSP/Certs_issued_by_VRSNSSPCAG3.p7c + ocsp_uri: + +- notice_date: May 4, 2020 + change_type: CA Certificate Issuance + start_datetime: April 21, 2020 + system: TSCP SHA256 Bridge CA + change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA issued a cross certificate to Carillon Federal Services PIV-I CA2. + contact: steve dot race at tscp dot org + ca_certificate_hash: 352f268667640942e57f834f3691372a24109e2e + ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US + ca_certificate_subject: CN=Carillon Federal Services PIV-I CA2, OU=Certificate Authorities, O=Carillon Federal Services Inc., C=US + cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl + aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c + sia_uri: + ocsp_uri: + +- notice_date: April 29, 2020 + change_type: CA Certificate Issuance + start_datetime: April 21, 2020 + system: CertiPath Bridge + change_description: CertiPath Bridge CA – G3 issued a cross certificate to Lockheed Martin Root Certification Authority 2. 
+ contact: support at certipath dot com + ca_certificate_hash: f72ec29d98caa8eefc330848d0d31235bd088ea0 + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Lockheed Martin Root Certification Authority 2, OU=Certification Authorities, O=Lockheed Martin Corporation, L=Denver, S=Colorado, C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: + ocsp_uri: + +- notice_date: April 29, 2020 + change_type: CA Certificate Issuance + start_datetime: April 21, 2020 + system: CertiPath Bridge + change_description: CertiPath Bridge CA – G3 issued a cross certificate to Boeing PCA G3. + contact: support at certipath dot com + ca_certificate_hash: f062bfcc913dfd1362ececce82e17fbf6fbaee83 + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Boeing PCA G3, OU=certservers, O=Boeing, C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: + ocsp_uri: + +- notice_date: April 6, 2020 + change_type: Intent to Perform CA Certificate Issuance + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal Bridge CA G4 intends to issue a cross certificate to the new DigiCert Class 3 SSP Intermediate CA – G4. DigiCert plans to migrate CAs signed by the Symantec Class 3 SSP Intermediate CA - G3 to DigiCert Class 3 SSP Intermediate CA – G4. + contact: fpki dash help at gsa.gov + ca_certificate_hash: + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=DigiCert Class 3 SSP Intermediate CA – G4, O=DigiCert, Inc., C=US + cdp_uri: + aia_uri: + sia_uri: + ocsp_uri: + +- notice_date: March 17, 2020 + change_type: CA Certificate Issuance + system: CertiPath Bridge CA - G2 + change_description: CertiPath Bridge CA - G2 issued a cross certificate to the Federal Bridge CA G4. + contact: support at certipath dot com + ca_certificate_hash: 6f9830730374438b333d78876c1f830304d49451 + ca_certificate_issuer: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US + ca_certificate_subject: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G2.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G2.p7c + sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c + ocsp_uri: + +- notice_date: March 4, 2020 + change_type: CA Certificate Issuance + system: FPKI Trust Infrastructure - Federal Bridge CA G4 + change_description: The Federal Bridge CA G4 issued a cross certificate to Exostar Federated Identity Service Root CA 2. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 3930a7c9ce718d0994394feea49a4ada1ebf665d + ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=Exostar Federated Identity Service Root CA 2, OU=Certification Authorities, O=Exostar LLC, C=US + cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl + aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c + sia_uri: http://www.fis.evincible.com/fis/public/ExostarFederatedIdentityServiceRootCA2.p7c + ocsp_uri: + +- notice_date: March 04, 2020 + change_type: CA Certificate Revocation + system: FPKI Trust Infrastructure - Federal Bridge CA 2016 + change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 revoked the cross certificate issued to IdenTrust ACES CA 2 on March 03, 2020. 
+ contact: fpki dash help at gsa.gov + ca_certificate_hash: ab973a75fa594f5a97c53e3c50244ae06ca610a8 + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=IdenTrust ACES CA 2, OU=IdenTrust Public Sector, O=IdenTrust, C=US + +- notice_date: March 04, 2020 + change_type: CA Certificate Revocation + system: FPKI Trust Infrastructure - Federal Bridge CA 2016 + change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 revoked the cross certificate issued to IdenTrust Global Common Root CA 1 on March 03, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 052454753d53ff2376737fa7798ec72fab82833c + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=IdenTrust Global Common Root CA 1, O=IdenTrust, C=US + +- notice_date: March 04, 2020 + change_type: CA Certificate Revocation + system: FPKI Trust Infrastructure - Federal Bridge CA 2016 + change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 revoked the cross certificate issued to the TSCP SHA256 Bridge CA on March 03, 2020. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 874007002a4a2fff3edcf90eb41adce7c2fb4915 + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US + +- notice_date: March 2, 2020 + change_type: CA Certificate Issuance + system: CertiPath Bridge CA - G3 + change_description: CertiPath Bridge CA - G3 issued a cross certificate to the Netherlands Ministry of Defence. 
+ contact: support at certipath dot com + ca_certificate_hash: 7d0fb042df05a08fa7b2303346a3f1758f314a41 + ca_certificate_subject: CN=Ministerie van Defensie PKIoverheid Organisatie Persoon CA - G3, 2.5.4.97=NTRNL-27370985, O=Ministerie van Defensie, C=NL + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: + ocsp_uri: + +- notice_date: March 2, 2020 + change_type: CA Certificate Issuance + system: CertiPath Bridge CA - G3 + change_description: CertiPath Bridge CA - G3 issued a cross certificate to Carillon PKI Services G2 Root CA 2. + contact: support at certipath dot com + ca_certificate_hash: 5283e2ea0ee49b1deb93841e81b1b5b524b1e0b5 + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Carillon PKI Services G2 Root CA 2, OU=Certification Authorities, O=Carillon Information Security Inc., C=CA + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: + ocsp_uri: + +- notice_date: March 2, 2020 + change_type: CA Certificate Issuance + system: CertiPath Bridge CA - G3 + change_description: CertiPath Bridge CA - G3 issued a cross certificate to Northrop Grumman Corporate Root CA-G2. 
+ contact: support at certipath dot com + ca_certificate_hash: 14f222f9da0bed89beff0028bb0724a66515efc0 + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Northrop Grumman Corporate Root CA-G2, OU=Northrop Grumman Information Technology, O=Northrop Grumman Corporation, C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: http://certdata.northropgrumman.com/certdata/p7c/IssuedByNorthropGrummanCorporateRootCA-G2.p7c + ocsp_uri: + +- notice_date: March 2, 2020 + change_type: CA Certificate Issuance + system: CertiPath Bridge CA - G3 + change_description: CertiPath Bridge CA - G3 issued a cross certificate to NextgenIDRootCA1. + contact: support at certipath dot com + ca_certificate_hash: 7c96f349497d7abf22b83fa9768fee257848e8a8 + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=NextgenIDRootCA1, OU=Certification Authorities, O=NextgenID, C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: http://www.nextgenidtrust.com/PKI/certs/IssuedByNextgenIDRootCA1.p7c + ocsp_uri: + +- notice_date: March 2, 2020 + change_type: CA Certificate Issuance + system: CertiPath Bridge CA - G3 + change_description: CertiPath Bridge CA - G3 issued a cross certificate to Carillon Federal Services PIV-I CA1. 
+ contact: support at certipath dot com + ca_certificate_hash: aff439f001ebdbe7f4a53dc4805cffc78d1e7c63 + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Carillon Federal Services PIV-I CA1, OU=Certification Authorities, O=Carillon Federal Services Inc., C=US + cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl + aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c + sia_uri: + ocsp_uri: + +- notice_date: February 24, 2020 + change_type: CA Certificate Issuance + system: WidePoint NFI Root 2 + change_description: WidePoint NFI Root 2 issued a certificate to ORC NFI CA 3. + contact: pkipolicy at orc dot com + ca_certificate_hash: 84262340df40dadba0206efecf4211b45f7d88c2 + ca_certificate_issuer: CN=WidePoint NFI Root 2, OU=Certification Authorities, O=WidePoint, C=US + ca_certificate_subject: CN=ORC NFI CA 3, O=ORC PKI, C=US + cdp_uri: http://crl-server.orc.com/CRLs/WIDEPOINTNFIROOT2.crl + aia_uri: http://crl-server.orc.com/caCerts/WIDEPOINTNFIROOT2.p7c + sia_uri: + ocsp_uri: + +- notice_date: February 24, 2020 + change_type: CA Certificate Issuance + system: CertiPath Bridge CA - G3 + change_description: CertiPath Bridge CA - G3 issued a cross certificate to the Federal Bridge CA G4. + contact: support at certipath dot com + ca_certificate_hash: f01f590afc18706240ebeab75b5c3e6defd67fb0 + ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US + ca_certificate_subject: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US
+ cdp_uri: http://crl.certipath.com/CertiPathBridgeCA-G3.crl
+ aia_uri: http://aia.certipath.com/CertiPathBridgeCA-G3.p7c
+ sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c
+ ocsp_uri:
+
+- notice_date: February 24, 2020
+ change_type: CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the CertiPath Bridge CA - G3.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 77d6cf512ec6054e9ddf37a37d83c4955228e21c
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://aia.certipath.com/IssuedBy-CertiPathBridgeCA-G3.p7c
+ ocsp_uri:
+
+- notice_date: February 24, 2020
+ change_type: Intent to Perform CA Certificate Revocation
+ system: SAFE Bridge CA 02
+ change_description: SAFE Bridge CA 02 intends to revoke the cross certificate issued to Exostar Federated Identity Service Root CA 2.
+ contact: kyle dot neuman at makeidentitysafe dot com
+ ca_certificate_hash: 534d0225dd69aae7a1820a493156ed1c852c73e4
+ ca_certificate_issuer: CN=SAFE Bridge CA 02, OU=Certification Authorities, O=SAFE-Biopharma, C=US
+ ca_certificate_subject: CN=Exostar Federated Identity Service Root CA 2, OU=Certification Authorities, O=Exostar LLC, C=US
+
+- notice_date: February 20, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ system: CertiPath Bridge CA - G3
+ change_description: CertiPath Bridge CA - G3 intends to issue a cross certificate to the Netherlands Ministry of Defence.
+ contact: support at certipath dot com
+ ca_certificate_hash:
+ ca_certificate_subject: CN=Ministerie van Defensie PKIoverheid Organisatie Persoon CA - G3, 2.5.4.97=NTRNL-27370985, O=Ministerie van Defensie, C=NL
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: February 20, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ system: CertiPath Bridge CA - G3
+ change_description: CertiPath Bridge CA - G3 intends to issue a cross certificate to Carillon PKI Services G2 Root CA 2.
+ contact: support at certipath dot com
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ ca_certificate_subject: CN=Carillon PKI Services G2 Root CA 2, OU=Certification Authorities, O=Carillon Information Security Inc., C=CA
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: February 20, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ system: CertiPath Bridge CA - G3
+ change_description: CertiPath Bridge CA - G3 intends to issue a cross certificate to Northrop Grumman Corporate Root CA-G2. This certificate will replace the certificate issued by CertiPath Bridge CA - G2 expiring on February 29, 2020.
+ contact: support at certipath dot com
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ ca_certificate_subject: CN=Northrop Grumman Corporate Root CA-G2, OU=Northrop Grumman Information Technology, O=Northrop Grumman Corporation, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: February 20, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ system: CertiPath Bridge CA - G3
+ change_description: CertiPath Bridge CA - G3 intends to issue a cross certificate to NextgenIDRootCA1. 
This certificate will replace the certificate issued by CertiPath Bridge CA - G2 expiring on February 29, 2020.
+ contact: support at certipath dot com
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ ca_certificate_subject: CN=NextgenIDRootCA1, OU=Certification Authorities, O=NextgenID, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: February 20, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ system: CertiPath Bridge CA - G3
+ change_description: CertiPath Bridge CA - G3 intends to issue a cross certificate to Carillon Federal Services PIV-I CA1. This certificate will replace the certificate issued by CertiPath Bridge CA - G2 expiring on February 29, 2020.
+ contact: support at certipath dot com
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ ca_certificate_subject: CN=Carillon Federal Services PIV-I CA1, OU=Certification Authorities, O=Carillon Federal Services Inc., C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: February 12, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: February 4, 2020
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the new WidePoint NFI Root 2.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: b0b49b217bce1b18fb374dc629d5f100ba9dde49
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US
+ ca_certificate_subject: CN=WidePoint NFI Root 2, OU=Certification Authorities, O=WidePoint, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://crl-server.orc.com/caCerts/WIDEPOINTNFIROOT2.p7c
+ ocsp_uri:
+
+- notice_date: February 12, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 intends to issue a cross certificate to the planned CertiPath Bridge CA - G3.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=CertiPath Bridge CA - G3, OU=Certification Authorities, O=CertiPath, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: February 11, 2020
+ change_type: Intent to Perform CA Certificate Revocation
+ system: FPKI Trust Infrastructure - Federal Bridge CA 2016
+ change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 intends to revoke the cross certificate issued to the Entrust Managed Services NFI Root CA on or around March 17, 2020.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 220508b0ab72e2ee3acaa6a9ef5001c87c523ea4
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: OU=Entrust Managed Services NFI Root CA, OU=Certification Authorities, O=Entrust, C=US
+
+- notice_date: February 11, 2020
+ change_type: Intent to Perform CA Certificate Revocation
+ system: FPKI Trust Infrastructure - Federal Bridge CA 2016
+ change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 intends to revoke the cross certificate issued to IdenTrust ACES CA 2 on or around February 27, 2020.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: ab973a75fa594f5a97c53e3c50244ae06ca610a8
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=IdenTrust ACES CA 2, OU=IdenTrust Public Sector, O=IdenTrust, C=US
+
+- notice_date: February 11, 2020
+ change_type: Intent to Perform CA Certificate Revocation
+ system: FPKI Trust Infrastructure - Federal Bridge CA 2016
+ change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 intends to revoke the cross certificate issued to IdenTrust Global Common Root CA 1 on or around February 27, 2020.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 052454753d53ff2376737fa7798ec72fab82833c
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=IdenTrust Global Common Root CA 1, O=IdenTrust, C=US
+
+- notice_date: February 11, 2020
+ change_type: Intent to Perform CA Certificate Revocation
+ system: FPKI Trust Infrastructure - Federal Bridge CA 2016
+ change_description: As part of the migration to the Federal Bridge CA G4, the Federal Bridge CA 2016 intends to revoke the cross certificate issued to the TSCP SHA256 Bridge CA on or around February 27, 2020.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 874007002a4a2fff3edcf90eb41adce7c2fb4915
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+
+- notice_date: February 11, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: January 8, 2020
+ system: STRAC Bridge Root Certification Authority
+ change_description: The STRAC Bridge Root Certification Authority issued a cross certificate to the Federal Bridge CA G4.
+ contact: pki at strac dot org
+ ca_certificate_hash: c5229a1bc85e3d6a0b75442cd8b4a91182b6fe14
+ ca_certificate_issuer: CN = STRAC Bridge Root Certification Authority, OU = STRAC PKI Trust Infrastructure, O = STRAC, C = US
+ ca_certificate_subject: CN = Federal Bridge CA G4, OU = FPKI, O = U.S. Government, C = US
+ cdp_uri: http://pki.strac.org/bridge/crl/STRACBridgeRootCA.crl
+ aia_uri: http://pki.strac.org/bridge/certificates/STRACBridgeRootCA.p7c
+ sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c
+ ocsp_uri: http://certstatus.strac.org
+
+- notice_date: January 28, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: January 15, 2020
+ system: TSCP SHA256 Bridge CA
+ change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA issued a cross certificate to the Federal Bridge CA G4.
+ contact: steve dot race at tscp dot org
+ ca_certificate_hash: cc2f344b6c6965073129342f761dc9d55f6ae3fe
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
+ aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
+ sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c
+ ocsp_uri:
+
+- notice_date: January 28, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: January 22, 2020
+ system: TSCP SHA256 Bridge CA
+ change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA issued a cross certificate to Alexion Pharmaceuticals, Inc. This is a renewal for the cross certificate from the TSCP SHA256 Bridge CA to the Alexion Pharmaceuticals Issue 2 CA that expired on January 23, 2020.
+ contact: steve dot race at tscp dot org
+ ca_certificate_hash: 2d7b753e7aee8a31ccf77fc6b1f6ff48a15debba
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject: CN=Alexion Pharmaceuticals Issue 2 CA, OU=CAs, O=Alexion Pharmaceuticals, C=US
+ cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
+ aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: January 28, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: January 28, 2020
+ system: TSCP SHA256 Bridge CA
+ change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA issued a cross certificate to Fortior Solutions. This is a renewal for the cross certificate from the TSCP SHA256 Bridge CA to Fortior Solutions Intermediate CA 2018, expiring February 11, 2020.
+ contact: steve dot race at tscp dot org
+ ca_certificate_hash: 000ea5b4b63f39d083bd5a0777ca334d6ff58c94
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject: CN=Fortior Solutions Intermediate CA 2018, OU=Certificate Authorities, O=Fortior Solutions, C=US
+ cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
+ aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: January 27, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: January 24, 2020
+ system: U.S. Department of State AD Root CA
+ change_description: The Department of State re-keyed U.S. Department of State PIV CA2.
+ contact: shomolp at state dot gov or shanleyrj at state dot gov
+ ca_certificate_hash: 68a4e9ab7a1fb8fb85316a770ff9ca874c020724
+ ca_certificate_issuer: CN=U.S. Department of State AD Root CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu
+ ca_certificate_subject: OU=U.S. Department of State PIV CA2, OU=Certification Authorities, OU=PIV, OU=Department of State, O=U.S. 
Government, C=US
+ cdp_uri: http://crls.pki.state.gov/crls/DoSADPKIRootCA1.crl
+ aia_uri: http://crls.pki.state.gov/AIA/CertsIssuedToDoSADRootCA.p7c
+ sia_uri:
+ ocsp_uri: http://ocsp.pki.state.gov/OCSP/DoSOCSPResponder
+
+- notice_date: January 23, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: U.S. Department of State AD Root CA
+ change_description: The Department of State intends to re-key U.S. Department of State PIV CA2. The CA signing key length will be changed from its current 2048-bit key size to 3072-bits. The re-keyed U.S. Department of State PIV CA2 certificate will be issued from the 4096-bit U.S. Department of State AD Root CA.
+ contact: shomolp at state dot gov or shanleyrj at state dot gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=U.S. Department of State AD Root CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu
+ ca_certificate_subject: OU=U.S. Department of State PIV CA2, OU=Certification Authorities, OU=PIV, OU=Department of State, O=U.S. Government, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: January 21, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: January 17, 2020
+ system: U.S. Department of State AD Root CA
+ change_description: The Department of State AD Root CA issued a new link certificate. The Authority Key Identifier in the new link certificate maps to the Subject Key Identifier found in the 4096-bit certificate issued from the Federal Common Policy CA to the U.S. Department of State AD Root CA.
+ contact: fpki at gsa.gov
+ ca_certificate_hash: 9805f8a8c80be8f691122550d7f5fc163830d751
+ ca_certificate_issuer: CN=U.S. Department of State AD Root CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu
+ ca_certificate_subject: CN=U.S. 
Department of State AD Root CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu
+ cdp_uri: http://crls.pki.state.gov/crls/DoSADPKIRootCA1.crl
+ aia_uri: http://crls.pki.state.gov/AIA/CertsIssuedToDoSADRootCA.p7c
+ sia_uri:
+ ocsp_uri: http://ocsp.pki.state.gov/OCSP/DoSOCSPResponder
+
+- notice_date: January 18, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 intends to issue a cross certificate to the planned WidePoint NFI Root 2.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=WidePoint NFI Root 2, OU=Certification Authorities, O=WidePoint, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: January 18, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: WidePoint NFI Root 2
+ change_description: The planned WidePoint NFI Root 2 intends to issue a certificate to ORC NFI CA 3.
+ contact: pkipolicy at orc dot com
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=WidePoint NFI Root 2, OU=Certification Authorities, O=WidePoint, C=US
+ ca_certificate_subject: CN=ORC NFI CA 3, O=ORC PKI, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: January 18, 2020
+ change_type: Intent to Perform CA Certificate Revocation
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge CA 2016
+ change_description: The Federal Bridge CA 2016 intends to revoke the cross certificate issued to WidePoint NFI Root 1.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 92bc06fe6b27cbe4723f309f34681fc57c8166ce
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. 
Government, C=US
+ ca_certificate_subject: CN=WidePoint NFI Root 1, OU=Certification Authorities, O=WidePoint, C=US
+ cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl
+ aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c
+ sia_uri: http://crl-server.orc.com/caCerts/WIDEPOINTNFIROOT1.p7c
+ ocsp_uri:
+
+- notice_date: January 18, 2020
+ change_type: Intent to Decommission CA
+ start_datetime:
+ system: WidePoint NFI Root 1
+ change_description: WidePoint intends to decommission WidePoint NFI Root 1. All certificates issued by WidePoint NFI Root 1 will be revoked before the CA is decommissioned.
+ contact: pkipolicy at orc dot com
+ ca_certificate_hash:
+ ca_certificate_issuer:
+ ca_certificate_subject:
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: January 18, 2020
+ change_type: Intent to Perform CA Certificate Revocation
+ start_datetime:
+ system: ORC NFI CA 3
+ change_description: WidePoint intends to revoke the cross certificate issued by ORC NFI CA 3 to the Federal Bridge CA 2016.
+ contact: pkipolicy at orc dot com
+ ca_certificate_hash: 739425b5e2fd18cc84efb67415bafacb67e0d3a8
+ ca_certificate_issuer: CN=ORC NFI CA 3, O=ORC PKI, C=US
+ ca_certificate_subject: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ cdp_uri: http://crl-server.orc.com/CRLs/ORCNFI3.crl
+ aia_uri: http://crl-server.orc.com/caCerts/ORCNFI3.p7c
+ sia_uri: http://http.fpki.gov/bridge/caCertsIssuedByfbca2016.p7c
+ ocsp_uri: http://nfi3.eva.orc.com/
+
+- notice_date: January 15, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: January 8, 2020
+ system: STRAC Bridge Root Certification Authority
+ change_description: The STRAC Bridge Root Certification Authority issued a cross certificate to the FTI Certification Authority.
+ contact: pki at strac dot org
+ ca_certificate_hash: f012c16cfeda614c5ca43e464c91e316f5067933
+ ca_certificate_issuer: CN=STRAC Bridge Root Certification Authority, OU=STRAC PKI Trust Infrastructure, O=STRAC, C=US
+ ca_certificate_subject: CN=FTI Certification Authority, OU=FTI PKI Trust Infrastructure, O=Foundation for Trusted Identity, C=US
+ cdp_uri: http://pki.strac.org/bridge/crl/STRACBridgeRootCA.crl
+ aia_uri: http://pki.strac.org/bridge/certificates/STRACBridgeRootCA.p7c
+ sia_uri: http://pki.fti.org/fti_ca/certificates/FTICA.p7c
+ ocsp_uri: http://certstatus.strac.org
+
+- notice_date: January 7, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: TSCP SHA256 Bridge CA
+ change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA intends to issue a cross certificate to Alexion Pharmaceuticals, Inc. This is a renewal for the cross certificate from the TSCP SHA256 Bridge CA to the Alexion Pharmaceuticals Issue 2 CA, expiring January 23, 2020.
+ contact: steve dot race at tscp dot org
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject: CN=Alexion Pharmaceuticals Issue 2 CA, OU=CAs, O=Alexion Pharmaceuticals, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: January 7, 2020
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: TSCP SHA256 Bridge CA
+ change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA intends to issue a cross certificate to Fortior Solutions. This is a renewal for the cross certificate from the TSCP SHA256 Bridge CA to Fortior Solutions Intermediate CA 2018, expiring February 11, 2020.
+ contact: steve dot race at tscp dot org
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject: CN=Fortior Solutions Intermediate CA 2018, OU=Certificate Authorities, O=Fortior Solutions, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: January 2, 2020
+ change_type: CA Certificate Expiration
+ start_datetime: January 9, 2017
+ system: FPKI Trust Infrastructure
+ change_description: The certificate issued by the Federal Common Policy CA to SHA-1 Federal Root CA G2 expired on December 31, 2019. The expiration of this certificate marks the complete deprecation of SHA-1 certificates in the Federal PKI.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 27c589ff2853bd1949cfa433f36a5e285b2e2c7c
+ ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=SHA-1 Federal Root CA G2, OU = FPKI, O = U.S. Government, C = US
+ cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl
+ aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c
+ sia_uri: http://http.fpki.gov/sha1frca/caCertsIssuedBysha1frcaG2.p7c
+ ocsp_uri:
+
+- notice_date: January 2, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: December 18, 2019
+ system: FPKI Trust Infrastructure - Federal Common Policy CA
+ change_description: The Federal Common Policy CA issued a cross certificate to the U.S. Department of State AD Root CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: ce11590010562a39ad8b1455acf76c03737aebf6
+ ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=U.S. 
Department of State AD Root CA, CN=AIA,CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu
+ cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl
+ aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c
+ sia_uri: http://crls.pki.state.gov/SIA/CertsIssuedByADRootCA.p7c
+ ocsp_uri:
+
+- notice_date: January 2, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: December 18, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to Symantec Class 3 SSP Intermediate CA - G3.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: a99a0d6510b59b6dc92270eae1f24fbc21d2dcce
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Symantec Class 3 SSP Intermediate CA - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://ssp-sia.symauth.com/STNSSP/Certs_Issued_by_Class3SSPCA-G3.p7
+ ocsp_uri:
+
+- notice_date: January 2, 2020
+ change_type: CA Certificate Issuance
+ start_datetime: December 17, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the STRAC Bridge Root Certification Authority.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: c6d4d588000e823cfaf2ecf551ebcd3827fd71b6
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US
+ ca_certificate_subject: CN=STRAC Bridge Root Certification Authority, OU=STRAC PKI Trust Infrastructure, O=STRAC, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://pki.strac.org/bridge/certificates/STRACBridgeRootCA.p7c
+ ocsp_uri:
+
+- notice_date: December 23, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: December 18, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the TSCP SHA256 Bridge CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: db3f9cceb6c6be4c03e0997070d09e7e0e7ee38a
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://tscp-sia.symauth.com/IssuedBy-tscpbcasha256.p7c
+ ocsp_uri:
+
+- notice_date: December 23, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: December 17, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the SAFE Bridge CA 02.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 600319e6c322229f88e0f434ba96fb0dfd00252e
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US
+ ca_certificate_subject: CN=SAFE Bridge CA 02, OU=Certification Authorities, O=SAFE-Biopharma, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://sbca2.safe-biopharma.org/sbca/issuedbySBCA02.p7c
+ ocsp_uri:
+
+- notice_date: December 23, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: December 17, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the IdenTrust Global Common Root CA 1.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 2800ea6ecdeb8efc1cf4c042d712e8622e0cbb1a
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=IdenTrust Global Common Root CA 1, O=IdenTrust, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://validation.identrust.com/roots/IssuedbyIGCRootCA1.p7c
+ ocsp_uri:
+
+- notice_date: December 23, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: December 17, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the IdenTrust ACES CA 2.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 1e5a60b592dfdbeea3d99a5225abc5e2239b987e
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US
+ ca_certificate_subject: CN=IdenTrust ACES CA 2, OU=IdenTrust Public Sector, O=IdenTrust, C = US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://validation.identrust.com/certs/issuedbyacesca2.p7c
+ ocsp_uri:
+
+- notice_date: December 23, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: December 16, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the GPO PCA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: de8171556288add44e16d631653c46adab4dcf79
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: OU=GPO PCA, OU=Certification Authorities, OU=Government Printing Office, O=U.S. Government, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://www.gpo-fbca-crls.ois.gpo.gov/caCertsIssuedByGPO.p7c
+ ocsp_uri:
+
+- notice_date: December 23, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: December 16, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the Entrust Managed Services NFI Root CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 313f87f0eb4f8e6c658f5e66f58764282c54fba4
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US
+ ca_certificate_subject: OU=Entrust Managed Services NFI Root CA, OU=Certification Authorities, O=Entrust, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://nfirootweb.managed.entrust.com/SIA/CAcertsIssuedByNFIRootCA.p7c
+ ocsp_uri:
+
+- notice_date: December 23, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: December 16, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the DoD Interoperability Root CA 2.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: ad9f51f8030956e9b85423256911868fd7a370cb
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://crl.disa.mil/issuedby/DODINTEROPERABILITYROOTCA2_IB.p7c
+ ocsp_uri:
+
+- notice_date: December 23, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: December 16, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the DigiCert Federated ID L3 CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 28f059e2dffac9de78fb7a1670c082dad2522d3b
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. 
Government, C=US
+ ca_certificate_subject: CN=DigiCert Federated ID L3 CA, OU=www.digicert.com, O=DigiCert Inc, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: December 20, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: December 18, 2019
+ system: DigiCert Federal Shared Service Provider
+ change_description: The DigiCert Federal SSP Intermediate CA intends to issue a new issuing CA certificates on behalf of the U.S. Department of Education.
+ contact: aaron dot poulsen at digicert dot com
+ ca_certificate_hash: b44b95f6f4d382b8b2c85e9cfc020ec72458ed70
+ ca_certificate_issuer: CN = DigiCert Federal SSP Intermediate CA - G5, O = DigiCert, Inc., C = US
+ ca_certificate_subject: CN = U.S. Department of Education Device CA - G5, OU = U.S. Department of Education, O = U.S. Government, C = US
+ cdp_uri: http://ssp-crl.digicert.com/SSP/SSPG5.crl
+ aia_uri: http://ssp-aia.digicert.com/SSP/Certs_issued_to_SSPCAG5.p7c
+ sia_uri:
+ ocsp_uri: http://ssp-ocsp.digicert.com
+
+- notice_date: December 17, 2019
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: DigiCert Federal Shared Service Provider
+ change_description: The DigiCert Federal SSP Intermediate CA intends to issue a new issuing CA certificates on behalf of the U.S. Department of Education.
+ ca_certificate_hash:
+ ca_certificate_issuer: CN = DigiCert Federal SSP Intermediate CA - G5, O = DigiCert, Inc., C = US
+ ca_certificate_subject: CN = U.S. Department of Education Device CA - G5, OU = U.S. Department of Education, O = U.S. 
Government, C = US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: December 16, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: December 12, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the United States Patent and Trademark Office's USPTO_INTR_CA1.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 978ec2f323452f8f46932b8550663d68b6e96af7
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=USPTO_INTR_CA1, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=uspto, DC=gov
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://ipki.uspto.gov/IPKI/Certs/IPKICACerts.p7c
+ ocsp_uri:
+
+- notice_date: December 16, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: December 12, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the CertiPath Bridge CA - G2.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 3bfc4df881682f8846bff486d422025aee7494d8
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://certipath-sia.symauth.com/IssuedBy-CertiPathBridgeCA-G2.p7c
+ ocsp_uri:
+
+- notice_date: December 16, 2019
+ change_type: CA Decommission
+ start_datetime:
+ system: Federal PKI Trust Infrastructure - SHA-1 Federal Root CA
+ change_description: The SHA-1 Federal Root CA was decommissioned.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer:
+ ca_certificate_subject:
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+
+- notice_date: December 16, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: December 12, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal Bridge CA G4 issued a cross certificate to the Federal Common Policy CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 4ac107ee2151f0cb6b54ef350759f7bb51a3fca2
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ cdp_uri: http://repo.fpki.gov/bridge/fbcag4.crl
+ aia_uri: http://repo.fpki.gov/bridge/caCertsIssuedTofbcag4.p7c
+ sia_uri: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c
+ ocsp_uri:
+
+- notice_date: December 16, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: December 12, 2019
+ system: FPKI Trust Infrastructure - Federal Common Policy CA
+ change_description: The Federal Common Policy CA issued a cross certificate to the new Federal Bridge CA G4.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: e836f3016bfb6e8df274f27fd8a4a5054517b0f1
+ ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl
+ aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c
+ sia_uri: http://repo.fpki.gov/bridge/caCertsIssuedByfbcag4.p7c
+ ocsp_uri:
+
+- notice_date: December 9, 2019
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The Federal PKI Management Authority intends to migrate CAs currently cross-certified by the Federal Bridge CA 2016 to the planned Federal Bridge CA G4.
Certificate expiration dates will be the same as those in the valid certificates issued by the Federal Bridge CA 2016. Once all CA certificates have migrated, all active certificates issued by the Federal Bridge CA 2016 will be revoked and the Federal Bridge CA 2016 will be decommissioned (estimated to take place in March 2020).
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: Comma-separated list of the eleven (11) CA Subject Names planned for issuance - 1. OU=GPO PCA, OU=Certification Authorities, OU=Government Printing Office, O=U.S. Government, C=US, 2. CN=Symantec Class 3 SSP Intermediate CA - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US, 3. OU=Entrust Managed Services NFI Root CA, OU=Certification Authorities, O=Entrust, C=US, 4. CN=SAFE Bridge CA 02, OU=Certification Authorities, O=SAFE-Biopharma, C=US, 5. CN=IdenTrust ACES CA 2, OU=IdenTrust Public Sector, O=IdenTrust, C=US, 6. CN=IdenTrust Global Common Root CA 1, O=IdenTrust, C=US, 7. CN=STRAC Bridge Root Certification Authority, OU=STRAC PKI Trust Infrastructure, O=STRAC, C=US, 8. CN=DigiCert Federated ID L3 CA, OU=www.digicert.com, O=DigiCert Inc, C=US, 9. CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US, 10. CN=WidePoint NFI Root 1, OU=Certification Authorities, O=WidePoint, C=US, 11. CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: December 9, 2019
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The planned Federal Bridge CA G4 intends to issue a cross certificate to the Exostar Federated Identity Service Root CA 2. The new certificate will replace the existing certificate issued by the Federal Bridge CA 2016 (expires April 30, 2020).
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer:
+ ca_certificate_subject:
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: December 9, 2019
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Common Policy CA
+ change_description: The Federal Common Policy CA intends to issue a certificate to the U.S. Department of State AD Root CA. The new certificate will replace the existing certificate (expires on January 27, 2020).
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=U.S. Department of State AD Root CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: December 9, 2019
+ change_type: Intent to Perform CA Certificate Revocation
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge CA 2016
+ change_description: The Federal PKI Management Authority intends to revoke the certificate issued by the Federal Bridge CA 2016 to ORC NFI CA 3 (operated by WidePoint).
+ contact: fpki at gsa.gov
+ ca_certificate_hash: b625da07302016d2837023bab94b6e0d76fc2e45
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=ORC NFI CA 3, O=ORC PKI, C=US
+ cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl
+ aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c
+ sia_uri: http://crl-server.orc.com/caCerts/ORCNFI3_SIA.p7c
+ ocsp_uri:
+
+- notice_date: December 5, 2019
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The planned Federal Bridge CA G4 intends to issue a cross certificate to the CertiPath Bridge CA - G2.
The new certificate will replace the existing certificate issued by the Federal Bridge CA 2016 (expires December 15, 2019)
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: December 5, 2019
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge CA G4
+ change_description: The planned Federal Bridge CA G4 intends to issue a cross certificate to the United States Patent and Trademark Office's USPTO_INTR_CA1. The new certificate issued to USPTO_INTR_CA1 will replace the existing certificate issued by the Federal Bridge CA 2016 (expires December 15, 2019)
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=USPTO_INTR_CA1, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=uspto, DC=gov
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: November 29, 2019
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: TSCP SHA256 Bridge CA
+ change_description: The Transglobal Secure Collaboration Program (TSCP) SHA256 Bridge CA intends to issue a cross certificate to Carillon Federal Services.
+ contact: steve dot race at tscp dot org
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject:
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: November 4, 2019
+ change_type: Intent to Decommission CA
+ system: Federal PKI Management Authority - SHA-1 Federal Root CA
+ change_description: The Federal PKI Management Authority intends to decommission the SHA-1 Federal Root CA in December 2019 after the expiration of all remaining valid CA certificates it issued (DoD Interoperability Root CA 1 and CertiPath Bridge CA).
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 27C589FF2853BD1949CFA433F36A5E285B2E2C7C
+ ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=SHA-1 Federal Root CA G2, OU=FPKI, O=U.S. Government, C=US
+
+- notice_date: October 28, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: October 28, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA 2016
+ change_description: The Federal Bridge CA 2016 issued a cross certificate to the Federal Common Policy CA. The certificate has a validity period of one year.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 38341412caa3d72ade61022240411444d21b1de9
+ ca_certificate_issuer: Federal Bridge CA 2016
+ ca_certificate_subject: Federal Common Policy CA
+ cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl
+ aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c
+ sia_uri: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c
+
+- notice_date: October 28, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: October 28, 2019
+ system: FPKI Trust Infrastructure - Federal Common Policy CA
+ change_description: The Federal Common Policy CA issued a cross certificate to the Federal Bridge CA 2016. The certificate has a validity period of one year.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: bd38b7e253cfc5dd278a927f88833fb44c6af03a
+ ca_certificate_issuer: Federal Common Policy CA
+ ca_certificate_subject: Federal Bridge CA 2016
+ cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl
+ aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c
+ sia_uri: http://http.fpki.gov/bridge/caCertsIssuedByfbca2016.p7c
+
+- notice_date: September 30, 2019
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Common Policy CA
+ change_description: The FPKIMA intends to issue a certificate from the Federal Common Policy CA to the planned Federal Bridge CA G4. CAs with valid certificates issued by the Federal Bridge CA 2016 will be migrated to the Federal Bridge CA G4, allowing for the Federal Bridge CA 2016 to be decommissioned.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: September 30, 2019
+ change_type: CA Certificate Revocation
+ system: Federal Bridge CA 2016
+ change_description: The FPKIMA revoked the certificate issued from the Federal Bridge CA 2016 to the decommissioned ORC ACES 4 CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 5573FCC5E6FFFF2B710181ACCAA2EFDADB8F0F4E
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S.
Government, C=US
+ ca_certificate_subject: CN=ORC ACES 4, O=ORC PKI, C=US
+ cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl
+ aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c
+ sia_uri: http://crl-server.orc.com/caCerts/ORCACES4_SIA.p7c
+ ocsp_uri:
+
+- notice_date: September 3, 2019
+ change_type: Intent to Perform CA Certificate Revocation
+ system: GSA ACES and Federal Bridge CA 2016
+ change_description: WidePoint has decommissioned the ORC ACES 4 CA. The FPKIMA intends to revoke the certificate issued from the Federal Bridge CA to the ORC ACES 4 CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 5573FCC5E6FFFF2B710181ACCAA2EFDADB8F0F4E
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=ORC ACES 4, O=ORC PKI, C=US
+
+- notice_date: August 14, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: August 14, 2019
+ system: FPKI Trust Infrastructure - Federal Common Policy CA
+ change_description: The Federal Common Policy CA issued an updated certificate to the US Treasury Root CA. The updated certificate adds the following certificate policy object identifiers to the US Treasury Root CA certificate's existing set - id-fpki-certpcy-pivi-hardware (2.16.840.1.101.3.2.1.3.18), id-fpki-certpcy-pivi-cardAuth (2.16.840.1.101.3.2.1.3.19), and id-fpki-certpcy-pivi-contentSigning (2.16.840.1.101.3.2.1.3.20).
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 48ce02a99ae2cc4f790f2989aa153ed565b7e4d2
+ ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S.
Government, C=US
+ cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl
+ aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c
+ sia_uri: http://pki.treasury.gov/root_sia.p7c
+ ocsp_uri:
+
+- notice_date: August 14, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: August 14, 2019
+ system: FPKI Trust Infrastructure - Federal Common Policy CA
+ change_description: The Federal Common Policy CA issued a certificate to the re-keyed Entrust Managed Services Root CA. Entrust will cut over to and begin issuance from the re-keyed Entrust Managed Services Root and SSP CA certificates on Friday, September 27, 2019, between 6:00 PM Eastern – 10:00 PM Eastern.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: a09655170c87d0fbfe0328b99a7baf4a1cf0b5d9
+ ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: OU=Entrust Managed Services Root CA, OU=Certification Authorities, O=Entrust, C=US
+ cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl
+ aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c
+ sia_uri: http://rootweb.managed.entrust.com/SIA/CertsIssuedByEMSRootCA.p7c
+ ocsp_uri:
+
+- notice_date: August 14, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: August 13, 2019
+ system: Entrust Federal Shared Service Provider
+ change_description: The recently re-keyed Entrust Managed Services Root CA issued a certificate to the re-keyed Entrust Managed Services SSP CA. Entrust will publish and begin issuance from the re-keyed Entrust Managed Services SSP CA on Friday, September 27, 2019, between 6:00 PM Eastern – 10:00 PM Eastern. In the meantime, the certificate is available at https://enrollwebfed.managed.entrust.com/fssp/cda-docs/html/FedCertsoverviewfed.html.
+ contact: Cris dot TenEyck at entrustdatacard dot com and Howard dot Freitag at entrustdatacard dot com
+ ca_certificate_hash: 722e8abbe6b66e47d1bcec3c7ec47aa5bbe4d3c5
+ ca_certificate_issuer: OU=Entrust Managed Services Root CA, OU=Certification Authorities, O=Entrust, C=US
+ ca_certificate_subject: OU=Entrust Managed Services SSP CA, OU=Certification Authorities, O=Entrust, C=US
+ cdp_uri: http://rootweb.managed.entrust.com/CRLs/EMSRootCA3.crl
+ aia_uri: http://rootweb.managed.entrust.com/AIA/CertsIssuedToEMSRootCA.p7c
+ sia_uri:
+ ocsp_uri: http://ocsp.managed.entrust.com/OCSP/EMSRootCAResponder
+
+- notice_date: August 14, 2019
+ change_type: CA Certificate Revocation
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge CA 2016
+ change_description: On August 14, 2019, the Federal Bridge CA 2016 revoked the cross certificate issued to ORC NFI CA 2.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: b055c6ee104e01eb688c8fb4f87cf77ca376afdb
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=ORC NFI CA 2, O=ORC PKI, C=US
+ cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl
+ aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c
+ sia_uri: http://crl-server.orc.com/caCerts/ORCNFI2_SIA.p7c
+ ocsp_uri:
+
+- notice_date: August 09, 2019
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Common Policy CA
+ change_description: The Federal Common Policy CA intends to issue an updated certificate to the US Treasury Root CA. The updated certificate will add the following certificate policy object identifiers to the US Treasury Root CA certificate's existing set - id-fpki-certpcy-pivi-hardware (2.16.840.1.101.3.2.1.3.18), id-fpki-certpcy-pivi-cardAuth (2.16.840.1.101.3.2.1.3.19), and id-fpki-certpcy-pivi-contentSigning (2.16.840.1.101.3.2.1.3.20).
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: August 08, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: August 06, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA 2016
+ change_description: The Federal Bridge CA 2016 issued a cross certificate to the TSCP SHA256 Bridge CA.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 874007002a4a2fff3edcf90eb41adce7c2fb4915
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl
+ aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c
+ sia_uri: http://tscp-sia.symauth.com/IssuedBy-tscpbcasha256.p7c
+ ocsp_uri:
+
+- notice_date: August 08, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: August 06, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA 2016
+ change_description: The Federal Bridge CA 2016 issued a cross certificate to WidePoint NFI Root 1.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 92bc06fe6b27cbe4723f309f34681fc57c8166ce
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S.
Government, C=US
+ ca_certificate_subject: CN=WidePoint NFI Root 1, OU=Certification Authorities, O=WidePoint, C=US
+ cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl
+ aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c
+ sia_uri: http://crl-server.orc.com/caCerts/WIDEPOINTNFIROOT1.p7c
+ ocsp_uri:
+
+- notice_date: August 08, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: August 06, 2019
+ system: FPKI Trust Infrastructure - Federal Bridge CA 2016
+ change_description: The Federal Bridge CA 2016 issued a cross certificate to DoD Interoperability Root CA 2.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 73050d5b629cf6286be972afddfa31d2864b4f35
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S. Government, C=US
+ cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl
+ aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c
+ sia_uri: http://crl.disa.mil/issuedby/DODINTEROPERABILITYROOTCA2_IB.p7c
+ ocsp_uri:
+
+- notice_date: August 08, 2019
+ change_type: CA Certificate Revocation
+ start_datetime:
+ system: Verizon NFI
+ change_description: On August 08, 2019, Verizon NFI revoked the certificate issued from CT-CSSP-CA-A1 to the Federal Bridge CA 2016.
+ contact: andre dot varacka at verizon dot com
+ ca_certificate_hash: 73dccf6418522b69a50a96721aeb96441e6ef3c0
+ ca_certificate_issuer: CN=CT-CSSP-CA-A1, OU=PKI, OU=Services, O=Cybertrust, C=US
+ ca_certificate_subject: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S.
Government, C=US
+ cdp_uri: http://cdp1.com-strong-id.net/CDP/CT-CSSP-CA-A1.cr
+ aia_uri: http://aia1.com-strong-id.net/CA/CT-CSSP-CA-A1.p7c
+ sia_uri: http://http.fpki.gov/bridge/caCertsIssuedByfbca2016.p7c
+ ocsp_uri: http://ocsp1.com-strong-id.net/CT-CSSP-CA-A1
+
+- notice_date: August 08, 2019
+ change_type: CA Certificate Revocation
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge CA 2016
+ change_description: On August 06, 2019, the Federal Bridge CA 2016 revoked the cross certificate issued to CN=CT-CSSP-CA-A1, OU=PKI, OU=Services, O=Cybertrust, C=US (operated by Verizon NFI).
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 687066bce56b6e20aea0c605b9b6679342269f21
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=CT-CSSP-CA-A1, OU=PKI, OU=Services, O=Cybertrust, C=US
+ cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl
+ aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c
+ sia_uri: http://sia1.com-strong-id.net/CA/CT-CSSP-CA-A1-SIA.p7c
+ ocsp_uri:
+
+- notice_date: August 07, 2019
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Common Policy CA
+ change_description: The Federal Common Policy CA intends to issue a certificate to the Entrust Managed Services Root CA, pending the Entrust Managed Services Root CA re-key.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: ou=Entrust Managed Services Root CA, ou=Certification Authorities, o=Entrust, c=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: July 26, 2019
+ change_type: Intent to Perform CA Certificate Revocation
+ system: Verizon Non-Federal Issuer (NFI)
+ change_description: Verizon NFI intends to revoke the cross certificate issued from CT-CSSP-CA-A1 to the Federal Bridge CA 2016.
+ contact: andre dot varacka at verizon dot com
+ ca_certificate_hash: 73 dc cf 64 18 52 2b 69 a5 0a 96 72 1a eb 96 44 1e 6e f3 c0
+ ca_certificate_issuer: CN=CT-CSSP-CA-A1, OU=PKI, OU=Services, O=Cybertrust, C=US
+ ca_certificate_subject: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+
+- notice_date: July 25, 2019
+ change_type: Intent to Perform CA Certificate Revocation
+ system: FPKI Trust Infrastructure - Federal Bridge 2016
+ change_description: The Federal Bridge CA 2016 intends to revoke the cross certificate issued to CN=CT-CSSP-CA-A1, OU=PKI, OU=Services, O=Cybertrust, C=US (operated by Verizon NFI).
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash: 68 70 66 bc e5 6b 6e 20 ae a0 c6 05 b9 b6 67 93 42 26 9f 21
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: CN=CT-CSSP-CA-A1, OU=PKI, OU=Services, O=Cybertrust, C=US
+
+- notice_date: July 24, 2019
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: FPKI Trust Infrastructure - Federal Bridge 2016
+ change_description: The Federal Bridge CA 2016 intends to issue cross certificates to DoD Interoperability Root CA 2, TSCP SHA256 Bridge CA, and WidePoint NFI Root CA 1. Certificate issuance is expected to take place before August 15, 2019.
+ contact: fpki dash help at gsa.gov
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US
+ ca_certificate_subject: Three certificates are planned for issuance. (1) CN=DoD Interoperability Root CA 2, OU=PKI, OU=DoD, O=U.S.
Government, C=US, (2) CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US, and (3) CN=WidePoint NFI Root 1, OU=Certification Authorities, O=WidePoint, C=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: July 23, 2019
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: Entrust Federal Shared Service Provider
+ change_description: Entrust intends to re-key both the Entrust Managed Services Root CA and the Entrust Managed Services SSP CA. The Entrust Managed Services Root CA re-key event is planned for August 13, 2019. Entrust also communicated intent to request a new cross certificate from the Federal Common Policy CA to the Entrust Managed Services Root CA, once the re-key is complete. This notification will be updated as Entrust communicates the finalized event timeline with the Federal PKI Support Team.
+ contact: Cris dot TenEyck at entrustdatacard dot com and Howard dot Freitag at entrustdatacard dot com
+ ca_certificate_hash:
+ ca_certificate_issuer: ou=Entrust Managed Services Root CA, ou=Certification Authorities, o=Entrust, c=US
+ ca_certificate_subject: Two certificates are planned for issuance (1) ou=Entrust Managed Services Root CA, ou=Certification Authorities and (2) o=Entrust, c=US and ou=Entrust Managed Services SSP CA, ou=Certification Authorities, o=Entrust, c=US
+ cdp_uri:
+ aia_uri:
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: July 11, 2019
+ change_type: CA Certificate Revocation
+ start_datetime:
+ system: Symantec Class 3 SSP Intermediate CA - G3 (DigiCert)
+ change_description: On July 10, 2019, DigiCert decommissioned the CSRA FBCA C3 CA. Previously active end entity certificates issued from CSRA FBCA C3 CA were revoked before CA decommissioning.
+ contact: steve dot medin at digicert dot com
+ ca_certificate_hash: faed5b3aa85bfea0ba8ba884689706044dfc0ec9
+ ca_certificate_issuer: Symantec Class 3 SSP Intermediate CA - G3
+ ca_certificate_subject: CSRA FBCA C3 CA
+ cdp_uri: http://ssp-crl.symauth.com/STNSSP/Class3SSPCAG3.crl
+ aia_uri: http://ssp-aia.symauth.com/STNSSP/Certs_issued_to_Class3SSPCA-G3.p7c
+ sia_uri: http://ssp-sia.symauth.com/STNSSP/Certs_Issued_by_Class3SSPCA-G3.p7c
+ ocsp_uri: http://ssp-ocsp.symauth.com
+
+- notice_date: July 8, 2019
+ change_type: CA Certificate Revocation
+ start_datetime:
+ system: Symantec Class 3 SSP Intermediate CA - G3 (DigiCert)
+ change_description: On July 3, 2019, DigiCert decommissioned several CAs chaining to Symantec Class 3 SSP Intermediate CA - G3. Previously active end entity certificates issued from the CAs listed below were revoked before CA decommissioning.
+ contact: steve dot medin at digicert dot com
+ ca_certificate_hash: Multiple CA certificates were revoked. Comma-separated list of CA hashes - 3DFB1CB09BE5D1430DF9CE8E04F501ADB86CA176, 1EC98449B18472D6C2F516A4D0976350D5DD829A, CF9229CB50BF5DC25C156C4F825A67E2964236C8, D4C786468511920E538C24384B3132D07DBACAF0, D514632CE34BF94C816A565DBB8FBB6BAD5FF335, 82E6536172F69E30786C9670840DB37077B5C08C, and F8912B3C9F3EB30F8A8D5A14E8038BD9BC6B771D
+ ca_certificate_issuer: Symantec Class 3 SSP Intermediate CA - G3
+ ca_certificate_subject: Multiple CA certificates were revoked. Comma-separated list of CA Subject Names - CSRA FBCA C4 Device CA, CSRA FBCA C4 CA, CSRA FBCA C3 Device CA, SureID Inc. CA2, SureID Inc.
Device CA1, Eid Passport LRA Content Signer CA 3, and Eid Passport LRA Device 2 CA
+ cdp_uri: http://ssp-crl.symauth.com/STNSSP/Class3SSPCAG3.crl
+ aia_uri: http://ssp-aia.symauth.com/STNSSP/Certs_issued_to_Class3SSPCA-G3.p7c
+ sia_uri: http://ssp-sia.symauth.com/STNSSP/Certs_Issued_by_Class3SSPCA-G3.p7c
+ ocsp_uri: http://ssp-ocsp.symauth.com
+
+- notice_date: July 2, 2019
+ change_type: CA Certificate Revocation
+ start_datetime:
+ system: Verizon NFI
+ change_description: On July 1, 2019, Verizon decommissioned Trans Sped Mobile QCA and VZ-SMC-CA-B2. Previously active end entity certificates issued from the CAs were revoked before CA decommissioning.
+ contact: abdul dot nur at verizon dot com
+ ca_certificate_hash: 8EF17043FAD28004F407BABECE21A7C42BE4F275 and A4108B1D93D4F8837584FAEA8496847914606C29
+ ca_certificate_issuer: CT-CSSP-CA-A1
+ ca_certificate_subject: Trans Sped Mobile QCA and VZ-SMC-CA-B2
+ cdp_uri: http://cdp1.com-strong-id.net/CDP/CT-CSSP-CA-A1.crl
+ aia_uri: http://aia1.com-strong-id.net/CA/CT-CSSP-CA-A1.p7c
+ sia_uri:
+ ocsp_uri: http://ocsp1.com-strong-id.net/CT-CSSP-CA-A1
+
+- notice_date: June 25, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: June 22, 2019
+ system: US Treasury Root CA
+ change_description: Treasury re-keyed the OCIO CA. Treasury communicated the intent to re-key this CA on March 13, 2019. Although the re-keyed certificate has been published, its private key will not be used for signing end entity certificates until June 29, 2019. The new certificate is available at https://pki.treasury.gov/crl_certs.htm
+ contact: pki dot pmo at fiscal dot treasury dot gov
+ ca_certificate_hash: e651a5dc6a1305613a22e46548e1666650c2825f
+ ca_certificate_issuer: OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US
+ ca_certificate_subject: OU=OCIO CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S.
Government, C=US
+ cdp_uri: http://pki.treasury.gov/US_Treasury_Root_CA1.crl
+ aia_uri: http://pki.treasury.gov/toca_aia.p7c
+ sia_uri: http://pki.treasury.gov/toca_sia.p7c
+ ocsp_uri:
+
+- notice_date: June 25, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: June 22, 2019
+ system: US Treasury Root CA
+ change_description: Treasury re-keyed the Department of Veterans Affairs CA. Treasury communicated the intent to re-key this CA on March 13, 2019. Although the re-keyed certificate has been published, its private key will not be used for signing end entity certificates until June 29, 2019. The new certificate is available at https://pki.treasury.gov/crl_certs.htm
+ contact: pki dot pmo at fiscal dot treasury dot gov
+ ca_certificate_hash: 76cc898f03eb0fc7e0877aac30a0c1340bb34879
+ ca_certificate_issuer: OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US
+ ca_certificate_subject: OU=Department of Veterans Affairs CA, OU=Certification Authorities, OU=Department of Veterans Affairs, O=U.S. Government, C=US
+ cdp_uri: http://pki.treasury.gov/US_Treasury_Root_CA1.crl
+ aia_uri: http://pki.treasury.gov/vaca_aia.p7c
+ sia_uri: http://pki.treasury.gov/vaca_sia.p7c
+ ocsp_uri:
+
+- notice_date: June 25, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: June 19, 2019
+ system: CertiPath Bridge CA - G2
+ change_description: CertiPath Bridge CA - G2 issued a new cross certificate to the Ministerie van Defensie Certificatie Autoriteit - G2 CA.
+ contact: support at certipath dot com
+ ca_certificate_hash: b94b710964a6c1d53b3809e45d5805eca1e0c786
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US
+ ca_certificate_subject: CN=Ministerie van Defensie Certificatie Autoriteit - G2, O=Ministerie van Defensie, C=NL
+ cdp_uri: http://certipath-crl.symauth.com/CertiPathBridgeCA-G2.crl
+ aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeCA-G2.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: June 25, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: June 19, 2019
+ system: CertiPath Bridge CA - G2
+ change_description: CertiPath Bridge CA - G2 issued a new cross certificate to the Raytheon Root CA.
+ contact: support at certipath dot com
+ ca_certificate_hash: 3afe40cb546fdec2d0b77454cebe5fb01d3dbb3a
+ ca_certificate_issuer: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US
+ ca_certificate_subject: CN=Raytheon Root CA, OU=RaytheonRoot-g2, O=CAs, DC=raytheon, DC=com
+ cdp_uri: http://certipath-crl.symauth.com/CertiPathBridgeCA-G2.crl
+ aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeCA-G2.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: June 14, 2019
+ change_type: Intent to Perform CA Certificate Issuance
+ start_datetime:
+ system: DocuSign Root CA
+ change_description: The DocuSign Root CA (cross-certified with the TSCP SHA256 Bridge CA) intends to certify an issuing certification authority.
+ contact: steve dot race at tscp dot org
+ ca_certificate_hash:
+ ca_certificate_issuer: CN=DocuSign Root CA, OU=TSCP, O=DocuSign Inc., C=US
+ ca_certificate_subject:
+ cdp_uri: http://crl.dsf.docusign.net/DocuSignRootCA.crl
+ aia_uri: http://crt.dsf.docusign.net/DocuSignRootCA.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: June 14, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: June 12, 2019
+ system: TSCP SHA256 Bridge CA
+ change_description: The TSCP SHA256 Bridge CA issued a cross certificate to the DocuSign Root CA
+ contact: steve dot race at tscp dot org
+ ca_certificate_hash: D1382AE6DACA5A69FE75B34635F529C79D5E2D90
+ ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US
+ ca_certificate_subject: CN=DocuSign Root CA, OU=TSCP, O=DocuSign Inc., C=US
+ cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl
+ aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c
+ sia_uri:
+ ocsp_uri:
+
+- notice_date: June 6, 2019
+ change_type: CA Certificate Issuance
+ start_datetime: June 6, 2019
+ system: Department of Homeland Security Certification Authority (DHSCA)
+ change_description: DHS re-keyed the DHSCA on June 6, 2019. DHS communicated the intent to re-key this CA on April 20, 2019. The new certificate is available at https://pki.treasury.gov/crl_certs.htm
+ contact: gladys dot garcia at hq dot dhs dot gov
+ ca_certificate_hash: 58085a64e181573f4fd917c5c021eb1cf344dd5f
+ ca_certificate_issuer: OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US
+ ca_certificate_subject: OU=DHS CA4, OU=Certification Authorities, OU=Department of Homeland Security, O=U.S.
Government, C=US + cdp_uri: http://pki.treasury.gov/US_Treasury_Root_CA1.crl + aia_uri: http://pki.treasury.gov/dhsca_aia.p7c + sia_uri: http://pki.treasury.gov/dhsca_sia.p7c + ocsp_uri: + +- notice_date: June 3, 2019 + change_type: CA Certificate Issuance + start_datetime: May 7, 2019 + system: ECA Root CA 4 + change_description: ECA Root CA 4 issued a certificate to the new IdenTrust ECA S22C CA + contact: disa dot meade dot mae dot list dot pkieca at mail dot mil + ca_certificate_hash: 858169080268C6473EC59293A412224659F1AC7B + ca_certificate_issuer: CN=ECA Root CA 4,OU=ECA,O=U.S. Government,C=US + ca_certificate_subject: CN=IdenTrust ECA S22C,OU=Certification Authorities,OU=ECA,O=U.S. Government,C=US + cdp_uri: http://crl.disa.mil/crl/ECAROOTCA4.crl + aia_uri: http://crl.disa.mil/issuedto/ECAROOTCA4_IT.p7c + sia_uri: + ocsp_uri: http://ocsp.disa.mil + +- notice_date: June 3, 2019 + change_type: CA Certificate Issuance + start_datetime: May 7, 2019 + system: ECA Root CA 4 + change_description: ECA Root CA 4 issued a certificate to the new IdenTrust ECA S22 CA + contact: disa dot meade dot mae dot list dot pkieca at mail dot mil + ca_certificate_hash: A7BCFC00C818D2697D49C9407A5C7C2EEE250F00 + ca_certificate_issuer: CN=ECA Root CA 4,OU=ECA,O=U.S. Government,C=US + ca_certificate_subject: CN=IdenTrust ECA S22,OU=Certification Authorities,OU=ECA,O=U.S. Government,C=US + cdp_uri: http://crl.disa.mil/crl/ECAROOTCA4.crl + aia_uri: http://crl.disa.mil/issuedto/ECAROOTCA4_IT.p7c + sia_uri: + ocsp_uri: http://ocsp.disa.mil + +- notice_date: May 15, 2019 + change_type: CA Certificate Revocation + start_datetime: May 28, 2019 + system: Federal Common Policy CA + change_description: ORC SSP 3 CA has been decommissioned and the CA certificate from the Federal Common Policy CA revoked + contact: fpki dash help at gsa.gov + ca_certificate_hash: BBFA5ABD8A09D73BE1FA30363F87402FEC5316F9 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=ORC SSP 3, O=ORC PKI, C=US + +- notice_date: May 9, 2019 + change_type: Intent to Decommission CA + start_datetime: + system: SAFE-BioPharma + change_description: Synchronoss has informed SAFE-BioPharma that it will decommission the Zentry Certificate Authority that is currently cross-certified with the SAFE-BioPharma Bridge CA on July 1, 2019. Synchronoss will perform the following actions on this date - 1) Revoke all unexpired certificates issued from this CA, 2) Issue a long-term CRL, and 3) Destroy the CA signing keys. Synchronoss confirms that a long-term data archive is being implemented in accordance with SAFE-BioPharma archive requirements. + contact: dsimonetti at safe-biopharma dot org + ca_certificate_hash: 833D2A24326C8EA10B60FD0FEB4AA0811B1747DD + ca_certificate_issuer: CN=SAFE Bridge CA 02, OU=Certification Authorities, O=SAFE-Biopharma, C=US + ca_certificate_subject: CN=Trans Sped SAFE CA III, OU=Individual Subscriber CA, O=Trans Sped SRL, C=RO + cdp_uri: http://sbca2.safe-biopharma.org/sbca/SBCA02.crl + aia_uri: http://sbca2.safe-biopharma.org/sbca/issuedtoSBCA02.p7c + sia_uri: + ocsp_uri: + +- notice_date: May 6, 2019 + change_type: CA Certificate Issuance + start_datetime: May 4, 2019 + system: US Treasury Root CA + change_description: Treasury re-keyed the NASA Operational Certification Authority. + contact: pki dot pmo at fiscal dot treasury dot gov. + ca_certificate_hash: f504012b1fe57b4381e3bf5ba9f491144ed76ee1 + ca_certificate_issuer: OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US + ca_certificate_subject: OU=NASA Operational CA, OU=Certification Authorities, OU=NASA, O=U.S. 
Government, C=US + cdp_uri: http://pki.treasury.gov/US_Treasury_Root_CA1.crl + aia_uri: http://pki.treasury.gov/noca_aia.p7c + sia_uri: http://pki.treasury.gov/noca_sia.p7c + ocsp_uri: + +- notice_date: April 29, 2019 + change_type: Infrastructure Change + start_datetime: April 29, 2019 + system: FPKI Trust Infrastructure + change_description: The Federal Public Key Infrastructure Management Authority has completed its implementation of a Content Delivery Network for HyperText Transfer Protocol (HTTP) artifacts of the Federal Bridge CA 2016, Federal Common Policy CA, and SHA1 Federal Root CA. See https://fpki.idmanagement.gov/announcements/fpki-repository-migration/ for more information. + contact: fpki dash help at gsa.gov + +- notice_date: April 26, 2019 + change_type: CA Certificate Issuance + start_datetime: April 21, 2019 + system: CertiPath Bridge + change_description: Issuance of cross certificate from CertiPath Bridge CA–G2 to Lockheed Martin Root Certification Authority 2. + contact: support at certipath dot com + ca_certificate_hash: 90c55c1fa32a82c6e8f44e3e4ad8e4c08ade150f + ca_certificate_issuer: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US + ca_certificate_subject: CN=Lockheed Martin Root Certification Authority 2, OU=Certification Authorities, O=Lockheed Martin Corporation, L=Denver, S=Colorado, C=US + cdp_uri: http://certipath-crl.symauth.com/CertiPathBridgeCA-G2.crl + aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeCA-G2.p7c + sia_uri: + ocsp_uri: + +- notice_date: April 26, 2019 + change_type: CA Certificate Issuance + start_datetime: April 21, 2019 + system: CertiPath Bridge + change_description: Issuance of cross certificate from CertiPath Bridge CA–G2 to Federal Bridge CA 2016. 
+ contact: support at certipath dot com + ca_certificate_hash: fce64c867d1af8e1c1ff5b07a869af5f3e6f823f + ca_certificate_issuer: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US + ca_certificate_subject: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US + cdp_uri: http://certipath-crl.symauth.com/CertiPathBridgeCA-G2.crl + aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeCA-G2.p7c + sia_uri: http://http.fpki.gov/bridge/caCertsIssuedByfbca2016.p7c + ocsp_uri: + +- notice_date: April 26, 2019 + change_type: CA Certificate Issuance + start_datetime: April 21, 2019 + system: CertiPath Bridge + change_description: Issuance of cross certificate from CertiPath Bridge CA–G2 to Boeing PCA G3. + contact: support at certipath dot com + ca_certificate_hash: de7b8e78b8866caac3af1fb871be49369cdd6c5c + ca_certificate_issuer: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US + ca_certificate_subject: CN=Boeing PCA G3, OU=certservers, O=Boeing, C=US + cdp_uri: http://certipath-crl.symauth.com/CertiPathBridgeCA-G2.crl + aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeCA-G2.p7c + sia_uri: + ocsp_uri: + +- notice_date: April 26, 2019 + change_type: CA Certificate Issuance + start_datetime: April 21, 2019 + system: CertiPath Bridge + change_description: Issuance of cross certificate from CertiPath Bridge CA to Boeing PCA G2. 
+ contact: support at certipath dot com + ca_certificate_hash: e88050f8628bc42cae691fd96c3bb676411e2c24 + ca_certificate_issuer: CN=CertiPath Bridge CA, OU=Certification Authorities, O=CertiPath LLC, C=US + ca_certificate_subject: CN=Boeing PCA G2, OU=certservers, O=Boeing, C=US + cdp_uri: http://certipath-crl.symauth.com/CertiPathLLCCertiPathBridgeCA.crl + aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeRootCA.p7c + sia_uri: + ocsp_uri: + +- notice_date: April 26, 2019 + change_type: Intent to Decommission Multiple CAs + start_datetime: + system: Verizon Non-Federal Issuer (NFI) + change_description: Verizon is planning to decommission several CAs. Any valid end entity certificates will be revoked; the CAs will be decommissioned and archived; and then the CA certificate issued to CT-CSSP-CA-A1 from the Federal Bridge CA will be revoked. + contact: abdul dot nur at verizon dot com + ca_certificate_hash: Comma-separated list of CA hashes planned for revocation/decommissioning - 687066BCE56B6E20AEA0C605B9B6679342269F21, 8EF17043FAD28004F407BABECE21A7C42BE4F275, and A4108B1D93D4F8837584FAEA8496847914606C29 + ca_certificate_issuer: CT-CSSP-CA-A1 (issuer of Trans Sped Mobile QCA and VZ-SMC-CA-B2) and Federal Bridge CA 2016 (issuer of CT-CSSP-CA-A1) + ca_certificate_subject: Comma-separated list of CA Subject Names planned for revocation/decommissioning - CN=Trans Sped Mobile QCA,OU=Individual Subscriber CA,O=Trans Sped SRL,C=RO, CN=VZ-SMC-CA-B2,OU=PKI,OU=Services,O=Cybertrust,C=US, and CN=CT-CSSP-CA-A1,OU=PKI,OU=Services,O=Cybertrust,C=US + cdp_uri: + aia_uri: + sia_uri: + ocsp_uri: + +- notice_date: April 20, 2019 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: June 6, 2019 + system: Department of Homeland Security Certification Authority (DHSCA) + change_description: DHS intends to re-key the DHSCA on 6/6/2019. 
Certificates will be available following the key update at https://pki.treasury.gov/crl_certs.htm + contact: gladys dot garcia at hq dot dhs dot gov + ca_certificate_hash: + ca_certificate_issuer: + ca_certificate_subject: OU=DHS CA4, OU=Certification Authorities, OU=Department of Homeland Security, O=U.S. Government, C=US + cdp_uri: + aia_uri: + sia_uri: + ocsp_uri: + +- notice_date: April 12, 2019 + change_type: Infrastructure Change + start_datetime: On or around April 22, 2019 + system: Federal PKI Trust Infrastructure + change_description: The Federal Public Key Infrastructure Management Authority is implementing a Content Delivery Network for HyperText Transfer Protocol (HTTP) artifacts of the Federal Bridge CA 2016, Federal Common Policy CA, SHA1 Federal Root CA, and the soon to be commissioned TLS Root CA. The HTTP artifacts include certificate revocation lists, certificates, and certificate bundles (P7C files). No URLs will change with this migration. See https://fpki.idmanagement.gov/announcements/fpki-repository-migration/ for more information. + contact: fpki dash help at gsa.gov + ca_certificate_hash: + ca_certificate_issuer: + ca_certificate_subject: + cdp_uri: + aia_uri: + sia_uri: + ocsp_uri: + +- notice_date: April 7, 2019 + change_type: CA Certificate Issuance + start_datetime: April 7, 2019 + system: US Treasury Root CA + change_description: Treasury re-keyed the Social Security Administration Certification Authority. Treasury communicated the intent to re-key this CA on February 26, 2019. + contact: pki dot pmo at fiscal dot treasury dot gov. + ca_certificate_hash: 897A79FD488D426D6C50D0BA026F698BCA3334F4 + ca_certificate_issuer: OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US + ca_certificate_subject: OU=Social Security Administration Certification Authority, OU=SSA, O=U.S. 
Government, C=US + cdp_uri: http://pki.treasury.gov/US_Treasury_Root_CA1.crl + aia_uri: http://pki.treasury.gov/ssaca_aia.p7c + sia_uri: http://pki.treasury.gov/ssaca_sia.p7c + ocsp_uri: + +- notice_date: April 2, 2019 + change_type: CA Certificate Issuance + start_datetime: April 2, 2019 + system: Federal Common Policy CA + change_description: CA certificate issuance from Federal Common Policy CA to Treasury Root CA + contact: fpki dash help at gsa.gov + ca_certificate_hash: fa392ea2972eb4edd1929932602a1909ac9558bc + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: Treasury Root CA + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://pki.treasury.gov/root_sia.p7c + +- notice_date: April 2, 2019 + change_type: CA Certificate Revocation + start_datetime: April 2, 2019 + system: Federal Common Policy CA + change_description: The Verizon SSP CA A2 was issued a new CA certificate on December 5, 2018. This notification communicates the revocation of the prior certificate. + contact: fpki dash help at gsa.gov + ca_certificate_hash: a9d3a8ac016dba9fa12685bf59dcc39f5dcaf781 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: Verizon SSP CA A2 + +- notice_date: March 25, 2019 + change_type: Intent to Decommission Multiple CAs + start_datetime: + system: Symantec Class 3 SSP Intermediate CA - G3 (DigiCert) + change_description: DigiCert is planning to decommission several CAs chaining to Symantec Class 3 SSP Intermediate CA - G3. Any remaining active certificates issued from the CAs listed below will be revoked before CA decommissioning. + contact: steve dot medin at digicert dot com + ca_certificate_hash: Multiple CA certificates will be revoked before decommissioning. 
Comma-separated list of CA hashes planned for revocation/decommissioning - 2938CC1B586C8B1A76832973389AB25C53F3658F, 3DFB1CB09BE5D1430DF9CE8E04F501ADB86CA176, 1EC98449B18472D6C2F516A4D0976350D5DD829A, CF9229CB50BF5DC25C156C4F825A67E2964236C8, FAED5B3AA85BFEA0BA8BA884689706044DFC0EC9, D4C786468511920E538C24384B3132D07DBACAF0, D514632CE34BF94C816A565DBB8FBB6BAD5FF335, 82E6536172F69E30786C9670840DB37077B5C08C, and F8912B3C9F3EB30F8A8D5A14E8038BD9BC6B771D + ca_certificate_issuer: Symantec Class 3 SSP Intermediate CA - G3 + ca_certificate_subject: Multiple CA certificates will be revoked before decommissioning. Comma-separated list of CA Subject Names planned for revocation/decommissioning - CSC CA - 2, CSRA FBCA C4 Device CA, CSRA FBCA C4 CA, CSRA FBCA C3 Device CA, CSRA FBCA C3 CA, SureID Inc. CA2, SureID Inc. Device CA1, Eid Passport LRA Content Signer CA 3, and Eid Passport LRA Device 2 CA + cdp_uri: http://ssp-crl.symauth.com/STNSSP/Class3SSPCAG3.crl + aia_uri: http://ssp-aia.symauth.com/STNSSP/Certs_issued_to_Class3SSPCA-G3.p7c + sia_uri: http://ssp-sia.symauth.com/STNSSP/Certs_Issued_by_Class3SSPCA-G3.p7c + ocsp_uri: http://ssp-ocsp.symauth.com + +- notice_date: March 13, 2019 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: June 29, 2019 + system: US Treasury + change_description: Treasury intends to re-key the Treasury OCIO CA (TOCA) on 6/29/2019. Certificates will be available following the key update at https://pki.treasury.gov. + contact: pki dot pmo at fiscal dot treasury dot gov + ca_certificate_hash: + ca_certificate_issuer: + ca_certificate_subject: ou=OCIO CA, ou=Certification Authorities, ou=Department of the Treasury, o=U.S. 
Government, c=US + cdp_uri: + aia_uri: + sia_uri: + ocsp_uri: + +- notice_date: March 6, 2019 + change_type: CA Certificate Issuance + start_datetime: March 4, 2019 + system: DigiCert Federal SSP Intermediate CA - G5 + change_description: DigiCert Federal SSP Intermediate CA - G5 issued a certificate to U.S. Department of Transportation Agency CA G5. + contact: steve dot medin at digicert dot com + ca_certificate_hash: b1d05e5b9e025ea4b3b3e30dc3f45a19f9ec51f6 + ca_certificate_issuer: CN=DigiCert Federal SSP Intermediate CA - G5, O=DigiCert, Inc., C=US + ca_certificate_subject: CN=U.S. Department of Transportation Agency CA G5, OU=U.S. Department of Transportation, O=U.S. Government, C=US + cdp_uri: http://ssp-crl.digicert.com/SSP/SSPG5.crl + aia_uri: http://ssp-aia.digicert.com/SSP/Certs_issued_to_SSPCAG5.p7c + sia_uri: + ocsp_uri: http://ssp-ocsp.digicert.com + +- notice_date: March 6, 2019 + change_type: CA Certificate Issuance + start_datetime: March 4, 2019 + system: DigiCert Federal SSP Intermediate CA - G5 + change_description: DigiCert Federal SSP Intermediate CA - G5 issued a certificate to U.S. Department of Transportation Device CA G5. + contact: steve dot medin at digicert dot com + ca_certificate_hash: 263a035b50fc26368dd9a38894764b3f3592fb17 + ca_certificate_issuer: CN=DigiCert Federal SSP Intermediate CA - G5, O=DigiCert, Inc., C=US + ca_certificate_subject: CN=U.S. Department of Transportation Device CA G5, OU=U.S. Department of Transportation, O=U.S. 
Government, C=US + cdp_uri: http://ssp-crl.digicert.com/SSP/SSPG5.crl + aia_uri: http://ssp-aia.digicert.com/SSP/Certs_issued_to_SSPCAG5.p7c + sia_uri: + ocsp_uri: http://ssp-ocsp.digicert.com + +- notice_date: March 5, 2019 + change_type: CA Certificate Revocation + start_datetime: March 4, 2019 + system: FPKI Trust Infrastructure - Federal Bridge 2016 + change_description: Revocation performed on the certificate issued from the Federal Bridge CA 2016 to DigiCert Federated ID CA-1 + contact: fpki dash help at gsa.gov + ca_certificate_hash: e8 0b dd c6 1e d8 c4 3a d0 95 fc 94 62 17 be 45 bd d3 47 c1 + ca_certificate_issuer: Federal Bridge CA 2016 + ca_certificate_subject: DigiCert Federated ID CA-1 + +- notice_date: March 5, 2019 + change_type: CA Certificate Revocation + start_datetime: March 4, 2019 + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: Revocation performed on the certificate issued from the Federal Common Policy CA to the Verizon Betrusted Production SSP CA A1 + contact: fpki dash help at gsa.gov + ca_certificate_hash: 06 01 bb da d5 a2 82 31 bc 94 36 75 0b 4f 3a 48 4b ab 06 c3 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: Betrusted Production SSP CA A1 + +- notice_date: March 5, 2019 + change_type: CA Certificate Issuance + start_datetime: February 28, 2019 + system: FPKI Trust Infrastructure - Federal Bridga CA + change_description: New cross certificate issued from Federal Bridge CA 2016 to DigiCert Federated ID L3 CA + contact: fpki dash help at gsa.gov + ca_certificate_hash: 11E615170E4862535762EC128565377F1A813B51 + ca_certificate_issuer: cn=Federal Bridge CA 2016,ou=FPKI,o=U.S. 
Government,c=US + ca_certificate_subject: cn=DigiCert Federated ID L3 CA,ou=www.digicert.com,o=DigiCert Inc,c=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + +- notice_date: February 28, 2019 + change_type: CA Certificate Issuance + start_datetime: February 25, 2019 + system: CertiPath Bridge + change_description: Issuance of cross certificate from CertiPath Bridge CA - G2 to Northrop Grumman Corporate Root CA-G2 + contact: judith dot spencer at certipath dot com + ca_certificate_hash: 6F14FDA78D34B603ABE060D9FD16331DAC646878 + ca_certificate_issuer: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US + ca_certificate_subject: CN=Northrop Grumman Corporate Root CA-G2, OU=Northrop Grumman Information Technology, O=Northrop Grumman Corporation, C=US + cdp_uri: http://certipath-crl.symauth.com/CertiPathBridgeCA-G2.crl + aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeCA-G2.p7c + sia_uri: + ocsp_uri: + +- notice_date: February 28, 2019 + change_type: CA Certificate Issuance + start_datetime: February 25, 2019 + system: CertiPath Bridge + change_description: Issuance of cross certificate from CertiPath Bridge CA - G2 to NextgenIDRootCA1 + contact: judith dot spencer at certipath dot com + ca_certificate_hash: C8EC9DAB6354FA4E2BF292B0A542F37436965723 + ca_certificate_issuer: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US + ca_certificate_subject: CN=NextgenIDRootCA1, OU=Certification Authorities, O=NextgenID, C=US + cdp_uri: http://certipath-crl.symauth.com/CertiPathBridgeCA-G2.crl + aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeCA-G2.p7c + sia_uri: + ocsp_uri: + +- notice_date: February 28, 2019 + change_type: CA Certificate Issuance + start_datetime: February 25, 2019 + system: CertiPath Bridge + change_description: Issuance of cross certificate from CertiPath Bridge CA - G2 to Carillon Federal Services PIV-I CA1 
+ contact: judith dot spencer at certipath dot com + ca_certificate_hash: FA75A4149838AFE4DEF18BAD39B5EFD6187D1A8B + ca_certificate_issuer: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US + ca_certificate_subject: CN=Carillon Federal Services PIV-I CA1, OU=Certification Authorities, O=Carillon Federal Services Inc., C=US + cdp_uri: http://certipath-crl.symauth.com/CertiPathBridgeCA-G2.crl + aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeCA-G2.p7c + sia_uri: + ocsp_uri: + +- notice_date: February 28, 2019 + change_type: CA Certificate Issuance + start_datetime: February 25, 2019 + system: CertiPath Bridge + change_description: Issuance of cross certificate from CertiPath Bridge CA - G2 to CISRCA1 + contact: judith dot spencer at certipath dot com + ca_certificate_hash: EB23C015A0B4037738D54A088A653498D394F050 + ca_certificate_issuer: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US + ca_certificate_subject: CN=CISRCA1, OU=Certification Authorities, O=Carillon Information Security Inc., C=CA + cdp_uri: http://certipath-crl.symauth.com/CertiPathBridgeCA-G2.crl + aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeCA-G2.p7c + sia_uri: + ocsp_uri: + +- notice_date: February 26, 2019 + change_type: Intent to Perform CA Certificate Issuance + start_datetime: April 7, 2019 + system: US Treasury + change_description: Treasury intends to re-key the Social Security Administration CA on 4/7/2019. Certificates will be available following the key update at https://pki.treasury.gov. + contact: pki dot pmo at fiscal dot treasury dot gov + ca_certificate_hash: + ca_certificate_issuer: + ca_certificate_subject: ou=Social Security Administration Certification Authority, ou=SSA, o=U.S. 
Government, c=US + cdp_uri: + aia_uri: + sia_uri: + ocsp_uri: + +- notice_date: February 21, 2019 + change_type: CA Certificate Issuance + start_datetime: February 20, 2019 + system: STRAC Bridge Root Certification Authority + change_description: New cross certificate issued from STRAC Bridge Root Certification Authority to Federal Bridge 2016 + contact: pki at strac dot org + ca_certificate_hash: EE02BDB684AB4714C5F25300C41C5B8F328B0CD9 + ca_certificate_issuer: C=US, O=STRAC, OU=STRAC PKI Trust Infrastructure, CN=STRAC Bridge Root Certification Authority + ca_certificate_subject: C=US, O=STRAC, OU=STRAC PKI Trust Infrastructure, CN=STRAC Bridge Root Certification Authority + cdp_uri: http://pki.strac.org/bridge/crl/STRACBridgeRootCA.crl + aia_uri: http://pki.strac.org/bridge/certificates/STRACBridgeRootCA.p7c + sia_uri: http://http.fpki.gov/bridge/caCertsIssuedByfbca2016.p7c + ocsp_uri: http://certstatus.strac.org + +- notice_date: February 15, 2019 + change_type: CA Certificate Issuance + start_datetime: February 14, 2019 + system: FPKI Trust Infrastructure - Federal Bridge 2016 + change_description: New cross certificate issued from Federal Bridge CA 2016 to STRAC Bridge Root Certification Authority + contact: fpki at gsa.gov + ca_certificate_hash: 1f92eb3654f60a9092811f7948afff45c09a6ca9 + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=STRAC Bridge Root Certification Authority, OU=STRAC PKI Trust Infrastructure, O=STRAC, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://pki.strac.org/bridge/certificates/STRACBridgeRootCA.p7c + +- notice_date: February 13, 2019 + change_type: CA Certificate Issuance + start_datetime: December 18, 2018 + system: DigiCert Federal SSP Intermediate CA - G5 + change_description: Certificate issuance to NRC SSP Device CA G4 + contact: steve dot medin at digicert dot com + ca_certificate_hash: 81f4fdb9f5dca2940416d483f011111984116ba9 + ca_certificate_issuer: CN=DigiCert Federal SSP Intermediate CA - G5, O=DigiCert, Inc., C=US + ca_certificate_subject: CN=NRC SSP Device CA G4, OU=U.S. Nuclear Regulatory Commission, O=U.S. Government, C=US + cdp_uri: http://ssp-crl.digicert.com/SSP/SSPG5.crl + aia_uri: http://ssp-aia.digicert.com/SSP/Certs_issued_to_SSPCAG5.p7c + ocsp_uri: http://ssp-ocsp.digicert.com + +- notice_date: February 13, 2019 + change_type: CA Certificate Issuance + start_datetime: December 18, 2018 + system: DigiCert Federal SSP Intermediate CA - G5 + change_description: Certificate issuance to NRC SSP Agency CA G4 + contact: steve dot medin at digicert dot com + ca_certificate_hash: 1a03581dcf159d206accd7bdd176c788a0862353 + ca_certificate_issuer: CN=DigiCert Federal SSP Intermediate CA - G5, O=DigiCert, Inc., C=US + ca_certificate_subject: CN=NRC SSP Agency CA G4, OU=U.S. Nuclear Regulatory Commission, O=U.S. 
Government, C=US + cdp_uri: http://ssp-crl.digicert.com/SSP/SSPG5.crl + aia_uri: http://ssp-aia.digicert.com/SSP/Certs_issued_to_SSPCAG5.p7c + ocsp_uri: http://ssp-ocsp.digicert.com + +- notice_date: February 12, 2019 + change_type: Intent to Perform CA Certificate Revocation + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: Revocation planned for the certificate issued from the Federal Common Policy CA to the Verizon Betrusted Production SSP CA A1 + contact: fpki dash help at gsa.gov + ca_certificate_hash: 06 01 bb da d5 a2 82 31 bc 94 36 75 0b 4f 3a 48 4b ab 06 c3 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: Betrusted Production SSP CA A1 + +- notice_date: February 11, 2019 + change_type: URI Change (IP addresses) + start_datetime: April 6, 2019 + system: Symantec Managed PKI + change_description: DigiCert will be moving the federal PKI shared service provider CAs (government) and other managed PKI to new data centers. The address ranges in the new data centers will be as follows - 216.168.245.0/24, 216.168.246.0/24, 216.168.248.0/24, and 216.168.249.0/24. Be prepared to update network configurations as necessary. This activity is planned to take place between 15:30 UTC, April 6, 2019 and 3:30 UTC, April 7, 2019. See https://knowledge.digicert.com/generalinformation/digicert-symantec-managed-pki-data-center-migration-information-.html for more information. 
+ contact: steve dot medin at digicert dot com + ca_certificate_hash: + ca_certificate_issuer: + ca_certificate_subject: + cdp_uri: + aia_uri: + sia_uri: + ocsp_uri: + +- notice_date: February 11, 2019 + change_type: Intent to Perform CA Certificate Issuance + system: FPKI Trust Infrastructure - Federal Bridge 2016 + change_description: New cross certificate planned for issuance from Federal Bridge CA 2016 to DigiCert Federated ID L3 CA + contact: fpki at gsa.gov + +- notice_date: February 11, 2019 + change_type: Intent to Perform CA Certificate Revocation + system: FPKI Trust Infrastructure - Federal Bridge 2016 + change_description: Revocation planned for the certificate issued from the Federal Bridge CA 2016 to DigiCert Federated ID CA-1 + contact: fpki at gsa.gov + ca_certificate_hash: e8 0b dd c6 1e d8 c4 3a d0 95 fc 94 62 17 be 45 bd d3 47 c1 + ca_certificate_issuer: Federal Bridge CA 2016 + ca_certificate_subject: DigiCert Federated ID CA-1 + +- notice_date: February 11, 2019 + change_type: Intent to Perform CA Certificate Issuance + system: FPKI Trust Infrastructure - Federal Bridge 2016 + change_description: New cross certificate planned for issuance from Federal Bridge CA 2016 to STRAC Bridge Root Certification Authority + contact: fpki at gsa.gov + +- notice_date: February 4, 2019 + change_type: CA Certificate Issuance + start_datetime: January 23, 2019 + system: TSCP SHA256 Bridge CA + change_description: Issuance of a cross certificate to Alexion Pharmaceuticals, Inc + contact: steve dot race at tscp dot org + ca_certificate_hash: 692a53fa725e5581a5b1db1c3d7b27e6feb9cae8 + ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US + ca_certificate_subject: CN=Alexion Pharmaceuticals Issue 2 CA, OU=CAs, O=Alexion Pharmaceuticals, C=US + cdp_uri: http://pki-crl.symauth.com/ca_1e66febad947306a6a338bb6f7971bca/LatestCRL.crl + aia_uri: http://cacer.symauth.com/mpki/AlexionIssuingCA2.p7c + +- notice_date: January 3, 2019 + change_type: CA 
Certificate Issuance + start_datetime: February 11, 2019 + system: Fortior Solutions Intermediate CA 2018 + change_description: Issuance of a cross certificate to TSCP Bridge + contact: steve dot race at tscp dot org + ca_certificate_hash: dc4b77d79b815187f5e0e73d13f6fe41cab86fab + ca_certificate_issuer: CN=Fortior Solutions Intermediate CA 2018, OU=Certificate Authorities, O=Fortior Solutions, C=US + ca_certificate_subject: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US + cdp_uri: http://pki-crl.symauth.com/FortiorSolutions/FortiorSolutionsICA2018.crl + aia_uri: http://cacer.symauth.com/mpki/FortiorSolutionsICA2018.p7c + +- notice_date: January 3, 2019 + change_type: CA Certificate Issuance + start_datetime: February 11, 2019 + system: TSCP SHA256 Bridge CA + change_description: Issuance of a cross certificate to Fortior Solutions, Inc. + contact: steve dot race at tscp dot org + ca_certificate_hash: aebdf407b44afd431d8364012e096aea2a32a55d + ca_certificate_issuer: CN=TSCP SHA256 Bridge CA, OU=CAs, O=TSCP Inc., C=US + ca_certificate_subject: CN=Fortior Solutions Intermediate CA 2018, OU=Certificate Authorities, O=Fortior Solutions, C=US + cdp_uri: http://tscp-crl.symauth.com/tscpbcasha256.crl + aia_uri: http://tscp-aia.symauth.com/IssuedTo-tscpbcasha256.p7c + +- notice_date: December 19, 2018 + change_type: CA Certificate Issuance + start_datetime: December 19, 2018 + system: SAFE-BioPharma Bridge CA + change_description: Issuance of a new cross certificate from the SAFE BioPharma Bridge CA to IdenTrust SAFE-BioPharma CA 1 + contact: dsimonetti at safe-biopharma dot org + ca_certificate_hash: 245f753f8a315a83bd0be8cf70833503f99fd2d2 + ca_certificate_issuer: CN=SAFE Bridge CA 02, OU=Certification Authorities, O=SAFE-Biopharma, C=US + ca_certificate_subject: CN=IdenTrust SAFE-BioPharma CA 1, OU=IdenTrust Global Common, O=IdenTrust, C=US + cdp_uri: http://sbca2.safe-biopharma.org/sbca/SBCA02.crl + aia_uri: http://sbca2.safe-biopharma.org/sbca/issuedtoSBCA02.p7c 
+ +- notice_date: December 11, 2018 + change_type: CA Certificate Issuance + start_datetime: December 13, 2018 + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: Issuance of a new CA certificate from the Federal Common Policy CA to Digicert Federal SSP Intermediate CA - G5. This CA certificate is new but intended as a rekey for the Symantec SSP Intermediate CA – G4 CA certificate. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 98 b5 82 47 ac 8a 2b c6 f3 48 f0 3e 8d 22 88 4d 83 45 fc 0f + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=DigiCert Federal SSP Intermediate CA - G5, O=DigiCert, Inc., C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://ssp-sia.digicert.com/SSP/Certs_issued_by_SSPCAG5.p7c + +- notice_date: December 12, 2018 + change_type: CA Certificate Issuance + start_datetime: December 5, 2018 + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: Certificate issuance from the Federal Common Policy CA to the Verizon SSP CA A2 to add the Derived PIV OID + contact: fpki dash help at gsa.gov + ca_certificate_hash: 47 7b f4 01 7d 25 cd e2 76 cd dd f7 56 d4 0c a5 91 d7 6f 6d + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=Verizon SSP CA A2, OU=SSP, O=Verizon, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://sia1.ssp-strong-id.net/CA/VZ-SSP-CA-A2-SIA.p7c + +- notice_date: November 9, 2018 + change_type: URI Change + start_datetime: November 16, 2018 + system: Entrust PKI Shared Service Provider, Entrust NFI Shared Services + change_description: A new IP address will be added to the IP range for the OCSP services. 
Federal agencies should review firewall rules and internet gateway whitelists and adjust any rules to encompass the new IP address. Users may experience sporadic PIV authentication errors to the federal networks if firewall rules or whitelists are blocking this new IP address. There are no changes to the URIs in the end entity certificates. Please email the contact to request the new IP address as needed. + contact: fpki at gsa.gov + ocsp_uri: ocsp.managed.entrust.com, ocspproofs.managed.entrust.com, nfiocsp.managed.entrust.com, doesspocsp.managed.entrust.com, hhspkiocsp.managed.entrust.com, feddcsocsp.managed.entrust.com + +- notice_date: September 7, 2018 + change_type: CA Certificate Issuance + start_datetime: August 29, 2018 + system: FPKI Trust Infrastructure - Federal Common Policy CA + change_description: Issuance of a cross certificate from the Federal Common Policy CA to the US Treasury Root CA. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 5a 87 92 2b 5e af 1d 63 19 8a 95 1b 2a b6 f5 9b 2f 16 c1 31 + ca_certificate_issuer: CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. Government, C=US + cdp_uri: http://http.fpki.gov/fcpca/fcpca.crl + aia_uri: http://http.fpki.gov/fcpca/caCertsIssuedTofcpca.p7c + sia_uri: http://pki.treasury.gov/root_sia.p7c + +- notice_date: August 23, 2018 + change_type: CA Certificate Issuance + start_datetime: August 30, 2018 + system: SAFE Biopharma Bridge CA + change_description: A new cross certificate was issued from the SAFE Biopharma Bridge CA to the Federal Bridge 2016 CA + contact: + ca_certificate_hash: 54 0c 2a c5 9f 8b 5b ab 1b 6a df 42 1a 7c 50 f0 90 1e 3d 54 + ca_certificate_issuer: CN=SAFE Bridge CA 02, OU=Certification Authorities, O=SAFE-Biopharma, C=US + ca_certificate_subject: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. 
Government, C=US + cdp_uri: http://sbca2.safe-biopharma.org/sbca/SBCA02.crl + aia_uri: http://sbca2.safe-biopharma.org/sbca/issuedtoSBCA02.p7c + sia_uri: http://http.fpki.gov/bridge/caCertsIssuedByfbca2016.p7c + +- notice_date: August 23, 2018 + change_type: CA Certificate Issuance + start_datetime: August 21, 2018 + system: FPKI Trust Infrastructure - Federal Bridge 2016 + change_description: A new cross certificate was issued from the Federal Bridge 2016 to the IdenTrust ACES CA 2 + contact: FPKI dash help at gsa.gov + ca_certificate_hash: ab 97 3a 75 fa 59 4f 5a 97 c5 3e 3c 50 24 4a e0 6c a6 10 a8 + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=IdenTrust ACES CA 2, OU=IdenTrust Public Sector, O=IdenTrust, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://validation.identrust.com/certs/issuedbyacesca2.p7c + +- notice_date: August 23, 2018 + change_type: CA Certificate Issuance + start_datetime: August 21, 2018 + system: FPKI Trust Infrastructure - Federal Bridge 2016 + change_description: A new cross certificate was issued from the Federal Bridge 2016 to the IdenTrust IGC Root CA 1 + contact: FPKI dash help at gsa.gov + ca_certificate_hash: 05 24 54 75 3d 53 ff 23 76 73 7f a7 79 8e c7 2f ab 82 83 3c + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. 
Government, C=US + ca_certificate_subject: CN=IdenTrust Global Common Root CA 1, O=IdenTrust, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://validation.identrust.com/roots/IssuedbyIGCRootCA1.p7c + +- notice_date: July 19, 2018 + change_type: CA Certificate Issuance + start_datetime: July 17, 2018 + system: Federal PKI Trust Infrastructure + change_description: A new cross certificate was issued from the Federal Bridge CA 2016 to the ORC NFI CA 3 + contact: fpki dash help at gsa.gov + ca_certificate_hash: b6 25 da 07 30 20 16 d2 83 70 23 ba b9 4b 6e 0d 76 fc 2e 45 + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=ORC NFI CA 3, O=ORC PKI, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://crl-server.orc.com/caCerts/ORCNFI3_SIA.p7c + +- notice_date: July 5, 2018 + change_type: CA Certificate Issuance + start_datetime: July 17, 2018 + system: CertiPath Bridge + change_description: A cross certificate was issued from Certipath Bridge CA-G2 to Air Canada Enterprise Root CA1 + contact: support at certipath dot com + ca_certificate_hash: + ca_certificate_issuer: C=US, O=CertiPath LLC, OU=Certification Authorities, CN=CertiPath Bridge CA - G2 + ca_certificate_subject: C=CA, O=Air Canada, OU=Certification Authorities, CN=Air Canada Enterprise Root CA1 + cdp_uri: http://certipath-crl.symauth.com/CertiPathBridgeCA-G2.crl + aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeCA-G2.p7c + ocsp_uri: + +- notice_date: June 13, 2018 + change_type: CA Certificate Issuance Intent + system: CertiPath Bridge + change_description: CerithPath Bridge intends to renew the cross certificates from the CertiPath Bridge G1 and G2 to Raytheon prior to the end of this month. No changes are being made to certificate policies or policy mappings. 
+ contact: support at certipath dot com + +- notice_date: June 7, 2018 + change_type: CA Certificate Issuance + start_datetime: June 7, 2018 + system: Federal PKI Trust Infrastructure + change_description: A new cross certificate was issued from the Federal Bridge CA 2016 to the SAFE BioPharma Bridge CA 02 + contact: fpki dash help at gsa.gov + ca_certificate_hash: 5c 65 42 19 97 2b ac 88 7b ea 9f 13 09 eb 9e 05 2f b7 75 7e + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: CN=SAFE Bridge CA 02, OU=Certification Authorities, O=SAFE-Biopharma, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://sbca2.safe-biopharma.org/sbca/issuedbySBCA02.p7c + +- notice_date: June 6, 2018 + change_type: CA Decommission + start_datetime: N/A + system: Federal PKI Trust Infrastructure + change_description: The Federal Bridge CA 2013 was decommissioned. + contact: fpki dash help at gsa.gov + ca_certificate_hash: 80 39 c3 23 4c 27 2c 80 c6 de 3b 13 0f 72 cc 4f be e1 38 18 + ca_certificate_issuer: cn= Federal Bridge 2013, ou= FPKI, o=U.S. Government, c=US + ca_certificate_subject: cn= Federal Bridge 2013, ou= FPKI, o=U.S. Government, c=US + cdp_uri: http://http.fpki.gov/fbca2013.crl + aia_uri: N/A + sia_uri: http://http.fpki.gov/bridge/caCertsIssuedByfbca2013.p7c + +- notice_date: May 16, 2018 + change_type: CA Decommission + start_datetime: May 18, 2018 + system: Digicert / Verisign / Symantec federal shared service provider + change_description: The Railroad Retirement Board CA was decommissioned and a long-term CRL issued on May 18, 2018 + contact: fpki at gsa.gov + ca_certificate_hash: + ca_certificate_issuer: CN=VeriSign SSP Intermediate CA - G3,O=VeriSign,Inc.,C=US + ca_certificate_subject: CN=RRB Device CA,OU=U.S. Railroad Retirement Board,OU=U.S. Railroad Retirement Board,O=U.S. 
Government,C=US + +- notice_date: April 25, 2018 + change_type: CA Certificate Issuance + start_datetime: April 23, 2018 + system: Federal PKI Trust Infrastructure + change_description: Issuance of cross certificate from Federal Bridge 2016 to US Patent and Trademark CA due to PTO Re-Key + contact: fpki at gsa.gov + ca_certificate_hash: 07 04 ea 96 33 a4 5a 9a 39 12 3b ac 28 be 01 07 8c 6b fd 3a + ca_certificate_issuer: CN=Federal Bridge CA 2016 OU=FPKI O=U.S. Government C=US + ca_certificate_subject: CN=USPTO_INTR_CA1 CN=AIA CN=Public Key Services CN=Services CN=Configuration DC=uspto DC=gov + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://ipki.uspto.gov/IPKI/Certs/IPKICACerts.p7c + +- notice_date: April 4, 2018 + change_type: CA Certificate Revocation + start_datetime: March 26, 2018 12:15 PM + system: SAFE Biopharma Bridge Opera tional Authority + change_description: The cross certificate from SAFE Biopharma Bridge CA [SBCA 02] to FBCA 2013 has been revoked. The CRL was published shortly thereafter. 
+ contact: Matthew dot Williams at exostar dot com + +- notice_date: February 6th, 2018 + change_type: CA Certificate Issuance + start_datetime: February 25, 2018 7:00:00 PM + system: CertiPath Bridge + change_description: Issuance of cross certificate from CertiPath Bridge CA - G2 to CISRCA1 + contact: support at certipath dot com + ca_certificate_hash: c466cb26e2c9a1a483a6f81701f208b5ff522ec4 + ca_certificate_issuer: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US + ca_certificate_subject: CN=CISRCA1, OU=Certification Authorities, O=Carillon Information Security Inc., C=CA + cdp_uri: http://certipath-crl.symauth.com/CertiPathBridgeCA-G2.crl + aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeCA-G2.p7c + +- notice_date: February 6th, 2018 + change_type: CA Certificate Issuance + start_datetime: February 19, 2018 7:00:00 PM + system: CertiPath Bridge + change_description: Issuance of cross certificate from CertiPath Bridge CA - G2 to Northrop Grumman Corporation Root CA + contact: support at certipath dot com + ca_certificate_hash: 9bb7b4bfd188b99e10431bf5ac56a493dfd66978 + ca_certificate_issuer: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US + ca_certificate_subject: CN=Northrop Grumman Corporate Root CA-G2, OU=Northrop Grumman Information Technology, O=Northrop Grumman Corporation, C=US + cdp_uri: http://certipath-crl.symauth.com/CertiPathBridgeCA-G2.crl + aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeCA-G2.p7c + sia_uri: http://certdata.northropgrumman.com/certdata/p7c/IssuedByNorthropGrummanCorporateRootCA-G2.p7c + +- notice_date: February 6th, 2018 + change_type: CA Certificate Issuance + start_datetime: February 19, 2018 7:00:00 PM + system: CertiPath Bridge + change_description: Issuance of cross certificate from CertiPath Bridge CA - G2 to Carillon Federal Services PIV-I CA1 + contact: support at certipath dot com + ca_certificate_hash: 
198271eee4689be1ff746e1a03cf205f4b2d518e + ca_certificate_issuer: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US + ca_certificate_subject: CN=Carillon Federal Services PIV-I CA1, OU=Certification Authorities, O=Carillon Federal Services Inc., C=US + cdp_uri: http://certipath-crl.symauth.com/CertiPathBridgeCA-G2.crl + aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeCA-G2.p7c + +- notice_date: February 6th, 2018 + change_type: CA Certificate Issuance + start_datetime: February 19, 2018 7:00:00 PM + system: CertiPath Bridge + change_description: Issuance of cross certificate from CertiPath Bridge CA to Northrop Grumman Corporate Root CA + contact: support at certipath dot com + ca_certificate_hash: 8f98b196e6b9aed7a31522efae5bf5954da744c0 + ca_certificate_issuer: CN=CertiPath Bridge CA, OU=Certification Authorities, O=CertiPath LLC, C=US + ca_certificate_subject: CN=Northrop Grumman Corporation Root CA, O=Northrop Grumman Corporation, C=US + cdp_uri: http://certipath-crl.symauth.com/CertiPathLLCCertiPathBridgeCA.crl + aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeRootCA.p7c + +- notice_date: January 25, 2018 + change_type: CA Certificate Issuance + start_datetime: January 22, 2018 7:00:00 PM + system: CertiPath Bridge + change_description: Issuance of cross certificate from CertiPath Bridge CA–G2 to NextgenID Root CA1. 
+ contact: support at certipath dot com + ca_certificate_hash: 50a2bf7afe08edf3877854f6d0a6e59127f68a94 + ca_certificate_issuer: CN=CertiPath Bridge CA - G2, OU=Certification Authorities, O=CertiPath LLC, C=US + ca_certificate_subject: CN=NextgenIDRootCA1, OU=Certification Authorities, O=NextgenID, C=US + cdp_uri: http://certipath-crl.symauth.com/CertiPathBridgeCA-G2.crl + aia_uri: http://certipath-aia.symauth.com/CertiPathBridgeCA-G2.p7c + sia_uri: http://www.nextgenidtrust.com/PKI/certs/IssuedByNextgenIDRootCA1.p7c + ocsp_uri: N/A + +- notice_date: November 16, 2017 + change_type: CA Certificate Issuance + start_datetime: November 16, 2017 + system: Federal PKI Trust Infrastructure + change_description: Issuance of cross certificate from Federal Bridge 2016 to Entrust Non-Federal Root CA + contact: fpki at gsa.gov + ca_certificate_hash: 22 05 08 b0 ab 72 e2 ee 3a ca a6 a9 ef 50 01 c8 7c 52 3e a4 + ca_certificate_issuer: CN=Federal Bridge CA 2016, OU=FPKI, O=U.S. Government, C=US + ca_certificate_subject: OU=Entrust Managed Services NFI Root CA, OU=Certification Authorities, O=Entrust, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://nfirootweb.managed.entrust.com/SIA/CAcertsIssuedByNFIRootCA.p7c + ocsp_uri: N/A + +- notice_date: November 16, 2017 + change_type: CA Certificate Issuance + start_datetime: October 25, 2017 + system: Federal PKI Trust Infrastructure + change_description: Issuance of cross certificate from Federal Bridge to Symantec + contact: fpki at gsa.gov + ca_certificate_hash: 91 45 31 f5 a6 10 91 40 05 42 2e 56 d6 71 12 18 13 3b 10 48 + ca_certificate_issuer: Federal Bridge CA 2016 + ca_certificate_subject: CN=Symantec Class 3 SSP Intermediate CA - G3 + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://ssp-sia.symauth.com/STNSSP/Certs_Issued_by_Class3SSPCA-G3.p7c + 
ocsp_uri: N/A + +- notice_date: November 16, 2017 + change_type: CA Certificate Issuance + start_datetime: October 4, 2017 + system: Federal PKI Trust Infrastructure + change_description: Issuance of cross certificate from Federal Bridge to Verizon Non-Federal Issuer CA + contact: fpki at gsa.gov + ca_certificate_hash: 68 70 66 bc e5 6b 6e 20 ae a0 c6 05 b9 b6 67 93 42 26 9f 21 + ca_certificate_issuer: Federal Bridge CA 2016 + ca_certificate_subject: CT-CSSP-CA-A1 + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://sia1.com-strong-id.net/CA/CT-CSSP-CA-A1-SIA.p7c + ocsp_uri: N/A + +- notice_date: November 16, 2017 + change_type: CA Certificate Issuance + start_datetime: October 4, 2017 + system: Federal PKI Trust Infrastructure + change_description: Issuance of cross certificate from Federal Bridge to ORC (Widepoint) Non-Federal Issuer CA + contact: fpki at gsa.gov + ca_certificate_hash: b0 55 c6 ee 10 4e 01 eb 68 8c 8f b4 f8 7c f7 7c a3 76 af db + ca_certificate_issuer: Federal Bridge CA 2016 + ca_certificate_subject: CN=ORC NFI CA 2, O=ORC PKI, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://crl-server.orc.com/caCerts/ORCNFI2_SIA.p7c + ocsp_uri: N/A + +- notice_date: November 16, 2017 + change_type: CA Certificate Issuance + start_datetime: August 21, 2017 + system: Federal PKI Trust Infrastructure + change_description: Issuance of cross certificate from Federal Bridge to ORC (Widepoint) ACES + contact: fpki at gsa.gov + ca_certificate_hash: 55 73 fc c5 e6 ff ff 2b 71 01 81 ac ca a2 ef da db 8f 0f 4e + ca_certificate_issuer: Federal Bridge CA 2016 + ca_certificate_subject: CN=ORC ACES 4, O=ORC PKI, C=US + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://crl-server.orc.com/caCerts/ORCACES4_SIA.p7c + 
ocsp_uri: N/A + +- notice_date: October 20, 2017 + change_type: CA Certificate Issuance + start_datetime: November 3, 2017 + system: TSCP SHA256 Bridge CA + change_description: Issuance of a cross certificate to Alexion Pharmaceuticals, Inc + contact: shauna dot russell at tscp dot org, fpki at gsa.gov + +- notice_date: September 30, 2017 + change_type: CA Certificate Issuance + start_datetime: September 28, 2017 + system: Federal PKI Trust Infrastructure + change_description: Issuance of cross certificate from Federal Bridge to DigiCert + contact: fpki at gsa.gov + ca_certificate_hash: e8 0b dd c6 1e d8 c4 3a d0 95 fc 94 62 17 be 45 bd d3 47 c1 + ca_certificate_issuer: Federal Bridge CA 2016 + ca_certificate_subject: DigiCert Federated ID CA-1 + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://cacerts.digicert.com/siaDigiCertFederatedIDCA-1.p7c + ocsp_uri: N/A + +- notice_date: September 14, 2017 + change_type: CA Certificate Issuance + start_datetime: August 24, 2017 + system: DigiCert Federated ID CA-1 + change_description: A new CA certificate was issued for a subordinate CA under Digicert Federated Trust CA-1. The CA certificate is for Trinity Health Direct CA. 
+ contact: ben.wilson at digicert dot com + ca_certificate_hash: 91:C3:74:48:0A:BA:3B:B9:B4:6C:8A:87:0F:95:E0:CA:98:CF:0C:70 + ca_certificate_issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Federated Trust CA-1 + ca_certificate_subject: C=US, O=Trinity Health, CN=Trinity Health Direct CA + cdp_uri: http://crl4.digicert.com/DigiCertFederatedTrustCA-1.crl, http://crl3.digicert.com/DigiCertFederatedTrustCA-1.crl + aia_uri: http://cacerts.digicert.com/aiaTrinityHealthDirectCA.p7c + sia_uri: + ocsp_uri: http://ocsp.digicert.com + +- notice_date: September 14, 2017 + change_type: CA Certificate Issuance + start_datetime: August 24, 2017 + system: DigiCert Federated ID CA-1 + change_description: A new CA certificate was issued for a subordinate CA under Digicert Federated ID CA-1. The CA certificate is for DigiCert Federated Trust CA-1. + contact: ben.wilson at digicert dot com + ca_certificate_hash: E2:9C:44:38:7F:7B:AA:9F:49:EF:CC:AE:A6:54:BC:E2:0C:FF:5F:D3 + ca_certificate_issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Federated ID CA-1 + ca_certificate_subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Federated Trust CA-1 + cdp_uri: http://crl3.digicert.com/DigiCertFederatedIDCA-1.crl, http://crl4.digicert.com/DigiCertFederatedIDCA-1.crl + aia_uri: http://cacerts.digicert.com/aiaDigiCertFederatedTrustCA-1.p7c + sia_uri: + ocsp_uri: http://ocsp.digicert.com + +- notice_date: August 22, 2017 + change_type: CA Certificate Revocation + start_datetime: August 25, 2017 + system: Verizon Federal PKI Shared Service Provider + change_description: The CA certificate for the issuing CA named Executive Office of the President CA-B8 will be revoked on August 25th and a long term CRL will be published. This CA is no longer active. 
+ contact: vziamssp at verizon dot com, fpki at gsa.gov + ca_certificate_hash: + ca_certificate_issuer: CN=Betrusted Production SSP CA A1,OU=Betrusted Production SSP CA A1,OU=SSP,O=Betrusted US Inc,C=US + ca_certificate_subject: CN=Executive Office of the President CA-B8,OU=PKI,OU=Services,DC=ssp,DC=eop,DC=gov + +- notice_date: August 4, 2017 + change_type: CA Certificate Issuance + start_datetime: August 4, 2017 3:28:27 PM + system: US Government Publishing Office CAs + change_description: Issuance of cross certificate from US Government Publishing Office to Federal Bridge + contact: fpki at gsa.gov + ca_certificate_hash: b5 d4 0b e9 4f 2e 01 4f 51 0b 29 64 36 6f 10 13 f4 1a f3 0e + ca_certificate_issuer: GPO PCA + ca_certificate_subject: Federal Bridge CA 2016 + cdp_uri: http://www.gpo-fbca-crls.ois.gpo.gov/GPO-PCA-CRLa4.crl + aia_uri: http://www.gpo-fbca-crls.ois.gpo.gov/GPO-PCA-CACertificates.p7c + sia_uri: http://http.fpki.gov/bridge/caCertsIssuedByfbca2016.p7c + ocsp_uri: http://www.ocsp.gpo.gov + +- notice_date: August 3, 2017 + change_type: CA Certificate Issuance + start_datetime: August 3, 2017 1:33:41 PM + system: N/A + change_description: Issuance of cross certificate from Federal Bridge to US Government Publishing Office + contact: fpki at gsa.gov + ca_certificate_hash: b8 ea bb 18 ed 54 4c 9f cf b2 99 bd 5d 32 21 27 e6 f4 8d 90 + ca_certificate_issuer: Federal Bridge CA 2016 + ca_certificate_subject: GPO PCA + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://www.gpo-fbca-crls.ois.gpo.gov/caCertsIssuedByGPO.p7c + ocsp_uri: N/A + +- notice_date: July 25, 2017 + change_type: CA Certificate Issuance + start_datetime: July 25, 2017 12:57:21 PM + system: Federal PKI Trust Infrastructure + change_description: Issuance of cross certificate from Federal Bridge to Symantec + contact: fpki at gsa.gov + ca_certificate_hash: 63 3b 29 78 0d 72 f9 b6 e6 52 f8 58 6b 13 87 02 19 5a 
2c cd + ca_certificate_issuer: Federal Bridge CA 2016 + ca_certificate_subject: VeriSign Class 3 SSP Intermediate CA - G2 + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://ssp-sia.symauth.com/VTNSSP/Certs_issued_by_Class3SSPCA-G2.p7c + ocsp_uri: N/A + +- notice_date: July 12, 2017 + change_type: CA Certificate Issuance + start_datetime: July 12, 2017 10:59:26 AM + system: Federal PKI Trust Infrastructure + change_description: Issuance of cross certificate from Federal Bridge to Widepoint + contact: fpki at gsa.gov + ca_certificate_hash: 8a 0a 15 2e f9 36 74 72 c8 83 28 e7 b8 18 a5 7a ed ea 33 ef + ca_certificate_issuer: Federal Bridge CA 2016 + ca_certificate_subject: ORC NFI CA 3 + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://crl-server.orc.com/caCerts/ORCNFI3_SIA.p7c + ocsp_uri: N/A + +- notice_date: June 20, 2017 + change_type: CA Certificate Issuance + start_datetime: June 20, 2017 12:56:58 PM + system: Federal PKI Trust Infrastructure + change_description: Issuance of cross certificate from Federal Bridge to Identrust + contact: fpki at gsa.gov + ca_certificate_hash: 8f 0c 18 76 9e 9e 6d 48 c5 8e 41 8e 9b d5 79 84 a7 ae 49 f4 + ca_certificate_issuer: Federal Bridge CA 2016 + ca_certificate_subject: IdenTrust Global Common Root CA 1 + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://validation.identrust.com/roots/IssuedbyIGCRootCA1.p7c + ocsp_uri: N/A + +- notice_date: June 20, 2017 + change_type: CA Certificate Issuance + start_datetime: June 20, 2017 12:26:12 PM + system: Federal PKI Trust Infrastructure + change_description: Issuance of cross certificate from Federal Bridge to Identrust + contact: fpki at gsa.gov + ca_certificate_hash: f2 82 e5 05 30 11 13 e7 36 8a 26 2e 4e 3d fe 23 ed 39 c9 54 + 
ca_certificate_issuer: Federal Bridge CA 2016 + ca_certificate_subject: IdenTrust ACES CA 2 + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://validation.identrust.com/certs/issuedbyacesca2.p7c + ocsp_uri: N/A + +- notice_date: June 20, 2017 + change_type: CA Certificate Issuance + start_datetime: June 20, 2017 12:15:44 PM + system: Federal PKI Trust Infrastructure + change_description: Issuance of cross certificate from Federal Bridge to Identrust + contact: fpki at gsa.gov + ca_certificate_hash: 8c 7a 33 76 da 95 e2 be 52 da bc 03 21 56 f4 c4 78 74 e4 c4 + ca_certificate_issuer: Federal Bridge CA 2016 + ca_certificate_subject: IdenTrust ACES CA 1 + cdp_uri: http://http.fpki.gov/bridge/fbca2016.crl + aia_uri: http://http.fpki.gov/bridge/caCertsIssuedTofbca2016.p7c + sia_uri: http://apps.identrust.com/roots/publicsectorroot.p7c + ocsp_uri: N/A diff --git a/_data/gsacarousel.yml b/_data/gsacarousel.yml new file mode 100644 index 000000000..15274219c --- /dev/null +++ b/_data/gsacarousel.yml 
@@ -0,0 +1,81 @@
+# GSA Carousel Config
+# Date: 03-22-2023
+# File: _data/gsacarousel.yml
+# File used in: _includes/hero.html
+# Developer: Clayton Barnette
+# Purpose: Drives Carousel data on the homepage of New IDManagement.gov
+#
+# - orderNumber: Sequential numbering of each carousel item, starts at 0 - n
+# initialState: set to active active or leave blank (Note: only one carousel item should be set to active or it breaks the carousel)
+# delay(default: 5000): number of milliseconds to display the carousel item on the page, before changing
+# heroHeading: text for the main hero section of the carousel, keep text length short 1 - 3 words depending on length
+# heroText: secondary text for the hero section of the carousel, keep text length short as action statements
+# actionButtonText: text for action button, normally 1 - 3 words, no more than 5
+# actionLocation: # desired destination of the user after reading action statement, URLs, local URIs or permilinks. Local links (No leading forward slash)
+# actionTarget(default: _blank): target window, options: _blank or _self if link is internal to site
+
+# Memo: If a link is internal to the site, actionTarget should be set to "_self" if the lint is external or a PDF or Document of somekind, the "_blank" should be used.
+# Note: leave the / off the internal urls for 'actionLocation:'
+
+- orderNumber: 0
+ initialState: active
+ delay: 10000
+ heroHeading: FICAM
+ heroText: helps the U.S Government agencies achieve Zero Trust cyber maturity quickly.
+ actionButtonText: Learn more about
+ actionLocation: arch/
+ actionTarget: _self
+
+- orderNumber: 1
+ initialState:
+ delay: 10000
+ heroHeading: Zero Trust
+ heroText: concept assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.
+ actionButtonText: Learn more about
+ actionLocation: zero-trust/
+ actionTarget: _blank
+
+- orderNumber: 2
+ initialState:
+ delay: 10000
+ heroHeading: Privileged user
+ heroText: is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users cannot perform—also known as a privileged IT user, privileged network user, or superuser.
+ actionButtonText: Learn more about
+ actionLocation: playbooks/pam/
+ actionTarget: _self
+
+- orderNumber: 3
+ initialState:
+ delay: 10000
+ heroHeading: Phishing resistant authenticators (Coming Soon)
+ heroText: are not susceptible to common interception and replay attacks. Phishing-resistant MFA protects users from sophisticated online attacks.
+ actionButtonText: Coming Soon!
+ actionLocation: /
+ actionTarget: _blank
+
+- orderNumber: 4
+ initialState:
+ delay: 10000
+ heroHeading: Single sign on
+ heroText: centralizes application access for agency employees and contractors or federate access with other federal executive agencies.
+ actionButtonText: Learn more about
+ actionLocation: playbooks/sso/
+ actionTarget: _self
+
+- orderNumber: 5
+ initialState:
+ delay: 10000
+ heroHeading: User authorization
+ heroText: is a decision whether to grant access to a user or machine account following authentication. Authorization to resources can be fine grained to help achieve attribute based access vs the traditional role based access.
+ actionButtonText: Learn more about
+ actionLocation: playbooks/cloud/
+ actionTarget: _self
+
+- orderNumber: 6
+ initialState:
+ delay: 10000
+ heroHeading: Identity lifecycle management
+ heroText: encompasses the activities of creating, identity proofing, vetting, provisioning, aggregating, maintaining, and deactivating digital identities on an agency’s enterprise identity, credential, and access management (ICAM) system.
+ actionButtonText: Learn more about
+ actionLocation: playbooks/ilm/
+ actionTarget: _self
\ No newline at end of file
diff --git a/_data/gsafeeds.yml b/_data/gsafeeds.yml
new file mode 100644
index 000000000..4c914d2e7
--- /dev/null
+++ b/_data/gsafeeds.yml
@@ -0,0 +1,15 @@
+- feedid: 001
+ name: CISA Feeds
+ website: https://www.cisa.gov
+ description: CISA Website RSS, I added a long description for text formatting and to see how text looks is the description is long.
+ source: https://www.cisa.gov/news.xml
+ expanded: true
+ status: active
+
+- feedid: 002
+ name: Fake Feeds 2
+ website: https://www.fakewebsite.gov
+ description: Fake Website RSS Feeds, which are feed from a .yml file located in the data folder. This code loops through each rss feed listed there and displays it on the page.
+ expanded: false
+ source: https://www.cisa.gov/news.xml
+ status: active
\ No newline at end of file
diff --git a/_data/highlights.yml b/_data/highlights.yml
new file mode 100644
index 000000000..332b537ab
--- /dev/null
+++ b/_data/highlights.yml
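Review bot: Items 1 (`actionLocation: zero-trust/`) and 3 (`actionLocation: /`) set `actionTarget: _blank` even though both point inside the site, which contradicts the file's own memo that internal links use `_self`; change both to `actionTarget: _self`. If `_includes/hero.html` emits `target="_blank"` for the external case it should pair that with `rel="noopener noreferrer"`, but the include is not in this diff, so confirm there. The header comment also has a few typos worth fixing while here (`active active`, `permilinks`, `lint is external`, `somekind`).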
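Review bot: The second entry is a self-described placeholder (`name: Fake Feeds 2`, `website: https://www.fakewebsite.gov`) yet carries `status: active` and reuses the CISA `source` URL, so whatever renders this file will presumably show it to visitors as a live feed; drop the entry or give it a non-`active` status before merge. Unquoted `feedid: 001` is parsed by YAML as the integer 1, so the zero padding is lost if the id is used to build element ids or anchors; write `feedid: "001"` if the string form is intended. Feed bodies fetched from `source` are third-party content, so the consuming include should escape them rather than render raw markup — that code is not in this hunk, so confirm there.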
@@ -0,0 +1,28 @@
+
+- heading: This is a normal message
+ message: This is the first carousel message, no link(Normal)
+ importance: info
+ linkto: #
+ linktext:
+ seconds: 50000
+
+- heading: This is a link to a PDF
+ message: This is the second message linked to a PDF.(Notice)
+ importance: warning
+ linkto: #
+ linktext: Get the PDF Here.
+ seconds: 50000
+
+- heading: This is a warning...
+ message: This is a third carousel message which is a warning.(Warning)
+ importance: important
+ linkto: #
+ linktext: Visit IRS.gov
+ seconds: 100000
+
+- heading: This is a success message
+ message: This is the fourth carousel message.(Success)
+ importance: success
+ linkto: https://playbooks.idmanagement.gov
+ linktext: Go to Playbooks Website
+ seconds: 50000
\ No newline at end of file
diff --git a/_data/laws-policies-standards.yml b/_data/laws-policies-standards.yml
new file mode 100644
index 000000000..80f5b3dc2
--- /dev/null
+++ b/_data/laws-policies-standards.yml
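Review bot: `linkto: #` in the first three entries does not set the value to `#`: in YAML a `#` preceded by whitespace starts a comment, so `linkto` is null for those items, and the PDF and IRS entries end up with link text but no destination. Quote it as `linkto: "#"` if a no-op anchor is intended, or leave it blank and have the template skip the link when `linkto` is empty. `importance: important` is the only value of its kind next to `info`, `warning`, and `success`; if these map to alert style names, confirm that one exists in the stylesheet.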
@@ -0,0 +1,1551 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/GSA/idmanagement.gov/0512-identity-policy-matrix/assets/schemas/laws-policies-standards-schema.json
+# CORE AUTHORITIES - White House and Congress - these are authorized by the constitution
+- &WH
+ type: Authority
+ shortName: "White House"
+ longName: "The Office of the President of the United States of America"
+ externalURL: "https://www.whitehouse.gov/"
+- &CONGRESS
+ type: Authority
+ shortName: "U.S. Congress"
+ longName: "United States Congress"
+ externalURL: "https://www.congress.gov/"
+#
+# LAWS and Executive Orders (Authorized by WH and Congress)
+#
+- &HSPD12
+ type: Law
+ shortName: "HSPD-12"
+ longName: "Homeland Security Presidential Directive 12"
+ published: 2004-08-27
+ description: >-
+ Directive requires the development and agency implementation of a mandatory, government-wide standard
+ for secure and reliable forms of identification for Federal employees and contractors.
+ externalURL: "https://www.opm.gov/suitability/suitability-executive-agent/policy/final-credentialing-standards.pdf"
+ authored-by:
+ - *WH
+ scope:
+ - "Workforce Identity"
+ ficam-services:
+ - "Identity Management - Identity Proofing"
+- &FISMA2014
+ type: Law
+ shortName: "FISMA 2014"
+ longName: "Federal Information Security Modernization Act of 2014"
+ description: >-
+ Directed NIST and OMB to provide updated guidance for the modernization of Federal IT Systems, and established
+ the Federal CIO Council.
+ published: 2014-12-18
+ externalURL: "https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf"
+ ficam-services:
+ - "Governance - Identity Governance"
+ authored-by:
+ - *CONGRESS
+- &FITARA2017
+ type: Law
+ shortName: "FITARA Enhancement Act of 2017"
+ longName: "Federal Information Technology Acquisition Reform Enhancement Act of 2017"
+ description: >-
+ Extended the authorization for the Data Center Consolidation Act, which encourages the use
+ of Cloud Services by Federal Agencies where appropriate. We continue to update our guidance
+ to address the requirements of cloud implementation of federal services.
+ published: 2017-11-21
+ externalURL: "https://www.congress.gov/bill/115th-congress/house-bill/3243/text"
+ authored-by:
+ - *CONGRESS
+- &EO13467
+ type: Law
+ shortName: "E.O. 13467"
+ longName: "Executive Order 13467: Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information"
+ description: >-
+ This Executive Order mandates a common background check process across the civilian, unclassified
+ federal government, leading to acceptance of PIV cards across agency boundaries.
+ published: 2008-06-30
+ externalURL: "https://www.federalregister.gov/documents/2008/07/02/08-1409/reforming-processes-related-to-suitability-for-government-employment-fitness-for-contractor"
+ authored-by:
+ - *WH
+ ficam-services:
+ - Identity Management
+ - Credential Management
+ - Access Management
+ - Governance
+- &PRIVACYACT1974
+ type: Law
+ shortName: "Privacy Act of 1974"
+ longName: "USC Title 5, Part I, Chapter 5, Subchapter II, §552a"
+ description: >-
+ This Act protects certain federal government records pertaining to individuals.
+ In particular, the Act covers systems of records that an agency maintains and
+ retrieves by an individual's name or other personal identifier, such as a Social
+ Security Number.
+ published: 1974-12-31
+ externalURL: "https://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim"
+ authored-by:
+ - *CONGRESS
+ ficam-services:
+ - Identity Management
+ - Governance
+- &ESIGN2000
+ type: Law
+ shortName: "E-SIGN Act of 2000"
+ longName: "Electronic Signatures in Global and National Commerce Act"
+ description: >-
+ This Act facilitates the use of electronic records and electronic signatures in interstate and
+ foreign commerce by ensuring the validity and legal effect of electronic contracts. This act led to the
+ creation of the Federal PKI.
+ published: 2000-06-30
+ externalURL: "https://www.govinfo.gov/content/pkg/USCODE-2021-title15/html/USCODE-2021-title15-chap96.htm"
+ authored-by:
+ - *CONGRESS
+ ficam-services:
+ - Federation
+ - Governance
+- &GPEA1998
+ type: Law
+ shortName: "Government Paperwork Elimination Act"
+ longName: "Government Paperwork Elimination Act of 1998"
+ description: >-
+ This Act requires federal agencies to allow individuals or entities that deal with the agencies the
+ option to submit information or transact with the agency electronically when possible and to maintain
+ records electronically when possible. This Act specifically states that electronic records and their
+ related electronic signatures cannot be denied legal effect, validity, or enforceability just because
+ they are in electronic form. This Act also encourages federal government use of a range of electronic
+ signature alternatives.
+ published: 1998-10-21
+ externalURL: "https://www.govinfo.gov/content/pkg/PLAW-105publ277/html/PLAW-105publ277.htm"
+ authored-by:
+ - *CONGRESS
+ ficam-services:
+ - Governance
+- &EO13681
+ type: Law
+ shortName: "E.O. 
13681"
+ longName: "Executive Order 13681: Improving the Security of Consumer Financial Transactions"
+ description: >-
+ Proposes improved security for government payments and identity theft remediation, encouraging deployment
+ of better citizen authentication technologies for financial transactions.
+ published: 2014-10-17
+ externalURL: "https://www.govinfo.gov/content/pkg/FR-2014-10-23/pdf/2014-25439.pdf"
+ authored-by:
+ - *WH
+ ficam-services:
+ - Identity Management
+ - Federation
+ - Governance
+- &EO13556
+ type: Law
+ shortName: E.O. 13556
+ longName: "Executive Order 13556: Controlled Unclassified Information"
+ description: >-
+ This order establishes an open and uniform program for managing information that requires safeguarding
+ but is not classified. The program includes standards for Identity and Access Management for Controlled
+ Unclassified Information (CUI)
+ published: 2010-11-09
+ externalURL: "https://www.federalregister.gov/documents/2010/11/09/2010-28360/controlled-unclassified-information"
+ authored-by:
+ - *WH
+ ficam-services:
+ - Federation
+ - Governance
+- &EO13286
+ type: Law
+ shortName: E.O. 13286
+ longName: "Executive Order 13286: Amendment of Executive Orders, and Other Actions, in Connection With the Transfer of Certain Functions to the Secretary of Homeland Security"
+ description: >-
+ Amends an earlier Executive Order (E.O. 12977). Defines a central federal function to define security for
+ physical access to federal facilities. Because physical access often involves PIV Cards, ICAMSC coordinates
+ closely with the federal Physical Access Control System (PACS) community.
+ externalURL: "https://www.federalregister.gov/documents/2003/03/05/03-5343/amendment-of-executive-orders-and-other-actions-in-connection-with-the-transfer-of-certain-functions"
+ published: 2003-05-03
+ authored-by:
+ - *WH
+- &EO14028
+ type: Law
+ shortName: "E.O. 
14028"
+ longName: "Executive Order 14028: Improving the Nation's Cybersecurity"
+ description: >-
+ Directs federal agencies to develop a plan to implement a Zero Trust Architecture, and Multi-Factor
+ Authentication.
+ published: 2021-05-17
+ externalURL: "https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity"
+ authored-by:
+ - *WH
+ ficam-services:
+ - Governance
+#
+# Secondary Authorities - established by a Law or Executive Order
+#
+- &NIST
+ type: Authority
+ shortName: "NIST"
+ longName: "National Institute of Standards and Technology"
+ description: "Mission: To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life."
+ externalURL: "https://www.nist.gov"
+- &GSA
+ type: Authority
+ shortName: "GSA"
+ longName: "General Services Administration"
+ description: "Mission: To deliver the best customer experience and value in real estate, acquisition, and technology services to the government and the American people."
+ externalURL: "https://www.gsa.gov"
+- &OMB
+ type: Authority
+ shortName: "OMB"
+ longName: "Office of Management and Budget"
+ description: "The Office of Management and Budget oversees the implementation of the President's vision across the Executive Branch."
+ externalURL: "https://www.whitehouse.gov/omb/"
+- &OPM
+ type: Authority
+ shortName: OPM
+ longName: "U.S. Office of Personnel Management"
+ description: >-
+ OPM works in several broad categories to lead and serve the Federal Government in enterprise human
+ resource management by delivering policies and services to achieve a trusted effective civilian workforce.
+- &DNI
+ type: Authority
+ shortName: DNI
+ longName: "Director of National Intelligence"
+ description: >-
+ Our mission is to lead intelligence integration and forge an intelligence community that delivers the most
+ insightful intelligence possible
+- &CIOCOUNCIL
+ type: Authority
+ shortName: "Federal CIO Council"
+ longName: "Federal CIO Council"
+ description: "The Federal CIO Council is the principal interagency forum to improve agency practices related to the design, acquisition, development, modernization, sustainment, use, sharing, and performance of Federal Government information technology (IT)."
+ externalURL: "https://www.cio.gov/"
+ authorized-by:
+ - *FISMA2014
+- &CISOCOUNCIL
+ type: Authority
+ shortName: "Federal CISO Council"
+ longName: "Federal CISO Council"
+ description: "The Federal Chief Information Security Officer (CISO) Council is the primary body for inter-agency CISO collaboration and communication. The Council is led by the Federal CISO, who works in the White House Office of Management and Budget (OMB), and a co-chair who's a member of the Council, elected to serve in that role."
+ externalURL: "https://www.cio.gov/about/members-and-leadership/ciso-council/"
+ subgroup-of:
+ - *CIOCOUNCIL
+- &ICAMSC
+ type: Authority
+ shortName: "ICAMSC"
+ longName: "Identity, Credential, and Access Management Subcommittee"
+ description: "The Identity, Credential, and Access Management Subcommittee (ICAMSC) is the principal interagency forum for identity management, secure access, authentication, authorization, credentials, privileges, and access lifecycle management."
+ externalURL: "https://community.max.gov/pages/viewpage.action?pageId=234815732"
+ subgroup-of:
+ - *CISOCOUNCIL
+- &PACSMODWG
+ type: Authority
+ shortName: "PACSmod WG"
+ longName: "PACS Modernization Working Group"
+ description: >-
+ The Physical Access Control System Modernization Working Group (PACSMod WG) is chartered
+ under the direction of the Co-Chairs of the Federal Chief Information Security Officer Council
+ (FCIOC), Identity, Credentialing and Access Management Subcommittee (ICAMSC), and the Program
+ Director of the Department of Homeland Security (DHS), Interagency Security Committee (ISC).
+ The purpose of the PACSMod WG is to facilitate the implementation and use of technology and
+ processes related to modernizing enterprise PACS within the Federal Government (USG), thereby
+ increasing security, coordination, and compliance with national-level policies and standards.
+ subgroup-of:
+ - *ICAMSC
+- &FPKIPA
+ type: Authority
+ shortName: "FPKI PA"
+ longName: "Federal Public Key Infrastructure Policy Authority"
+ description: "In 2002, the Federal Public Key Infrastructure (FPKI) Policy Authority (PA) was created by the Federal Chief Information Officers (CIO) Council to serve as the Federal Public Key Infrastructure governance body."
+ externalURL: "https://www.idmanagement.gov/docs/fpkipa-charter.pdf"
+ subgroup-of:
+ - *ICAMSC
+- &DHS
+ type: Authority
+ shortName: "DHS"
+ longName: "Department of Homeland Security"
+ description: >-
+ The Department of Homeland Security has a vital mission: to secure the nation from the many threats
+ we face. This requires the hard work of more than 260,000 employees in jobs that range from aviation
+ and border security to emergency response, from cybersecurity analyst to chemical facility inspector.
+ Our duties are wide-ranging, and our goal is clear - keeping America safe.
+ externalURL: "https://www.dhs.gov/"
+- &CISA
+ type: Authority
+ shortName: "CISA"
+ longName: "Cybersecurity & Infrastruture Security Agency"
+ description: >-
+ CISA is the operational lead for federal cybersecurity and the national coordinator for critical
+ infrastructure security and resilience.
+ externalURL: "https://www.cisa.gov/"
+ subgroup-of:
+ - *DHS
+- &ISC
+ type: Authority
+ shortName: ISC
+ longName: Interagency Security Committee
+ description: >-
+ The Interagency Security Committee (ISC) is a collaborative organization that provides leadership to the
+ nonmilitary federal community supporting physical security programs that are comprehensive and risk based.
+ externalURL: "https://www.cisa.gov/resources-tools/groups/interagency-security-committee-isc"
+ authorized-by:
+ - *EO13286
+- &USDS
+ type: Authority
+ shortName: "USDS"
+ longName: "United States Digital Service"
+ description: >-
+ To deliver better government services to the American people through technology and design.
+ subgroup-of:
+ - *WH
+- &DOD
+ type: Authority
+ shortName: "DoD"
+ longName: "Department of Defense"
+ description: >-
+ The Department of Defense provides the military forces needed to deter war and ensure our nation's security.
+- &FEDRAMP
+ type: Authority
+ shortName: "FedRAMP"
+ longName: "Federal Risk and Automation Management Program"
+ description: >-
+ The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to
+ provide a cost-effective, risk-based approach for the adoption and use of cloud services by
+ the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an
+ emphasis on security and protection of federal information.
+ subgroup-of:
+ - *GSA
+ - *DHS
+ - *DOD
+- &NSA
+ type: Authority
+ shortName: "NSA"
+ longName: "National Security Agency"
+ description: >-
+ We leverage our advantages in technology and cybersecurity consistent with our authorities to strengthen
+ national defense and secure national security systems.
+- &CMU
+ type: Authority
+ shortName: "CMU"
+ longName: "Carnegie Mellon University"
+ externalURL: "https://www.cmu.edu/"
+#
+# POLICIES - Directives issued by the executive branch, excluding the president, to the executive branch
+#
+- &M0524
+ type: Policy
+ shortName: "M-05-24"
+ longName: "OMB Memo 05-24: Implementation of Homeland Security Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal Employees and Contractors"
+ published: 2005-08-05
+ description: "This memorandum provides implementing instructions for the Directive (HSPD-12) and the Standard (FIPS-201)."
+ externalURL: "https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2005/m05-24.pdf"
+ scope:
+ - "Workforce Identity"
+ authorized-by:
+ - *HSPD12
+ authored-by:
+ - *OMB
+ ficam-services:
+ - "Identity Management - Identity Proofing"
+- &FBCACP
+ type: Policy
+ shortName: "FBCA CP"
+ longName: "X.509 Certificate Policy for the Federal Bridge Certification Authority"
+ description: "The FBCA exists to facilitate trusted electronic business transactions for Federal organizations. To facilitate the missions of the organizations, interoperability is offered to non-Federal entities."
+ published: 2023-04-17
+ externalURL: "https://www.idmanagement.gov/docs/fpki-x509-cert-policy-fbca.pdf"
+ scope:
+ - Workforce Identity
+ ficam-services:
+ - "Identity Management - Identity Proofing"
+ - "Credential Management - Generation & Issuance"
+ - "Credential Management - Revocation"
+ - "Federation - Policy Alignment"
+ authored-by:
+ - *FPKIPA
+- &COMMONCP
+ type: Policy
+ shortName: "Common CP"
+ longName: "X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework"
+ description: "The scope of this U.S. Federal PKI Common Policy Framework CP includes the Certification Authorities used for issuing and managing certificates that are valid to the Federal Common Policy CA on behalf of federal executive branch agencies. This CP applies to certificates issued to CAs, devices, and federal employees, contractors and other affiliated personnel."
+ published: 2023-04-17
+ externalURL: "https://www.idmanagement.gov/docs/fpki-x509-cert-policy-common.pdf"
+ scope:
+ - Workforce Identity
+ ficam-services:
+ - "Identity Management - Identity Proofing"
+ - "Credential Management - Generation & Issuance"
+ - "Credential Management - Revocation"
+ - "Federation - Policy Alignment"
+ authored-by:
+ - *FPKIPA
+- &M1917
+ type: Policy
+ shortName: "M-19-17"
+ longName: "OMB Memo 19-17: Enabling Mission Delivery through Improved Identity, Credential, and Access Management"
+ description: "This memorandum sets forth the Federal Government's1 Identity, Credential, and Access Management (ICAM) policy"
+ published: 2019-05-21
+ externalURL: "https://www.whitehouse.gov/wp-content/uploads/2019/05/M-19-17.pdf"
+ authored-by:
+ - *OMB
+ scope:
+ - Workforce Identity
+ - Public Identity
+ ficam-services:
+ - "Identity Management - Identity Proofing"
+ - "Credential Management - Generation & Issuance"
+ - "Credential Management - Revocation"
+ - "Federation - Policy Alignment"
+- &M1919
+ type: Policy
+ shortName: M-19-19
+ longName: "OMB Memo 19-19: Update to Data 
Center Optimization Initiative (DCOI)"
+ description: >-
+ This Memorandum contains requirements for the consolidation and optimization of Federal data
+ centers in accordance with FITARA. It establishes consolidation and optimization targets and
+ metrics for Federal agencies, as well as requirements for reporting on their progress. For FICAM,
+ this suggests use of Identity as a Service Providers and Shared Service Providers for PKI, as
+ discussed in the Cloud Identity Playbook.
+ published: 2019-06-25
+ externalURL: "https://www.whitehouse.gov/wp-content/uploads/2019/06/M-19-19-Data-Centers.pdf"
+ authored-by:
+ - *OMB
+ authorized-by:
+ - *FITARA2017
+- &A130
+ type: Policy
+ shortName: "OMB Circular A-130"
+ longName: "CIRCULAR NO. A-130 - Managing Information as a Strategic Resource"
+ description: >-
+ This Circular is designed to help drive the transformation of the Federal Government and
+ the way it builds, buys, and delivers technology by institutionalizing more agile approaches
+ intended to facilitate the rapid adoption of changing technologies, in a way that enhances
+ information security, privacy, and management of information resources across all Federal
+ programs and services.
+ published: 2016-07-28
+ externalURL: "https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf"
+ authored-by:
+ - *OMB
+ ficam-services:
+ - Identity Management - Identity Proofing
+ - Credential Management - Generation & Issuance
+ - Access Management - Authentication
+ - Federation - Policy Alignment
+- &M1513
+ type: Policy
+ shortName: "M-15-13"
+ longName: "OMB Memo 15-13: Policy to Require Secure Connections across Federal Websites and Web Services"
+ description: >-
+ This Memorandum requires that all publicly accessible Federal websites and web services only provide
+ service through a secure connection.
The strongest privacy and integrity protection currently available
+ for public web connections is Hypertext Transfer Protocol Secure (HTTPS).
+ Agencies must utilize PKI device certificates to protect their web servers.
+ published: 2015-07-08
+ externalURL: "https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2015/m-15-13.pdf"
+ authored-by:
+ - *OMB
+- &M1916
+ type: Policy
+ shortName: "M-19-16"
+ longName: "OMB Memo 19-16: Centralized Mission Support Capabilities for the Federal Government"
+ description: >-
+ This memorandum describes the process and desired outcomes for shared services such as PKI
+ Shared Service Providers (SSPs).
+ published: 2019-04-26
+ externalURL: "https://www.whitehouse.gov/wp-content/uploads/2019/04/M-19-16.pdf"
+ authored-by:
+ - *OMB
+- &SPRINGERMEMO
+ type: Policy
+ shortName: "Springer Memo"
+ longName: "Final Credentialing Standards for Issuing Personal Identity Verification Cards under HSPD-12"
+ description: >-
+ This memorandum provides final government-wide credentialing standards to be used by all
+ Federal departments and agencies in determining whether to issue or revoke personal identity
+ verification (PIV) cards to their employees and contractor personnel, including those who are
+ non-United States citizens.
+ published: 2008-07-31
+ externalURL: "https://www.opm.gov/suitability/suitability-executive-agent/policy/final-credentialing-standards.pdf"
+ authorized-by:
+ - *EO13467
+ authored-by:
+ - *OPM
+ ficam-services:
+ - Identity Management - Identity Proofing
+ - Credential Management - Generation & Issuance
+ - Access Management - Authentication
+ - Federation - Policy Alignment
+- &PIVISSUANCESUSPENSION
+ type: Policy
+ shortName: "Guidance on Executive Branch-Wide Requirements for Issuing Personal Identity Verification (PIV) Credentials and Suspension Mechanism"
+ longName: "Guidance on Executive Branch-Wide Requirements for Issuing Personal Identity Verification (PIV) Credentials and Suspension Mechanism"
+ description: >-
+ Accordingly, effective immediately, all Executive departments and agencies will apply both
+ the basic and supplemental credentialing standards specified in the 2008 Credentialing Memo to
+ determine initial eligibility for a PIV credential of all personnel who require a PIV, but who are not
+ otherwise subject to a suitability determination or a determination of eligibility for access to
+ classified information or assignment to a sensitive national security position.
+ published: 2016-03-02
+ externalURL: "https://www.opm.gov/suitability/suitability-executive-agent/policy/memo-issuing-piv-credentials-and-suspension-criteria.pdf"
+ authored-by:
+ - *OMB
+ - *OPM
+ - *DNI
+ authorized-by:
+ - *SPRINGERMEMO
+ ficam-services:
+ - Identity Management - Identity Proofing
+ - Credential Management - Generation & Issuance
+ - Credential Management - Revocation
+ - Federation - Policy Alignment
+- &CREDSTANDARDS
+ type: Policy
+ shortName: "Credentialing Standards Memo 2020"
+ longName: "Credentialing Standards Procedures for Issuing Personal Identity Verification Cards under HSPD-12 and New Requirement for Suspension or Revocation of Eligibility for Personal Identity Verification Credentials"
+ description: >-
+ [T]he following credentialing standards procedures [...]
+ promote defined goals in agency eligibility determinations to issue HSPD-12 personal
+ identity verification (PIV) credentials for access to federally controlled facilities and
+ information systems: the protection of the life, safety, property, or health of employees,
+ contractors, vendors or visitors to Federal facilities; the protection of the Government's
+ physical assets, information systems, records, including privileged, proprietary,
+ financial or medical records; and the privacy of the individuals whose data the
+ Government holds in its systems.
+ published: 2020-12-15
+ externalURL: "https://www.opm.gov/suitability/suitability-executive-agent/policy/cred-standards.pdf"
+ authored-by:
+ - *OPM
+ authorized-by:
+ - *HSPD12
+ amends:
+ - *SPRINGERMEMO
+ - *PIVISSUANCESUSPENSION
+ ficam-services:
+ - Identity Management
+ - Credential Management
+ - Access Management
+- &CSSCDM
+ type: Policy
+ shortName: "Clearance Decision-Making Guide"
+ longName: "INTRODUCTION OF CREDENTIALING, SUITABILITY, AND SECURITY CLEARANCE DECISION-MAKING GUIDE"
+ description: >-
+ As a result of an initiative to create a more simplified system of Federal Government
+ investigative and adjudicative procedures that applies to all persons, including contract
+ personnel, who perform work on behalf of the government, we are providing the attached
+ Credentialing, Suitability, and Security Clearance Decision-Making Guide.
+ This tool is for use in adjudicative decisions for HSPD-12 credentialing [and]
+ suitability determinations.
+ published: 2008-01-14
+ externalURL: "https://www.opm.gov/suitability/suitability-executive-agent/policy/decision-making-guide.pdf"
+ authored-by:
+ - *OPM
+ ficam-services:
+ - Identity Management - Identity Proofing
+ - Credential Management - Generation & Issuance
+- &M1903
+ type: Policy
+ shortName: "M-19-03"
+ longName: "OMB Memo 19-03: Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program"
+ description: >-
+ Federal law and policy establish requirements for the proper handling of PII. To both ensure compliance
+ with those requirements and to manage privacy risks, SAOPs are required to review agency [High Value Assets]
+ and identify those that create, collect, use, process, store, maintain, disseminate, disclose, or dispose of PII.
+ published: 2018-12-10
+ externalURL: "https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf"
+ authored-by:
+ - *OMB
+ ficam-services:
+ - Access Management - Authentication
+ - Access Management - Privileged Access Management
+ - Credential Management - Generation & Issuance
+ - Federation - Attribute Exchange
+- &A108
+ type: Policy
+ shortName: "OMB Circular A-108"
+ longName: "OMB Circular A-108: Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act"
+ description: >-
+ This circular describes agency responsibilities for implementing the review, reporting, and
+ publication requirements of the Privacy Act of 1974 and related OMB policies.
+ published: 2016-12-23
+ externalURL: "https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A108/omb_circular_a-108.pdf"
+ authored-by:
+ - *OMB
+ authorized-by:
+ - *PRIVACYACT1974
+ - *FISMA2014
+ ficam-services:
+ - Federation
+ - Governance
+- &M2209
+ type: Policy
+ shortName: "M-22-09"
+ longName: "OMB Memo 22-09: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles"
+ description: >-
+ This strategy places significant emphasis on stronger enterprise identity and access controls,
+ including multi-factor authentication (MFA).
+ published: 2022-01-26
+ externalURL: "https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf"
+ authored-by:
+ - *OMB
+ authorized-by:
+ - *EO14028
+ ficam-services:
+ - Identity Management
+ - Access Management
+ - Credential Management
+ - Governance
+- &5CFR731
+ type: Policy
+ shortName: "5 CFR 731"
+ longName: "Code of Federal Regulations Chapter 5, Part 731"
+ description: >-
+ Establish criteria and procedures for making determinations of suitability and for taking suitability
+ actions during the onboarding of employmees in covered positions.
+ published: 2008-04-15
+ externalURL: "https://www.ecfr.gov/current/title-5/chapter-I/subchapter-B/part-731"
+ authored-by:
+ - *OPM
+ authorized-by:
+ - *EO13467
+ ficam-services:
+ - Identity Management
+ - Credential Management
+ - Federation
+#
+# SECTION: GUIDANCE
+#
+- &SP800207
+ type: Guidance
+ shortName: "NIST SP 800-207"
+ longName: "NIST Special Publication 800-207: Zero Trust Architecture"
+ description: >-
+ This document is intended to describe zero trust for enterprise security architects. Zero trust
+ architecture depends on well strong authentication of all entities within the the environment, and
+ well defined authorization rules.
+ published: 2020-08-11
+ externalURL: "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf"
+ authored-by:
+ - *NIST
+ ficam-services:
+ - Identity Management
+ - Credential Management
+- &CLOUDSECREFARCH
+ type: Guidance
+ shortName: "Cloud Security Architecture"
+ longName: "Cloud Security Technical Reference Architecture"
+ description: >-
+ [The] Cloud Security Technical Reference Architecture [illustrates] recommended approaches
+ to cloud migration and data protection for agency data collection and reporting that leverages
+ Cloud Security Posture Management (CSPM). Provides specific guidance on implementation of ICAM
+ controls for policy enforcement.
+ published: 2022-06-01
+ externalURL: "https://www.cisa.gov/sites/default/files/2023-05/Cloud%20Security%20Technical%20Reference%20Architecture%20v2.pdf"
+ authored-by:
+ - *CISA
+ - *USDS
+ - *FEDRAMP
+ authorized-by:
+ - *EO14028
+- &ZEROTRUSTMATURITY
+ type: Guidance
+ shortName: "Zero Trust Maturity Model"
+ longName: "Zero Trust Maturity Model"
+ description: >-
+ CISA's Zero Trust Maturity Model (ZTMM) provides an approach to achieve continued modernization
+ efforts related to zero trust within a rapidly evolving environment and technology landscape.
Section
+ 5.1, Identity, presents a maturity model for Identity Management in the context of Zero Trust.
+ published: 2023-04-11
+ externalURL: "https://www.cisa.gov/sites/default/files/2023-04/CISA_Zero_Trust_Maturity_Model_Version_2_508c.pdf"
+ authored-by:
+ - *CISA
+ authorized-by:
+ - *EO14028
+- &SSOPLAYBOOK
+ type: Guidance
+ shortName: "SSO Playbook"
+ longName: "Enterprise Single Sign-On Playbook"
+ description: >-
+ The Enterprise Single Sign-On (SSO) Playbook is a practical guide to help federal agencies
+ implement or modernize an SSO service for federal employee access to government applications.
+ published: 2021-02-12
+ externalURL: "https://playbooks.idmanagement.gov/playbooks/sso/"
+ authored-by:
+ - *ICAMSC
+ - *GSA
+ ficam-services:
+ - Federation
+- &ICAMGOVFRAMEWORK
+ type: Guidance
+ shortName: "ICAM Governance Framework"
+ longName: "Identity, Credential, and Access Management Governance Framework"
+ description: >-
+ The ICAM Governance Frameowork Working Group, composed of ICAM practitioners from
+ several federal agencies, developed this ICAM Governance Framework as a tool to help
+ agencies build and improve ICAM governance structures, processes, and policies.
+ published: 2021-09-01
+ externalURL: "https://playbooks.idmanagement.gov/docs/playbook-identity-governance-framework.pdf"
+ authored-by:
+ - *ICAMSC
+ ficam-services:
+ - Governance
+- &NISTIR8149
+ type: Guidance
+ shortName: "NISTIR 8149"
+ longName: "NIST Interagency Report 8149: Developing Trust Frameworks to Support Identity Federations"
+ description: >-
+ Desecribes trust frameworks for identity federations, which provide a secure method for leveraging shared
+ identity credentials across communities of similarly-focused online service providers.
+ published: 2018-01-12
+ externalURL: "https://csrc.nist.gov/publications/detail/nistir/8149/final"
+ authored-by:
+ - *NIST
+ ficam-services:
+ - Federation - Policy Alignment
+- &NISTIR8335
+ type: Guidance
+ shortName: "NISTIR 8335"
+ longName: "NIST Interagency Report 8335: Identity as a Service for Public Safety Organizations"
+ description: >-
+ This report informs [Public Safety Organizations] about [Identity as a Service] and how they can
+ benefit from it.
+ published: 2021-06-16
+ externalURL: "https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8335-draft.pdf"
+ authored-by:
+ - *NIST
+ ficam-services:
+ - Access Management - Authentication
+- &SP180013
+ type: Guidance
+ shortName: "NIST SP 1800-13"
+ longName: "NIST SPECIAL PUBLICATION 1800-13A Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders"
+ description: >-
+ This NIST Cybersecurity Practice Guide describes how organizations can implement Mobile SSO
+ technologies to enhance public safety mission capabilities by using standards-based
+ commercially available or open-source products.
+ published: 2021-08-25
+ authored-by:
+ - *NIST
+ ficam-services:
+ - Identity Management
+ - Credential Management
+- &CLOUDVULN
+ type: Guidance
+ shortName: "Mitigating Cloud Vulnerabilities"
+ longName: "National Security Agency - Cybersecurity Information: Mitigating Cloud Vulnerabilities"
+ description: >-
+ This document contains specific recommendations for improving ICAM practices to reduce cloud
+ vulnerabilities.
+ published: 2020-01-22
+ externalURL: "https://media.defense.gov/2020/Jan/22/2002237484/-1/-1/0/CSI-MITIGATING-CLOUD-VULNERABILITIES_20200121.PDF"
+ authored-by:
+ - *NSA
+ ficam-services:
+ - Access Management - Authentication
+ - Access Management - Authorization
+- &NISTIR7966
+ type: Guidance
+ shortName: "NISTIR 7966"
+ longName: "NIST Interagency Report 7966: Security of Interactive and Automated Access Management Using Secure Shell (SSH)"
+ description: >-
+ The purpose of this document is to assist organizations in understanding the basics of Secure Shell (SSH)
+ and SSH access management in an enterprise, focusing on the management of SSH user keys.
+ published: 2015-10-15
+ externalURL: "http://dx.doi.org/10.6028/NIST.IR.7966"
+ authored-by:
+ - *NIST
+ ficam-services:
+ - Credential Management - Generation & Issuance
+ - Credential Management - Maintenance
+ - Access Management - Privileged Access Management
+ - Access Management - Authentication
+- &GUIDEINSIDERTHREAT
+ type: Guidance
+ shortName: "Common Sense Guide to Mitigating Insider Threats, Sixth Edition"
+ longName: "Common Sense Guide to Mitigating Insider Threats, Sixth Edition"
+ description: >-
+ This sixth edition of the Common Sense Guide to Mitigating Insider Threats provides the current
+ recommendations of the CERT Division (part of Carnegie Mellon University's Software Engineering
+ Institute), based on an expanded corpus of more than 1,500 insider threat cases and continued
+ research and analysis. It introduces the topic of insider threats, describes its intended audience,
+ outlines changes for this edition, defines insider threats, and outlines current trends. The guide
+ then describes 21 practices that organizations should implement to prevent and detect insider
+ threats, as well as case studies of organizations that failed to do so.
+ published: 2019-02-01
+ externalURL: "https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=540644"
+ authored-by:
+ - *CMU
+ ficam-services:
+ - Access Management - Privileged Access Management
+- &SOFAB
+ type: Guidance
+ shortName: "SOFA-B"
+ longName: "Strength of Function for Authenticators (SOFA) Biometrics"
+ description: >-
+ This paper [...] outlines a process intended to support the evaluation of biometric authenticators
+ and—ultimately—multiple authentication mechanisms.
+ published: 2016-08-11
+ externalURL: "https://pages.nist.gov/SOFA/SOFA.html"
+ authored-by:
+ - *NIST
+ ficam-services:
+ - Credential Management
+- &TRANSITIONMFA
+ type: Guidance
+ shortName: "Transition to Multi-factor Authentication"
+ longName: "Transition to Multi-factor Authentication"
+ description: >-
+ These guidelines provide technical requirements for federal agencies implementing digital
+ identity services and are not intended to constrain the development or use of standards outside
+ of this purpose. The guidelines cover identity proofing and authentication of users (such as
+ employees, contractors, or private individuals) interacting with government IT systems over
+ open networks. They define technical requirements in each of the areas of identity proofing,
+ registration, authenticators, management processes, authentication protocols, federation, and
+ related assertions.
+ published: 2019-08-30
+ externalURL: "https://media.defense.gov/2019/Sep/09/2002180346/-1/-1/0/Transition%20to%20Multi-factor%20Authentication%20-%20Copy.pdf"
+ authored-by:
+ - *NSA
+ ficam-services:
+ - Access Management - Authentication
+- &FICAMARCH
+ type: Guidance
+ shortName: "FICAM Architecture"
+ longName: "Federal Identity, Credential, and Access Management (FICAM) Architecture"
+ description: "This version of the FICAM Architecture encompasses the enterprise ICAM policies, technologies, and system approaches for government employees, contractors, and authorized partners."
+ published: 2021-01-06
+ externalURL: "https://playbooks.idmanagement.gov/arch/"
+ authored-by:
+ - *ICAMSC
+ ficam-services:
+ - Identity Management - Identity Proofing
+ - Credential Management - Generation & Issuance
+ - Credential Management - Revocation
+ - Access Management - Authentication
+ - Federation - Policy Alignment
+- &ICAMPMPLAYBOOK
+ type: Guidance
+ shortName: "ICAM PM Playbook"
+ longName: "Identity, Credential, and Access Management Program Management Playbook"
+ description: "The ICAM Program Management Playbook explains how to plan and implement an Identity, Credential, and Access Management (ICAM) Program, as outlined in the Federal Identity, Credential, and Access Management (FICAM) Architecture."
+ published: 2022-06-10
+ externalURL: "https://playbooks.idmanagement.gov/pm/"
+ authored-by:
+ - *ICAMSC
+ ficam-services:
+ - Federation - Policy Alignment
+- &FPKIGUIDE
+ type: Guidance
+ shortName: "FPKI Guide"
+ longName: "Federal Public Key Infrastructure Guide"
+ description: "This guide describes the structure, purpose, and current operational status of the FPKI."
+ externalURL: "https://playbooks.idmanagement.gov/fpki/"
+ authored-by:
+ - *ICAMSC
+ ficam-services:
+ - Credential Management
+- &PACSGUIDE
+ type: Guidance
+ shortName: "PACS Guide"
+ longName: "Physical Access Control System Guide"
+ description: >-
+ The Physical Access Control System (PACS) Guides will help you understand concepts related
+ to Federal Identity, Credential, and Access Management-compliant PACSs.
+ externalURL: "https://playbooks.idmanagement.gov/pacs/"
+ authored-by:
+ - *ICAMSC
+ ficam-services:
+ - Access Management
+- &PIVGUIDE
+ type: Guidance
+ shortName: "PIV Guides"
+ longName: "Personal Identity Verification Guides"
+ description: >-
+ These Personal Identity Verification (PIV) Guides are intended to help you implement common
+ PIV configurations at your organization.
The guides focus on using PIV credentials for logical
+ access such as authenticating to networks or applications or digitally signing and encrypting.
+ externalURL: "https://playbooks.idmanagement.gov/piv/"
+ authored-by:
+ - *ICAMSC
+ ficam-services:
+ - Access Management - Authentication
+- &PLAYBOOKS
+ type: Guidance
+ shortName: "FICAM Playboks"
+ longName: "FICAM Playbooks"
+ description: >-
+ A playbook is a comprehensive guide on a technical topic, describing both overarching strategy
+ and tactical approaches. These playbooks cover a variety of FICAM relevant subjects.
+ externalURL: "https://playbooks.idmanagement.gov/playbooks/"
+ authored-by:
+ - *ICAMSC
+- &FBCAPROF
+ type: Guidance
+ shortName: "FBCA Profiles"
+ longName: "Federal Bridge Certification Authority (FBCA) X.509 Certificate and CRL Extensions Profile"
+ description: >-
+ This document specifies the profiles for X.509 certificates and certificate revocation lists (CRLs)
+ associated with CAs cross-certified with the Federal Bridge Certification Authority (FBCA).
+ published: 2022-10-18
+ authored-by:
+ - *FPKIPA
+- &COMMONPROF
+ type: Guidance
+ shortName: "Common Profiles"
+ longName: "Common Policy X.509 Certificate and Certificate Revocation List (CRL) Profiles"
+ description: >-
+ This document specifies the profiles for certificates and CRLs issued under the X.509
+ Certificate Policy for the U.S. Federal PKI Common Policy Framework [COMMON]
+ and that have a trust path to the Federal Common Policy CA operated by the Federal PKI
+ Management Authority.
+ published: 2022-09-30
+ authored-by:
+ - *FPKIPA
+- &IAMROADMAP
+ type: Guidance
+ shortName: "NIST IAM Roadmap"
+ longName: "National Institute of Standards and Technology Identity and Access Management Roadmap"
+ description: "[A] roadmap for developing new and updating existing NIST guidance related to Identity and Access Management (ICAM)."
+ externalURL: "https://www.nist.gov/identity-access-management/identity-and-access-management-roadmap"
+ published: 2023-04-21
+ authored-by:
+ - *NIST
+ authorized-by:
+ - *M1917
+ ficam-services:
+ - Identity Management - Identity Proofing
+ - Credential Management - Generation & Issuance
+ - Credential Management - Revocation
+ - Federation - Policy Alignment
+- &SP80063
+ type: Guidance
+ shortName: "NIST SP 800-63"
+ longName: "NIST Special Publication 800-63-4: Digital Identity Guidelines"
+ description: >-
+ These guidelines provide technical requirements for federal agencies implementing digital identity
+ services and are not intended to constrain the development or use of standards outside of this purpose.
+ The guidelines cover identity proofing and authentication of users (such as employees, contractors, or
+ private individuals) interacting with government IT systems over open networks. They define technical
+ requirements in each of the areas of identity proofing, registration, authenticators, management
+ processes, authentication protocols, federation, and related assertions.
+ externalURL: "https://pages.nist.gov/800-63-4/sp800-63/abstract/"
+ published: 2022-12-16
+ authored-by:
+ - *NIST
+ authorized-by:
+ - *M1917
+ - *FISMA2014
+ - *A130
+ ficam-services:
+ - Identity Management - Identity Proofing
+ - Credential Management
+ - Federation
+ - Governance
+- &SP80063A
+ type: Guidance
+ shortName: "NIST SP 800-63A"
+ longName: "NIST Special Publication 800-63A-4: Enrollment and Identity Proofing"
+ description: >-
+ This guideline focuses on the enrollment and verification of an identity for use in digital services.
+ Central to this is a process known as identity proofing in which an applicant provides evidence to a
+ credential service provider (CSP) reliably identifying themselves, thereby allowing the CSP to assert
+ that identification at an Identity Assurance Level (IAL).
This document defines technical requirements
+ for each of the three IALs.
+ externalURL: "https://csrc.nist.gov/publications/detail/sp/800-63a/4/draft"
+ published: 2022-12-16
+ authored-by:
+ - *NIST
+ authorized-by:
+ - *M1917
+ - *FISMA2014
+ - *A130
+ ficam-services:
+ - Identity Management
+ - Credential Management
+- &SP80063B
+ type: Guidance
+ shortName: "NIST SP 800-63B"
+ longName: "NIST Special Publication 800-63B-4: Authentication and Lifecycle Management"
+ description: >-
+ These guidelines focus on the authentication of subjects interacting with government systems over open
+ networks, establishing that a given claimant is a subscriber who has been previously authenticated. The
+ result of the authentication process may be used locally by the system performing the authentication or
+ may be asserted elsewhere in a federated identity system. This document defines technical requirements
+ for each of the three Authentication Assurance Levels (AALs).
+ externalURL: "https://csrc.nist.gov/publications/detail/sp/800-63b/4/draft"
+ published: 2022-12-16
+ authored-by:
+ - *NIST
+ authorized-by:
+ - *M1917
+ - *FISMA2014
+ - *A130
+ ficam-services:
+ - Access Management - Authentication
+- &SP80063C
+ type: Guidance
+ shortName: "NIST SP 800-63C"
+ longName: "NIST Special Publication 800-63C-4: Federation and Assertions"
+ description: >-
+ These guidelines provide technical requirements for federal agencies implementing digital identity services
+ and are not intended to constrain the development or use of standards outside of this purpose. This guideline
+ focuses on the use of federated identity and the use of assertions to implement identity federations.
+ Federation allows a given CSP to provide authentication and (optionally) subscriber attributes to a number
+ of separately-administered relying parties. Similarly, relying parties may use more than one CSP.
+ externalURL: "https://csrc.nist.gov/publications/detail/sp/800-63c/4/draft"
+ published: 2022-12-16
+ authored-by:
+ - *NIST
+ authorized-by:
+ - *M1917
+ - *FISMA2014
+ - *A130
+ ficam-services:
+ - Federation
+- &FEDRAMPDIDREQS
+ type: Guidance
+ shortName: "FedRamp Digital Identity Requirements"
+ longName: "FedRamp Digital Identity Requirements"
+ description: >-
+ This document provides revised guidance and requirements on digital identity capabilities in support of
+ achieving and maintaining a Federal Risk and Authorization Management Program (FedRAMP) security
+ authorization.
+ published: 2018-01-31
+ externalURL: "https://s3.amazonaws.com/sitesusa/wp-content/uploads/var/www/html/sites/www/app/wordpress/wp-content/blogs.dir/482/files/2016/06/FedRAMP_Digital_Identity_Requirements_v1.0.pdf"
+ authored-by:
+ - *FEDRAMP
+ subspec-of:
+ - *SP80063
+ ficam-services:
+ - Identity Management
+- &SP800116
+ type: Guidance
+ shortName: "NIST SP 800-116"
+ longName: "NIST Special Publication 800-116 Rev. 1: Guidelines for the Use of PIV Credentials in Facility Access"
+ description: "This recommendation provides a technical guideline to use Personal Identity Verification (PIV) Cards in facility access; enabling federal agencies to operate as government-wide interoperable enterprises."
+ externalURL: "https://csrc.nist.gov/publications/detail/sp/800-116/rev-1/final"
+ published: 2018-07-29
+ authored-by:
+ - *NIST
+ authorized-by:
+ - *HSPD12
+ ficam-services:
+ - Identity Management - Identity Proofing
+ - Credential Management
+ - Access Management
+ - Governance
+- &PIVPRIV
+ type: Guidance
+ shortName: "PIV Privileged User Guide"
+ longName: "Best Practices for Privileged User PIV Authentication"
+ description: >-
+ This white paper further explains the need for multi-factor PIV-based user authentication to take the place of password-based
+ single-factor authentication for privileged users.
It also provides best practices for agencies implementing PIV authentication
+ for privileged users
+ published: 2016-04-21
+ externalURL: "https://doi.org/10.6028/NIST.CSWP.04212016"
+ authored-by:
+ - *NIST
+ authorized-by:
+ - *M1916
+ ficam-services:
+ - Access Management - Privileged Access Management
+ - Credential Management
+ - Identity Management
+- &SP800205
+ type: Guidance
+ shortName: "NIST SP 800-205"
+ longName: "NIST Special Publication 800-205: Attribute Considerations for Access Control Systems"
+ description: >-
+ This document aims to provide federal agencies with a guide to attribute
+ considerations with Attribute Evaluation Scheme examples for access control.
+ published: 2019-06-18
+ externalURL: "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-205.pdf"
+ authored-by:
+ - *NIST
+ authorized-by:
+ - *FISMA2014
+ ficam-services:
+ - Access Management
+- &SP80053
+ type: Guidance
+ shortName: "NIST SP 800-53"
+ longName: "NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations"
+ description: >-
+ This guideline provides a catalog of security and privacy controls for federal information systems and
+ organizations and a process for selecting controls to protect organizational operations, assets,
+ individuals, other organizations, and the Nation from a diverse set of threats.
+ published: 2020-12-10
+ externalURL: "https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final"
+ authored-by:
+ - *NIST
+ authorized-by:
+ - *FISMA2014
+ ficam-services:
+ - Identity Management
+- &SP80053A
+ type: Guidance
+ shortName: "NIST SP 800-53A"
+ longName: "NIST Special Publication 800-53 Revision 5: Security and Privacy Controls for Information Systems and Organizations"
+ description: >-
+ This guideline provides a set of procedures for conducting assessments of security controls and privacy
+ controls employed within federal information systems and organizations.
The assessment procedures,
+ executed at various phases of the system development life cycle, are consistent with the security and
+ privacy controls in NIST Special Publication 800-53, Revision 5.
+ published: 2022-01-25
+ authored-by:
+ - *NIST
+ authorized-by:
+ - *FISMA2014
+- &SP800162
+ type: Guidance
+ shortName: "NIST SP 800-162"
+ longName: "NIST Special Publication 800-162: Guide to Attribute Based Access Control (ABAC) Definition and Considerations"
+ description: >-
+ This guideline provides federal agencies with a definition of ABAC. ABAC is a logical access control
+ methodology in which authorization to perform a set of operations is determined by evaluating attributes
+ associated with the subject, object, requested operations, and, in some cases, environment conditions
+ against policy, rules, or relationships that describe the allowable operations for a given set of attributes.
+ externalURL: "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-162.pdf"
+ published: 2019-08-02
+ authored-by:
+ - *NIST
+ authorized-by:
+ - *FISMA2014
+ ficam-services:
+ - Access Management
+- &SP800122
+ type: Guidance
+ shortName: "NIST SP 800-122"
+ longName: "NIST Special Publication 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)"
+ description: >-
+ This guideline assists federal agencies in protecting the confidentiality of a specific category of data
+ commonly known as PII. This document provides practical, context-based guidance for identifying PII and
+ determining what level of protection is appropriate for each instance of PII. The document also suggests
+ safeguards that may offer appropriate levels of protection for PII and provides recommendations for
+ developing response plans for breaches involving PII.
+ externalURL: "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf"
+ published: 2010-04-06
+ authored-by:
+ - *NIST
+ authorized-by:
+ - *FISMA2014
+ ficam-services:
+ - Identity Management
+ - Credential Management
+- &NISTRMF
+ type: Guidance
+ shortName: "NIST RMF"
+ longName: "NIST Risk Management Framework"
+ description: >-
+ The Risk Management Framework provides a process that integrates security, privacy, and cyber supply
+ chain risk management activities into the system development life cycle. The risk-based approach to
+ control selection and specification considers effectiveness, efficiency, and constraints due to
+ applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing
+ organizational risk is paramount to effective information security and privacy programs; the RMF approach
+ can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems),
+ and within any type of organization regardless of size or sector.
+ externalURL: "https://csrc.nist.gov/projects/risk-management"
+ published: 2023-02-23
+ authored-by:
+ - *NIST
+- &SP80037
+ type: Guidance
+ shortName: SP 800-37
+ longName: "NIST Special Publication 800-37 Revision 2: Risk Management Framework for Information Systems and Organizations"
+ description: >-
+ This publication describes the Risk Management Framework (RMF) and provides guidelines for
+ applying the RMF to information systems and organizations. The RMF provides a disciplined,
+ structured, and flexible process for managing security and privacy risk that includes information
+ security categorization; control selection, implementation, and assessment; system and
+ common control authorizations; and continuous monitoring. The RMF includes activities to
+ prepare organizations to execute the framework at appropriate risk management levels.
The
+ RMF also promotes near real-time risk management and ongoing information system and
+ common control authorization through the implementation of continuous monitoring
+ processes; provides senior leaders and executives with the necessary information to make
+ efficient, cost-effective, risk management decisions about the systems supporting their missions
+ and business functions; and incorporates security and privacy into the system development life
+ cycle. Executing the RMF tasks links essential risk management processes at the system level to
+ risk management processes at the organization level. In addition, it establishes responsibility
+ and accountability for the controls implemented within an organization's information systems
+ and inherited by those systems.
+ externalURL: "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf"
+ published: 2018-12-20
+ authored-by:
+ - *NIST
+ authorized-by:
+ - *FISMA2014
+- &PRIVACYFRAMEWORK
+ type: Guidance
+ shortName: "NIST Privacy Framework"
+ longName: "The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management"
+ description: >-
+ The Privacy Framework is a voluntary tool intended to help organizations identify and manage
+ privacy risk to build innovative products and services while protecting individuals' privacy.
+ The Privacy Framework approach to privacy risk is to consider privacy events as potential problems
+ individuals could experience arising from system, product, or service operations with data, whether
+ in digital or non-digital form, through a complete lifecycle from data collection through disposal.
+ published: 2020-01-08
+ externalURL: "https://www.nist.gov/privacy-framework/privacy-framework"
+ authored-by:
+ - *NIST
+- &APPRATIONALIZATION
+ type: Guidance
+ shortName: "Application Rationalization Playbook"
+ longName: "The Application Rationalization Playbook: An Agency Guide to Portfolio Management"
+ description: >-
+ This playbook is a practical guide for application rationalization and IT portfolio management under
+ the federal government's Cloud Smart initiatives. Application rationalization will help federal agencies
+ mature IT portfolio management capabilities, empower leaders to make informed decisions, and improve
+ the delivery of key mission and business services. It requires buy-in from stakeholders across the
+ enterprise, including senior leaders, technology staff members, cybersecurity experts, business leads,
+ financial practitioners, acquisition and procurement experts, and end user communities. Rationalization
+ efforts rely on leadership support and continual engagement with stakeholders to deliver sustainable
+ change.
+ published: 2019-06-01
+ externalURL: "https://www.cio.gov/assets/files/Application-Rationalization-Playbook.pdf"
+ authored-by:
+ - *CIOCOUNCIL
+ authorized-by:
+ - *M1919
+- &SP800171
+ type: Guidance
+ shortName: SP 800-171
+ longName: "NIST Special Publication 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations"
+ description: >-
+ This publication provides guidance for operators of non-federal (e.g. commercial) systems hosting Controlled
+ Unclassified Information (CUI). It includes several FICAM relevant requirements.
+ published: 2021-01-28
+ externalURL: "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf"
+ authored-by:
+ - *NIST
+ authorized-by:
+ - *EO13556
+ ficam-services:
+ - Access Management
+ - Credential Management
+- &HTTPSGUIDE
+ type: Guidance
+ shortName: HTTPS Compliance Guide
+ longName: "Compliance Guide: The HTTPS-Only Standard"
+ description: >-
+ This site contains a web-friendly version of the White House Office of Management and Budget memorandum
+ M-15-13, “A Policy to Require Secure Connections across Federal Websites and Web Services”, and provides
+ technical guidance and best practices to assist in its implementation. It requires use of a publicly
+ trusted certificate for federal web services.
+ externalURL: "https://https.cio.gov/guide/#are-federally-operated-certificate-revocation-services-crl-ocsp-also-required-to-move-to-https"
+ authored-by:
+ - *CIOCOUNCIL
+ authorized-by:
+ - *M1513
+- &PIVEPACS
+ type: Guidance
+ shortName: "PIV in E-PACS"
+ longName: "Personal Identity Verification (PIV) in Enterprise Physical Access Control Systems (E-PACS)"
+ description: >-
+ The sole purpose of this document is to provide detailed technical and security guidance for leveraging
+ PIV and PIV-I authentication mechanisms in a federal agency PACS to comply with directives such as
+ [OMB M-11-11] and to provide interoperability across the federal enterprise, respectively.
+ published: 2014-03-26
+ externalURL: "https://www.idmanagement.gov/docs/pacs-piv-epacs.pdf"
+ authored-by:
+ - *ICAMSC
+- &RISKMANAGEMENTFACILITIES
+ type: Guidance
+ shortName: "Risk Management Process for Federal Facilities"
+ longName: "The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard"
+ description: >-
+ The Risk Management Process for Federal Facilities: An Interagency Security Committee
+ Standard (Standard), 2nd Edition defines the criteria and processes that those responsible for the
+ security of a facility should use to determine its facility security level (FSL) and provides an
+ integrated, single source of physical security countermeasures for all Federal facilities.
+ published: 2016-11-01
+ externalURL: "https://www.cisa.gov/sites/default/files/publications/isc-risk-management-process-2016-508.pdf"
+ authored-by:
+ - *ISC
+ authorized-by:
+ - *EO13286
+ ficam-services:
+ - Access Management
+- &80053PACSOVERLAY
+ type: Guidance
+ shortName: "ePACS 800-53 Overlay"
+ longName: "Security Control Overlay of Special Publication 800-53 Revision 5: Security Controls for electronic Physical Access Control Systems (ePACS)"
+ description: >-
+ [T]he purpose of this document is to assist those entities responsible for physical and cyber security:
+ 1. Provide minimum applicable IT security controls and related supplemental guidance to
+ appropriately secure and administer ePACS
+ 2. Establish a relationship between IT system security controls and ePACS operational
+ configurations using a standardized risk-based approach
+ 3. Develop an initial foundation for an ePACS operational assessment by providing
+ supplemental guidance for the implementation of authentication mechanisms in ePACS
+ as defined in NIST [SP 800-116]
+ 4.
Define initial responsibilities for implementation and use of this overlay
+ published: 2020-12-24
+ externalURL: "https://www.idmanagement.gov/docs/pacs-800-53-overlay.pdf"
+ authored-by:
+ - *PACSMODWG
+ authorized-by:
+ - *M1917
+- &80053FPKIOVERLAY
+ type: Guidance
+ shortName: "FPKI 800-53 Overlay"
+ longName: "Security Control Overlay of NIST Special Publication 800-53 Revision 5 Security Controls for Federal PKI Systems"
+ description: >-
+ While many NIST [SP 800-53] controls apply to FPKI service operators as written, some controls require
+ specific interpretation or augmentation. This overlay leverages [COMMON] to tailor appropriate [SP 800-
+ 53] controls to facilitate implementation.
+ published: 2021-02-26
+ externalURL: "https://www.idmanagement.gov/docs/fpki-overlay-sp-800-53.pdf"
+ authored-by:
+ - *FPKIPA
+- &FIPS201
+ type: Guidance
+ shortName: "FIPS 201"
+ longName: "Personal Identity Verification (PIV) of Federal Employees and Contractors"
+ published: 2022-01-01
+ description: >-
+ This document establishes a standard for a Personal Identity Verification (PIV) system that meets the
+ control and security objectives of Homeland Security Presidential Directive-12.
+ externalURL: "https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-3.pdf"
+ scope:
+ - "Workforce Identity"
+ ficam-services:
+ - "Identity Management - Identity Proofing"
+ authorized-by:
+ - *HSPD12
+ authored-by:
+ - *NIST
+- &SP80087
+ type: Guidance
+ shortName: "NIST SP 800-87"
+ longName: "NIST Special Publication 800-87: Codes for Identification of Federal and Federally-Assisted Organizations"
+ description: >-
+ This document provides the organizational codes for federal agencies to establish the Federal Agency Smart
+ Credential Number (FASC-N) that is required to be included in the FIPS 201 Card Holder Unique Identifier.
+ SP 800-87 is a companion document to FIPS 201.
+ externalURL: "https://csrc.nist.gov/publications/detail/sp/800-87/rev-2/final"
+ published: 2018-04-19
+ authored-by:
+ - *NIST
+ subspec-of:
+ - *FIPS201
+ authorized-by:
+ - *HSPD12
+ ficam-services:
+ - Identity Management
+ - Governance - Identity Governance
+- &SP80096
+ type: Guidance
+ shortName: "NIST SP 800-96"
+ longName: "NIST Special Publication 800-96: PIV Card to Reader Interoperability Guidelines"
+ description: "The purpose of this document is to present recommendations for Personal Identity Verification (PIV) card readers in the area of performance and communications characteristics to foster interoperability."
+ externalURL: "https://csrc.nist.gov/publications/detail/sp/800-96/final"
+ published: 2006-12-29
+ authored-by:
+ - *NIST
+ subspec-of:
+ - *FIPS201
+ ficam-services:
+ - Identity Management
+ - Governance - Identity Governance
+- &SP80073
+ type: Guidance
+ shortName: "NIST SP 800-73"
+ longName: "NIST Special Publication 800-73-4: Interfaces for Personal Identity Verification"
+ description: "This document, SP 800-73, contains the technical specifications to interface with the smart card to retrieve and use the PIV identity credentials."
+ externalURL: "https://csrc.nist.gov/publications/detail/sp/800-73/4/final"
+ published: 2016-02-12
+ authored-by:
+ - *NIST
+ subspec-of:
+ - *FIPS201
+ ficam-services:
+ - Identity Management - Maintenance
+ - Governance - Identity Governance
+ - Federation - Attribute Exchange
+- &SP80079
+ type: Guidance
+ shortName: "NIST SP 800-79"
+ longName: "NIST Special Publication 800-79-2: Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)"
+ description: "The purpose of this SP is to provide appropriate and useful guidelines for assessing the reliability of issuers of PIV Cards and Derived PIV Credentials."
+ externalURL: "https://csrc.nist.gov/publications/detail/sp/800-79/2/final"
+ published: 2016-02-12
+ authored-by:
+ - *NIST
+ subspec-of:
+ - *FIPS201
+ ficam-services:
+ - Federation - Policy Alignment
+- &SP80085
+ type: Guidance
+ shortName: "NIST SP 800-85"
+ longName: "NIST Special Publication 800-85B: PIV Data Model Test Guidelines"
+ description: "In order to build the necessary PIV infrastructure to support common unified processes and government-wide use of identity credentials, NIST developed this test guidance document that ensures interoperability of PIV data."
+ externalURL: "https://csrc.nist.gov/publications/detail/sp/800-85b/final"
+ published: 2006-07-31
+ authored-by:
+ - *NIST
+ subspec-of:
+ - *FIPS201
+ ficam-services:
+ - Governance - Identity Governance
+ - Federation - Policy Alignment
+ - Identity Management
+- &SP800157
+ type: Guidance
+ shortName: "NIST SP 800-157"
+ longName: "NIST Special Publication 800-157: Guidelines for Derived Personal Identity Verification (PIV) Credentials"
+ description: "This recommendation provides technical guidelines for the implementation of standards-based, secure, reliable, interoperable public key infrastructure (PKI) based identity credentials that are issued by Federal departments and agencies to individuals who possess and prove control over a valid PIV Card."
+ externalURL: "https://csrc.nist.gov/publications/detail/sp/800-157/final"
+ published: 2014-12-19
+ authored-by:
+ - *NIST
+ subspec-of:
+ - *FIPS201
+ ficam-services:
+ - Identity Management - Identity Proofing
+ - Credential Management - Generation & Issuance
+ - Credential Management - Revocation
+ - Federation - Policy Alignment
+- &SP80076
+ type: Guidance
+ shortName: "NIST SP 800-76"
+ longName: "NIST Special Publication 800-76-2: Biometric Specifications for Personal Identity Verification"
+ description: "This document [...]
describes technical acquisition and formatting specifications for the PIV system, including the PIV Card itself. It also establishes minimum accuracy specifications for deployed biometric authentication processes."
+ externalURL: "https://csrc.nist.gov/publications/detail/sp/800-76/2/final"
+ published: 2013-07-11
+ authored-by:
+ - *NIST
+ subspec-of:
+ - *FIPS201
+ ficam-services:
+ - Identity Management - Maintenance
+ - Governance - Identity Governance
+ - Federation - Attribute Exchange
+- &SP80078
+ type: Guidance
+ shortName: "NIST SP 800-78"
+ longName: "NIST Special Publication 800-78: Cryptographic Algorithms and Key Sizes for Personal Identity Verification"
+ description: "This document contains the technical specifications needed for the mandatory and optional cryptographic keys specified in FIPS 201-2 as well as the supporting infrastructure specified in FIPS 201-2 and the related NIST Special Publication 800-73-4, Interfaces for Personal Identity Verification [SP800-73], and NIST SP 800-76-2, Biometric Specifications for Personal Identity Verification [SP800-76], that rely on cryptographic functions."
+ externalURL: "https://csrc.nist.gov/publications/detail/sp/800-78/4/final"
+ published: 2015-05-29
+ authored-by:
+ - *NIST
+ subspec-of:
+ - *FIPS201
+ - *SP80073
+ - *SP80076
+ ficam-services:
+ - Identity Management - Maintenance
+ - Governance - Identity Governance
+ - Federation - Attribute Exchange
+- &ICAMACQUISITION
+ type: Guidance
+ shortName: "ICAM Acquisition Guide"
+ longName: "Identity, Credential, and Access Management (ICAM) Acquisition Guidance"
+ description: >-
+ The goal of this document is to enable any organization, including the SLTT Community, to spend
+ its resources wisely on thoughtful and well-specified ICAM procurement activities that result in
+ an ICAM enabled system that includes multifactor authentication.
+ published: 2019-02-01 + externalURL: "https://www.dhs.gov/sites/default/files/publications/icam_acquisition_guidance_final_version_-_092019.pdf" + authored-by: + - *DHS +- &NISTIR8344 + type: Guidance + shortName: "NISTIR 8344" + longName: "Draft NIST Interagency Report (NISTIR) 8344: Ontology for Authentication" + description: >- + This document includes a survey of authentication mechanisms, establishing the need and + basis for authentication metrology (quantification), as well as key factors in + determining strength and management requirements when assessing an authentication + system in a given environment. + published: 2021-02-08 + externalURL: "https://doi.org/10.6028/NIST.IR.8344-draft" + authored-by: + - *NIST + ficam-services: + - Access Management - Authentication +- &SUITABILITYFAQ + type: Guidance + shortName: "HSPD-12/PIV Suspension and Revocation FAQ" + longName: "Frequently Asked Questions (FAQs) for Credentialing Standards Procedures for Issuing Personnel Identity Verification Cards under HSPD-12 and New Requirements for Suspension or Revocation of Eligibility for PIV Credentials" + description: >- + Attached are answers to some anticipated Frequently Asked Questions to assist you in + successfully implementing the Credentialing Procedures guidance. In particular, we call + your attention FAQ No. 13, which reminds agencies of their obligation to report HSPD-12 + fields into CVS. + published: 2021-01-01 + externalURL: "https://www.opm.gov/suitability/suitability-executive-agent/policy/faqs-january-2021.pdf" + authored-by: + - *OPM + authorized-by: + - *CREDSTANDARDS + ficam-services: + - Identity Management - Deactivation +- &SELECTINGMFA + type: Guidance + shortName: "Selecting Secure MFA" + longName: "Selecting Secure Multi-factor Authentication Solutions" + description: >- + U.S. 
Government Agencies and their partners who want to integrate secure alternatives to + PIV-based authentication need to support authorized users who will be employing personally + owned or partner-owned devices, such as smart phones and home or non-government office computers, + to access government or partner information systems containing sensitive information. By using + the objective criteria in this guidance, government organizations can make better informed + decisions about which multi-factor solutions meet their particular needs. And by following + the practical guidelines, users can reduce their risk exposure and become harder targets for + malicious threat actors. + published: 2020-10-01 + externalURL: "https://media.defense.gov/2020/Sep/22/2002502665/-1/-1/0/CSI_MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF" + authored-by: + - *DOD + authorized-by: + - *SP80063 + ficam-services: + - Access Management - Authentication +- &PACSBESTPRACTICES + type: Guidance + shortName: "Best Practices for Planning and Managing Physical Security Resources" + longName: "Best Practices for Planning and Managing Physical Security Resources: An Interagency Security Committee Guide" + description: >- + The Best Practices for Planning and Managing Physical Security Resources is a guide intended + to provide an introduction and understanding of the most efficient processes and procedures to + effectively allocate resources to implement physical security programs within Federal + departments and agencies. 
+ published: 2015-12-01 + externalURL: "https://www.cisa.gov/sites/default/files/publications/isc-planning-managing-physical-security-resources-dec-2015-508.pdf" + authored-by: + - *ISC +- &PACSRFP + type: Guidance + shortName: "Enterprise Physical Access Control Systems (E-PACS) Recommended Procurement Language for RFPs" + longName: "Enabling Strong Authentication with Personal Identification Verification Cards: Public Key Infrastructure (PKI) in Enterprise Physical Access Control Systems (E-PACS) Recommended Procurement Language for RFPs" + description: >- + This document provides language for E-PACS related procurements to ensure compliance with applicable policies + published: 2015-02-24 + externalURL: "https://www.idmanagement.gov/docs/pacs-pki-epacs-procurement.pdf" + authored-by: + - *GSA + authorized-by: + - *M1917 +- &FACILITYACCESSCONTROL + type: Guidance + shortName: "FACILITY ACCESS CONTROL" + longName: "FACILITY ACCESS CONTROL: An Interagency Security Committee Best Practice" + description: >- + This document provides guidance for federal Executive Branch departments and agencies regarding + access control requirements and options for individuals entering federally occupied space + published: 2020-12-17 + externalURL: "https://www.cisa.gov/sites/default/files/publications/Facility%20Access%20Control%20-%20An%20Interagency%20Security%20Committee%20Best%20Practice.pdf" + authored-by: + - *ISC + ficam-services: + - Access Management - Authentication + - Access Management - Authorization +- &APL + type: Guidance + shortName: "FICAM APL" + longName: "FICAM Approved Products List" + description: >- + The Approved Products List (APL) contains the official list of products tested for conformance to PIV Standards. + externalURL: "https://www.idmanagement.gov/buy/#products" + authored-by: + - *GSA + authorized-by: + - *FIPS201 + ficam-services: + - Governance diff --git a/_data/laws.yml b/_data/laws.yml new file mode 100644 index 000000000..d68263b5c 
--- /dev/null
+++ b/_data/laws.yml
@@ -0,0 +1,74 @@
+# GSA: IDManagement.gov
+# Laws for _university/laws.md
+# Jekyll access: site.data.laws
+# Format: YAML
+#
+# Legend:
+# name: name of law
+# pubdate: the year(YYYY) or full name of month and Year(M YYYY)
+# url: address on the document or site
+# target: options(_blank|_self) _blank = new browser window, _self = replace current page content
+# summary: description of the law
+# source: web address of website, name of site, governing orgainzation, or regulatory body
+# expanded: options(true|false) default is false, which means the accordion is closed in it's initial state
+#
+# See: Blank Law Template at the end of this file to create a new entry
+# General Rule: if the desired default display state of the accordion is `expanded`, set the expanded property to `true` (default is `false`) to keep the page condensed.
+# Note: default setting are listed last, not to get in the way of data entry
+
+# Laws
+- name: The Privacy Act of 1974
+ summary: This Act protects certain federal government records pertaining to individuals. In particular, the Act covers systems of records that an agency maintains and retrieves by an individual’s name or other personal identifier, such as a Social Security Number.
+ pubdate: 2018
+ url: https://www.govinfo.gov/content/pkg/USCODE-2018-title5/pdf/USCODE-2018-title5-partI-chap5-subchapII-sec552a.pdf
+ source: https://www.govinfo.gov
+ target: _blank
+ expanded: false
+ doctype: PDF
+
+- name: Federal Information Security Modernization Act (FISMA) of 2014
+ summary: This Act provides a framework for measuring the effectiveness of federal information systems, and it calls for the development and implementation of continuous monitoring oversight mechanisms. It also acknowledges federal agencies should take advantage of commercially available security products (including software, hardware, etc.) that often provide robust information security solutions.
+ pubdate: December 2014
+ url: http://www.gpo.gov/fdsys/pkg/PLAW-113publ283
+ source: http://www.gpo.gov
+ target: _blank
+ expanded: false
+ doctype: Website
+
+- name: E-Government Act of 2002
+ summary: This Act enhances the management and promotion of electronic federal services and processes by establishing a Federal CIO within the Office of Management and Budget (OMB) and by establishing a broad framework of measures that require using Internet-based information technology (IT) to enhance citizen access to government information and services and for other purposes.
+ pubdate: December 2002
+ url: https://www.gpo.gov/fdsys/pkg/PLAW-107publ347/html/PLAW-107publ347.htm
+ source: https://www.gpo.gov
+ target: _blank
+ expanded: false
+ doctype: Website
+
+- name: Electronic Signatures in Global and National (ESIGN) Commerce Act of 2000
+ summary: This Act facilitates the use of electronic records and electronic signatures in interstate and foreign commerce by ensuring the validity and legal effect of electronic contracts.
+ pubdate: June 2000
+ url: https://www.gpo.gov/fdsys/pkg/PLAW-106publ229/html/PLAW-106publ229.htm
+ source: https://www.gpo.gov
+ target: _blank
+ expanded: false
+ doctype: Website
+
+- name: Government Paperwork Elimination Act of 1998 (GPEA)
+ summary: This Act requires federal agencies to allow individuals or entities that deal with the agencies the option to submit information or transact with the agency electronically when possible and to maintain records electronically when possible. This Act specifically states that electronic records and their related electronic signatures cannot be denied legal effect, validity, or enforceability just because they are in electronic form. This Act also encourages federal government use of a range of electronic signature alternatives.
+ pubdate: October 1998
+ url: https://www.gpo.gov/fdsys/pkg/PLAW-105publ277/html/PLAW-105publ277.htm
+ source: https://www.gpo.gov
+ target: _blank
+ expanded: false
+ doctype: Website
+
+
+# Blank Law template for new content/data
+#- name:
+# summary:
+# pubdate:
+# url:
+# source:
+# target: _blank
+# expanded: false
+
diff --git a/_data/messagecenter.yml b/_data/messagecenter.yml
new file mode 100644
index 000000000..f575b1f82
--- /dev/null
+++ b/_data/messagecenter.yml
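Review bot: The FISMA entry is the only one in the file whose `url` and `source` are plain `http://` (`http://www.gpo.gov/fdsys/pkg/PLAW-113publ283`, `http://www.gpo.gov`); on a site whose subject is trust and PKI these should be `https://www.gpo.gov/...` like the sibling entries so the outbound link is not served over plaintext, and since the Privacy Act entry already uses govinfo.gov it is worth confirming the older fdsys paths still resolve. Every entry sets `target: _blank`; the template that renders these links is not in this hunk, so confirm it emits `rel="noopener noreferrer"` on them. The entries also carry a `doctype` field that neither the legend nor the blank template at the bottom mentions; add `# doctype: options(PDF|Website)` to the legend and `# doctype:` to the template, with a note on how the page uses it, so new entries keep it.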
@@ -0,0 +1,50 @@
+# GSA: IDManagement.gov
+# Description: Displays different types of messages in header of website to user, if more than one set, they rotate.
+# Messages for _include/message-center.html
+# Jekyll access: site.data.messagecenter.yml
+# Format: YAML
+# Note: To make a messge first, make it the first message in the yaml list below.
+#
+# Legend:
+# type: the type of message you want to display: options(info, warning, error, success)
+# heading: Bolded heading text for the message
+# content: The actual message you want to display
+# description:(not displayed) descriptive note for this message
+# displaytime: amount of time in milliseconds message displays if more than one message is set to display (default: 10000 = 10 sec)
+# active:(not displayed) if message is active = true, if not active false
+# date:(not displayed) date this message was posted
+# by:(not displayed) for record keeping of who posted message
+
+- type: info
+ heading: Info
+ content: Operational Status - Open, normal operations.
+ description: Information Message
+ displaytime: 10000
+ active: true
+ date: 04/04/2023
+
+- type: success
+ heading: Success
+ content: Successful operational Status - Open, normal operations.
+ description:
+ displaytime: 10000
+ active: true
+ date: 04/04/2023
+
+
+- type: warning
+ heading: Warning
+ content: Website is under development and content being updated.
+ description: Error Messag
+ displaytime: 10000
+ active: true
+ date: 04/04/2023
+
+
+- type: error
+ heading: Error
+ content: No errors reported.
+ description: Error message for site
+ displaytime: 10000
+ active: true
+ date: 04/04/2023
diff --git a/_data/mostviewed.yml b/_data/mostviewed.yml
new file mode 100644
index 000000000..d7e0abc9e
--- /dev/null
+++ b/_data/mostviewed.yml
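Review bot: The header comment `# Jekyll access: site.data.messagecenter.yml` is wrong: Jekyll exposes `_data/messagecenter.yml` as `site.data.messagecenter` (the extension is dropped), so a maintainer who copies that path into the include gets nil; change it to `# Jekyll access: site.data.messagecenter`. All four entries are `active: true`, including the placeholder `success` and `error` messages ("No errors reported.") and a warning that the site is under development, so by the file's own description every one of them will rotate in the production header; set `active: false` on the placeholders. The `content` value is rendered into the site header, and since the include is not in this hunk, confirm it escapes the field (`{{ message.content | escape }}`) so a future data edit cannot inject markup. Smaller points: the legend lists a `by:` field no entry has, the warning entry's `description: Error Messag` is a truncated copy of the error entry's note, and "messge" in the Note line is a typo.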
@@ -0,0 +1,45 @@
+# Most Viewed YAML
+# for Most viewed section on front page of IDManagement.gov
+# File: mostviewed.yml
+#
+# Legend:
+#
+# linktext: text to describe the page or resource
+# linkurl:
+#
+
+# The following links are required to be posted on the website for user access
+# These links were added to the home page during the Arch Redesign 2023
+
+- mvtext: GSA PKI Shared Service Provider Program Guide
+ mvurl: docs/roadmap-ficam.pdf
+
+- mvtext: Federal Zero Trust Strategy (M-22-09)
+ mvurl: https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf
+
+- mvtext: "Enabling Mission Delivery through Improved Identity, Credential, and Access"
+ mvurl: https://www.whitehouse.gov/wp-content/uploads/2019/05/M-19-17.pdf
+
+- mvtext: Managing Information as a Strategic Resource (OMB Circular A-130)
+ mvurl: https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf
+
+
+# Links below this level can change and be updated on a regular weekly basis
+# Top 5 page data from the GSA's Google Analytics is used to poulate this section.
+#
+# - mvtext: Most visited site 1
+# mvurl: #
+
+# - mvtext: Most visited site 2
+# mvurl: #
+
+# - mvtext: Most visited site 3
+# mvurl: #
+
+# - mvtext: Most visited site 4
+# mvurl: #
+
+# - mvtext: Most visited site 5
+# mvurl: #
+
+
diff --git a/_data/navigation.yml b/_data/navigation.yml
index 1755237db..110b3f184 100644
--- a/_data/navigation.yml
+++ b/_data/navigation.yml
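Review bot: The legend documents `linktext` and `linkurl`, but every entry uses `mvtext`/`mvurl`, so anyone adding a link from the legend will produce keys the include never reads; change the legend to `# mvtext: text to describe the page or resource` and `# mvurl: absolute path or full URL of the resource`. The first entry's `mvurl: docs/roadmap-ficam.pdf` is a relative path with no leading slash, so it resolves against whatever page includes the partial rather than the site root; use `/docs/roadmap-ficam.pdf` (or run it through `relative_url` in the template). That entry's text, "GSA PKI Shared Service Provider Program Guide", also does not obviously describe a file named roadmap-ficam.pdf, so the target is worth confirming. "poulate" in the trailing comment is a typo.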
@@ -1,45 +1,125 @@ -## Buy +## sidenav yaml +arch: + - text: FICAM Architecture + href: /arch/ + - text: Zero Trust Alignment + href: /zero-trust/ + - text: GSA ICAM Solutions and Shared Services Roadmap + href: /icamsolutions/ -buy: - - text: Acquisition Overview - href: /buy/ - - text: Trust Services - href: /buy/trust-services/ - - text: GSA ICAM Solutions and Shared Services - href: /buy/icamsolutions/ - - text: GSA PKI Shared Service Provider Program - href: /buy/gsapkissp/ - - text: FIPS 201 Approved Product List - PIV Cards - href: /approved-products-list-piv/ - - text: FIPS 201 Approved Product List - PACS - href: /approved-products-list-pacs-products/ - - text: FIPS 201 Removed Product list - href: /buy/removed-products-list/ - -## Sell - -sell: - - text: Vendor Overview - href: /sell/ +partners: + - text: Vendors + href: /vendors/ + - text: Acquisition Professionals + href: /acquisition-professionals/ + - text: Program Managers + href: /program-managers/ + - text: FIPS 201 - Approved Product List + href: /fips201/#approved-products---physical-access-control-systems # url updated to list everywhere? + - text: Phishing-Resistant Product Criteria + href: /phish-criteria/ + - text: Federal Workforce Identity Services + href: /trust-services/ + +implement: + - text: Introduction + href: /implement/ + - text: Enable Trust for the FCPCA + href: /implement/trust-fcpca/ + - text: Smart Card Logon For Windows Domains + href: /implement/scl-windows/ + - text: Smart Card Logon for MacOS + href: /implement/scl-macos/ + - text: Smart Card Logon for SSH + href: /implement/scl-ssh/ + - text: Smart Card Logon for Firefox + href: /implement/scl-firefox/ + - text: Windows Hello for Business on Azure AD + href: /implement/whfb/ + - text: Certificate-Based Authentication on Azure AD (Coming Soon!) 
+ href: '/' + - text: Sign and Encrypt Email in Outlook + href: /implement/outlook/ + - text: FPKI Ecosystem Changes + href: /fpki/notifications/ + - text: FPKI Test Environment + href: /implement/fpkicite/ + +functions: + - text: FICAM Program + href: /ficam/ + - text: Federal PKI Governance + href: /fpki/ - text: FIPS 201 Evaluation Program - href: /fips201/ - - text: FIPS 201 Announcements - href: /sell/fipsannouncements/ - -## Governance + href: /fips201ep/ + - text: GSA PKI Shared Service Provider Program + href: /pkissp/ + +university: + - text: Introduction + href: /university/ + - text: PKI 101 + href: /university/pki/ + - text: Federal PKI 101 + href: /university/fpki/ + - text: PACS 101 + href: /university/pacs/ + - text: PIV 101 + href: /university/piv/ + - text: PIV Interoperable 101 + href: /university/pivi/ + - text: ICAM PM 101 + href: /university/pm/ + # - text: ICAM Policy Matrix - Laws, Policies, and Standards + # href: /university/policy-matrix/ + - text: ICAM Policy Matrix - Laws, Policies, and Standards + href: /university/policymatrix/ + - text: ICAM Policy Matrix - Map + href: /university/policymap/ + +playbooks: + - text: Introduction + href: /playbooks/ + - text: Cloud Identity Playbook + href: /playbooks/cloud/ + - text: Digital Autopen Playbook + href: /playbooks/autopen/ + - text: Digital Identity Risk Assessment Playbook + href: /playbooks/dira/ + - text: Digital Worker Identity Playbook + href: /playbooks/dw/ + - text: Enterprise Single Sign-On Playbook + href: /playbooks/sso/ + - text: ICAM Governance Framework Version 1.0 + href: /docs/playbook-identity-governance-framework.pdf + - text: Identity Lifecycle Management Playbook + href: /playbooks/ilm/ + - text: Privileged Identity Playbook + href: /playbooks/pam/ + - text: Digitally Sign a Word Document + href: /playbooks/signword/ + - text: Digitally Sign a Federal Register Notice + href: /playbooks/signfedregister/ + - text: Windows Hello for Business Playbook + href: 
/playbooks/whfb/ -governance: - - text: Governance Overview - href: /governance/ - - text: FICAM Governance - href: /governance/ficam/ - - text: FPKI Policy and Compliance Audit - href: /governance/fpkiaudit/ - - text: FPKI Archived Documents - href: /governance/fpkiarchive/ - -## Main Site - +# Announcements moved to internal page see: /fpki/notifications/#fpki-announcements +# fpkiannouncements: +# - text: Back to FPKI Page +# href: /fpki/notifications +# - text: Public Trust TLS PKI CP +# href: /fpki/announcements/PT-TLS-CP/ +# - text: CPCT Tool Update +# href: /fpki/announcements/cpct-update101/ +# - text: FCPCA SIA LDAP Decommissioning (2022) ## Oct 2023 +# href: /fpki/announcements/ldap-removal/ +# - text: CPCT Tool Transition +# href: /fpki/announcements/cpct-transition/ +# - text: New Test Tools Available (2021) ## May 2024 +# href: /fpki/announcements/test-tools/ +# - text: Federal Common Policy CA G2 Update (2020) ## Oct 2023 +# href: /fpki/announcements/common-g2-update/ + policy: - text: Contact Us href: /contact-us/ diff --git a/_data/overlay_pam.yml b/_data/overlay_pam.yml new file mode 100644 index 000000000..d76c8258f --- /dev/null +++ b/_data/overlay_pam.yml @@ -0,0 +1,275 @@ +## Access Control +- + category: 'Access Control' + countermeasure: 'Dynamic Privilege Management' + control: 'AC-2(6)' + explanation: '
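Review bot: The `implement` entry `Certificate-Based Authentication on Azure AD (Coming Soon!)` has `href: '/'`, so it ships as a live sidenav link that silently sends readers to the home page; drop the entry until the page exists, or give it the intended path and let the template render the coming-soon state. The `partners` entry `FIPS 201 - Approved Product List` carries a leftover question comment, `# url updated to list everywhere?`, on an anchor (`/fips201/#approved-products---physical-access-control-systems`) that is narrower than its label suggests; resolve the question, confirm the anchor exists on the target page, and remove the comment. The `university` list also keeps a commented-out duplicate of the policy matrix entry, and the `fpkiannouncements` block is retained only as comments with a pointer to `/fpki/notifications/#fpki-announcements`, which is fine if that anchor is confirmed to exist.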
  • In contrast to access control approaches that employ static accounts and predefined user privileges, dynamic access control approaches rely on runtime access control decisions facilitated by dynamic privilege management, such as attribute-based access control. While user identities remain relatively constant over time, user privileges typically change more frequently based on ongoing mission or business requirements and the operational needs of organizations. An example of dynamic privilege management is the immediate revocation of privileges from users as opposed to requiring that users terminate and restart their sessions to reflect changes in privileges. Dynamic privilege management can also include mechanisms that change user privileges based on dynamic rules as opposed to editing specific user profiles. Examples include automatic adjustments of user privileges if they are operating out of their normal work times, if their job function or assignment changes, or if systems are under duress or in emergency situations. Dynamic privilege management includes the effects of privilege changes, for example, when there are changes to encryption keys used for communications.
' + resource: '
  • Applications
  • Web services
  • Network
  • Infrastructure
' +- + category: 'Access Control' + countermeasure: 'Privileged User Accounts' + control: 'AC-2(7)' + explanation: '
  • Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.
' + resource: '
  • Applications
  • Web services
  • Network
  • Infrastructure
' +- + category: 'Access Control' + countermeasure: 'Separation of Duties' + control: 'AC-5' + explanation: '
  • Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in AC-2, access control mechanisms in AC-3, and identity management activities in IA-2, IA-4, and IA-12.
' + resource: '
  • Applications and Web services
  • Network and Infrastructure
' +- + category: 'Access Control' + countermeasure: 'Least Privilege' + control: 'AC-6' + explanation: '
  • Organizations employ least privilege for specific duties and systems. The principle of least privilege is also applied to system processes, ensuring that the processes have access to systems and operate at privilege levels no higher than necessary to accomplish organizational missions or business functions. Organizations consider the creation of additional processes, roles, and accounts as necessary to achieve least privilege. Organizations apply least privilege to the development, implementation, and operation of organizational systems.
' + resource: '
  • Applications and Web services
  • Network and Infrastructure
' +- + category: 'Access Control' + countermeasure: 'Remote Access' + control: 'AC-17' + explanation: '
  • Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3. Enforcing access restrictions for remote access is addressed via AC-3.
' + resource: '
  • Applications and web services
  • Network and infrastructure
' + +## Literacy Training and Awareness +- + category: 'Awareness and Training' + countermeasure: 'Literacy training and awareness' + control: 'AT-2' + explanation: '
  • Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.
  • Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in AT-2a.1 is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
' + resource: '
  • Content and data
  • Applications and Web Services
  • Networks and Infrastructure
  • Facilities
' +- + category: 'Literacy and Training' + countermeasure: 'Role-based training' + control: 'AT-3' + explanation: 'Organizations determine the content of training based on the assigned roles and responsibilities of individuals as well as the security and privacy requirements of organizations and the systems to which personnel have authorized access, including technical training specifically tailored for assigned duties. Roles that may require role-based training include senior leaders or management officials (e.g., head of agency/chief executive officer, chief information officer, senior accountable official for risk management, senior agency information security officer, senior agency official for privacy), system owners; authorizing officials; system security officers; privacy officers; acquisition and procurement officials; enterprise architects; systems engineers; software developers; systems security engineers; privacy engineers; system, network, and database administrators; auditors; personnel conducting configuration management activities; personnel performing verification and validation activities; personnel with access to system-level software; control assessors; personnel with contingency planning and incident response duties; personnel with privacy management responsibilities; and personnel with access to personally identifiable information. Comprehensive role-based training addresses management, operational, and technical roles and responsibilities covering physical, personnel, and technical controls. Role-based training also includes policies, procedures, tools, methods, and artifacts for the security and privacy roles defined. Organizations provide the training necessary for individuals to fulfill their responsibilities related to operations and supply chain risk management within the context of organizational security and privacy programs. Role-based training also applies to contractors who provide Services to federal agencies. 
Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Updating role-based training on a regular basis helps to ensure that the content remains relevant and effective. Events that may precipitate an update to role-based training content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.' + resource: '
  • Content and data
  • Applications and Web Services
  • Networks and Infrastructure
  • Facilities
' + +## Audit and Accountability +- + category: 'Audit and Accountability' + countermeasure: 'Event Logging' + control: 'AU-2' + explanation: 'An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system. To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage. 
Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3.b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8), and SI-10(1). Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.' + resource: '
  • Applications and web services
  • Network and infrastructure
  • Facilities
' +- + category: 'Audit and Accountability' + countermeasure: 'Content of audit records' + control: 'AU-3' + explanation: 'Audit record content that may be necessary to support the auditing function includes event descriptions (item a), time stamps (item b), source and destination addresses (item c), user or process identifiers (items d and f), success or fail indications (item e), and filenames involved (items a, c, e, and f) . Event outcomes include indicators of event success or failure and event-specific results, such as the system security and privacy posture after the event occurred. Organizations consider how audit records can reveal information about individuals that may give rise to privacy risks and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the trail records inputs or is based on patterns or time of usage.' + resource: '
  • Applications and web services
  • Network and infrastructure
  • Facilities
'
+-
+ category: 'Audit and Accountability'
+ countermeasure: 'Audit record review, analysis, and reporting'
+ control: 'AU-6'
+ explanation: 'Audit record review, analysis, and reporting covers information security- and privacy-related logging performed by organizations, including logging that results from the monitoring of account usage, remote access, wireless connectivity, mobile device connection, configuration settings, system component inventory, use of maintenance tools and non-local maintenance, physical access, temperature and humidity, equipment delivery and removal, communications at system interfaces, and use of mobile code or Voice over Internet Protocol (VoIP). Findings can be reported to organizational entities that include the incident response team, help desk, and security or privacy offices. If organizations are prohibited from reviewing and analyzing audit records or unable to conduct such activities, the review or analysis may be carried out by other organizations granted such authority. The frequency, scope, and/or depth of the audit record review, analysis, and reporting may be adjusted to meet organizational needs based on new information received'
+ resource: '
  • Applications and web services
  • Network and infrastructure
  • Facilities
'
+-
+ category: 'Audit and Accountability'
+ countermeasure: 'Protection of audit information'
+ control: 'AU-9'
+ explanation: 'Audit information includes all information needed to successfully audit system activity, such as audit records, audit log settings, audit reports, and personally identifiable information. Audit logging tools are those programs and devices used to conduct system audit and logging activities. Protection of audit information focuses on technical protection and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by both media protection controls and physical and environmental protection controls.'
+ resource: '
  • Applications and web services
  • Network and infrastructure
  • Facilities
'
+
+## Configuration Management
+-
+ category: 'Configuration Management'
+ countermeasure: 'Develop and configuration baselines for information systems'
+ control: 'CM-2'
+ explanation: 'By establishing baseline configurations for information systems and their components, an agency can help prevent privileged users from incorrectly assuming a role in altering the information system. Even though baseline configurations must change over time to reflect the current enterprise architecture, this countermeasure centralizes information about the information system components and network topology. This centralization can delineate parameters around the role of privileged users to provide guidance on configurations management so the system performs as intended. Documenting the configurations of all assets allows the agency to audit for anomalies, possible signs of insider activity from the privileged users in relevant roles.'
+ resource: '
  • Applications and web services
  • Network and infrastructure
'
+-
+ category: 'Configuration Management'
+ countermeasure: 'Change configuration baselines in a secure, systematic manner'
+ control: 'CM-3'
+ explanation: 'Unwanted changes to configuration baselines can create severe vulnerabilities for information system components. An agency should use Configuration Change Boards to approve major changes to the baseline configuration to reflect the current enterprise architecture. Since this is a privileged function, changes should be conducted by a group of people to maintain accountability and avoid abuse by one individual. An agency should have a clearly defined system of proposal, justification, implementation, testing, review, and disposition for system upgrades and modifications.'
+ resource: '
  • Applications and web services
  • Network and infrastructure
'
+-
+ category: 'Configuration Management'
+ countermeasure: 'Appropriately restrict privileged users ability to modify information systems'
+ control: 'CM-5'
+ explanation: 'An agency should limit the privileges for modifying the hardware and software or firmware components of an information system because these changes have such a significant impact on the security of protected resources. The individuals who perform these duties are privileged users because of these changes require elevated access. An agency should maintain access records to confirm these privileged users appropriately carry out their duties. In addition, an agency can institute processes like dual authorization and code authentication for installed components to restrict the privileged users ability to misuse or abuse their trusted position of modifying the information system.'
+ resource: '
  • Applications and web services
  • Network and infrastructure
  • Facilities
'
+-
+ category: 'Configuration Management'
+ countermeasure: 'Establish, document, and monitor configuration settings'
+ control: 'CM-6'
+ explanation: 'Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system. Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors. 
Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB] and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings'
+ resource: '
  • Applications and web services
  • Network and infrastructure
'
+-
+ category: 'Configuration Management'
+ countermeasure: 'Ensure information system components are fitted for least functionality'
+ control: 'CM-7'
+ explanation: 'By limiting functionality of information system components to only those that are necessary, an agency can protect the enterprise against unwanted data exfiltration by employees. For example, physical or logical ports, fire-sharing capabilities, or instant messaging can be disabled when the component does not require its use or is not necessary to support essential organizational missions, functions, or operations. An agency can employ blacklisting (list of unwanted software) or whitelisting (list of authorized software) to further inhibit unwanted actions. Implementing these controls allows the agency an extra layer of protection against abuse or misuse of its systems by privileged users, as well as standards users.'
+ resource: '
  • Applications and web services
  • Network and infrastructure
'
+-
+ category: 'Configuration Management'
+ countermeasure: 'Create a centralized inventory of information system components'
+ control: 'CM-8'
+ explanation: 'System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location. Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. 
Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components.'
+ resource: '
  • Applications and web services
  • Network and infrastructure
'
+
+## Contingency Planning
+-
+ category: 'Contingency Planning'
+ countermeasure: 'Explanation Relevant Protected Resources Use an alternate storage site'
+ control: 'CP-6'
+ explanation: 'An alternative storage site for information system backup information, geographically distinct from the primary site, increases complexity for a malicious privileged user to purposefully inflict damage on an agency. By housing information in two or more distinct places, an individual would have to destroy or modify the information housed in both sites to permanently cripple the information systems backup capabilities. An agency should carefully monitor and implement stringent processes for the privileged users who have access to both sites content and data.'
+ resource: '
  • Applications and web services
  • Network and infrastructure
'
+-
+ category: 'Contingency Planning'
+ countermeasure: 'System Backup'
+ control: 'CP-9'
+ explanation: 'System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8. System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.'
+ resource: '
  • Applications and web services
  • Network and infrastructure
'
+-
+ category: 'Contingency Planning'
+ countermeasure: 'System recovery and reconstitution'
+ control: 'CP-10'
+ explanation: 'Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.'
+ resource: '
  • Applications and web services
  • Network and infrastructure
'
+
+## Identification and Authentication
+-
+ category: 'Identification and Authentication'
+ countermeasure: 'Require the use of PIV credential or Multi-Factor Authentication'
+ control: 'IA-2'
+ explanation: 'All agencies should be leveraging PIV card credentials for employee access to physical and logical resources per HSPD-12 and alignment with the ICAM target state. Information systems need to uniquely identify and authenticate its users to maintain security. However, to manage privileged users, an agency could require an additional layer of authentication, in addition to the standard multifactor authentication used for local and network access. Namely, an agency should consider implementing unique identification of individuals using shared privileged accounts and detailed accountability of individual privileged user activity.'
+ resource: '
  • Applications and web services
  • Network and infrastructure
  • Facilities
'
+
+## Incident Response
+-
+ category: 'Incident Response'
+ countermeasure: 'Develop and implement incident handling capability commensurate to inherent risk of privileged user abuse'
+ control: 'IR-4'
+ explanation: 'Organizations recognize that incident response capabilities are dependent on the capabilities of organizational systems and the mission and business processes being supported by those systems. Organizations consider incident response as part of the definition, design, and development of mission and business processes and systems. Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events. An effective incident handling capability includes coordination among many organizational entities (e.g., mission or business owners, system owners, authorizing officials, human resources offices, physical security offices, personnel security offices, legal departments, risk executive [function], operations personnel, procurement offices). Suspected security incidents include the receipt of suspicious email communications that can contain malicious code. Suspected supply chain incidents include the insertion of counterfeit hardware or malicious code into organizational systems or system components. For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in unauthorized disclosure, the loss of control, unauthorized acquisition, compromise, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes.'
+ resource: '
  • Content and data
  • Applications and web services
  • Network and infrastructure
  • Facilities
'
+-
+ category: 'Incident Response'
+ countermeasure: 'Information spillage response plan'
+ control: 'IR-9'
+ explanation: 'Information spillage refers to instances where information is placed on systems that are not authorized to process such information. Information spills occur when information that is thought to be a certain classification or impact level is transmitted to a system and subsequently is determined to be of a higher classification or impact level. At that point, corrective action is required. The nature of the response is based on the classification or impact level of the spilled information, the security capabilities of the system, the specific nature of the contaminated storage media, and the access authorizations of individuals with authorized access to the contaminated system. The methods used to communicate information about the spill after the fact do not involve methods directly associated with the actual spill to minimize the risk of further spreading the contamination before such contamination is isolated and eradicate.'
+ resource: '
  • Content and data
'
+
+## Maintenance
+-
+ category: 'Maintenance'
+ countermeasure: 'Exercise strict supervision and access procedures for maintenance personnel'
+ control: 'MA-5'
+ explanation: 'Maintenance personnel can be considered privileged users due to their trusted position with information systems and the extraordinary access granted to them. Software and hardware require maintenance often on short notice. As such, an agency might have to bring in individuals not previously identified as authorized maintenance personnel. An agency should maintain a list of individuals authorized to carry out this type of maintenance. For those individuals who are not escorted throughout the facility, the agency should verify these maintenance personnel have the necessary and required authorizations. For those individuals who do not possess required authorizations and must be escorted, supervisory personnel must possess the technical expertise to oversee the maintenance activities. This measure can detect or deter harmful activity on the part of the maintenance personnel. Temporary credentials (e.g., visitor badge, password) granted to maintenance personnel must be terminated as soon as maintenance concludes.'
+ resource: '
  • Applications and web services
  • Network and infrastructure
  • Facilities
'
+
+## Media Protection
+-
+ category: 'Media Protection'
+ countermeasure: 'Restrict media use for privileged users'
+ control: 'MP-7'
+ explanation: 'System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to MP-2, which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.'
+ resource: '
  • Content and data
  • Networks and infrastructure
'
+
+## Personnel Security
+-
+ category: 'Personnel Security'
+ countermeasure: 'Develop, document, and disseminate clear policies on personnel security'
+ control: 'PS-1'
+ explanation: 'An agency should monitor employees with elevated access beginning with the hiring process. In managing components of a workforce, clearly documented personnel policies are important. The privileged user should be aware of all facets of the agencys duties and abilities to determine access rights for, adjust responsibilities of, and monitor its privileged user population. This not only provides legal protection for the agency, but the ramifications of misuse or abuse serve as a deterrent to unwanted behavior by privileged users.'
+ resource: '
  • Content and data
  • Applications and web services
  • Networks and infrastructure
  • Facilities
'
+-
+ category: 'Personnel Security'
+ countermeasure: 'Position risk designation'
+ control: 'PS-2'
+ explanation: 'Position risk designations reflect Office of Personnel Management (OPM) policy and guidance. Proper position designation is the foundation of an effective and consistent suitability and personnel security program. The Position Designation System (PDS) assesses the duties and responsibilities of a position to determine the degree of potential damage to the efficiency or integrity of the service due to misconduct of an incumbent of a position and establishes the risk level of that position. The PDS assessment also determines if the duties and responsibilities of the position present the potential for position incumbents to bring about a material adverse effect on national security and the degree of that potential effect, which establishes the sensitivity level of a position. The results of the assessment determine what level of investigation is conducted for a position. Risk designations can guide and inform the types of authorizations that individuals receive when accessing organizational information and information systems. Position screening criteria include explicit information security role appointment requirements. Parts 1400 and 731 of Title 5, Code of Federal Regulations, establish the requirements for organizations to evaluate relevant covered positions for a position sensitivity and position risk designation commensurate with the duties and responsibilities of those positions.'
+ resource: '
  • Content and data
  • Applications and web services
  • Networks and infrastructure
  • Facilities
'
+-
+ category: 'Personnel Security'
+ countermeasure: 'Screen privileged users based on type of risk designation'
+ control: 'PS-3'
+ explanation: 'Personnel screening criteria hinge on an individual’s risk designation. However, an agency is free to define different screening conditions and frequencies based on the information processed, stored, or transmitted by information systems. If a user has elevated access to manage a critical information system, an agency can enforce stricter screening procedures. Screening involves coordination with personnel security (e.g., background investigation status, reinvestigation).'
+ resource: '
  • Content and data
  • Applications and web services
  • Networks and infrastructure
  • Facilities
'
+-
+ category: 'Personnel Security'
+ countermeasure: 'Follow secure and comprehensive personnel termination procedures'
+ control: 'PS-4'
+ explanation: 'Termination procedures are especially important if the departing employee had been granted elevated access, because a disgruntled, privileged user poses an even greater risk to an agencys protected resources than a disgruntled user with standard access. When terminating an employee, the agency should:
  • Immediately terminate the employees physical and logical access (i.e., PIV card, keys, system administration manuals), especially if the termination occurred under unfavorable circumstances, to prevent unwanted access to protected resources once termination is finalized.
  • Notify security personnel and the departing employees colleagues of the departure, so these individuals do not assist the departed employee in accessing the protected resources because of their familiarity.
Definition can be found in 5 C.F.R. 731.106.'
+ resource: '
  • Content and data
  • Applications and web services
  • Networks and infrastructure
  • Facilities
'
+-
+ category: 'Personnel Security'
+ countermeasure: 'Continuously evaluate authorizations granted to the privileged user population'
+ control: 'PS-5'
+ explanation: 'If a privileged user transfers to a different department within the agency, the individual might be granted additional physical and logical access associated with new job duties. Failing to terminate privileges from an individual’s prior assignment risks inadvertently empowering the privileged user with a greater collection of authorizations than is explicitly needed. Maintaining access authorizations in line with Human Resources records is critical to mitigating the threat a privileged user can pose to an agency. An agency should conduct continuous evaluation on its privileged users to confirm these individuals have an ongoing operational need for their privileges.'
+ resource: '
  • Content and data
  • Applications and web services
  • Networks and infrastructure
  • Facilities
'
+-
+ category: 'Personnel Security'
+ countermeasure: 'Confirm employees sign access agreements prior to granting them access'
+ control: 'PS-6'
+ explanation: 'Prior to granting access, an agency should develop, distribute, and document signed access agreements for employees who use agency information systems. Through non-disclosure agreements, acceptable use agreements, and rules of behavior agreements an agency can hold its employees accountable. An agency should consider tailoring these agreements to privileged users where necessary, as the nature of their access is very different than that of standard users.'
+ resource: '
  • Content and data
  • Applications and web services
  • Networks and infrastructure
  • Facilities
'
+-
+ category: 'Personnel Security'
+ countermeasure: 'Institute a formal personnel sanctions process'
+ control: 'PS-8'
+ explanation: 'Access agreements should explain the ramifications of employees violating the terms of agreement, including any personnel sanctions involved. By instituting a formal sanctions process the agency can protect its resources from privileged users who exhibit tendencies towards unwanted behavior.'
+ resource: '
  • Content and data
  • Applications and web services
  • Networks and infrastructure
  • Facilities
'
+
+## Physical and Environmental Protection
+-
+ category: 'Physical and Environmental Protection'
+ countermeasure: 'Monitor physical access of privileged users'
+ control: 'PE-6'
+ explanation: 'Monitoring physical access is fundamental to conducting continuous evaluation activities, which determine on an ongoing basis that all users, including privileged users, are granted the proper access to the protected resources their job roles require. Continuous evaluation is a central component to privileged user management, as the scope of these individuals elevated access should be constantly validated because of the inherent risk of harm to protected resources. If an organization’s physical access monitoring detects suspicious activity, like access for unusual lengths of time, the user could present an insider threat. Robust physical monitoring capabilities serve as a deterrent to malicious insider activity.'
+ resource: '
  • Networks and infrastructure
  • Facilities
'
+
+## Planning
+-
+ category: 'Planning'
+ countermeasure: 'Resources Rules of behavior'
+ control: 'PL-4'
+ explanation: 'Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8. The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b, the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgments for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.'
+ resource: '
  • Content and data
  • Applications and web services
  • Networks and infrastructure
  • Facilities
'
+-
+ category: 'Risk Assessment'
+ countermeasure: 'Risk Assessment'
+ control: 'RA-3'
+ explanation: '
  • Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities.
  • Organizations can conduct risk assessments at all three levels in the risk management hierarchy (i.e., organization level, mission/business process level, or information system level) and at any stage in the system development life cycle.
  • Risk assessments can also be conducted at various steps in the Risk Management Framework, including preparation, categorization, control selection, control implementation, control assessment, authorization, and control monitoring. Risk assessment is an ongoing activity carried out throughout the system development life cycle. Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Risk assessments can play an important role in control selection processes, particularly during the application of tailoring guidance and in the earliest phases of capability determination.
'
+ resource: '
  • Content and data
  • Applications and web services
  • Networks and infrastructure
  • Facilities
'
+-
+ category: 'Security Assessment and Authorization'
+ countermeasure: 'Information Exchange'
+ control: 'CA-3'
+ explanation: 'System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in CA-6(1) or CA-6(2), may help to communicate and reduce risk. Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. 
how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks.' + resource: '
  • Network and infrastructure
' +- + category: 'System and Communications Protection' + countermeasure: 'Boundary protection' + control: 'SC-7' + explanation: 'Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Sub-networks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. [SP 800-189] provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).' + resource: '
  • Network and infrastructure
' +- + category: 'System and Communications Protection' + countermeasure: 'Protection of Information at Rest' + control: 'SC-28' + explanation: 'An agency should implement measures to protect the confidentiality and integrity of system and user information while located on storage devices. This information can be protected through cryptographic means, file sharing scanning, etc. Since privileged users job functions may entail performing administrative and security related functions on this information, enhanced protection increases an agency’s privileged user management capabilities.' + resource: '
  • Content and data
  • Network and infrastructure
' +- + category: 'System and Information Integrity' + countermeasure: 'System Monitoring' + control: 'SI-4' + explanation: 'System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software. Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. 
System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.' + resource: '
  • Network and infrastructure
' +- + category: 'System and Services Acquisition' + countermeasure: 'system development life cycle' + control: 'SA-3' + explanation: 'A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities. The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. 
Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle.' + resource: '
  • Applications and web services
  • Network and infrastructure
' +- + category: 'System and Services Acquisition' + countermeasure: 'System Documentation' + control: 'SA-5' + explanation: 'System documentation helps personnel understand the implementation and operation of controls. Organizations consider establishing specific measures to determine the quality and completeness of the content provided. System documentation may be used to support the management of supply chain risk, incident response, and other functions. Personnel or roles that require documentation include system owners, system security officers, and system administrators. Attempts to obtain documentation include contacting manufacturers or suppliers and conducting web-based searches. The inability to obtain documentation may occur due to the age of the system or component or the lack of support from developers and contractors. When documentation cannot be obtained, organizations may need to recreate the documentation if it is essential to the implementation or operation of the controls. The protection provided for the documentation is commensurate with the security category or classification of the system. Documentation that addresses system vulnerabilities may require an increased level of protection. Secure operation of the system includes initially starting the system and resuming secure system operation after a lapse in system operation.' + resource: '
  • Applications and web services
  • Network and infrastructure
' +- + category: 'System and Services Acquisition' + countermeasure: 'Developer security and privacy architecture and design' + control: 'SA-17' + explanation: 'Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, PL-8 is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and PL-8 is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. [ISO 15408-2], [ISO 15408-3], and [SP 800-160-1] provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing.' + resource: '
  • Network and infrastructure
' diff --git a/_data/playbooks.yml b/_data/playbooks.yml new file mode 100644 index 000000000..ff2f85938 --- /dev/null +++ b/_data/playbooks.yml @@ -0,0 +1,113 @@ +# The 11 FICAM Playbooks +# 
From: https://playbooks.idmanagement.gov/playbooks/ +# Date: 04/18/2023 +# Data used on site's front page, lower half titled Playbooks. + +# This file drives the Playbooks listing on the PoC IDManagement.gov front page lower half. +# - 05-15--2023: Added the 'header' property for the header graphic for each playbook. +# +# +# title: name of the playbook +# type: type of data the playbook is presented example: PDF, Markdown, HTML, Word Document +# description: description of the playbook +# url: internal url to playbook +# header: internal url to a graphic assect to serve as a header graphic +# target: _self (replaces page), _blank (opens in a new window) +# external: yes or no, if yes: logic uses full url of this property, if no: uses internal relative url to domain name +# Note: If external, the 'header' graphic will still expect a relative path to a graphic located in the assets folder +# + +- title: Cloud Identity Playbook + type: Webpage + pubdate: 2022-12 + description: The Cloud Identity Playbook is a four-step playbook to start or further expand the use of Workforce ICAM Services delivered in a cloud operating model. + url: "/playbooks/cloud/" + header: "/assets/playbooks/headers/playbook_04.png" + target: _self + +- title: Digital Autopen Playbook + type: Webpage + pubdate: 2023-03 + description: This playbook outlines the process for an agency to implement a Digital Autopen for Federal Register documents. + url: "/playbooks/autopen/" + header: "/assets/playbooks/headers/playbook_02.png" + target: _self + +- title: Digital Identity Risk Assessment Playbook + type: Webpage + pubdate: 2020-09 + description: The Digital Identity Risk Assessment playbook is a six-step playbook for completing a digital identity risk assessment as described in OMB Memo 19-17 and NIST Special Publication 800-63-3. 
+ url: "/playbooks/dira/" + header: "/assets/playbooks/headers/playbook_03.png" + target: _self + +- title: Digital Worker Identity Playbook + type: Webpage + pubdate: 2022-12 + description: The Digital Worker Identity Playbook is a practical guide for managing digital worker identities. + url: "/playbooks/dw/" + header: "/assets/playbooks/headers/playbook_05.png" + target: _self + +- title: Enterprise Single Sign-On Playbook + type: Webpage + pubdate: 2021-11 + description: The Enterprise SSO Playbook is a five-step playbook to aid agencies in planning an SSO or Identity Federation service. + url: "/playbooks/sso/" + header: "/assets/playbooks/headers/playbook_09.png" + target: _self + +- title: ICAM Governance Framework Version 1.0 + type: PDF + pubdate: 2021-09 + description: The ICAM Governance Framework is a tool to help agencies build and improve agency ICAM governance structures, processes, and policies. + url: "/docs/playbook-identity-governance-framework.pdf" + header: "/assets/playbooks/headers/playbook_07.png" + target: _self + +- title: Identity Lifecycle Management Playbook + type: Webpage + pubdate: 2022-12 + description: This playbook can aid agencies in understanding how to shift the focus from managing the lifecycle of credentials to the lifecycle of identities outlined in section III of OMB Memo 19-17. + url: "/playbooks/ilm/" + header: "/assets/playbooks/headers/playbook_08.png" + target: _self + +- title: Privileged Identity Playbook + type: Webpage + pubdate: 2022-12 + description: This Playbook provides federal agencies with best practices in managing its privileged user population. + url: "/playbooks/pam/" + header: "/assets/playbooks/headers/playbook_11.png" + target: _self + +- title: Digitally Sign a Word Document + type: Webpage + pubdate: 2018-03 + description: This playbook will walk you through the steps for digitally signing a Microsoft Word document with your PIV credential or similar digital certificate. 
+ url: "/playbooks/signword/" + header: "/assets/playbooks/headers/playbook_01.png" + target: _self + +- title: Digitally Sign a Federal Register Document + type: Webpage + pubdate: 2022-08 + description: This playbook will walk you through the procedures for digitally signing a Microsoft Word document for submission to the Office of the Federal Register using your PIV credential or similar digital certificate. + url: "/playbooks/signfedregister/" + header: "/assets/playbooks/headers/playbook_06.png" + target: _self + +- title: Windows Hello for Business Playbook + type: Webpage + pubdate: 2022-12 + description: Windows Hello for Business (WHfB) is a playbook to guide administrators through planning, configuring, testing, and implemention. + url: "/playbooks/whfb/" + header: "/assets/playbooks/headers/playbook_05.png" + target: _self + +# Removed because it has a status of archived +# - title: Federal Identity, Credential, and Access Management Roadmap Version 2.0 (Archived) +# type: PDF +# pubdate: 2011-12 +# description: "The FICAM Roadmap contains processes, procedures, and considerations for planning and managing identity, credential, and access management programs. Note: This document has been superseded by the FICAM Architecture." +# url: "docs/roadmap-ficam.pdf" diff --git a/_data/policies.yml b/_data/policies.yml new file mode 100644 index 000000000..0dd96b1bc --- /dev/null +++ b/_data/policies.yml 
@@ -0,0 +1,154 @@ +# GSA: IDManagement.gov +# Polices for _university/policies.md +# Jekyll access: site.data.policies +# Format: YAML +# +# Legend: +# name: name of policy +# pubdate: the year(YYYY) or full name of month and Year(M YYYY) +# url: address on the document or site +# target: options(_blank|_self) _blank = new browser window, _self = replace current page content +# summary: description of the policy +# source: web address of website, name of site, governing orgainzation, or regulatory body +# expanded: options(true|false) default is false, which means the accordion is closed in it's initial state +# +# See: Blank Policy Template at the end of this file to create a new entry +# General Rule: if the desired default display state of the accordion is `expanded`, set the expanded property to `true` (default is `false`) to keep the page condensed. +# Note: default setting are listed last, not to get in the way of data entry +# + +- name: "Office of Personnel Management Memorandum: Temporary Procedures for Personnel Vetting and Appointment of New Employees during Maximum Telework Period due to Coronavirus COVID-19." + summary: This memorandum sets forth _temporary procedures_ for the vetting and appointment of federal personnel, collection of biometrics for federal employment, and employment authorization and eligibility. + pubdate: March 2020 + url: https://www.opm.gov/policy-data-oversight/covid-19/temporary-procedures-for-personnel-vetting-and-appointment-of-new-employees-during-maximum-telework-period-due-to-coronavirus-covid-19/ + source: Office of Personnel Management Memorandum + target: _blank + expanded: false + doctype: Website + +- name: "M 20-19: Harnessing Technology to Support Mission Continuity" + summary: This memorandum directs that agencies utilize technology to the greatest extent practicable to support mission continuity during the national emergency. 
By aggressively embracing technology to support business processes, the federal government is better positioned to maintain the safety and well-being of the federal workforce and the American public while supporting the continued delivery of vital mission services. The set of _frequently asked questions_ are intended to provide additional guidance and further assist the IT workforce as it addresses impacts. + pubdate: March 2020 + url: https://www.whitehouse.gov/wp-content/uploads/2020/03/M-20-19.pdf + source: The Whitehouse + target: _blank + expanded: false + doctype: PDF + +- name: "M-19-17: Enabling Mission Delivery through Improved Identity, Credential, and Access Management (ICAM)" + summary: This memorandum sets forth the federal government’s ICAM policy. To ensure secure and efficient operations, agencies of the federal government must be able to identify, credential, monitor, and manage subjects that access federal resources. This includes information, information systems, facilities, and secured areas across their respective enterprises. In particular, how agencies conduct identity proofing, establish enterprise digital identities, and adopt sound processes for authentication and access control significantly affects the security and delivery of their services as well as individuals’ privacy. + pubdate: May 2019 + url: https://www.whitehouse.gov/wp-content/uploads/2019/05/M-19-17.pdf + source: The Whitehouse + target: _blank + expanded: false + doctype: PDF + +- name: "M-19-03: Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset (HVA) Program" + summary: "With the creation of the HVA initiative in 2015, the federal government's CFO Act agencies took a pivotal step toward the identification of its most critical assets. DHS, in coordination with OMB, established a capability to assess agency HVAs, resulting in the identification of critical areas of weakness and plans to remediate those areas of weakness. 
It established three possible categories for designating federal information or a federal information system as an HVA: Informational Value, Mission Essential, or Federal Civilian Enterprise Essential (FCEE). It also updates the required approach for agencies to report, assess, and remediate HVAs to protect against cyberattacks." + pubdate: December 2018 + url: https://www.whitehouse.gov/wp-content/uploads/2018/12/M-19-03.pdf + source: The Whitehouse + target: _blank + expanded: false + doctype: PDF + +- name: "Executive Order 13833: Enhancing the Effectiveness of Agency Chief Information Officers (CIOs)" + summary: This executive order authorizes federal agency CIOs to ensure that agency IT systems are as modern, secure, and well-managed as possible to reduce costs, mitigate cybersecurity risks, and deliver improved services to the American people. + pubdate: May 2018 + url: https://www.federalregister.gov/documents/2018/05/18/2018-10855/enhancing-the-effectiveness-of-agency-chief-information-officers + source: https://www.federalregister.gov + target: _blank + expanded: false + doctype: Website + +- name: "Executive Order 13800: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure" + summary: This executive order places an emphasis on modernizing and securing federal networks and critical infrastructure from the ever-growing threat of cyberattacks. + pubdate: May 2017 + url: https://www.federalregister.gov/documents/2017/05/16/2017-10004/strengthening-the-cybersecurity-of-federal-networks-and-critical-infrastructure + source: Federal Register + target: _blank + expanded: false + doctype: Website + +- name: OMB Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act + summary: This circular describes agency responsibilities for implementing the review, reporting, and publication requirements of the Privacy Act of 1974 and related OMB policies. 
+ pubdate: December 2016 + url: https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A108/omb_circular_a-108.pdf?msclkid=45a0e506c7f611ecad177ad1de1c33fa + source: The Whitehouse + target: _blank + expanded: false + doctype: Website + +- name: "Circular A-130: Managing Federal Information as a Strategic Resource" + summary: Information and IT resources are critical to the U.S. social, political, and economic well-being. They enable the federal government to provide quality services to citizens, generate and disseminate knowledge, and facilitate greater productivity and advancement as a nation. It is important for the federal government to maximize the quality and security of federal information systems and to develop and implement uniform and consistent information resources management policies in order to inform the public and improve the productivity, efficiency, and effectiveness of agency programs. Additionally, as technology evolves, it is important that agencies manage information systems in a way that addresses and mitigates security and privacy risks associated with new IT resources and new information processing capabilities. 
+ pubdate: July 2016 + url: https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf?msclkid=b1259175c7f211ec8144311a36ca5067 + source: The Whitehouse Archives + target: _blank + expanded: false + doctype: Website + +- name: "M-16-17: OMB Circular A-123: Management's Responsibility for Enterprise Risk Management (ERM) and Internal Control" + summary: The policy changes in this circular modernize existing efforts by requiring agencies to implement an ERM capability coordinated with the strategic planning and strategic review process established by the Government Performance and Results Act Modernization Act (GPRAMA) and the internal control processes required by the Federal Managers' Financial Integrity Act (FMFIA) and the Government Accountability Office (GAO)'s Green Book. This integrated governance structure will improve mission delivery, reduce costs, and focus corrective actions toward key risks. + pubdate: July 2016 + url: https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2016/m-16-17.pdf?msclkid=89a7abddc7f811ec9e7f926ad72d3be3 + source: The Whitehouse Archives + target: _blank + expanded: false + doctype: Website + +- name: "M-15-13: Policy to Require Secure Connections Across Federal Websites and Web Services" + summary: OMB M-15-13 calls for all publicly accessible Federal websites and web services to only provide service through a secure connection (Hypertext Transfer Protocol Secure; HTTPS) and to use <a href="https://https.cio.gov/hsts/" target="_blank" rel="noopener noreferrer">HTTP Strict Transport Security (HSTS)</a> to ensure this. The requirement applies to all public domains and subdomains operated by the federal government, regardless of the domain suffix, as long as they are reachable over HTTP/HTTPS on the public internet. 
The <a href="https://https.cio.gov/guide/#are-federally-operated-certificate-revocation-services-crl-ocsp-also-required-to-move-to-https" target="_blank" rel="noopener noreferrer">Compliance Guide":" HTTPS-Only Standard</a> provides implementation guidance from the White House Office of Management and Budget for agencies as they manage their transition to HTTPS. + pubdate: June 2015 + url: https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf + source: The Whitehouse Archives + target: _blank + expanded: false + doctype: PDF + +- name: "Executive Order 13681: Improving the Security of Consumer Financial Transactions" + summary: This executive order requires agencies to strengthen the security of consumer data and encourage the adoption of enhanced safeguards nationwide in a manner that protects privacy and confidentiality while maintaining an efficient and innovative financial system. + pubdate: October 2014 + url: https://www.gpo.gov/fdsys/pkg/FR-2014-10-23/pdf/2014-25439.pdf + source: https://www.gpo.gov + target: _blank + expanded: false + doctype: PDF + +- name: Final Credentialing Standards for Issuing Personal Identity Verification (PIV) Cards under HSPD-12 + summary: This memorandum provides final government-wide credentialing standards to be used by all federal departments and agencies in determining whether to issue or revoke PIV credentials to their employees and contractor personnel, including those who are non-United States citizens. + pubdate: July 2008 + url: https://www.opm.gov/investigations/suitability-executive-agent/policy/final-credentialing-standards.pdf + source: https://www.opm.gov + target: _blank + expanded: false + doctype: PDF + +- name: "M-05-24: Implementation of HSPD-12 Policy for a Common Identification Standard for Federal Employees and Contractors" + summary: This memorandum provides implementation instructions for HSPD-12 and Federal Information Processing Standards (FIPS) 201. 
+ pubdate: August 2005 + url: https://georgewbush-whitehouse.archives.gov/omb/memoranda/fy2005/m05-24.pdf?msclkid=c536f001c7f811ecaed4fea27a3c8d47 + source: The Whitehouse Archives + target: _blank + expanded: false + doctype: Website + +- name: "HSPD-12: Policy for a Common Identification Standard for Federal Employees and Contractors" + summary: HSPD-12 calls for a mandatory, government-wide standard for secure and reliable forms of identification issued by the federal government to its employees and employees of federal contractors for access to federally controlled facilities and networks. + pubdate: August 2004 + url: http://www.dhs.gov/homeland-security-presidential-directive-12 + source: http://www.dhs.gov + target: _blank + expanded: false + doctype: Website + +# Policies Blank Template +# - name: +# summary: +# pubdate: +# url: +# source: +# target: _blank +# expanded: false +# doctype: PDF \ No newline at end of file diff --git a/_data/resources.yml b/_data/resources.yml new file mode 100644 index 000000000..ac3e254df --- /dev/null +++ b/_data/resources.yml 
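Review bot: Four `url` values (OMB Circular A-108, A-130, M-16-17 and M-05-24) carry a `?msclkid=…` query string, which is a Bing click-tracking parameter pasted from a search result rather than part of the document address; it should be stripped so the site does not hand a tracking token to every visitor who follows the link. The HSPD-12 entry links over plain HTTP to `http://www.dhs.gov/homeland-security-presidential-directive-12` on a page that itself lists the M-15-13 HTTPS-only requirement; change it to `url: https://www.dhs.gov/homeland-security-presidential-directive-12`. The same four `.pdf` URLs are tagged `doctype: Website` while the other PDF entries use `doctype: PDF`, and `doctype` is not described in the legend at all. The M-15-13 summary contains raw `<a href=…>` markup, so whichever template renders `summary` must be emitting it unescaped — worth a legend note such as `# summary: description of the policy (rendered as trusted HTML; never paste untrusted text here)` — and the fragment `Compliance Guide":" HTTPS-Only Standard` in that summary is garbled.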
@@ -0,0 +1,91 @@
+# GSA: IDManagement.gov
+# Polices for _university/resources.md
+# Jekyll access: site.data.resources
+# Format: YAML
+#
+# Legend:
+# name: name of resource
+# pubdate: the year(YYYY) or full name of month and Year(M YYYY)
+# url: address on the document or site
+# target: options(_blank|_self) _blank = new browser window, _self = replace current page content
+# summary: description of the additional resource
+# source: web address of website, name of site, governing orgainzation, or regulatory body
+# expanded: options(true|false) default is false, which means the accordion is closed in it's initial state
+#
+# See: Blank Resource Template at the end of this file to create a new entry
+# General Rule: if the desired default display state of the accordion is `expanded`, set the expanded property to `true` (default is `false`) to keep the page condensed.
+# Note: default setting are listed last, not to get in the way of data entry
+#
+
+- name: "NIST FISMA Implementation Project: Risk Management Framework Overview"
+ summary: The selection and specification of security controls for a system is accomplished as part of an organization-wide information security program that involves the management of organizational risk (that is, the risk to the organization or to individuals associated with the operation of a system). The management of organizational risk is a key element in the organization's information security program and provides an effective framework for selecting the appropriate security controls for a system (the security controls necessary to protect individuals and the operations and assets of the organization).
+ pubdate: August 2020
+ url: https://csrc.nist.gov/projects/risk-management/rmf-overview
+ source: National Institute of Standards and Technology
+ target: _blank
+ expanded: false
+ doctype: Website
+
+- name: "NIST SP 800-63 Frequently Asked Questions (FAQs)"
+ summary: "The Frequently Asked Questions for NIST SP 800-63-3: Digital Identity Guidelines answers recurring questions to provide additional clarification."
+ pubdate: July 2020
+ url: https://pages.nist.gov/800-63-FAQ/
+ source: National Institute of Standards and Technology
+ target: _blank
+ expanded: false
+ doctype: Website
+
+- name: "NIST SP 800-63-3 Implementation Resources"
+ summary: "These resources are intended as informative implementation guidance for NIST SP 800-63-3. These implementation resources provide guidance for SP 800-63-3 in three parts: Part A addresses SP 800-63A, Part B addresses SP 800-63B, and Part C addresses SP 800-63C."
+ pubdate: July 2020
+ url: https://www.nist.gov/system/files/documents/2020/07/02/SP-800-63-3-Implementation-Resources_07012020.pdf
+ source: National Institute of Standards and Technology
+ target: _blank
+ expanded: false
+ doctype: PDF
+
+- name: "NIST: Privacy Framework"
+ summary: The Privacy Framework is a voluntary tool intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy. The Privacy Framework approach to privacy risk is to consider privacy events as potential problems individuals could experience arising from system, product, or service operations with data, whether in digital or non-digital form, through a complete lifecycle from data collection through disposal.
+ pubdate: January 2020
+ url: https://www.nist.gov/privacy-framework/new-framework
+ source: National Institute of Standards and Technology
+ target: _blank
+ expanded: false
+ doctype: Website
+
+- name: "NIST White Paper: Best Practices for Privileged User PIV Authentication"
+ summary: This white paper was developed in response to the Cybersecurity Strategy and Implementation Plan to explain the need for multifactor PIV-based user authentication for privileged users. It provides best practices for agencies implementing PIV authentication for privileged users.
+ pubdate: April 2016
+ url: https://csrc.nist.gov/publications/detail/white-paper/2016/04/21/best-practices-for-privileged-user-piv-authentication/final
+ source: National Institute of Standards and Technology
+ target: _blank
+ expanded: false
+ doctype: Website
+
+- name: "Continuous Diagnostics and Mitigation"
+ summary: "The Continuous Diagnostics and Mitigation (CDM) Program is an approach to fortifying the cybersecurity of government networks and systems. The CDM Program provides cybersecurity tools, integration services, and dashboards to participating agencies to support them in improving their respective security posture. The CDM approach focuses on five areas for the federal enterprise: Data Protection Management, Network Security Management, Identity and Access Management, Asset Management, and Monitoring and Dashboards. "
+ pubdate:
+ url: https://www.cisa.gov/cdm
+ source: CISA Central
+ target: _blank
+ expanded: false
+ doctype: Website
+
+- name: "Application Rationalization Playbook"
+ summary: This playbook is a practical guide for application rationalization and IT portfolio management under the federal government's Cloud Smart initiatives. Application rationalization will help federal agencies mature IT portfolio management capabilities, empower leaders to make informed decisions, and improve the delivery of key mission and business services. 
It requires buy-in from stakeholders across the enterprise, including senior leaders, technology staff members, cybersecurity experts, business leads, financial practitioners, acquisition and procurement experts, and end user communities. Rationalization efforts rely on leadership support and continual engagement with stakeholders to deliver sustainable change.
+ pubdate: June 2019
+ url: https://www.cio.gov/assets/files/Application-Rationalization-Playbook.pdf
+ source: CIO Council
+ target: _blank
+ expanded: false
+ doctype: PDF
+
+# Additional Resource Blank Template
+# - name:
+# summary:
+# pubdate:
+# url:
+# source:
+# target: _blank
+# expanded: false
+# doctype: PDF
\ No newline at end of file
diff --git a/_data/rssfeed.yml b/_data/rssfeed.yml
new file mode 100644
index 000000000..ba2134c06
--- /dev/null
+++ b/_data/rssfeed.yml
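Review bot: The Continuous Diagnostics and Mitigation entry leaves `pubdate:` empty, which YAML loads as null, so the accordion will render a blank or nil-derived date unless the template guards for it; either supply a date or note in the legend that the field may be omitted. The legend header still reads `Polices for _university/resources.md` (copied from policies.yml) and, like that file, does not document the `doctype` key every entry uses; `orgainzation` and `it's initial state` are typos there as well. The CDM summary also carries a trailing space inside its quoted string (`… Monitoring and Dashboards. "`).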
@@ -0,0 +1,42 @@ +# rss: +# channel: +# title: CISA News +# link: https://www.cisa.gov/ +# description: '' +# language: en +# item: + +- title: Joint Statement on the Strategic Dialogue on Cybersecurity of Civil Society Under Threat of Transnational Repression + link: https://www.cisa.gov/news-events/news/joint-statement-strategic-dialogue-cybersecurity-civil-society-under-threat-transnational-repression + description: The following is the text of a joint statement committed to by the governments of Australia, Canada, Denmark, Estonia, France, Japan, New Zealand, Norway, the United Kingdom, and the United States. + pubDate: Thu, 30 Mar 23 12:00:00 +0000 + creator: CISA + guid: /node/17798 + +- title: Readout from CISA's Sixth Cybersecurity Advisory Committee Meeting + link: https://www.cisa.gov/news-events/news/readout-cisas-sixth-cybersecurity-advisory-committee-meeting + description: Today, the Cybersecurity and Infrastructure Security Agency (CISA) held its sixth Cybersecurity Advisory Committee meeting, the first quarterly meeting of 2023. + pubDate: Tue, 21 Mar 23 12:00:00 +0000 + creator: CISA + guid: /node/17729 + +- title: Director Easterly Announces New Members to Join CISA's Cybersecurity Advisory Committee + link: https://www.cisa.gov/news-events/news/director-easterly-announces-new-members-join-cisas-cybersecurity-advisory-committee + description: Today, the Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly announced the appointment of additional members to the CISA Cybersecurity Advisory Committee (CSAC), bringing onboard additional experts from the public and private sectors. 
+ pubDate: Mon, 20 Mar 23 12:00:00 +0000 + creator: CISA + guid: /node/17698 + +- title: CISA Establishes Ransomware Vulnerability Warning Pilot Program + link: https://www.cisa.gov/news-events/news/cisa-establishes-ransomware-vulnerability-warning-pilot-program + description: 'Cybersecurity and Infrastructure Security Agency (CISA) announces today the establishment of the Ransomware Vulnerability Warning Pilot (RVWP) as authorized by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022.' + pubDate: Mon, 13 Mar 23 12:00:00 +0000 + creator: CISA + guid: /node/17610 + +- title: Director Easterly Visits Carnegie Mellon University, Calls for Radical Change for Technology Product Safety in Major Address + link: https://www.cisa.gov/news-events/news/readout-director-easterly-visits-carnegie-mellon-university-calls-radical-change-technology-product + description: 'Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly travels to Carnegie Mellon University (CMU) to deliver a speech that called on technology providers to do more to prioritize security.' + pubDate: Mon, 27 Feb 23 12:00:00 +0000 + creator: CISA + guid: /node/17480 diff --git a/_data/standards.yml b/_data/standards.yml new file mode 100644 index 000000000..bb4c6b981 --- /dev/null +++ b/_data/standards.yml 
@@ -0,0 +1,163 @@ +# GSA: IDManagement.gov +# Polices for _university/standards.md +# Jekyll access: site.data.standards +# Format: YAML +# +# Legend: +# name: name of standard +# pubdate: the year(YYYY) or full name of month and Year(M YYYY) +# url: address on the document or site +# target: options(_blank|_self) _blank = new browser window, _self = replace current page content +# summary: description of the policy +# source: web address of website, name of site, governing orgainzation, or regulatory body +# expanded: options(true|false) default is false, which means the accordion is closed in it's initial state +# +# See: Blank Standard Template at the end of this file to create a new entry +# General Rule: if the desired default display state of the accordion is `expanded`, set the expanded property to `true` (default is `false`) to keep the page condensed. +# Note: default setting are listed last, not to get in the way of data entry +# + +- name: "NIST SP 800-205: Attribute Considerations for Access Control Systems" + summary: This guideline provides federal agencies with information for implementing attributes in access control systems. Attributes enable a logical access control methodology where authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. This document outlines factors which influence attributes that an authoritative body must address when standardizing an attribute system and proposes some notional implementation suggestions for consideration. + pubdate: June 2019 + url: https://csrc.nist.gov/publications/detail/sp/800-205/final + source: National Institute of Standards and Technology (NIST) + target: _blank + expanded: false + doctype: PDF + +- name: "NIST SP 800-116 Rev. 
1: Guidelines for the Use of PIV Credentials in Facility Access" + summary: This guideline provides resources for using PIV credentials in facility access, enabling federal agencies to operate as government-wide interoperable enterprises. This guideline covers the risk-based strategy to select appropriate PIV authentication mechanisms as expressed within FIPS 201. + pubdate: June 2018 + url: https://csrc.nist.gov/publications/detail/sp/800-116/rev-1/final + source: National Institute of Standards and Technology (NIST) + target: _blank + expanded: false + doctype: PDF + +- name: "NIST SP 800-63-3: Digital Identity Guidelines" + summary: Agencies use these guidelines as part of the risk assessment and implementation of their digital service(s). These guidelines provide mitigations for an authentication error's negative impacts by separating the individual elements of identity assurance into its component parts. + pubdate: June 2017 + url: https://csrc.nist.gov/publications/detail/sp/800-63/3/final + source: National Institute of Standards and Technology (NIST) + target: _blank + expanded: false + doctype: PDF + +- name: "NIST SP 800-63A: Digital Identity Guidelines - Enrollment and Identity Proofing" + summary: This guideline focuses on the enrollment and verification of an identity for use in digital services. Central to this is a process known as identity proofing in which an applicant provides evidence to a credential service provider (CSP) reliably identifying themselves, thereby allowing the CSP to assert that identification at an Identity Assurance Level (IAL). This document defines technical requirements for each of the three IALs. 
+ pubdate: June 2017 + url: https://csrc.nist.gov/publications/detail/sp/800-63a/final + source: National Institute of Standards and Technology (NIST) + target: _blank + expanded: false + doctype: PDF + +- name: "NIST SP 800-63B: Digital Identity Guidelines - Authentication and Lifecycle Management" + summary: These guidelines focus on the authentication of subjects interacting with government systems over open networks, establishing that a given claimant is a subscriber who has been previously authenticated. The result of the authentication process may be used locally by the system performing the authentication or may be asserted elsewhere in a federated identity system. This document defines technical requirements for each of the three Authentication Assurance Levels (AALs). + pubdate: June 2017 + url: https://csrc.nist.gov/publications/detail/sp/800-63b/final + source: National Institute of Standards and Technology (NIST) + target: _blank + expanded: false + doctype: PDF + +- name: "NIST SP 800-63C: Digital Identity Guidelines - Federation and Assertions" + summary: These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose. This guideline focuses on the use of federated identity and the use of assertions to implement identity federations. Federation allows a given CSP to provide authentication and (optionally) subscriber attributes to a number of separately-administered relying parties. Similarly, relying parties may use more than one CSP. 
+ pubdate: June 2017 + url: https://csrc.nist.gov/publications/detail/sp/800-63c/final + source: National Institute of Standards and Technology (NIST) + target: _blank + expanded: false + doctype: PDF + +- name: "NIST SP 800-73-4: Interfaces for PIV" + summary: This guideline specifies the PIV data model, command interface, client application programming interface (API), and references to transitional interface specifications. + pubdate: February 2016 + url: https://csrc.nist.gov/publications/detail/sp/800-73/4/final + source: National Institute of Standards and Technology (NIST) + target: _blank + expanded: false + doctype: PDF + +- name: "NIST SP 800-79-2: Guidelines for the Authorization of PIV Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)" + summary: The guideline specifies the assessment for the reliability of issuers of PIV credentials and Derived PIV credentials. The reliability of an issuer is of utmost importance when a federal agency is required to trust the identity credentials of individuals that were created and issued by another federal agency. + pubdate: July 2015 + url: https://csrc.nist.gov/publications/detail/sp/800-79/2/final + source: National Institute of Standards and Technology (NIST) + target: _blank + expanded: false + doctype: PDF + +- name: "NIST SP 800-53 Rev. 5: Security and Privacy Controls for Federal Information Systems and Organizations" + summary: This guideline provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations, assets, individuals, other organizations, and the Nation from a diverse set of threats. + pubdate: December 2020 + url: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final + source: National Institute of Standards and Technology (NIST) + target: _blank + expanded: false + doctype: PDF + +- name: "NIST SP 800-53A Rev. 
5: Assessing Security and Privacy Controls in Information Systems and Organizations" + summary: This guideline provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 5. + pubdate: January 2022 + url: https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final + source: National Institute of Standards and Technology (NIST) + target: _blank + expanded: false + doctype: PDF + +- name: "NIST SP 800-157: Guidelines for Derived PIV Credentials" + summary: This guideline provides technical instructions for the implementation of standards-based, secure, reliable, interoperable public key infrastructure (PKI) based identity credentials that are issued by federal departments and agencies to individuals who possess and prove control over a valid PIV credential. + pubdate: December 2014 + url: https://csrc.nist.gov/publications/detail/sp/800-157/final + source: National Institute of Standards and Technology (NIST) + target: _blank + expanded: false + doctype: PDF + +- name: "NIST SP 800-162: Guide to Attribute Based Access Control (ABAC) Definition and Considerations" + summary: This guideline provides federal agencies with a definition of ABAC. ABAC is a logical access control methodology in which authorization to perform a set of operations is determined by evaluating attributes associated with the subject, object, requested operations, and, in some cases, environment conditions against policy, rules, or relationships that describe the allowable operations for a given set of attributes. 
+ pubdate: January 2014 + url: https://csrc.nist.gov/publications/detail/sp/800-162/final + source: National Institute of Standards and Technology (NIST) + target: _blank + expanded: false + doctype: PDF + +- name: "FIPS 201-3: Personal Identity Verification (PIV) of Federal Employees and Contractors" + summary: This standard specifies the architecture and technical requirements for a common identification standard for federal employees and contractors. The overall goal is to achieve appropriate security assurance for multiple applications by efficiently verifying the claimed identity of individuals seeking physical access to federally controlled government facilities and electronic access to government information systems. + pubdate: January 2022 + url: https://csrc.nist.gov/publications/detail/fips/201/3/final + source: National Institute of Standards and Technology (NIST) + target: _blank + expanded: false + doctype: PDF + +- name: "NIST SP 800-76-2: Biometric Data Specification for PIV" + summary: This guideline contains technical specifications for biometric data mandated in FIPS. These specifications reflect the design goals of interoperability and performance of the PIV credential. This specification addresses image acquisition to support the background check, fingerprint template creation, retention, and authentication. The biometric data specification in this document is the mandatory format for biometric data carried in the PIV Data Model (SP 800-73-1, Appendix A). Biometric data used only outside the PIV Data Model is not within the scope of this standard. 
+ pubdate: July 2013 + url: https://csrc.nist.gov/publications/detail/sp/800-76/2/final + source: National Institute of Standards and Technology (NIST) + target: _blank + expanded: false + doctype: PDF + +- name: "NIST SP 800-122: Guide for Protecting the Confidentiality of Personally Identifiable Information (PII)" + summary: This guideline assists federal agencies in protecting the confidentiality of a specific category of data commonly known as PII. This document provides practical, context-based guidance for identifying PII and determining what level of protection is appropriate for each instance of PII. The document also suggests safeguards that may offer appropriate levels of protection for PII and provides recommendations for developing response plans for breaches involving PII. + pubdate: April 2010 + url: https://csrc.nist.gov/publications/detail/sp/800-122/final + source: National Institute of Standards and Technology (NIST) + target: _blank + expanded: false + doctype: PDF + +# Standard Blank Template +# - name: +# summary: +# pubdate: +# url: +# source: +# target: _blank +# expanded: false +# doctype: PDF \ No newline at end of file diff --git a/_faq/faqs.md b/_faq/faqs.md new file mode 100644 index 000000000..34936c42b --- /dev/null +++ b/_faq/faqs.md @@ -0,0 +1,48 @@ +--- +layout: page +collection: faq +title: Frequently Asked Questions +permalink: /faq/ +sidenav: faq +sticky_sidenav: true + +subnav: + # - text: FAQ Section 1 + # href: '#faq-1' + # - text: FAQ Section 2 + # href: '#faq-2' + # - text: FAQ Section 3 + # href: '#faq-3' + # - text: FAQ Section 4 + # href: '#faq-4' + +--- + +{% assign lcount = 0 %} +{% for faq in site.data.faqs %} +
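Review bot: Every entry in the new standards.yml sets `doctype: PDF`, yet each `url` points at a csrc.nist.gov `publications/detail/...` landing page rather than a PDF file, while the resources file earlier in this same commit labels the same kind of csrc.nist.gov detail URL `doctype: Website`, so the two data files disagree on what the field means. If the page template derives an icon or link hint from `doctype`, readers will presumably be told to expect a download they do not get; either point `url` at the PDF itself or set `doctype: Website` to match the other file. The header comment also carries a few typos worth fixing while the file is new: `Polices` → `Policies`, `orgainzation` → `organization`, `it's initial state` → `its initial state`.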
+
    +
  • -
  • +
  • +
  • +
+
+

+ +

+
+

+ {{faq.answer}} +


+ {% if faq.link != "" %} + + {% endif %} +

+
+
+{% endfor %} \ No newline at end of file diff --git a/_governance/ficam.md b/_ficampmo/ficampmo.md similarity index 68% rename from _governance/ficam.md rename to _ficampmo/ficampmo.md index 08f84c5de..ac62331e0 100644 --- a/_governance/ficam.md +++ b/_ficampmo/ficampmo.md 
@@ -1,31 +1,65 @@ --- layout: page -collection: governance -title: FICAM Governance -permalink: governance/ficam/ -sidenav: governance +collection: ficampmo +title: FICAM Program Office +permalink: /ficam/ +sidenav: functions sticky_sidenav: true subnav: - - text: ICAMSC + - text: Introduction + href: '#introduction' + - text: Federal Workforce Identity Framework + href: '#federal-workforce-identity-framework' + - text: ICAM Governance Bodies + href: '#icam-governance-bodies' + - text: ICAM Subcommittee href: '#identity-credential-and-access-management-subcommittee' - - text: ICAMSC Working Groups - href: '#icamsc-working-groups' - - text: FPKIPA + - text: Federal PKI Policy Authority href: '#federal-public-key-infrastructure-policy-authority' - - text: FPKIMA - href: '#federal-public-key-infrastructure-management-authority' - - text: FPKI Working Groups - href: '#federal-public-key-infrastructure-working-groups' --- +# Introduction + +The GSA Federal ICAM (FICAM) program helps federal agencies plan and manage enterprise identity, credentialing, and access management (ICAM) through collaboration opportunities and guidance on IT policy, standards, implementation, and architecture. Most of the guidance and best practices found on this website are developed through interagency working groups. The FICAM Program is a Federal CIO Council initiative managed by the GSA Office of Government-wide Policy. + +# Federal Workforce Identity Framework + +The FICAM Program governs through a four-part framework for identity federations. + +1. Governance - Sets policies, sign legal agreements, approves members and applicants, and oversees compliance activities. +2. Technical and Security Requirements - Outline technical and security requirements for all members. +3. Recognition - List of members and compliant services. +4. Compliance - Members and services complete 2nd party (OIG) or 3rd party compliance activity to increase trust. 
+ +Through this four-part framework, the GSA FICAM Program leads or coordinates the following governmentwide functions. + +1. Governance + 1. ICAM Governance - Maintain and update idmanagement.gov which includes the FICAM Architecture and accompanying playbooks and configuration guidance as well as secretary/co-chair the Federal CISO Council ICAM Subcommittee. Lead governmentwide ICAM initiatives like the FIDO2 Community of Action and Digital Identity Community of Practice. + 2. [Federal PKI Governance]({{site.baseurl}}/fpki/) - Review Federal PKI 3rd party PKI audits and secretary/co-chair the Federal PKI Policy Authority +2. Technical and Security Requirements + 1. FIPS 201 and accompanying Special Publications + 2. NIST Special Publication 800-63 + 3. GSA FIPS 201 Functional Requirements and Test Cases +3. Recognition + 1. Workforce identity trust services + 2. FIPS 201 Approved Product List + 3. [GSA PKI Shared Service Provider Program]({{site.baseurl}}/ssppki/) - Manage commercial PKI service providers that issue Federally-compliant digital certificates. +4. Compliance + 1. [FIPS 201 Evaluation Program]({{site.baseurl}}/fips201/) - Tests and certify services and commercial products used in PIV credentialing systems and physical access control systems. + 2. Federal PKI Annual Review Process + +# ICAM Governance Bodies + +The GSA FICAM Program coordinates and oversees governmentwide ICAM initiatives as directed by the Federal CISO Council and the Office of Management and Budget. It accomplishes this mission through various governance bodies outlined below. + An organization chart of the FICAM Governance Bodies and Working Groups. 
## Identity, Credential, and Access Management Subcommittee -The [Identity, Credential, and Access Management Subcommittee (ICAMSC)](https://community.max.gov/pages/viewpage.action?pageId=234815732){:target="_blank"}{:rel="noopener noreferrer"} is the principal interagency forum for identity management, secure access, authentication, authorization, credentials, privileges, and access lifecycle management. It’s a sub-committee of the [Federal CIO Council’s Chief Information Security Officer (CISO) Council](https://www.cio.gov/about/members-and-leadership/ciso-council/){:target="_blank"}{:rel="noopener noreferrer"}. +The [Identity, Credential, and Access Management Subcommittee (ICAMSC)](https://community.max.gov/pages/viewpage.action?pageId=234815732){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} is the principal interagency forum for identity management, secure access, authentication, authorization, credentials, privileges, and access lifecycle management. It’s a sub-committee of the [Federal CIO Council’s Chief Information Security Officer (CISO) Council](https://www.cio.gov/about/members-and-leadership/ciso-council/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. -The ICAMSC is co-chaired by the [GSA Office of Government-wide Policy](https://gsa.gov/portal/category/21399){:target="_blank"}{:rel="noopener noreferrer"} and another volunteer agency (currently the Department of Justice). The ICAMSC aligns the identity management activities of the federal government and supports collaborative government-wide efforts to: +The ICAMSC is co-chaired by the [GSA Office of Government-wide Policy](https://gsa.gov/portal/category/21399){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} and another volunteer agency (currently the Department of Justice). 
The ICAMSC aligns the identity management activities of the federal government and supports collaborative government-wide efforts to: - Increase agency flexibility in addressing ICAM challenges; - Coordinate interagency efforts to meet agency mission needs; - Identify gaps in policies, procedures, standards, guidance, and services; and 
@@ -40,15 +74,15 @@ The ICAMSC is co-chaired by the [GSA Office of Government-wide Policy](https://g ### Membership and Meetings -Membership is open to federal agency employees with a .gov or .mil email address. Contractors are permitted to join on a case-by-case basis. See the [ICAMSC Meeting Page on Max.gov](https://login.max.gov/cas/login?service=https%3A%2F%2Fcommunity.max.gov%2Flogin.action%3Fos_destination%3D%252Fpages%252Fviewpage.action%253FpageId%253D234815732){:target="_blank"}{:rel="noopener noreferrer"} for more information. Access to the page requires a multifactor authentication using either Max Secure+ or a PIV/CAC. +Membership is open to federal agency employees with a .gov or .mil email address. Contractors are permitted to join on a case-by-case basis. See the [ICAMSC Meeting Page on Max.gov](https://login.max.gov/cas/login?service=https%3A%2F%2Fcommunity.max.gov%2Flogin.action%3Fos_destination%3D%252Fpages%252Fviewpage.action%253FpageId%253D234815732){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} for more information. Access to the page requires a multifactor authentication using either Max Secure+ or a PIV/CAC. ### ICAMSC Working Groups -The ICAMSC charters working groups based on a defined-purpose and timeline. See the complete list of active and inactive working groups at the [ICAMSC Max.gov page](https://community.max.gov/pages/viewpage.action?pageId=234815732){:target="_blank"}{:rel="noopener noreferrer"}. Send an email to icam at gsa.gov for more information and join a working group. +The ICAMSC charters working groups based on a defined-purpose and timeline. See the complete list of active and inactive working groups at the [ICAMSC Max.gov page](https://community.max.gov/pages/viewpage.action?pageId=234815732){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. Send an email to icam at gsa.gov for more information and join a working group. 
| Working Group Name | Purpose | Activities | Membership Requirements | Meeting Schedule | | --------- | ---- | ---------- | ------- | ----------- | -| [**Physical Access Control Systems Modernization (PACSMod)**](https://community.max.gov/display/Egov/PACSMod+Working+Group){:target="_blank"}{:rel="noopener noreferrer"} | Facilitate the implementation and use of the technology and processes related to modernizing electronic-PACS (ePACS) within the federal government (USG). | By September 30th, 2021, develop a PACS Assessment Toolkit, a self-assessment that agencies can use to assess the FICAM compliance of PACS implementations. | Federal employees and designated contractors operating a PACS. | Monthly | +| [**Physical Access Control Systems Modernization (PACSMod)**](https://community.max.gov/display/Egov/PACSMod+Working+Group){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} | Facilitate the implementation and use of the technology and processes related to modernizing electronic-PACS (ePACS) within the federal government (USG). | By September 30th, 2021, develop a PACS Assessment Toolkit, a self-assessment that agencies can use to assess the FICAM compliance of PACS implementations. | Federal employees and designated contractors operating a PACS. | Monthly | ### Other ICAM Working Groups 
@@ -56,7 +90,7 @@ Other ICAM working groups may be charted under other committess or subcommittees | Working Group Name | Purpose | Activities | Membership Requirements | Meeting Schedule | | --------- | ---- | ---------- | ------- | ----------- | -| [**Derived-PIV Working Group**](https://community.max.gov/display/Egov/Derived-PIV+Working+Group){:target="_blank"}{:rel="noopener noreferrer"} | Accelerate the implementation of mobile identity management across the federal government. | Document and share PKI and non-PKI uses cases to increase the available technical and information resources. Provide a feedback look to inform policy and standard. | Federal employees and designated contractors | Monthy | +| [**Derived-PIV Working Group**](https://community.max.gov/display/Egov/Derived-PIV+Working+Group){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} | Accelerate the implementation of mobile identity management across the federal government. | Document and share PKI and non-PKI uses cases to increase the available technical and information resources. Provide a feedback look to inform policy and standard. | Federal employees and designated contractors | Monthy | ### ICAM Community Listserv @@ -123,3 +157,4 @@ If you meet the membership criteria and wish to join a working group, email fpki | **Technical (TWG)** | Investigate and resolve complex FPKI technical issues. | Identify and scope technical FPKI issues, address security concerns and vulnerabilities, and identify technical improvements to enhance the security and operational capabilities. | Federal employees, designated contractors, and PKI vendors. | As needed. | + diff --git a/_sell/fips201ep.md b/_ficampmo/fips201ep.md similarity index 73% rename from _sell/fips201ep.md rename to _ficampmo/fips201ep.md index 579efd77c..b1127eb16 100644 --- a/_sell/fips201ep.md +++ b/_ficampmo/fips201ep.md 
@@ -1,16 +1,16 @@ --- layout: page title: FIPS 201 Evaluation Program -collection: sell -permalink: fips201/ -sidenav: sell +collection: ficampmo +permalink: /fips201ep/ +sidenav: functions sticky_sidenav: true subnav: + - text: Program Announcements + href: '#program-announcements' - text: Testing and Certification href: '#testing-and-certification' - - text: Testing Guidance and Documents - href: '#testing-guidance-and-documents' - text: Personal Identity Verification (PIV) Credentials href: '#personal-identity-verification-credentials' - text: PIV Card Body Application Package Requirements @@ -19,11 +19,49 @@ subnav: href: '#derived-piv-credentials' - text: Physical Access Control System (PACS) href: '#physical-access-control-system' + --- The Federal Information Processing Standard 201 (FIPS 201) Evaluation Program (sometimes called the FICAM Testing Program) tests and certifies services and commercial products used in PIV credentialing systems, physical access control systems (PACS), and public key infrastructures (PKIs). -For the latest testing news, view the [program announcements]({{site.baseurl}}/sell/fipsannouncements/). +## Program Announcements + +Announcements older than four years are removed. [Contact us]({{site.baseurl}}/contact-us) if you have any questions. + +
    +
  • +
  • +
  • -
  • +
+{% assign lcount = 0 %} +{% for announcement in site.data.fips201announcements %} + {% if announcement.status == "Active" %} +
+

+ +

+ {% if announcement.url == null %} +
+ {% else %} +
+ {% endif %} +
+ {{announcement.doctype}} +
+

{{announcement.summary}}

+
+
+ {% if announcement.external == true %} + + Source: {{announcement.source}} + {% else %} + + Source: {{announcement.source}} + {% endif %} +
+
+
+ {% endif %} +{% endfor %} ## Testing and Certification 
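Review bot: The `{% if announcement.url == null %}` test treats only a missing key as "no URL"; an entry written as `url: ""` (the convention the new faqs.md in this commit tests with `faq.link != ""`) falls through to the linked variant and would presumably render an anchor with an empty href, which points back at the page itself. The element markup is not visible in this chunk, so I cannot confirm how the else branch uses the value, but `{% if announcement.url == null or announcement.url == "" %}` covers both data conventions. In the same hunk, `{% if announcement.external == true %}` can be written `{% if announcement.external %}`, since the YAML boolean is already truthy, matching the `status == "Active"` test above it in style. The Liquid loop is fully contained in this hunk.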
@@ -33,24 +71,24 @@ We test and certify a variety of products and services such as: - Physical access control systems for buildings including readers and infrastructure - Service providers who manage, install, or provide hosted solutions for issuance of Personal Identity Verification (PIV) and CAC credentials -If you’re looking for testing procedures related to products not listed above, review the [announcements]({{site.baseurl}}/sell/fipsannouncements/). Over the years, some product testing has been deprecated to eliminate redundancy, or the product categories have become stable and represent general commercial use products. +If you’re looking for testing procedures related to products not listed above, review the [FIPS 201 announcements](#program-announcements). Over the years, some product testing has been deprecated to eliminate redundancy, or the product categories have become stable and represent general commercial use products. -### Product Testing +## Product Testing Product testing is performed by either: - Third-party accredited testing labs, OR - GSA-managed testing labs -If the product passes testing and review, the vendor is granted a letter of certification, and the product is placed on the [Approved Products List (APL)]({{site.baseurl}}/buy/#products). The APL includes product information, version, date of certification, and special considerations. +If the product passes testing and review, the vendor is granted a letter of certification, and the product is placed on the [Approved Products List (APL)]({{site.baseurl}}/acquisition-professionals/#products). The APL includes product information, version, date of certification, and special considerations. -Visit the [Vendors page]({{site.baseurl}}/sell/) for more on testing and certification. +Visit the [Vendors page]({{site.baseurl}}/vendor/) for more on testing and certification. ## Testing Guidance and Documents Functional requirements for the products are outlined in each test procedure. 
Review the testing agreements, and the test procedure for your specific product, and submit the agreement and package to fips201ep at gsa.gov. -### Testing Agreements +## Testing Agreements Review the testing agreements, and sign and submit the appropriate agreement with your testing package to fips201ep at gsa.gov. 
@@ -59,11 +97,11 @@ Review the testing agreements, and sign and submit the appropriate agreement wit - [Approved Product List Application Guidance Document (PDF, April 2022)]({{site.baseurl}}/docs/fips201ep-Application-guidance.pdf){:target="_blank"}{:rel="noopener noreferrer"} – Provides a checklist of which documents are required when submitting a new or upgraded solution. - [Removed Products List (RPL) Process Document (PDF, April 2022)]({{site.baseurl}}/docs/fips201ep-rplprocess.pdf){:target="_blank"}{:rel="noopener noreferrer"} – If your product has been removed from the APL, review this document for the procedures. -## Personal Identity Verification Credentials +# Personal Identity Verification Credentials - [Annual PIV Credential Issuer (PCI) Testing Application Form (PDF, February 2020)]({{site.baseurl}}/docs/fips201ep-pcitestform.pdf){:target="_blank"}{:rel="noopener noreferrer"} – If you are an agency or organization applying for your Annual Review Audit for the Federal Public Key Infrastructure (FPKI), submit this form to fips201ep at gsa.gov; two testing options are available: - In-person Lab Testing - testing organizations can provide available dates and times to visit the GSA FIPS 201 lab when sending in their application form, or - - Remote Testing - testing organizations can leverage the [Card Conformance Tool (CCT)](https://playbooks.idmanagement.gov/fpki/tools/cct/){:target="_blank"}{:rel="noopener noreferrer"} and [Certificate Profile Conformance Tool (CPCT)](https://playbooks.idmanagement.gov/fpki/tools/cpct/){:target="_blank"}{:rel="noopener noreferrer"}, [SP 800-73-4-based Test Runner](https://csrc.nist.gov/News/2016/New-SP-800-73-4-based-Test-Runner-Release){:target="_blank"}{:rel="noopener noreferrer"}, and the [KSJavaAPI](https://github.com/grandamp/KSJavaAPI){:target="_blank"}{:rel="noopener noreferrer"} to generate artifacts to be sent along with the testing application form. 
+ - Remote Testing - testing organizations can leverage the [Card Conformance Tool (CCT)](https://github.com/GSA/piv-conformance/releases){:target="_blank"}{:rel="noopener noreferrer"} and [Certificate Profile Conformance Tool (CPCT)](https://github.com/GSA/cpct-tool/releases/){:target="_blank"}{:rel="noopener noreferrer"}, [SP 800-73-4-based Test Runner](https://csrc.nist.gov/News/2016/New-SP-800-73-4-based-Test-Runner-Release){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, and the [KSJavaAPI](https://github.com/grandamp/KSJavaAPI){:target="_blank"}{:rel="noopener noreferrer"} to generate artifacts to be sent along with the testing application form. - [Personal Identity Verification (PIV) Card Body Approval Procedures, V 11.0 (PDF, April 2023)]({{site.baseurl}}/docs/piv-card-body-approval-procedures.pdf){:target="_blank"}{:rel="noopener noreferrer"} – approval procedures that outline the evaluation criteria, approval mechanisms, and validation test reports to be employed and provided by the Evaluation Laboratory based on their evaluation of a vendor/ supplier’s PIV Card body (product), to be provided to the FIPS 201 EP for evaluation to be placed on the Approved Products List (APL). ## PIV Card Body Application Package Requirements 
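Review bot: The external-link class is applied inconsistently in the new Remote Testing line: only the NIST Test Runner link gets `{:class="usa-link usa-link--external"}`, while the CCT, CPCT and KSJavaAPI links in the same sentence also point off-site (github.com) and open in a new tab but carry no external-link class. Add the same attribute to those three links, e.g. `[Card Conformance Tool (CCT)](https://github.com/GSA/piv-conformance/releases){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}`, so readers get the same visual cue before leaving the site. Note also that this hunk sends CPCT to the GitHub releases page while the D-PIV steps in a later hunk of the same file point it at `{{site.baseurl}}/fpki/tools/cpct/`; if the on-site tool page is the intended home, the two references should agree.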
@@ -73,7 +111,7 @@ All applicants, please complete the following steps: 1. Review the [Personal Identity Verification (PIV) Card Body Approval Procedures v11.0 (PDF, April 2023)]({{site.baseurl}}/docs/piv-card-body-approval-procedures.pdf){:target="_blank"}{:rel="noopener noreferrer"} – outlining the approval procedures and evaluation criterion for getting the PIV Card body (Product) on the APL and Section 2 Application Package 2. Provide the Product itself (see Section 2) of the [Personal Identity Verification (PIV) Card Body Approval Procedures v11.0 (PDF, April 2023)]({{site.baseurl}}/docs/piv-card-body-approval-procedures.pdf){:target="_blank"}{:rel="noopener noreferrer"} 3. Complete and provide the [PIV Card APL Evaluation Program Application Form]({{site.baseurl}}/docs/piv-card-apl-evaluation-program-application-form.docx){:target="_blank"}{:rel="noopener noreferrer"} (Word, April 2023) – Required for each product submission. -4. Complete and provide the [FIPS 201 Evaluation Program Lab Services Agreement, V3.0.0 (PDF)]({{site.baseurl}}/docs/fips201-evaluation-program-lab-services-agreement.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:download="fips201-evaluation-program-lab-services-agreement.pdf"} – Required for each product submission. +4. Complete and provide the [FIPS 201 Evaluation Program Lab Services Agreement, V3.0.0 (PDF)]({{site.baseurl}}/docs/fips201-evaluation-program-lab-services-agreement.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:download}{:download="fips201-evaluation-program-lab-services-agreement.pdf"} – Required for each product submission. 5. 
Complete and provide the [FIPS 201 Evaluation Program Attestations to Federal Acquisition Regulations related to the Trade Agreement Act v3.3]({{site.baseurl}}/docs/fips201-evaluation-program-attestations-to-federal-acquisition-regulations-related-to-the-trade-agreement-act.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:download="fips201-evaluation-program-attestations-to-federal-acquisition-regulations-related-to-the-trade-agreement-act.pdf"} – Required for each product submission. 6. Complete and provide the [FIPS 201 Evaluation Program Attestations Form for PIV Card Body Approval v1.0]({{site.baseurl}}/docs/fips201-evaluation-program-attestation-form-for-piv-card-body-approval.docx){:target="_blank"}{:rel="noopener noreferrer"} – Required for each product submission. @@ -82,11 +120,11 @@ All applicants, please complete the following steps: Agencies that wish to issue D-PIV credentials should follow these steps: 1. Perform a NIST SP 800-79 assessment and receive an Authority To Operate (ATO) 2. Work with your Shared Service Provider (SSP) to obtain D-PIV Object Identifiers (OIDs) -3. Submit sample D-PIV public certificates for testing or provide results from the [Certificate Profile Conformance Tool (CPCT)](https://playbooks.idmanagement.gov/fpki/tools/cpct/){:target="_blank"}{:rel="noopener noreferrer"} to fips201ep at gsa.gov. +3. Submit sample D-PIV public certificates for testing or provide results from the [Certificate Profile Conformance Tool (CPCT)]({{site.baseurl}}/fpki/tools/cpct/){:target="_blank"}{:rel="noopener noreferrer"} to fips201ep at gsa.gov. Upon successful completion of DPCI testing, the agency or organization will be granted approval to issue D-PIV credentials. -## Physical Access Control System +# Physical Access Control System GSA tests and validates the interoperability of PIV and CAC credentials with the software and hardware used to restrict physical access to government facilities. 
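Review bot: Step 4's new attribute list contains a stray bare `{:download}` immediately before `{:download="fips201-evaluation-program-lab-services-agreement.pdf"}`. In kramdown a bare `{:name}` is a reference to an attribute-list definition, and none named `download` is visible in this file, so the token is at best ignored and at worst emitted literally into the page text; the `{:download="…"}` form that follows is the one that actually produces the `download` attribute. Drop the bare token so the link ends `{:target="_blank"}{:rel="noopener noreferrer"}{:download="fips201-evaluation-program-lab-services-agreement.pdf"}`, matching the form already used by step 5 in the same list.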
@@ -100,14 +138,14 @@ Review the test procedures, choose one of the application packages, and submit t - Review this Addendum for help resetting PIN retry counters, and determining the number of remaining PIN retries during Discovery Object testing. -### PACS Application Package for New Systems or for Updates to Previously Approved Systems +## PACS Application Package for New Systems or for Updates to Previously Approved Systems All applicants, please complete the following steps: 1. Review the - [Approved Product List Application Guidance Document (PDF, April 2022)]({{site.baseurl}}/docs/fips201ep-Application-guidance.pdf){:target="_blank"}{:rel="noopener noreferrer"} – Instructions for completeing the Approved Product List Application Form. 2. Complete the [Approved Product List Application Form (Word, April 2022)]({{site.baseurl}}/docs/fips201ep-application-form.docx){:target="_blank"}{:rel="noopener noreferrer"} – Required for each solution submission, new or upgrade. 3. Provide the equipment table from the Approved Product List Application as a separate file. [Equipment Table GSA PACS Application v0.1 (XLSX, February 2023)]({{site.baseurl}}/docs/equipment-table-gsa-pacs-application.xlsx){:target="_blank"}{:rel="noopener noreferrer"} -4. [Reseller Acknowledgement Form (MS Word, September 2014)](https://www.idmanagement.gov/docs/fips201ep-resellerform.docx){:target="_blank"}{:rel="noopener noreferrer"} – If you are reselling another product, this must be disclosed, and the signed agreement submitted. +4. [Reseller Acknowledgement Form (MS Word, September 2014)]({{site.baseurl}}/docs/fips201ep-resellerform.docx){:target="_blank"}{:rel="noopener noreferrer"} – If you are reselling another product, this must be disclosed, and the signed agreement submitted. 5. 
Include the following document when adding a new series, or adding new product to a prior listed series, signed by a C- or VP-level individual: - [Product Series and Licensing Form (MS Word, August 2018)]({{site.baseurl}}/docs/pacsapp-licensingform.docx){:target="_blank"}{:rel="noopener noreferrer"} 6. Provide a solution configuration guide that includes, at a minimum: @@ -127,7 +165,7 @@ All applicants, please complete the following steps: 11. Include all applicable VPAT statements, UL-294, and FIPS 140-2/140-3 listing documents. 12. Submit all completed forms to fips201ep at gsa.gov. -### Test Card Loaners +## Test Card Loaners GSA can loan you test cards to help you pre-test your physical access control system products. diff --git a/_ficampmo/fpki.md b/_ficampmo/fpki.md new file mode 100644 index 000000000..8ed3ed727 --- /dev/null +++ b/_ficampmo/fpki.md 
@@ -0,0 +1,253 @@ +--- +layout: page +collection: ficampmo +title: Federal PKI Governance and Compliance Audit Information +permalink: /fpki/ +sidenav: functions +sticky_sidenav: true + +subnav: + - text: Federal PKI Policies and Profiles + href: '#federal-pki-policies-and-profiles' + - text: Annual Review Requirements for All Certification Authorities + href: '#annual-review-requirements-for-all-certification-authorities' + - text: Annual Review Schedule + href: '#annual-review-schedule' + - text: Compliance Test Tools for Annual Reviews + href: '#compliance-test-tools-for-annual-reviews' + - text: Audit Information for the FPKI Management Authority + href: '#audit-information-for-the-fpki-management-authority' + - text: Report an Incident + href: '#report-an-incident' + # - text: Federal PKI Monthly Activity Report + # href: '#federal-pki-monthly-activity-report' + - text: Federal PKI Document Archive + href: '#federal-pki-document-archive' +--- + +This page contains information to help Federal Public Key Infrastructure (FPKI) program managers and auditors. +- It includes the FPKI policies and profiles as well as annual FPKI annual review schedule. +- It can help auditors assess certification authorities (CAs) operated as part of the FPKI. +- It can help the general public understand how the FPKI Management Authority (FPKIMA) provides trusted PKI and CA operations. + +For any questions, please contact fpki at gsa.gov. + +# Federal PKI Policies and Profiles + +The Federal Public Key Infrastructure (FPKI) provides the government with a trust framework and infrastructure to administer digital certificates and public-private key pairs. 
For more information on the FPKI and PIV, go to the: +- [FPKI 101]({{site.baseurl}}/university/fpki/) +- [PIV 101]({{site.baseurl}}/university/piv/) + +The [FPKI Policy Authority (FPKIPA)]({{site.baseurl}}/ficam/#federal-public-key-infrastructure-policy-authority) maintains three certificate policies (the Common Policy Framework, the Federal Bridge Certification Authority Certificate Policy, and the Federal Public Trust TLS Certificate Policy). All cross-certified CA certificate policies are mapped to the Federal Bridge certificate policy. + +| Federal PKI Policy | Policy Name | Profile | Change Proposals | +| -------------- | ----------- | ------- | ---------------- | +| Federal Common Policy | [X.509 Certificate Policy for the U.S. FPKI Common Policy Framework v2.5]({{site.baseurl}}/docs/fpki-x509-cert-policy-common.pdf){:target="_blank"}{:rel="noopener noreferrer"} | [Common Policy X.509 Certificate and CRL Profiles v2.2]({{site.baseurl}}/docs/fpki-x509-cert-profile-common.pdf){:target="_blank"}{:rel="noopener noreferrer"} | [Common Change Proposals]({{site.baseurl}}/fpki/#federal-pki-document-archive) | +| Federal Bridge | [X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) v3.2]({{site.baseurl}}/docs/fpki-x509-cert-policy-fbca.pdf){:target="_blank"}{:rel="noopener noreferrer"}

and [PIV-I for Federal Agencies]({{site.baseurl}}/playbooks/pivi/){:target="_blank"}{:rel="noopener noreferrer"} | [Federal Bridge Certification Authority (FBCA) X.509 Certificate and CRL Extensions Profile v2.0]({{site.baseurl}}/docs/fpki-x509-cert-profiles-fbca.pdf){:target="_blank"}{:rel="noopener noreferrer"} | [Bridge Change Proposals]({{site.baseurl}}/fpki/#federal-pki-document-archive) | +| Federal Public Trust TLS | [U.S. Federal Public Trust TLS PKI Certificate Policy v1.1]({{site.baseurl}}/docs/us-federal-public-trust-tls-cp.pdf){:target="_blank"}{:rel="noopener noreferrer"} | Profiles are included in Section 7 of the Policy | No change proposals | + +The FPKI has the following supplementary guidance: + +- [Security Controls Overlay of NIST Special Publication 800-53 Revision 5 Security Controls for FPKI Systems (PDF, February 2021)]({{site.baseurl}}/docs/fpki-overlay-sp-800-53.pdf){:target="_blank"}{:rel="noopener noreferrer"} – The application of NIST Special Publication (SP) 800-53 security controls is required to operate a CA that is used in the FPKI and contains federal data. Review the controls overlay document to understand the requirements and details of each applicable control. +- [FPKI Key Recovery Policy (PDF, October 2017)]({{site.baseurl}}/docs/fpki-key-recovery.pdf){:target="_blank"}{:rel="noopener noreferrer"} - The FPKI Key Recovery Policy (KRP) supplements the FPKI Certificate Policies and describes the procedural and technical security controls needed to operate a Key Recovery System (KRS) securely, in accordance with FPKIPA requirements. +- [Registration Authority Agreement Template v1.0 (Word, April 2017)]({{site.baseurl}}/docs/fpki-ssp-raa.docx){:target="_blank"}{:rel="noopener noreferrer"} - The purpose of this document is to identify and explain the roles and responsibilities of an enrollment/registration agent under the Federal PKI COMMON Policy Framework. 
+- [FPKI Incident Management Plan (PDF, September 2020)]({{site.baseurl}}/docs/fpki-imp.pdf){:target="_blank"}{:rel="noopener noreferrer"} - This document provides guidance on the roles and responsibilities applicable to the FPKI Policy Authority (FPKIPA), FPKI Management Authority (FPKIMA), and FPKI affiliates in the event of an incident. +- [Archived copies of Certificate Polices, Profiles, and other FPKI-related documents]({{site.baseurl}}/fpki/#federal-pki-document-archive) - This pages contains three years of FPKI-related documents. + + +# Annual Review Requirements for All Certification Authorities + +Independent compliance audits are the primary way that the Federal Public Key Infrastructure Policy Authority (FPKIPA) ensures that entities participating in the FPKI comply with the requirements identified in the appropriate Certificate Policies (CPs). Audits are an important component of the Annual Review Requirements. + +Audits are required annually for supporting functions and elements of each entity. Annual review packages should be submitted to fpki at gsa.gov. + +- [FPKI Annual Review Requirements (PDF, May 2022)]({{site.baseurl}}/docs/fpki-annual-review-requirements.pdf){:target="_blank"}{:rel="noopener noreferrer"} – This document includes requirements for performing and reporting annual compliance audits. +- [RA Audit Guidance Memorandum (PDF, October 2022]({{site.baseurl}}/docs/fpki-ra-audit-guidance.pdf){:target="_blank"}{:rel="noopener noreferrer"} – This FPKIPA Memorandum reiterates the necessity of RA audits in supporting PKI operations, normalizes differing terminology used across various references, and provides options for reducing potential duplication of RA audit efforts, as applicable to PIV issuers. 
+- PIV and PIV-I Annual Testing - supports FPKI Annual Reviews and can be done either in person at the GSA FIPS 201 Lab or using available tools such as the [Card Conformance Tool (CCT)]({{site.baseurl}}/fpki/tools/cct/){:target="_blank"}{:rel="noopener noreferrer"} and [Certificate Profile Conformance Tool (CPCT)]({{site.baseurl}}/fpki/tools/cpct/){:target="_blank"}{:rel="noopener noreferrer"} +- [Non-Compliance Management Framework For The Federal Public Key Infrastructure (FPKI) (PDF, January 2016)]({{site.baseurl}}/docs/fpki-nmf.pdf){:target="_blank"}{:rel="noopener noreferrer"} - This document provides guidance for the FPKI Policy Authority (FPKIPA) for responding to situations in which an FPKI FBCA member is not meeting their Memorandum of Agreement (MOA) requirements and obligations. + + +## Annual Review Schedule + +| Entity | Type | Annual Review Package Due Date| +| ------- | :-----: | :-----------------------------: | +| CertiPath | Bridge | June 30 | +| DigiCert (ECPS) | Affiliate PKI | July 31 | +| DigiCert (Formerly Symantec Non-Federal Issuer [NFI]) | Affiliate PKI | July 31 | +| DigiCert (Formerly Symantec Shared Service Provider [SSP]) | SSP | July 31 | +| Department of Defense (DoD) | Affiliate PKI | November 30 | +| Department of State (DOS) | Affiliate PKI | October 31 | +| Department of the Treasury | SSP | July 31 | +| Entrust NFI | Affiliate PKI | November 30 | +| Entrust Federal SSP | SSP | November 30 | +| Exostar | Affiliate PKI | June 30 | +| Government Publishing Office (GPO) | Affiliate PKI | October 31 | +| IdenTrust NFI | Affiliate PKI | August 31 | +| Patent and Trademark Office (PTO) | Affiliate PKI | October 31 | +| SAFE Identity | Bridge | June 30 | +| Southwest Texas Regional Advisory Council (STRAC) | Bridge | November 30 | +| Transglobal Secure Collaboration Program (TSCP) | Bridge | July 31 | +| Verizon SSP | SSP | August 31 | +| WidePoint NFI | Affiliate PKI | May 31 | +| WidePoint SSP | SSP | May 31 | + +# Compliance Test 
Tools for Annual Reviews + +The FPKI Program support two remote PIV, PIV-I and digital certificate test tools to support FPKI annual reviews. + +1. The [Card Conformance Tool (CCT)](https://github.com/GSA/piv-conformance/releases){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} is a GSA managed, Java tool hosted on GitHub that can verify that a Personal Identity Verification (PIV) or PIV-Interoperable (PIV-I) conforms to the PIV data model. +2. The [Certificate Profile Conformance Tool (CPCT)](https://github.com/GSA/cpct-tool/releases){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} is an self-hosted application that analyzes public X.509 certificates for conformance to a specified FPKI profile. + +To request an official report on your CPCT and CCT results, fill out the [Annual PIV Credential Issuer (PCI) Testing Application Form]({{site.baseurl}}/docs/fips201ep-pcitestform.pdf){:target="_blank"}{:rel="noopener noreferrer"} and send it with outputs and testing artifacts to fips201ep at gsa.gov. + +## Submitting a Test Results Package +If you are running the Card Conformance Tool as part of the annual requirement to undergo PIV/PIV-I testing, you must email the artifacts listed below to fips201ep at gsa.gov. + +1. A completed [testing application]({{site.baseurl}}/docs/fips201ep-pcitestform.pdf){:target="_blank"}{:rel="noopener noreferrer"} for each PCI configuration evaluated (See Section 1 of the application for more information). +2. All accompanying Card Conformance Tool Log files, these reside in the same directory as the extracted package after the tests have been run: + - logs (directory) + - piv-artifacts (directory) + - x509-artifacts (directory) + - x509-certs (directory) + - the test database used for the evaluation (e.g., PIV_Production_Cards.db) +3. 
The card's Answer-to-Rest value presented within the "Reader Status" text box (e.g., 3bd6970081b1fe451f078031c1521118f9), which is displayed on the CCT landing page provided a card is available to the test system. +4. A report (PDF or XLSX) for each certificate found on the card (use the Certificate Profile Conformance Tool (web application) to generate the reports. +5. High-resolution card photos of the front and back of each card tested. + +{% include alert-success.html heading="Helpful Hint" content="Collecting all accompanying Card Conformance Tool Log files is most easily achieved by zipping the fips201-card-conformance-tool-[Release-Version]-[Release-Date] directory; this is the same directory where you had extracted the tool." %} + +{% include alert-warning.html heading="Note" content="Failure to submit a complete CCT Package may delay review of your testing results and completion of your annual FPKI PIV/PIV-I testing requirement." %} + +# Audit Information for the FPKI Management Authority + +This section contains information on audits performed on the Federal Common Policy Certification Authority and the Federal Bridge Certification Authority. + +- The Federal Common Policy Certification Authority (FCPCA) operates in compliance with the Federal Common Certificate Policy. +- The Federal Bridge Certificate Authority (FBCA) operates in compliance with the Federal Bridge Certificate Policy. + +The FPKIMA Certification Practice Statement (CPS) documents the operational practices required to ensure trusted operations. Additional compliance audit information for the FPKI Trust Infrastructure Systems is also provided below. + +- [U.S. FPKI Certification Practice Statement (PDF, May 2022) – Version 6.3]({{site.baseurl}}/docs/fpki-fpkima-cps.pdf){:target="_blank"}{:rel="noopener noreferrer"} +- [U.S. 
FPKI Audit Letter of Compliance (PDF, September 2022)]({{site.baseurl}}/docs/fpki-fpkima-audit-letter.pdf){:target="_blank"}{:rel="noopener noreferrer"} – Results of the 2020-2021 Compliance Audit for the FPKI Trust Infrastructure Systems. +- [FPKI Trust Infrastructure “HTTP.FPKI.Gov” URL Site Map (PDF, September 2022)]({{site.baseurl}}/docs/fpki-fpkima-sitemap.pdf){:target="_blank"}{:rel="noopener noreferrer"} + +# Report an Incident +FPKI affiliates include federal agencies and commercial service providers operating a certification authority certified by the Federal PKI Policy Authority. FPKI affiliate responsibilities related to the incident management process include: +1. Communicating security incidents involving infrastructures or services to the FPKI Authorities, users/customers, and known relying parties. +2. Providing additional investigation support and/or information about incidents to the FPKI Authorities as they become known, and +3. Conducting remediation activities once an incident is confirmed. + +To report a security incident, such as a key compromise, data breach, or other fraud waste or abuse regarding FPKI CAs or certificates, please contact both fpki at gsa dot gov and fpki-help at gsa dot gov, and include any relevant known information on the incident up to that point. Further information will be requested from the affiliate per the [FPKI Incident Management Plan]({{site.baseurl}}/docs/fpki-imp.pdf){:target="_blank"}{:rel="noopener noreferrer"}. + + + +# Federal PKI Document Archive + +{% assign categories = "" | split: "" %} +{% for docs in site.data.fpkidocs %} + {% assign category = docs.category | strip %} + {% assign categories = categories | push: category | uniq | sort %} +{% endfor %} +{% assign categories = categories | uniq | sort %} + +A Federal PKI document may be needed for three years for compliance review purposes. 
This pages contains three years of FPKI documents, including: +- Certificate Policies +- Certificate Profiles +- Supplementary Guidance +- Change Proposals + +A blank category indicates no updates in the previous three years. If you seek a document that is older than three years or is not listed here, please contact fpki at gsa.gov or look in the [archived document repository on github](https://github.com/GSA/idmanagement.gov/tree/staging/docs/archived){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. + + + + + + + + + + {% for category in categories %} + + + + {% for docs in site.data.fpkidocs %} + {% if docs.status == "post" %} + {% if docs.category == category %} + + + + + {% endif %} + {% endif %} + {% endfor %} + {% endfor %} + +
Document NameRemoval From Archive
{{ category }}
{{ docs.name}}{{ docs.remove }}
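Review bot: The RA Audit Guidance Memorandum entry under Annual Review Requirements has an unbalanced parenthesis in its link text, `[RA Audit Guidance Memorandum (PDF, October 2022]`, so the rendered link label ends with an unclosed "(PDF, October 2022"; it should read `[RA Audit Guidance Memorandum (PDF, October 2022)]`. In the Submitting a Test Results Package list, item 3 asks for the card's "Answer-to-Rest value"; the smart-card term is Answer-to-Reset (ATR), and since reviewers will match this against the CCT log it should read `The card's Answer-to-Reset (ATR) value presented within the "Reader Status" text box`. Smaller wording fixes in the same file: `The FPKI Program support two` → `supports two`, `an self-hosted application` → `a self-hosted application`, and `This pages contains` (which appears twice) → `This page contains`. The Report an Incident section asks affiliates to email key-compromise and data-breach details to two mailboxes; consider stating whether sensitive artifacts should be sent encrypted or via the channel defined in the Incident Management Plan — I cannot tell from this page whether the plan already covers that.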
diff --git a/_ficampmo/gsapkissp.md b/_ficampmo/gsapkissp.md new file mode 100644 index 000000000..0b92cc10e --- /dev/null +++ b/_ficampmo/gsapkissp.md @@ -0,0 +1,530 @@ +--- +layout: page +collection: ficampmo +title: Shared Service Provider Program Guide +permalink: /pkissp/ +sticky_sidenav: true +sidenav: functions + +version: 1.0 +pubdate: June 30, 2023 +author: GSA SSP PMO + +subnav: + - text: Audience + href: '#audience' + - text: 'Section I: GSA PKI SSP Program' + href: '#section-i-gsa-pki-ssp-program' + - text: 'Section II: SSP Application and Maintenance Activities' + href: '#section-ii-ssp-application-and-maintenance-activities' + - text: Application Process + href: '#application-process' + - text: Maintenance Activities + href: '#maintenance-activities' + - text: 'Section III: Digital Certificate Services' + href: '#section-iii-digital-certificate-services' + - text: Current Services + href: '#current-services' + - text: Conclusion + href: '#conclusion' + - text: Appendix A - Sample MOA + href: '#appendix-a---sample-moa' + +--- + +Version: {{page.version}} +{{page.pubdate}} +Author: {{page.author}} + + + + +U.S. General Services Administration Logo + +


+ + +| Version Number | Date | Change Description | +| :----------: | :-------: | -------- | +| 1.0 | 02/14/2023 | Initial draft | + + +# Overview + +The General Services Administration (GSA), Office of Government-wide Policy, manages the Public Key Infrastructure (PKI) Shared Services Provider (SSP) program. The primary program focus is to help agencies meet the policy intent of Homeland Security Presidential Directive 12, as well as achieve digital signature interoperability. + +A GSA PKI SSP is a commercial PKI provider who has completed Federal PKI compliance activities to receive a certification authority certificate and is listed on the GSA Multiple Award Schedule. This document is reviewed annually and has three major sections: + +- [Section 1](#section-i-gsa-pki-ssp-program) -Outlines GSA management and acquisition controls of the PKI SSP Program. +- [Section 2](#section-ii-ssp-application-and-maintenance-activities) -Defines the application and ongoing maintenance process to apply and stay in the GSA PKI SSP Program. +- [Section 3](#section-iii-digital-certificate-services) -Lists available services that a SSP should offer. + +# Audience + +This document is primarily for the following audience: + +1. Commercial PKI vendors who are interested in becoming a GSA PKI SSP. +2. Existing GSA PKI SSP Program members to refresh their knowledge of ongoing maintenance requirements. +3. Federal agency customers who want to understand the GSA PKI SSP program or find contact information for the program management. + +If you have questions about this document or the outlined process, contact [GSAPKISSP@gsa.gov](GSAPKISSP@gsa.gov). + +# Section I: GSA PKI SSP Program + +The GSA SSP Program has a long history of successfully providing digital certificate services for employees, contractors, and affiliates. 
The program was started in December 2004 when the Office of Management and Budget (OMB) issued a directive, M-05-05, directing federal agencies to buy their digital certificate services through the SSP Program. Almost 20 years later, the program is a cornerstone for some federal agencies despite the drive to expand new services in a thin market. + +In 2019, a new OMB directive, M-19-17, was released that requires shared services such as the SSP Program be updated to enable strong government oversight. In response to this directive, GSA is strengthening its oversight by establishing a framework among its Managing Partners and with approved SSPs. The framework is a Memorandum of Agreement (MOA) that provides clarity of intent and high-level responsibilities and accountability. + +### Who Is a GSA PKI Shared Service Provider? + +A GSA PKI Shared Service Provider is a commercial PKI vendor who has a signed MOA with the GSA PKI SSP Program Office and is listed on the GSA PKI SSP Multiple Award Schedule. + +If a vendor fails to be added to the Multiple Award Schedule, GSA will rescind the Authorization to Operate and the Federal Public Key Infrastructure Policy Authority (FPKIPA) will revoke the certification authority certificate. + +### Should My Company Apply to the Program? +There are multiple advantages to becoming a GSA PKI SSP. They are as follows: + +- You will leverage your existing PKI platform to also offer federal PKI certificates. +- Your Federal Government customers will want to procure your services with a GSA Multiple Award Schedule. +- You will expand your federal customer footprint by marketing your service through the GSA Multiple Award Schedule (MAS). + +In making a business decision to join the SSP Program, it is important to understand what resources are needed to prepare for and keep your information systems in a good security posture. + +### Who Manages the GSA PKI SSP Program? 
+ +The SSP Program is managed by the GSA Office of Government-wide Policy, Office of Technology Policy, Identity Assurance and Trusted Access Division as the Program Office. Other offices within GSA support the Program Office as well. + +### GSA Office of Technology Policy +The SSP Program Office oversees and guides the business and security practices necessary for SSPs to provide digital certificate services to federal agencies. Responsibilities include internal and external coordination for integrating and synchronizing program activities. They are as follows: + +- Internally, the SSP Program Office meets with its GSA counterparts to ensure services are secure and available through the proper contract vehicle. +- Externally, the office meets with federal agencies and SSPs to learn about successes and how processes and service delivery can be improved. + +The GSA, Associate Deputy Administrator in the Office of Government-wide Policy, [Office of Technology](https://www.gsa.gov/policy-regulations/policy/information-technology-policy){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} is the Authorizing Official of GSA PKI SSP vendor systems and is ultimately responsible for their secure operation. The GSA PKI SSP Program Office and Program Manager reside in the [Identity Assurance and Trusted Access Division](https://www.gsa.gov/policy-regulations/policy/information-technology-policy/identity-assurance-and-trusted-access){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} within the Office of Technology Policy. The GSA PKI SSP Program Manager has the following responsibilities: + +- Direct and coordinate activities between the GSA PKI SSPs, the Federal PKI Policy Authority and GSA supporting offices, Office of the Chief Information Security Officer, and the Federal Acquisitions Service. 
+- Coordinate customer interest meetings to understand customer needs and challenges, plan service enhancements, and remediate issues. +- Invite and coordinate customer agency participation in GSA A&A security meetings. +- Brief interested parties on the latest program activities. +- Regularly report the latest program activity to the Authorizing Official and the Identity Assurance and Trusted Access Division Director. + +### GSA Office of Chief Information Security Officer + +The GSA, Office of Chief Information Security Officer (OCISO) provides security policies and guidance so SSPs can implement security controls in their information systems to guard against cyber-attacks. The security team in the OCISO receives a Security Assessment Report (SAR) from the SSP to review the results of the security control assessment for the authorizing official and system owner. Based on the review, the OCISO makes a recommendation to the GSA Authorizing Official on whether to grant an Authorization to Operate (ATO) to a SSP. The decision is formalized in an ATO letter and provided to the GSA PKI SSP. The OCISO is also responsible for overseeing risk management activities with the GSA PKI SSP. + +### GSA Federal Acquisition Service + +The GSA Federal Acquisition Service (FAS) connects government buyers with the GSA PKI SSPs. The FAS organization captures the GSA PKI SSP services and sets prices, terms, and conditions of the Special Item Number (SIN) on the [GSA Multiple Award Schedule](https://www.gsaelibrary.gsa.gov/ElibMain/sinDetails.do?scheduleNumber=MAS&specialItemNumber=541519PKI&executeQuery=YES){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. The SSP SIN is intended to make it easier for potential buyers to search for the digital certificate services offered by the GSA PKI SSPs. 
+
+# Section II: SSP Application and Maintenance Activities
+
+Federal agencies requiring digital certificate services from a SSP will send a Request for Quotation or a Request for Proposal based on the SSP SIN—sending alerts to SSPs. Federal agencies can expect a response from the SSPs that reflects the due diligence completed by the Federal Acquisition Service (FAS) to offer SSPs that satisfy federal requirements.
+
+Federal agencies’ participation in the SSP Program is important. While their purchases through the program help drive revenue, their ultimate participation leads to the Federal Government’s way of using trusted SSPs to issue and manage digital certificates for devices, federal employees, contractors, and other affiliated personnel. Additionally, federal agencies using the program will leverage the SSPs’ infrastructure components for digital certificate services, which can result in cost savings derived from economies of scale through large volume of certificate purchases.
+
+Federal agencies have the opportunity to share in the risk management activities by providing their security controls or hybrid security controls to GSA for them to populate into a SSP’s security posture for a holistic view. This will help focus on the whole PKI solution rather than focus on the PKI infrastructure. Federal agencies are encouraged to participate in the security meetings with their SSP to jointly address problems related to risk.
+
+## Application Process
+
+There are five major steps to apply to become a GSA PKI SSP. They are as follows:
+
+- Initiate an application with the GSA PKI SSP Program Office and sign the GSA PKI SSP MOA.
+- Complete PKI pre-conditions and submit to the FPKIPA through the GSA PKI SSP Program Office for verification.
+- Complete the federal PKI certification process and send an executive copy of the FPKIPA MOA to the GSA PKI SSP Program Office.
+- Complete GSA Security Assessment & Authorization (SA&A) activity and receive an ATO.
+- Apply to the GSA MAS and, after acceptance, the vendor is added to idmanagement.gov government identity trust services and officially listed as a GSA PKI SSP.
+
+### Step 1 -Initiate an Application and Sign GSA PKI SSP MOA
+
+The GSA establishes a MOA with a GSA PKI SSP to communicate the mutually accepted actions of all parties involved in the agreement. The MOA indicates the parties in the agreement have reached an understanding of their roles and responsibilities and are moving forward with the acceptance of the SSP participating in the program. See Appendix A for a sample MOA.
+
+A PKI Vendor will be asked for proof or to provide attestations regarding their systems and technical capabilities. Other pre-conditions may be applied as necessary, such as past performance, degree of experience, organizational maturity, and ability to scale operations to meet expected long-term demand and the rigors in completing the Federal PKI certification process.
+
+### MOA Procedural Guidance:
+
+- Send an email to [GSAPKISSP@gsa.gov](mailt0:GSAPKISSP@gsa.gov) requesting admission to the GSA PKI SSP Program.
+- SSPs must obtain, review, and sign the MOA from the SSP Program Office.
+
+Once an MOA is signed, the GSA PKI SSP will sponsor the vendor to apply to the Federal PKI Policy Authority.
+
+### Step 2 -Complete PKI Pre-Conditions
+
+A prospective GSA PKI SSP must meet the following basic pre-conditions as outlined in the [X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework [COMMON CP]]({{site.baseurl}}/docs/fpki-x509-cert-policy-common.pdf){:target="_blank"}{:rel="noopener noreferrer"} to demonstrate readiness for the PKI certification process.
+
+1. Provide Certification Authority (CA), repository, and archive services. The PKI Vendor must operate a self-signed CA instead of relying on a certificate issued from the Federal Common Policy CA.
This ensures that if there is an issue with the GSA PKI SSP, the Federal PKI can revoke the certificate from the Federal Common Policy CA without impacting the GSA PKI SSP customer certificates.
+2. Develop and maintain a Certification Practice Statement (CPS) covering PKI operations that comply with [COMMON CP] and issue certificates according to the [Common Policy X.509 Certificate and Certificate Revocation List (CRL)
+profiles]({{site.baseurl}}/docs/fpki-x509-cert-profile-common.pdf){:target="_blank"}{:rel="noopener noreferrer"}.
+3. Work with its customers to ensure registration practices fit smoothly within its overall CPS package and comply with [COMMON CP].
+4. Implement all applicable PIV-related policies, such as common-authentication, common-cardAuth, and common-piv-contentSigning.
+5. Ensure it understands and can fulfill its customers’ archive requirements and understands its obligation to do so.
+6. Collaborate and exchange information and documents as necessary with any other party performing the Registration Authority (RA) duties.
+7. Support federal agency customer audits and assessments as requested.
+8. [Optionally] Provide baseline hardware and software to support RA operations.
+
+Any changes to these pre-conditions will be coordinated through the GSA SSP Program Office, which can amend the conditions any time to ensure the best interests of the Federal Government are met. Once the GSA PKI SSP verifies the pre-conditions, the vendor submits this information to the Federal PKI Policy Authority to begin the Federal PKI Certification process.
+
+### Step 3 -Apply for Federal PKI Certification
+
+The PKI Vendor must successfully meet five compliance and conformance activities with the FPKIPA:
+
+- Sign a memorandum of agreement with the FPKIPA.
+- Document conformance with the [COMMON CP], which measures the degree to which the PKI Provider’s CPS conforms with [COMMON CP].
+- Perform a Day Zero Audit to ensure the applicant’s PKI is operating in conformance with applicable [COMMON CP] requirements.
+- Demonstrate PKI operational capabilities, which validates the PKI Provider’s ability to operate a PKI compliant with [COMMON CP] and other relevant operating documents.
+- Obtain an ATO for its PKI system through GSA, which establishes the extent to which the Applicant’s PKI meets security and privacy requirements defined by the organization, government guidelines, and federal mandates. Findings are documented in a formal authorization package that informs the ATO decision. The ATO is conditional upon the PKI vendor successfully applying to and getting on the GSA PKI SSP MAS.
+
+If the Federal PKI Policy Authority approves the PKI vendor, both parties execute an MOA to establish roles, responsibilities, and requirements in maintaining the Federal PKI certification.
+
+### Federal PKI Certification Guidance:
+
+- The GSA PKI SSP Program Office will coordinate PKI vendor information needs with the GSA supporting offices.
+- The PKI vendor shares an executed copy of the Federal PKI Policy Authority MOA with the GSA PKI SSP Program Office.
+
+After an executed Federal PKI Policy Authority MOA is shared with the GSA PKI SSP Program Office, GSA can verify security activities to issue an ATO.
+
+### Step 4 -Receive an Authorization to Operate
+
+A Security Assessment & Authorization (SA&A) at the moderate impact level must be performed on the SSP’s information system by a third-party auditor. Performing an SA&A satisfies government requirements as specified in the Federal Information Security Modernization Act 2014 (FISMA 2014) and other associated documents. An SA&A includes three components—a security assessment, a resulting security authorization, and continuous monitoring.
+
+The Security Assessment determines that selected controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.
+
+The Security Authorization provides organizational accountability by requiring a senior management official to determine if the security and privacy risk to organizational operations and assets, individuals, and other organizations (if applicable) is acceptable. The security team within the GSA, OCISO reviews the SAR along with applicable security documents to recommend a Security Authorization to the GSA senior management official in the SSP Program Office.
+
+### Security Assessment & Authorization Procedural Guidance:
+
+- Engage an Assessor or Assessment Team that is an independent third-party competent in Public Key technology.
+- Format System Security Plan in Open Source Control Assessment Language.
+- Obtain all necessary GSA SA&A guidance documents and security artifact templates from the security team in the GSA Office of Chief Information Office. Documents to be obtained and used include:
+
+ - **Managing Enterprise Risk** - GSA policy detailing annual documentation requirements.
+ - **SA&A Artifact Templates** - Examples include Incident Response template, System Security Plan template, Penetration Testing and Results template, Plan of Action and Milestones (POA&M) template, and Security Assessment Report template.
+ - **FPKI 800-53 Overlay (OVERLAY)** - Details security controls applicable to SSP PKI systems and provides supplemental guidance on additional requirements for those controls and enhancements.
+
+- Perform the Assessment, completing all provided templates and guidance.
+- Develop a Plan of Action and Milestones (POA&M) to facilitate remediation of any security findings.
+- Provide the Assessment Package to the OCISO’s Information Systems Security Manager (ISSM), who reviews the package to ensure FISMA security requirements are met.
+- The Information System Security Management (ISSM) on the security team creates an authorization package and submits it to the Authorizing Official (AO) in the SSP Program Office.
+- The AO makes a risk determination that reflects the risk management strategy, including risk tolerance. Responses and mitigations for identified risks are provided by the ISSM.
+- The AO decides whether to approve or deny authorization to operate.
+- If approved, the AO signs and issues an ATO.
+- The SSP performs risk management activities documented in the IT Security Procedural Guide: *Managing Enterprise Cybersecurity Risk CIO-IT Security-06-30 and the SSP Handbook.*
+
+**NOTE:** The ATO is not a governmentwide risk acceptance. Each federal agency must issue an ATO for its own use of the SSP services and review continuous monitoring deliverables to ensure the security posture remains sufficient for their continued use.
+
+To avoid significant delays, a SSP should not use their own versions of SA&A-related documents or templates. It is important for the SSP to consider the resources needed for ongoing risk management activities.
+
+Once a vendor receives an ATO, they apply to the GSA Multiple Award Schedule to complete the process and be recognized as a GSA PKI SSP.
+
+### Step 5 -Apply to GSA MAS and Get Listed as an Identity Trusted Service
+
+Upon receiving an ATO and being confirmed as a GSA PKI SSP, the vendor is ready to apply [to the GSA MAS](https://www.gsa.gov/portal/category/100519){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} to offer digital certificate services governmentwide. The schedule provides a customer agency with a level of assurance that the SSP has been pre-vetted and is offering the best value.
Once a SSP is on a schedule, it affords them access to other GSA schedule opportunities.
+
+### Acquisition Procedural Guidance:
+
+- Submit an Information Technology Package for GSA Special Item Number (SIN) 541519PKI on the GSA MAS. For assistance, please visit the GSA’s website: [https://www.gsa.gov/buy-through-us/purchasing-programs/gsa-multiple-award-schedule/mas-roadmap](https://www.gsa.gov/buy-through-us/purchasing-programs/gsa-multiple-award-schedule/mas-roadmap){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+- Collaborate with the FAS to clarify or supplement the package for contract determination.
+
+**NOTE:** If the OCISO and SSP Program Office believe the SAR will be favorable based on preliminary reviews and discussions, the SSP does not have to wait for the ATO letter to submit an Information Technology Package to FAS. These efforts can be worked in parallel to offer digital certificate services on the day of receiving the ATO letter.
+
+After the vendor is listed on the GSA MAS, the vendor submits a business and technical point of contact to the GSA PKI SSP Program Office. This information is publicly posted on [idmanagement.gov under Government Identity Trust Services]({{site.baseurl}}/partners/trust-services//#government-identity-services){:target="_blank"}{:rel="noopener noreferrer"} to identify the vendor as a GSA PKI SSP and assist agencies in identifying federally-compliant PKI services. GSA will market the Multiple Award Schedule and vendors listed on it as the premier vehicle for Federal Government agencies to acquire federally-compliant PKI services.
+
+## Maintenance Activities
+
+A GSA PKI SSP must complete ongoing maintenance activity to remain in the program. If these maintenance activities are not completed, the vendor may lose either its Authorization to Operate or Federal PKI certification.
+
+### PKI Maintenance
+
+A GSA PKI SSP must comply with all federal PKI-directed activities by:
+
+1.
Completing annual PKI compliance activities as outlined in the [Federal PKI Annual Review requirements]({{site.baseurl}}/governance/fpkiaudit/#annual-review-requirements-for-all-certification-authorities){:target="_blank"}{:rel="noopener noreferrer"} .
+2. Following the [FPKI Incident Management Plan]({{site.baseurl}}/docs/fpki-imp.pdf){:target="_blank"}{:rel="noopener noreferrer"} in the event of a PKI-related incident.
+
+### SA&A Maintenance
+
+The GSA PKI SSP Program Office and GSA’s security team perform continuous monitoring, annual checks, monthly scanning, vulnerability management, and other risk management strategies to maintain operational status. Risk management activities are documented in the IT Security Procedural Guide: Managing Enterprise Cybersecurity Risk CIO-IT Security-06-30 and the SSP Handbook.
+
+### GSA PKI SSP MAS Contract Maintenance
+
+The vendor must maintain its GSA PKI SSP MAS Contract to stay in compliance with the GSA PKI SSP MOA. If a vendor cannot maintain a GSA PKI SSP MAS Contract, the PKI vendor will coordinate decommission activity through the GSA PKI SSP Program Office with customer agencies, the Federal PKI Policy Authority, and supporting GSA offices.
+
+# Section III: Digital Certificate Services
+
+While the SSP Program has primarily focused on digital certificates for Personal Identity Verification (PIV) cards, the [COMMON CP] provides opportunities (and supporting Object Identifiers (OIDs) for SSPs to offer additional services to federal agencies.
+
+## Current Services
+
+### PIV Certificates
+
+A PIV card is a hardware-based smart card that conforms to Federal Information Processing Standard 201. It contains five digital certificates of which four are available to the user. A PIV card is issued to either a federal employee or contractor who has a favorably-adjudicated Tier 1 or higher federal background investigation. PIV certificates issuance is contingent on the agency customer operating a card management system.
+ +|**Type**|**COMMON OID**| +|--------|--------------| +|Certificates for authentication to logically
and physically access federal assets|id-fpki-common-authentication +|Certificates for encrypted email|id-fpki-common-policy OR
id-fpki-common-hardware +|Certificates to digitally sign emails and documents|id-fpki-common-hardware +|Certificates for Card Authentication|id-fpki-common-cardAuth +|Certificates used by a Card Management System
to digitally sign content embedded in PIV cards|id-fpki-common-pivcontentSigning| + +### Derived PIV Certificates + +A derived PIV certificate is either a software or hardware certificate issued when the user demonstrates ownership of a PIV card. A derived PIV certificate is issued to a mobile device or other form factors such as FIDO USB security keys and device Trusted Platform Module. A derived PIV certificate is issued and used where it is difficult to leverage a smart card form factor such as on devices or platforms that cannot use a smart card reader. + +|**Type**|**COMMON OID**| +|--------|--------------| +|Derived-PIV authentication certificates for use
on mobile devices or other form factors such as FIDO USB security keys and Trusted Platform Modules|id-fpki-common-derived-pivAuth-hardware
or id-fpki-common-derived-pivAuth| +|Derived PIV signature certificates for use
on mobile devices or other form factors such as FIDO USB security keys and Trusted Platform Modules|id-fpki-common-policy,
id-fpki-common-hardware, or
id-fpki-common-high| +|Derived PIV encryption certificates for use
on mobile devices or other form factors such as FIDO USB security keys and Trusted Platform Modules|id-fpki-common-policy,
id-fpki-common-hardware, or
id-fpki-common-high| + +### PIV-I Certificates + +PIV Interoperable(PIV-I) is a hardware-based smart card that follows the same technical standard as the PIV card, can interoperate with the PIV infrastructure, but does not require a favorably adjudicated Tier 1 or higher federal background investigation. A PIV-I card is issued to individuals who do not qualify for a PIV card. See the [PIV-I playbook]({{site.baseurl}}/playbooks/pivi/){:target="_blank"}{:rel="noopener noreferrer"} for more details. + +|**Type**|**COMMON OID**| +|--------|--------------| +|PIV Interoperable authentication certificates|id-fpki-common-pivi-authentication| +|PIV Interoperable digital signature certificates|id-fpki-common-policy,
id-fpki-common-hardware, or
id-fpki-common-high| +|PIV Interoperable encryption certificates|id-fpki-common-policy,
id-fpki-common-hardware, or
id-fpki-common-high| +|PIV Interoperable card authentication certificates|id-fpki-common-pivi-cardAuth| +|PIV Interoperable content signing certificates|id-fpki-common-pivi-contentSigning| + +### Device Certificates + +Device certificates can be issued to devices such as domain controllers, web sites, servers, or other types of devices on which they want to establish secure server-to-server type communications. Note: GSA PKI SSP device certificates are not publicly trusted and should not be used on public-facing websites or on websites with users outside the home agency. + +|**Type**|**COMMON OID**| +|--------|--------------| +|Certificates to support secure HTTP connections with end users and servers providing interagency trust|id-fpki-common-devices or
id-fpki-common-deviceHardware| + +### Digital Signature Certificates + +A digital signature certificate is used to digitally sign documents such as PDFs or Microsoft Word or digitally sign emails. An agency may also request a [Digital Autopen]({{site.baseurl}}/playbooks/autopen/){:target="_blank"}{:rel="noopener noreferrer"} signature certificate to sign documents for the Federal Register. + +|**Type**|**COMMON OID**| +|--------|-------------------| +|Certificates to digitally sign emails and documents|id-fpki-common-hardware| + +### Key Management Services + +Key Management Services store and manage private keys associated with encryption certificates. Examples might include Key Escrow and Recovery, Key History, and Data Decryption Services. + +# Conclusion + +GSA established the GSA PKI SSP Program to help agencies identify and procure federally-compliant PKI services and digital certificates. There may be multiple types of PKI SSPsrs, but only one type of GSA PKI SSP. This clear definition not only helps agencies identify approved services, but also leverage the governmentwide acquisition vehicles for customer agencies to receive consistent pricing, terms, and services. The GSA PKI SSP Program Office maintains the SSP Program and coordinates government activity on behalf of the GSA PKI SSPs. + +# Appendix A - Sample MOA + +

+ + Memorandum of Agreement
+ Federal Public Key Infrastructure
+ Shared Service Provider Program
+ (Commercial Entities Only) +
+

+

+This Memorandum of Agreement ("Agreement") is entered into by the General Services Administration, Office of Technology Policy (“OTP”), within the Office of Governmentwide Policy located at 1800 F Street, NW Washington, DC 20405 and the [name of the commercial SSP vendor ("Entity") located at [SSP vendor address], as of the date of OTP’s signature to this Agreement with a term of three years. The OTP and Entity will collectively be referred to as "Party" or the "Parties." +

+
    + +
  1. Definitions. +

    +

      +
    1. Federal Public Key Infrastructure ("FPKI" or " Federal PKl") is an implementation of a set of PKI policies, processes, and information technology systems that provide the U.S. Government with a common baseline to administer certificates and public-private key pairs. Federal PKI is one of several trust frameworks supporting federated trust of government devices and persons used by the U.S. Federal Government.
    2. +
    3. Federal Public Key Infrastructure Policy Authority ("FPKIPA" or " Policy Authority") is the federal trust framework governance body for a set of PKI systems and associated certificates used for federated trust across and between federal agencies and with entities that are not a U.S. Federal Government agency for mission delivery purposes. The Policy Authority is a group of representatives from U.S. Federal Government agencies (including cabinet-level departments) established pursuant to a charter under the Federal CIO council. It manages the policies governing the FPKI trust framework and approves or denies entities for certification into the trust framework.
    4. +
    5. Shared Service Provider (“SSP”) An Entity that adheres to the FPKI set of policies and processes, as well as GSA requirements to provide digital certificate services to federal agencies.
    6. +
    7. Shared Service Program (“SSP Program”)is a GSA program that provides technical support for the FPKI. Specifically, it supports the governmentwide implementation of HSPD-12 and the FICAM Initiative. It is recognized as robust secure PKI services that provide agencies with the capability to implement secure logical and physical access to federal resources through outsourced shared PKI services. By cross-certification, the shared PKI infrastructure is a part of the FPKI’s information technology systems governed by the FPKI. GSA has established a Special Item Number (SIN) 541519PKI that identifies these PKI services that contract holders offer governmentwide.
    8. +
    +

    +
  2. + +
  3. Purpose. The purpose of this Agreement is to agree on the terms and conditions on which the Entity will participate in the SSP Program. The Office of Technology Policy (OTP) manages the SSP Program with managing partners from the following GSA offices:

    +

    +

      +
    1. Office of Chief Information Security Officer (“OCISO”)
    2. +
    3. Federal Acquisition Service, Office of Information Technology Category (“ITC”)
    4. +
    5. Office of Government-wide Policy, Office of Technology Policy (OTP)
    6. +
    +

    +

    + Specifically, the OCISO manages the security posture of the Entity’s information technology systems and the ITC makes the Entity’s shared PKI services available for purchase through a GSA contract vehicle. External to but in concert with GSA, the FPKIPA governs the certificate policies, requirements, and practices for the shared PKI services. This Agreement sets forth the respective responsibilities and obligations of the Parties.

    +
  4. + +
  5. Authority. The basis of this Agreement and the subsequent inclusion of the Entity into the SSP Program aligns with the *Federal Information Security Modernization Act of 2014 (FISMA), GSA’s IT Security Procedural Guide: Managing Enterprise Cybersecurity Risk CIO-IT Security-06-30 GSA Security Policy, the Federal Acquisition Regulation*, the federal PKI certificate policies, and the Entity certificate policy or practices listed in the Entity’s MOA with the FPKIPA. It also complements the *SSP Operations Handbook*.

    +
  6. + +
  7. Roles and Responsibilities of the Parties.

    +

    +

      +
    1. The OTP will do the following: +

      +

        +
      1. Serve as the GSA senior official to grant the Entity’s information technology system authorization to operate.
      2. +
      3. Determine program direction based on Federal Government need.
      4. +
      5. Ensure through the OCISO and ITC proper performance and delivery of PKI shared services.
      6. +
      7. Develop and manage operational processes to effectively deliver the shared PKI services.
      8. +
      9. Represent SSP and SSP Program interests in the FPKIPA.
      10. +
      11. Report quarterly on security posture to the FPKIPA and customer agencies.
      12. +
      13. Coordinate service improvement and feedback from customer agencies to SSP.
      14. +
      15. Collaborate with GSA managing partners to operate and maintain effective, secure, and reliable PKI services.
      16. +
      +

      +
    2. +
    3. The OCISO will do the following: +

      +

        +
      1. Serve as the GSA senior official to recommend the Entity’s information technology system for authorization to operate (ATO).
      2. +
      3. Monitor and report on the Entity’s information technology system security posture.
      4. +
      5. Provide quarterly security reports to the Authorizing Official.
      6. +
      7. Collaborate with the OTP on security management concerns to operate and maintain an effective, secure, and reliable PKI shared service.
      8. +
      +

      +
    4. +
    5. The ITC will do the following: +

      +

        +
      1. Own and manage SIN 541519PKI for the SSP Program on the GSA Multiple Award Schedule (MAS).
      2. +
      3. Review the Entity’s MAS Information Technology Package for a contract determination.
      4. +
      5. Collaborate with OTP and the ITC contract team to make the Entity’s PKI shared service available to purchase.
      6. +
      7. Collaborate with the OTP on contract management concerns to deliver effective, secure, and reliable PKI shared service.
      8. +
      9. Issue and revoke certificates to approved SSPs
      10. +
      +

      +
    6. +
    7. The Entity will do the following: +

      +

        +
      1. Comply with all laws, ordinances, and regulations (Federal, State, or Local) covering work in the SSP Program.
      2. +
      3. Comply with the FPKI policies to the include the X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework (FCPF), hereafter referenced as COMMON and its complementary documents: +

        +

          +
        1. Change proposals
        2. +
        3. Key Recovery Policy
        4. +
        5. U.S. Federal Certificate Profiles: X.509 Certificate and Certificate Revocation List (CRL) Extensions Profile for the Shared Service Providers (SSP) Program
        6. +
        7. Memorandum of Agreements (MOAs) established between the FPKIPA and Entity.
        8. +
        +

        +
      4. +
      5. Obtain an Authorization to Operate (ATO) declaration through GSA’s formal program for information security management before rendering PKI services.
      6. +
      7. Ensure adequate resources to maintain an ATO and comply with binding operational directives, and GSA requirements for protecting GSA IT resources. This includes addressing critical gaps (e.g., multifactor authentication, database encryption, no outdated software, high and critical findings, etc.) in the timeframe specified in GSA guidance.
      8. +
      9. Ensure any certificates, associated certificates, and public key pairs issued to the federal agencies will be owned by the government.
      10. +
      11. Use the SSP Operations Handbook as the program’s established guidelines while complying with regulations and GSA expectations.
      12. +
      13. Prepare for and facilitate monthly Security Dashboard and Plan of Action and Milestones meetings.
      14. +
      15. Attend and/or participate in monthly program, security, and contract meetings to exchange information or provide feedback on proposed changes to the program.
      16. +
      +

      +
    8. +
    +

    +
  8. + +
  9. Third Parties. This Agreement is binding only upon the Parties, by and through their officials, agents, employees, and successors. Entity may not assign its rights or delegate its duties or obligations under this Agreement without prior written consent from OTP. No person or entity is intended to be a third-party beneficiary of the provisions of this Agreement for purposes of any civil, criminal, or administrative action, and accordingly, no third person or entity may assert any claim or right as a beneficiary or protected class under this Agreement in any civil, criminal, or administrative action.

    +

    This Agreement does not authorize, nor shall it be construed to authorize, or add to any systems, documents or other technology, persons or entities not a Party to this Agreement nor intended to have authorization under this Agreement.

    +
  10. + +
  11. Entity Change. If Entity anticipates changes or has changed due to a merger, acquisition, bankruptcy, or other means that modifies the Entity ownership or security boundary, then Entity shall:

    +

    +

      +
    1. Provide written notification to OTP about the intent to change the business relationship in a timely manner not to disrupt any PKI services.
    2. +
    3. Provide a transition plan that includes all activities from transferring a PKI solution to resolution of impacts on end users and the delivery environment. The depth of a transition plan should be appropriate for the type of transition and the criticality of the PKI components going through transition. At minimum, the activities in the transition plan must be compliant with the COMMON and address the following: +
    4. +
    +

    +

    +

      +
    1. The coordination and scheduling of transferring system archives, system inventory and + configuration data, certificate profiles, key recovery databases (if applicable), private + keys, key shares, audit records, hardware security modules, certificate and certificate + revocation list (CRL) databases, and all policy and security documents applicable to the + operations of the PKI solution. +
    2. +
    3. The estimated costs for terminating, transferring, selling, or disposing a PKI + solution must be shared if direct or indirect expenses are transferred to the new approved + SSP and/or the impacted customer agency. +
    4. +
    5. The continued services for all certificates, certificate revocation, and status + checking until the expiration of the longest-lived certificate or transference of the + control for the DNS Names in URLs for these services. +
    6. +
    7. The continued support to collect and review system audit logs for the PKI solution.
    8. +
    9. The continued support required to obtain and provide annual PKI compliance audits until revocation of all issued certificates or the expiration of the longest-lived issue certificate.
    10. +
    +

    +
  12. + +
  13. Compliance with Laws, Regulations and Policies. Entity agrees to comply with all applicable policies listed in Appendix A.

    +

    The following is applicable if Entity is not a U.S. Federal Government agency: Entity shall comply with applicable U.S. Federal laws and regulations including but not limited to trade compliance, economic and trade sanctions, and blocked, denied, and debarred persons lists. If the Entity is not in compliance with these applicable laws and regulations, OTP reserves the right to change or remove the Entity's participation in the SSP Program in the interest of national security.

    +
  14. + +
  15. Updates: The OCISO and OTP are responsible for the maintenance and update of the *IT Security Procedural Guide: Managing Enterprise Cybersecurity Risk CIO-IT Security-06-30 GSA Security Policy and SSP Operations Handbook*respectively.

    +

    Entity shall review the document updates each time they are updated and implement the necessary changes to practices to comply.

    +
  16. + +
  17. MOA Updates and Evolving Security Requirements. This MOA may be updated only by mutual written agreement signed by an authorized representative of each party.

    +

    Notwithstanding the foregoing, due to the nature of evolving national security threats and updates to technology and security, the Parties shall work in good faith to implement required updates to applicable laws, regulations, and policies through the following steps:

    +

    +

      +
    1. OTP, OCISO, or ITC will provide the Entity with written notice of the required updates, the number of days in which the updates must be implemented, and an updated version of Attachment A that incorporates the changes. The updated version of Attachment A will automatically replace the previous version of Attachment A and be deemed incorporated into this Agreement without further actions.
    2. +
    3. Upon notification, the Entity shall have three (3) business days to confirm via written response whether it will be implementing the changes.
    4. +
    5. If the Entity declines to implement the requirements, the OTP, ITC, and OCISO may decide to terminate this agreement, revoke ATO status, notify customer agencies of the situation, or take any such other action necessary to maintain the delivery of secure PKI services.
    6. +
    +

    +
  18. + +
  19. Confidentiality. If Entity is not a U.S. Federal Government agency, the following applies:

    +

    +

      +
    1. Entity assumes full responsibility for and guarantees the security and confidentiality of all documents, data, and other information supplied or gleaned from the customer agency, Federal PKI, and provided, obtained, or accessed through being a party to this Agreement ("Confidential Information").
    2. +
    3. Entity will prevent disclosure of this Confidential Information to any person not authorized by the U.S. Federal Government or Policy Authority to have access to such documents or information.
    4. +
    +

    +
  20. + +
  21. Liability. Neither Party shall be liable to the other for any loss, liability, damage or expense (including attorney fees) arising out of the operation of the PKI services. This Agreement is entered into for the convenience of the Parties and shall not give rise to any cause of action by Entity or by any third party.

  22. + +
  23. Conflict Resolution. If Entity is a private sector entity, the Contract Disputes Act, 41 U.S.C. 7101 et seq, is applicable to all disputes under this Agreement.

  24. + +
  25. Governing Law. This Agreement is governed by the laws of the United States.

    +
  26. + +
  27. Termination. If Entity is not in compliance with this Agreement or applicable security or technical requirements, the OTP shall notify the Entity and may unilaterally suspend participation in the SSP Program. The OTP shall provide the Entity an opportunity to cure the issues and regain its participation if there is a government business need as determined at the sole discretion of OTP. If the Entity does not cure within six months, OTP may terminate this Agreement in entirety. Either party may terminate this Agreement for convenience at its sole discretion with 30 days prior written notice.

    +

    The Entity must provide a transition plan as described in Section 6 if termination is decided.

    +

    This MOA is valid for one year from the last date in the signature section.

    +
  28. + +
  29. System Disruption. If there is a material issue in the operability of the PKI service in accordance with the documents in Section 3 that will have a substantial adverse effect on a customer’s operations, OTP, the customer agency, OCISO, and Entity will determine a planned resolution within 10 days.

    +

    + Entity will promptly notify the OTP: +

      +
    1. In the event of any material problem or inability to operate Entity's certification authorities in accordance with the documents in Section 3.
    2. +
    3. If the Entity becomes aware of a material noncompliance on the part of any other party that the Entity has formed an agreement with to use Entity's certification authorities covered by this agreement.
    4. +
    5. If the Entity becomes aware of a material noncompliance on the part of supporting vendors that the Entity has formed an agreement covered by this agreement.
    6. +
    +

    +

    If the issue is a security incident, the Entity must comply with GSA’s Incident-Response-[CIO-IT-Security-01-02-Rev-19] and report incident to the OTP and OCISO, as well as submit an incident report for follow-on reporting to the Cybersecurity Infrastructure Security Agency (CISA), the Office of Inspector General (OIG), and the United States Congress, as applicable.

    +
  30. + +
  31. Signatures:

    +

    +

    +      Name: Laura Stanton 
    +      Title: Assistant Commissioner 
    +      Organization: Federal Acquisition Service 
    +      Office: Office of Information Technology Category (ITC)
    +    
    +
    +
    +      Name: Dan Pomeroy 
    +      Title: Deputy Associate Administrator 
    +      Organization: Office of Governmentwide Policy 
    +      Office: Office of Technology Policy (OTP) 
    +    
    +
    +
    +      Name: Bo Berlas 
    +      Title: Chief Information Security Officer 
    +      Office: Office of Chief Information Security (OCISO) 
    +    
    +
    +

    +
  32. +
\ No newline at end of file diff --git a/_governance/fpkiarchive.md b/_governance/fpkiarchive.md deleted file mode 100644 index 211c0a981..000000000 --- a/_governance/fpkiarchive.md +++ /dev/null @@ -1,50 +0,0 @@ ---- -layout: page -collection: governance -title: FPKI Document Archive -permalink: governance/fpkiarchive/ -sidenav: governance -sticky_sidenav: true - ---- - -{% assign categories = "" | split: "" %} -{% for docs in site.data.fpkidocs %} - {% assign category = docs.category | strip %} - {% assign categories = categories | push: category | uniq | sort %} -{% endfor %} -{% assign categories = categories | uniq | sort %} - -An FPKI document may be needed for three years for compliance review purposes. This pages contains three years of FPKI documents, including: -- Certificate Policies -- Certificate Profiles -- Supplementary Guidance -- Change Proposals - -A blank category indicates no updates in the previous three years. If you seek a document that is older than three years or is not listed here, please contact fpki at gsa.gov or look in the [archived document repository on github](https://github.com/GSA/idmanagement.gov/tree/staging/docs/archived){:target="_blank"}{:rel="noopener noreferrer"}. - - - - - - - - - - {% for category in categories %} - - - - {% for docs in site.data.fpkidocs %} - {% if docs.status == "post" %} - {% if docs.category == category %} - - - - - {% endif %} - {% endif %} - {% endfor %} - {% endfor %} - -
Document NameRemoval From Archive
{{ category }}
{{ docs.name}}{{ docs.remove }}
diff --git a/_governance/fpkiaudit.md b/_governance/fpkiaudit.md deleted file mode 100644 index 1cabf4e9c..000000000 --- a/_governance/fpkiaudit.md +++ /dev/null 
@@ -1,107 +0,0 @@ ---- -layout: page -collection: governance -title: FPKI Policy and Compliance Audit -permalink: governance/fpkiaudit/ -sidenav: governance -sticky_sidenav: true - -subnav: - - text: FPKI Policies and Profiles - href: '#fpki-policies-and-profiles' - - text: Annual Review Requirements for All Certification Authorities - href: '#annual-review-requirements-for-all-certification-authorities' - - text: Annual Review Schedule - href: '#annual-review-schedule' - - text: Audit Information for the FPKI Management Authority - href: '#audit-information-for-the-fpki-management-authority' - - text: Reporting Incidents - href: '#reporting-incidents' ---- - -This page contains information to help Federal Public Key Infrastructure (FPKI) program managers and auditors. -- It includes the FPKI policies and profiles as well as annual FPKI annual review schedule. -- It can help auditors assess certification authorities (CAs) operated as part of the FPKI. -- It can help the general public understand how the FPKI Management Authority (FPKIMA) provides trusted PKI and CA operations. - -For any questions, please contact fpki at gsa.gov. - - -## FPKI Policies and Profiles - -The Federal Public Key Infrastructure (FPKI) provides the government with a trust framework and infrastructure to administer digital certificates and public-private key pairs. For more information on the FPKI and PIV, go to the: -- [FPKI Guide](https://playbooks.idmanagement.gov/fpki/){:target="_blank"}{:rel="noopener noreferrer"} -- [PIV Guide](https://playbooks.idmanagement.gov/piv/){:target="_blank"}{:rel="noopener noreferrer"} - -The [FPKI Policy Authority (FPKIPA)]({{site.baseurl}}/governance/ficam/#federal-public-key-infrastructure-policy-authority) maintains two certificate policies (the Common Policy Framework and the Federal Bridge). All cross-certified CA certificate policies are mapped to the Federal Bridge certificate policy. 
- -| FPKI Initiatve | Policy Name | Profile | Change Proposals | -| -------------- | ----------- | ------- | ---------------- | -| Federal Common Policy | [X.509 Certificate Policy for the U.S. FPKI Common Policy Framework v2.4]({{site.baseurl}}/docs/fpki-x509-cert-policy-common.pdf){:target="_blank"}{:rel="noopener noreferrer"} | [Common Policy X.509 Certificate and CRL Profiles v2.2]({{site.baseurl}}/docs/fpki-x509-cert-profile-common.pdf){:target="_blank"}{:rel="noopener noreferrer"} | [Common Change Proposals]({{site.baseurl}}/governance/fpkiarchive/) | -| Federal Bridge | [X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) v3.1]({{site.baseurl}}/docs/fpki-x509-cert-policy-fbca.pdf){:target="_blank"}{:rel="noopener noreferrer"} | [Federal Bridge Certification Authority (FBCA) X.509 Certificate and CRL Extensions Profile v2.0]({{site.baseurl}}/docs/fpki-x509-cert-profiles-fbca.pdf){:target="_blank"}{:rel="noopener noreferrer"} | [Bridge Change Proposals]({{site.baseurl}}/governance/fpkiarchive/) | -| Federal Bridge PIV-I | [X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) v3.1]({{site.baseurl}}/docs/fpki-x509-cert-policy-fbca.pdf){:target="_blank"}{:rel="noopener noreferrer"} and
[PIV-I for Federal Agencies](https://playbooks.idmanagement.gov/playbooks/pivi/){:target="_blank"}{:rel="noopener noreferrer"} | [Federal Bridge Certification Authority (FBCA) X.509 Certificate and CRL Extensions Profile v2.0]({{site.baseurl}}/docs/fpki-x509-cert-profiles-fbca.pdf){:target="_blank"}{:rel="noopener noreferrer"} | [Bridge Change Proposals]({{site.baseurl}}/governance/fpkiarchive/) | -| Federal Public Trust TLS | [U.S. Federal Public Trust TLS PKI Certificate Policy v1.1]({{site.baseurl}}/docs/us-federal-public-trust-tls-cp.pdf/){:target="_blank"}{:rel="noopener noreferrer"} | See Policy Section 7 and Appendix D | No change proposals | - -The FPKI has the following supplementary guidance: - -- [Security Controls Overlay of NIST Special Publication 800-53 Revision 5 Security Controls for FPKI Systems (PDF, February 2021)]({{site.baseurl}}/docs/fpki-overlay-sp-800-53.pdf){:target="_blank"}{:rel="noopener noreferrer"} – The application of NIST Special Publication (SP) 800-53 security controls is required to operate a CA that is used in the FPKI and contains federal data. Review the controls overlay document to understand the requirements and details of each applicable control. -- [FPKI Key Recovery Policy (PDF, October 2017)]({{site.baseurl}}/docs/fpki-key-recovery.pdf){:target="_blank"}{:rel="noopener noreferrer"} - The FPKI Key Recovery Policy (KRP) supplements the FPKI Certificate Policies and describes the procedural and technical security controls needed to operate a Key Recovery System (KRS) securely, in accordance with FPKIPA requirements. -- [Registration Authority Agreement Template v1.0 (Word, April 2017)]({{site.baseurl}}/docs/fpki-ssp-raa.docx){:target="_blank"}{:rel="noopener noreferrer"} - The purpose of this document is to identify and explain the roles and responsibilities of an enrollment/registration agent under the Federal PKI COMMON Policy Framework. 
-- [FPKI Incident Management Plan (PDF, September 2020)]({{site.baseurl}}/docs/fpki-imp.pdf){:target="_blank"}{:rel="noopener noreferrer"} - This document provides guidance on the roles and responsibilities applicable to the FPKI Policy Authority (FPKIPA), FPKI Management Authority (FPKIMA), and FPKI affiliates in the event of an incident. -- [Archived copies of Certificate Polices, Profiles, and other FPKI-related documents]({{site.baseurl}}/governance/fpkiarchive/) - This pages contains three years of FPKI-related documents. - - -## Annual Review Requirements for All Certification Authorities - -Independent compliance audits are the primary way that the Federal Public Key Infrastructure Policy Authority (FPKIPA) ensures that entities participating in the FPKI comply with the requirements identified in the appropriate Certificate Policies (CPs). Audits are an important component of the Annual Review Requirements. - -Audits are required annually for supporting functions and elements of each entity. Annual review packages should be submitted to fpki at gsa.gov. - -- [FPKI Annual Review Requirements (PDF, May 2022)]({{site.baseurl}}/docs/fpki-annual-review-requirements.pdf){:target="_blank"}{:rel="noopener noreferrer"} – This document includes requirements for performing and reporting annual compliance audits. -- [RA Audit Guidance Memorandum (PDF, October 2022]({{site.baseurl}}/docs/fpki-ra-audit-guidance.pdf){:target="_blank"}{:rel="noopener noreferrer"} – This FPKIPA Memorandum reiterates the necessity of RA audits in supporting PKI operations, normalizes differing terminology used across various references, and provides options for reducing potential duplication of RA audit efforts, as applicable to PIV issuers. 
-- PIV and PIV-I Annual Testing - supports FPKI Annual Reviews and can be done either in person at the GSA FIPS 201 Lab or using available tools such as the [Card Conformance Tool (CCT)](https://playbooks.idmanagement.gov/fpki/tools/cct/){:target="_blank"}{:rel="noopener noreferrer"} and [Certificate Profile Conformance Tool (CPCT)](https://playbooks.idmanagement.gov/fpki/tools/cpct/){:target="_blank"}{:rel="noopener noreferrer"} -- [Non-Compliance Management Framework For The Federal Public Key Infrastructure (FPKI) (PDF, January 2016)]({{site.baseurl}}/docs/fpki-nmf.pdf){:target="_blank"}{:rel="noopener noreferrer"} - This document provides guidance for the FPKI Policy Authority (FPKIPA) for responding to situations in which an FPKI FBCA member is not meeting their Memorandum of Agreement (MOA) requirements and obligations. - - -## Annual Review Schedule - -| Entity | Type | Annual Review Package Due Date| -| ------- | :-----: | :-----------------------------: | -| CertiPath | Bridge | June 30 | -| Drug Enforcement Agency (DEA) | Trust Partner | September 30 | -| DigiCert (ECPS) | Affiliate PKI | July 31 | -| DigiCert (Formerly Symantec Non-Federal Issuer [NFI]) | Affiliate PKI | July 31 | -| DigiCert (Formerly Symantec Shared Service Provider [SSP]) | SSP | July 31 | -| Department of Defense (DoD) | Affiliate PKI | November 30 | -| Department of State (DOS) | Affiliate PKI | October 31 | -| Department of the Treasury | SSP | July 31 | -| Entrust NFI | Affiliate PKI | November 30 | -| Entrust Federal SSP | SSP | November 30 | -| Exostar | Affiliate PKI | June 10 | -| Government Publishing Office (GPO) | Affiliate PKI | October 31 | -| IdenTrust NFI | Affiliate PKI | August 31 | -| Patent and Trademark Office (PTO) | Affiliate PKI | October 31 | -| SAFE Identity | Bridge | October 31 | -| Southwest Texas Regional Advisory Council (STRAC) | Bridge | November 30 | -| Transglobal Secure Collaboration Program (TSCP) | Bridge | July 31 | -| Verizon SSP | SSP | August 
31 | -| WidePoint NFI | Affiliate PKI | May 31 | -| WidePoint SSP | SSP | May 31 | - - -## Audit Information for the FPKI Management Authority - -This section contains information on audits performed on the Federal Common Policy Certification Authority and the Federal Bridge Certification Authority. - -- The Federal Common Policy Certification Authority (FCPCA) operates in compliance with the Federal Common Certificate Policy. -- The Federal Bridge Certificate Authority (FBCA) operates in compliance with the Federal Bridge Certificate Policy. - -The FPKIMA Certification Practice Statement (CPS) documents the operational practices required to ensure trusted operations. Additional compliance audit information for the FPKI Trust Infrastructure Systems is also provided below. - -- [U.S. FPKI Certification Practice Statement (PDF, December 2022) – Version 6.2]({{site.baseurl}}/docs/fpki-fpkima-cps.pdf){:target="_blank"}{:rel="noopener noreferrer"} -- [U.S. FPKI Audit Letter of Compliance (PDF, September 2022)]({{site.baseurl}}/docs/fpki-fpkima-audit-letter.pdf){:target="_blank"}{:rel="noopener noreferrer"} – Results of the 2020-2021 Compliance Audit for the FPKI Trust Infrastructure Systems. -- [FPKI Trust Infrastructure “HTTP.FPKI.Gov” URL Site Map (PDF, September 2022)]({{site.baseurl}}/docs/fpki-fpkima-sitemap.pdf){:target="_blank"}{:rel="noopener noreferrer"} - -## Reporting Incidents - -To report a potential key compromise, security incident, or fraud, waste, or abuse involving FPKI certificates, please contact fpki-help at gsa.gov with supporting evidence of the incident. diff --git a/_governance/governance.md b/_governance/governance.md deleted file mode 100644 index 93af2d549..000000000 --- a/_governance/governance.md +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -layout: page -collection: governance -title: Governance and Compliance -permalink: governance/ -sidenav: governance -sticky_sidenav: true - -subnav: - - text: ICAM PM Guide - href: '#icam-program-management-guide' - - text: FICAM Playbooks - href: '#ficam-playbooks' - - text: Announcements - href: '#announcements' - - text: Training - href: '#training' - - text: Related Information - href: '#related-information' ---- - -The Federal ICAM (FICAM) program helps federal agencies plan and manage enterprise identity, credentialing, and access management (ICAM) through collaboration opportunities and guidance on IT policy, standards, implementation, and architecture. Most of the guidance and best practices found on this website are developed through interagency working groups. - -## ICAM Program Management Guide - -The [ICAM Program Management Guide](https://playbooks.idmanagement.gov/pm/){:target="_blank"}{:rel="noopener noreferrer"} explains how to plan and implement an Identity, Credential, and Access Management (ICAM) Program, as outlined in the [Federal Identity, Credential, and Access Management (FICAM) Architecture](https://playbooks.idmanagement.gov/arch/){:target="_blank"}{:rel="noopener noreferrer"}. In this guide, you’ll find content for ICAM program managers who need agency-level planning guides to drive adoption of ICAM services within their organizations as well as information on how to govern the program, identify and communicate with stakeholders, manage risk, and other related topics. - -This guide answers the most common ICAM program organization and management questions, including: -- How can I establish governance to ensure ICAM alignment at the agency level? -- Who are my key ICAM stakeholders? -- What best practices support ICAM implementation? 
- -The guide is organized by sections, each of which describes an essential feature of ICAM program management, including recommendations and lessons learned from agencies who have implemented ICAM programs. - -## FICAM Architecture and Playbooks - -The [FICAM Architecture and accompanying guidance](https://playbooks.idmanagement.gov/){:target="_blank"}{:rel="noopener noreferrer"}, maintained by GSA in coordination with OMB and DHS CISA, contains processes, procedures, and considerations for planning and managing logical access, physical access, identity management, and federation within federal agencies. - -These playbooks are hosted on Github and provide common policy and patterns to help you implement and execute ICAM at your agency. The playbooks are a government-wide collaboration based on the needs and interests of individual agencies and government-wide groups. Reach out to icam at gsa.gov to suggest new topics. - -## Announcements - -- [FIPS 201 Evaluation Program Announcements](https://www.idmanagement.gov/sell/fipsannouncements/){:target="_blank"}{:rel="noopener noreferrer"} -- [FPKI Announcements](https://playbooks.idmanagement.gov/fpki/announcements/){:target="_blank"}{:rel="noopener noreferrer"} -- [FPKI System Notifications](https://playbooks.idmanagement.gov/fpki/notifications/){:target="_blank"}{:rel="noopener noreferrer"} - - -## Training - -- [National Initiative for Cybersecurity Education (NICE)](https://www.nist.gov/itl/applied-cybersecurity/nice){:target="_blank"}{:rel="noopener noreferrer"} – A partnership between government, academia, and the private sector focused on cybersecurity education, training, and workforce development. NICE is led by the National Institute of Standards and Technology (NIST). 
-- [Secure Technology Alliance (STA) Education and Certification Programs](https://www.securetechalliance.org/activities-education-and-certification-programs/){:target="_blank"}{:rel="noopener noreferrer"} – The STA offers educational and certification programs. - - -## Related Information - -- [National Cybersecurity Center of Excellence (NCCoE)](https://nccoe.nist.gov/){:target="_blank"}{:rel="noopener noreferrer"} – Works with experts from industry, government, and academia to address businesses’ most pressing cybersecurity problems with practical, standards-based solutions using commercially available technologies. -- [NIST Identity & Access Management](https://www.nist.gov/identity-access-management){:target="_blank"}{:rel="noopener noreferrer"} – Through the NIST Identity and Access Management Resource Center, we seek to share our efforts that strengthen the security, privacy, usability, and interoperability of solutions that meet an organization’s identity and access management needs throughout the system lifecycle. diff --git a/_implement/FPKIRootG2Detection.bes b/_implement/FPKIRootG2Detection.bes new file mode 100644 index 000000000..06c6add8a --- /dev/null +++ b/_implement/FPKIRootG2Detection.bes @@ -0,0 +1,21 @@ + + + + Federal Common Policy CA G2 Distribution Detection + This analysis will detect whether COMMON has been redistributed via GPO or Active Directory.

+

Depending on how COMMON is redistributed to end-points, one of two pairs of registry keys is created:

+

AD Distribution
- HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028\
- HKLM:\SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028\

+

GPO Distribution
- HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028\
- HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028\

+

Results: If one of these pairs is detected, the analysis will return a value of "TRUE".

]]>
+ true + Internal + 2020-10-15 + + x-fixlet-modification-time + Tue, 20 Oct 2020 18:02:27 +0000 + + BES + operating system + ((exists key "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028" of registry) AND (exists key "HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028" of registry)) OR ((exists key "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028" of native registry) AND (exists key "HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028" of native registry)) OR ((exists key "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028" of (if x64 of operating system then (x32 registry; x64 registry) else x32 registry)) AND (exists key "HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028" of (if x64 of operating system then (x32 registry; x64 registry) else x32 registry))) OR ((exists key "HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028" of registry) AND (exists key "HKLM\SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028" of registry)) OR ((exists key "HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028" of native registry) AND (exists key "HKLM\SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028" of native registry)) OR ((exists key "HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028" of (if x64 of operating system then (x32 registry; x64 registry) else x32 registry)) AND (exists key 
"HKLM\SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028" of (if x64 of operating system then (x32 registry; x64 registry) else x32 registry))) +
+
+
diff --git a/_implement/announcements/01_chrome_ballot_193.md b/_implement/announcements/01_chrome_ballot_193.md
new file mode 100644
index 000000000..fbe11b032
--- /dev/null
+++ b/_implement/announcements/01_chrome_ballot_193.md
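Review bot: The detection relevance at the end of this file joins each pair with AND, so a host that holds the thumbprint key in only one registry view (any 32-bit Windows install, which has no `WOW6432Node`, and plausibly an x64 host where only the native view was written) evaluates to FALSE even though COMMON was distributed — a false negative in what is effectively a trust-store compliance check. The WOW6432Node paths also appear to be redundant with the `x32 registry; x64 registry` selector, since that selector already walks the 32-bit view, and the same two key checks are then repeated three times over `registry`, `native registry` and the conditional form, which makes the expression hard to audit for exactly what it proves. I would collapse it to two clauses ORed together, e.g. `exists key "HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028" of (if x64 of operating system then (x32 registry; x64 registry) else x32 registry)` OR the equivalent under `HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\…`, and state in the description that "TRUE" means the key exists in at least one view. The analysis-level relevance looks like a bare `true` (tags are stripped in this rendering, so this is inferred), which targets every endpoint; if so, `windows of operating system` would keep the registry inspectors off non-Windows clients.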
@@ -0,0 +1,48 @@ +--- +layout: page +title: Chrome TLS Certificate Lifetime Requirement +pubDate: 05/10/2018 +archiveDate: 05/09/2019 +removeDate: 05/09/2021 +collection: implement +tag: Chrome +description: Starting March 1, 2018, Chrome requires all TLS/SSL certificates to have a maximum lifetime of 825 days. You can mitigate the impact for government intranets, applications, and government-furnished equipment by using these procedures. +sidenav: implement +sticky_sidenav: true +category: Removed + +subnav: + - text: What Will Be Impacted? + href: '#what-will-be-impacted' + - text: What Other Browsers Enforce This Requirement? + href: '#what-other-browsers-enforce-this-requirement' + - text: What Should I Do? + href: '#what-should-i-do' + - text: Additional Resources + href: '#additional-resources' +--- + +{% include alert-warning.html content="This announcement has been archived and is hosted solely for historical reference. It is no longer being updated or maintained." %} + + +Recent changes to Chrome could affect your agency. Chrome now requires that TLS/SSL certificates issued on or after **March 1, 2018**, have a maximum lifetime of 825 days. Google is enforcing this change for Chrome as a result of the Certification Authority/Browser (CA/B) Forum's Ballot 193 to promote increased web security.[1](#1) + +## What Will Be Impacted? +A government user will receive an "untrusted site" error when browsing to an intranet website or application if all of the following are true: + +1. The intranet website's TLS/SSL certificate was issued by a Federal PKI Certification Authority +2. The TLS/SSL certificate was issued on or after March 1, 2018, with a lifetime greater than 825 days +3. Using the Chrome browser + +![Chrome Error Screen]({{site.baseurl}}/img/google_ballot193_hot_topic_error.png){:style="width:70%;float:center;"} + +## What Other Browsers Enforce This Requirement? +Chrome is the only browser currently enforcing this requirement for TLS/SSL certificates. 
If other browser vendors decide to enforce this requirement, we will post updates to this announcement. Please also check the [FPKI-Guides' Issues](https://github.com/GSA/fpki-guides/issues){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} for in-progress discussions. + +## What Should I Do? +To prevent Chrome browsing errors: +1. Request that your PKI team or Federal Shared Service Provider update the certificate profiles for TLS/SSL device certificates issued by Federal PKI Certification Authorities to require a certificate lifetime of less than 825 days. +2. Re-issue and re-install new TLS/SSL certificates for the impacted intranet websites and applications. + +## Additional Resources +1. In March 2017, the [CA/B Forum](https://cabforum.org/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} passed [Ballot 193](https://cabforum.org/2017/03/17/ballot-193-825-day-certificate-lifetimes/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, which introduced the 825-day maximum lifetime requirement. diff --git a/_implement/announcements/02_microsoft_constraint.md b/_implement/announcements/02_microsoft_constraint.md new file mode 100644 index 000000000..90c9815c2 --- /dev/null +++ b/_implement/announcements/02_microsoft_constraint.md 
@@ -0,0 +1,148 @@ +--- +layout: page +title: Federal Common Policy CA Removal from Microsoft Trust Store Impact +pubDate: 05/18/2018 +archiveDate: 05/19/2019 +removeDate: 05/19/2021 +collection: implement +category: Microsoft +description: UUpcoming changes regarding Microsoft's remove of the U.S. Government Root CA. +category: Removed +sidenav: implement +sticky_sidenav: true + +subnav: + - text: How Does this Work? + href: '#how-does-this-work' + - text: What Will Be Impacted? + href: '#what-will-be-impacted' + - text: What Should I Do? + href: '#what-should-i-do' + - text: How Can I Test? + href: '#how-can-i-test' + - text: Frequently Asked Questions + href: '#frequently-asked-questions' + - text: Additional Resources + href: '#additional-resources' +--- + +{% include alert-warning.html content="This announcement has been archived and is hosted solely for historical reference. It is no longer being updated or maintained." %} + + +Upcoming changes regarding Microsoft's Trusted Root Program could impact your agency. The Federal PKI Policy Authority has requested that Microsoft **remove** our U.S. Government Root CA certificate (Federal Common Policy CA [COMMON]) from Microsoft's globally distributed Certificate Trust List (CTL). + +{% include alert-info.html content="The Federal PKI Policy Authority is working with Microsoft on the timeline for removing COMMON. As more information and additional procedures become available, this announcement will be updated. Please watch for updates from the Federal PKI listserves, ICAM listservs, and the ICAM Sub-committee." %} + +## How Does This Work? +Today, Microsoft distributes hundreds of trusted root CA certificates, including COMMON, through its _Certificate Trust List (CTL)_. Microsoft distributes two CTLs for Windows operating systems: which root CAs are trusted, and which CAs are untrusted. 
The _Trusted CTL_ (*authrootstl.cab*) adds certificates to the Microsoft Trusted Root Certification Authorities certificate store, and the _Untrusted CTL_ (*disallowedcertstl.cab*) adds certificates to the Untrusted Certificates store. + +Starting in Windows 10 and Server 2016, Microsoft may also include date-based CTL entries. For example, a date based CTL entry will disallow trusting code-signing or server authentication certificates issued after a specific date. + +Microsoft distributes the Trusted and Untrusted CTLs to the following Windows Operating Systems: + +| **Versions** | +| :-------- | +| Windows 10 | +| Windows 8.1 | +| Windows 8 | +| Windows Vista | +| Windows Server 2016 | +| Windows Server 2012 R2 | +| Windows Server 2008 R2 | + +## What Will Be Impacted? +When Microsoft removes COMMON, government users of Windows will receive errors. Errors will occur in the following scenarios: + +2. Performing smartcard logon to the government networks using PIV credentials +2. Authenticating to the government virtual private network endpoints (VPNs) using PIV credentials +2. Authenticating to the government internet facing authentication and collaboration portals +3. Browsing with Microsoft Internet Explorer, Edge or Chrome browsers to a government **intranet** website that has a TLS/SSL certificate issued by a Federal PKI CA that validates to COMMMON. +4. Opening an email in Microsoft Outlook that was digitally signed using a certificate issued by a Federal PKI CA that validates to COMMON. +5. Opening a Microsoft Office document that was digitally signed with a certificate issued by a Federal PKI CA that validates to COMMON. + +{% include alert-info.html content="If you are unsure whether your applications will be affected, email us at: fpki@gsa.gov." %} + +This change will also impact partner users that rely on COMMON. For example, a Department of Defense employee sending a digitally signed email to a business partner. 
+ +You can mitigate the risk to government missions, intranets, applications, and government-furnished equipment. + +## How Can I Test? + +Testing by government teams did not allow locally administered certificate stores to override the Microsoft CTL distributed settings. The decision was made to remove COMMON entirely from Microsoft's trust store. No further testing on overriding the CTL settings will be conducted. + + +To review the previous testing procedures:  [CTL Testing]({{ site.baseurl }}/ctltestprocedures/){:target="_blank"}{:rel="noopener noreferrer"}. + +## Frequently Asked Questions + +### 1.  Why is COMMMON being removed? +The Federal PKI CAs don't comply with Microsoft's requirements for globally trusted TLS/SSL certificates. Microsoft's requirements include: + +**a.  Requirement for Fully-Qualified Domain Names (FQDNs)**
+Microsoft plans to restrict TLS/SSL certificates to only those certificates using FQDNs ending in .gov, .mil, or fed.us. Some Federal agencies issue TLS/SSL certificates to intranet assets. These certificates either:  don't have FQDNs; contain intranet domains that don't end in .gov, .mil, or fed.us; or use short names (aliases). Under Microsoft's requirements, these agencies would need to reissue, re-install, and reconfigure all "non-compliant" certificates and applications. The Federal PKI community has determined that this would have a negative impact on mission applications on the intranets. + +**b.  Requirement for public audit**
+The Federal PKI follows a government auditing standard, and we have not restricted our issuance of TLS/SSL certificates to only the .gov and .mil domains. Under the requirements, all CAs in Federal PKI that could issue TLS/SSL certificates are required to submit a non-government audit or be technically constrained. Federal PKI has **not** technically constrained our CAs. + +**c.  Requirement to disclose Certificate Practice Statements and Incident Post-Mortem Reports**
+Public trust requires public disclosure and transparency. All Federal PKI CAs would be required to publicly post their Certificate Practice Statements and their Audit Letters. The Federal PKI community has attempted to disclose all Certificate Practice Statements for a number of years. However, some federal agencies include sensitive information in these documents and cannot disclose the documents publicly. + +**d.  Requirement to create new issuing Certification Authorities (CAs)**
+Any Federal PKI CA that issues TLS/SSL, code-signing, or email-signing certificates would have to establish a new CA for each type of certificate. This effort requires time, planning, and funding. + +### 2.  How can I determine which of our intranet websites and applications will be impacted, including those used by cross-agency users? +All Windows-based websites and applications configured with certificates (email, Virtual Private Network, digital signature, etc.) issued by a Federal PKI CA that validates to COMMON will be impacted. For agencies and mission partners that are cross-certified with the FBCA, external users could also be impacted if COMMON is used instead of your root. + +You can run a report on all issued certificates or, if your agency has an agreement with a Federal PKI Shared Service Provider (SSP), you can request that the SSP run the report. + +You can scan your intranet websites in coordination with your CISO teams. There are existing tools to use, or you can use the DHS NCATS "**pshtt**" tool, which will also check for cipher suites and mis-configurations on the intranet websites: + +- DHS NCATS [**pshtt**](https://github.com/dhs-ncats/pshtt){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} + +**Note:**  This tool will look for not just Federal PKI certificates. Its outputs will include all certificates and information. + +### 3.  How can I determine whether my agency users and government-furnished equipment will be impacted? +Check your enterprise trust store configurations in your Microsoft domain and devices. You must verify how COMMON was installed and managed. + +View where and how a certificate is being installed using the certificates snap-in (certmgr.msc). Under **View -> Options**, click the **Show _Physical certificate stores_** option. 
+ +If COMMON is already in the Trusted Root Certification Authorities or Enterprise Trust store and the _source_ is a group policy object or the enterprise trust domain, you don't need to reinstall or change. + +### 4.  Is PIV network login impacted? + +Yes. See [Install Using Group Policy Objects](#install-using-group-policy-objects) to mitigate this risk. + +### 5.  Do I need to remove the "baked-in" version of COMMON? +No, don't remove COMMON. When Microsoft does the update for the CTL, it will be removed during normal patching cycles. + +You may see two versions of the certificate in Trusted Root Certificate Authorities. You must verify how COMMON was installed and managed. + +View where and how a certificate is being installed using the certificates snap-in (certmgr.msc). Under **View -> Options**, click the **Show _Physical certificate stores_** option. + +### 6.  Do I need to add COMMON to the Trusted Root Certification Authorities store, or should I add it to the Enterprise Trust Store? +Microsoft Operating Systems use different physical containers and logical views of these containers for trust stores. In addition, different tools will have different **names** for the same physical or logical view. For example: + +| **Certificates snap-in (certmgr.msc)** | **Enterprise PKI snap-in** | **certutil** | **Registry** | +| :-------- | :------------------------------- | :--------- | :----------- | +| Trusted Root Certification Authorities | Certificate Authorities Container tab| Root and RootCA | Root | + +It can be confusing--the easiest model is to follow one of the two methods in [What Should I Do?](#what-should-i-do) + +To read detailed information on certificate stores, logical views, physical views, and registry locations: [Managing Certificates with Certificate Stores](https://msdn.microsoft.com/en-us/library/windows/desktop/aa386971(v=vs.85).aspx){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} + +### 7.  
Do I need to change any trust property for COMMON managed by group policy objects? +No, trust properties are not set by group policy objects. If your agency currently distributes COMMON through a group policy object, no change is needed. + +### 8.  What Windows versions are affected? +All Windows versions from Vista forward are affected. + +### 9.  Can I create a custom CTL for our enterprise? +Yes, a trusted or untrusted, custom CTL can be created for your agency enterprise: [Creating, Signing, and Storing a CTL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379867(v=vs.85).aspx){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. + +However, we don't recommend this. Simplicity can help security, and it can be simpler to manage a group policy object than a custom CTL. + +## Additional Resources + +1. [Certificate Trust List Overview](https://msdn.microsoft.com/en-us/library/windows/desktop/aa376545(v=vs.85).aspx){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +1. [Managing Certificates with Certificate Stores](https://msdn.microsoft.com/en-us/library/windows/desktop/aa386971(v=vs.85).aspx){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +1. [Configure Trusted Roots and Disallowed Certificates](https://technet.microsoft.com/en-us/library/dn265983.aspx){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} diff --git a/_implement/announcements/03_google_ct.md b/_implement/announcements/03_google_ct.md new file mode 100644 index 000000000..a7cf9cda7 --- /dev/null +++ b/_implement/announcements/03_google_ct.md 
@@ -0,0 +1,190 @@ +--- +layout: page +title: Chrome Certificate Transparency Requirements +pubDate: 08/10/2018 +archiveDate: 08/09/2019 +removeDate: 08/09/2021 +collection: implement +category: Google +description: All TLS/SSL certificates issued after **April 30, 2018**, that validate to a publicly trusted Root Certification Authority (CA) certificate must appear in a CT log. Users browsing to non-CT compliant, federal intranet websites will encounter connection errors. +sidenav: implement +category: Removed +sticky_sidenav: true + +subnav: + - text: How Does This Work? + href: '#how-does-this-work' + - text: What Will Be Impacted? + href: '#what-will-be-impacted' + - text: When Will This Start? + href: '#when-will-this-start' + - text: What Should I Do? + href: '#what-should-i-do' + - text: Frequently Asked Questions + href: '#frequently-asked-questions' + - text: Additional Resources + href: '#additional-resources' +--- + +{% include alert-warning.html content="This announcement has been archived and is hosted solely for historical reference. It is no longer being updated or maintained." %} + + +As of **July 24, 2018**, Google is now enforcing Certificate Transparency (CT) for Chrome 68 and above. This means that all TLS/SSL certificates issued after **April 30, 2018**, that validate to a publicly trusted Root Certification Authority (CA) certificate must appear in a CT log in order to be trusted by Chrome 68 and above. In addition, websites must serve proof of certificate inclusion in the CT log through a Signed Certificate Timestamp (SCT). Users browsing to non-CT compliant, federal intranet websites will encounter connection errors. + +{% include alert-info.html content="Many popular browsers plan to deploy CT in their product roadmaps. Timelines will be updated on this site as browser deployment dates become known." %} + +## How Does This Work? + +The requirements for CT are built into _browsers_. 
+ +- All roots that have been distributed _by one or more_ of the Microsoft, Android, Apple, or Mozilla trusted root programs are listed here: [Root Stores](https://cs.chromium.org/chromium/src/net/data/ssl/root_stores/README.md){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. +- When a government user browses to an intranet website, the user's workstation or mobile device will build one or more certificate paths to the enterprise or publicly trusted roots. +- The browser will compare the certificate path(s) to the list of roots that have _ever_ been included in the popular trust stores currently in use worldwide. +- If any certificate in the trust chain matches one of the roots in the list, then the CT requirements will be in effect. + +## What Will Be Impacted? + +A government user will receive an error on government-furnished equipment if all of the following are true: + +1. Using Chrome 68 or higher (**Note:** Additional browsers may be affected in the future.) +2. Browsing to an intranet website with a TLS/SSL certificate that validates to the Federal Common Policy CA +3. The TLS/SSL certificate was issued after **April 30, 2018** + +![Chrome Error Screen]({{site.baseurl}}/img/google_ct_hot_topic_error.png){:style="width:55%;float:center;"} + +## When Will This Start? + +CT enforcement has begun. As of **July 24, 2018**, Google is now enforcing CT for Chrome 68 and above. + +## What Should I Do? + +To mitigate the impact on the federal enterprise, you must disable CT enforcement for the affected intranet websites. + +Please see [Disable CT Enforcement for Government-Furnished Equipment](#disable-ct-enforcement-for-government-furnished-equipment). + + +### Disable CT Enforcement for Government-Furnished Equipment +{% include alert-info.html content="Two options are outlined in this section. Additional options may become available for future releases of Chrome. 
We will continue to update these procedures and post additional information as it becomes available. Please also check the GitHub Issues in the GSA FPKI-Guides repository for in-progress discussions." %} + +#### Option 1:  Disable CT Enforcement for "Legacy" CAs (Recommended Configuration) + +Google Chrome's "CertificateTransparencyEnforcementDisabledForLegacyCas" policy configuration allows you to disable CT enforcement for websites that chain to a user-specified "legacy" CA. Google Chrome categorizes a CA as "legacy" if it meets the following criteria: + +1. The CA has been publicly trusted by default in one or more operating systems supported by Chrome, such as Windows or macOS. +2. The CA isn't currently trusted by the Android Open Source Project or Chrome OS. + +The Federal Common Policy CA meets Google's criteria for a "legacy" CA, so you can disable CT enforcement for intranet websites that chain to it. In some cases, you'll need to create a new registry key tree in the locations specified below: + +**a.  Windows Registry location for Windows clients:**
+ +For _HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForLegacyCas_, add a new string value: + + ``` + Name = 1 | Data = sha256/jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= + ``` + +**b.  Windows Registry location for Chrome OS clients:**
+ +For _HKEY_LOCAL_MACHINE\Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForLegacyCas_, add new string value: + + ``` + Name = 1 | Data = sha256/jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= + ``` + +**c.  macOS**
+ +For preference name, _CertificateTransparencyEnforcementDisabledForLegacyCas_, add values: + + ``` + + sha256/jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= + + ``` + +**Note:**  In all cases above, `jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU=` is a Base64 encoding of a SHA-256 hash of the Federal Common Policy CA's Subject Public Key Information (SPKI) field. + + +#### Option 2:  Disable CT Enforcement for Domains and Sub-Domains + +Chrome for government-furnished equipment will not enforce CT requirements if you apply a policy rule and include a **.gov or .mil second-level domain**, such as _agency.gov_, or other **third-level sub-domains**, such as _example.agency.gov_. You should apply configuration changes for only government-furnished equipment and only include an explicit list of second-level or below sub-domains in use for intranet websites. In some cases, you may need to create a new registry key tree in the locations specified below: + + +**a.  Windows Registry location for Windows clients:**
+ +For _HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForUrls_, add new string value: + + ``` + Agency Sub-Domain example: + + Name = 1 | Data = example.agency.gov + + Gov/Mil Top-Level Domain example: + + Name = 2 | Data = gov + Name = 3 | Data = mil + ``` + +**b.  Windows Registry location for Chrome OS clients:**
+ +For _HKEY_LOCAL_MACHINE\Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForUrls_, add new string value: + + ``` + Sub-Domain example: + + Name = 1 | Data = example.agency.gov + + Gov/Mil Top-Level Domain example: + + Name = 2 | Data = gov + Name = 3 | Data = mil + ``` + +**c.  macOS**
+ +For _preference name_, _CertificateTransparencyEnforcementDisabledForUrls_, add values:
+ + ``` + + example.agency.gov + .example.agency.gov + gov + mil + + ``` + +## Frequently Asked Questions + +### 1. Will Google's use of CT in Chrome impact my agency's internal, only locally trusted CA TLS/SSL certificates? + +No. There will be no impact if you use your agency's internal, only locally trusted CA to issue TLS/SSL certificates to intranet sites. Chrome's CT enforcement will impact only federal intranet sites whose TLS/SSL certificates validate to Federal Common Policy CA, whose certificate is currently distributed through operating system trust stores. + +### 2. Why is Google enforcing CT in Chrome? + +Chrome's CT change has been planned and incrementally implemented for over two years. CT provides a benefit to the global community by: + +- Improving openness and transparency +- Allowing domain owners to identify mistakenly or maliciously issued certificates + +### 3. How do I know whether my intranet website is compliant with CT? +You can check for CT compliance by using the steps below to verify the presence of an SCT. These steps apply to any Federal PKI TLS/SSL certificate or commercially sourced certificate. + +**Note:**  SCTs are only required for certificates issued after April 30, 2018. Some certificates issued **before** this date may already be compliant. To check compliance: + +1. Open Chrome and browse to your website. +2. In Chrome, go to **Settings->More Tools**. +3. Open the **Developer Tools** panel:
+ ``` + Windows: CTRL + Shift + "i" + macOS: Apple key + Shift + "i" + ``` +4. Select the **Security** tab in the **Developer Tools**. +5. Refresh the website page and click on the website under the **Main origin** column. +6. If the certificate is compliant, it will display the CT log details under the **Certificate Transparency** heading. + +## Additional Resources +1. [What is Certificate Transparency?](https://www.certificate-transparency.org/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +2. [Certificate Transparency Background](https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/78N3SMcqUGw){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +3. [Certificate Transparency in Chrome--Detailed Information](http://www.certificate-transparency.org/certificate-transparency-in-chrome){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +3. [Certificate Transparency--Resources for Site Owners](https://sites.google.com/site/certificatetransparency/resources-for-site-owners){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +4. [How to Disable CT in Enterprise Chrome](http://www.chromium.org/administrators/policy-list-3#CertificateTransparencyEnforcementDisabledForUrls){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +5. [Chrome Policy Templates](https://www.chromium.org/administrators/policy-templates){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} diff --git a/_implement/announcements/04_apple_common_removal.md b/_implement/announcements/04_apple_common_removal.md new file mode 100644 index 000000000..24e81210e --- /dev/null +++ b/_implement/announcements/04_apple_common_removal.md 
@@ -0,0 +1,97 @@ +--- +layout: page +title: Federal Common Policy CA Removal from Apple Trust Stores Impact +pubDate: 09/13/2018 +archiveDate: 09/12/2019 +removeDate: 09/12/2021 +collection: implement +category: Apple +# permalink: /fpki/announcements/2018applepkichanges/ +description: Upcoming changes regarding Apple's remove of the U.S. Government Root CA. +sidenav: fpkiarchivedannouncements +category: implement +sticky_sidenav: true + +subnav: + - text: How Does This Work? + href: '#how-does-this-work' + - text: What Will Be Impacted? + href: '#what-will-be-impacted' + - text: What Should I Do? + href: '#what-should-i-do' + - text: Frequently Asked Questions + href: '#frequently-asked-questions' + - text: Additional Resources + href: '#additional-resources' +--- + +{% include alert-warning.html content="This announcement has been archived and is hosted solely for historical reference. It is no longer being updated or maintained." %} + + +Upcoming changes regarding Apple devices and operating systems could impact your agency. The Federal PKI Policy Authority has elected to remove our U.S. Government Root CA certificate (Federal Common Policy CA [COMMON]) from Apple's pre-installed Operating System Trust Stores. + +Starting in the release of macOS Mojave, iOS 12, and tvOS 12, government users of Apple devices will receive errors when encountering instances of a Federal PKI CA-issued certificate. You can mitigate the impact for government intranets and the government-furnished Apple devices. + +**Apple Operating System Release Dates** +- iOS 12: September 17, 2018 +- tvOS 12: September 17, 2018 +- macOS Mojave: September 24, 2018 + +{% include alert-info.html content="The FPKIPA has also elected to remove the Federal Common Policy CA root certificate from Microsoft's Trust Store." %} + +## How Does This Work? + +Apple currently distributes the Federal Common Policy CA (COMMON) through its pre-installed operating system Trust Stores for iOS, macOS, and tvOS. 
+ +Three root CA certificate _types_ reside in Apple's Trust Stores: + +- _Trusted Certificates_ — Trusted certificates that establish a chain of trust. +- _Always Ask_ — Untrusted certificates that are not blocked. If a resource (e.g., website or signed email) chains to one of these certificates, the Apple operating system will ask you to choose whether or not to trust it. +- _Blocked_ — Potentially compromised certificates that will never be trusted. + +These certificate types are stored within Apple _Keychains_: + +- _Login Keychain_ — Certificates associated with a user account logged into a device. +- _System Keychain_ — Certificates associated with all user accounts on a device (similar to the Microsoft Windows' _Local Machine_ certificate store). +- _System Roots Keychain_ — Includes Apple's _pre-installed_, trusted root CA certificates. COMMON will be removed from this Keychain. + +## What Will Be Impacted? + +These Apple operating system versions (and all subsequent versions) will be impacted: + +|**macOS**|**iOS**|**tvOS**| +| :-------- |:-------- |:-------- | +| Mojave (10.14), Release 9/24/18 | iOS 12, Release 9/17/18 | tvOS 12, Release 9/17/18 | + + +Government users will receive errors on government-furnished Apple devices if any of these are true: + +1. Logging into a government network with a PIV credential +2. Authenticating to a government Virtual Private Network (VPN) endpoint with a PIV credential +3. Authenticating to an internet-facing, government collaboration portal with a PIV credential +4. Browsing with Safari, Chrome, or Edge (iOS) to a government **intranet** website that uses a Federal PKI CA-issued TLS/SSL certificate +5. Opening an Apple Mail or Microsoft Outlook email that was digitally signed using a Federal PKI CA-issued certificate +6. 
Opening a Microsoft Office document that was digitally signed with a Federal PKI CA-issued certificate + +This change will also impact Federal Government partners that rely on COMMON—for example, a Department of Defense employee sending a digitally signed email to a business partner. + +You can mitigate the risk to government missions, intranets, applications, and government-furnished equipment. + +{% include alert-info.html content="If you are unsure whether your applications will be affected, email us at fpki@gsa.gov." %} + +## Frequently Asked Questions + +### 1.  Is PIV network login impacted? +Yes. + +### 2.  What versions are affected? +Please see [What Will Be Impacted?](#what-will-be-impacted). + +## Additional Resources +1. [macOS Available Trusted Root Certificates List](https://support.apple.com/en-us/HT202858){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +2. [iOS Available Trusted Root Certificates List](https://support.apple.com/en-us/HT204132){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +3. [tvOS Available Trusted Root Certificates](https://support.apple.com/en-us/HT207231){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +4. [Apple Keychains](https://developer.apple.com/documentation/security/keychain_services){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +5. [Apple Configuration Profile Reference](https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +6. 
[Over-the-Air Profile Delivery and Configuration](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html#//apple_ref/doc/uid/TP40009505){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +7. [Mobile Device Management Best Practices](https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/6-MDM_Best_Practices/MDM_Best_Practices.html#//apple_ref/doc/uid/TP40017387-CH5-SW2){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} diff --git a/_implement/announcements/05_health_it_removal.md b/_implement/announcements/05_health_it_removal.md new file mode 100644 index 000000000..793a67b43 --- /dev/null +++ b/_implement/announcements/05_health_it_removal.md 
@@ -0,0 +1,753 @@
+---
+layout: page
+title: Removal of CAs from Federal PKI
+pubDate: 03/05/2019
+archiveDate: 03/04/2020
+removeDate: 03/04/2022
+collection: implement
+category: Removal
+#permalink: /fpki/announcements/2019removal/
+description: This announcement provides information related to the Health IT CAs removed from the Federal PKI.
+sidenav: implement
+sticky_sidenav: true
+category: Archive
+
+subnav:
+ - text: What Was the Change?
+ href: '#what-was-the-change'
+ - text: What Certification Authorities Were Impacted?
+ href: '#what-certification-authorities-were-impacted'
+ - text: What Should I Do?
+ href: '#what-should-i-do'
+ - text: Who Can I Contact for Help or More Information?
+ href: '#who-can-i-contact-for-help-or-more-information'
+ - text: Additional Resources
+ href: '#additional-resources'
+---
+
+Federal PKI teams performed two actions to remove fifty-nine (59) certification authorities (CAs) related to health IT use cases from the Federal PKI trust framework. This change is related to efforts to assess and maintain the mission scope for Federal PKI and reduce burden for commercial and non-profit organizations. This change is **not a distrust** action.
+
+This announcement provides details related to the CAs affected by this change.
+
+## What Was the Change?
+
+- **February 28, 2019:** Federal PKI issued a cross-certificate from the Federal Bridge CA 2016 to DigiCert Federated ID L3 CA.
+ - The issuance of the new cross-certificate was to ensure operations for three (3) electronic prescriptions for controlled substance (EPCS) systems were not immediately impacted by the planned revocation of the Federal Bridge CA 2016 / DigiCert Federated ID CA-1 cross-certificate.
+- **March 4, 2019:** Federal PKI revoked the cross-certificate issued from the Federal Bridge CA 2016 to DigiCert Federated ID CA-1 CA.
+
+## What Certification Authorities Were Impacted?
+The following CAs are still **active** and may be used for the intended purposes. 
These CAs no longer have a trust relationship with - or are required to be audited for - Federal PKI compliance.
+
+Each CA is listed by common name with a link to additional CA certificate details in the [Additional Resources](#additional-resources) section.
+
+**CA Certificates _Issued By_ DigiCert Federated ID CA-1 CA**
+
+- [DigiCert Federated Trust CA](#digicert-federated-trust-ca)
+- [DigiCert Federated Trust CA-1](#digicert-federated-trust-ca-1)
+- [DigiCert Federated ID L1 CA](#digicert-federated-id-l1-ca)
+- [DigiCert Federated ID L2 CA](#digicert-federated-id-l2-ca)
+- [DigiCert Federated ID L3 CA](#digicert-federated-id-l3-ca)
+- [DigiCert Federated ID L4 CA](#digicert-federated-id-l4-ca)
+- [DigiCert Federated ID US L3 CA](#digicert-federated-id-us-l3-ca)
+- [DigiCert Federated ID US L4 CA](#digicert-federated-id-us-l4-ca)
+
+
+**CA Certificates _Issued By_ DigiCert Federated Trust CA**
+
+- [What Was the Change?](#what-was-the-change)
+- [What Certification Authorities Were Impacted?](#what-certification-authorities-were-impacted)
+- [What Should I Do?](#what-should-i-do)
+- [Who Can I Contact for Help or More Information?](#who-can-i-contact-for-help-or-more-information)
+- [Additional Resources](#additional-resources)
+ - [CA Certificates _Issued By_ DigiCert Federated ID CA-1 CA](#ca-certificates-issued-by-digicert-federated-id-ca-1-ca)
+ - [DigiCert Federated Trust CA](#digicert-federated-trust-ca)
+ - [DigiCert Federated Trust CA-1](#digicert-federated-trust-ca-1)
+ - [DigiCert Federated ID L1 CA](#digicert-federated-id-l1-ca)
+ - [DigiCert Federated ID L2 CA](#digicert-federated-id-l2-ca)
+ - [DigiCert Federated ID L3 CA](#digicert-federated-id-l3-ca)
+ - [DigiCert Federated ID L4 CA](#digicert-federated-id-l4-ca)
+ - [DigiCert Federated ID US L3 CA](#digicert-federated-id-us-l3-ca)
+ - [DigiCert Federated ID US L4 CA](#digicert-federated-id-us-l4-ca)
+ - [CA Certificates _Issued By_ DigiCert Federated Trust 
CA](#ca-certificates-issued-by-digicert-federated-trust-ca)
+ - [AAMC Direct Intermediate CA](#aamc-direct-intermediate-ca)
+ - [Allina Health Connect HIE Intermediate CA](#allina-health-connect-hie-intermediate-ca)
+ - [Axesson Direct CA](#axesson-direct-ca)
+ - [Care360 Direct Intermediate CA](#care360-direct-intermediate-ca)
+ - [Cerner Corporation Direct Intermediate CA](#cerner-corporation-direct-intermediate-ca)
+ - [Cerner Corporation Resonance Intermediate CA](#cerner-corporation-resonance-intermediate-ca)
+ - [CompuGroup Medical Certificate Authority](#compugroup-medical-certificate-authority)
+ - [Corepoint Direct Intermediate CA](#corepoint-direct-intermediate-ca)
+ - [DigiCert Accredited Direct Med CA](#digicert-accredited-direct-med-ca)
+ - [DigiCert Direct Non-Provider CA](#digicert-direct-non-provider-ca)
+ - [DigiCert Federated Healthcare CA](#digicert-federated-healthcare-ca)
+ - [DigiCert Governmental Direct CA](#digicert-governmental-direct-ca)
+ - [DigiCert Provisional Direct Med CA](#digicert-provisional-direct-med-ca)
+ - [Indian Health Service-RPMS DIRECT Messaging CA](#indian-health-service-rpms-direct-messaging-ca)
+ - [Inpriva Direct Federated CA](#inpriva-direct-federated-ca)
+ - [INTEGRIS Direct Intermediate CA](#integris-direct-intermediate-ca)
+ - [iShare Medical Direct Intermediate CA](#ishare-medical-direct-intermediate-ca)
+ - [MedicaSoft Direct Intermediate CA](#medicasoft-direct-intermediate-ca)
+ - [Medicity Direct CA](#medicity-direct-ca)
+ - [MHIN Direct CA](#mhin-direct-ca)
+ - [Mirth Direct Intermediate CA](#mirth-direct-intermediate-ca)
+ - [MobileMD Direct Intermediate CA](#mobilemd-direct-intermediate-ca)
+ - [MRO Direct Intermediate CA](#mro-direct-intermediate-ca)
+ - [Oregon Health Authority Direct CA](#oregon-health-authority-direct-ca)
+ - [Orion Health Direct Secure Messaging CA](#orion-health-direct-secure-messaging-ca)
+ - [RelayHealth Direct CA](#relayhealth-direct-ca)
+ - [Rochester RHIO Intermediate 
CA](#rochester-rhio-intermediate-ca)
+ - [SCHIEx Direct CA](#schiex-direct-ca)
+ - [CA Certificates _Issued By_ DigiCert Federated Trust CA-1](#ca-certificates-issued-by-digicert-federated-trust-ca-1)
+ - [MIDIGATE CA](#midigate-ca)
+ - [Trinity Health Direct CA](#trinity-health-direct-ca)
+ - [CA Certificates _Issued By_ Orion Health Direct Secure Messaging CA](#ca-certificates-issued-by-orion-health-direct-secure-messaging-ca)
+ - [Alaska eHealth Network CA](#alaska-ehealth-network-ca)
+ - [Cal INDEX CA](#cal-index-ca)
+ - [Catholic Health Initiatives CA](#catholic-health-initiatives-ca)
+ - [Greenville Health System CA](#greenville-health-system-ca)
+ - [Highmark Tapestry HIE CA](#highmark-tapestry-hie-ca)
+ - [Huntsville Hospital System CA](#huntsville-hospital-system-ca)
+ - [Inland Empire Health Information Exchange](#inland-empire-health-information-exchange)
+ - [Jax HR Saint Vincents HIE CA](#jax-hr-saint-vincents-hie-ca)
+ - [KeystoneHIE KeyHIE CA](#keystonehie-keyhie-ca)
+ - [Louisiana Health Care Quality Forum CA](#louisiana-health-care-quality-forum-ca)
+ - [Mary Washington Healthcare CA](#mary-washington-healthcare-ca)
+ - [Mass HIway CA](#mass-hiway-ca)
+ - [Mississippi Division of Medicaid CA](#mississippi-division-of-medicaid-ca)
+ - [New Hampshire Health Information Organization CA](#new-hampshire-health-information-organization-ca)
+ - [New Mexico Health Information Collaborative CA](#new-mexico-health-information-collaborative-ca)
+ - [North Carolina Health Information Exchange CA](#north-carolina-health-information-exchange-ca)
+ - [North Dakota Information Technology Department CA](#north-dakota-information-technology-department-ca)
+ - [Oklahoma State Department of Health CA](#oklahoma-state-department-of-health-ca)
+ - [Optioncare CA](#optioncare-ca)
+ - [Orion Health Direct Secure Messaging Public HISP CA](#orion-health-direct-secure-messaging-public-hisp-ca)
+ - [Rush Health CA](#rush-health-ca)
+ - [Sutter Health CA](#sutter-health-ca)
+ 
- [The Koble Group CA](#the-koble-group-ca)
+ - [Western Connecticut Health Network CA](#western-connecticut-health-network-ca)
+
+
+**CA Certificates _Issued By_ DigiCert Federated Trust CA-1**
+
+- [MIDIGATE CA](#midigate-ca)
+- [Trinity Health Direct CA](#trinity-health-direct-ca)
+
+**CA Certificates _Issued By_ Orion Health Direct Secure Messaging CA**
+
+- [Alaska eHealth Network CA](#alaska-ehealth-network-ca)
+- [Cal INDEX CA](#cal-index-ca)
+- [Catholic Health Initiatives CA](#catholic-health-initiatives-ca)
+- [Greenville Health System CA](#greenville-health-system-ca)
+- [Highmark Tapestry HIE CA](#highmark-tapestry-hie-ca)
+- [Huntsville Hospital System CA](#huntsville-hospital-system-ca)
+- [Inland Empire Health Information Exchange](#inland-empire-health-information-exchange)
+- [Jax HR Saint Vincents HIE CA](#jax-hr-saint-vincents-hie-ca)
+- [KeystoneHIE KeyHIE CA](#keystonehie-keyhie-ca)
+- [Louisiana Health Care Quality Forum CA](#louisiana-health-care-quality-forum-ca)
+- [Mary Washington Healthcare CA](#mary-washington-healthcare-ca)
+- [Mass HIway CA](#mass-hiway-ca)
+- [Mississippi Division of Medicaid CA](#mississippi-division-of-medicaid-ca)
+- [New Hampshire Health Information Organization CA](#new-hampshire-health-information-organization-ca)
+- [New Mexico Health Information Collaborative CA](#new-mexico-health-information-collaborative-ca)
+- [North Carolina Health Information Exchange CA](#north-carolina-health-information-exchange-ca)
+- [North Dakota Information Technology Department CA](#north-dakota-information-technology-department-ca)
+- [Oklahoma State Department of Health CA](#oklahoma-state-department-of-health-ca)
+- [Optioncare CA](#optioncare-ca)
+- [Orion Health Direct Secure Messaging Public HISP CA](#orion-health-direct-secure-messaging-public-hisp-ca)
+- [Rush Health CA](#rush-health-ca)
+- [Sutter Health CA](#sutter-health-ca)
+- [The Koble Group CA](#the-koble-group-ca)
+- [Western Connecticut Health Network 
CA](#western-connecticut-health-network-ca)
+
+
+## What Should I Do?
+A majority of mission operational use cases will never encounter certificates issued from these CAs. Certificates from these CAs are primarily used for nationwide healthcare information systems and electronic health records.
+
+You can remove these CAs from trust list configurations used for the following purposes:
+
+- Federal government enterprise virtual private network (VPN) configurations
+- Federal government enterprise ICAM single-sign-on services
+- Federal government enterprise network authentication configurations
+- Federal government enterprise federation service configurations used for authentication of end users
+
+Removing the CAs from these trust list configurations may improve performance and reduce maintenance overhead.
+
+
+## Who Can I Contact for Help or More Information?
+Email us at fpki@gsa.gov
+
+## Additional Resources
+Details of each CA affected by this change are listed below. You can also download files with copies of the CA certificates. 
+ + +#### CA Certificates _Issued By_ DigiCert Federated ID CA-1 CA + +##### DigiCert Federated Trust CA +- Serial #: 0E569A999C8F5DDAF576E08A12759914 +- Not Before: 11/18/2011 +- Not After: 11/18/2023 +- AKI: D02B3BFF6871D6900CF7C47379C7997000E54740 +- SKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- Thumbprint (SHA-1 Hash): A6B8FEE249869E52A3039CB86B97DE5EFB6E8EB4 +- SPKI (SHA-256 Hash): BAE872B27520AF07BCEC1F276FAACF9A3F53793CC340D7C6ADC6D60F9D37D841 + +##### DigiCert Federated Trust CA-1 +- Serial #: 0E25E27258328AEBDA5BAE23412F0B83 +- Not Before: 8/24/2017 +- Not After: 1/14/2023 +- AKI: D02B3BFF6871D6900CF7C47379C7997000E54740 +- SKI: 6BD202D3D1A9638B394B45319A8F0CBE29E6012B +- Thumbprint (SHA-1 Hash): E29C44387F7BAA9F49EFCCAEA654BCE20CFF5FD3 +- SPKI (SHA-256 Hash): 6473D4F3B628CD1A39AD7DD43D6EC4E85418154A64581EC8A5EB85CABD09235F + +##### DigiCert Federated ID L1 CA +- Serial #: 0C7A7DCC53DDE3D580FC9688D3449627 +- Not Before: 10/30/2012 +- Not After: 10/30/2027 +- AKI: D02B3BFF6871D6900CF7C47379C7997000E54740 +- SKI: DE9A5CAE53D3C97418000031921B4A2709C87948 +- Thumbprint (SHA-1 Hash): 629D8910A0342BF54BC81CE857B1CDE8F197FDE6 +- SPKI (SHA-256 Hash): 3D40F285BCE77279A6510F123783B0663D35BA4CE5AABCA8FE412AB95584AD4A + +##### DigiCert Federated ID L2 CA +- Serial #: 0DBA21F019A2AF46C3614FE7E72721F8 +- Not Before: 1/8/2014 +- Not After: 1/8/2029 +- AKI: D02B3BFF6871D6900CF7C47379C7997000E54740 +- SKI: 0A26205117910D71DB3B3E5E0200A0E803B65519 +- Thumbprint (SHA-1 Hash): A6B6A96F9FE96A7ABD6D653F1C042B46DB997ABF +- SPKI (SHA-256 Hash): B8580D56E54732240057C330614D728E0FE31D4598671FEADAC59D7EA2743DFA + +##### DigiCert Federated ID L3 CA +- Serial #: 0FDAC8733E6F53E33102675179703290 +- Not Before: 1/8/2014 +- Not After: 1/8/2029 +- AKI: D02B3BFF6871D6900CF7C47379C7997000E54740 +- SKI: 8F23D3C49CEBC2A6964E3AF1CE88B28BE2935412 +- Thumbprint (SHA-1 Hash): B60E8344FC32949C23D31A294F867EA64A9BECF2 +- SPKI (SHA-256 Hash): 
0FFCB556F276AA77482A6A89EB1708AFB08DC32EE3D2D67199F00BA98DC8F436 + +##### DigiCert Federated ID L4 CA +- Serial #: 0AE4FB7C15E43A90A753212AFFCFE140 +- Not Before: 10/30/2012 +- Not After: 10/30/2027 +- AKI: D02B3BFF6871D6900CF7C47379C7997000E54740 +- SKI: E33A75499CDA442F6C86031C818B2857C8FFA232 +- Thumbprint (SHA-1 Hash): D69D7163302134697AFFBDB934E40CAB6AD57795 +- SPKI (SHA-256 Hash): E5F60FB3FCEA3DFB8BBF09B06F26077C46BFBB36966B611B6DCCCC0D2B591186 + +##### DigiCert Federated ID US L3 CA +- Serial #: 079E9B3BDD54A4449B220580F2602B97 +- Not Before: 1/8/2014 +- Not After: 1/8/2029 +- AKI: D02B3BFF6871D6900CF7C47379C7997000E54740 +- SKI: 0A8FEE0166735DE223EDA829E85592525AD0BE88 +- Thumbprint (SHA-1 Hash): 7FF5F80F53A0DF20C42A7D0DC544C68D684CD557 +- SPKI (SHA-256 Hash): D78BD9425A708E062927E3FE396AC22DF1414B1AE926FB6E868165C039197CAC + +> **Note**: Federal Bridge CA 2016 issued a cross certificate to the DigiCert Federated ID L3 CA on February 28, 2019. This will ensure operations for three (3) Electronic Prescriptions for Controlled Substance (EPCS) customers are not immediately impacted while we continue to review these systems and the use case. 
+ +##### DigiCert Federated ID US L4 CA +- Serial #: 0288147B73BE38D74651E1DCA065CD08 +- Not Before: 4/18/2013 +- Not After: 4/18/2028 +- AKI: D02B3BFF6871D6900CF7C47379C7997000E54740 +- SKI: 9AC44371300E3025A54AE9B4234ED338F3373FA8 +- Thumbprint (SHA-1 Hash): F7F5D745DB7AEADE2AA27E0D5AFAB9760BF8B8A4 +- SPKI (SHA-256 Hash): 07CCF59B26C0559F70F16FB8876444394F7148569D62CC06B07B18EBB1ECCCFF + + +#### CA Certificates _Issued By_ DigiCert Federated Trust CA + +##### AAMC Direct Intermediate CA +- Serial #: 0B6957DF612F5190A590DCA544B775A1 +- Not Before: 5/28/2015 +- Not After: 5/28/2025 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 4B322EA7FD956726D59CD8AE250C0C04284D71AD +- Thumbprint (SHA-1 Hash): 3C2C135BC01B3DF5B2F85AB78BB83698F1377116 +- SPKI (SHA-256 Hash): 317D690B644ADFBF8D3EBE4F235421A6840ED49945A15C787805B24A125E830A + +##### Allina Health Connect HIE Intermediate CA +- Serial #: 0A2F68961CDF5A7205CC820AD212BF21 +- Not Before: 12/8/2015 +- Not After: 12/8/2025 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: B051F97D55E4B8729FD13A680AD085DADA850F90 +- Thumbprint (SHA-1 Hash): 97C378CD81E32241D903CCC546BA6AD9C5C5880A +- SPKI (SHA-256 Hash): 92E2F8C212A70D9489D715A0D12379420ADAC5C4FBB551A4699E1B869FD11C4D + +##### Axesson Direct CA +- Serial #: 088F6B9D51E46E382D4D50F2F3FCF1C8 +- Not Before: 1/8/2014 +- Not After: 1/8/2024 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: BE8F4706EA5DBF8441C38E055111DAA347EF9CCB +- Thumbprint (SHA-1 Hash): C0A5BB8F511AB6BE007E0A5502E2E2F3998F958A +- SPKI (SHA-256 Hash): C76C23E36F825706D78B849E581CD1CB2BFBAC48D1BB500A177CB28FAFD536B3 + +##### Care360 Direct Intermediate CA +- Serial #: 0E117F35E685C8377C967FE06C8CD0D9 +- Not Before: 8/25/2015 +- Not After: 8/25/2025 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 56901A6BF9F4429A64A6072F1524EE8C280E2A63 +- Thumbprint (SHA-1 Hash): 81C35E4E102FB6CCC52FAB22D3A193E0A63E5223 +- SPKI (SHA-256 Hash): 
E1573E8E0951404B724AF2AF5DD5760B29262F4DDF628B8BD1F752816EF0A894 + +##### Cerner Corporation Direct Intermediate CA +- Serial #: 0ED8D84E972DB014A66912DFFE8FDA97 +- Not Before: 9/26/2014 +- Not After: 9/26/2024 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 52B72C85440C1F62F87B1C621ADD6C4DB98F0931 +- Thumbprint (SHA-1 Hash): 9C549F6C12662A37B0EDF91778444C1290D58D47 +- SPKI (SHA-256 Hash): B663DEB2964FE08D1485025A0469078E82BA828CF85C56A0E5D58CB1E39E0D09 + +##### Cerner Corporation Resonance Intermediate CA +- Serial #: 0D535AE73B9D531AAFAAD8E02686F9F7 +- Not Before: 11/11/2015 +- Not After: 11/11/2021 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 5F2474960E21A88FCD98F0DAF610779428D58A36 +- Thumbprint (SHA-1 Hash): 0D535AE73B9D531AAFAAD8E02686F9F7 +- SPKI (SHA-256 Hash): E02D3B571F6878D487DE5E2788E8509BBD127199E611E83C3AA24C1078B8CFD5 + +##### CompuGroup Medical Certificate Authority +- Serial #: 0898830DED1957A72AB05F28363241D5 +- Not Before: 12/8/2015 +- Not After: 12/8/2025 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 0D177F4A586EB40F15D1AAF3D1E486786C67E236 +- Thumbprint (SHA-1 Hash): 6A586F2CFCBED8C8C506A245AA59F329B45A84E5 +- SPKI (SHA-256 Hash): 8E215DE3D86027B3AABCA721136D295B33A5B8037C2F54C1C5ED18073379A0F7 + +##### Corepoint Direct Intermediate CA +- Serial #: 05B60D635544534278B24A48BCD8E8E3 +- Not Before: 1/14/2015 +- Not After: 1/14/2025 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 32688EEF55C5851961D2DB09D07EAE98912632BC +- Thumbprint (SHA-1 Hash): 1A9B160563BC27E23F6CA9EA4C5D18F3DDA7D08D +- SPKI (SHA-256 Hash): A5CC00D887AD3538AF5710CD60A985FDF35C9B036C201C69F3B0358BD7D6FE05 + +##### DigiCert Accredited Direct Med CA +- Serial #: 09547628F41064DB095087100950673E +- Not Before: 8/6/2013 +- Not After: 8/6/2023 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 77AE03566D1250157FFE10AB79BA2CB68C6F49D6 +- Thumbprint (SHA-1 Hash): DD110A059FE70BD57A26CA466AD7AE5573FAAF1F +- SPKI (SHA-256 Hash): 
6C9292A402CC644B4DF0CB4BE498662ACE4A34000FDD9DE6FE869E4DAEC0F2F4 + +##### DigiCert Direct Non-Provider CA +- Serial #: 024F7D6040D5E5FA85D13EC99EC83152 +- Not Before: 2/11/2014 +- Not After: 2/11/2024 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: F98866882657FB27637B3F6343D18B01CA3A12F3 +- Thumbprint (SHA-1 Hash): F6AABDD56AA6333C4BEA891688E75141D4F82D77 +- SPKI (SHA-256 Hash): 3FE5DAB75E102E06E3523093EE6A42A518684B3D036C25A0731A8C27E374705E + +##### DigiCert Federated Healthcare CA +- Serial #: 0656F256EAA1A6DFF943082ABAE7B4EA +- Not Before: 2/11/2014 +- Not After: 2/11/2024 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 824D97867C04CFD31144D21C1263C889417E2D3E +- Thumbprint (SHA-1 Hash): 0E694D69F792A2546B993D841A08AA4A85319C5B +- SPKI (SHA-256 Hash): 7E53D9869A0F6978EEE006E73C8508FAF7475B887692C4762E494C9D5F4CA731 + +##### DigiCert Governmental Direct CA +- Serial #: 0916AC4212F94019E734F0630DBF095F +- Not Before: 9/25/2015 +- Not After: 9/25/2025 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 702D4BA984011A8475F778A90949EC304BF96FEB +- Thumbprint (SHA-1 Hash): F5F0A823699425DA59C5C48B1848F36CB78B1BB2 +- SPKI (SHA-256 Hash): E93A89E2D242026C0D06DE7889B06E963B3B286F85F0D4DB819E54E2072B6E79 + +##### DigiCert Provisional Direct Med CA +- Serial #: 0BEE774D81066945E4EB6DB18C39AE3B +- Not Before: 6/3/2014 +- Not After: 6/3/2024 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 75AEE40F2EA9BEB233D9159AC994C1F730B435AA +- Thumbprint (SHA-1 Hash): 40EF4AFD9E41C1A7CB19D7AC603CBDAF4A6B0639 +- SPKI (SHA-256 Hash): AAB8548337A1266A4B049391497C3946BEF805ED395357879EFD0F9C3357517E + +##### Indian Health Service-RPMS DIRECT Messaging CA +- Serial #: 0933E5758078BBA93074A4D164FAA171 +- Not Before: 4/4/2014 +- Not After: 4/4/2024 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 1B73DB517EB2CDE145E054E06D2B9872F066C02A +- Thumbprint (SHA-1 Hash): 2B1BDA3A2B2015CD00CD7DFCE9832ACA58FD92C9 +- SPKI (SHA-256 Hash): 
E5E29329C19A97086075EF390BC0CD6550BC44BA30DB711F65113D9CF1819259 + +##### Inpriva Direct Federated CA +- Serial #: 0EDEB3BAB925834900B297481174C4F0 +- Not Before: 11/18/2011 +- Not After: 11/18/2021 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 7D174A10701A3F153BB4837AAE9FF128613E9E23 +- Thumbprint (SHA-1 Hash): 0983E63BFDAC2240FF648C1521DEE226DAD1E447 +- SPKI (SHA-256 Hash): 11B3D11879E58617BAB9AEC5E2D0C7764F5BDB5B2EC3469D8012662EDEE366B9 + +##### INTEGRIS Direct Intermediate CA +- Serial #: 01E9F27D867B6F81937EF4720B17E660 +- Not Before: 11/18/2014 +- Not After: 11/18/2024 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: CA8782FBA642FF63A96C4451CF74F76E8936E6BC +- Thumbprint (SHA-1 Hash): C28E0ADCB82438286285B2DA6BBCAB0980E30357 +- SPKI (SHA-256 Hash): 548AB06640FBDFC0902AA1B413031018C26AD8A3E219ADE869E99F49D64C1D05 + +##### iShare Medical Direct Intermediate CA +- Serial #: 0728BE4E2D23504FB44BB6D7ED21BAB7 +- Not Before: 1/14/2015 +- Not After: 1/14/2025 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 05A93FA6DE09C5DEB45DE9F2D0F94EFD3EE4B4DD +- Thumbprint (SHA-1 Hash): AD7937A799CD888A08BAA603A253759FDF73253E +- SPKI (SHA-256 Hash): C82A85BC54A85A5AE54A48584E5DBC4738C6DFCA242677AE5F2F1BE9C51F115D + +##### MedicaSoft Direct Intermediate CA +- Serial #: 0FFCEBA644F85AAFFF1C45BCB2DD74C2 +- Not Before: 4/28/2015 +- Not After: 4/28/2025 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 3DB1C40E4E7E977BA56F8592E0C8968C42AB0896 +- Thumbprint (SHA-1 Hash): E9F761B8D2BE9BE719B7D4D37DDD2A193EA240A0 +- SPKI (SHA-256 Hash): 57C8C86D14D9D8973087EFB1AAB734ED6ABB835B17F2ACF89B6A5DCE401F59CF + +##### Medicity Direct CA +- Serial #: 05376E815724C49DEC67CE208B8FA835 +- Not Before: 2/13/2014 +- Not After: 2/13/2024 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 59F455C75BEE76663263173997F79A74D86C0EB7 +- Thumbprint (SHA-1 Hash): 9278A953771BE9BDE82E37A9C19BDD29D974B907 +- SPKI (SHA-256 Hash): 
29C6DEEA67531B3EE41905E2BAA91907E0B997DA5B346F41A4B2B2154EACF0C2 + +##### MHIN Direct CA +- Serial #: 029FAFE71A57144DAF7CB403031616AF +- Not Before: 1/8/2014 +- Not After: 1/8/2024 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 39629D94ACF873DDB2FDA4D15C208641A497C6C9 +- Thumbprint (SHA-1 Hash): DCC8C9D8F2610843F5653876CF7E2879FC62CB41 +- SPKI (SHA-256 Hash): C8CEFF21E62EEC7B49D5C00B718A4B661223D52EE940DC5A1EDEEC21AAD298F9 + +##### Mirth Direct Intermediate CA +- Serial #: 094A57F3ED91461B4D4E47B015698B4F +- Not Before: 9/26/2014 +- Not After: 9/26/2024 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: B25C27C56F7962A1FD3EB46683A440BCCA37E07D +- Thumbprint (SHA-1 Hash): BB1B5A342AD6929AF28AAC038CF4ED8E5377FD3B +- SPKI (SHA-256 Hash): 3FBD2D26E6A90688784E5EC17965109E997DBE7C9F84E426B9955F8F504B3C88 + +##### MobileMD Direct Intermediate CA +- Serial #: 0E14FC08CF32009C59C596A1AFEEE1B1 +- Not Before: 10/21/2014 +- Not After: 10/21/2024 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 055244C67830566C0471612C12C8A493E14452AC +- Thumbprint (SHA-1 Hash): 633C3C8B7999E1D6998ECA1DB9D522961ED13379 +- SPKI (SHA-256 Hash): 285F267D69801CE8459D69A3C3BAA872EE8699F462F26ECB3F0C1C5604CC4BBB + +##### MRO Direct Intermediate CA +- Serial #: 0EDF2AA525860365D47A0662D3C9A48D +- Not Before: 10/21/2014 +- Not After: 10/21/2024 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: D245010C188D7330FCD40E2CFFA0E023E8B60CDB +- Thumbprint (SHA-1 Hash): 29431E91F570B976DA3B9A104FBC4CAA77E86C69 +- SPKI (SHA-256 Hash): 309B9EC320A5757B18045977BAA8F3320423372A4934FECFED93CBC5EAF7D3D0 + +##### Oregon Health Authority Direct CA +- Serial #: 0FE3D8092A6D7DF40369050171AF1E8B +- Not Before: 3/5/2014 +- Not After: 3/5/2024 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 6A4A9128687032385649F2BE4D5D09285131CC0D +- Thumbprint (SHA-1 Hash): 0A57575F663467ECCE525284C84E7ADBB29BD8C6 +- SPKI (SHA-256 Hash): 
0CD7582516043FDF87616AB4016F331E5EF1CC4B18B2C681D6F0941D48A94503 + +##### Orion Health Direct Secure Messaging CA +- Serial #: 0133727B8425DA865077348D70A96C03 +- Not Before: 10/21/2013 +- Not After: 10/23/2023 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- Thumbprint (SHA-1 Hash): C30BBDFA0C87E1F85D5C5F67315914305B88EA3B +- SPKI (SHA-256 Hash): 6C3148A661509D57D73F18C7E644A6573C55ED215C9F28AFA849B059948F1775 + +##### RelayHealth Direct CA +- Serial #: 0A1EC50E115F965EECCFFE5246BE3563 +- Not Before: 4/4/2014 +- Not After: 4/4/2024 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 58E321F302914D72C610BE5E29F5F8724D7921F0 +- Thumbprint (SHA-1 Hash): A0B3E7213BC44939788EEC7647EC18D45EBBA335 +- SPKI (SHA-256 Hash): F2BFD6BC69CD63088991ABA3AA4A7DC3C0B1FF2743B5F1960FEBB82FF6550545 + +##### Rochester RHIO Intermediate CA +- Serial #: 0B8C2A7EF1543A0E64C54FE60F0A7FB6 +- Not Before: 10/21/2014 +- Not After: 10/21/2024 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: 39979F30AABA80BECD81463F31EBD49FA936DAD1 +- Thumbprint (SHA-1 Hash): 36197F60193DC00077E84AEB27DCAB5F835A2E61 +- SPKI (SHA-256 Hash): 390ED57A8EC33CD534AD7B98E32D52CC5C8A46B65CE13D12F2B5B0AEA6CA3D54 + +##### SCHIEx Direct CA +- Serial #: 05E21F7FE97524F25B84EFC29188FEB8 +- Not Before: 6/7/2016 +- Not After: 6/7/2026 +- AKI: 4608385AA98E20BB0CAF5E31BA89B328BFAC8C36 +- SKI: CEE902347DAA0638416D04D5CFBAF2F03AA4435C +- Thumbprint (SHA-1 Hash): 0ECD0F4D9AB83326E91DC4CEC99C6FEFABDD3CCC +- SPKI (SHA-256 Hash): 9493051083E71E3404D462B36C4E89CEC4A397FFCDFCD10504316A3AD36C9E32 + +#### CA Certificates _Issued By_ DigiCert Federated Trust CA-1 + +##### MIDIGATE CA +- Serial #: 0C436FDCE81703C46951EB97CF926806 +- Not Before: 11/6/2017 +- Not After: 1/13/2023 +- AKI: 6BD202D3D1A9638B394B45319A8F0CBE29E6012B +- SKI: 240E400C2ED027DC1F2997EB1E9B2AC6D8E9A0C5 +- Thumbprint (SHA-1 Hash): FB597F2604CB7EEC8953935E2EF527CB83B67ECA +- SPKI (SHA-256 Hash): 
0F88A7105EBE623CAD76D22E7A0A4229A7BB43714ED06BB798D781500E9ABE07 + +##### Trinity Health Direct CA +- Serial #: 05511821092EC4F77D4836AF31BB170F +- Not Before: 8/24/2017 +- Not After: 1/13/2023 +- AKI: 6BD202D3D1A9638B394B45319A8F0CBE29E6012B +- SKI: A5C2E43A16B419C3E1FABC3E7EC758C353798BC1 +- Thumbprint (SHA-1 Hash): 91C374480ABA3BB9B46C8A870F95E0CA98CF0C70 +- SPKI (SHA-256 Hash): 5B7AAE96A364A9DEE4E69BD81A910B5E4AD11A0ACB153EB033657CF9C88179B5 + +#### CA Certificates _Issued By_ Orion Health Direct Secure Messaging CA + +##### Alaska eHealth Network CA +- Serial #: 07A42C0E8D2725E05DF2A012B520D378 +- Not Before: 10/22/2013 +- Not After: 10/22/2023 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: 3FC54CA205FF8E1C0EF1F6E9C36F05FC71CF2977 +- Thumbprint (SHA-1 Hash): 41C64D922958E527051246C6D26FB0A1C392A6EB +- SPKI (SHA-256 Hash): 75F904F9B4876E6AE3441C24ACC1F93D0C1A210928B3F0267F010925760E21AD + +##### Cal INDEX CA +- Serial #: 04E99C3BEA35EBC9C93115BB5873F769 +- Not Before: 7/12/2016 +- Not After: 7/12/2026 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: 8A713030C19507E7331887D1175656487894E608 +- Thumbprint (SHA-1 Hash): C7E2D4CEC6F65653956E4116D896691A18A13FCB +- SPKI (SHA-256 Hash): F46B700EC8CCB400E860EC1BD517C9AEC697DDB25B4516478644004CD204260B + +##### Catholic Health Initiatives CA +- Serial #: 5737EBA16AEBC582D962F2EA938CC59 +- Not Before: 8/19/2014 +- Not After: 8/19/2024 +- AKI: 0A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: 66D2726A1C675A9520BB6321E1D8E54C545242A2 +- Thumbprint (SHA-1 Hash): F32A0706A0632E565D79F317141619FF2D314562 +- SPKI (SHA-256 Hash): 7868086FD31FF11D876E7344CB545DC56716DB3C9C626A599A5DF7BFC214EB46 + +##### Greenville Health System CA +- Serial #: 039C60B26637C6B8E9B63B5A9EC588AA +- Not Before: 3/5/2014 +- Not After: 3/5/2024 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: E0ADB796C1268C12FC470B8A85779EBFE1525C31 +- Thumbprint (SHA-1 Hash): AA1FF6AE9B3B3F437A887B806CEF53689FD70CBD +- SPKI (SHA-256 Hash): 
C8FB8CC2924C78C2DAE2912AD02F052FFBA0A54EFFC77663FF97E63821ED4612 + +##### Highmark Tapestry HIE CA +- Serial #: 0B7D4F1EA2A013A2A1BE3AB00CD0407D +- Not Before: 8/19/2014 +- Not After: 8/19/2024 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: BEB1DC3128BCB53142C45CCB287A3A3BBFEFFFBA +- Thumbprint (SHA-1 Hash): E1CAD6EC91D6D1CFB2777AB023BEA496C2E2EDBE +- SPKI (SHA-256 Hash): B6F3758082B347CEAA3D2436030AEABA098E8BA1ADAC8A681E499EEEC7A6F756 + +##### Huntsville Hospital System CA +- Serial #: 0F0CCD49BA7A570FB90C8108BF1693A2 +- Not Before: 3/5/2014 +- Not After: 3/5/2024 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: E86E22CAF499502F44F4D42D62E76C5975DCFA19 +- Thumbprint (SHA-1 Hash): B75219D4843296613B6369AFC628078CBC69DCFA +- SPKI (SHA-256 Hash): E236742BE61F26AA1C35AE90DCEA25B920CD9128EAD32B69BC0B6B0E04EA2EE4 + +##### Inland Empire Health Information Exchange +- Serial #: 0F6D2AE4D2580E0CA9EB1D4E1EAD131D +- Not Before: 1/8/2014 +- Not After: 1/8/2024 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: 0C95F04752DB4BA4EBE747D289B65CD1AF3A3010 +- Thumbprint (SHA-1 Hash): C68C49E448435DC6BD352A0CD05B157CD1D1E29C +- SPKI (SHA-256 Hash): ABA80268F12EEA1037FBBF18A8253DED14316A7BFE84C2269802A8BBFE52DE09 + +##### Jax HR Saint Vincents HIE CA +- Serial #: 0C03AE8086FBACDDDD35ADF818F0979C +- Not Before: 2/16/2015 +- Not After: 2/16/2025 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: 0E7E0E62F9F8B72F4FC6F4783EAC87D21790CE00 +- Thumbprint (SHA-1 Hash): EFABA80CF00268CE78B5F21C11CF3494FED2751C +- SPKI (SHA-256 Hash): ED367E66155FD54C27842FAC81802DDB3839FC4E8569880592D6AE25BA9A7C74 + +##### KeystoneHIE KeyHIE CA +- Serial #: 02A537BC58D09EB0714B9004340C9504 +- Not Before: 8/19/2014 +- Not After: 8/19/2024 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: 976E49AA98A72FDABBA276C51EF206073DC70C22 +- Thumbprint (SHA-1 Hash): 62247623C912B6286AC3EFB0EA2E649720EAB7DE +- SPKI (SHA-256 Hash): 
06A14E63979CE1F42AED287C6E5BCFF6C5FF987B4CCEA622BC8E5A45B8FA2CC7 + +##### Louisiana Health Care Quality Forum CA +- Serial #: 0491751063891838340AD681034CF86A +- Not Before: 10/22/2013 +- Not After: 10/22/2023 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: FB88E1E7C123C6EB6B11D3F224D42F11962DDC9C +- Thumbprint (SHA-1 Hash): 9DB9E8FD19740D423B20E047FEDE8FCA03D6D599 +- SPKI (SHA-256 Hash): D2815EE9A325C079F3396BC9E8F24E5B5B194CC5E0CF2635FF48B39F07FC7E33 + +##### Mary Washington Healthcare CA +- Serial #: 0A3511BA0C581298F96CF119505F3FC3 +- Not Before: 3/5/2014 +- Not After: 3/5/2024 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: 302AF2922B485D0073E901735832EC0DC331D2FF +- Thumbprint (SHA-1 Hash): F2E05E1647BB5948040127E8E5515A38B24D0434 +- SPKI (SHA-256 Hash): DDF659CACDE9095019CC622F16308DF6A3D301AFC767170716F1255DA2F4A04A + +##### Mass HIway CA +- Serial #: 05A42A2A54A348EF8B10AAFCFDEDBB73 +- Not Before: 9/25/2015 +- Not After: 9/25/2025 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: 41F486F29C43C5AA9C525A7A3C7EF18431BC61BA +- Thumbprint (SHA-1 Hash): 7B3CE1AA5B8CB71DD8E7609AC7D144760C93CF84 +- SPKI (SHA-256 Hash): 3D5116D3A253451C0CB0D17D3FA3AAD1E3D07C1EFE79AA90B73AA369465BAB76 + +##### Mississippi Division of Medicaid CA +- Serial #: 07B268D3565D4EA118524BFE1A3088DD +- Not Before: 1/8/2014 +- Not After: 1/8/2024 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: B476B692CF0AF437BA2617FABF2011985A819271 +- Thumbprint (SHA-1 Hash): 03A88451EB50024EE1665F181BF511A623C724F3 +- SPKI (SHA-256 Hash): 4121DBF41295B77B1B6D97296EC621CDAEF8456618AC2C96D934623AE4589B6E + +##### New Hampshire Health Information Organization CA +- Serial #: 0FC78FF0B25CE0F20630C639C5A08C5F +- Not Before: 10/22/2013 +- Not After: 10/22/2023 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: 13CAA050FEDEAE9E4FDCAA61FDDC813C4BD7D695 +- Thumbprint (SHA-1 Hash): 6E2EF1187693A1C09E92DD083735BC7F39B3551E +- SPKI (SHA-256 Hash): 
15C69004AA0A3A876AE0B322485114CC225AD1D1482D9EADC6EC62BD4210580E + +##### New Mexico Health Information Collaborative CA +- Serial #: 057E0CDCDDB211396AB5242B1839CC0E +- Not Before: 9/26/2014 +- Not After: 9/26/2024 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: A331DD14B60608534B60294205572C40E1218C9E +- Thumbprint (SHA-1 Hash): 71440E4192C9C5F916D1BAC809C09E52C77A9661 +- SPKI (SHA-256 Hash): D66EBFC9869A49975D37670D8E3D156B0691887A52EB80F3C2D869AD6923760F + +##### North Carolina Health Information Exchange CA +- Serial #: 066B4604152D707EE44DD584B4EE81C4 +- Not Before: 3/5/2014 +- Not After: 3/5/2024 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: 0F16204B5D1DA1D4E50421288478FC6A472D11F3 +- Thumbprint (SHA-1 Hash): FF1414C895D1BC1EDC866BA333D2942B46EDCBCC +- SPKI (SHA-256 Hash): B0A3302C22C10B9B713448CBE47B10489D40965B078ECADC19E7269D405D27FF + +##### North Dakota Information Technology Department CA +- Serial #: 04357DD28DE9370678C5094E9940E821 +- Not Before: 1/10/2014 +- Not After: 1/10/2024 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: 95C5DFF9172828E13FF267EAD9113D43381C4BE1 +- Thumbprint (SHA-1 Hash): A295DF1D857F219D96A9EAAA8CB4DE725B634D63 +- SPKI (SHA-256 Hash): 7BA409DEE6B1B5D74AAE9C311A17432226D8F8BC02BC4690540F927B07031EEC + +##### Oklahoma State Department of Health CA +- Serial #: 04793AAA351A61AE7F2756A5E524B014 +- Not Before: 2/16/2015 +- Not After: 2/16/2025 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: 0972F7657FC66F353FB4CF13823895BE1D80A986 +- Thumbprint (SHA-1 Hash): E1245959AF582F9AF0B101198CD85C97970765F9 +- SPKI (SHA-256 Hash): C50453968E8DF547E854C8E99C9199B6926BD3A2DD0C1A56A58FBC1027693A49 + +##### Optioncare CA +- Serial #: 074F2D04ADEBFC19884F420FFF9DF2CF +- Not Before: 3/1/2016 +- Not After: 3/1/2026 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: AD758EFBA5158B51565195450D1A714BEC4F3E63 +- Thumbprint (SHA-1 Hash): A776F75611B2A7B548573DC29994F142DD363882 +- SPKI (SHA-256 Hash): 
D5CA301C0A1FF6A5E18A2B4537BAE2047AE6E757D432D82EADB40EB765DD4128 + +##### Orion Health Direct Secure Messaging Public HISP CA +- Serial #: 06406F00285529404B11F92A78E67DA9 +- Not Before: 10/22/2013 +- Not After: 10/22/2023 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: FBC2F9B415959A384D5574A0DFBD873BD5783D38 +- Thumbprint (SHA-1 Hash): DCDC844A0B183107A172802BF2489173A914B0C9 +- SPKI (SHA-256 Hash): FC3903663F33AABAADB3B9E047CBDE625DD02D088275A16F23B8F7A2F2C92E34 + +##### Rush Health CA +- Serial #: 04B43B1C31EAB7E37BEB31F0CC3DBADD +- Not Before: 4/23/2014 +- Not After: 4/23/2024 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: BE66CD9A79849F1B023EDB3D1AD08F32164996E0 +- Thumbprint (SHA-1 Hash): EC5C1E327D71840FD108557031AEAB63E762A207 +- SPKI (SHA-256 Hash): 1F89679357E72BC42B1B977022EA54CE733ABE3D5268C8077B7B9781D48727EA + +##### Sutter Health CA +- Serial #: 0C59E5800EE065EA52B5581A65775CC6 +- Not Before: 10/21/2014 +- Not After: 10/21/2024 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: DF2B01740E9469FA8F055F48EA1D986BACAEE5FC +- Thumbprint (SHA-1 Hash): 6887CAE99ECD54FEC484A90294C45973FBC12A08 +- SPKI (SHA-256 Hash): E6D7D13A3FAB0C1123CFAFBEE3AE1621790AC39E5D86AAB33EC72FDE60528A93 + +##### The Koble Group CA +- Serial #: 01BC6B791447CDA90A8A14E8204957FD +- Not Before: 6/21/2016 +- Not After: 6/21/2026 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: CF604AC6EDBDC504D9C96A179A34FCD3F9D4DE79 +- Thumbprint (SHA-1 Hash): 4D540D6E7BC3867D81178F98C5F21991247C2FBB +- SPKI (SHA-256 Hash): F9BC6EFB2686D571B863BA7558B4CC37D55F90A384A419FF06CBBBB49B22D94E + +##### Western Connecticut Health Network CA +- Serial #: 07295D1F92953D6776E2146E93A58957 +- Not Before: 3/5/2014 +- Not After: 3/5/2024 +- AKI: A56E22FF39693A23FB892417C66094001ADA8E9E +- SKI: 5B4B77AF749FD4F36146FE93C5AF8151A118075B +- Thumbprint (SHA-1 Hash): 948D1DAF1D124ACE83F6826192036EDC35C4D005 +- SPKI (SHA-256 Hash): 
22AE4FFC23AEE5E6369025594C915F20B453E45EB058E2EC54CD7DD8AE6C0F5E
+
+
+
diff --git a/_implement/announcements/06_digicert_ca_decommissioning.md b/_implement/announcements/06_digicert_ca_decommissioning.md
new file mode 100644
index 000000000..4ffb36a51
--- /dev/null
+++ b/_implement/announcements/06_digicert_ca_decommissioning.md
@@ -0,0 +1,36 @@
+---
+layout: page
+title: DigiCert CA Decommissioning
+pubDate: 04/01/2019
+archiveDate: 03/20/2020
+removeDate: 03/02/2022
+collection: implement
+category: Decommission
+#permalink: /fpki/announcements/2019digicert/
+description: Information related to the DigiCert CAs affected by this change.
+sidenav: implement
+sticky_sidenav: true
+category: Removed
+
+---
+
+DigiCert is planning on decommissioning several certification authorities (CAs) from the Federal PKI. These CAs are no longer active or required, and there is no expected impact from these changes.
+
+Remaining active certificates issued from any of the CAs listed in the table below will be revoked. Each CA planned for decommissioning will issue a long-lived CRL, and then have its signing CA certificate revoked by the Symantec Class 3 SSP Intermediate CA - G3 CA.
+
+The following CAs are planned for revocation and decommissioning:
+
+| Certificate Serial Number | Subject | Issuer |
+|---------------------------|---------|--------|
+| 0f76b14f6e3c3f3d78cc7cabf1e9d1f2 | CSC CA - 2 | Symantec Class 3 SSP Intermediate CA - G3 |
+| 22058f804d89edd93122c840987ac7ab | CSRA FBCA C4 Device CA | Symantec Class 3 SSP Intermediate CA - G3 |
+| 2aaa084cce8d13dc0b3b05b34e325922 | CSRA FBCA C4 CA | Symantec Class 3 SSP Intermediate CA - G3 |
+| 45aabdffdae1621d52b260daf7ef3bd7 | CSRA FBCA C3 Device CA | Symantec Class 3 SSP Intermediate CA - G3 |
+| 48b53c25944e6ed645339ecf1079fd37 | CSRA FBCA C3 CA | Symantec Class 3 SSP Intermediate CA - G3 |
+| 75c13dbed31093353c73618effdabe6e | SureID Inc. CA2 | Symantec Class 3 SSP Intermediate CA - G3 |
+| 4ff47dfa24d3aa3633dd4e55de80f870 | SureID Inc. 
Device CA1 | Symantec Class 3 SSP Intermediate CA - G3 |
+| 7bc54c654c3a41d738d48ac17ab603af | Eid Passport LRA Content Signer CA 3 | Symantec Class 3 SSP Intermediate CA - G3 |
+| 404d442e9c097771209218ac534936c3 | Eid Passport LRA Device 2 CA | Symantec Class 3 SSP Intermediate CA - G3 |
+
+## Who Can I Contact for Help or More Information?
+Email us at fpki@gsa.gov.
diff --git a/_implement/announcements/07_fpki-repository-migration.md b/_implement/announcements/07_fpki-repository-migration.md
new file mode 100644
index 000000000..206206a03
--- /dev/null
+++ b/_implement/announcements/07_fpki-repository-migration.md
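Review bot: The front matter of this new file declares `category:` twice (`category: Decommission` near the top and `category: Removed` just before the closing `---`), and 07_fpki-repository-migration.md does the same with `category: Migration` / `category: Removed`; YAML loaders do not merge duplicate keys, so one value is silently dropped and which one the site ends up filtering on depends on the parser. Keep a single `category:` line in each of the two files — presumably `category: Removed`, since both carry an `archiveDate`/`removeDate`, but that should be confirmed against how the announcements listing uses this key. 08_commong2.md also uses `date:` where every other announcement in this commit uses `pubDate:`; if the listing sorts or displays on `pubDate`, that file will be missing it.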
@@ -0,0 +1,52 @@
+---
+layout: page
+title: Upcoming Migration of Federal PKI Certificate Repository Services
+pubDate: 04/01/2019
+archiveDate: 03/30/2020
+removeDate: 03/30/2022
+collection: implement
+category: Migration
+#permalink: /fpki/announcements/2019fpkimigration/
+description: Information related to the upcoming migration.
+sidenav: implement
+sticky_sidenav: true
+category: Removed
+
+subnav:
+ - text: What Will Be Impacted?
+ href: '#what-will-be-impacted'
+ - text: When Will This Change Take Place?
+ href: '#when-will-this-change-take-place'
+ - text: What Should I Do?
+ href: '#what-should-i-do'
+ - text: Who Can I Contact for Help or More Information?
+ href: '#who-can-i-contact-for-help-or-more-information'
+
+---
+
+{% include alert-info.html content="Upcoming changes to the hosting of Federal Public Key Infrastructure Certification Authority (CA) data repositories could impact your agency." %}
+
+On April 22, 2019, the Federal Public Key Infrastructure Management Authority will migrate the hosting of HyperText Transfer Protocol (HTTP) repository services to a cloud-based solution. Existing Federal PKI CA certificate Uniform Resource Locators (URLs) **will not** change as a result of this migration.
+
+## What Will Be Impacted?
+
+This change will affect the hosting of certificate revocation lists, CA certificates, and certificate bundles for the following Federal PKI CAs:
+- Federal Bridge CA 2016
+- Federal Common Policy CA
+- SHA1 Federal Root CA
+- Some Test CAs operating for the FPKI Community Interoperability Test Environment (CITE)
+
+## When Will This Change Take Place?
+The migration will take place on April 22, 2019.
+
+## What Should I Do?
+This change will be transparent to Relying Parties, and should not require any agency action. 
+
+The FPKI Community Interoperability Test Environment HTTP repository [http://http.cite.fpki-lab.gov](http://http.cite.fpki-lab.gov){:class="usa-link usa-link--external"} has used the new service since June 2018 with no reported issues.
+
+A new base URL is available for anyone who would like to test the planned repository service update before the April 22, 2019 migration. For example, to download a copy of the Federal Common Policy CA certificate using the cloud-based hosting solution, navigate to [http://cdn.http.fpki.gov/fcpca/fcpca.crt](http://cdn.http.fpki.gov/fcpca/fcpca.crt){:class="usa-link usa-link--external"}.
+
+Contact fpki-help@gsa.gov with the subject “CDN Test Issue” if you'd like to learn more about testing or if you have any issues.
+
+## Who Can I Contact for Help or More Information?
+Email us at fpki-help@gsa.gov.
diff --git a/_implement/announcements/08_commong2.md b/_implement/announcements/08_commong2.md
new file mode 100644
index 000000000..6ea035808
--- /dev/null
+++ b/_implement/announcements/08_commong2.md
@@ -0,0 +1,56 @@
+---
+layout: page
+title: Federal Common Policy CA Update
+date: 10/12/2020
+removeDate: 10/11/2023
+collection: implement
+permalink: /implement/announcements/common-g2-update/
+description: Details on the Federal Common Policy CA G2 timeline and actions agencies need to perform.
+category: Active
+sticky_sidenav: true
+sidenav: fpkiannouncements
+
+subnav:
+ - text: What Will Be Impacted?
+ href: '#what-will-be-impacted'
+ - text: When Will This Change Take Place?
+ href: '#when-will-this-change-take-place'
+ - text: What Should I Do?
+ href: '#what-should-i-do'
+ - text: Who Can I Contact for Help or More Information?
+ href: '#who-can-i-contact-for-help-or-more-information'
+---
+
+{% include alert-info.html content="Upcoming changes to the Federal Common Policy Certification Authority (CA) will impact your agency. This announcement will be updated as more information is available." %}
+
+In **October 2020**, the Federal Government created a new Federal Public Key Infrastructure (FPKI) Root Certification Authority (CA). The new root is named the **Federal Common Policy CA G2**.
+
+Between December 2020 and June 2021, the CAs signed by the old root will be migrated to be signed by this new root: Federal Common Policy CA G2. Once the migration is complete, the old root will be decommissioned.
+
+## What Will Be Impacted?
+
+**This change will affect all federal agencies** and will have an impact on the following services:
+
+- Personal Identity Verification (PIV) credential authentication to the government networks
+- Agency web applications implementing client authentication (e.g., PIV authentication)
+- User digital signatures that leverage PIV or similar credentials
+- Other applications leveraging the Federal Common Policy CA as a root
+
+## When Will This Change Take Place? 
+Tentative time-line:
+- **October 14, 2020**: The Federal PKI Management Authority (FPKIMA) created the new Federal Common Policy CA G2 root
+- **October 15, 2020**: The FPKIMA team issued a cross certificate from the Federal Common Policy CA G2 to the Federal Bridge CA G4
+- **November 18, 2020**: The FPKIMA team will issue CA certificates to migrate agency and shared service providers CAs to the new root: Federal Common Policy CA G2
+- **December 2020 to June 2021**: All agencies will need to transition from using the old Federal Common Policy CA as the root to the new Federal Common Policy CA G2 *(approximately six months)*
+- **June 2021**: The FPKIMA team will decommission the old Federal Common Policy CA
+
+## What Should I Do?
+
+{% include alert-info.html content="We are collaborating with CISA on a series of webinars to communicate the upcoming changes and answer your questions. Email fpkirootupdate@gsa.gov to be notified of future events." %}
+
+To prevent issues, agencies **must** distribute the Federal Common Policy CA G2 root certificate as a trusted Root Certification Authority to workstations and servers.
+
+To prepare for the Federal Common Policy CA update, read our guide [here]({{ site.baseurl }}/fpki/common).
+
+## Who Can I Contact for Help or More Information?
+Email us at fpkirootupdate@gsa.gov.
diff --git a/_implement/announcements/09_test_tools.md b/_implement/announcements/09_test_tools.md
new file mode 100644
index 000000000..40928de36
--- /dev/null
+++ b/_implement/announcements/09_test_tools.md
@@ -0,0 +1,34 @@
+---
+layout: page
+title: New Test Tools Available
+pubDate: 05/18/2021
+removeDate: 05/18/2024
+collection: implement
+permalink: /implement/announcements/test-tools/
+description: Release announcement for the Card Conformance Tool (CCT) and Certificate Profile Conformance Tool (CPCT).
+category: Active
+sticky_sidenav: true
+sidenav: fpkiannouncements
+
+---
+
+GSA has created two tools to streamline Federal PKI Annual Review testing with remote evaluation capabilities.
+
+- [**Card Conformance Tool (CCT)**]({{site.baseurl}}/fpki/tools/cct/) - a GSA managed Java tool which validates that Personal Identity Verification (PIV) and PIV-Interoperable (PIV-I) smart cards are compliant with key standards.
+- [**Certificate Profile Conformance Tool (CPCT)**]({{site.baseurl}}/fpki/tools/cpct/) - a web site application that analyzes certificates for conformance to a specific Federal PKI profile document version and certificate profile.
+
+The tools enable entity representatives to perform testing directly, with results verified by the GSA FIPS 201 Evaluation Program support team. Benefits include:
+- Preemptive identification of possible issues during development and maintenance, and
+- Reduction in travel and related resource time costs. 
+
+For more information, see the following web sites:
+- Card Conformance Tool
+ - Latest release: [https://github.com/GSA/piv-conformance/releases](https://github.com/GSA/piv-conformance/releases){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+ - Support page: [https://github.com/GSA/piv-conformance/wiki](https://github.com/GSA/piv-conformance/wiki){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+
+- Certificate Profile Conformance Tool
+ - Latest release: [https://github.com/GSA/cpct-tool/releases](https://github.com/GSA/cpct-tool/releases){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+ - Support page: [https://github.com/GSA/cpct-tool/wiki](https://github.com/GSA/cpct-tool/wiki){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+
+## Who can I contact for help or more information?
+Email us at fpki@gsa.gov.
diff --git a/_implement/announcements/10_ldap_removal.md b/_implement/announcements/10_ldap_removal.md
new file mode 100644
index 000000000..02e5cac5b
--- /dev/null
+++ b/_implement/announcements/10_ldap_removal.md
@@ -0,0 +1,30 @@
+---
+layout: page
+title: FCPCA SIA LDAP Decommissioning
+pubDate: 10/11/2022
+removeDate: 10/11/2025
+collection: implement
+permalink: /implement/announcements/ldap-removal/
+description: The FPKIMA will be decommissioning the LDAP service associated with the old FCPCA root's SIA repository
+category: Active
+sticky_sidenav: true
+sidenav: fpkiannouncements
+
+---
+
+The FPKIMA team will be taking action to reduce unnecessary external activity on their repositories in order to avert potential negative impacts to availability.
+
+**Plan of Action:**
+The FPKIMA team is turning off its sole remaining LDAP repository services on 10/12/2022, this only impacts the SIA repository for the old Federal Common Policy CA (FCPCA) root.
+
+**Mitigating Factors:**
+The proposed action should not impact FPKI relying parties, provided they are properly configured to validate end entity certificates up to the Federal Common Policy CA G2 (FCPCAG2). This action is further reinforced given the following considerations:
+
+- The associated HTTP repository is still available - [http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c](http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c){:class="usa-link usa-link--external"}
+- LDAP support was deprecated in 2013, and the last certificate issued by the old FCPCA with an FPKI LDAP URI expired in 2020
+- The old FCPCA Self-signed root certificate expires in 2030 and contains one LDAP URI in the SIA to a Directory entry that contains no certificates
+
+As a result, of these mitigating factors, there should be no impacts to any relying parties that have successfully migrated to the [FCPCAG2 trust anchor]({{site.baseurl}}/fpki/certsandcrls/), nor is there an ability to dynamically conduct full path discovery and validation of an end entity certificate to the old FCPCA, per the previous migration effort.
+
+If you have any questions regarding this action please contact:
+fpki dash help at gsa dot gov 
diff --git a/_implement/announcements/11_cpct-transition.md b/_implement/announcements/11_cpct-transition.md
new file mode 100644
index 000000000..3a5bdf8e6
--- /dev/null
+++ b/_implement/announcements/11_cpct-transition.md
@@ -0,0 +1,22 @@
+---
+layout: page
+title: CPCT Tool transition from Cloud.gov
+pubDate: 10/21/2022
+removeDate: 10/21/2025
+collection: implement
+permalink: /implement/announcements/cpct-transition/
+description: The Certificate Profile Conformance Tool (CPCT) will transition from Cloud.gov.
+category: Active
+sticky_sidenav: true
+sidenav: fpkiannouncements
+
+---
+
+**Plan of Action:**
+In order to better serve the Federal PKI community, the CPCT application will transition from an online application to an application that can be hosted and run from an individual workstation. As part of this transition, the online version of CPCT at `cpct.app.cloud.gov` will be disabled this **Friday, October 21, 2022 at 5:00 pm EST**.
+
+**Mitigating Factors:**
+The next version of the tool and instructions for obtaining and installing it will be provided in the coming weeks.
+
+If you have any questions regarding this action please contact:
+fpki dash help at gsa dot gov
\ No newline at end of file
diff --git a/_implement/announcements/12_cpct_update.md b/_implement/announcements/12_cpct_update.md
new file mode 100644
index 000000000..0686c9a5b
--- /dev/null
+++ b/_implement/announcements/12_cpct_update.md
@@ -0,0 +1,26 @@
+---
+layout: page
+title: CPCT Tool Version Update
+pubDate: 1/12/2023
+removeDate: 1/12/2026
+collection: implement
+permalink: /implement/announcements/cpct-update101/
+description: The Certificate Profile Conformance Tool (CPCT) has been updated to account for Common Profiles v2.2.
+category: Active
+sticky_sidenav: true
+sidenav: fpkiannouncements
+
+---
+
+**CPCT Software Update:**
+
+In order to account for the recent FPKIPA approval of Common Policy X.509 Certificate and CRL Profiles v2.2, the CPCT has been updated to account for the changes since the previous version (v2.1). This update requires any local copies of the CPCT tool to be updated by removing the old version and reinstalling the newest release.
+
+**CPCT Update Instructions:**
+
+In order to update the CPCT tool you will need to remove any existing instances of the Docker image, and subsequently reintall the latest release. Please find the following links with more detailed instructions on this updgate process:
+1. [Remove the current Docker image](https://github.com/GSA/cpct-tool/wiki/Removing-Docker-Images){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+2. [Update the CPCT Tool](https://github.com/GSA/cpct-tool/wiki/Updating-the-CPCT-Tool){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+
+If you have any questions regarding this action please contact:
+fpki dash help at gsa dot gov
diff --git a/_implement/announcements/13_PT_TLS_CP.md b/_implement/announcements/13_PT_TLS_CP.md
new file mode 100644
index 000000000..cd2fb684d
--- /dev/null
+++ b/_implement/announcements/13_PT_TLS_CP.md
@@ -0,0 +1,23 @@
+---
+layout: page
+title: Public Trust PKI Certificate Policy Update
+pubDate: 2/10/2023
+removeDate: 2/10/2026
+collection: implement
+permalink: /implement/announcements/PT-TLS-CP/
+description: The US Federal Public Trust PKI Certificate Policy v1.0 is now archived and undergoing revision.
+category: Active
+sticky_sidenav: true
+sidenav: fpkiannouncements
+
+---
+
+**US Federal Public Trust TLS Certificate Policy**
+
+The current version (v1.0) of the [US Federal Public Trust TLS Certificate Policy](https://devicepki.idmanagement.gov/assets/docs/us-federal-public-trust-tls-cp.pdf){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} has been archived. This version of the policy was completed in 2019 in order to prepare for a publicly trusted government operated PKI aimed at facilitating TLS certificate issuance for .mil and .gov websites.
+
+**Document Updates**
+
+As the initial operational capability of the US Federal Public Trust PKI is nearing, the US Federal Public Trust TLS Certificate Policy is currently undergoing revisions in order to accomodate the Certification Authority/Browser (CA/B) Forum's most recent updates to their [baseline requirements](https://cabforum.org/baseline-requirements-documents/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} for public trust TLS.
+
+Moving forward the updated certificate policy will be appoved by the FPKIPA and published to [devicepki.idmanagement.gov](https://devicepki.idmanagement.gov/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, and will be annouced here in the [FPKI Playbook Annoucements]({{site.baseurl}}/fpki/announcements/), stay tuned. 
diff --git a/_implement/certs/DigiCert_Federal_SSP_Intermediate_CA_-_G5.cer b/_implement/certs/DigiCert_Federal_SSP_Intermediate_CA_-_G5.cer
new file mode 100644
index 000000000..b06f46300
Binary files /dev/null and b/_implement/certs/DigiCert_Federal_SSP_Intermediate_CA_-_G5.cer differ
diff --git a/_implement/certs/DigiCert_Federal_SSP_Intermediate_CA_-_G6.cer b/_implement/certs/DigiCert_Federal_SSP_Intermediate_CA_-_G6.cer
new file mode 100644
index 000000000..7ef726727
--- /dev/null
+++ b/_implement/certs/DigiCert_Federal_SSP_Intermediate_CA_-_G6.cer
@@ -0,0 +1,42 @@ +-----BEGIN CERTIFICATE----- +MIIHTTCCBTWgAwIBAgIUIx6zGZCF7oGH31x6WY7zNrNWCS8wDQYJKoZIhvcNAQEM +BQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsG +A1UECxMERlBLSTEkMCIGA1UEAxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcy +MB4XDTIyMDMxNjEzNDgxNVoXDTMyMDMxNjEzNDgxNVowWjELMAkGA1UEBhMCVVMx +FzAVBgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMTIwMAYDVQQDEylEaWdpQ2VydCBGZWRl +cmFsIFNTUCBJbnRlcm1lZGlhdGUgQ0EgLSBHNjCCAiIwDQYJKoZIhvcNAQEBBQAD +ggIPADCCAgoCggIBAM3hvLNMPwBdniBp5uPiwKXEccwoNZjMzYXbYxh32UOq5Apd +T4SSGT8vekSoz+pZxOAt2ERPsgBXNYN2lHA0b/OGZ4lL4SYIjTM63ED3CZF7mNUo +tY3mlrjuML81/HHUfEwUZbMlmr/vaEVlLghIqzj/t1HtdbE3CQr22sXz7xQ8URqz +jPnmlmVF5fG5hWnltYQ1JB7JDNDGundJ/OHSqJF0C6U7WTLkZUGpgcvyXRk6sT91 +KkLrPF52g0VGuX34YRpS2Mzt33yHKXm0K1H7lxUr9f4D9FtTq8qzxtHruJ/rSpnk +oUJWokZ9hX2IAreqXAQb4jYE6dFE9FTa1TktC7nY0YRMiYC9/OhMM/YsEj8lLIWL +B40Xcjh8KrnN0lu+CWOTjP8q8acGF05q/xR3riJeDk1MwlMnfxflLrEdmbVKyrmV +SVaccU0nHNcf0wO/0Y35klmPwirqOspMJLM5jf7c2kw2NI1cePPn1wY8Q5f3o+N3 +LlYVXjHOTrvMbkdpO8Yf0zFBkXGSa2arsViLf6GJhjyBZIFDPcgZ6Vz4dgjxZQYw +u/vSmpI7tKpvYjNZT403uJlfKAA7v99jO1gfjSt9+uGXrXKKKP0yO1Gvvw7EjGSv +EWFPZGUuPaQQRWWSJL3k2nCLTbcJHFmjo5pcpfd606wQoyF2rxmpoTtyQZQTAgMB +AAGjggIHMIICAzAdBgNVHQ4EFgQUHXYFakmPEVm63wvrTbK3DPomsckwHwYDVR0j +BBgwFoAU9CdcqcN8R/T6pqewWZeq3TUmF+MwDgYDVR0PAQH/BAQDAgEGMA8GA1Ud +EwEB/wQFMAMBAf8wgZcGA1UdIASBjzCBjDAMBgpghkgBZQMCAQMGMAwGCmCGSAFl +AwIBAwcwDAYKYIZIAWUDAgEDCDAMBgpghkgBZQMCAQMkMAwGCmCGSAFlAwIBAw0w +DAYKYIZIAWUDAgEDEDAMBgpghkgBZQMCAQMRMAwGCmCGSAFlAwIBAycwDAYKYIZI +AWUDAgEDKDAMBgpghkgBZQMCAQMpMFcGCCsGAQUFBwELBEswSTBHBggrBgEFBQcw +BYY7aHR0cDovL3NzcC1zaWEuZGlnaWNlcnQuY29tL1NTUC9DZXJ0c19pc3N1ZWRf +YnlfU1NQQ0FHNi5wN2MwEgYDVR0kAQH/BAgwBoABAIEBADANBgNVHTYBAf8EAwIB +ADBRBggrBgEFBQcBAQRFMEMwQQYIKwYBBQUHMAKGNWh0dHA6Ly9yZXBvLmZwa2ku +Z292L2ZjcGNhL2NhQ2VydHNJc3N1ZWRUb2ZjcGNhZzIucDdjMDcGA1UdHwQwMC4w +LKAqoCiGJmh0dHA6Ly9yZXBvLmZwa2kuZ292L2ZjcGNhL2ZjcGNhZzIuY3JsMA0G +CSqGSIb3DQEBDAUAA4ICAQBDCcVMy/qeJC1JCG2eYrEPECDAxulvD7v9QqAotnUE 
+y9tgDhYW2WC0RihduGxp7NWMIhkXXvwtxgqghKlVFqqMUVUwJNp/HNfe/qLs4WMq +zy6IQjPtIWuSC5XLgEXR53T3xxyaRjktWD53CJP1ujgU9FAVJZxYsBrZu2dOb52V +gfB3wBSBr3lZ4CpV7pYegbMcDoR8k5VDM4oZc2WaX+7PaP2ddLQZaMCzfLoEZ6+8 +FyUzh45ebkP4YRO/tZ5V3ZI3F0H0pao/6iffxltKkgHJWh5+lm6b4JKK08MWcUkj +neE/uq7Qyx8spr8CoaLqexsYjwrZIid0skmIWCGQuOTHxwk2ai3BD0PdJMC7iJdm +AxsllXMdFRxMzcpMINfdDKP9iPivTVvVsaXQ3BuGc1ZqB18/l1ENrQGXYK4D+jBg +5LEKRzQlj/qbjvfIV15ViHEFqYygwC9i47uXCPwER7P4KMwVcgSPD5wteXhlG6sd +ygW0ouDx30ZmydPKz64ddqm9dgoobaqRkdggMZD0Rm80BAU+zgEjD5ycEfGc7x5O +RESK7dTWNoWkTCyMxnawNdSkxq84ADIlO8V3yUHnYKJS5AjVMBQNgkWYwGB1o5dN +3aRfoQ6R7nQcudq92nzMKIBYg0Ep+x+Xh9mn5j6EUInJ7Bz2qqQ9U1w4bCZb7IBi +kw== +-----END CERTIFICATE----- diff --git a/_implement/certs/Entrust_Managed_Services_Root_CA.cer b/_implement/certs/Entrust_Managed_Services_Root_CA.cer new file mode 100644 index 000000000..9077e5962 Binary files /dev/null and b/_implement/certs/Entrust_Managed_Services_Root_CA.cer differ diff --git a/_implement/certs/Entrust_Managed_Services_Root_CA_Link.cer b/_implement/certs/Entrust_Managed_Services_Root_CA_Link.cer new file mode 100644 index 000000000..9e6367e4a Binary files /dev/null and b/_implement/certs/Entrust_Managed_Services_Root_CA_Link.cer differ diff --git a/_implement/certs/Federal_Common_Policy_CA_G2_from_FBCAG4.cer b/_implement/certs/Federal_Common_Policy_CA_G2_from_FBCAG4.cer new file mode 100644 index 000000000..7db002130 Binary files /dev/null and b/_implement/certs/Federal_Common_Policy_CA_G2_from_FBCAG4.cer differ diff --git a/_implement/certs/ORC_SSP_4.cer b/_implement/certs/ORC_SSP_4.cer new file mode 100644 index 000000000..13f3a2cb7 Binary files /dev/null and b/_implement/certs/ORC_SSP_4.cer differ diff --git a/_implement/certs/Symantec_SSP_Intermediate_CA_-_G4.cer b/_implement/certs/Symantec_SSP_Intermediate_CA_-_G4.cer new file mode 100644 index 000000000..d5ca95238 Binary files /dev/null and b/_implement/certs/Symantec_SSP_Intermediate_CA_-_G4.cer differ 
diff --git a/_implement/certs/US_Department_of_State_AD_Root_CA.cer b/_implement/certs/US_Department_of_State_AD_Root_CA.cer
new file mode 100644
index 000000000..be035a269
Binary files /dev/null and b/_implement/certs/US_Department_of_State_AD_Root_CA.cer differ
diff --git a/_implement/certs/US_Treasury_Root_CA.cer b/_implement/certs/US_Treasury_Root_CA.cer
new file mode 100644
index 000000000..944f22b13
--- /dev/null
+++ b/_implement/certs/US_Treasury_Root_CA.cer
@@ -0,0 +1,52 @@ +-----BEGIN CERTIFICATE----- +MIIJLjCCBxagAwIBAgIUJ58Jc3/l3T11NL4OpRr/ncQBhQEwDQYJKoZIhvcNAQEM +BQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsG +A1UECxMERlBLSTEkMCIGA1UEAxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcy +MB4XDTIyMDQwNjE3MDg0MFoXDTI1MDQwNjE3MDg0MFowgY4xCzAJBgNVBAYTAlVT +MRgwFgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxIzAhBgNVBAsTGkRlcGFydG1lbnQg +b2YgdGhlIFRyZWFzdXJ5MSIwIAYDVQQLExlDZXJ0aWZpY2F0aW9uIEF1dGhvcml0 +aWVzMRwwGgYDVQQLExNVUyBUcmVhc3VyeSBSb290IENBMIICIjANBgkqhkiG9w0B +AQEFAAOCAg8AMIICCgKCAgEA7D5nzQgGJWbAzFCMv5x7nb7bZ1ERbKGEfKVLg7XW +T8xTsL8CaItldWtTGGwbjiTH+sbLmk19jkfCQ7QhyipMHDfmFxEAa/aTc28nWquT +/Omt1yEunX2qQK7XA42gGYLRfkjcV8wr/gcHieQDERUKUSYPo/ecrzfcJ7S7xRpI +KqiBPlD5msWJjBHBsgZWvMpvT2tZuOU3nK47oQ3FNZtHUiUkYUtQieMRwk8TQ8Y0 +fdZ+rwJxWTo44LUJp4hXPgtdSSe+DFDJv+le8Ncvzw1cH8lJ8sjPjFvFCjeWVZVF +hDC/HR2BqnC7vqcSAyWCwsIaNNfn11kruLMf87SUdqKwWeLH+xJOh5slKV91+pee +7HqUYIawO3bLCeHZ2TXQfoN37n224IeFgzpR2t4fVRLlYYeZuFxRb4vInCIFMwvl +morOXitVCfaZd71Ws9GKO3Sg3ur9sNvKgBeE7A4mm5bEVRBS0Gpo+s6L9jdUPYvr +zV1bRx1f4IfIwuSbxl93Mn1JLLNFPS1nAHhROc1NzTf/1annVnPWt49xvJfeKmFa +gwkMKv3wFqa0UHF9TO8TYcO5jueOwfiHY6e9ASElT0ev5Wk3kaoP5wPWeP8Rhkt1 +HnD9puitgAiUNHsEol7osemoRQdlzmg5jZE306KGzwjbgNdX4QN8iGp/vt3rg+0s +FVkCAwEAAaOCA7MwggOvMB8GA1UdIwQYMBaAFPQnXKnDfEf0+qansFmXqt01Jhfj +MB0GA1UdDgQWBBQXS7gmuml6rRJQV0Uxnle7dKXaLzAOBgNVHQ8BAf8EBAMCAQYw +DwYDVR0TAQH/BAUwAwEB/zCB3QYDVR0gBIHVMIHSMAwGCmCGSAFlAwIBAwEwDAYK +YIZIAWUDAgEDAjAMBgpghkgBZQMCAQMSMAwGCmCGSAFlAwIBAxMwDAYKYIZIAWUD +AgEDFDAMBgpghkgBZQMCAQMGMAwGCmCGSAFlAwIBAwcwDAYKYIZIAWUDAgEDCDAM +BgpghkgBZQMCAQMkMAwGCmCGSAFlAwIBAw0wDAYKYIZIAWUDAgEDEDAMBgpghkgB +ZQMCAQMRMAwGCmCGSAFlAwIBAycwDAYKYIZIAWUDAgEDKDAMBgpghkgBZQMCAQMp +MIIBeQYDVR0hBIIBcDCCAWwwGAYKYIZIAWUDAgEDAQYKYIZIAWUDAgEFAjAYBgpg +hkgBZQMCAQMCBgpghkgBZQMCAQUDMBgGCmCGSAFlAwIBAwYGCmCGSAFlAwIBAwYw +GAYKYIZIAWUDAgEDBgYKYIZIAWUDAgEFBzAYBgpghkgBZQMCAQMHBgpghkgBZQMC +AQMHMBgGCmCGSAFlAwIBAwcGCmCGSAFlAwIBBQQwGAYKYIZIAWUDAgEDEAYKYIZI 
+AWUDAgEDEDAYBgpghkgBZQMCAQMQBgpghkgBZQMCAQUFMBgGCmCGSAFlAwIBAxIG +CmCGSAFlAwIBBQowGAYKYIZIAWUDAgEDEwYKYIZIAWUDAgEFCzAYBgpghkgBZQMC +AQMUBgpghkgBZQMCAQUMMBgGCmCGSAFlAwIBAxIGCmCGSAFlAwIBAy0wGAYKYIZI +AWUDAgEDEwYKYIZIAWUDAgEDLjAYBgpghkgBZQMCAQMUBgpghkgBZQMCAQMvMEAG +CCsGAQUFBwELBDQwMjAwBggrBgEFBQcwBYYkaHR0cDovL3BraS50cmVhc3VyeS5n +b3Yvcm9vdF9zaWEucDdjMBIGA1UdJAEB/wQIMAaAAQCBAQAwDQYDVR02AQH/BAMC +AQAwUQYIKwYBBQUHAQEERTBDMEEGCCsGAQUFBzAChjVodHRwOi8vcmVwby5mcGtp +Lmdvdi9mY3BjYS9jYUNlcnRzSXNzdWVkVG9mY3BjYWcyLnA3YzA3BgNVHR8EMDAu +MCygKqAohiZodHRwOi8vcmVwby5mcGtpLmdvdi9mY3BjYS9mY3BjYWcyLmNybDAN +BgkqhkiG9w0BAQwFAAOCAgEAcicSaU1ju+btaAOfCyP9Mx/sKibvR/mcEH6Ci8fH +rham75+mR7fyQ7C6PZhCQhFO3z0jLxW6IzpnKhpzp0oqJOkV75WkqKoCd/awpWyP +wAtrWHMjyb6s7AHcFwjAC0heK96ZMr+SOM7XopVYIAnQ4tYe1ON5lDBLmoJOpHOI +z1E4E+ubcwTuWygLAyL5IUHGYJQLM6J/bDhbRDbz6aeCxShXWZP7Aa+jhi0N1Zmy +HrZ1uukPpMX9R/qqhXSjzRYwxq6wozdbh+aj2OU3ZdRVKaCC04k9zr4lFVq1RtKc +34iYqtpbBCm1IWaLH1Uo4aovvJlxwEPEI0XBa50ILCkEYeOCTk59kBWgTTNx9R7F +FAA+DoTW1Y+1VibZpXxkgpBpFmiYBoI9LfwNh50n/lixxxoIGqe/fTup1yEaboph +qNchBlK5tRcfHDdAd24Vq4MCq1G+zUVzdLHK8nXcXGzNWa/KZvEsaAOkLx1bGyxp +0D8bYmsKWummm/jlMYq1RGHxFRMXPMbcn+IZmw5t8bC7wITvRlToRl6CCfE1cSx6 +9cgOqIVFIs43J18nymUYpKOirp3Km8uT47UyHTEgtn3VLKMhW1sN1zEjyYl4WcMo +Glja2xW0Wy8TFld3a+0O1YyH3BZhuC/1MvSaRVE64mHWnwnZqnDYw4xJ1OS1Q+l1 +8Eg= +-----END CERTIFICATE----- diff --git a/_implement/certs/Verizon_SSP_CA_A2.cer b/_implement/certs/Verizon_SSP_CA_A2.cer new file mode 100644 index 000000000..dc1e96498 Binary files /dev/null and b/_implement/certs/Verizon_SSP_CA_A2.cer differ diff --git a/_implement/certs/WidePoint_ORC_SSP_5.cer b/_implement/certs/WidePoint_ORC_SSP_5.cer new file mode 100644 index 000000000..4bc46ec4b Binary files /dev/null and b/_implement/certs/WidePoint_ORC_SSP_5.cer differ diff --git a/_implement/certs/WidePoint_SSP_Intermediate_CA.cer b/_implement/certs/WidePoint_SSP_Intermediate_CA.cer new file mode 100644 index 000000000..60070afca --- /dev/null 
+++ b/_implement/certs/WidePoint_SSP_Intermediate_CA.cer 
@@ -0,0 +1,41 @@ +-----BEGIN CERTIFICATE----- +MIIHLzCCBRegAwIBAgIUKPSaYpRAs/3wl6wP1G29lzU3kYcwDQYJKoZIhvcNAQEM +BQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsG +A1UECxMERlBLSTEkMCIGA1UEAxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcy +MB4XDTIzMDQwMzEzNTEzOFoXDTMzMDMxNTEzNTEzOFowRzELMAkGA1UEBhMCVVMx +EDAOBgNVBAoTB09SQyBQS0kxJjAkBgNVBAMTHVdpZGVQb2ludCBTU1AgSW50ZXJt +ZWRpYXRlIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAke629VY4 +Y+UxkQxDXkXDIhplmiWXlRLlQib3SU7KfQQZRqVK/HcibX/xTHNd1sdXUuDkZvtc +iepsaUYK9V9uWDt2HGppnLwyWr146VJxy+a7KqQ1PzB9/PfVUcSCVW4xKWbxAefr +Debk9KQ7ZHzKDFGoBvuzTb4sHSHtQQEyyLxs2bClltO/rXE51ejEp9c+ZlQ8OwB+ +zOfrRdUATbnDjqyq6maOckztG/7vkow/rKrDmDywLciFEaMuvuwCyUXFHGBSlZks +eIkA+LWUk+o9g/J0n0LUX12AXVH/8efgOrYnITlIHfkFkQCNLg4e60G2rVMTlqjf +BFKHBh8JUBS+k4/CfmXwC+0MCM7wfp7eIo0He6iLubpIzUf3h+i37eKJN7S0Uh5Q +D145LDqQPYGAVeUwcwW4Qpl5PvqKGtglf1BWvjGgS4BzLyanstZ+k8XFL4xRjeBf +14SMC2nbk2eSALuj2b/jA1wHvfr2gLE6ODxgKPsFHzi38nPHqwH6N/2fAnXb/Crx +h4bGzJyDkA0KZSUxWVXEVP4en3hyPZaAUgFgjvAAmllvnTolo/fLYYMuJAGPPkYK +Nz5pJ3ZrQfZnDbzuBzJRIN2KdVIWoT/mEfuobv2igb/DMXtFk8DwYkH8ZOcflgMC +NQYqM9XzwUDhR/Es7cUOUaAuk2GxtHdepYUCAwEAAaOCAfwwggH4MB0GA1UdDgQW +BBSLIwe3jgog8jb2uWE0v7j1w2u+6TAfBgNVHSMEGDAWgBT0J1ypw3xH9Pqmp7BZ +l6rdNSYX4zAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zCBiAYDVR0g +BIGAMH4wDAYKYIZIAWUDAgEDBjAMBgpghkgBZQMCAQMHMAwGCmCGSAFlAwIBAwgw +DAYKYIZIAWUDAgEDJDAMBgpghkgBZQMCAQMNMAwGCmCGSAFlAwIBAxEwDAYKYIZI +AWUDAgEDJzAMBgpghkgBZQMCAQMoMAwGCmCGSAFlAwIBAykwWwYIKwYBBQUHAQsE +TzBNMEsGCCsGAQUFBzAFhj9odHRwOi8vY3JsLXNlcnZlci5vcmMuY29tL2NhQ2Vy +dHMvY2FDZXJ0c0lzc3VlZEJ5V1BTU1BJbnRDQS5wN2MwEgYDVR0kAQH/BAgwBoAB +AIEBADANBgNVHTYBAf8EAwIBADBRBggrBgEFBQcBAQRFMEMwQQYIKwYBBQUHMAKG +NWh0dHA6Ly9yZXBvLmZwa2kuZ292L2ZjcGNhL2NhQ2VydHNJc3N1ZWRUb2ZjcGNh +ZzIucDdjMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly9yZXBvLmZwa2kuZ292L2Zj +cGNhL2ZjcGNhZzIuY3JsMA0GCSqGSIb3DQEBDAUAA4ICAQAfqN301L5mpqvZfoMY +tN+803N0VENm6UoXpy16dn07byXx5MEY45Q/5GEMdPMA9ZWNRr4OqA3tsgS706dN 
+k1wrZWxtv7fULpw9uVvZvdVaQSjju8Gts0AQod4STy/xg2v1J9mLWzqNm820Ez/z +AY4pay0IGQf2mXUspoyne2CY6WiV7tVptVfJVIcXNikJFG4EXYv0KG6Tth2cerd6 +X72ITeFSrsOw6S/Wzg4cDtoMoUPTNprvm5+hWzjmn1rrp3dKVjTGLdIl4Bcmrrs7 +4UiENnhgV2uOmcS/F3w4+NJOGg8Ff2gLpl7xCyFQ92bCXxGV2XwUaTOOk3DgI34Y +vdLQ4gyouQT8BrNyVLJK7IUYtPOD4mD0SKd/QrNqxMiuSoivhVCkwGdpzGqZYIM3 +1THe0mz01jwoTnC4InZ4QigL01viIqq4lA5xX5Z9Ge9ZLITsD1Fw63AbE+pQXSHh +96qnvJ0Z2pCC8CDJB2C2f2VKpp6q+pOiGW4+5hcw+VaJ9erLA5NBMrbd7WN4pUNd +yV4I3xIqkYTl6E+6IecJ0hHJmNe9I7Nq81+3e5bk/qV4ZSsM3VcaUS7nRC5RZRnK +8k0ZH5HGRBqzE77mEaSL2k9aW8q6jbhXMhDsdh+oJEY2EAoU0qpjajkYnvLB4Ez6 +Bzogjx+Ht7jeJYYCZMjKjQrTEQ== +-----END CERTIFICATE----- diff --git a/_implement/certs/federal_bridge_ca_g4.cer b/_implement/certs/federal_bridge_ca_g4.cer new file mode 100644 index 000000000..ed5a51c53 Binary files /dev/null and b/_implement/certs/federal_bridge_ca_g4.cer differ diff --git a/_implement/certs/fpki-unmanaged-bundle.mobileconfig b/_implement/certs/fpki-unmanaged-bundle.mobileconfig new file mode 100644 index 000000000..ad37a56e3 --- /dev/null +++ b/_implement/certs/fpki-unmanaged-bundle.mobileconfig 
@@ -0,0 +1,877 @@ + + + + + PayloadContent + + + PayloadCertificateFileName + federal_bridge_ca_g4.cer + PayloadContent + + MIIHNDCCBRygAwIBAgIUI0IAvqptraZY9TtAP0GClSkMroIwDQYJ + KoZIhvcNAQEMBQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Uu + Uy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UEAxMb + RmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMB4XDTIwMTAxNTE1 + NTI0NloXDTI5MTIwNjE2NTI0NlowVTELMAkGA1UEBhMCVVMxGDAW + BgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEd + MBsGA1UEAxMURmVkZXJhbCBCcmlkZ2UgQ0EgRzQwggEiMA0GCSqG + SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDlJxRYAIEBQGhhiUzNMWWr + VUSvyQ4Lc+6ltq+L6l+023wOsa+VFdczCUJQHT9v75gUXQ+RQpFO + zvp8xp6jz7rGtSj9avrPw3n9c2nhkg8sHQhYyfkzMrXMqxh3QwEL + hMGwZHUQZMZWr8Vr0Vwx8DddhGxyQwpyv7GusjVwJ79qEduI38fl + 6hxaju8LrfN8oBFeDhWpAM6Dip0vY60TK2ymVoRvI8zy3Gy4fjOl + SbnjwNpf0knOyKXYxYCdmUmIbeVZffIK+pNxidx96khD6F/q5w/7 + QnI50srpKGURzhkJgGggb2SfA7dyYVNptvl01B7dww3f02vrUol1 + VUwn+37fAgMBAAGjggLzMIIC7zAdBgNVHQ4EFgQUefAASet/d8Jd + QQJlNIqQI5seB28wHwYDVR0jBBgwFoAU9CdcqcN8R/T6pqewWZeq + 3TUmF+MwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8w + gfkGA1UdIASB8TCB7jAMBgpghkgBZQMCAQMBMAwGCmCGSAFlAwIB + AwIwDAYKYIZIAWUDAgEDDjAMBgpghkgBZQMCAQMPMAwGCmCGSAFl + AwIBAxIwDAYKYIZIAWUDAgEDEzAMBgpghkgBZQMCAQMUMAwGCmCG + SAFlAwIBAwYwDAYKYIZIAWUDAgEDBzAMBgpghkgBZQMCAQMIMAwG + CmCGSAFlAwIBAyQwDAYKYIZIAWUDAgEDDTAMBgpghkgBZQMCAQMQ + MAwGCmCGSAFlAwIBAxEwDAYKYIZIAWUDAgEDJzAMBgpghkgBZQMC + AQMoMAwGCmCGSAFlAwIBAykwgY0GA1UdIQSBhTCBgjAYBgpghkgB + ZQMCAQMGBgpghkgBZQMCAQMDMBgGCmCGSAFlAwIBAwcGCmCGSAFl + AwIBAwwwGAYKYIZIAWUDAgEDEAYKYIZIAWUDAgEDBDAYBgpghkgB + ZQMCAQMIBgpghkgBZQMCAQMlMBgGCmCGSAFlAwIBAyQGCmCGSAFl + AwIBAyYwUQYIKwYBBQUHAQsERTBDMEEGCCsGAQUFBzAFhjVodHRw + Oi8vcmVwby5mcGtpLmdvdi9icmlkZ2UvY2FDZXJ0c0lzc3VlZEJ5 + ZmJjYWc0LnA3YzASBgNVHSQBAf8ECDAGgAEAgQECMA0GA1UdNgEB + /wQDAgEAMFEGCCsGAQUFBwEBBEUwQzBBBggrBgEFBQcwAoY1aHR0 + cDovL3JlcG8uZnBraS5nb3YvZmNwY2EvY2FDZXJ0c0lzc3VlZFRv + ZmNwY2FnMi5wN2MwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDovL3Jl + cG8uZnBraS5nb3YvZmNwY2EvZmNwY2FnMi5jcmwwDQYJKoZIhvcN + 
AQEMBQADggIBABqJXcmGT7KQFbGtDn1t2sSlzjk7uneiOkIhtBEC + XHm0tCAdgbhfaFpaKP6tRwVMgurJRxRFo+EiLtJOSx8VvBLMlrNz + nKP5NIPIHi1LQbJyigx4Vku+XND41XYFgr4Tid6oDAfrKR/5IDhc + uK4wQ7ygAw8gXfCqp0Xh6M1hJyJv5UgecKxXh2mt6SY5ymJWfQHw + COBjDfQaWV6DRgJKtWtyB3KDGPOo3Ri8sxnVD3whUMiCp4g4iiKA + lWafsRMSxrT5QA+nMA5sD/i+YyYO6oUOfLzLGai6EVXHG2oDeUD+ + Z15h88K0O3hQqzlWI/6hyZqVDB63NPVmAYDyDcvAIFcaVKcjh/7v + 26D6d0YqA6mD0GaKKMBHuEvdasZ1nSUm0mj37U97mTL4UQoRy2pC + w20EidhxP81obO5wCw9ZNWh96/pGQ4Bof/jiSmIP75ZulsvtVbVE + 3aFm0ejfwNahXtwEgMAsxlv1KvXN0Cj8f6QgYojJuavgpXdUSQmq + N3iZj+cpmPuGC9EZpjk3DSnKqqgZdGNgAba7DsDGWQ5ZTqAVKvuQ + SPeL/wGpghuX75cNkPKG9XnCxAI59sOJp+xyuKHSr/YQ+/H0Im2O + q9YWIbwV5b4vfdihUbA9Y4n2EyDCrkcypREh1zbjESKiXDB4NvDP + ciGH+u3lXW8kKBMYV2t8 + + PayloadDescription + Adds a PKCS#1-formatted certificate + PayloadDisplayName + Federal Bridge CA G4 + PayloadIdentifier + com.apple.security.pkcs1.11A4D5E0-8EB8-4177-BDDC-041EF0BB047A + PayloadType + com.apple.security.pkcs1 + PayloadUUID + 11A4D5E0-8EB8-4177-BDDC-041EF0BB047A + PayloadVersion + 1 + + + PayloadCertificateFileName + Symantec_SSP_Intermediate_CA_-_G4.cer + PayloadContent + + MIIGLzCCBBegAwIBAgIUJivR8CXIrzczRUVmbqbJ6pRsLDQwDQYJ + KoZIhvcNAQEMBQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Uu + Uy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UEAxMb + RmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMB4XDTIwMTExODE0 + NDI0MVoXDTI0MTExMjE0NDI0MVowWDELMAkGA1UEBhMCVVMxHTAb + BgNVBAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMSowKAYDVQQDEyFT + eW1hbnRlYyBTU1AgSW50ZXJtZWRpYXRlIENBIC0gRzQwggEiMA0G + CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDf7AaRyHztQNpQRygN + Bu7MivKvND+elmYuA6m1BZUROEUy7Y7BfQo2Xje0CZKSHOdfmYlm + 6GxTKFZIzjVSArtd2wwOWT9vz6+h2GjME/UdGCpOImHd9EXkzofi + gopI9PtYmdDH/6KFfI1lV6OjrYPK6qMU2+HROX7mxzQbIVrv9E0d + aSVTgzUuE8K1XXxrh4iKgL0NZrbOU4SlLovhNpmmQ2bz5mWYivkx + srdM/4N72c96tMgfVReMZK24IAspPfZh6bl/lW73USqCI3VUCaOd + 857TGQmQzTRbQLu/GfOtk5uS9Tt5fJ7bCX0mcW9H+5yRdwzdr6GR + HJ4Q6eqmz0cbAgMBAAGjggHrMIIB5zAdBgNVHQ4EFgQU/8w00dtK + 
4eHCC9Lb64B8cwx1X2YwHwYDVR0jBBgwFoAU9CdcqcN8R/T6pqew + WZeq3TUmF+MwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB + Af8weQYDVR0gBHIwcDAMBgpghkgBZQMCAQMGMAwGCmCGSAFlAwIB + AwcwDAYKYIZIAWUDAgEDCDAMBgpghkgBZQMCAQMkMAwGCmCGSAFl + AwIBAw0wDAYKYIZIAWUDAgEDEDAMBgpghkgBZQMCAQMRMAwGCmCG + SAFlAwIBAycwWgYIKwYBBQUHAQsETjBMMEoGCCsGAQUFBzAFhj5o + dHRwOi8vc3NwLXNpYS5zeW1hdXRoLmNvbS9TU1AvQ2VydHNfaXNz + dWVkX2J5X1NZTUNTU1BDQUc0LnA3YzASBgNVHSQBAf8ECDAGgAEA + gQEAMA0GA1UdNgEB/wQDAgEAMFEGCCsGAQUFBwEBBEUwQzBBBggr + BgEFBQcwAoY1aHR0cDovL3JlcG8uZnBraS5nb3YvZmNwY2EvY2FD + ZXJ0c0lzc3VlZFRvZmNwY2FnMi5wN2MwNwYDVR0fBDAwLjAsoCqg + KIYmaHR0cDovL3JlcG8uZnBraS5nb3YvZmNwY2EvZmNwY2FnMi5j + cmwwDQYJKoZIhvcNAQEMBQADggIBACS8hsZFvHoUBFFmAGvsr763 + gw78iEjz9zo5ODyiuEloBM1i9gUOsGujFBUWMWYv89vZzK8BtwJP + vJ+Akiz9zWyMBxfMItdZXWLxw4AeYQQ3Ir6cOjXTy8IK6ZGyl73N + M3PSeJ+hmavMcRRXhiiR2Tt7IT+rCd9/QSAfvLd55Pp54DQEK/Xf + WXFunOQDOl0mnIc9q/cZTTg7cbZHl5cvikFLyxAFN97pQVr9WjFQ + 193yZfofwS1kGAKCHJfrOsQi/I//+xovcX0cdY1DAe7jsThKdeE0 + QexHKFJhbm9+ZleFv+HHmlFFHYrx703FxkzWeq0MNFINmp76bOce + vFvo30AjOzGfdXyHD9V7MuyX37Hp8fFAJGSJ9WeWuUGSNWhi+SMu + +L7IySdWZo/m5WzRYLd7rfMPpUbuS3Ne49fZIqGNmjGwSKaiFntK + imXaeXOWPWvQYxVIBtS4UKLEtCGEn2QirZNd8tjqBGlYMMPmX1+s + 0W1WFLQLUWddNw+7v4z7rox6lccZmJeIorZONbH+dLWX5t5BSyyk + eSxI0LWkcrIvEFw/sWREWggc7YAQtaIr+W4SgFst5VGJ4AAU6icC + NCepUiquHg06f7xWsoQ+yTNIyG7YliWqXCDGNouPfUfAjredXmQW + ntjHxMc51c3Pzt+AqsYxnrggK2KwNtg9l1Db + + PayloadDescription + Adds a PKCS#1-formatted certificate + PayloadDisplayName + Symantec SSP Intermediate CA - G4 + PayloadIdentifier + com.apple.security.pkcs1.FF48FBDC-E464-4F40-B9F8-E3DCED78835C + PayloadType + com.apple.security.pkcs1 + PayloadUUID + FF48FBDC-E464-4F40-B9F8-E3DCED78835C + PayloadVersion + 1 + + + PayloadCertificateFileName + fcpcag2 (1).crt + PayloadContent + + MIIF3TCCA8WgAwIBAgIUIeW5oMyVbeJ4ygErqP3Fipiz++owDQYJ + KoZIhvcNAQEMBQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Uu + Uy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UEAxMb + 
RmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMB4XDTIwMTAxNDEz + MzUxMloXDTQwMTAxNDEzMzUxMlowXDELMAkGA1UEBhMCVVMxGDAW + BgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEk + MCIGA1UEAxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMIIC + IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA19fTFzEmIRgQ + KkFty6+99sRRjCTYBYh7LloRpCZs4rgpBk+/5P4aZYd5v01GYBfO + KywGJyFh4xk33/Q4yACoOT1uZOloNq/qhhT0r92UogKf77n5JgMh + vg/bThVB3lxxahZQMM0YqUhg1rtaKRKsXm0AplhalNT6c3mA3YDS + t4+75i105oE3JbsFjDY5DtGMYB9JIhxobtWTSnhL5E5HzO0GVI9U + vhWAPVAhxm8oT4wxSOIjZ/MywXflfBrDktZu1PNsJkkYJpvFgDmS + FuEPzivcOrytoPiPfgXMqY/P7zO4opLrh2EV5yA4XYEdoyA2dVD8 + jmm+Lk7zgRFah/84P2guxNtWpZAtQ9Nsag4w4EmtRq82JLqZQlyr + MbvLvhWFecEkyfDzwGkFRIOBn1IbUfKTtN5GWpndl8HCUPbR2i7h + pV9CFfkXTgsLGTwMNV2xPz2xThrLDu0jrDG+3/k42jB7KH3SQse7 + 2yo6MyNF46uumO7vORHlhOTVkWyxotBU327XZfq3BNupUDL6+R4d + UG+pQADSstRJ60gePp0IAtQSHZYd1iRiXKpTLl0kofB2Y3LgAFNd + YmaHrbrid0dlKIs9QioDwjm+wrDLAmuT4bjLZePhc3qt8ubjhZN2 + Naz+4YP5+nfSPPClLiyM/UT2el7eY4l6OaqXMIRfJxNIHwcCAwEA + AaOBljCBkzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB + BjAdBgNVHQ4EFgQU9CdcqcN8R/T6pqewWZeq3TUmF+MwUQYIKwYB + BQUHAQsERTBDMEEGCCsGAQUFBzAFhjVodHRwOi8vcmVwby5mcGtp + Lmdvdi9mY3BjYS9jYUNlcnRzSXNzdWVkQnlmY3BjYWcyLnA3YzAN + BgkqhkiG9w0BAQwFAAOCAgEAAWQ3MAzwzr3O1RSBkg06NCj7eIL7 + /I5fwTBLhpoMhE0XoaoPUie0gqRo3KO2MhuBtacjy55ihIY87hSh + GoKQcbA1fh7e4Cly5QkOY+KbQsltkKzgod2zmPyC0bEOYD2LO141 + HyeDWdQ6dDXDz6dr8ObntOfMzgdo7vodCMuKU8+ysTdxRxTCi6AV + z3uqe5k+ObJYpC0aXHNMy1OnFgL6oxMeGMlSecU/QUAIf0ncDurY + FSctFwXitTC0CrcLO9/AGHqTFSHzUrIlbrgd/aGO+E3o3QoU+ThC + PPnu1K2KZLG4pyMqdBm4y7rVGPRikLmFhIv/b6b2CL8yiYL0+mJD + crTVs0PYfALtQxMpSA8n053gajlPwhG3O5jcL8SzqlaGPmGqpnEi + 9aWAYHJXTzbjzGUAc2u8+Kw8Xv4JffhVWIxVKH4NS5PCtgXwxifg + rmPi0/uU1w0crclEsSsya7FIBVRTURoSwwda25wIIWPIkQsQK1sn + JxgEyUzXi10MUDR0WSDqQAdhbOLcmcyhED5hphYQnf8sD8FpoUDj + oLCPkU/ytfZoplmcBM4SQ4Ejgjyk63vMqBDcCMXTHciFTsV2e+aR + eLvIvU4YmaBQQl3vCFj1qMPIkRsTby1Ff8hRDQG3kH0vefcVtcic + sdU8kV2Mee/xJ/c0cIHZWMw0HoRZPbo= + + PayloadDescription + Adds a CA root 
certificate + PayloadDisplayName + Federal Common Policy CA G2 + PayloadIdentifier + com.apple.security.root.5585E2D8-10EB-4D48-8A1D-752AEAA2E973 + PayloadType + com.apple.security.root + PayloadUUID + 5585E2D8-10EB-4D48-8A1D-752AEAA2E973 + PayloadVersion + 1 + + + PayloadCertificateFileName + U.S. Department of State AD Root CA.cer + PayloadContent + + MIIJrDCCB5SgAwIBAgIEUbC4bzANBgkqhkiG9w0BAQsFADCBsTET + MBEGCgmSJomT8ixkARkWA3NidTEVMBMGCgmSJomT8ixkARkWBXN0 + YXRlMRYwFAYDVQQDDA1Db25maWd1cmF0aW9uMREwDwYDVQQDDAhT + ZXJ2aWNlczEcMBoGA1UEAwwTUHVibGljIEtleSBTZXJ2aWNlczEM + MAoGA1UEAwwDQUlBMSwwKgYDVQQDDCNVLlMuIERlcGFydG1lbnQg + b2YgU3RhdGUgQUQgUm9vdCBDQTAeFw0wNDA2MjMxNzUwNTVaFw0z + NDA2MjMxODIwNTVaMIGxMRMwEQYKCZImiZPyLGQBGRYDc2J1MRUw + EwYKCZImiZPyLGQBGRYFc3RhdGUxFjAUBgNVBAMMDUNvbmZpZ3Vy + YXRpb24xETAPBgNVBAMMCFNlcnZpY2VzMRwwGgYDVQQDDBNQdWJs + aWMgS2V5IFNlcnZpY2VzMQwwCgYDVQQDDANBSUExLDAqBgNVBAMM + I1UuUy4gRGVwYXJ0bWVudCBvZiBTdGF0ZSBBRCBSb290IENBMIIB + IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuTZfs7EF2kri + a8OXf0pcENkKKa/Zb5pVr6UZbrT0pe1+Q4OVkslNldLvviRNLqaz + obPmSPVktuzCvmt9jpjM04Oh1c6Tt3Lq0YjP4eXyawBAWBXl6Lq9 + KFB2BcFnAoYtZNJmZDK2+FjvflqaUxZSL/W+zEoGjqB+VE1DRORw + DDA4D1UBpyLMcpX7Re4pAspXeOTe+uBwy3ZX88No9ER59Z7RMNqt + KaerxmwTff0T4fe6zqiayiK94nhOAc8N2/oABeMpo3CjooJdpYof + DyRuWabhpj8Dpll4fq5sJ8wDOqUJh6f8VwyD6iceYb036DirCYQY + nj4MEDnNG5WILFzO5wIDAQABo4IEyDCCBMQwDwYDVR0TAQH/BAUw + AwEB/zAOBgNVHQ8BAf8EBAMCAQYwgd0GA1UdIASB1TCB0jAMBgpg + hkgBZQMCAQYBMAwGCmCGSAFlAwIBBgIwDAYKYIZIAWUDAgEGAzAM + BgpghkgBZQMCAQYEMAwGCmCGSAFlAwIBBgwwDAYKYIZIAWUDAgED + BjAMBgpghkgBZQMCAQMHMAwGCmCGSAFlAwIBAwgwDAYKYIZIAWUD + AgEDDTAMBgpghkgBZQMCAQMQMAwGCmCGSAFlAwIBAxEwDAYKYIZI + AWUDAgEDJDAMBgpghkgBZQMCAQMnMAwGCmCGSAFlAwIBAygwDAYK + YIZIAWUDAgEDKTCCAXYGCCsGAQUFBwEBBIIBaDCCAWQwgdwGCCsG + AQUFBzAChoHPbGRhcDovL2NlcnRyZXAucGtpLnN0YXRlLmdvdi9j + bj1VLlMuJTIwRGVwYXJ0bWVudCUyMG9mJTIwU3RhdGUlMjBBRCUy + MFJvb3QlMjBDQSxjbj1BSUEsY249UHVibGljJTIwS2V5JTIwU2Vy + 
dmljZXMsY249U2VydmljZXMsY249Q29uZmlndXJhdGlvbixkYz1z + dGF0ZSxkYz1zYnU/Y0FDZXJ0aWZpY2F0ZTtiaW5hcnksY3Jvc3ND + ZXJ0aWZpY2F0ZVBhaXI7YmluYXJ5MEYGCCsGAQUFBzAChjpodHRw + Oi8vY3Jscy5wa2kuc3RhdGUuZ292L0FJQS9DZXJ0c0lzc3VlZFRv + RG9TQURSb290Q0EucDdjMDsGCCsGAQUFBzABhi9odHRwOi8vb2Nz + cC5wa2kuc3RhdGUuZ292L09DU1AvRG9TT0NTUFJlc3BvbmRlcjAf + BgNVHSMEGDAWgBTMAGhhpqUDkxAKG2G3hxjBRVbagjAdBgNVHQ4E + FgQUb4P+glBkZXc+/d8Dms4p0S8wzOwwggHqBgNVHR8EggHhMIIB + 3TCCAQqgggEGoIIBAoYyaHR0cDovL2NybHMucGtpLnN0YXRlLmdv + di9jcmxzL0RvU0FEUEtJUm9vdENBMS5jcmyGgctsZGFwOi8vZGly + LnBraS5zdGF0ZS5nb3YvY249V2luQ29tYmluZWQxLGNuPVUuUy4l + MjBEZXBhcnRtZW50JTIwb2YlMjBTdGF0ZSUyMEFEJTIwUm9vdCUy + MENBLGNuPUFJQSxjbj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxj + bj1TZXJ2aWNlcyxjbj1Db25maWd1cmF0aW9uLGRjPXN0YXRlLGRj + PXNidT9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0O2JpbmFyeTCB + zKCByaCBxqSBwzCBwDETMBEGCgmSJomT8ixkARkWA3NidTEVMBMG + CgmSJomT8ixkARkWBXN0YXRlMRYwFAYDVQQDDA1Db25maWd1cmF0 + aW9uMREwDwYDVQQDDAhTZXJ2aWNlczEcMBoGA1UEAwwTUHVibGlj + IEtleSBTZXJ2aWNlczEMMAoGA1UEAwwDQUlBMSwwKgYDVQQDDCNV + LlMuIERlcGFydG1lbnQgb2YgU3RhdGUgQUQgUm9vdCBDQTENMAsG + A1UEAwwEQ1JMMTAZBgkqhkiG9n0HQQAEDDAKGwRWOC4yAwIEkDAN + BgkqhkiG9w0BAQsFAAOCAgEARJltIzIKrkKMLaDgAxODAlMFXIMx + dwiuOZl45hd28CXN5IDJz++/2I9Gk/MHI4sfXg8svloxT+gsyWfq + SOmW9bA3hywtLzrQQ1ER8aumV0jiU0rP3JV/ZJWdapMhM5YDSe+z + yu47z6HQM6Wv225emrZTnvqor+yhDMnnN6mmfSapAbXc+WtX8pxz + ARJrLNjYWv4QF2RR+X8C728sz9Gbbmk3fLQU/rlGTkxlFE72TrSD + eaU/YnfvG56hcHrjmQrUhrUrbzdumjBAVjnVJMVP3WSwembUwi3/ + K4w3yuYDpYDC3jodPa5msvu+VN8BUv2Rk3hpslkwYefa5ZakVj+u + GOSpXey66Ka6kgBx6tGfLSXe79i3S+lGwLu+MW9YcFhZI7dLzFWp + 4Y/MWN0ZNu5/OTEL84wtagKzzTjBCyuuli0QtvcCNWwrCdoADSwd + LUHQANVGNLhzPkXlR+UMiMOeLSzS9mkUI1nka6JaVjLjZ9nGqyCg + 19PcKea3FuSQTMBuAd4gdZaUEXoM8ex7nwrJPP2YMSd8/QzkbiIx + IOu6EMMEt0c1+ErLgQ4upwV7NkThoTe4PYdJeJ13ms//HMHI0Mqz + 6Ywc6lT5vNPA8RUmX/rJOQ9GYRM3Y5yjLiuRshmJt3J+L6w6e20+ + 2hR9Ju/Ny3jiIodrN3bgUCJGRs2VuU0= + + PayloadDescription + Adds a PKCS#1-formatted certificate + PayloadDisplayName + U.S. 
Department of State AD Root CA + PayloadIdentifier + com.apple.security.pkcs1.99E974C7-9052-4CF3-9A21-69CF755B493D + PayloadType + com.apple.security.pkcs1 + PayloadUUID + 99E974C7-9052-4CF3-9A21-69CF755B493D + PayloadVersion + 1 + + + PayloadCertificateFileName + US_Department_of_State_AD_Root_CA.cer + PayloadContent + + MIIIyjCCBrKgAwIBAgIUJ2NP0yHL/Yx+/ArrAodvY9pMDAkwDQYJ + KoZIhvcNAQEMBQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Uu + Uy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UEAxMb + RmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMB4XDTIwMTExODE2 + MTcxM1oXDTIzMTExODE2MTcxM1owgbExEzARBgoJkiaJk/IsZAEZ + FgNzYnUxFTATBgoJkiaJk/IsZAEZFgVzdGF0ZTEWMBQGA1UEAwwN + Q29uZmlndXJhdGlvbjERMA8GA1UEAwwIU2VydmljZXMxHDAaBgNV + BAMME1B1YmxpYyBLZXkgU2VydmljZXMxDDAKBgNVBAMMA0FJQTEs + MCoGA1UEAwwjVS5TLiBEZXBhcnRtZW50IG9mIFN0YXRlIEFEIFJv + b3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDV + ZF3CZ2Jrfb6m0aOrxhfYXRlqaCOYbI6Mpyu2HXacbKW8Gtws3lsO + zBxDRuPA/N4JYcRyC4nwYU91aGN1/7cZrdtx5ngXyFHUzaegMmSS + nW/zIS7b2d13E6ftWnUJwo3CgS4ngrKR2exABUPdIrQQq8y53TzF + uUVvajkFdQqf8tjHJBJ27g/KFYljcMzQuICemGfI1inGh5cTe3jV + Mb5W7BMreBfx7JuTybPZHdcwKK98TF2/X1i9ek9GNo43ytYAfdiL + rZf2akOsUXs3Vn0ebTn7I6NdSBNrLg1xz7EHPAbKiQwt5CbPGWO4 + ZVU8x6JBU3QTPVAGVqeK1FnMpDtdgJ4/Bw+CHn74jDtn/TSaLnoV + 7IzCmZP0yey+zBCazTUVx5vuuVnBYla0kfVZ/3a5pTTeI6aHaAyQ + W1VhQ/mq2XUOLnR7FBUAW9vjFLkPglos0xAAlZR2fIMmcCiB+KaE + 8d+KvvUcINuxd25soTyRZcyZdlDwgn+L5tj59A2nOBDedpgKzoCK + SDwaLMQRxw8yNshXjPpyLkw7V5AwtB9LEcxgBbU+S8G4wGo67I2P + KLF/EPOGtFUt/QVB4o1q15VDenK/lFncKe/4dUR7q3sQhODP17ED + E5WBfXwtrd3nf+bp8ftLeh/vjwuSIlzwWZ7/5RRCwEh7sMq64MqJ + 0i0GqQIDAQABo4IDLDCCAygwHQYDVR0OBBYEFMwAaGGmpQOTEAob + YbeHGMFFVtqCMB8GA1UdIwQYMBaAFPQnXKnDfEf0+qansFmXqt01 + JhfjMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MIGX + BgNVHSAEgY8wgYwwDAYKYIZIAWUDAgEDEzAMBgpghkgBZQMCAQMG + MAwGCmCGSAFlAwIBAwcwDAYKYIZIAWUDAgEDCDAMBgpghkgBZQMC + AQMkMAwGCmCGSAFlAwIBAw0wDAYKYIZIAWUDAgEDEDAMBgpghkgB + ZQMCAQMRMAwGCmCGSAFlAwIBAycwDAYKYIZIAWUDAgEDKDCCASsG + 
A1UdIQSCASIwggEeMBgGCmCGSAFlAwIBAwYGCmCGSAFlAwIBAwYw + GAYKYIZIAWUDAgEDBgYKYIZIAWUDAgEGAzAYBgpghkgBZQMCAQMH + BgpghkgBZQMCAQMHMBgGCmCGSAFlAwIBAwcGCmCGSAFlAwIBBgww + GAYKYIZIAWUDAgEDEAYKYIZIAWUDAgEDEDAYBgpghkgBZQMCAQMQ + BgpghkgBZQMCAQYEMBgGCmCGSAFlAwIBAwgGCmCGSAFlAwIBAwgw + GAYKYIZIAWUDAgEDCAYKYIZIAWUDAgEGJTAYBgpghkgBZQMCAQMk + BgpghkgBZQMCAQMkMBgGCmCGSAFlAwIBAyQGCmCGSAFlAwIBBiYw + GAYKYIZIAWUDAgEDEwYKYIZIAWUDAgEDLjBTBggrBgEFBQcBCwRH + MEUwQwYIKwYBBQUHMAWGN2h0dHA6Ly9jcmxzLnBraS5zdGF0ZS5n + b3YvU0lBL0NlcnRzSXNzdWVkQnlBRFJvb3RDQS5wN2MwDwYDVR0k + BAgwBoABAIEBADAKBgNVHTYEAwIBADBRBggrBgEFBQcBAQRFMEMw + QQYIKwYBBQUHMAKGNWh0dHA6Ly9yZXBvLmZwa2kuZ292L2ZjcGNh + L2NhQ2VydHNJc3N1ZWRUb2ZjcGNhZzIucDdjMDcGA1UdHwQwMC4w + LKAqoCiGJmh0dHA6Ly9yZXBvLmZwa2kuZ292L2ZjcGNhL2ZjcGNh + ZzIuY3JsMA0GCSqGSIb3DQEBDAUAA4ICAQADhz1QKMNRhRnYuH8R + aEwdZfUIgvV+JQjxp8ZIlPjoONqUkmIGKWUE3aYRLOhvBAEuefvU + TNEvWVw39Cy9reIVpXYJv8mgrvszvvpO1Oa6aD/MOBdst9TvrYJt + y+npQVhe/lICRyKCtRkAYMo0O/IhHNfesl5qJ2x+9sVR4y4k8Phq + /94ZILhnohveKsQbT5h7adI/K8BYCeWhlMeec/mnB1u06mZKtkGr + hnhZDwgEgypRRHpDy2decnomU0E/lxnykCtd5pZMq5yJ6NGsdKH+ + PhZTIhZ00Rt7p+wOOBRU5qMX4t+XukWy0lR9++xmTMgur8IbzHDN + 5pzWFqLwEsLB+etfH2hi+vHrDl9Gt0TFQZNcy+6xSaxR3GF2Eb9p + sJQTAeQyFj1vqKU6rDZLhjxvDWr71Lt7Jwzx0wBuibaN21oD8Bl4 + ysCU30zAO2kd8mFLiJsHiXIggknprzUE5Kzz7himkT7zrRfoDcMk + aQH0spWOBPWwBzzpseqfV5GlEOdGDI7OAIJtOXRKjnS15qgTjoQ9 + SDEOiVNNhJ3tCyH5rTJf0XYet5aq6TLFGV+oDuqhD2f/Hc3ghXxP + QmFdJygKwYit3JkW9RzEBe0PrdBdgAXKvlYqHTl+lUr1CX+rpkMh + 1swXmkBqUwKRXNoIYluolhYJbuCKYq0OhpN1a8eFXQ== + + PayloadDescription + Adds a PKCS#1-formatted certificate + PayloadDisplayName + U.S. 
Department of State AD Root CA + PayloadIdentifier + com.apple.security.pkcs1.2044520D-DA80-48DD-8918-8193B315C9C5 + PayloadType + com.apple.security.pkcs1 + PayloadUUID + 2044520D-DA80-48DD-8918-8193B315C9C5 + PayloadVersion + 1 + + + PayloadCertificateFileName + Entrust_Managed_Services_Root_CA_Link.cer + PayloadContent + + MIIGGjCCBQKgAwIBAgIERIEHezANBgkqhkiG9w0BAQsFADBuMQsw + CQYDVQQGEwJVUzEQMA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZ + Q2VydGlmaWNhdGlvbiBBdXRob3JpdGllczEpMCcGA1UECxMgRW50 + cnVzdCBNYW5hZ2VkIFNlcnZpY2VzIFJvb3QgQ0EwHhcNMTUwNzIz + MTYwNjM2WhcNMjUwNzIzMTYzNjM2WjBuMQswCQYDVQQGEwJVUzEQ + MA4GA1UEChMHRW50cnVzdDEiMCAGA1UECxMZQ2VydGlmaWNhdGlv + biBBdXRob3JpdGllczEpMCcGA1UECxMgRW50cnVzdCBNYW5hZ2Vk + IFNlcnZpY2VzIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB + DwAwggEKAoIBAQCYqKN6KNw4zYLKgi6YOoiuw6K/9e/bn7D2gNlA + QxPZtGvmvhzIOx2UeHDwhmFkivNy2fgIr85/brQfKgukWgpcES9D + l2GpcsnOXDSm+cAtGJrEV6/Ecv6o+z2qm0YRODNEaMF4ANLl/H95 + yfR4l54aI+MX6rxzTnTv+j/QptL3ZyJe8LnQoeIHr69Jo21e6ekG + RtlYJ9L8r5qn7s/bF9KZ/aksWeB21d1wci3dIIpN5bM8r5YnQLEj + jzg35SsbqBEft1/QvgxDbEWTW9/IIj5hWrpyBVe23pJwNtEWluvF + xhzQz3xJ0U1ZBRQXySVHbx0k0SyRlhhFv6ricooEThtJAgMBAAGj + ggK+MIICujAPBgNVHRMBAf8EBTADAQH/MHkGA1UdIARyMHAwDAYK + YIZIAWUDAgEDBjAMBgpghkgBZQMCAQMHMAwGCmCGSAFlAwIBAwgw + DAYKYIZIAWUDAgEDDTAMBgpghkgBZQMCAQMRMAwGCmCGSAFlAwIB + AycwDAYKYIZIAWUDAgEDKDAMBgpghkgBZQMCAQMpMA4GA1UdDwEB + /wQEAwIBhjBfBggrBgEFBQcBCwRTMFEwTwYIKwYBBQUHMAWGQ2h0 + dHA6Ly9yb290d2ViLm1hbmFnZWQuZW50cnVzdC5jb20vU0lBL0NB + Y2VydHNJc3N1ZWRCeUVNU1Jvb3RDQS5wN2MwgaQGCCsGAQUFBwEB + BIGXMIGUME0GCCsGAQUFBzAChkFodHRwOi8vcm9vdHdlYi5tYW5h + Z2VkLmVudHJ1c3QuY29tL0FJQS9DZXJ0c0lzc3VlZFRvRU1TUm9v + dENBLnA3YzBDBggrBgEFBQcwAYY3aHR0cDovL29jc3AubWFuYWdl + ZC5lbnRydXN0LmNvbS9PQ1NQL0VNU1Jvb3RDQVJlc3BvbmRlcjAf + BgNVHSMEGDAWgBRJVJFMaUQ7xPgCLPT4LTNWiXWYEDAdBgNVHQ4E + FgQUqVO+ZISDS10mxic+LtGEaFU80HUwgdMGA1UdHwSByzCByDA8 + oDqgOIY2aHR0cDovL3Jvb3R3ZWIubWFuYWdlZC5lbnRydXN0LmNv + bS9DUkxzL0VNU1Jvb3RDQTMuY3JsMIGHoIGEoIGBpH8wfTELMAkG + 
A1UEBhMCVVMxEDAOBgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNl + cnRpZmljYXRpb24gQXV0aG9yaXRpZXMxKTAnBgNVBAsTIEVudHJ1 + c3QgTWFuYWdlZCBTZXJ2aWNlcyBSb290IENBMQ0wCwYDVQQDEwRD + UkwxMA0GCSqGSIb3DQEBCwUAA4IBAQA/ajdhyDBMELNyPOHPu2t2 + fiDKGPaYeKr0mZhgZbrznGtD3KdqUrA6urHyIprCL8d05PgLPmFK + p1UDO+BMJHef2mVaYH513xlIRJa75L/81O1z/hBjaPai9+uMiVpx + A94guFiaFwpE55gMyaPknYYCHindd8r+qLb3+4AevkcaLnCBnCHo + dLgc6KyLwk44zfXJW+U/UyjBkJnk1DZpIbpvTZkfAvxHyGADcfPQ + 4iKdMFCfzEk1EQcM3K95UfXzH6LocRcGsOCU57mGRWPeBLDwoHW1 + wY2PKwxgJW3bEpaECLPK958Ntoj5UCVS4R811DCRfEzpeJGeQb9G + iJqYSXj/ + + PayloadDescription + Adds a PKCS#1-formatted certificate + PayloadDisplayName + Entrust_Managed_Services_Root_CA_Link.cer + PayloadIdentifier + com.apple.security.pkcs1.C496F12B-1FDB-42DA-986E-B5A9D1142E40 + PayloadType + com.apple.security.pkcs1 + PayloadUUID + C496F12B-1FDB-42DA-986E-B5A9D1142E40 + PayloadVersion + 1 + + + PayloadCertificateFileName + US_Treasury_Root_CA.cer + PayloadContent + + MIII2jCCBsKgAwIBAgIUIBPbLNMN0p0X7cSFNcXgDYkWzwIwDQYJ + KoZIhvcNAQEMBQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Uu + Uy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UEAxMb + RmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMB4XDTIwMTExODE0 + NTMwMFoXDTIyMDgxNDEzNTMwMFowgY4xCzAJBgNVBAYTAlVTMRgw + FgYDVQQKEw9VLlMuIEdvdmVybm1lbnQxIzAhBgNVBAsTGkRlcGFy + dG1lbnQgb2YgdGhlIFRyZWFzdXJ5MSIwIAYDVQQLExlDZXJ0aWZp + Y2F0aW9uIEF1dGhvcml0aWVzMRwwGgYDVQQLExNVUyBUcmVhc3Vy + eSBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC + AgEA7D5nzQgGJWbAzFCMv5x7nb7bZ1ERbKGEfKVLg7XWT8xTsL8C + aItldWtTGGwbjiTH+sbLmk19jkfCQ7QhyipMHDfmFxEAa/aTc28n + WquT/Omt1yEunX2qQK7XA42gGYLRfkjcV8wr/gcHieQDERUKUSYP + o/ecrzfcJ7S7xRpIKqiBPlD5msWJjBHBsgZWvMpvT2tZuOU3nK47 + oQ3FNZtHUiUkYUtQieMRwk8TQ8Y0fdZ+rwJxWTo44LUJp4hXPgtd + SSe+DFDJv+le8Ncvzw1cH8lJ8sjPjFvFCjeWVZVFhDC/HR2BqnC7 + vqcSAyWCwsIaNNfn11kruLMf87SUdqKwWeLH+xJOh5slKV91+pee + 7HqUYIawO3bLCeHZ2TXQfoN37n224IeFgzpR2t4fVRLlYYeZuFxR + b4vInCIFMwvlmorOXitVCfaZd71Ws9GKO3Sg3ur9sNvKgBeE7A4m + 
m5bEVRBS0Gpo+s6L9jdUPYvrzV1bRx1f4IfIwuSbxl93Mn1JLLNF + PS1nAHhROc1NzTf/1annVnPWt49xvJfeKmFagwkMKv3wFqa0UHF9 + TO8TYcO5jueOwfiHY6e9ASElT0ev5Wk3kaoP5wPWeP8Rhkt1HnD9 + puitgAiUNHsEol7osemoRQdlzmg5jZE306KGzwjbgNdX4QN8iGp/ + vt3rg+0sFVkCAwEAAaOCA18wggNbMB8GA1UdIwQYMBaAFPQnXKnD + fEf0+qansFmXqt01JhfjMB0GA1UdDgQWBBQXS7gmuml6rRJQV0Ux + nle7dKXaLzAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB + /zCB3QYDVR0gBIHVMIHSMAwGCmCGSAFlAwIBAwEwDAYKYIZIAWUD + AgEDAjAMBgpghkgBZQMCAQMSMAwGCmCGSAFlAwIBAxMwDAYKYIZI + AWUDAgEDFDAMBgpghkgBZQMCAQMGMAwGCmCGSAFlAwIBAwcwDAYK + YIZIAWUDAgEDCDAMBgpghkgBZQMCAQMkMAwGCmCGSAFlAwIBAw0w + DAYKYIZIAWUDAgEDEDAMBgpghkgBZQMCAQMRMAwGCmCGSAFlAwIB + AycwDAYKYIZIAWUDAgEDKDAMBgpghkgBZQMCAQMpMIIBKwYDVR0h + BIIBIjCCAR4wGAYKYIZIAWUDAgEDAQYKYIZIAWUDAgEFAjAYBgpg + hkgBZQMCAQMCBgpghkgBZQMCAQUDMBgGCmCGSAFlAwIBAwYGCmCG + SAFlAwIBAwYwGAYKYIZIAWUDAgEDBgYKYIZIAWUDAgEFBzAYBgpg + hkgBZQMCAQMHBgpghkgBZQMCAQMHMBgGCmCGSAFlAwIBAwcGCmCG + SAFlAwIBBQQwGAYKYIZIAWUDAgEDEAYKYIZIAWUDAgEDEDAYBgpg + hkgBZQMCAQMQBgpghkgBZQMCAQUFMBgGCmCGSAFlAwIBAxIGCmCG + SAFlAwIBBQowGAYKYIZIAWUDAgEDEwYKYIZIAWUDAgEFCzAYBgpg + hkgBZQMCAQMUBgpghkgBZQMCAQUMMEAGCCsGAQUFBwELBDQwMjAw + BggrBgEFBQcwBYYkaHR0cDovL3BraS50cmVhc3VyeS5nb3Yvcm9v + dF9zaWEucDdjMA8GA1UdJAQIMAaAAQCBAQAwCgYDVR02BAMCAQAw + UQYIKwYBBQUHAQEERTBDMEEGCCsGAQUFBzAChjVodHRwOi8vcmVw + by5mcGtpLmdvdi9mY3BjYS9jYUNlcnRzSXNzdWVkVG9mY3BjYWcy + LnA3YzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vcmVwby5mcGtp + Lmdvdi9mY3BjYS9mY3BjYWcyLmNybDANBgkqhkiG9w0BAQwFAAOC + AgEAhRTz6wkhokP3g0AJAq3FZD/IfwSsQUtj91BbarwKpESDDpKo + AiOWTsGn2WLcgCh5Eokj0B+OrWBAah+CbTRGvJ/v23T+IC8m7jv3 + KAVGKLsnaAXj1oQpFqDpjQUPeTcythlNG4pnPXmjepdzPTqP6hZL + RDmJ/Pz7ZCCQu08TNcAItoB3+/9it3SU5S3qVwev+C4ElKRNOWeV + N5QBpace7G8srPhf9pUxRVAOvSJxup+nwJVMhLJUjsUkom3oCq98 + canwZzmyQR5xxPdE2FCHeP0W+wd0iWQD3skkrsEg54r01ZQz2+KN + kYbA+dTWpIt9/z0GSuvzIIbrLmdDwSnHbYLN7B0cTikEH6Co50aC + OVH08mHOplU96oQxOQsta/7f+YOzSJL18n8eE+y55YhigK/zG79D + jPY8lFr+7TkRa5p/A6tFH0HSpsopg0l+o708D9AjvCL2xswOvxNH + 
pcZ0eT7jY0BqEn4b2GKlDk2VjsGxwf7SegUqstOb8Dqa/25XbCLy + l3zsV/OSBvN4O+LjcVsgqNmRKV2PDVbJGckNykb1In9u1vA+aGL9 + 6h92UZoc07VwqtjfYZ7VFsUuSZzcXbZJNmaRg9NFy+OYDSOtWUEL + i2KgdiYB5s8qVVRYXz+rjDeVXzSmuOnr31omBybsGR97dsOF1DfA + Iyd6W1mTCSE= + + PayloadDescription + Adds a PKCS#1-formatted certificate + PayloadDisplayName + US_Treasury_Root_CA.cer + PayloadIdentifier + com.apple.security.pkcs1.E2266309-D968-44CE-8781-EC38583E02C7 + PayloadType + com.apple.security.pkcs1 + PayloadUUID + E2266309-D968-44CE-8781-EC38583E02C7 + PayloadVersion + 1 + + + PayloadCertificateFileName + DigiCert_Federal_SSP_Intermediate_CA_-_G5.cer + PayloadContent + + MIIGLjCCBBagAwIBAgIUJLwWj5zLMM/O+PCljybxAYGGkmYwDQYJ + KoZIhvcNAQEMBQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Uu + Uy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UEAxMb + RmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMB4XDTIwMTExODE2 + MzQzOFoXDTI4MTIxMzE2MzQzOFowWjELMAkGA1UEBhMCVVMxFzAV + BgNVBAoTDkRpZ2lDZXJ0LCBJbmMuMTIwMAYDVQQDEylEaWdpQ2Vy + dCBGZWRlcmFsIFNTUCBJbnRlcm1lZGlhdGUgQ0EgLSBHNTCCASIw + DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuSOxdlMn/Phgem + kiviGavyIwP2LVXZ+rlRnfvLHtT9zIBy9swXu5JPXjavPPJmMa50 + nfZl9uFgv8wMmyAOigbKi6SRCvc5pEc4dEf4BztCzeOeXFfoQzpQ + VM+8fDk+xhI+/JQZ1VgqoVI8ugO+N2olEkGKVWsu5qDLk/bE8Q/G + 03I7fMt+9Z4gKKFeKQNc1/KgzqlE/vCW0k2meFDIwG8T3dnnCmSi + eghOmKn0uFaZvC/gR57IRelosvkymopTTxlFc+6JOVPwiYW5VmVb + Nw7l94wmC9c2HVEl3LzNzg7NCdGX8H7v+RJa7etlPdnG0wi5d3uN + D/Fhs1LOg5JwlLcCAwEAAaOCAegwggHkMB0GA1UdDgQWBBRXGeXY + 1qzeeOJC9eRFtNk5kwu92jAfBgNVHSMEGDAWgBT0J1ypw3xH9Pqm + p7BZl6rdNSYX4zAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw + AwEB/zB5BgNVHSAEcjBwMAwGCmCGSAFlAwIBAwYwDAYKYIZIAWUD + AgEDBzAMBgpghkgBZQMCAQMIMAwGCmCGSAFlAwIBAyQwDAYKYIZI + AWUDAgEDDTAMBgpghkgBZQMCAQMQMAwGCmCGSAFlAwIBAxEwDAYK + YIZIAWUDAgEDJzBXBggrBgEFBQcBCwRLMEkwRwYIKwYBBQUHMAWG + O2h0dHA6Ly9zc3Atc2lhLmRpZ2ljZXJ0LmNvbS9TU1AvQ2VydHNf + aXNzdWVkX2J5X1NTUENBRzUucDdjMBIGA1UdJAEB/wQIMAaAAQCB + AQAwDQYDVR02AQH/BAMCAQAwUQYIKwYBBQUHAQEERTBDMEEGCCsG + 
AQUFBzAChjVodHRwOi8vcmVwby5mcGtpLmdvdi9mY3BjYS9jYUNl + cnRzSXNzdWVkVG9mY3BjYWcyLnA3YzA3BgNVHR8EMDAuMCygKqAo + hiZodHRwOi8vcmVwby5mcGtpLmdvdi9mY3BjYS9mY3BjYWcyLmNy + bDANBgkqhkiG9w0BAQwFAAOCAgEADnzUPcRQhrO9s5jQK9iI2pmo + 4YxR7IzHndTiZJfcfHFynR24gYT49uolHdtVsZS4mepL6Qcu5feB + vi2AUHOKcXgNPczLFH+fpjGfzslXc/dcIT47JY/Q8X3rCsLNrEdp + SmcztcZIxRE9qphHfW2PAsYK4mDIthhLhhwgvXeJNKMNEWjLpI79 + Y2Ly0qozuoZCRTSSRdz4nuxgk/nhOsVWHzznLpNmUPqExqTjy4Rq + giLbIVsPVVxM9uQozBEzVGPFZFbqI+WwEp1rXQl2h0r8Y+JCz+Sy + p2H4knE1+O7cJ+5oRMRmFZtmUIE3BThzC9pgpi7XNzQ9UNqLCQje + bhsJzZKT68beAsIFLAlCGMDU9nxOb6VYegcRg4SPVMG+Sd2VrSaV + 11OsVN9dCMvicNnVjewvIZakLeZpMQzCKdHzKYfuVIjtJhAL2dmY + Jk1gURm/iSZdg/DRzpcX6MvGrBcO9rwi9c6pBC4plRwvjmLSilXR + jgY2XafEQv/KyxAdPKDV0WqC466AfXJKzxzvtqmmWk6i3XaAhBun + 2maGJZ/Gkkm5J9FxUFoVpURtuOdch90YNNiPCKKk0h65ssm1im7g + gGPZbpCpd0/EnGzPv5HBDcUHp2CdPTvDcH6wJjwLzDKYIPjZE0ma + 2SBC+6GixP9rm7I73b+VF/zNSFk7gfCw8Y4= + + PayloadDescription + Adds a PKCS#1-formatted certificate + PayloadDisplayName + DigiCert Federal SSP Intermediate CA - G5 + PayloadIdentifier + com.apple.security.pkcs1.6306A9B5-3113-4F5A-9EB4-56078617B1E0 + PayloadType + com.apple.security.pkcs1 + PayloadUUID + 6306A9B5-3113-4F5A-9EB4-56078617B1E0 + PayloadVersion + 1 + + + PayloadCertificateFileName + Verizon_SSP_CA_A2.cer + PayloadContent + + MIIGFzCCA/+gAwIBAgIUJfyoNK2iSkRVotsP9M73xBEZjjowDQYJ + KoZIhvcNAQEMBQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Uu + Uy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UEAxMb + RmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMB4XDTIwMTExODE0 + NTYxOFoXDTI2MTIwNjE0NTYxOFowSTELMAkGA1UEBhMCVVMxEDAO + BgNVBAoTB1Zlcml6b24xDDAKBgNVBAsTA1NTUDEaMBgGA1UEAxMR + VmVyaXpvbiBTU1AgQ0EgQTIwggEiMA0GCSqGSIb3DQEBAQUAA4IB + DwAwggEKAoIBAQCT0WM4O/ZFY8urrsSIAnTgMqoPK1OZJ6iGWPJF + IOLCGcOXH69ZdZh5WF0RXLtViaxLgh9R1GiCTmH6b79okvAxvXOA + swow+eUq9EXj9p37UnzRB8QUJF1WZDQvu4W0zpKEghhBVnGqzkEO + V/QEYf/aawuZGY/YsvwrUbj6l0hjpCcBK7w8OxA885bCtBrrjnmF + CbLhGkB+A567lccLRLVW94oOSeYx3BB2yCrfEIVIm7mHyB5FG9XL + 
Wmv7FZPQgy6yclYZtrplxS7Jjh6A2luIQHV2G5x8SW+QwzFM4uI1 + IM43M51mrb0N3A8gg59Jl8mBHjLdqmMfci6/QuXI15jDAgMBAAGj + ggHiMIIB3jAdBgNVHQ4EFgQU+zfdR0E/PXEiYH+fgoQCQAmqyosw + HwYDVR0jBBgwFoAU9CdcqcN8R/T6pqewWZeq3TUmF+MwDgYDVR0P + AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8weQYDVR0gBHIwcDAM + BgpghkgBZQMCAQMGMAwGCmCGSAFlAwIBAwcwDAYKYIZIAWUDAgED + CDAMBgpghkgBZQMCAQMNMAwGCmCGSAFlAwIBAxEwDAYKYIZIAWUD + AgEDJzAMBgpghkgBZQMCAQMoMAwGCmCGSAFlAwIBAykwUQYIKwYB + BQUHAQsERTBDMEEGCCsGAQUFBzAFhjVodHRwOi8vc2lhMS5zc3At + c3Ryb25nLWlkLm5ldC9DQS9WWi1TU1AtQ0EtQTItU0lBLnA3YzAS + BgNVHSQBAf8ECDAGgAEAgQEAMA0GA1UdNgEB/wQDAgEAMFEGCCsG + AQUFBwEBBEUwQzBBBggrBgEFBQcwAoY1aHR0cDovL3JlcG8uZnBr + aS5nb3YvZmNwY2EvY2FDZXJ0c0lzc3VlZFRvZmNwY2FnMi5wN2Mw + NwYDVR0fBDAwLjAsoCqgKIYmaHR0cDovL3JlcG8uZnBraS5nb3Yv + ZmNwY2EvZmNwY2FnMi5jcmwwDQYJKoZIhvcNAQEMBQADggIBAG04 + L1MrQFdSYULkCM6OxRDKVjZB3xO4lJh3QLQlIl/bQ4Wb/s1EYsdU + ESi5T+YicA0mrT0SNBlo8yZBlZi359/4SADcdoF52kCgAT3RafYV + ZV1Ubb0F7jKLk8TxDuc7sWzERAHuMKAHy9D0Y7eOGDmTKnKQ9yO+ + AdCItQU7iDRraFu2J4pJu6rfcwEew7p02ztTh66vBajYyFk5DpBb + SXl9NX68pAbHiY8VmaiCUqmkM8LNuexFLXhRxE65ehqAleVVXUUG + oIEkTK3Z8UcH+nLSrYNTouNRE5Uy/jRCqyhd+aX1umjzFGcN3Nfv + UvAQcVuMi1zXZP87F9WnLPsWckl3sX4U7WrYRLH7/U2Tw3Z5n+us + 7IPwIm2VzUC/3zPFWWs/1ig/i0Sc5VRQnvpjzzzRjSFlGfdOXlE0 + NvGKT34mwP3WSK7sE/D6JN07BrQTYGKuc2D2cFiIfdOrJ7Ap2zfF + WtOLrjtxKvfPAkevgGkHIrowX3LFIvu9lXbTMHWrywv+Apg8oRpX + H9DL9ujTBTNwqIc6CUUiKPrLSyUpxXRVf07QkpJtcGsUXU3Opsw4 + pH5GSb9oatvsNg1V1+un9UEklO0X8j7PK9xy9QV67c9Q7bRfuQRI + G+G6e1BhwTW+wWuc6/u4MqtFvsHj3GT7xCuQwY9CeK1tKvANafWR + ruMc + + PayloadDescription + Adds a PKCS#1-formatted certificate + PayloadDisplayName + Verizon SSP CA A2 + PayloadIdentifier + com.apple.security.pkcs1.EB5A89E7-2D57-49A1-8840-2C7C3F87F76D + PayloadType + com.apple.security.pkcs1 + PayloadUUID + EB5A89E7-2D57-49A1-8840-2C7C3F87F76D + PayloadVersion + 1 + + + PayloadCertificateFileName + US Treasury Root CA.cer + PayloadContent + + MIIHgDCCBWigAwIBAgIEVw0sADANBgkqhkiG9w0BAQsFADCBjjEL + 
MAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDEj + MCEGA1UECxMaRGVwYXJ0bWVudCBvZiB0aGUgVHJlYXN1cnkxIjAg + BgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxHDAaBgNV + BAsTE1VTIFRyZWFzdXJ5IFJvb3QgQ0EwHhcNMDYwODA1MTQxNjMw + WhcNMjYwODA1MTQ0NjMwWjCBjjELMAkGA1UEBhMCVVMxGDAWBgNV + BAoTD1UuUy4gR292ZXJubWVudDEjMCEGA1UECxMaRGVwYXJ0bWVu + dCBvZiB0aGUgVHJlYXN1cnkxIjAgBgNVBAsTGUNlcnRpZmljYXRp + b24gQXV0aG9yaXRpZXMxHDAaBgNVBAsTE1VTIFRyZWFzdXJ5IFJv + b3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDo + JARZzJjHfGSxatc7KUjHu1jq36LEKpPRaNaLg8IqQOZq7G4a3+kj + 71Rh2uWi7XYAaQTVTPK/xBtohVGuB6c42QqzUhE2nyKB3gRId76o + r7LxeC6sxFiHUIYCDHs3aAidYk21CbfxFnPbBOhG6YiTJcjabaOo + jCHfxtc2WCDbrfaMEoAil1j040KLfdH0frl/Vu+6MbxJ7BKvCIC5 + 4pdiYH/vg/lj3utwbqvETw80EqbLrSZDy48DxvOeJB4qg7Bq5in/ + Vx6xbl9PQNVCtarVtFHksntbBvyCosyxFr8+RMejZLeC9mhy2+b+ + e2Hb/q51dszcbFLZvAeoOWbrj5rLAgMBAAGjggLiMIIC3jAOBgNV + HQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zBLBggrBgEFBQcB + AQQ/MD0wOwYIKwYBBQUHMAKGL2h0dHA6Ly9wa2kudHJlYXN1cnku + Z292L2NhY2VydHNpc3N1ZWR0b3RyY2EucDdjMEAGCCsGAQUFBwEL + BDQwMjAwBggrBgEFBQcwBYYkaHR0cDovL3BraS50cmVhc3VyeS5n + b3Yvcm9vdF9zaWEucDdjMIH5BgNVHSAEgfEwge4wDAYKYIZIAWUD + AgEDBjAMBgpghkgBZQMCAQMHMAwGCmCGSAFlAwIBAwgwDAYKYIZI + AWUDAgEDDTAMBgpghkgBZQMCAQMQMAwGCmCGSAFlAwIBAxEwDAYK + YIZIAWUDAgEDJDAMBgpghkgBZQMCAQMnMAwGCmCGSAFlAwIBAygw + DAYKYIZIAWUDAgEDKTAMBgpghkgBZQMCAQUCMAwGCmCGSAFlAwIB + BQMwDAYKYIZIAWUDAgEFBDAMBgpghkgBZQMCAQUHMAwGCmCGSAFl + AwIBBQowDAYKYIZIAWUDAgEFCzAMBgpghkgBZQMCAQUMMB8GA1Ud + IwQYMBaAFBdLuCa6aXqtElBXRTGeV7t0pdovMB0GA1UdDgQWBBRo + hBVIjFRwfy0SWA7sHHjvPC5ZZDCB7wYDVR0fBIHnMIHkMIGpoIGm + oIGjpIGgMIGdMQswCQYDVQQGEwJVUzEYMBYGA1UEChMPVS5TLiBH + b3Zlcm5tZW50MSMwIQYDVQQLExpEZXBhcnRtZW50IG9mIHRoZSBU + cmVhc3VyeTEiMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3Jp + dGllczEcMBoGA1UECxMTVVMgVHJlYXN1cnkgUm9vdCBDQTENMAsG + A1UEAxMEQ1JMMTA2oDSgMoYwaHR0cDovL3BraS50cmVhc3VyeS5n + b3YvVVNfVHJlYXN1cnlfUm9vdF9DQTEuY3JsMA0GCSqGSIb3DQEB + CwUAA4ICAQDkJPyJSS87CAuaDXkdJFGsLkgQOrDxCJpNgD1ZQ1Rm + 
AbBwpO8x94m00gjE2uN9Gj/ezADsK0Yu9z83XdAl/6706GJ3bChB + y/0m2xeBi/oYhhkXB17Sc2a8O8gA8DLm3bXqvO3T32pVJnyXj/ck + UU1P424zQjqhj5d+/xs/M96a/jiFc7pFAE4lCBI6ydDeUNBZgRle + X9R7Bp23/Uygd59wzEZ0Jvu2ls9x1bBGqtp71PsGRhKyU64XFEKT + aNknye/0TqRdTqpWzH6foTBjptYvn08cZmGVQNientSbqWk+pvgx + JtM9piiGDlUaPcizdnL5O3xVfjwYQNRteVPwXepkBSl9yPIG49yk + nUcHfj0S2NCQy1OYqhy+oFYr+2aJG0CON5LFrwkaUU0bvRAXpW33 + hqN5/+8cApccXAehD42+gKVr+M/vNJGat46KKX6PF1ZflFfrE7jx + D3Jza0N4dTXDRCagj30QmegziIA2vylt+7jH7FHUVvOfTZaHMqvy + Zfc9dFKYpqJKrFEaMv6Fqawejir8kF9CUpSAF2O7A843vFQuVRgI + wp1M+D4xnvxnLbehLzqEZ6ZSSIPoHXzitfz9/oycCfUbIyYE4TW9 + 8wEwfpj4wCO1Gldl+2rZYUEb5mjkkltR1O8s5rYqoxVSVKUrAD/f + HYdOzteWkNQkyiTo/Q== + + PayloadDescription + Adds a PKCS#1-formatted certificate + PayloadDisplayName + US Treasury Root CA.cer + PayloadIdentifier + com.apple.security.pkcs1.B08984B4-867E-48B7-A5DD-26FDCBBF7DF6 + PayloadType + com.apple.security.pkcs1 + PayloadUUID + B08984B4-867E-48B7-A5DD-26FDCBBF7DF6 + PayloadVersion + 1 + + + PayloadCertificateFileName + Entrust_Managed_Services_Root_CA.cer + PayloadContent + + MIIG3DCCBMSgAwIBAgIUIV542ZZIsCHGOUplZtjgD0ah5ZUwDQYJ + KoZIhvcNAQEMBQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Uu + Uy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UEAxMb + RmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMB4XDTIwMTExODE0 + MzAzNFoXDTI5MDgxNDEzMzAzNFowbjELMAkGA1UEBhMCVVMxEDAO + BgNVBAoTB0VudHJ1c3QxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24g + QXV0aG9yaXRpZXMxKTAnBgNVBAsTIEVudHJ1c3QgTWFuYWdlZCBT + ZXJ2aWNlcyBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A + MIIBCgKCAQEA572gaoFb74+gsCeMrlon3dv5pjLJyU4nCO0QqiSh + zXK8ZqgwNa47z+KdF3w1ofeRxYsu0qg/6gzlQU5s1DblG8CeNsXX + owjaYwDAMosDSR4HrsLttr1C/4xxLkKejX4GQ01kpTHWMejtpioG + MH3FqgK+E9Ga7hGU9rgy0CeVM2/LoJ3ekt36xdpndCEbUfe9yQIl + iEICbJbKhxcMebJKAOb6g8jyr0CzeKXnDqwVMUEn4REDsVxQgEzm + QMryWdr/LBZckS40AEEhc4D1ojtssABvKrb9NzpGnSCPSDFXFY8N + 5C++CmA2OhZaZOHg//p85PExb4AVBmyZceIay1wezQIDAQABo4IC + gjCCAn4wHQYDVR0OBBYEFElUkUxpRDvE+AIs9PgtM1aJdZgQMB8G + 
A1UdIwQYMBaAFPQnXKnDfEf0+qansFmXqt01JhfjMA4GA1UdDwEB + /wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MIGzBgNVHSAEgaswgagw + DAYKYIZIAWUDAgEDEjAMBgpghkgBZQMCAQMTMAwGCmCGSAFlAwIB + AxQwDAYKYIZIAWUDAgEDBjAMBgpghkgBZQMCAQMHMAwGCmCGSAFl + AwIBAwgwDAYKYIZIAWUDAgEDJDAMBgpghkgBZQMCAQMNMAwGCmCG + SAFlAwIBAxEwDAYKYIZIAWUDAgEDJzAMBgpghkgBZQMCAQMoMAwG + CmCGSAFlAwIBAykwXQYIKwYBBQUHAQsEUTBPME0GCCsGAQUFBzAF + hkFodHRwOi8vcm9vdHdlYi5tYW5hZ2VkLmVudHJ1c3QuY29tL1NJ + QS9DZXJ0c0lzc3VlZEJ5RU1TUm9vdENBLnA3YzASBgNVHSQBAf8E + CDAGgAEAgQEAMA0GA1UdNgEB/wQDAgEAMFEGCCsGAQUFBwEBBEUw + QzBBBggrBgEFBQcwAoY1aHR0cDovL3JlcG8uZnBraS5nb3YvZmNw + Y2EvY2FDZXJ0c0lzc3VlZFRvZmNwY2FnMi5wN2MwNwYDVR0fBDAw + LjAsoCqgKIYmaHR0cDovL3JlcG8uZnBraS5nb3YvZmNwY2EvZmNw + Y2FnMi5jcmwwVwYDVR0hBFAwTjAYBgpghkgBZQMCAQMSBgpghkgB + ZQMCAQMtMBgGCmCGSAFlAwIBAxMGCmCGSAFlAwIBAy4wGAYKYIZI + AWUDAgEDFAYKYIZIAWUDAgEDLzANBgkqhkiG9w0BAQwFAAOCAgEA + v65FJeNH7H2AjfuaAa2kNJGBI+QaltbncrWbISA31sateJabjnoc + yW1TfbtQUzlsiATk5p8RaT+LPRVRNs/4TtYs6XkhItOYMIcNkBk8 + jc+4xKMR8GXA/sPfZa7Wo7Vk1TcNMdO2DZtEumaH94zq/CtLbyzB + NHj4N5hZyE9S/lX2JAVzRFuNjsgbEgza7+q2WNb5oo8JKRFJNUTh + 9KvFpmHOeqyngGivIzLvc0w61mV9ZPAqKYdS59ZD2b91LKIFAr2C + BGhwrY5Mj/VTIRdklPa7cPcXumCWgBCtln7LlhPrxg7OTDvvRDjt + 6aHJuRn4lesOHpbgiaQWxUBrfD/id7tLacEpvWNZR3wENnU805LH + Ak2GvNvjzXelhgAfr81GSxCX8gw0paZHotoh5zWuHksBwCAoDIQe + PW738hp0NQc3KsaWxMZyuXFt4EuchW7TjpAIiiDjvqg5t2z7+xfp + Em5TegTg8d9dsqw0Jch4xOGqrqmM0SvR7+dRUthESnUMaKacVOlr + orHt31s+lNjLrnPHc3F8YPzC1Q+0ftxVoqugK+O0wxSlmlxew1J2 + tKdiW58yw5u2mtzO0WNj1gUuvyUfw33AQ88nZCgtNUWrponvTf7o + nW+RcEJv+N/6JyYmDIp+1qtsrtLmwAoNfe/KAKBWumEv5d0EqR8j + WoFfJ0I= + + PayloadDescription + Adds a PKCS#1-formatted certificate + PayloadDisplayName + Entrust_Managed_Services_Root_CA.cer + PayloadIdentifier + com.apple.security.pkcs1.7C0E0413-869C-4814-9D06-B84CEBD614F0 + PayloadType + com.apple.security.pkcs1 + PayloadUUID + 7C0E0413-869C-4814-9D06-B84CEBD614F0 + PayloadVersion + 1 + + + PayloadCertificateFileName + ORC_SSP_4.cer + PayloadContent + + 
MIIF6jCCA9KgAwIBAgIUIKDlEzZ4gVWaXn0g01+nxnOaQqswDQYJ + KoZIhvcNAQEMBQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Uu + Uy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UEAxMb + RmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMB4XDTIwMTExODE0 + MzgxMFoXDTI0MDEyMTE0MzgxMFowMzELMAkGA1UEBhMCVVMxEDAO + BgNVBAoTB09SQyBQS0kxEjAQBgNVBAMTCU9SQyBTU1AgNDCCASIw + DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+8Vn6VCWBxlRtK + xHs4t6xaegUojqdx2LcP2jGps1OZnnoNsdscTsiLGd+NodHeF+9d + 8EH57pzPDeJEBP7fWlWOfqxPbrDLE+CjlXxCafxQfuJ1GUsVQd/5 + YtYE3A+fTlgAnplLT536MBiF0E9Vj6s9MJ5Xn4XfSaX8ygTr+eon + Q50ffoObyoB5pgNxbbjCxjoUKgExTb8CYMY2dlX86A4K9Z+JNpRZ + CmnBN44kNaPeqlr67zJJMjPCmPLemWd32saVRXA4A8fVDLF0b+2n + KgUVxgeXJAqmj7XtYrjF7945mnh/V70FVx6LtdMUZh6X6SwKycDd + lqvMFM/xXVO3cjkCAwEAAaOCAcswggHHMB0GA1UdDgQWBBQUC5kf + mB9kjG/D/3rV//X4TkmcITAfBgNVHSMEGDAWgBT0J1ypw3xH9Pqm + p7BZl6rdNSYX4zAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw + AwEB/zBrBgNVHSAEZDBiMAwGCmCGSAFlAwIBAwYwDAYKYIZIAWUD + AgEDBzAMBgpghkgBZQMCAQMIMAwGCmCGSAFlAwIBAyQwDAYKYIZI + AWUDAgEDDTAMBgpghkgBZQMCAQMRMAwGCmCGSAFlAwIBAycwSAYI + KwYBBQUHAQsEPDA6MDgGCCsGAQUFBzAFhixodHRwOi8vY3Jsc2Vy + dmVyLm9yYy5jb20vY2FDZXJ0cy9PUkNTU1A0LnA3YzASBgNVHSQB + Af8ECDAGgAEAgQEAMA0GA1UdNgEB/wQDAgEAMFEGCCsGAQUFBwEB + BEUwQzBBBggrBgEFBQcwAoY1aHR0cDovL3JlcG8uZnBraS5nb3Yv + ZmNwY2EvY2FDZXJ0c0lzc3VlZFRvZmNwY2FnMi5wN2MwNwYDVR0f + BDAwLjAsoCqgKIYmaHR0cDovL3JlcG8uZnBraS5nb3YvZmNwY2Ev + ZmNwY2FnMi5jcmwwDQYJKoZIhvcNAQEMBQADggIBADDa5QrQwTfD + gnUqITxrtknboi09z/Suz4Y8vlzEgv2CxHi7u3N4I53ljlx6GN3l + 1WDt4oYzTUlVUGR02R9xizl2bVtwfivlQoIbgtyR+pbBbFZlRegH + GtBMGwl2Bo5VMTpCHM32ksVQn2GkAp4QnSNIMJdS+QqQGswSbpHF + CKqLVBo1qnkFccQqYJqP7DC/Hae+Xi73VrydMB3wywDZ/OhJ0Yv6 + AB2KsVRbhenyt6rIwTNoUccJG69n05lsiN4H3pktD/wthpMdDz0N + 0BwwAs1nA2qwwNUboEe0STq9PIDMm8a4wQpiIsyLHk9H5SUtPMyA + At+wHn9pGbOGk8T72s8RRWLhXOhQyQjpkIDsVmSlX/AHinutL/AD + GPMvpn2DadHusk9Piu2uMDyRrpQUTr0xDBQmTUKnHINM5q20CkGc + xKgOoGvN0EQEhR8BwNADkP0IB1ROzqqXUdKSgH9LSs/zjdIu+J0b + gixPrTr+/gSq21TfuqSyDDnoACgDXiClnSdEQITit1p4KysHnGVT + 
oQ/UddlT68TAl/2DtJnObfZPEH9BkmyX9ozS+gzW28x/c5mWdFbk + wvkzAyrB3+mN5VCp+RDXOJwD/CZqpm8koX+H1ta3TyC+y4B9oTdW + Nici1TFYGocZw7h5yxxNKieQLhwEhusu6kGIITHUxmfZBFNS + + PayloadDescription + Adds a PKCS#1-formatted certificate + PayloadDisplayName + ORC SSP 4 + PayloadIdentifier + com.apple.security.pkcs1.9FB03A29-C5D5-47C2-B231-D778E506550C + PayloadType + com.apple.security.pkcs1 + PayloadUUID + 9FB03A29-C5D5-47C2-B231-D778E506550C + PayloadVersion + 1 + + + PayloadCertificateFileName + WidePoint_ORC_SSP_5.cer + PayloadContent + + MIIF/jCCA+agAwIBAgIUIQs/F9t1DmFusl8/C0kz5amMRJswDQYJ + KoZIhvcNAQEMBQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Uu + Uy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UEAxMb + RmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMB4XDTIwMTExOTE0 + MTYwMFoXDTMwMTEwNTE0MTYwMFowPTELMAkGA1UEBhMCVVMxEDAO + BgNVBAoMB09SQyBQS0kxHDAaBgNVBAMME1dpZGVQb2ludCBPUkMg + U1NQIDUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCV + xl6v6mG30QXESgG+8sKlqoWrn8WGnmGGd9JJBXxmf00h5/NTaPbh + 4kwxikD3DSoJV3r0U5dzRYlH2/SDA2mCBRjRz8I8VE6LWJilvIl2 + gzm9CASUmeK5M/gp4zMPbOB19jzHj3CuRI3YKPgczCFuDPznovY3 + xLUIsUlVYyciLiVR1GbtpgihvrLUl47+teSWn9rF7OJe8DI9TTqA + 1HEKJbYY3ng1Y3aA/+7aGloNYHyJZhsAijTxuABPktwhVOp+J0pc + 8PSnTUA3dJe5cPexDUsw5pWp9mT9fluQ9hfoSYeKLTQhlJpn2Zum + bCkCNE38ny6ZxwWjy5U+4MwPzyJdAgMBAAGjggHVMIIB0TAdBgNV + HQ4EFgQUI7hOsU5tJESLRGenZc+hOzmUZtwwHwYDVR0jBBgwFoAU + 9CdcqcN8R/T6pqewWZeq3TUmF+MwDgYDVR0PAQH/BAQDAgEGMA8G + A1UdEwEB/wQFMAMBAf8wawYDVR0gBGQwYjAMBgpghkgBZQMCAQMG + MAwGCmCGSAFlAwIBAwcwDAYKYIZIAWUDAgEDCDAMBgpghkgBZQMC + AQMkMAwGCmCGSAFlAwIBAw0wDAYKYIZIAWUDAgEDETAMBgpghkgB + ZQMCAQMnMFIGCCsGAQUFBwELBEYwRDBCBggrBgEFBQcwBYY2aHR0 + cDovL2NybC1zZXJ2ZXIub3JjLmNvbS9jYUNlcnRzL1dpZGVQb2lu + dE9SQ1NTUDUucDdjMBIGA1UdJAEB/wQIMAaAAQCBAQAwDQYDVR02 + AQH/BAMCAQAwUQYIKwYBBQUHAQEERTBDMEEGCCsGAQUFBzAChjVo + dHRwOi8vcmVwby5mcGtpLmdvdi9mY3BjYS9jYUNlcnRzSXNzdWVk + VG9mY3BjYWcyLnA3YzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8v + cmVwby5mcGtpLmdvdi9mY3BjYS9mY3BjYWcyLmNybDANBgkqhkiG + 
9w0BAQwFAAOCAgEAo8X9GhqzuIWWEIERj2U3cJF2dx7RWYW1+w+Y + pxjhXbnbu4Vd9qE1/an6w8h0z//UZohrtsI3BTXibfldG9DKvG0x + IiiXvZOOXzX09phgBGEtP4uPXSjBlN43jsF65/K21NH5NHh2so1F + pBIxwsvfLiQtN91opi9iq4X+qC4+g/nTFaEvlM2Ip6xImBsG7kB5 + hsSigrmBapI4ncdWMpCd/HMbI0v/EH6vvib0blEsnzd5sZ6KcwaV + Ze0xjHZCS4pbqKeMDiyemujDHQNcnYGHJIlxAzRbCzx8sNwpb75d + EeeiwxCjd/NXjlBeDW4YA+2K9VuzZNy39jKCETGt0rpKPYkuNptw + 8h2z4u4bk4QVgvjlrg/drnCXmFEBsWfFqFndJKTK4mgimMqZEMDO + tRGd3mG2lHWpT4ILBEQ24n5f4QKSro/hNv4epQc/3Rg23E3S5r3i + zRElaTE/ABa6dyZyjdBVpCwcGni2qzhelILamir2PwVdfrHRxbam + BJfB1ZcVh7hnbF9oUtB2iKal87jFx/DuU0ZrH6izES6e0/yylFmS + L2IufXbRo/FPVJO1RSmQ6ZhO08O88ekmb39dqW6OrickuzxA0aHB + 8rhC3LKilHqCzBK+yqQ17eTy6bBoHswADAgPfSbza8VYlqt7yHbJ + 1YTAH+fhWePjhyMHBpV79QM= + + PayloadDescription + Adds a PKCS#1-formatted certificate + PayloadDisplayName + WidePoint ORC SSP 5 + PayloadIdentifier + com.apple.security.pkcs1.A50E2904-6986-45DE-9CE4-DC5F76778FFF + PayloadType + com.apple.security.pkcs1 + PayloadUUID + A50E2904-6986-45DE-9CE4-DC5F76778FFF + PayloadVersion + 1 + + + PayloadDescription + This profile will update an unmanaged macOS/iOS device to trust the Federal Common Policy CA G2 and the intermediate CA certificates it has issued. + PayloadDisplayName + Distribute FCPCAG2 and Intermediates + PayloadIdentifier + FCPCAG2-00002 + PayloadRemovalDisallowed + + PayloadType + Configuration + PayloadUUID + 77C84129-D0BC-4BDA-8180-89C87DADF9C6 + PayloadVersion + 1 + + diff --git a/_implement/certs/fpki-unmanaged-bundle.p7b b/_implement/certs/fpki-unmanaged-bundle.p7b new file mode 100644 index 000000000..e0758dc66 Binary files /dev/null and b/_implement/certs/fpki-unmanaged-bundle.p7b differ diff --git a/_implement/distribute-fcpca.md b/_implement/distribute-fcpca.md new file mode 100644 index 000000000..80691ba9f --- /dev/null +++ b/_implement/distribute-fcpca.md 
@@ -0,0 +1,1125 @@ +--- +layout: page +title: Enabling Enterprise Trust of the Common Policy Certificate +collection: implement +permalink: /implement/trust-fcpca/ +sticky_sidenav: true +sidenav: implement +site.baseurl: site.baseurl + +subnav: + - text: 1. Obtain and verify FCPCA + href: '#step-1---obtain-and-verify-the-fcpca-root-certificate' + - text: 2. Distribute the certificate to operating systems + href: '#step-2---distribute-to-operating-systems' + - text: 3. Verify operating system distribution + href: '#step-3---verify-operating-system-distribution' + - text: 4. Distribute to applications + href: '#step-4---distribute-to-applications' + - text: 5. Distribute intermediate certificates + href: '#step-5---distribute-intermediate-certificates' + - text: 6. Frequently Asked Questions + href: '#frequently-asked-questions' +--- + +Version 1.0 +July 2023 + +| Version Number | Date | Change Description | +| :----------: | :-------: | -------- | +| 1.0 | 07/2023 | Initial Draft | + +This guide provides information on distributing the Federal Common Policy CA G2 (FCPCAG2) certificate to government-furnished workstations and devices as a _trusted root certificate_. + +This guide is written for systems administrators who need to enable trust for the Federal Common Policy Root G2 ("FCPCAG2") within their enterprise. This guide replaces the previous FCPCA migration guide, since the migration to FCPCAG2 has been completed. This guide contains the portions of the previous guide that are still useful, including information about how to distribute the FCPCAG2 root certificate, and how to verify that the certificate is working as intended. + +Enabling Enterprise trust of the FCPCA Root Certificate requires the following steps: + +1. [Obtain and verify the FCPCAG2 Certificate](#step-1---obtain-and-verify-the-fcpca-root-certificate) +1. [Distribute the certificate to operating systems](#step-2---distribute-to-operating-systems) +1. 
[Verify operating system distribution](#step-3---verify-operating-system-distribution) +1. [Distribute to applications](#step-4---distribute-to-applications) +1. [Distribute intermediate certificates](#step-5---distribute-intermediate-certificates) + +This guide ends by presenting answers to [Frequently Asked Questions](#frequently-asked-questions) + +{% include alert-info.html content='**We’re calling for all solutions!** If you’d like to share your agency’s playbook on how to distribute a trusted root CA certificate to an application trust store, create an [issue on GitHub](https://github.com/GSA/idmanagement.gov/issues/new){:target="_blank"}{:rel="noopener noreferrer"} or email us at .' %} + +# Step 1 - Obtain and verify the FCPCA root certificate + +The first step in this process is to obtain a copy of the FCPCAG2 root certificate, and verify its authenticity. + +## Download a Copy of the FCPCA root certificate + +To download a copy of the FCPCAG2 root certificate, use one of these recommended options: + +- Download the certificate from +- Email to request an out-of-band copy for download. + +{% include alert-warning.html content="_You should never install a root certificate before you verify it._ The procedures below describe how to verify the authenticity of your copy of the FCPCA root certificate. Your certificate details and hash must match the expected values in the following table." %} + +| **FCPCA** | **Certificate Details** | +| :-------- | :------- | +| Distinguished Name | cn=Federal Common Policy CA G2, ou=FPKI, o=U.S. Government, c=US | +| Serial Number | 21e5b9a0cc956de278ca012ba8fdc58a98b3fbea | +| SHA-1 Thumbprint | 99B4251E2EEE05D8292E8397A90165293D116028 | +| SHA-256 Thumbprint | 5F9AECC24616B2191372600DD80F6DD320C8CA5A0CEB7F09C985EBF0696934FC | + +## Verify Your Copy of the FCPCA root certificate + +To verify your copy of the FCPCA root certificate, use one of these options: + +### On Windows: Use Microsoft Certutil + +1. 
Click **Start**, type **cmd**, and press **Enter**. +2. Run the following command: + + ```bash + certutil -hashfile {DOWNLOAD_LOCATION}\fcpcag2.crt SHA256 + ``` + +**Note:** The following video shows you how to verify your copy of the FCPCA root certificate on Microsoft Server 2016. [Click for a larger version]({{site.baseurl}}/assets/fpki/verify.gif){:target="_blank"}{:rel="noopener noreferrer"} + +[![A video that shows the verification steps performed on Microsoft Server 2016]({{site.baseurl}}/assets/fpki/verify.gif){:style="width:100%;"}]({{site.baseurl}}/assets/fpki/verify.gif){:target="_blank"}{:rel="noopener noreferrer"} + +### On macOS: Use Terminal + +1. Click the **Spotlight** icon and search for _Terminal_. +2. Double-click the **Terminal** icon (black monitor icon with white ">_") to open a window. +3. Run the following command: + + ``` bash + shasum -a 256 {DOWNLOAD_LOCATION}/fcpcag2.crt + ``` + +**Note:** The following video shows you how to verify your copy of the FCPCA root certificate on macOS Catalina (10.15). [Click for a larger version]({{site.baseurl}}/assets/fpki/download_and_verify.gif){:target="_blank"}{:rel="noopener noreferrer"} + +[![The following video shows you how to verify your copy of the FCPCA root certificate on macOS Catalina 10 point 15]({{site.baseurl}}/assets/fpki/download_and_verify.gif){:style="width:85%;"}]({{site.baseurl}}/assets/fpki/download_and_verify.gif){:target="_blank"}{:rel="noopener noreferrer"} + +### On Linux/Unix: Use the Command Line + +1. Open the command line. +2. Run the following command: + + ```bash + sha256sum {DOWNLOAD_LOCATION}/fcpcag2.crt + ``` + +After you have verified the certificate, you are ready to distribute the FCPCA root certificate certificate within your environment. 
+ +- [You can distribute it to operating systems in your environment](#step-2---distribute-to-operating-systems), or +- you can [distribute it to applications within your environment](#step-3---verify-operating-system-distribution). + +# Step 2 - Distribute to operating systems + +To distribute the Federal Common Policy CA G2 (FCPCAG2) certificate, use one of these options: + +## For Microsoft Windows + +- [Use Microsoft Certutil](#use-microsoft-certutil) +- [Use Microsoft Group Policy Object (GPO)](#use-microsoft-group-policy-object-gpo) +- [Use third-party configuration management tools](#use-third-party-configuration-management-tools) +- [Use Microsoft Certificate Manager for unmanaged devices](#use-microsoft-certificate-manager-for-unmanaged-devices) + +## For macOS + +- [Use an Apple configuration profile](#create-distribute-and-install-an-apple-configuration-profile) +- [Use the command line](#install-fcpca-using-command-line) +- [Use Apple Keychain](#install-fcpca-using-apple-keychain-access) + +## For iOS + +- [Use an Apple configuration profile](#install-fcpca-using-an-apple-configuration-profile-in-ios) +- [Use the Safari Web Browser](#install-fcpca-using-safari-web-browser) +- [Enable Full Trust for the FCPCA root certificate](#enable-full-trust-for-fcpca) + +## For Linux/Unix + +- [Use the command line](#linux-and-unix-solutions) + +--- + +## Microsoft Solutions + +### Use Microsoft Certutil + +{% include alert-warning.html content="You must have Enterprise Administrator privileges for the domain to use these procedures. The commands must be run from an agency domain controller." %} + +1. Click **Start**, type **cmd**, and press **Enter**. +1. Run the following command: + + ```bash + certutil -dspublish -f [PATH\]fcpcag2.crt RootCA + ``` + +1. To verify that the FCPCA root certificate was distributed, run the following commands: + + ```bash + gpupdate /force + certutil -viewstore -enterprise + ``` + +1. 
Confirm that the output details include the FCPCAG2 root certificate. +1. Verify the certificate details against the [expected values](#step-1---obtain-and-verify-the-fcpca-root-certificate) (for example, serial number, hash, etc.). + +**Note:** The following video shows you how to distribute the FCPCAG2 root certificate using Microsoft Certutil. [Click for a larger version]({{site.baseurl}}/assets/fpki/certutil.gif){:target="_blank"}{:rel="noopener noreferrer"}. + +[![A video that shows the distribution and verification steps performed using Microsoft Certutil]({{site.baseurl}}/assets/fpki/certutil.gif){:style="width:85%;"}]({{site.baseurl}}/assets/fpki/certutil.gif){:target="_blank"}{:rel="noopener noreferrer"} + +### Use Microsoft Group Policy Object (GPO) + +{% include alert-warning.html content="You must have Enterprise Administrator privileges for the Domain to use these procedures. The commands must be run from an agency Domain Controller." %} + +1. Navigate to **Server Manager**. +1. Select **Tools**. +1. Select **Group Policy Management** from the drop-down list. +1. Right-click your desired domain(s), and select **Create a GPO in this domain, and Link it here**. +1. Enter a GPO **Name**, and click **OK**. +1. Right-click the newly created GPO and click **Edit**. +1. Navigate to **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies**. +1. Right-click **Trusted Root Certification Authorities**, and select **Import**. + + The Certificate Import Wizard appears. + +1. Browse to and select your copy of the FCPCAG2 root certificate. +1. Verify that the target **Certificate Store** presents **Trusted Root Certification Authorities**, and select **Next**. +1. Select **Finish** to complete the import. + + A success message appears. + +1. Close the **Group Policy Management** window. +1. Wait for clients to consume the new policy. +1. 
(_Optional_) To force client consumption, click **Start**, type **cmd**, press **Enter**, and run the following command: + + gpupdate /force + +**Note:** The following video shows you how to distribute the FCPCA root certificate with Microsoft GPO. [Click for a larger version]({{site.baseurl}}/assets/fpki/gpo.gif){:target="_blank"}{:rel="noopener noreferrer"}. + +[![A gif that shows the distribution and verification steps performed with Microsoft Group Policy Object also known as GPO]({{site.baseurl}}/assets/fpki/gpo.gif){:style="width:85%;"}]({{site.baseurl}}/assets/fpki/gpo.gif){:target="_blank"}{:rel="noopener noreferrer"} + +### Use Third-Party Configuration Management Tools + +{% include alert-warning.html content="To follow these steps, you must have Enterprise Administrator privileges for the Domain. You will need to run these commands from an agency domain controller." %} + +You can use third-party configuration management tools, such as BigFix. + +1. Using BigFix, schedule a task and push the certificate file. Run the following command (example): + + ```bash + certutil -f -addstore root “fcpcag2.crt” + ``` + +### Use Microsoft Certificate Manager for Unmanaged Devices + +To distribute the FCPCAG2 root certificate to unmanaged devices: + +1. Click **Start**, type **certmgr.msc**, and press **Enter**. +1. Right-click **Trusted Root Certification Authorities**, and select **All Tasks** > **Import**. +1. When the Certificate Import Wizard appears, browse to and select your copy of the FCPCAG2 root certificate. +1. Verify that the desired **Certificate Store** displays **Trusted Root Certification Authorities**, and select _Next_. +1. Select _Finish_ to complete the import. +1. A success message appears. + +**Note:** If several users share a device, you can run the **certlm.msc** to simultaneously update the certificate stores for the accounts on the device (vs. updating each account separately). 
+ +--- + +## macOS Solutions + +### Create, Distribute, and Install an Apple Configuration Profile + +For **macOS and [iOS](#install-fcpca-using-an-apple-configuration-profile-in-ios)** government-furnished devices, you can use Apple configuration profiles (XML files) to distribute and automatically install the FCPCAG2 root certificate. + +These steps describe how to create, distribute, and install profiles using Apple’s free _Configurator 2_ application. There are also available third-party applications. + +{% include alert-warning.html content="Only System or mobile device management (MDM) administrators should create, distribute, and install Apple configuration profiles." %} + +### Create an Apple Configuration Profile + +1. As an administrator, [download and verify](#step-1---obtain-and-verify-the-fcpca-root-certificate) a copy of the FCPCA root certificate to your device. +1. Download and install _Configurator 2_ from the Apple App Store. +1. Open _Configurator 2_ and click **File** > **New Profile**. +1. On the **General** tab, enter a unique profile **Name** (for example, _FCPCA Profile_) and **Identifier** (for example, _FCPCA-0001_). +1. On the **Certificates** tab, click **Configure**. +1. Browse to and select your verified copy of the FCPCAG2 root certificate. +1. (_Optional_) Add additional agency-specific configurations or customizations. +1. Click **File** > **Save** to save your profile to your preferred location. +1. [Distribute the profile across your enterprise](#distribute-an-apple-configuration-profile). + +**Note:** The following video shows you how to create an Apple configuration profile. 
[Click for a larger version.]({{site.baseurl}}/assets/fpki/create_profile.gif){:target="_blank"}{:rel="noopener noreferrer"} + +[![A video that shows the steps to create an Apple configuration profile.]({{site.baseurl}}/assets/fpki/create_profile.gif){:style="width:85%;"}]({{site.baseurl}}/assets/fpki/create_profile.gif){:target="_blank"}{:rel="noopener noreferrer"} + +**APPLE CONFIGURATION PROFILE (EXAMPLE)** +{:.text-center} + +{% include alert-warning.html content="Before using this profile, you should verify that it is suitable for your agency." %} + +To use this profile, copy the XML information and save it as a `.mobileconfig` file. + +```xml + + + + + PayloadContent + + + PayloadCertificateFileName + fcpcag2.crt + PayloadContent + + MIIF3TCCA8WgAwIBAgIUIeW5oMyVbeJ4ygErqP3Fipiz++owDQYJKoZIhvcNAQEM + BQAwXDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsG + A1UECxMERlBLSTEkMCIGA1UEAxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcy + MB4XDTIwMTAxNDEzMzUxMloXDTQwMTAxNDEzMzUxMlowXDELMAkGA1UEBhMCVVMx + GDAWBgNVBAoTD1UuUy4gR292ZXJubWVudDENMAsGA1UECxMERlBLSTEkMCIGA1UE + AxMbRmVkZXJhbCBDb21tb24gUG9saWN5IENBIEcyMIICIjANBgkqhkiG9w0BAQEF + AAOCAg8AMIICCgKCAgEA19fTFzEmIRgQKkFty6+99sRRjCTYBYh7LloRpCZs4rgp + Bk+/5P4aZYd5v01GYBfOKywGJyFh4xk33/Q4yACoOT1uZOloNq/qhhT0r92UogKf + 77n5JgMhvg/bThVB3lxxahZQMM0YqUhg1rtaKRKsXm0AplhalNT6c3mA3YDSt4+7 + 5i105oE3JbsFjDY5DtGMYB9JIhxobtWTSnhL5E5HzO0GVI9UvhWAPVAhxm8oT4wx + SOIjZ/MywXflfBrDktZu1PNsJkkYJpvFgDmSFuEPzivcOrytoPiPfgXMqY/P7zO4 + opLrh2EV5yA4XYEdoyA2dVD8jmm+Lk7zgRFah/84P2guxNtWpZAtQ9Nsag4w4Emt + Rq82JLqZQlyrMbvLvhWFecEkyfDzwGkFRIOBn1IbUfKTtN5GWpndl8HCUPbR2i7h + pV9CFfkXTgsLGTwMNV2xPz2xThrLDu0jrDG+3/k42jB7KH3SQse72yo6MyNF46uu + mO7vORHlhOTVkWyxotBU327XZfq3BNupUDL6+R4dUG+pQADSstRJ60gePp0IAtQS + HZYd1iRiXKpTLl0kofB2Y3LgAFNdYmaHrbrid0dlKIs9QioDwjm+wrDLAmuT4bjL + ZePhc3qt8ubjhZN2Naz+4YP5+nfSPPClLiyM/UT2el7eY4l6OaqXMIRfJxNIHwcC + AwEAAaOBljCBkzAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV + 
HQ4EFgQU9CdcqcN8R/T6pqewWZeq3TUmF+MwUQYIKwYBBQUHAQsERTBDMEEGCCsG + AQUFBzAFhjVodHRwOi8vcmVwby5mcGtpLmdvdi9mY3BjYS9jYUNlcnRzSXNzdWVk + QnlmY3BjYWcyLnA3YzANBgkqhkiG9w0BAQwFAAOCAgEAAWQ3MAzwzr3O1RSBkg06 + NCj7eIL7/I5fwTBLhpoMhE0XoaoPUie0gqRo3KO2MhuBtacjy55ihIY87hShGoKQ + cbA1fh7e4Cly5QkOY+KbQsltkKzgod2zmPyC0bEOYD2LO141HyeDWdQ6dDXDz6dr + 8ObntOfMzgdo7vodCMuKU8+ysTdxRxTCi6AVz3uqe5k+ObJYpC0aXHNMy1OnFgL6 + oxMeGMlSecU/QUAIf0ncDurYFSctFwXitTC0CrcLO9/AGHqTFSHzUrIlbrgd/aGO + +E3o3QoU+ThCPPnu1K2KZLG4pyMqdBm4y7rVGPRikLmFhIv/b6b2CL8yiYL0+mJD + crTVs0PYfALtQxMpSA8n053gajlPwhG3O5jcL8SzqlaGPmGqpnEi9aWAYHJXTzbj + zGUAc2u8+Kw8Xv4JffhVWIxVKH4NS5PCtgXwxifgrmPi0/uU1w0crclEsSsya7FI + BVRTURoSwwda25wIIWPIkQsQK1snJxgEyUzXi10MUDR0WSDqQAdhbOLcmcyhED5h + phYQnf8sD8FpoUDjoLCPkU/ytfZoplmcBM4SQ4Ejgjyk63vMqBDcCMXTHciFTsV2 + e+aReLvIvU4YmaBQQl3vCFj1qMPIkRsTby1Ff8hRDQG3kH0vefcVtcicsdU8kV2M + ee/xJ/c0cIHZWMw0HoRZPbo= + + PayloadDescription + Adds a CA root certificate + PayloadDisplayName + Federal Common Policy CA + PayloadIdentifier + com.apple.security.root.1EB75E7D-C3BC-46C2-AF42-51D80A2E12FC + PayloadType + com.apple.security.root + PayloadUUID + 1EB75E7D-C3BC-46C2-AF42-51D80A2E12FC + PayloadVersion + 1 + + + PayloadDisplayName + Federal Common Policy Certification Authority Profile + PayloadIdentifier + FCPCA-0001 + PayloadRemovalDisallowed + + PayloadType + Configuration + PayloadUUID + AAD17D9A-DA41-4197-9F0F-3C3C6B4512F9 + PayloadVersion + 1 + + +``` + +### Distribute an Apple Configuration Profile + +{% include alert-warning.html content="Only System or MDM Administrators should use these steps. You should never email an Apple configuration profile to someone outside your agency's domain." %} + +You can use Apple's _Configurator 2_ to distribute your Apple configuration profile to government-furnished macOS and iOS devices in the following ways: + +- Physically connect to the user's device. 
+- Email a profile to specific users.* +- Share a profile on an agency intranet webpage.* +- [Share via over-the-air profile delivery and configuration (Apple Developer Library)](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html#//apple_ref/doc/uid/TP40009505){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. +- [Share via over-the-air delivery and configuration from an MDM server (Apple Developer Library)](https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/MobileDeviceManagementProtocolRef/6-MDM_Best_Practices/MDM_Best_Practices.html#//apple_ref/doc/uid/TP40017387-CH5-SW2){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. Third-party applications are also available. + +> ***For iOS only** -- If you download and install the FCPCAG2 root certificate from an email or an intranet website, you will need to _manually enable SSL trust for FCPCA_. This is not needed if you use Configurator 2 with over-the-air (OTA) methods or an MDM enrollment profile to install the FCPCAG2 root certificate. (See [Enable Full Trust for FCPCA](#enable-full-trust-for-fcpca).) + +### Install an Apple Configuration Profile + +We recommend using an automated method to install Apple configuration profiles on government-furnished Apple devices (for example, a desktop configuration management or MDM tool), which will distribute FCPCA. (If you have questions about third-party products, email us at .) + +You can also manually install a profile. + +**Note:**The following video shows you how to manually install an Apple configuration profile on **macOS**. 
+ +[![A video that shows the steps to manually install an Apple configuration profile]({{site.baseurl}}/assets/fpki/manual_install_profile.gif){:style="width:85%;"}]({{site.baseurl}}/assets/fpki/manual_install_profile.gif){:target="_blank"}{:rel="noopener noreferrer"} + +### Install FCPCA Using Command Line + +{% include alert-info.html content="These steps describe how to install the FCPCA root certificate in the System Keychain. You must have system administrator privileges to perform these steps." %} + +1. Click the **Spotlight** icon and search for _Terminal_. +1. Double-click the **Terminal** icon (black monitor icon with white “>_”) to open a window. +1. Run the following command: + + ```bash + sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" {DOWNLOAD_LOCATION}/fcpcag2.crt + ``` + +**Note:**The following video shows you how to install FCPCA using the command line. [Click for a larger version]({{site.baseurl}}/assets/fpki/install_command_line.gif){:target="_blank"}{:rel="noopener noreferrer"} + +[![A video that shows the steps to install FCPCA using the macOS command line.]({{site.baseurl}}/assets/fpki/install_command_line.gif){:style="width:85%;"}]({{site.baseurl}}/assets/fpki/install_command_line.gif){:target="_blank"}{:rel="noopener noreferrer"} + +### Install FCPCA Using Apple Keychain Access + +You can use the System Keychain or Login Keychain to install the FCPCA root certificate. + +#### System Keychain + +{% include alert-info.html content="These steps describe how to install FCPCA in the System Keychain. You must have system administrator privileges to perform these steps." %} + +1. Click the **Spotlight** icon and search for _Keychain Access_. +1. Double-click the **Keychain Access** icon to open the application. +1. Click the _System_ keychain from the left-hand navigation. +1. Click **File** -> **Import Items** +1. Browse to and select your verified copy of FCPCAG2. +1. 
When prompted, enter your _administrator_ username and password. +1. Keychain Access will present the installed certificate. + +**Note:**The following video shows administrators how to install FCPCAG2 by using the Apple Keychain Access import process. [Click for a larger version]({{site.baseurl}}/assets/fpki/keychain_gui_admin.gif){:target="_blank"}{:rel="noopener noreferrer"} + +[![A video that shows the steps for administrators to install FCPCAG2 using the Apple Keychain Access import process.]({{site.baseurl}}/assets/fpki/keychain_gui_admin.gif){:style="width:85%;"}]({{site.baseurl}}/assets/fpki/keychain_gui_admin.gif){:target="_blank"}{:rel="noopener noreferrer"} + +#### Login Keychain + +{% include alert-info.html content="These steps describe how to install FCPCA in the Login Keychain. Both system administrators and non-administrators can perform these steps." %} + +1. Browse to your downloaded, verified copy of FCPCA. +1. Double-click the file. +1. Keychain Access opens and displays the installed certificate. + +**Note:**The following video shows non-administrators how to install FCPCA using the Apple Keychain Access import process. [Click for a larger version]({{site.baseurl}}/assets/fpki/keychain_gui_non_admin.gif){:target="_blank"}{:rel="noopener noreferrer"} + +[![A video that shows the steps for non-administrators to install FCPCA using the Apple Keychain Access import process.]({{site.baseurl}}/assets/fpki/keychain_gui_non_admin.gif){:style="width:85%;"}]({{site.baseurl}}/assets/fpki/keychain_gui_non_admin.gif){:target="_blank"}{:rel="noopener noreferrer"} + +--- + +## iOS Solutions + +### Install FCPCA Using an Apple Configuration Profile in iOS + +You can use Apple configuration profiles to install the FCPCA root certificate on both macOS and iOS devices. + +Review the [Apple configuration profiles](#install-an-apple-configuration-profile) guidance for instructions. 
+ +### Install FCPCA Using Safari Web Browser + +You can use the Safari web browser to install the FCPCA root certificate on **iOS devices only**. + +{% include alert-info.html content="These steps describe how to install the FCPCA root certificate as a trusted root certificate. Both system administrators and non-administrators can perform these steps." %} + +1. Launch **Safari**. +1. Navigate to the FCPCA root CA certificate: . +1. System message says: *The website is trying to open Settings to show you a configuration profile. Do you want to allow this?* +1. Click **Allow**. The FCPCA root certificate configuration profile appears. +1. Click **More Details**, and then select the FCPCA certificate entry. +1. Scroll to **Fingerprints** and verify the certificate's SHA-256 hash against the [expected value](#step-1---obtain-and-verify-the-fcpca-root-certificate). +1. At the top left of screen, click **Back** and **Install Profile**. Then, click **Install** (top right). +1. When prompted, enter your device **passcode**. +1. Click **Install** in the upper right corner, and **Install** again. +1. Click **Done**. +1. Follow the steps below to enable [full trust for FCPCA](#enable-full-trust-for-fcpca). + +**Note:**The following video shows you how to install FCPCA using the Safari web browser. [Click for a larger version]({{site.baseurl}}/assets/fpki/ios_safari_configuration-g2.gif){:target="_blank"}{:rel="noopener noreferrer"} + +[![A video that shows the steps to install FCPCA in the Safari web browser.]({{site.baseurl}}/assets/fpki/ios_safari_configuration-g2.gif){:style="width:300px;"}]({{site.baseurl}}/assets/fpki/ios_safari_configuration-g2.gif){:target="_blank"}{:rel="noopener noreferrer"} + +### Enable Full Trust for FCPCA + +This option works for **iOS** devices only. + +{% include alert-info.html content="These steps describe how to enable “full trust” for certificates that chain to FCPCAG2. 
Both system administrators and non-administrators can perform these steps." %} + +1. On the iOS device's **Home** screen, select **Settings** > **General** > **About** > **Certificate Trust Settings**. +2. Under **Enable Full Trust for Root Certificates**, toggle _ON_ for the FCPCA root CA certificate entry. +3. When the certificate appears, click **Continue**. + +You can now successfully navigate to any intranet website whose SSL certificate was issued by a Federal Public Key Infrastructure (FPKI) CA. + +[![iOS full trust]({{site.baseurl}}/assets/fpki/ios_full_trust-g2.jpg){:style="width:300px;"}]({{site.baseurl}}/assets/fpki/ios_full_trust-g2.jpg){:target="_blank"}{:rel="noopener noreferrer"} + +--- + +## Linux and Unix Solutions + +### Debian-Based Kernels + +1. Launch the command line. + +1. Change directory with the following command: + + ``` bash + cd /usr/local/share/ca-certificates/ + ``` + +1. Convert the FCPCA certificate to PEM and set permissions with the following commands: + + ``` bash + sudo openssl x509 -inform der -in [PATH\]fcpcag2.crt -out fcpcag2-pem.crt + sudo chmod 644 fcpcag2-pem.crt + ``` + +1. Update Trusted Certificates with the following command: + + ``` bash + sudo update-ca-certificates + ``` + +### Red Hat Enterprise Linux, CentOS, and Other Non-Debian-Based Kernels + +1. Launch the command line. + +1. Change directory with the following command: + + ``` bash + cd /etc/pki/ca-trust/source/anchors/ + ``` + +1. Copy your verified copy of FCPCAG2 into the folder and set permissions with the following commands: + + ``` bash + sudo cp [PATH\]fcpcag2.crt . + sudo chown root.root fcpcag2.crt + sudo chmod 644 fcpcag2.crt + ``` + +1. Update Trusted Certificates with the following command: + + ``` bash + sudo /bin/update-ca-trust extract + ``` + +Next, verify distribution of the FCPCAG2 certificate as an operating system trusted root. 
+ +# Step 3 - Verify operating system distribution + +To verify that the Federal Common Policy CA G2 (FCPCAG2) certificate has been distributed to your agency's workstations and devices, use one of these options: + +## Verifying - Microsoft Windows + +- **Automated Solutions (_Recommended_)** + - [Use BigFix](#use-bigfix) + - [Use LANDesk 2016](#use-landesk-2016) +- **Manual Solutions** + - [Use Microsoft Certificate Manager](#use-microsoft-certificate-manager) + - [Use Microsoft Registry Editor](#use-microsoft-registry-editor) + +## macOS + +- [Use Keychain Access](#use-keychain-access) + +## iOS + +- [Use Settings](#use-settings) + +## Linux/Unix + +- [Use the Command Line](#use-the-command-line) + +--- + +## Verifying on Microsoft Windows + +### Use BigFix + +1. Download the BigFix Enterprise Suite (.bes) analysis file: [_FPKIRootG2Detection.bes_]({{site.baseurl}}/implement/FPKIRootG2Detection.bes){:target="_blank"}{:rel="noopener noreferrer"}. +1. Use Certutil or another tool to verify the .bes file's SHA-256 hash (_required_): + + ``` bash + certutil -hashfile [DOWNLOAD_LOCATION]\FPKIRootDetection.bes SHA256 + ``` + +1. The file's hash must match this one: + + ``` bash + 03bca16f7d21be344d954105b5ccb3caf578588cf6b8bd6f1cd03dfe298361bb + ``` + +1. Log into _BigFix_:**Start** > **IBM BigFix** > **IBM BigFix Console**. +1. Import the _FPKIRootG2Detection.bes_ file:**File** > **Import** > **Open**. The **Create Analysis** window appears. +1. Assign the file:for **Create in site**, select _site name_, and for **Create in domain**, select _domain name_. Click **Okay**. +1. On the left side panel, click **Analyses** to see a list of imported analysis files. +1. Click _Federal Common Policy CA Distribution Detection_ (i.e., _FPKIRootG2Detection.bes_) and click the **Results** tab to see the distribution analysis. If the analysis was not activated _by default_, right-click the file and then click **Activate Globally**. +1. 
For each workstation or device listed, "_Has FCPCA Been Distributed?_" should say **True**. If **False**, you'll need to investigate the cause of the failure. If you can't find a cause, please contact us at . + +![Sample Output]({{site.baseurl}}/assets/fpki/bigfix-results.jpg){:style="width:504px;"} + +### Use LANDesk 2016 + +1. Open _LANDesk 2016_:**Start** > **LANDesk Management** > **Desktop Manager**. +1. Create a custom registry data item:**Tools** > **Reporting/Monitoring** > **Manage software list**. +1. Expand **Custom Data**, and click **Registry items**. +1. Click **Add** to add a new registry item. +1. Add the data shown below for Windows 32-bit or 64-bit versions, based on GPO or Certutil distribution of FCPCA. + + - **Microsoft Windows 32-bit Versions** + + - GPO Distribution + + ``` bash + Root Key: HKLM + Key: SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028 + Value: BLOB + Attribute Name: Custom Data – FCPCAWin32 GPO – Certificate + ``` + + - Certutil Distribution + + ``` bash + Root Key: HKLM + Key: SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028 + Value: BLOB + Attribute Name: Custom Data – FCPCAWin32 certutil – Certificate + ``` + + - **Microsoft Windows 64-bit Versions** + + - GPO Distribution + + ``` bash + Root Key: HKLM + Key: SOFTWARE\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028 + Value: BLOB + Attribute Name: Custom Data – FCPCAWin64 GPO - Certificate + ``` + + - Certutil Distribution + + ``` bash + Root Key: HKLM + Key: SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028 + Value: BLOB + Attribute Name: Custom Data – FCPCAWin64 certutil - Certificate + ``` + +1. Create a query for the registry item:on the left side panel, expand **Network View**, and click **Queries**. +1. 
Right-click **My Queries**, select **New Query**, and enter a _query name_ (e.g., _FCPCA Verification: Win32 Machines_). +1. Under **Machine Component**, expand **Computer**, click **Custom Data**, and select the registry item. +1. For **Boolean**, select **Exists**. +1. For **Displayed Scanned Values**, click **Insert** and add the _BLOB_ value from above. +1. Double-click the _new query name_ to verify FCPCA distribution. The results will be similar to these ([Click for a larger version]({{site.baseurl}}/assets/fpki/landesk-results.jpg){:target="_blank"}{:rel="noopener noreferrer"}): + +![Sample Output]({{site.baseurl}}/assets/fpki/landesk-results.jpg){:style="width:504px;"} + +### Use Microsoft Certificate Manager + +1. Open _Microsoft Certificate Manager_:**Start**; then type **certlm.msc** and press **Enter**. +2. Go to **Trusted Root Certification Authorities** > **Certificates**. To see whether FCPCAG2 was successfully distributed, look for _Federal Common Policy CA G2_ shown with **Intended Purposes** of _ALL_ and a **Friendly Name** of _None_, as shown here ([Click for a larger version]({{site.baseurl}}/assets/fpki/verify_trust.png){:target="_blank"}{:rel="noopener noreferrer"}): + +![Trusted Root CA Certificates List]({{site.baseurl}}/assets/fpki/verify_trust.png){:style="width:504px;"} + +***Optional:*** + +1. Open _Microsoft Certificate Manager_: **Start**; then type **certlm.msc** and press **Enter**. +1. Select **Trusted Root Certification Authorities** from the left side panel, then select **View** > **Options**. +1. In the **View Options** box, select the **Physical certificate stores** checkbox. +1. On the left side panel, click the **>** icon next to **Trusted Root Certification Authorities** to see the subdirectories. +1. Verify the distribution of FCPCA: + - For Certutil-distributed copies of FCPCAG2, click **Enterprise** > **Certificates**. 
*FCPCAG2 should appear in the certificates list.* + - For GPO-distributed copies of FCPCA, click **Group Policy** > **Certificates**. *FCPCAG2 should appear in the certificates list.* + +### Use Microsoft Registry Editor + +1. Verify that FCPCAG2 has been distributed to a specific workstation or device:open the _Microsoft Registry Editor_:**Start**; type **regedit.exe** and press **Enter**. +2. The following registry keys will appear for GPO- or Certutil-distributed copies of FCPCAG2: + +#### GPO-distributed FCPCA + +``` bash +HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028\ +HKLM:\SOFTWARE\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028\ +``` + +#### Certutil-distributed FCPCA + +``` bash +HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028\ +HKLM:\SOFTWARE\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates\99b4251e2eee05d8292e8397a90165293d116028\ +``` + +--- + +## Verifying - macOS + +### Use Keychain Access + +1. Click the **Spotlight** icon and search for _Keychain Access_. +1. Double-click the **Keychain Access** icon. +1. Ensure that an entry for FCPCA exists in the **login** or **System** Keychain Certificates repository. [Click for a larger version]({{site.baseurl}}/assets/fpki/verify_common_macOS.png){:target="_blank"}{:rel="noopener noreferrer"} + +![Verify Common on MacOS]({{site.baseurl}}/assets/fpki/verify_common_macOS.png){:style="width:476px;"} + +--- + +## Verifying - iOS + +### Use Settings + +1. Select **Settings** > **About** > **Certificate Trust Settings**. +1. Verify that _Federal Common Policy CA G2_ has full trust enabled. + +![iOS full trust]({{site.baseurl}}/assets/fpki/ios_full_trust-g2.jpg){:style="width:300px;"} + +--- + +## Verifying - Linux and Unix + +### Use the Command Line + +1. Launch the command line. + +2. 
Run the following command to verify the Federal Common Policy CA G2 has an entry in the system's trust list: + +``` bash + trust list | grep "Federal Common Policy CA" +``` + +Next, distribute the FCPCA certificate to application trust stores. + +# Step 4 - Distribute to applications + +Many, but not all, software applications leverage the underlying operating system [trust store]({{site.baseurl}}/university/fpki#fpki-third-party-trust) to verify whether a certificate should be trusted. + +Collaborate across agency teams to identify applications that rely on custom trust stores to ensure distribution of the Federal Common Policy CA G2 (FCPCAG2) certificate. + +**Example applications with custom trust stores:** + +- Java and all Java-based applications (for example, Apache Tomcat) +- Mozilla products (for example, [Firefox](#how-do-i-configure-the-firefox-web-browser-to-trust-the-new-federal-common-policy-ca) or Thunderbird) +- OpenSSL-based applications (for example, Apache HTTP Server or Nginx) + +Next, determine if you need to distribute the CA certificates issued by the FCPCAG2 root certificate. + +# Step 5 - Distribute intermediate certificates + +{% include alert-success.html content="**Depending on agency configurations, you might need to distribute these certificates to systems and applications**. This page will help you understand [when to distribute the intermediate CA certificates](#do-i-need-to-distribute-the-intermediate-ca-certificates), [which certificates to distribute](#which-certificates-do-i-need-to-distribute), and [recommended solutions](#how-do-i-distribute-the-intermediate-ca-certificates). This page also lists [intermediate CA certificate details](#certificates-issued-by-the-federal-common-policy-ca), including download locations." %} + +## Do I Need to Distribute the Intermediate CA Certificates? 
+ +### Operating Systems + +You might need to distribute the [intermediate CA certificates issued by the FCPCA root certificate](#certificates-issued-by-the-federal-common-policy-ca), depending upon your enterprise operating systems' type and configuration. + +- **Microsoft Windows**: Intermediate CA certificate distribution is **recommended**. + - Typically, Windows clients are able to dynamically build paths to a trusted root CA certificate through Microsoft's Certificate Chaining Engine (CCE). + - Distributing the intermediate CA certificates improves system performance and prioritizes use of the FCPCAG2 root certificate. + - There are instances where dynamic validation can fail, for example, when firewall rules prevent Microsoft from navigating to a certificate's Authority Information Access extension Uniform Resource Locator. Email us at with any questions or issues. + +- **macOS or iOS**: Intermediate CA certificate distribution is **required**. + +- **Linux or Unix**: Intermediate CA certificate distribution is **required**. + +### Applications + +Many, but not all, software applications leverage the underlying operating system trust store to verify whether a certificate should be trusted. + +Collaborate across agency teams to identify applications that rely on custom trust stores to ensure distribution of the intermediate CA certificates issued by the FCPCAG2 root certificate. + +Example applications with custom trust stores that may require intermediate CA certificate installation: + +- Java and all Java-based applications (for example, Apache Tomcat) +- Mozilla products (for example, Firefox or Thunderbird) +- OpenSSL-based applications (for example, Apache HTTP Server or Nginx) + +## Which Certificates Do I Need to Distribute? + +Identify which, if any, of the intermediate CA certificates issued by the Federal Common Policy CA G2 are currently being distributed across your agency. 
+ +A recommended starting point would be to replicate the existing configuration for CA certificates issued by the Federal Common Policy CA, instead of distributing the new certificates issued by the Federal Common Policy CA G2. + +If you're not sure which [intermediate CA certificates issued by the FCPCA](#certificates-issued-by-the-federal-common-policy-ca) you need to distribute, consider distributing all of them or email us for help at . + +## How Do I Distribute the Intermediate CA Certificates? + +Recommended solutions for distributing intermediate CA certificates are listed below. + +### Use Microsoft Group Policy Object + +{% include alert-warning.html content="You must have enterprise administrator privileges for the domain to use these procedures. You must run the commands from an agency domain controller." %} + +1. Navigate to **Server Manager**. +1. Select **Tools**. +1. Select **Group Policy Management** from the drop-down list. +1. Right-click your desired domain(s), and select **Create a GPO in this domain, and Link it here**. +1. Enter a GPO **Name** and click **OK**. +1. Right-click the newly created GPO and click **Edit**. +1. Navigate to **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies**. +1. Right-click **Intermediate Certification Authorities**, and select **Import**. +1. The Certificate Import Wizard appears +1. Browse to and select the certificates [issued by the FCPCA](#certificates-issued-by-the-federal-common-policy-ca) that you want to distribute. +1. Verify that the target **Certificate Store** presents **Intermediate Certification Authorities**, and select **Next**. +1. Select **Finish** to complete the import. +1. A success message appears. +1. Close the **Group Policy Management** window. +1. Wait for clients to consume the new policy. +1. 
(_Optional_) To force client consumption, click **Start**, type **cmd**, press **Enter**, and run the following command: + + ```bash + gpupdate /force + ``` + +### Use Apple Configuration Profile + +{% include alert-warning.html content="Only System or Mobile Device Management (MDM) Administrators should create, distribute, and install Apple configuration profiles." %} + +#### Distribute Intermediate CA certificates with an Apple Configuration Profile + +1. As an administrator, download and verify the certificates [issued by the FCPCA](#certificates-issued-by-the-federal-common-policy-ca) that you want to distribute. +2. Download and install _Configurator 2_ from the Apple App Store. +3. Open _Configurator 2_ and click **File** > **New Profile**. +4. On the **General** tab, enter a unique profile **Name** (for example, _FPKI Intermediate CA Certificate Distribution Profile_) and **Identifier** (for example, _FCPCA-Intermediate-0001_). +5. On the **Certificates** tab, click **Configure**. +6. Browse to and select the certificates you want to distribute. +7. (_Optional_) Add additional agency-specific configurations or customizations. +8. Click **File** > **Save** to save your profile to your preferred location. +9. Follow the steps to [distribute](#distribute-an-apple-configuration-profile) the profile to macOS and iOS devices across your enterprise. + +**Note:**The following video shows you how to create an Apple configuration profile. 
[Click for a larger version]({{site.baseurl}}/assets/fpki/create_profile.gif){:target="_blank"}{:rel="noopener noreferrer"} + +[![The following video shows you how to create an Apple configuration profile.]({{site.baseurl}}/assets/fpki/create_profile.gif){:style="width:85%;"}]({{site.baseurl}}/assets/fpki/create_profile.gif){:target="_blank"}{:rel="noopener noreferrer"} + +### Use Linux Command Line + +The steps to distribute an intermediate CA certificate are the same as the steps to distribute a [root CA certificate](#linux-and-unix-solutions). + +--- + +### Certificates Issued By the Federal Common Policy CA + +The following certificates are published in the Federal Common Policy CA certificate's Subject Information Access extension bundle located at . + +- [Issued to: Federal Bridge CA G4](#issued-to-federal-bridge-ca-g4) +- [Issued to: U.S. Department of State AD Root CA](#issued-to-us-department-of-state-ad-root-ca) +- [Issued to: US Treasury Root CA](#issued-to-us-treasury-root-ca) +- [Issued to: DigiCert Federal SSP Intermediate CA - G5](#issued-to-digicert-federal-ssp-intermediate-ca---g5) +- [Issued to: Symantec SSP Intermediate CA - G4](#issued-to-symantec-ssp-intermediate-ca---g4) +- [Issued to: Entrust Managed Services Root CA](#issued-to-entrust-managed-services-root-ca) +- [Issued to: Verizon SSP CA A2](#issued-to-verizon-ssp-ca-a2) +- [Issued to: ORC SSP 4](#issued-to-orc-ssp-4) +- [Issued to: WidePoint ORC SSP CA 5](#issued-to-widepoint-orc-ssp-ca-5) +- [Issued to: WidePoint SSP Intermediate CA](#issued-to-widepoint-ssp-intermediate-ca) + +{% include alert-warning.html content="**Important!** To ensure PIV credentials are accepted by systems that are unable to perform dynamic path validation, you'll need to distribute additional intermediate CA certificates. Learn more on our [Frequently Asked Questions](#frequently-asked-questions) page." 
%} + +#### Issued to: Federal Bridge CA G4 + +| Certificate Attribute | Value | +| :-------- | :-------- | +| Distinguished Name | CN=Federal Bridge CA G4, OU=FPKI, O=U.S. Government, C=US | +| Validity | October 15, 2020 to December 6, 2029 | +| Serial Number | 234200beaa6dada658f53b403f418295290cae82 | +| SHA-1 Thumbprint | 97db351e069964297a82040eb760c9cc1d74ba33 | +| SHA-256 Thumbprint | 74383CA1BB648F96EFE9E6ECADB5A8A359E7DF9BA262EF7C02BD004EAB3895F4 | +| Download Location | Click [here]({{site.baseurl}}/implement/certs/federal_bridge_ca_g4.cer)| + +#### Issued to: U.S. Department of State AD Root CA + +| Certificate Attribute | Value | +| :-------- | :-------- | +| Distinguished Name | CN=U.S. Department of State AD Root CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=state, DC=sbu | +| Validity | November 18, 2020 to November 18, 2023 | +| Serial Number | 27634fd321cbfd8c7efc0aeb02876f63da4c0c09 | +| SHA-1 Thumbprint | 9b3849f7047964a6654988054956e478ccb75ded | +| SHA-256 Thumbprint | 9744734dbd34f28d3c87a9094387388e7623a272437c612e88d251138c1db93c | +| Download Location | Click [here]({{site.baseurl}}/implement/certs/US_Department_of_State_AD_Root_CA.cer)| + +#### Issued to: US Treasury Root CA + +| Certificate Attribute | Value | +| :-------- | :-------- | +| Distinguished Name | OU=US Treasury Root CA, OU=Certification Authorities, OU=Department of the Treasury, O=U.S. 
Government, C=US | +| Validity | April 6, 2022 to April 6, 2025 | +| Serial Number | 279f09737fe5dd3d7534be0ea51aff9dc4018501 | +| SHA-1 Thumbprint | 52de6628d8c70a9df9e1df94fcd84728b33c05ec | +| SHA-256 Thumbprint | ed40cc2e18e224f1c8dc6d0786559576517139be777153cd9f8ad2d215a9be79 | +| Download Location | Click [here]({{site.baseurl}}/implement/certs/US_Treasury_Root_CA.cer)| + +#### Issued to: DigiCert Federal SSP Intermediate CA - G5 + +| Certificate Attribute | Value | +| :-------- | :-------- | +| Distinguished Name | CN=DigiCert Federal SSP Intermediate CA - G6, O=DigiCert, Inc., C=US | +| Validity | March 16, 2022 to March 16, 2032 | +| Serial Number | 231eb3199085ee8187df5c7a598ef336b356092f | +| SHA-1 Thumbprint | 9aecfbe2de8aea49d220bbf799172c00527fe756 | +| SHA-256 Thumbprint | ea86e0baf55eef020ed58196af865f2fa72a77d1be70a779b65a9cbf0b5ee3f2 | +| Download Location | Click [here]({{site.baseurl}}/implement/certs/DigiCert_Federal_SSP_Intermediate_CA_-_G5.cer)| + +#### Issued to: DigiCert Federal SSP Intermediate CA - G6 + +| Certificate Attribute | Value | +| :-------- | :-------- | +| Distinguished Name | CN=DigiCert Federal SSP Intermediate CA - G5, O=DigiCert, Inc., C=US | +| Validity | November 18, 2020 to December 13, 2028 | +| Serial Number | 24bc168f9ccb30cfcef8f0a58f26f10181869266 | +| SHA-1 Thumbprint | 806b3aa2dbeb6a097bf07920bb77bb1eb9fbb2dd | +| SHA-256 Thumbprint | ac309ffef2da64de1a360c3194b9b78bcdb65dc4863f02c4fa2797f9d71a773b | +| Download Location | Click [here]({{site.baseurl}}/implement/certs/DigiCert_Federal_SSP_Intermediate_CA_-_G6.cer)| + +#### Issued to: Symantec SSP Intermediate CA - G4 + +| Certificate Attribute | Value | +| :-------- | :-------- | +| Distinguished Name | CN=Symantec SSP Intermediate CA - G4, O=Symantec Corporation, C=US | +| Validity | November 18, 2020 to November 12, 2024 | +| Serial Number | 262bd1f025c8af37334545666ea6c9ea946c2c34 | +| SHA-1 Thumbprint | 4c40f62b5c3f13533a8f8a1d44f8b027aaa0fd3d | +| SHA-256 
Thumbprint | 09d3f1a7d2e0be1a8d043fdf5d16bf8bf18e0dff2f397f27b0b8ee962de59de5 | +| Download Location | Click [here]({{site.baseurl}}/implement/certs/Symantec_SSP_Intermediate_CA_-_G4.cer)| + +#### Issued to: Entrust Managed Services Root CA + +| Certificate Attribute | Value | +| :-------- | :-------- | +| Distinguished Name | OU=Entrust Managed Services Root CA, OU=Certification Authorities, O=Entrust, C=US | +| Validity | November 18, 2020 to August 14, 2029 | +| Serial Number | 215e78d99648b021c6394a6566d8e00f46a1e595 | +| SHA-1 Thumbprint | 07f5dc58f83778d5b5738a988292c00a674a0f40 | +| SHA-256 Thumbprint | e3d6b1b33d0a5df0630b32bf17f9fb632b0471a6cac561f164aa6429ef0699a1 | +| Download Location | Click [here]({{site.baseurl}}/implement/certs/Entrust_Managed_Services_Root_CA.cer) | + +#### Issued to: Verizon SSP CA A2 + +| Certificate Attribute | Value | +| :-------- | :-------- | +| Distinguished Name | CN=Verizon SSP CA A2, OU=SSP, O=Verizon, C=US | +| Validity | November 18, 2020 to December 6, 2026 | +| Serial Number | 25fca834ada24a4455a2db0ff4cef7c411198e3a | +| SHA-1 Thumbprint | b2167fd38ff47bb910d8dcc32fcc3b7b63a09ff7 | +| SHA-256 Thumbprint | 226508d2a1c926a7092218e743ccd01bab8273291feef66941691592fa7c12b8 | +| Download Location | Click [here]({{site.baseurl}}/implement/certs/Verizon_SSP_CA_A2.cer)| + +#### Issued to: ORC SSP 4 + +| Certificate Attribute | Value | +| :-------- | :-------- | +| Distinguished Name | CN=ORC SSP 4, O=ORC PKI, C=US | +| Validity | November 18, 2020 to January 21, 2024 | +| Serial Number | 20a0e513367881559a5e7d20d35fa7c6739a42ab | +| SHA-1 Thumbprint | 3e6610b03daca9fa07e1093b60ccb8927c42d83b | +| SHA-256 Thumbprint | 7cd7f21d04beb99d9f833be8697138e3ad4e11313897ee573c066132d21ab5f8 | +| Download Location | Click [here]({{site.baseurl}}/implement/certs/ORC_SSP_4.cer)| + +#### Issued to: WidePoint ORC SSP CA 5 + +| Certificate Attribute | Value | +| :-------- | :-------- | +| Distinguished Name | CN=WidePoint ORC SSP 5, O=ORC 
PKI, C=US | +| Validity | November 19, 2020 to November 5, 2030 | +| Serial Number | 210b3f17db750e616eb25f3f0b4933e5a98c449b | +| SHA-1 Thumbprint | 80f4731a60fd5f2eb0468d0629310daa50ad210d | +| SHA-256 Thumbprint | 70200179049bdc8cbe94b4880730609489f324f2a770477f7c1859401e644c72 | +| Download Location | Click [here]({{site.baseurl}}/implement/certs/WidePoint_ORC_SSP_5.cer)| + +#### Issued to: WidePoint SSP Intermediate CA + +| Certificate Attribute | Value | +| :-------- | :-------- | +| Distinguished Name | CN=WidePoint SSP Intermediate CA, O=ORC PKI, C=US | +| Validity | April 3, 2023 to March 15, 2033 | +| Serial Number | 28f49a629440b3fdf097ac0fd46dbd9735379187 | +| SHA-1 Thumbprint | eef5180a852b044483a138bcb30ad9548463e09b | +| SHA-256 Thumbprint | edf21e73d9114477a4a4824c93414b4ec67825604575041a33ce24f0df01f66f | +| Download Location | Click [here]({{site.baseurl}}/implement/certs/WidePoint_SSP_Intermediate_CA.cer)| + +### Certificates issued to the Federal Common Policy CA + +Distrusting the certificate below will prevent workstations from building a path from the Federal Common Policy CA, through the Federal Bridge CA G4, to the Federal Common Policy CA or any other root. + +#### Issued by: Federal Bridge CA G4 + +| Certificate Attribute | Value | +| :-------- | :-------- | +| Distinguished Name | CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US | +| Validity | October 15, 2020 to December 6, 2029 | +| Serial Number | 129217e6c9126fd816babe02d9192ae2b519e231 | +| SHA-1 Thumbprint | edf2d373f4c56b5186087300638e3c5660c9a090 | +| SHA-256 Thumbprint | 0b658c27727dfd6cd47e378ae2390ea376d9708ecf4b06775f8ee7bc50119991 | +| Download Location | Click [here]({{site.baseurl}}/implement/certs/Federal_Common_Policy_CA_G2_from_FBCAG4.cer)| + +The easiest way to verify your migration to the Federal Common Policy CA G2 (FCPCAG2) is to validate one of your PIV credential certificates. + +### Verify Migration on Windows + +1. 
Click **Start**, type **certmgr.msc**, and then press **Enter**. +1. Double-click **Personal**, and then **Certificates**. +1. Browse to and select any of the certificates found on your PIV credential (the **Issued To** column displays your name). +1. Double-click the certificate and select the **Certification Path** tab. +1. Verify the certificate chain begins with the **FCPCA** (pictured below). + +**Note:** It's okay if different certification authorities appear below the FCPCAG2 for your certificate. [Click for a larger version]({{site.baseurl}}/assets/fpki/verify-migration-windows.png){:target="_blank"}{:rel="noopener noreferrer"} + +![Verify common migration in Windows]({{site.baseurl}}/assets/fpki/verify-migration-windows.png){:style="width:300px;"} + +### Verify Migration on macOS + +1. Click the **Spotlight** icon and search for _Keychain Access_. +1. Double-click the **Keychain Access** icon to open the application. +1. In the left navigation, click the **Login** keychain. +1. Browse to and select any of the certificates found on your PIV credential (the **Name** column displays your name). +1. Verify the _This certificate is valid_ message appears beneath the certificate details. + +**Note:** It's okay if a different name appears in the keychain access screen. It should show the name of the user that the PIV certificate was issued to. [Click for a larger version]({{site.baseurl}}/assets/fpki/verify-migration-macos.png){:target="_blank"}{:rel="noopener noreferrer"} + +![Verify common migration in macOS]({{site.baseurl}}/assets/fpki/verify-migration-macos.png){:style="width:504px;"} + +# Frequently Asked Questions + +If your question does not appear in this list, send it to FPKI at gsa.gov. + +## What happens if I don’t distribute the FCPCAG2 root certificate in my environment? + +1. **(_High Impact_) Authentication failures** + + - Workstations + - Websites + - Applications (internal and cross-agency) + - Virtual Private Networks (VPNs) + +2. 
**(_Medium Impact_) Error fatigue** + + - Unexpected application errors and system behavior for legacy and government-off-the-shelf (GOTS) products + +3. **(_Low Impact_) Digital signature validation failures** + +- Email +- Documents and files (for example, Microsoft Word) + +## What errors can occur in Windows if I don't distribute the FCPCA root certificate? + +*Sample Chrome error when a user navigates to an intranet site whose SSL/TLS certificate doesn't chain to a trusted root CA:* [Click for a larger version]({{site.baseurl}}/assets/fpki/error_navigation.png){:target="_blank"}{:rel="noopener noreferrer"} + +![An image showing an error navigation message]({{site.baseurl}}/assets/fpki/error_navigation.png){:style="width:504px;"} + +*Sample Chrome error when PIV authentication fails because the user’s certificate doesn't chain to a trusted root CA:* [Click for a larger version]({{site.baseurl}}/assets/fpki/error_piv_auth.png){:target="_blank"}{:rel="noopener noreferrer"} + +![An image showing an error piv authetication message]({{site.baseurl}}/assets/fpki/error_piv_auth.png){:style="width:504px;"} + +*Sample Microsoft Outlook error when a digital signature certificate for an email doesn't chain to a trusted root CA:* [Click for a larger version]({{site.baseurl}}/assets/fpki/error_sig_val.png){:target="_blank"}{:rel="noopener noreferrer"} + +![An image showing a digital signature invalid error messagee]({{site.baseurl}}/assets/fpki/error_sig_val.png){:style="width:381px;"} + +## What errors can occur in macOS if I don't distribute the FCPCA root certificate? 
+ +*Sample Safari error when a user navigates to an intranet site whose SSL/TLS certificate doesn't chain to a trusted root CA:* [Click for a larger version]({{site.baseurl}}/assets/fpki/safari_untrusted_ssl.png){:target="_blank"}{:rel="noopener noreferrer"} + +![An image showing a safari untrusted ssl error message]({{site.baseurl}}/assets/fpki/safari_untrusted_ssl.png){:style="width:504px;"} + +*Sample Safari error where client (PIV) authentication fails because a user’s certificate doesn't chain to a trusted root CA:* [Click for a larger version]({{site.baseurl}}/assets/fpki/safari_untrusted_auth.png){:target="_blank"}{:rel="noopener noreferrer"} + +![An image showing a safari untrusted authentication error message]({{site.baseurl}}/assets/fpki/safari_untrusted_auth.png){:style="width:504px;"} + +*Sample Chrome error when a user navigates to an intranet site whose SSL/TLS certificate doesn't chain to a trusted root CA:* [Click for a larger version]({{site.baseurl}}/assets/fpki/chrome_untrusted_ssl.png){:target="_blank"}{:rel="noopener noreferrer"} + +![An image showing a chrome untrusted ssl error message]({{site.baseurl}}/assets/fpki/chrome_untrusted_ssl.png){:style="width:504px;"} + +*Sample Chrome error where client (PIV) authentication fails because a user’s certificate doesn't chain to a trusted root CA:* [Click for a larger version]({{site.baseurl}}/assets/fpki/chrome_untrusted_auth.png){:target="_blank"}{:rel="noopener noreferrer"} + +![An image showing a chrome untrusted authentication error message]({{site.baseurl}}/assets/fpki/chrome_untrusted_auth.png){:style="width:504px;"} + +## What errors can occur in iOS if I don't distribute the FCPCA root certificate? 
+ +*Sample Safari error when a user navigates to an intranet site whose SSL/TLS certificate doesn't chain to a trusted root CA:* [Click for a larger version]({{site.baseurl}}/assets/fpki/ios_safari_untrusted_ssl.png){:target="_blank"}{:rel="noopener noreferrer"} + +![An image showing ios safari untrusted ssl]({{site.baseurl}}/assets/fpki/ios_safari_untrusted_ssl.png){:style="width:300px;"} + +*Sample Chrome error when a user navigates to an intranet site whose SSL/TLS certificate doesn't chain to a trusted root CA:* [Click for a larger version]({{site.baseurl}}/assets/fpki/ios_chrome_untrusted_ssl.png){:target="_blank"}{:rel="noopener noreferrer"} + +![An image showing ios chrome untrusted ssl]({{site.baseurl}}/assets/fpki/ios_chrome_untrusted_ssl.png){:style="width:300px;"} + +## How can I verify that the FCPCA root certificate has been successfully distributed to my workstation or device? + +Please review the steps to [verify distribution of the FCPCA root certificate](#step-3---verify-operating-system-distribution). + +## Do I need to distribute the FCPCA root certificate to my Bring Your Own Device (BYOD) program device? + +As a BYOD program device user, you'll need to distribute the FCPCAG2 root certificate if you: + +- use your PIV credential to log into intranet sites or VPNs, +- validate PIV digital signatures in emails or documents, or +- navigate to intranet pages whose SSL/TLS certificates chain to the FCPCAG2 root certificate. + +## How do I configure my unmanaged Windows system to trust the new Federal Common Policy CA? + +1. Download a copy of the FCPCA certificate from +1. Download the [bundle of FPKI intermediate CA certificates for unmanaged devices]({{site.baseurl}}/implement/certs/fpki-unmanaged-bundle.p7b) (fpki-unmanaged-bundle.p7b) +1. Update your Trust Store: + - Click **Start**, type **certmgr.msc**, and press **Enter**. 
+ - Right-click **Trusted Root Certification Authorities** (on the left-hand navigation), and select **All Tasks** > **Import**. Click **Next** once the Certificate Import Wizard opens. + - Browse to and select your copy of the FCPCA root certificate. Click **Next** several times until the certificate import process is complete. + - When prompted, verify the certificate thumbprint matches _99B4251E2EEE05D8292E8397A90165293D116028_ (additional spaces may appear depending on your Windows Version). + - Click **Yes**. + - Right-click **Intermediate Certification Authorities** (on the left-hand navigation), and select **All Tasks** > **Import**. Click **Next** once the Certificate Import Wizard opens. + - Browse to and select your copy of fpki-unmanaged-bundle.p7b, making sure "All Files" are presented to view the .p7b file (this appears in a drop-down box next to the "File Name" input box). Click **Next** several times until the certificate import process is complete. + +To verify your distribution (assumes **certmgr.msc** is still open): + +1. Verify an entry for the FCPCAG2 root certificate + - Use the left-hand navigation to browse to **Trusted Root Certification Authorities** > **Certificates** + - Press the **F5** key to refresh the folder contents + - Verify an entry exists for the Federal Common Policy CA (both the **Issued To** and **Issued By** columns will present "Federal Common Policy CA G2".) +1. Verify entries for the intermediate CA certificates issued by the Federal Common Policy CA G2 + - Use the left-hand navigation to browse to **Intermediate Certification Authorities** > **Certificates** + - Press the **F5** key to refresh the folder contents + - Sort the data by clicking on the **Issued By** column + - Verify nine (9) entries for certificates issued by the Federal Common Policy CA G2 + +**Note:** The following video demonstrates the distribution steps outlined above. 
[Click for a larger version]({{site.baseurl}}/assets/fpki/unmanaged-device.gif){:target="_blank"}{:rel="noopener noreferrer"} + +[![configure unmanaged device]({{site.baseurl}}/assets/fpki/unmanaged-device.gif){:style="width:504px;"}]({{site.baseurl}}/assets/fpki/unmanaged-device.gif){:target="_blank"}{:rel="noopener noreferrer"} + +## How do I configure my unmanaged macOS device to trust the new Federal Common Policy CA? + +1. Download a copy of [fpki-unmanaged-bundle.mobileconfig]({{site.baseurl}}/implement/certs/fpki-unmanaged-bundle.mobileconfig) +1. Browse to and double-click on your copy of fpki-unmanaged-bundle.mobileconfig. +1. Navigate to **System Preferences** -> **Profiles** +1. Verify the profile contents and click **Install** (twice) + +**Note:**The following video shows you how to install FCPCAG2 and the intermediate CA certificates using an Apple configuration profile on macOS. [Click for a larger version]({{site.baseurl}}/assets/fpki/macos-unmanaged.gif){:target="_blank"}{:rel="noopener noreferrer"} + +[![A video that shows the steps to install an Apple configuration profile on macOS]({{site.baseurl}}/assets/fpki/macos-unmanaged.gif){:style="width:504px;"}]({{site.baseurl}}/assets/fpki/macos-unmanaged.gif){:target="_blank"}{:rel="noopener noreferrer"} + +## How do I configure my unmanaged iOS device to trust the new Federal Common Policy CA? + +1. Launch **Safari**. +1. Navigate to a copy of the [fpki-unmanaged-bundle.mobileconfig]({{site.baseurl}}/implement/certs/fpki-unmanaged-bundle.mobileconfig) + > System message says: *The website is trying to open Settings to show you a configuration profile. Do you want to allow this?* +1. Click **Allow**. +1. Navigate to **Settings** -> **General** -> **Profile** +1. Select the "Distribute FCPCA and Intermediate CA Certificates" profile +1. Select **More Details** and select the certificate entry for the FCPCAG2 +1. 
Scroll to **Fingerprints** and verify the certificate's SHA-256 hash against the [expected value](#step-1---obtain-and-verify-the-fcpca-root-certificate). +1. At the top left of screen, click **Back** and **Install Profile**. Then, click **Install** (top right). +1. When prompted, enter your device **passcode**. +1. Click **Install** in the upper right corner, and **Install** again. +1. Click **Done**. +1. Enable [full trust for the FCPCA](#enable-full-trust-for-fcpca). + +**Note:**The following video shows you how to install FCPCAG2 and the intermediate CA certificates using the Safari web browser. [Click for a larger version]({{site.baseurl}}/assets/fpki/ios_safari_configuration-unmanaged.gif){:target="_blank"}{:rel="noopener noreferrer"} + +[![A video that shows the steps to install a mobile configuration file in the Safari web browser]({{site.baseurl}}/assets/fpki/ios_safari_configuration-unmanaged.gif){:style="width:300px;"}]({{site.baseurl}}/assets/fpki/ios_safari_configuration-unmanaged.gif){:target="_blank"}{:rel="noopener noreferrer"} + +## How do I configure the Firefox web browser to trust the new Federal Common Policy CA? + +The following steps will allow Firefox to use the underlying operating system trust store. Follow these steps only after distributing the Federal Common Policy CA G2 to your Windows or macOS device. + +1. Open **Firefox**. +1. Enter **about:config** in the address bar and continue to the list of preferences. +1. Set the preference **security.enterprise_roots.enabled** to **true**. +1. Restart **Firefox**. + +**Note:**The following video shows you how to configure the Firefox web browser to trust the certificates included in the operating system trust store. 
[Click for a larger version]({{site.baseurl}}/assets/fpki/configure-firefox.gif){:target="_blank"}{:rel="noopener noreferrer"}
+
+[![A video that shows the steps to configure the Firefox web browser]({{site.baseurl}}/assets/fpki/configure-firefox.gif){:style="width:504px;"}]({{site.baseurl}}/assets/fpki/configure-firefox.gif){:target="_blank"}{:rel="noopener noreferrer"}
diff --git a/_implement/fpki_notifications.md b/_implement/fpki_notifications.md
new file mode 100644
index 000000000..e3234d50b
--- /dev/null
+++ b/_implement/fpki_notifications.md
@@ -0,0 +1,709 @@
+---
+layout: page
+collection: implement
+title: FPKI Ecosystem Changes
+permalink: /fpki/notifications/
+sidenav: implement
+sticky_sidenav: true
+
+subnav:
+ - text: FPKI Announcements
+ href: '#fpki-announcements'
+ - text: FPKI Graph
+ href: '#fpki-graph'
+ - text: PIV Issuer Information
+ href: '#piv-issuer-information'
+ - text: Active Issuing CA Certificate Details
+ href: '#active-issuing-ca-certificate-details'
+ - text: Maintenance Mode Issuing CA Certificate Details
+ href: '#maintenance-mode-issuing-ca-certificate-details'
+ - text: FPKI System Changes and Notifications
+ href: '#fpki-system-changes-and-notifications'
+ - text: Notifications
+ href: '#notifications'
+
+---
+
+This page contains information that is helpful in identifying changes in the Federal PKI. This includes identifying PIV issuing CA and operational changes such as URL endpoints and system outages.
+
+1. [FPKI Announcements](#fpki-announcements) - Hot topics impact the Federal PKI.
+2. [FPKI Graph](#fpki-graph) - The FPKI Graph displays the relationships between the certification authorities in the Federal PKI (FPKI) ecosystem
+3. [PIV Issuer Information](#piv-issuer-information) - List of active PIV issuing CAs with end entity certificate distribution points.
+4. [FPKI System Change and Notification](#notifications) - List of changes to FPKI CA endpoint URL such as Certificate Revocation List Distribution Points, Online Certificate Status Protocol (OCSP) endpoints and other CA certificate activity.
+
+# FPKI Announcements
+
+These announcements and hot topics concern Federal Public Key Infrastructure changes that may affect your agency's operations. Announcements are removed after three years.
+
+
+
+
+
+
+
+
+
+ {% assign announcements = site.fpki.announcements | concat: site.data.fpkiannouncements %}
+ {% for announcement in announcements %}
+ {% if announcement.status == "Active" %}
+
+
+
+
+
+ {% endif %}
+ {% endfor %}
+
+
TitleDateDescription
{{ announcement.title }}{{ announcement.pubDate }}{{ announcement.description }}
+
+# FPKI Graph
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**Last Update**: July 31, 2023
+
+{% include graph.html %}
+
+The FPKI Graph displays the relationships between the certification authorities in the Federal PKI (FPKI) ecosystem. It graphically depicts how each certification authority links to another, through cross-certificates, subordinate certificates, or bridge CAs. **A P7B file of the weekly FPKI Graph run is available [here]({{ site.baseurl }}/implement/tools/CACertificatesValidatingToFederalCommonPolicyG2.p7b).**
+
+The Federal Common Policy Certification Authority (CA) G2 (_"COMMON"_) is shown at the center of the graph, and the rings of dots represent the outbound CAs.
+
+- Click on any dot in the graph to see a CA's inbound and outbound _CA_ certificates.
+- _Inbound_ means the CA certificate is signed by the _Inbound_ CA.
+- _Outbound_ means the CA has signed the _Outbound_ CA certificate.
+- The _Search_ function is on the upper right-hand corner.
+- The _Zoom_ scroll bar is in the upper left-hand corner.
+
+You cannot download the certificates from the graph. To download the certificates, you need to retrieve the certificates from the Authority Information Access (AIA) or Subject Information Access (SIA) URIs. (See below for more information on AIAs and SIAs.)
+
+### How the FPKI Graph Works
+
+The graph uses information published in each CA certificate's AIA and SIA extensions. This is public information:  all CAs in the FPKI are required to publish and maintain their AIA certificate bundles.
+
+All CA and End Entity certificates that have a certificate path (trust chain) to COMMON will have an AIA extension in their public certificates. An AIA extension contains a URI where you can find the certificate(s) used to sign that CA or End Entity certificate.
+
+Most CA certificates will also have an SIA extension with a URI to the CA certificates that have been issued **_by that CA_**.
For example, you can find the SIA for COMMON at http://repo.fpki.gov/fcpca/caCertsIssuedByfcpcag2.p7c.
+
+- To use this SIA, retrieve the file (.p7c) using the link above and open it.
+- You will find a dozen or more certificates that are issued by COMMON (Root) to other intermediate or issuing CAs.
+- The SIA URIs from each of these certificates can then be retrieved to find the next set of signed certificates.
+
+### Acknowledgment
+
+The FPKI Graph was built by using the same tools and code as the [Berkley ICSI SSL Notary](https://www.icsi.berkeley.edu/icsi/node/5065){:target="_blank"}{:rel="noopener noreferrer"}.
+
+# PIV Issuer Information
+
+{% assign branches = "" | split: "" %}
+{% for piv in site.data.fpkicustomers %}
+ {% assign branch = piv.branch | strip %}
+ {% assign branches = branches | push: branch | uniq | sort %}
+{% endfor %}
+{% assign branches = branches | uniq | sort %}
+
+The page lists the certification authorities *currently* used for Personal Identity Verification (PIV), PIV-Interoperable (PIV-I), or Derived PIV (dPIV) authentication certificates for federal government departments and agencies. Agency system administrators can leverage this list to configure systems and services for cross-government trust.
+
+{% include alert-info.html content="This table was last updated on August 2, 2023. Please email fpki at gsa.gov to suggest an update or correction." %}
+
+
+
+
+
+
+
+
+
+
+ {% for branch in branches %}
+
+
+ {% for piv in site.data.fpkicustomers %}
+ {% if piv.branch == branch %}
+
+
+
+ {% endif %}
+ {% endfor %}
+ {% endfor %}
+
+
Department/AgencyPIV Authentication Issuing CA
{{ branch }} Branch
{{ piv.agency }}{{ piv.ca }}
+
+## Active Issuing CA Certificate Details
+These CA certificates are actively issuing PIV , PIV-I and/or Derived PIV authentication certificates.
+
+#### Department of Veterans Affairs CA
+- Subject: OU = Department of Veterans Affairs CA, OU = Certification Authorities, OU = Department of Veterans Affairs, O = U.S. Government, C = US
+- Issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+- Serial #: 633456a0
+- Validity: May 20, 2023 to May 20, 2033
+- SHA-1 Hash: d81577f94652b7a9eb9d0d4602060f7d16492413
+- CRL DP: [http://pki.treas.gov/VA_CA3.crl](http://pki.treas.gov/VA_CA3.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### DHS CA4
+- Subject: OU = DHS CA4, OU = Certification Authorities, OU = Department of Homeland Security, O = U.S. Government, C = US
+- Issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+- Serial #: 63345616
+- Validity: April 29, 2023 to April 29, 2033
+- SHA-1 Hash: d8624442ccc91753aca89698f2cbcdf59f32d3f1
+- CRL DP: [http://pki.treas.gov/DHS_CA4.crl](http://pki.treas.gov/DHS_CA4.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### DoD Issuing CAs
+**DoD DERILITY CA-1**
+- Subject: CN = DOD DERILITY CA-1, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Issuer: CN = DoD Root CA 3, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Serial #: 04c2
+- Validity: January 19, 2021 to January 20, 2027
+- SHA-1 Hash: 6b250683b996e2581696f499061b5581a7867c89
+- CRL DP: [http://crl.disa.mil/crl/DODDERILITYCA_1.crl](http://crl.disa.mil/crl/DODDERILITYCA_1.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+**DoD ID CA-73 (Not Yet Operational)**
+- Subject: CN = DOD ID CA-73, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Issuer: CN = DoD Root CA 6, OU = PKI, OU = DoD, O = U.S.
Government, C = US
+- Serial #: 49
+- Validity: May 16, 2023 to May 15, 2029
+- SHA-1 Hash: ce68b25fa532d959935aeb2c29e1358531903535
+- CRL DP: [http://crl.disa.mil/crl/DODIDCA_70.crl](http://crl.disa.mil/crl/DODIDCA_70.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+**DoD ID CA-72 (Not Yet Operational)**
+- Subject: CN = DOD ID CA-72, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Issuer: CN = DoD Root CA 6, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Serial #: 48
+- Validity: May 16, 2023 to May 15, 2029
+- SHA-1 Hash: ce68b25fa532d959935aeb2c29e1358531903535
+- CRL DP: [http://crl.disa.mil/crl/DODIDCA_72.crl](http://crl.disa.mil/crl/DODIDCA_72.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+**DoD ID CA-70 (Not Yet Operational)**
+- Subject: CN = DOD ID CA-70, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Issuer: CN = DoD Root CA 6, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Serial #: 47
+- Validity: May 16, 2023 to May 15, 2029
+- SHA-1 Hash: 6005f7e39bd475ce11dd4b74bc85b9c7182b9a53
+- CRL DP: [http://crl.disa.mil/crl/DODIDCA_70.crl](http://crl.disa.mil/crl/DODIDCA_70.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+**DoD ID CA-71**
+- Subject: CN = DOD ID CA-71, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Issuer: CN = DoD Root CA 3, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Serial #: 070c
+- Validity: December 6, 2022 to December 6, 2028
+- SHA-1 Hash: d398c9f709ea787f46afb2b31cbd964628afa3d4
+- CRL DP: [http://crl.disa.mil/crl/DODIDCA_71.crl](http://crl.disa.mil/crl/DODIDCA_71.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+**DoD ID CA-65**
+- Subject: CN = DOD ID CA-65, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Issuer: CN = DoD Root CA 3, OU = PKI, OU = DoD, O = U.S.
Government, C = US
+- Serial #: 054c
+- Validity: June 1, 2021 to June 2, 2027
+- SHA-1 Hash: 2838d25ae351654a094f00348f4bd0ea3178d871
+- CRL DP: [http://crl.disa.mil/crl/DODIDCA_65.crl](http://crl.disa.mil/crl/DODIDCA_65.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+**DoD ID CA-64**
+- Subject: CN = DOD ID CA-64, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Issuer: CN = DoD Root CA 3, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Serial #: 054b
+- Validity: June 1, 2021 to June 2, 2027
+- SHA-1 Hash: d9991bd1e89ae5a8b1143c3c37f01103779b8db7
+- CRL DP: [http://crl.disa.mil/crl/DODIDCA_64.crl](http://crl.disa.mil/crl/DODIDCA_64.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+**DoD ID CA-63**
+- Subject: CN = DOD ID CA-63, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Issuer: CN = DoD Root CA 3, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Serial #: 050f
+- Validity: April 6, 2021 to April 7, 2027
+- SHA-1 Hash: 67b75160bd8299e2342f46cc8ac634b2afb33768
+- CRL DP: [http://crl.disa.mil/crl/DODIDCA_63.crl](http://crl.disa.mil/crl/DODIDCA_63.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+**DoD ID CA-62**
+- Subject: CN = DOD ID CA-63, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Issuer: CN = DoD Root CA 3, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Serial #: 054a
+- Validity: April 6, 2021 to April 7, 2027
+- SHA-1 Hash: 14f4cfd8364412a6a27e5bba82c5342ff9b337a7
+- CRL DP: [http://crl.disa.mil/crl/DODIDCA_62.crl](http://crl.disa.mil/crl/DODIDCA_62.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+**DoD ID CA-59**
+- Subject: CN = DOD ID CA-59, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Issuer: CN = DoD Root CA 3, OU = PKI, OU = DoD, O = U.S.
Government, C = US
+- Serial #: 0305
+- Validity: April 2, 2019 to April 2, 2025
+- SHA-1 Hash: 1907fc2b223ee0301b45745bdb59aad90fe7c5d7
+- CRL DP: [http://crl.disa.mil/crl/DODIDCA_59.crl](http://crl.disa.mil/crl/DODIDCA_59.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Entrust NFI Medium Assurance SSP CA
+- Subject: OU = Entrust NFI Medium Assurance SSP CA, OU = Certification Authorities, O = Entrust, C = US
+- Issuer: OU = Entrust Managed Services NFI Root CA, OU = Certification Authorities, O = Entrust, C = US
+- Serial #: 4aa96994
+- Validity: October 12, 2021 to September 12, 2030
+- SHA-1 Hash: 31ef454001a9162cbc0498866f8d49070b799191
+- CRL DP: [http://nfimediumsspweb.managed.entrust.com/CRLs/NFIMEDIUMSSPCA2.crl](http://nfimediumsspweb.managed.entrust.com/CRLs/NFIMEDIUMSSPCA2.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Entrust NFI Medium Assurance SSP CA
+- Subject: OU = Entrust NFI Medium Assurance SSP CA, OU = Certification Authorities, O = Entrust, C = US
+- Issuer: OU = Entrust Managed Services NFI Root CA, OU = Certification Authorities, O = Entrust, C = US
+- Serial #: 4aa8b9ea
+- Validity: May 16, 2017 to November 16, 2027
+- SHA-1 Hash: 4b8818edc75e6983904ee71513c85e165f2d897c
+- CRL DP: [http://nfimediumsspweb.managed.entrust.com/CRLs/NFIMEDIUMSSPCA1.crl](http://nfimediumsspweb.managed.entrust.com/CRLs/NFIMEDIUMSSPCA1.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Entrust Managed Services SSP CA
+- Subject: OU = Entrust Managed Services SSP CA, OU = Certification Authorities, O = Entrust, C = US
+- Issuer: OU = Entrust Managed Services Root CA, OU = Certification Authorities, O = Entrust, C = US
+- Serial #: 448107b6
+- Validity: August 13, 2019 to July 13, 2029
+- SHA-1 Hash: 722e8abbe6b66e47d1bcec3c7ec47aa5bbe4d3c5
+- CRL DP: [http://sspweb.managed.entrust.com/CRLs/EMSSSPCA3.crl](http://sspweb.managed.entrust.com/CRLs/EMSSSPCA3.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Entrust Derived
Credential SSP CA
+- Subject: OU = Entrust Derived Credential SSP CA, OU = Certification Authorities, O = Entrust, C = US
+- Issuer: OU = Entrust Managed Services Root CA, OU = Certification Authorities, O = Entrust, C = US
+- Serial #: 44817ba9
+- Validity: May 9, 2022 to July 9, 2029
+- SHA-1 Hash: b3ddc2d8bc6c88883ef4c292a1175b1a267e7c23
+- CRL DP: [http://feddcsweb.managed.entrust.com/CRLs/FedDCSCA1.crl](http://feddcsweb.managed.entrust.com/CRLs/FedDCSCA1.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### FTI Certification Authority
+- Subject: OU = FTI Certification Authority, OU = FTI PKI Trust Infrastructure, O = Foundation for Trusted Identity, C = US
+- Issuer: OU = STRAC Bridge Root Certification Authority, OU = STRAC PKI Trust Infrastructure, O = STRAC, C = US
+- Serial #: 0141
+- Validity: January 7, 2023 to January 6, 2026
+- SHA-1 Hash: cbbc028fae9da429e1b34a4ccadd9cd815b40d9c
+- CRL DP: [http://pki.fti.org/fti_ca/crl/FTICA.crl](http://pki.fti.org/fti_ca/crl/FTICA.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### HHS-FPKI-Intermediate-CA-E1
+- Subject: CN = HHS-FPKI-Intermediate-CA-E1, OU = Certification Authorities, OU = HHS, O = U.S. Government, C = US
+- Issuer: OU = Entrust Managed Services Root CA, OU = Certification Authorities, O = Entrust, C = US
+- Serial #: 44817282
+- Validity: February 23, 2022 to July 23, 2029
+- SHA-1 Hash: 492a40e6477eed5c39a58c24d6f3d5bffb0e1083
+- CRL DP: [http://hhspkicrl.managed.entrust.com/CRLs/HHSEntrustCA2.crl](http://hhspkicrl.managed.entrust.com/CRLs/HHSEntrustCA2.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### NASA Operational CA
+- Subject: OU = NASA Operational CA, OU = Certification Authorities, OU = NASA, O = U.S. Government, C = US
+- Issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S.
Government, C = US
+- Serial #: 6334559d
+- Validity: April 8, 2023 to April 8 2033
+- SHA-1 Hash: 67ddd6f4be3b69568f591bf999db2ef3085f7c5b
+- CRL DP: [https://pki.treas.gov/NASA_Operational_CA5.crl](https://pki.treas.gov/NASA_Operational_CA5.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Naval Reactors SSP Agency CA G3
+- Subject: CN = Naval Reactors SSP Agency CA G3, OU = U.S. Department of Energy, O = U.S. Government, C = US
+- Issuer: CN = Symantec SSP Intermediate CA - G4, O = Symantec Corporation, C = US
+- Serial #: 18876cd9ffd738ab7e69350ecc9d41f8
+- Validity: December 9, 2015 to November 11, 2024
+- SHA-1 Hash: 50e722c3b05485b216bbc02eb1628e2593a5565d
+- CRL DP: [http://onsite-crl.pki.digicert.com/USDepartmentofEnergyNavalReactorsPIVG3/LatestCRL.crl](http://onsite-crl.pki.digicert.com/USDepartmentofEnergyNavalReactorsPIVG3/LatestCRL.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### NRC SSP Agency CA G4
+- Subject: CN = NRC SSP Agency CA G4, OU = U.S. Nuclear Regulatory Commission, O = U.S. Government, C = US
+- Issuer: CN = DigiCert Federal SSP Intermediate CA - G5, O = DigiCert, Inc., C = US
+- Serial #: 3a905c654791b26551e3b7077f27aa33
+- Validity: December 17, 2018 to December 12, 2028
+- SHA-1 Hash: 1a03581dcf159d206accd7bdd176c788a0862353
+- CRL DP: [http://pki-crl.symauth.com/ca_23580f2ce24946eab1793386d8e1b510/LatestCRL.crl](http://pki-crl.symauth.com/ca_23580f2ce24946eab1793386d8e1b510/LatestCRL.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### NRC PROD G6 Fed SSP CA
+- Subject: CN = NRC SSP Agency CA G4, OU = U.S. Nuclear Regulatory Commission, O = U.S.
Government, C = US
+- Issuer: CN = DigiCert Federal SSP Intermediate CA - G5, O = DigiCert, Inc., C = US
+- Serial #: 55C7AC031A83BEF41BAA8A73A68BC0CE
+- Validity: April 12, 2022 to March 15, 2032
+- SHA-1 Hash: 1F060CE528BDDFB3B429B7C76EEEB0F8B0FBC60A
+- CRL DP: [http://pki-crl.symauth.com/ca_ce00affea217ea042db01becf36671a4/LatestCRL.crl](http://pki-crl.symauth.com/ca_ce00affea217ea042db01becf36671a4/LatestCRL.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### ORC SSP 4
+- Subject: CN = ORC SSP 4, O = ORC PKI, C = US
+- Issuer: CN = Federal Common Policy CA, OU = FPKI, O = U.S. Government, C = US
+- Serial #: 2ef9
+- Validity: August 31, 2015 to January 21, 2024
+- SHA-1 Hash: 3a70323069a4c41bc95663152e9ccc7111bb0623
+- CRL DP: [http://crl-server.orc.com/CRLs/ORCSSP4.crl](http://crl-server.orc.com/CRLs/ORCSSP4.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Senate PIV-I CA G5 PROD
+- Subject: CN = Senate PIV-I CA G5 PROD, OU = Office of the Sergeant at Arms, OU = U.S. Senate, O = U.S. Government, C = US
+- Issuer: CN = DigiCert Class 3 SSP Intermediate CA - G4, O = DigiCert, Inc., C = US
+- Serial #: 2eec611f22944f9d462a5a8bbee06485
+- Validity: March 24, 2021 to August 18, 2030
+- SHA-1 Hash: 816a2c18db2e5673205d17a98d0fffef8bf4777e
+- CRL DP: [http://pki-crl.symauth.com/ca_fc26996dc726cf860f12aa77d4270098/LatestCRL.crl](http://pki-crl.symauth.com/ca_fc26996dc726cf860f12aa77d4270098/LatestCRL.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Senate PIV-I CA G6
+- Subject: CN = Senate PIV-I CA G5 PROD, OU = Office of the Sergeant at Arms, OU = U.S. Senate, O = U.S.
Government, C = US
+- Issuer: CN = WidePoint NFI Root 2, OU = Certification Authorities, O = WidePoint, C = US
+- Serial #: 68b3a082d2817ab76183e371219642aa20e7816a
+- Validity: April 25, 2023 to December 31, 2030
+- SHA-1 Hash: 1d946c2a1724ed576e436604f02dbfc3f2dccff0
+- CRL DP: [http://crl-server.orc.com/CRLs/SenatePIVICAG6.crl](http://crl-server.orc.com/CRLs/SenatePIVICAG6.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Social Security Administration Certification Authority
+- Subject: OU = Social Security Administration Certification Authority, OU = SSA, O = U.S. Government, C = US
+- Issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+- Serial #: 6334553a
+- Validity: March 4, 2023 to March 4, 2033
+- SHA-1 Hash: 533f881329d791d5a197d4dd71bafae6f7222733
+- CRL DP: [https://pki.treas.gov/SSA_CA4.crl](https://pki.treas.gov/SSA_CA4.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Treasury OCIO CA
+- Subject: OU = OCIO CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+- Issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+- Serial #: 6334565d
+- Validity: Mau 20, 2023 to May 20, 2033
+- SHA-1 Hash: 3f3a62c0d4b5a2d70054ea7de33c9a691937ec02
+- CRL DP: [https://pki.treas.gov/OCIO_CA6.crl](https://pki.treas.gov/OCIO_CA6.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### U.S. Department of Education Agency CA - G5
+- Subject: CN = U.S. Department of Education Agency CA - G5, OU = U.S. Department of Education, O = U.S.
Government, C = US
+- Issuer: CN = DigiCert Federal SSP Intermediate CA - G5, O = DigiCert, Inc., C = US
+- Serial #: 5C23B98A6FF5F543B2768F6D19556C4C
+- Validity: June 9, 2020 to December 12, 2028
+- SHA-1 Hash: 6F48424AE8A01C2A77213A9D34F5761DAACD9EAC
+- CRL DP: [http://pki-crl.symauth.com/ca_db1ff205d5a9b79af46c7896d15cb2a9/LatestCRL.crl](http://pki-crl.symauth.com/ca_db1ff205d5a9b79af46c7896d15cb2a9/LatestCRL.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### U.S. Department of State PIV CA2
+- Subject: OU = U.S. Department of State PIV CA2, OU = Certification Authorities, OU = PIV, OU = Department of State, O = U.S. Government, C = US
+- Issuer: CN = U.S. Department of State AD Root CA, CN = AIA, CN = Public Key Services, CN = Services, CN = Configuration, DC = state, DC = sbu,
+- Serial #: 51b0b97f
+- Validity: January 24, 2020 to January 24, 2030
+- SHA-1 Hash: 68A4E9AB7A1FB8FB85316A770FF9CA874C020724
+- CRL DP: [http://crls.pki.state.gov/crls/DoSADPKIPIVCA2-1.crl](http://crls.pki.state.gov/crls/DoSADPKIPIVCA2-1.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### U.S. Department of Transportation Agency CA G5
+- Subject: CN = U.S. Department of Transportation CA G5, OU = U.S. Department of Transportation, O = U.S. Government, C = US
+- Issuer: CN = DigiCert Federal SSP Intermediate CA - G5, O = DigiCert, Inc., C = US
+- Serial #: 0ed81c303ea3566787faca36899a931a
+- Validity: March 4, 2019 to December 12, 2028
+- SHA-1 Hash: b1d05e5b9e025ea4b3b3e30dc3f45a19f9ec51f6
+- CRL DP: [http://onsite-crl.pki.digicert.com/USDepartmentofTransportationFAAPIVG5/LatestCRL.crl](http://onsite-crl.pki.digicert.com/USDepartmentofTransportationFAAPIVG5/LatestCRL.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### U.S. Department of Transportation Agency CA G6
+- Subject: CN = U.S. Department of Transportation CA G6, OU = U.S. Department of Transportation, O = U.S.
Government, C = US
+- Issuer: CN = WidePoint SSP Intermediate CA, O = ORC PKI, C = US
+- Serial #: 309b986d8a7fb52a7ea7dc858693c5e06e7ae33a
+- Validity: May 4, 2023 to April 7, 2033
+- SHA-1 Hash: 7b6dcb34ab284ec897f0ffe1a2f8f95082f09c74
+- CRL DP: [http://crl-server.orc.com/CRLs/DoTAgencyCAG6.crl](http://crl-server.orc.com/CRLs/DoTAgencyCAG6.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### USPTO INTR CA1
+- Subject: CN = USPTO_INTR_CA1, CN = AIA, CN = Public Key Services, CN = Services, CN = Configuration, DC = uspto, DC = gov
+- Issuer: CN = USPTO_INTR_CA1, CN = AIA, CN = Public Key Services, CN = Services, CN = Configuration, DC = uspto, DC = gov
+- Serial #: 4c296f47
+- Validity: April 7, 2018 to December 7, 2029
+- SHA-1 Hash: bc67b9e65ee05c3742c27187259ded3e6112a587
+- CRL DP: [http://ipki.uspto.gov/IPKI/CRLs/CombinedCRL3.crl](http://ipki.uspto.gov/IPKI/CRLs/CombinedCRL3.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Veterans Affairs User CA B1
+- Subject: CN = Veterans Affairs User CA B1, OU = PKI, OU = Services, DC = va, DC = gov
+- Issuer: CN = Verizon SSP CA A2, OU = SSP, O = Verizon, C = US
+- Serial #: 251ea36536cfebb0e9d1334d0cb96102bab16589
+- Validity: January 25, 2017 to January 25, 2027
+- SHA-1 Hash: 671461948b8ef765fe5e1248222af3fcdd457564
+- CRL DP: [http://crl.pki.va.gov/PKI/CRL/VET-SSP-CA-B1.crl](http://crl.pki.va.gov/PKI/CRL/VET-SSP-CA-B1.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Veterans Affairs CA B3
+- Subject: CN = Veterans Affairs CA B3, OU = PKI, OU = Services, DC = va, DC = gov
+- Issuer: CN = Verizon SSP CA A2, OU = SSP, O = Verizon, C = US
+- Serial #: 5ecb874a1b24b1113848e40e76dc3ea4449624fe
+- Validity: December 15, 2017 to December 15, 2027
+- SHA-1 Hash: fddb25c3cda647fd56954b58de95878422fb9c11
+- CRL DP: [http://crl.pki.va.gov/PKI/CRL/VACAB3.crl](http://crl.pki.va.gov/PKI/CRL/VACAB3.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### WidePoint ORC NFI 4
+- Subject: CN = WidePoint ORC
NFI 4, OU = Certification Authorities, O = WidePoint, C = US
+- Issuer: CN = WidePoint NFI Root 2, OU = Certification Authorities, O = WidePoint, C = US
+- Serial #: 3581750bd6e26757bcb9e0a4513da84946587ebf
+- Validity: February 18, 2020 to February 18, 2030
+- SHA-1 Hash: 5a95aea990a7aec492134a5b437cf3324f260793
+- CRL DP: [http://crl.xca.xpki.com/CRLs/XTec_PIVI_CA1.crl](http://crl.xca.xpki.com/CRLs/XTec_PIVI_CA1.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### WidePoint ORC SSP 5
+- Subject: CN = WidePoint ORC SSP 5, O = ORC PKI, C = US
+- Issuer: CN = Federal Common Policy CA G2, OU = FPKI, O = U.S. Government, C = US
+- Serial #: 210b3f17db750e616eb25f3f0b4933e5a98c449b
+- Validity: November 19, 2020 to November 5, 2030
+- SHA-1 Hash: 80f4731a60fd5f2eb0468d0629310daa50ad210d
+- CRL DP: [http://crl-server.orc.com/CRLs/WIDEPOINTORCSSP5.crl](http://crl-server.orc.com/CRLs/WIDEPOINTORCSSP5.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### WidePoint NFI CA 5
+- Subject: CN = WidePoint NFI CA 5, O = ORC PKI, C = US
+- Issuer: CN = WidePoint NFI Root 2, OU = Certification Authorities, O = WidePoint, C = US
+- Serial #: 671b355a39b72fddf67723f142ed726d4e0307b4
+- Validity: April 17, 2020 to April 18, 2030
+- SHA-1 Hash: 52a2b89934a8f53719d620697496a6eb82a06e13
+- CRL DP: [http://crl-server.orc.com/CRLs/WIDEPOINTNFI5.crl](http://crl-server.orc.com/CRLs/WIDEPOINTNFI5.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### WidePoint NFI CA 6
+- Subject: CN = WidePoint NFI CA 6, O = ORC PKI, C = US
+- Issuer: CN = WidePoint NFI Root 2, OU = Certification Authorities, O = WidePoint, C = US
+- Serial #: 15707f8b78d4594f0fdc0d7884241c7659dd83e3
+- Validity: February 3, 2021 to December 31, 2030
+- SHA-1 Hash: 8a17d236acb45af809c0a4555f7142d82ae08736
+- CRL DP: [http://crl-server.orc.com/CRLs/WIDEPOINTNFI6.crl](http://crl-server.orc.com/CRLs/WIDEPOINTNFI6.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+
+## Maintenance Mode Issuing CA Certificate
Details
+These CA certificates have issued PIV, PIV-I and/or Derived PIV authentication certificates previously and are in maintenance mode only. Agency system administrators may need to include these CAs in configurations.
+
+#### Department of Veterans Affairs CA (1 of 2)
+- Subject: OU = Department of Veterans Affairs CA, OU = Certification Authorities, OU = Department of Veterans Affairs, O = U.S. Government, C = US
+- Issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+- Serial #: 5ccb3215
+- Validity: June 22, 2019 to June 22, 2029
+- SHA-1 Hash: 76cc898f03eb0fc7e0877aac30a0c1340bb34879
+- CRL DP: [http://pki.treas.gov/VA_CA2.crl](http://pki.treas.gov/VA_CA2.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Department of Veterans Affairs CA (2 of 2)
+- Subject: OU = Department of Veterans Affairs CA, OU = Certification Authorities, OU = Department of Veterans Affairs, O = U.S. Government, C = US
+- Issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+- Serial #: 4e398179
+- Validity: October 17, 2015 to October 17, 2025
+- SHA-1 Hash: e2edb0df1fe8068717a08e38741b5bc4c38029d0
+- CRL DP: [http://pki.treasury.gov/VA_CA1.crl](http://pki.treasury.gov/VA_CA1.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### DHS CA4 (1 of 2)
+- Subject: OU = DHS CA4, OU = Certification Authorities, OU = Department of Homeland Security, O = U.S. Government, C = US
+- Issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S.
Government, C = US
+- Serial #: 5ccb31ca
+- Validity: June 6, 2019 to June 6, 2029
+- SHA-1 Hash: 58085a64e181573f4fd917c5c021eb1cf344dd5f
+- CRL DP: [http://pki.treas.gov/DHS_CA3.crl](http://pki.treas.gov/DHS_CA3.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### DHS CA4 (2 of 2)
+- Subject: OU = DHS CA4, OU = Certification Authorities, OU = Department of Homeland Security, O = U.S. Government, C = US
+- Issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+- Serial #: 4e398128
+- Validity: June 13, 2015 to June 13, 2025
+- SHA-1 Hash: a31a5df2f1c1019b9cf5b7ca4e3b26650b9ca93f
+- CRL DP: [http://pki.treasury.gov/DHS_CA2.crl](http://pki.treasury.gov/DHS_CA2.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### DoD Issuing CAs (several CAs in maintenance mode)
+**DoD ID CA-52**
+- Subject: CN = DOD ID CA-52, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Issuer: CN = DoD Root CA 3, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Serial #: 012a
+- Validity: November 22, 2016 to November 23, 2022
+- SHA-1 Hash: 82118887716a07449fadd643eef739f04981087c
+- CRL DP: [http://crl.disa.mil/crl/DODIDCA_52.crl](http://crl.disa.mil/crl/DODIDCA_52.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+**DoD ID CA-51**
+- Subject: CN = DOD ID CA-51, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Issuer: CN = DoD Root CA 3, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Serial #: 0129
+- Validity: November 22, 2016 to November 23, 2022
+- SHA-1 Hash: f0a49bcf0fd1fc1521b31b2796fb829780050ee4
+- CRL DP: [http://crl.disa.mil/crl/DODIDCA_51.crl](http://crl.disa.mil/crl/DODIDCA_51.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+**DoD ID CA-50**
+- Subject: CN = DOD ID CA-50, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Issuer: CN = DoD Root CA 3, OU = PKI, OU = DoD, O = U.S.
Government, C = US
+- Serial #: 0128
+- Validity: November 22, 2016 to November 23, 2022
+- SHA-1 Hash: 5e2e392c6ca55e9bd3f522969ffa6b3657a5d910
+- CRL DP: [http://crl.disa.mil/crl/DODIDCA_50.crl](http://crl.disa.mil/crl/DODIDCA_50.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+**DoD ID CA-49**
+- Subject: CN = DOD ID CA-49, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Issuer: CN = DoD Root CA 3, OU = PKI, OU = DoD, O = U.S. Government, C = US
+- Serial #: 0127
+- Validity: November 22, 2016 to November 23, 2022
+- SHA-1 Hash: 6cd6e8bd7acd2f08e21693988a309eca6772c134
+- CRL DP: [http://crl.disa.mil/crl/DODIDCA_49.crl](http://crl.disa.mil/crl/DODIDCA_49.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Entrust Managed Services SSP CA
+- Subject: OU = Entrust Managed Services SSP CA, OU = Certification Authorities, O = Entrust, C = US
+- Issuer: OU = Entrust Managed Services Root CA, OU = Certification Authorities, O = Entrust, C = US
+- Serial #: 448063d5
+- Validity: July 30, 2015 to July 23, 2025
+- SHA-1 Hash: dec01bf40c153fbc38bf2ca766b04f9dfbda3064
+- CRL DP: [http://sspweb.managed.entrust.com/CRLs/EMSSSPCA2.crl](http://sspweb.managed.entrust.com/CRLs/EMSSSPCA2.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Entrust Derived Credential SSP CA
+- Subject: OU = Entrust Derived Credential SSP CA, OU = Certification Authorities, O = Entrust, C = US
+- Issuer: OU = Entrust Managed Services Root CA, OU = Certification Authorities, O = Entrust, C = US
+- Serial #: 4480b181
+- Validity: July 13, 2017 to July 13, 2025
+- SHA-1 Hash: e9245a056b17cb5be2e36abf1b8dae6dff9d3729
+- CRL DP: [http://feddcsweb.managed.entrust.com/CRLs/FedDCSCA.crl](http://feddcsweb.managed.entrust.com/CRLs/FedDCSCA.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### HHS-FPKI-Intermediate-CA-E1
+- Subject: CN = HHS-FPKI-Intermediate-CA-E1, OU = Certification Authorities, OU = HHS, O = U.S.
Government, C = US
+- Issuer: OU = Entrust Managed Services Root CA, OU = Certification Authorities, O = Entrust, C = US
+- Serial #: 44809a90
+- Validity: December 20, 2016 to July 20, 2025
+- SHA-1 Hash: d5e311406437c35a79bc023c2bbb57049f5d8f77
+- CRL DP: [http://hhspkicrl.managed.entrust.com/CRLs/HHSEntrustCA1.crl](http://hhspkicrl.managed.entrust.com/CRLs/HHSEntrustCA1.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### NASA Operational CA (1 of 2)
+- Subject: OU = NASA Operational CA, OU = Certification Authorities, OU = NASA, O = U.S. Government, C = US
+- Issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+- Serial #: 5ccb3196
+- Validity: May 4 2019 to May 4 2029
+- SHA-1 Hash: f504012b1fe57b4381e3bf5ba9f491144ed76ee1
+- CRL DP: [https://pki.treas.gov/NASA_Operational_CA4.crl](https://pki.treas.gov/NASA_Operational_CA4.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### NASA Operational CA (2 of 2)
+- Subject: OU = NASA Operational CA, OU = Certification Authorities, OU = NASA, O = U.S. Government, C = US
+- Issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+- Serial #: 4e398116
+- Validity: June 13, 2015 to June 13, 2025
+- SHA-1 Hash: fe7572bbde7b7f44152acc8e1715c18714dc9d63
+- CRL DP: [http://pki.treasury.gov/NASA_Operational_CA3.crl](http://pki.treasury.gov/NASA_Operational_CA3.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### NRC SSP Agency CA G3
+- Subject: CN = NRC SSP Agency CA G3, OU = U.S. Nuclear Regulatory Commission, O = U.S.
Government, C = US
+- Issuer: CN = Symantec SSP Intermediate CA - G4, O = Symantec Corporation, C = US
+- Serial #: 100f05dd316ca819d9d39febc661b326
+- Validity: November 24, 2014 to November 11, 2024
+- SHA-1 Hash: e40bee41cf7afa2ddba4eb10ff3a39f81ec48d20
+- CRL DP: [http://onsite-crl.pki.digicert.com/USNuclearRegulatoryCommissionSSPPIVG3/LatestCRL.crl](http://onsite-crl.pki.digicert.com/USNuclearRegulatoryCommissionSSPPIVG3/LatestCRL.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Senate PIV-I CA G4
+- Subject: CN = Senate PIV-I CA G4, OU = Office of the Sergeant at Arms, OU = U.S. Senate, O = U.S. Government, C = US
+- Issuer: CN = Symantec Class 3 SSP Intermediate CA - G3, OU = Symantec Trust Network, O = Symantec Corporation, C = US
+- Serial #: 52c8b762e38b30212288790964b7ab2c
+- Validity: August 1, 2016 to September 28, 2024
+- SHA-1 Hash: 3c9d0bc463dd1ac0f91012b440e9bdc1cdcd0eff
+- CRL DP: [http://onsite-crl.pki.digicert.com/USSenateSSPPIVIG4PROD/LatestCRL.crl](http://onsite-crl.pki.digicert.com/USSenateSSPPIVIG4PROD/LatestCRL.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Social Security Administration Certification Authority (1 of 2)
+- Subject: OU = Social Security Administration Certification Authority, OU = SSA, O = U.S. Government, C = US
+- Issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+- Serial #: 5bf45959
+- Validity: April 7, 2019 to April 7, 2029
+- SHA-1 Hash: 897a79fd488d426d6c50d0ba026f698bca3334f4
+- CRL DP: [https://pki.treas.gov/SSA_CA3.crl](https://pki.treas.gov/SSA_CA3.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Social Security Administration Certification Authority (2 of 2)
+- Subject: OU = Social Security Administration Certification Authority, OU = SSA, O = U.S. Government, C = US
+- Issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S.
Government, C = US
+- Serial #: 4e3980ef
+- Validity: April 19, 2015 to April 19, 2025
+- SHA-1 Hash: bb6c62e648d503f1beab75ef5f69b17256175993
+- CRL DP: [http://pki.treasury.gov/SSA_CA2.crl](http://pki.treasury.gov/SSA_CA2.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Treasury OCIO CA (1 of 2)
+- Subject: OU = OCIO CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+- Issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+- Serial #: 5ccb31fe
+- Validity: June 22, 2019 to June 22, 2029
+- SHA-1 Hash: e651a5dc6a1305613a22e46548e1666650c2825f
+- CRL DP: [https://pki.treas.gov/OCIO_CA5.crl](https://pki.treas.gov/OCIO_CA5.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### Treasury OCIO CA (2 of 2)
+- Subject: OU = OCIO CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+- Issuer: OU = US Treasury Root CA, OU = Certification Authorities, OU = Department of the Treasury, O = U.S. Government, C = US
+- Serial #: 4e398101
+- Validity: April 19, 2015 to April 19, 2025
+- SHA-1 Hash: 5ad254c3ecebb5b7e108caa0cc8030598a7b7709
+- CRL DP: [http://pki.treasury.gov/OCIO_CA4.crl](http://pki.treasury.gov/OCIO_CA4.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### U.S. Department of Education Agency CA - G4
+- Subject: CN = U.S. Department of Education Agency CA - G4, OU = U.S. Department of Education, O = U.S. Government, C = US
+- Issuer: CN = Symantec SSP Intermediate CA - G4, O = Symantec Corporation, C = US
+- Serial #: 224ad7d35a9d34350671f9b8be45a23a
+- Validity: July 20, 2015 to November 11, 2024
+- SHA-1 Hash: 69e2abc173047f844e3f53cb2cbd138ba9063de8
+- CRL DP: [http://onsite-crl.pki.digicert.com/USDepartmentofEducationDoEDG4PIV/LatestCRL.crl](http://onsite-crl.pki.digicert.com/USDepartmentofEducationDoEDG4PIV/LatestCRL.crl){:target="_blank"}{:rel="noopener noreferrer"}
+
+#### U.S.
Department of State PIV CA2 +- Subject: OU = U.S. Department of State PIV CA2, OU = Certification Authorities, OU = PIV, OU = Department of State, O = U.S. Government, C = US +- Issuer: CN = U.S. Department of State AD Root CA, CN = AIA, CN = Public Key Services, CN = Services, CN = Configuration, DC = state, DC = sbu, +- Serial #: 51b02402 +- Validity: August 3, 2016 to August 3, 2026 +- SHA-1 Hash: ffe07fb428bcef4bf38ebbfae1e42339e03e7756 +- CRL DP: [http://crls.pki.state.gov/crls/DoSADPKIPIVCA2.crl](http://crls.pki.state.gov/crls/DoSADPKIPIVCA2.crl){:target="_blank"}{:rel="noopener noreferrer"} + +#### U.S. Department of Transportation Agency CA G4 +- Subject: CN = U.S. Department of Transportation Agency CA G4, OU = U.S. Department of Transportation, O = U.S. Government, C = US +- Issuer: CN = Symantec SSP Intermediate CA - G4, O = Symantec Corporation, C = US +- Serial #: 61a90f3e5ff532f9fe6209d931279a82 +- Validity: December 10, 2014 to November 11, 2024 +- SHA-1 Hash: dc5b590800765864587902af983c21a7209be320 +- CRL DP: [http://onsite-crl.pki.digicert.com/USDepartmentofTransportationFAAPIVG4/LatestCRL.crl](http://onsite-crl.pki.digicert.com/USDepartmentofTransportationFAAPIVG4/LatestCRL.crl){:target="_blank"}{:rel="noopener noreferrer"} + +# FPKI System Changes and Notifications + +This page lists the changes to certification authorities and supporting systems operating within the Federal PKI community. + +The communication of changes, and planned or unplanned system outages, is required by the certificate policies and the incident management process. Strong communication allows for planning and response and benefits the Federal PKI community as a whole. 
Planned changes of the these types require notifications two (2) weeks in advance: + +- Changes to Certificate Revocation List Distribution Points +- Changes to Online Certificate Status Protocol (OCSP) endpoints +- Introducing new URIs or retiring old URIs referenced in the Certificates profiles in use +- Signing or revoking a _Certificate Authority (CA)_ certificate + +System **outages** - either through a planned maintenance activity or unplanned event - may also be posted on this page, and may trigger the Incident Management process. + +To report a change **or** system outage not listed below, please email fpki@gsa.gov. + +## How to add a new notification +System notifications can be submitted via either GitHub or email. + +### Submit notification via GitHub issue + + - Select [Add New Notification](https://github.com/GSA/ficam-playbooks/issues/new?title=System%20Notification%20for%3A%20%3CYour%20Organization%3E&body=notice_date%3A%20%0Achange_type%3A%20%20CA%20Certificate%20Issuance%2C%20CA%20Certificate%20Revocation%2C%20New%20CA%2C%20URI%20Change%2C%20System%20Outage%20%0Astart_datetime%3A%20%0Aend_datetime%3A%20%0Asystem%3A%20%0Achange_description%3A%20%0Acontact%3A%20%0Aca_certificate_hash%3A%20%0Aca_certificate_issuer%3A%20%0Aca_certificate_subject%3A%20%0Acdp_uri%3A%20%0Aaia_uri%3A%20%0Asia_uri%3A%20%0Aocsp_uri%3A%0A%20%0A&labels[]=System%20Notification){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} + + - This will open a new Issue form with input information for notification information. + - Enter the information and click 'Submit new issue' to submit the notification. + +### Submit notification via email +The notification can also be emailed to fpki@gsa.gov. The email should contain the following information. 
+ +Subject: FPKI System Notification - System Name + +- Notice date +- System +- Change type of one of the following: CA Certificate Issuance, CA Certificate Revocation, New CA, URI Change, System Outage, Intent to Issue/Revoke CA Certificate +- Change description: Include a start date or end date if applicable +- Contact email +- Issuer +- Subject DNs +- If the change is a new or revoked CA certificate, include the CA Certificate hash (sha1 thumbprint), +- If the change is a new URI, include the new Certificate Revocation List (CRL), Certificate Bundle AIA and SIA, OCSP, EE CRL DP, and/or EE OCSP value. + + +## Notifications + + + +
+ +{% for notification in site.data.fpkinotifications %} +
    +
    +
  • Notice Date: {{ notification.notice_date }}
  • +
  • System: {{ notification.system }}
  • +
  • Type: {{ notification.change_type }}
  • +
  • Change Description: {{ notification.change_description }}
  • +
  • Contact: {{ notification.contact }}
  • +
  • Certificate Issuer: {{ notification.ca_certificate_issuer }}
  • +
  • Certificate Subject: {{ notification.ca_certificate_subject }}
  • +
  • Certificate SHA1 Hash: {{ notification.ca_certificate_hash }}
  • +
  • Certificate Revocation List: {{ notification.cdp_uri }}
  • +
  • Certificate Bundle (AIA): {{ notification.aia_uri }}
  • +
  • Certificate Bundle (SIA): {{ notification.sia_uri }}
  • +
  • OCSP: {{ notification.ocsp_uri }}
  • +
  • EE CRL DP: {{ notification.ee_cdp_uri }}
  • +
  • EE OCSP: {{ notification.ee_ocsp_uri }}
  • +
+ +{% endfor %} + +
+ + + + diff --git a/_implement/fpki_tools_cite-guide.md b/_implement/fpki_tools_cite-guide.md new file mode 100644 index 000000000..6efd4a386 --- /dev/null +++ b/_implement/fpki_tools_cite-guide.md @@ -0,0 +1,436 @@ +--- +layout: page +title: CITE Participation Guide +collection: implement +permalink: /implement/fpkicite/ +sticky_sidenav: true +sidenav: implement + +subnav: + - text: Overview + href: '#overview' + - text: Testing Use Cases + href: '#testing-use-cases' + - text: Technical Specifications + href: '#technical-specifications' + - text: Scheduled and Unscheduled Testing + href: '#scheduled-and-unscheduled-testing' + - text: Repository Availability + href: '#repository-availability' + - text: Technical Support Availability + href: '#technical-support-availability' + - text: Test Websites + href: '#test-websites' + - text: Test Policy Object Identifiers + href: '#appendix-a---test-policy-object-identifiers' +--- + +Prepared By: The FPKI Technical Working Group (TWG)
+An FPKI Policy Authority Working Group + +Updated: September 7, 2022
+
+## Overview
+
+The Community Interoperability Test Environment (CITE) was established as the FPKI integrated test environment. CITE provides the FPKI community with a test environment that tries to mimic the production FPKI hierarchy and is managed by the Federal PKI Management Authority (FPKIMA). It contains a Test Federal Common Policy and Test Federal Bridge that issue test CA certificates to participating Shared Service Providers, Federal Agency PKI, and Non-Federal Affiliates (referred to as FPKI Partners). CITE Participants refer to an FPKI Partner establishing a test PKI certified or cross-certified with the Test Common Policy or Test Bridge CA.
+
+- [Testing Use Cases](#testing-use-cases)
+- [Technical Specifications](#technical-specifications)
+- [Scheduled and Unscheduled Testing](#scheduled-and-unscheduled-testing)
+- [Repository Availability](#repository-availability)
+- [Technical Support Availability](#technical-support-availability)
+- [Test Websites](#test-websites)
+- [Appendix A - Test Policy Object Identifiers](#appendix-a---test-policy-object-identifiers)
+
+This guide is a practice guide for FPKI Partners who want to either become CITE participants or leverage CITE for FPKI testing.
+
+## Testing Use Cases
+
+The main purpose of CITE is interoperability and infrastructure testing of PKI components and Relying Party applications. Additional types of testing may be identified and conducted as necessary and to the extent supported by CITE Participants. CITE should not be used for system stress testing. Infrastructure testing ensures that upgrades, patches, policy changes, new products, and any other changes to the production FPKI do not adversely affect interoperability.
+
+Relying Party application testing ensures that application modules operate as intended. In addition, application testing ensures that the system performs as expected and can properly process transactions that rely on FPKI certificates.
+
+This document does not define how to perform testing in CITE. That is a responsibility of the CITE Participants. Some examples of testing conducted in CITE include:
+1. Interoperability testing between cross-certified Certification Authorities (CAs);
+2. Transition testing to new algorithms (e.g., SHA-2, ECC);
+3. PIV and PIV-I credential interoperability testing;
+4. Repository access testing when using content delivery networks, load balancers, or other networking configurations; and
+5. Path discovery and/or validation testing for an application
+
+When testing is successful in CITE, assurance is gained that the proposed change(s) will operate in the production FPKI as intended. When tests fail in the CITE, issues are identified and addressed without production FPKI impact.
+
+## Technical Specifications
+
+The FPKI Community can use CITE to evaluate PKI or application changes in a test environment that mimics the production FPKI hierarchy and test potential interoperability issues before those changes are deployed to the FPKI. CITE participants shall follow the below technical specifications.
+
+1. The CITE Participant services shall be internet accessible.
+2. Repository availability and technical support should be maintained as detailed in the [Repository Availability](#repository-availability) and [Technical Support Availability](#technical-support-availability) sections.
+3. Test environments should emulate the corresponding production environment as closely as possible
+ 1. Each CITE Participant CA hierarchy shall mimic their production environment. A CITE Participant may limit the number of included Test CAs to one certified or cross-certified CA and either an intermediate and/or issuing CA.
+ 2. All CAs shall be distinctly marked to denote it is a test CA. The word "Test" or "Development" should be used in the Distinguished Names (DNs).
+ 3. An exact production replica of all internal CA components (e.g. hardware security modules, network zones, or other non-internet accessible components) is not required.
+ 4. The CITE Participant repositories should match those in the corresponding production environment as accurately as possible, including operating system versions and patch levels, protocols, and product version and patch levels.
+ 5. All CITE Participant CA certificates, Certificate Revocation Lists (CRLs), and cross-certificates shall be publicly accessible in the associated repository.
+ 6. Certificate revocation information should, when applicable, be made available using the same mechanism(s) as in the production environment (e.g., OCSP, CRLs).
+4. CITE Participants should provide expired, revoked, and valid test end-entity certificates, including private keys, for application and relying party tests.
The sample certificates should be hosted on a publicly accessible directory or website and shared with the FPKI Technical Working Group. The website or directory address may be made available through this guide. CITE Participants should have test certificates representing each of the certificate policies and certificate types that are issued from the corresponding production environment.
+5. All CITE Participant CAs and end-entity certificates should match their production counterparts, as applicable.
+ 1. Test certificates and CRL profiles (including version, key length, extensions, and syntax) shall match that of the production environment.
+ 2. The CITE CRLs may have a longer validation period than is required in production.
+ 3. The CITE CA certificates and cross-certificates shall depict the same trust relationships as in the production environment.
+ 4. CITE Participants should assert test certificate policy Object Identifiers (OIDs), when testing with CITE. See [Appendix A - Test Policy Object Identifiers](#appendix-a---test-policy-object-identifiers) for test OIDs and their production equivalent.
+ 5. Resource references (such as CRL Distribution Points and Authority Information Access (AIA) points in the CITE certificates shall correspond to appropriately functional repositories.
+
+{% include alert-warning.html content="If publicly posting private keys for testing purposes, the corresponding certificates are required to assert test certificate policy OIDs." %}
+
+## Scheduled and Unscheduled Testing
+
+Testing and support requests (to include certificate issuance and management requests) shall be scheduled and coordinated in advance. This will allow CITE Participants to appropriately plan and schedule any technical support needed for successful testing.
+
+{% include alert-info.html content="Testing requests can be submitted to the FPKI Technical Working Group at fpki-ttips@listserv.gsa.gov. 
All testing requests should be submitted ten business days in advance." %}
+
+For unscheduled testing, the CITE and FPKI Partner repositories are internet accessible and available for testing (including vendors and other Relying Parties). Unscheduled testing may be conducted at any time if the below is true.
+1. All parties involved agree to provide the necessary support; or
+2. The testing party does not need support from any other CITE Participant (in which case, the testing party is willing to accept that services may or may not be available).
+
+## Repository Availability
+
+CITE Participant repositories should be available during regular business hours for scheduled and unscheduled testing. Each CITE Participant should leave its repository services operational and available 24 hours a day, 7 days a week. CITE Participants should follow the below table on repository availability requirements.
+
+| Days | Time | Description | Repository Availability Requirement |
+| --------- | --------------- | ------------------ | ----------------------------------- |
+| Mon - Fri | 0900 - 1700 EST | Business Hours | CITE Participant repository services should be operational and available, except for scheduled downtime and federal holidays. |
+| Mon - Fri | 1700 - 0900 EST | Non-Business hours | No requirement |
+| Sat - Sun | 0001 - 0000 EST | Non-Business hours | No requirement |
+
+{% include alert-warning.html content="CITE Test Common Policy and Test Federal Bridge, at a minimum, will provide 20% availability per month. CITE should not be used or relied upon for near-production availability." %}
+
+## Technical Support Availability
+
+CITE Participants shall provide the FPKI Technical Working Group with email and phone information for at least two technical contacts to help coordinate any technical service issues. In lieu of providing individual names for technical POCs, CITE Participants may establish a group or other organizational-based email addresses for communications with the appropriate technical contacts. This information will only be made available (in a controlled manner) to CITE Participants, FPKI Applicants (if applicable), and vendors supporting the FPKI as needed during testing or troubleshooting. CITE Participants involved in scheduled testing shall provide the issuance, management, and troubleshooting necessary to help resolve any issues.
+
+{% include alert-warning.html content="CITE Participant technical support is only available for scheduled testing with any outage resolved on a best effort basis. " %}
+
+## Test Websites
+
+| FPKI CA Certificates | Website URL |
+| ------------ | ----------- |
+| Test FCPCA G2 | http://cite.fpki.gov/fcpca/Testfcpcag2.crt |
+
+
+| FPKI CA CRLs | CRL URL |
+| ------------ | ----------- |
+| Test FCPCA G2 | http://cite.fpki.gov/fcpca/Testfcpcag2.crl |
+| Test FBCA G4 | http://cite.fpki.gov/bridge/Testfbcag4.crl |
+
+| FPKI CA p7c | SIA URL | AIA URL |
+| ------------ | ----------- | ----------- |
+| Test FCPCA G2 | http://cite.fpki.gov/fcpca/caCertsIssuedByTestfcpcag2.p7c | http://cite.fpki.gov/fcpca/caCertsIssuedToTestfcpcag2.p7c |
+| Test FBCA G4 | http://cite.fpki.gov/bridge/caCertsIssuedByTestfbcag4.p7c | http://cite.fpki.gov/bridge/caCertsIssuedToTestfbcag4.p7c |
+
+| Test Partner CRLs | CRL URL |
+| ------------ | ----------- |
+| Treasury | http://devpki.treasury.gov/Dev_US_Treasury_Root_CA.crl |
+| DoD | http://crl.nit.disa.mil/crl/DODJITCINTEROPERABILITYROOTCA2.crl |
+| Entrust SSP | http://dsspweb.managed.entrust.com/CRLs/EMSDemoFRootCA2.crl |
+
+| Test Partner CA p7cs | p7c URLs |
+| ------------ | ----------- |
+| Treasury | SIA:http://devpki.treasury.gov/devroot_sia.p7c AIA:http://devpki.treasury.gov/cacertsissuedtodevtrca.p7c |
+| DoD | SIA:http://crl.nit.disa.mil/issuedby/DODJITCINTEROPERABILITYROOTCA2_IB.p7c AIA:http://crl.nit.disa.mil/issuedto/DODJITCINTEROPERABILITYROOTCA2_IT.p7c |
+| Entrust SSP | SIA:http://dsspweb.managed.entrust.com/SIA/CAcertsIssuedByEMSDemoFRootCA.p7c AIA:http://dsspweb.managed.entrust.com/AIA/CertsIssuedToEMSDemoFRootCA.p7c |
+
+## Appendix A - Test Policy Object Identifiers
+
+The table below lists the current test to production OID equivalent used by the FPKIMA and CITE Participants.
+
+1. [Federal PKI Trust Infrascture Test OIDs](#federal-pki-trust-infrastructure-test-oids)
+2. [Federal Agency PKI Test OIDs](#federal-agency-pki-test-oids)
+3. [Federal Shared Service Provider (SSP) Test OIDs](#federal-shared-service-provider-ssp-test-oids)
+4. 
[Non-Federal Issuer (NFI) Test OIDs](#non-federal-issuer-nfi-test-oids) +5. [Commercial PKI Bridge Test OIDs](#commercial-pki-bridge-test-oids) + +### Federal PKI Trust Infrastructure Test OIDs + +#### Federal PKI Federal Bridge + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | ------------------ | +| 2.16.840.1.101.3.2.1.48.1 | FBCA Rudimentary | 2.16.840.1.101.3.2.1.3.1 | +| 2.16.840.1.101.3.2.1.48.2 | FBCA Basic | 2.16.840.1.101.3.2.1.3.2 | +| 2.16.840.1.101.3.2.1.48.3 | FBCA Medium | 2.16.840.1.101.3.2.1.3.3 | +| 2.16.840.1.101.3.2.1.48.4 | FBCA Medium Hardware | 2.16.840.1.101.3.2.1.3.12 | +| 2.16.840.1.101.3.2.1.48.5 | FBCA Medium CBP | 2.16.840.1.101.3.2.1.3.14 | +| 2.16.840.1.101.3.2.1.48.6 | FBCA Medium Hardware CBP | 2.16.840.1.101.3.2.1.3.15 | +| 2.16.840.1.101.3.2.1.48.7 | FBCA High | 2.16.840.1.101.3.2.1.3.4 | +| 2.16.840.1.101.3.2.1.48.78 | id-fpki-certpcy-pivi-hardware | 2.16.840.1.101.3.2.1.3.18 | +| 2.16.840.1.101.3.2.1.48.79 | id-fpki-certpcy-pivi-cardAuth | 2.16.840.1.101.3.2.1.3.19 | +| 2.16.840.1.101.3.2.1.48.80 | id-fpki-certpcy-pivi-contentSigning | 2.16.840.1.101.3.2.1.3.20 | +| 2.16.840.1.101.3.2.1.48.99 | FBCA devices | 2.16.840.1.101.3.2.1.3.37 | +| 2.16.840.1.101.3.2.1.48.100 | FBCA devices Hardware | 2.16.840.1.101.3.2.1.3.38 | + +#### Federal PKI Federal Common Policy + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | ------------------ | +| 2.16.840.1.101.3.2.1.48.8 | id-fpki-common-policy | 2.16.840.1.101.3.2.1.3.6 | +| 2.16.840.1.101.3.2.1.48.9 | id-fpki-common-hardware | 2.16.840.1.101.3.2.1.3.7 | +| 2.16.840.1.101.3.2.1.48.10 | id-fpki-common-devices | 2.16.840.1.101.3.2.1.3.8 | +| 2.16.840.1.101.3.2.1.48.11 | id-fpki-common-authentication | 2.16.840.1.101.3.2.1.3.13 | +| 2.16.840.1.101.3.2.1.48.12 | id-fpki-common-High | 2.16.840.1.101.3.2.1.3.16 | +| 2.16.840.1.101.3.2.1.48.13 | id-fpki-common-cardAuth | 2.16.840.1.101.3.2.1.3.17 | 
+| 2.16.840.1.101.3.2.1.48.86 | id- fpki-common-piv-contentSigning | 2.16.840.1.101.3.2.1.3.39 | +| 2.16.840.1.101.3.2.1.48.98 | id-fpki-common-devicesHardware | 2.16.840.1.101.3.2.1.3.36 | +| 2.16.840.1.101.3.2.1.48.109 | id-fpki-common-pivAuth-derived | 2.16.840.1.101.3.2.1.3.40 | +| 2.16.840.1.101.3.2.1.48.110 | id-fpki-common-pivAuth-derived-hardware | 2.16.840.1.101.3.2.1.3.41 | +| 2.16.840.1.101.3.2.1.48.83 | id-fpki-common-pivi-authentication | 2.16.840.1.101.3.2.1.3.45 | +| 2.16.840.1.101.3.2.1.48.84 | id-pki-common-pivi-cardAuth | 2.16.840.1.101.3.2.1.3.46 | +| 2.16.840.1.101.3.2.1.48.85 | id-pki-common-pivi-contentSigning | 2.16.840.1.101.3.2.1.3.47 | + +### Federal Agency PKI Test OIDs + +#### Department of Defense (DoD) + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | ------------------ | +| N/A | id-US-dod-mediumNPE-112 | 2.16.840.1.101.2.1.11.36 | +| N/A | id-US-dod-mediumNPE-128 | 2.16.840.1.101.2.1.11.37 | +| N/A | id-US-dod-mediumNPE-192 | 2.16.840.1.101.2.1.11.38 | +| N/A | id-US-dod-medium-112 | 2.16.840.1.101.2.1.11.39 | +| N/A | id-US-dod-medium-128 | 2.16.840.1.101.2.1.11.40 | +| N/A | id-US-dod-medium-192 | 2.16.840.1.101.2.1.11.41 | +| N/A | id-US-dod-mediumHardware-112 | 2.16.840.1.101.2.1.11.42 | +| N/A | id-US-dod-mediumHardware-128 | 2.16.840.1.101.2.1.11.43 | +| N/A | id-US-dod-mediumHardware-192 | 2.16.840.1.101.2.1.11.44 | + +#### Department of Defense External CA (DoD ECA) + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | ------------------ | +| N/A | id-eca-medium-sha256 | 2.16.840.1.101.3.2.1.12.4 | +| N/A | id-eca-medium-token-sha256 | 2.16.840.1.101.3.2.1.12.5 | +| N/A | id-eca-medium-hardware-pivi | 2.16.840.1.101.3.2.1.12.6 | +| N/A | id-eca-cardauth-pivi | 2.16.840.1.101.3.2.1.12.7 | +| N/A | id-eca-contentsigning-pivi | 2.16.840.1.101.3.2.1.12.8 | +| N/A | id-eca-medium-device-sha256 | 2.16.840.1.101.3.2.1.12.9 | +| N/A | 
id-eca-medium-hardware-sha256 | 2.16.840.1.101.3.2.1.12.10 | + +#### Department of State (DOS) + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | ------------------ | +| 2.16.840.1.101.3.2.1.48.49 | state-basic | 2.16.840.1.101.3.2.1.6.1 | +| 2.16.840.1.101.3.2.1.48.50 | state-low | 2.16.840.1.101.3.2.1.6.2 | +| 2.16.840.1.101.3.2.1.48.51 | state-moderate | 2.16.840.1.101.3.2.1.6.3 | +| 2.16.840.1.101.3.2.1.48.52 | state-high | 2.16.840.1.101.3.2.1.6.4 | +| 2.16.840.1.101.3.2.1.48.53 | state-mrtd | 2.16.840.1.101.3.2.1.6.100 | +| 2.16.840.1.101.3.2.1.48.77 | State Medium Hardware | 2.16.840.1.101.3.2.1.6.12 | + +#### Department of the Treasury + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | ------------------ | +| 2.16.840.1.101.3.2.1.48.54 | treasury-cp1 | 2.16.840.1.101.3.2.1.5.1 | +| 2.16.840.1.101.3.2.1.48.55 | treasury-level 1 | 2.16.840.1.101.3.2.1.5.2 | +| 2.16.840.1.101.3.2.1.48.56 | treasury-level 2 | 2.16.840.1.101.3.2.1.5.3 | +| 2.16.840.1.101.3.2.1.48.57 | treasury-level 3 | 2.16.840.1.101.3.2.1.5.4 | +| 2.16.840.1.101.3.2.1.48.58 | treasury-level 4 | 2.16.840.1.101.3.2.1.5.5 | +| 2.16.840.1.101.3.2.1.48.75 | Treasury Medium-Software | 2.16.840.1.101.3.2.1.5.7 | +| 2.16.840.1.101.3.2.1.48.76 | Treasury Basic Org | 2.16.840.1.101.3.2.1.5.8 | +| 2.16.840.1.101.3.2.1.48.111 | treasury-pivi-hardware | 2.16.840.1.101.3.2.1.5.10 | +| 2.16.840.1.101.3.2.1.48.112 | treasury-pivi-cardAuth | 2.16.840.1.101.3.2.1.5.11 | +| 2.16.840.1.101.3.2.1.48.113 | treasury-pivi-contentSigning | 2.16.840.1.101.3.2.1.5.12 | + +#### GSA FIPS 201 Approved Product List (APL) + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | ------------------ | +| 2.16.840.1.101.3.2.1.48.248 | APL test lab Golden PIV-I Authentication | N/A | +| 2.16.840.1.101.3.2.1.48.249 | APL test lab Golden PIV-I CardAuth | N/A | +| 2.16.840.1.101.3.2.1.48.250 | 
APL test lab Golden PIV-I Key Management | N/A | +| 2.16.840.1.101.3.2.1.48.251 | APL test lab Golden PIV-I Digital Signature | N/A | +| 2.16.840.1.101.3.2.1.48.252 | APL test lab Golden PIV-I Content Signing | N/A | + +#### Government Printing Office (GPO) + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | ------------------ | +| 2.16.840.1.101.3.2.1.48.37 | id-gpo-certpcy-mediumAssurance | 2.16.840.1.101.3.2.1.17.1 | +| N/A | id-gpo-certpcy-mediumHardware | 2.16.840.1.101.3.2.1.17.2 | +| N/A | id-gpo-certpcy-devices | 2.16.840.1.101.3.2.1.17.3 | + +#### U.S. Patent and Trademark Office (USPTO) + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | ------------------ | +| 2.16.840.1.101.3.2.1.48.66 | id-pto-basic-2003 | 2.16.840.1.101.3.2.1.2.7 | +| 2.16.840.1.101.3.2.1.48.67 | id-pto-medium-2003 | 2.16.840.1.101.3.2.1.2.8 | +| 2.16.840.1.101.3.2.1.48.65 | id-pto-mediumHardware | 2.16.840.1.101.3.2.1.2.9 | + +#### National Aeronautics and Space Administration (NASA) + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | ------------------ | +| 2.16.840.1.101.3.2.1.48.74 | NASA | 1.3.6.1.4.1.71.1.1.103 | + +### Federal Shared Service Provider (SSP) Test OIDs + +All SSPs directly assert Federal Common Policy OIDs. 
+ +See [Federal PKI Federal Common Policy](#federal-pki-federal-common-policy) + +### Non-Federal Issuer (NFI) Test OIDs + +#### Entrust Managed Services + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | ------------------ | +| 2.16.840.1.114027.200.3.10.10.1.8 | id-emspki-nfssp-rudimentary-policy | 2.16.840.1 .114027.200.3.10.7.8 | +| 2.16.840.1.114027.200.3.10.10.1.7 | id-emspki-nfssp-basic-policy | 2.16.840.1.114027.200.3.10.7.7 | +| 2.16.840.1.114027.200.3.10.10.1.1 | id-emspki-nfssp-medium-policy | 2.16.840.1.114027.200.3.10.7.1 | +| 2.16.840.1.114027.200.3.10.10.1.3 | id-emspki-nfssp-medium-devices | 2.16.840.1.114027.200.3.10.7.3 | +| 2.16.840.1.114027.200.3.10.10.1.2 | id-emspki-nfssp-medium-hardware| 2.16.840.1.114027.200.3.10.7.2 | +| 2.16.840.1.114027.200.3.10.10.1.4 | id-emspki-nfssp-medium-authentication | 2.16.840.1.114027.200.3.10.7.4 | +| 2.16.840.1.114027.200.3.10.10.1.6 | id-emspki-nfssp-pivi-hardware | 2.16.840.1.114027.200.3.10.7.6 | +| 2.16.840.1.114027.200.3.10.10.1.5 | id-emspki-nfssp-medium-cardAuth | 2.16.840.1.114027.200.3.10.7.5 | +| 2.16.840.1.114027.200.3.10.10.1.9 | id-emspki-nfssp-pivi-contentSigning | 2.16.840.1.114027.200.3.10.7.9 | + +#### DigiCert (and former Symantec and VeriSign) + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | ------------------ | +| 2.16.840.1.114412.99.4.1.1 | DigiCert Level 1 Client Certificate - Personal | 2.16.840.1.114412.4.1.1 | +| 2.16.840.1.114412.99.4.1.2 | DigiCert Level 1 Client Certificate - Enterprise | 2.16.840.1.114412.4.1.2 | +| 2.16.840.1.114412.99.4.2 | DigiCert Level 2 Client Certificate - Basic | 2.16.840.1.114412.4.2 | +| 2.16.840.1.114412.99.4.3.1 | DigiCert Level 3 Client Certificate - US - Medium | 2.16.840.1.114412.4.3.1 | +| 2.16.840.1.114412.99.4.3.2 | DigiCert Level 3 Client Certificate - CBP - Medium | 2.16.840.1.114412.4.3.2 | +| 2.16.840.1.114412.99.4.4.1 | Digicert Level 4 Client 
Certificate - US - Hardware | 2.16.840.1.114412.4.4.1 | +| 2.16.840.1.114412.99.4.4.2 | Digicert Level 4 Client Certificate - CBP - Hardware | 2.16.840.1.114412.4.4.2 | +| 2.16.840.1.113733.1.7.21.1.1 | Class 1-VTN SSP-rudimentary | 2.16.840.1.113733.1.7.23.1.1.1 | +| 2.16.840.1.113733.1.7.21.2.1 | Class 2-VTN SSP-basic | 2.16.840.1.113733.1.7.23.2.1.1 | +| 2.16.840.1.113733.1.7.21.3.6 | Class 3-VTN SSP-medium | 2.16.840.1.113733.1.7.23.3.1.6 | +| 2.16.840.1.113733.1.7.21.3.7 | Class 3-VTN SSP-mediumHardware | 2.16.840.1.113733.1.7.23.3.1.7 | +| 2.16.840.1.113733.1.7.21.3.8 | Class 3-VTN SSP-Devices | 2.16.840.1.113733.1.7.23.3.1.8 | +| 2.16.840.1.113733.1.7.21.3.13 | Class 3-VTN SSP-PIV-I Hardware | 2.16.840.1.113733.1.7.23.3.1.13 | +| 2.16.840.1.113733.1.7.21.3.14 | Class 3-VTN SSP-Medium CBP | 2.16.840.1.113733.1.7.23.3.1.14 | +| 2.16.840.1.113733.1.7.21.3.15 | Class 3-VTN SSP-Medium Hardware CBP | 2.16.840.1.113733.1.7.23.3.1.15 | +| 2.16.840.1.113733.1.7.21.3.17 | Class 3-VTN SSP-PIV-I CardAuth | 2.16.840.1.113733.1.7.23.3.1.17 | +| 2.16.840.1.113733.1.7.21.3.20 | Class 3-VTN SSP-PIV-I ContentSigning | 2.16.840.1.113733.1.7.23.3.1.20 | + +#### Exostar + +| Test OID | Policy | Production OID | +|-------------------------------|---------------------------------------------------|------------------------------| +| 1.3.6.1.4.1.13948.1.1.1.18 | id-Exostar-basic-sha2 | 1.3.6.1.4.1.13948.1.1.1.8 | +| 1.3.6.1.4.1.13948.1.1.1.15 | id-Exostar-mediumSoftware-sha2 | 1.3.6.1.4.1.13948.1.1.1.5 | +| 1.3.6.1.4.1.13948.1.1.1.16 | id-Exostar-mediumHardware-sha2 | 1.3.6.1.4.1.13948.1.1.1.6 | +| unknown | id-Exostar-Software-device-sha2 | 1.3.6.1.4.1.13948.1.1.1.25 | +| unknown | id-Exostar-mediumHardware-device-sha2 | 1.3.6.1.4.1.13948.1.1.1.26 | + +#### IdenTrust + +| Test OID | Policy | Production OID | +|-------------------------------|---------------------------------------------------|------------------------------| +| 2.16.840.1.113839.99.100.2.3 | IGC Basic Software 
Signing | 2.16.840.1.113839.0.100.2.3 | +| 2.16.840.1.113839.99.100.2.4 | IGC Basic Software Encryption | 2.16.840.1.113839.0.100.2.4 | +| 2.16.840.1.113839.99.100.2.5 | IGC Basic Hardware Signing | 2.16.840.1.113839.0.100.2.5 | +| 2.16.840.1.113839.99.100.2.6 | IGC Basic Hardware Encryption | 2.16.840.1.113839.0.100.2.6 | +| 2.16.840.1.113839.99.100.2.7 | IGC Basic Hardware Card Authentication | 2.16.840.1.113839.0.100.2.7 | +| 2.16.840.1.113839.99.100.2.8 | IGC Basic Hardware Identity | 2.16.840.1.113839.0.100.2.8 | +| 2.16.840.1.113839.99.100.3.1 | IGC Medium Software Signing | 2.16.840.1.113839.0.100.3.1 | +| 2.16.840.1.113839.99.100.3.2 | IGC Medium Software Encryption | 2.16.840.1.113839.0.100.3.2 | +| 2.16.840.1.113839.99.100.3.3 | IGC Medium Software Group Organization Signing | 2.16.840.1.113839.0.100.3.3 | +| 2.16.840.1.113839.99.100.3.4 | IGC Medium Software Group Organization Encryption | 2.16.840.1.113839.0.100.3.4 | +| 2.16.840.1.113839.99.100.3.5 | IGC Medium Software Group Address Signing | 2.16.840.1.113839.0.100.3.5 | +| 2.16.840.1.113839.99.100.3.6 | IGC Medium Software Group Address Encryption | 2.16.840.1.113839.0.100.3.6 | +| 2.16.840.1.113839.99.100.12.1 | IGC Medium Hardware Signing | 2.16.840.1.113839.0.100.12.1 | +| 2.16.840.1.113839.99.100.12.2 | IGC Medium Hardware Encryption | 2.16.840.1.113839.0.100.12.2 | +| 2.16.840.1.113839.99.100.12.3 | IGC Medium Hardware Card Authentication | 2.16.840.1.113839.0.100.12.3 | +| 2.16.840.1.113839.99.100.12.4 | IGC Medium Hardware Identity | 2.16.840.1.113839.0.100.12.4 | +| 2.16.840.1.113839.99.100.14.1 | IGC Medium Software CBP Signing | 2.16.840.1.113839.0.100.14.1 | +| 2.16.840.1.113839.99.100.14.2 | IGC Medium Software CBP Encryption | 2.16.840.1.113839.0.100.14.2 | +| 2.16.840.1.113839.99.100.15.1 | IGC Medium Hardware CBP Signing | 2.16.840.1.113839.0.100.15.1 | +| 2.16.840.1.113839.99.100.15.2 | IGC Medium Hardware CBP Encryption | 2.16.840.1.113839.0.100.15.2 | +| 
2.16.840.1.113839.99.100.15.3 | IGC Medium Hardware CBP Card Authentication | 2.16.840.1.113839.0.100.15.3 | +| 2.16.840.1.113839.99.100.15.4 | IGC Medium Hardware CBP Identity | 2.16.840.1.113839.0.100.15.4 | +| 2.16.840.1.113839.99.100.18.1 | IGC PIV-I Signing | 2.16.840.1.113839.0.100.18.1 | +| 2.16.840.1.113839.99.100.18.2 | IGC PIV-I Encryption | 2.16.840.1.113839.0.100.18.2 | +| 2.16.840.1.113839.99.100.18.3 | IGC PIV-I Identity | 2.16.840.1.113839.0.100.18.3 | +| 2.16.840.1.113839.99.100.19.1 | IGC PIV-I Card Authentication | 2.16.840.1.113839.0.100.19.1 | +| 2.16.840.1.113839.99.100.20.1 | IGC PIV-I Content Signing | 2.16.840.1.113839.0.100.20.1 | +| 2.16.840.1.113839.99.100.37.1 | IGC Medium Device Software | 2.16.840.1.113839.0.100.37.1 | +| 2.16.840.1.113839.99.100.37.2 | IGC Medium TLS/SSL Software | 2.16.840.1.113839.0.100.37.2 | +| 2.16.840.1.113839.99.100.37.3 | IGC Medium Group Device Software Signing | 2.16.840.1.113839.0.100.37.3 | +| 2.16.840.1.113839.99.100.37.4 | IGC Medium Group Device Software Encryption | 2.16.840.1.113839.0.100.37.4 | + +#### WidePoint + +| Test OID | Policy | Production OID | +|-------------------------------|---------------------------------------------------|------------------------------| +| 1.3.6.1.4.1.3922.1.2.1.3 | id-orc-nfissp-certpolicy-mediumAssurance | 1.3.6.1.4.1.3922.1.1.1.3 | +| 1.3.6.1.4.1.3922.1.2.1.12 | id-orc-nfissp-certpolicy-mediumhardware | 1.3.6.1.4.1.3922.1.1.1.12 | +| 1.3.6.1.4.1.3922.1.2.1.18 | id-orc-nfissp-certpolicy-pivi-hardware | 1.3.6.1.4.1.3922.1.1.1.18 | +| 1.3.6.1.4.1.3922.1.2.1.19 | id-orc-nfissp-certpolicy-pivi-cardAuth | 1.3.6.1.4.1.3922.1.1.1.19 | +| 1.3.6.1.4.1.3922.1.2.1.20 | id-orc-nfissp-certpolicy-pivi-contentSigning | 1.3.6.1.4.1.3922.1.1.1.20 | +| 1.3.6.1.4.1.3922.1.2.1.37 | id-orc-nfissp-certpolicy-mediumDevice | 1.3.6.1.4.1.3922.1.1.1.37 | +| 1.3.6.1.4.1.3922.1.2.1.38 | id-orc-nfissp-certpolicy-mediumDeviceHardware | 1.3.6.1.4.1.3922.1.1.1.38 | + + +### Commercial PKI Bridge 
Test OIDs + +#### SAFE Bio-Pharma Bridge + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | ------------------ | +| N/A | Safe basic | 1.3.6.1.4.1.23165.1.1 | +| N/A | Safe med software | 1.3.6.1.4.1.23165.1.2 | +| N/A | Safe med HW | 1.3.6.1.4.1.23165.1.3 | + +#### CertiPath Bridge + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | ------------------ | +| 1.3.6.1.4.1.24019.1.1.1.101 | CertiPath medium Software | 1.3.6.1.4.1.24019.1.1.1.1 | +| 1.3.6.1.4.1.24019.1.1.1.102 | CertiPath medium Hardware | 1.3.6.1.4.1.24019.1.1.1.2 | +| 1.3.6.1.4.1.24019.1.1.1.103 | CertiPath highHardware | 1.3.6.1.4.1.24019.1.1.1.3 | +| 1.3.6.1.4.1.24019.1.1.1.104 | CertiPath medium CBP Software | 1.3.6.1.4.1.24019.1.1.1.4 | +| 1.3.6.1.4.1.24019.1.1.1.105 | CertiPath medium CBP Hardware | 1.3.6.1.4.1.24019.1.1.1.5 | +| 1.3.6.1.4.1.24019.1.1.1.106 | CertiPath highCBPHardware | 1.3.6.1.4.1.24019.1.1.1.6 | +| 1.3.6.1.4.1.24019.1.1.1.107 | CertiPath IceCAP-hardware | 1.3.6.1.4.1.24019.1.1.1.7 | +| 1.3.6.1.4.1.24019.1.1.1.108 | CertiPath IceCAP-cardAuth | 1.3.6.1.4.1.24019.1.1.1.8 | +| 1.3.6.1.4.1.24019.1.1.1.109 | CertiPath IceCAP-contentSigning | 1.3.6.1.4.1.24019.1.1.1.9 | +| 1.3.6.1.4.1.24019.1.1.1.110 | CertiPath variant medium Software | 1.3.6.1.4.1.24019.1.1.1.17 | +| 1.3.6.1.4.1.24019.1.1.1.111 | CertiPath variant medium Hardware | 1.3.6.1.4.1.24019.1.1.1.18 | +| 1.3.6.1.4.1.24019.1.1.1.112 | CertiPath variant high Hardware | 1.3.6.1.4.1.24019.1.1.1.19 | +| 1.3.6.1.4.1.24019.1.1.1.113 | CertiPath variant medium CBP Software | 1.3.6.1.4.1.24019.1.1.1.20 | +| 1.3.6.1.4.1.24019.1.1.1.114 | CertiPath variant medium CBP Hardware | 1.3.6.1.4.1.24019.1.1.1.21 | +| 1.3.6.1.4.1.24019.1.1.1.115 | CertiPath variant high CBP Hardware | 1.3.6.1.4.1.24019.1.1.1.22 | + +#### STRAC Bridge + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | 
------------------ | +| 1.3.6.1.4.1.39789.2.1.99.1 | stracbridge-certpcy-rudimentaryAssurance | 1.3.6.1.4.1.39789.2.1.5.1 | +| 1.3.6.1.4.1.39789.2.1.99.2 | stracbridge-certpcy-basicAssurance | 1.3.6.1.4.1.39789.2.1.5.2 | +| 1.3.6.1.4.1.39789.2.1.99.3 | stracbridge-certpcy-mediumAssurance | 1.3.6.1.4.1.39789.2.1.5.3 | +| 1.3.6.1.4.1.39789.2.1.99.4 | stracbridge-certpcy-mediumHardware | 1.3.6.1.4.1.39789.2.1.5.4 | +| 1.3.6.1.4.1.39789.2.1.99.5 | stracbridge-certpcy-mediumCBP | 1.3.6.1.4.1.39789.2.1.5.5 | +| 1.3.6.1.4.1.39789.2.1.99.6 | stracbridge-certpcy-mediumHW-CBP | 1.3.6.1.4.1.39789.2.1.5.6 | +| 1.3.6.1.4.1.39789.2.1.99.7 | stracbridge-certpcy-pivi-hardware | 1.3.6.1.4.1.39789.2.1.5.7 | +| 1.3.6.1.4.1.39789.2.1.99.8 | stracbridge-certpcy-pivi-cardAuth | 1.3.6.1.4.1.39789.2.1.5.8 | +| 1.3.6.1.4.1.39789.2.1.99.9 | stracbridge-certpcy-pivi-contentSigning | 1.3.6.1.4.1.39789.2.1.5.9 | +| 1.3.6.1.4.1.39789.2.1.99.10 | stracbridge-certpcy-mediumDevice | 1.3.6.1.4.1.39789.2.1.5.10 | +| 1.3.6.1.4.1.39789.2.1.99.11 | stracbridge-certpcy-mediumDeviceHardware | 1.3.6.1.4.1.39789.2.1.5.11 | + +#### TSCP Bridge + +| Test OID | Policy | Production OID | +| --------------------------- | ---------------------- | ------------------ | +| 1.3.6.1.4.1.38099.1.1.1.201 | tscp-certpcy-medium | 1.3.6.1.4.1.38099.1.1.1.1 | +| 1.3.6.1.4.1.38099.1.1.1.202 | tscp-certpcy-MediumHardware | 1.3.6.1.4.1.38099.1.1.1.2 | +| 1.3.6.1.4.1.38099.1.1.1.203 | tscp-certpcy-Medium-CBP | 1.3.6.1.4.1.38099.1.1.1.3 | +| 1.3.6.1.4.1.38099.1.1.1.204 | tscp-certpcy-MediumHardware-CBP | 1.3.6.1.4.1.38099.1.1.1.4 | +| 1.3.6.1.4.1.38099.1.1.1.205 | tscp-certpcy-PIVI | 1.3.6.1.4.1.38099.1.1.1.5 | +| 1.3.6.1.4.1.38099.1.1.1.206 | tscp-certpcy-PIVI-CardAuth | 1.3.6.1.4.1.38099.1.1.1.6 | +| 1.3.6.1.4.1.38099.1.1.1.207 | tscp-certpcy-PIVI-ContentSigning | 1.3.6.1.4.1.38099.1.1.1.7 | +| 1.3.6.1.4.1.38099.1.1.1.212 | tscp-certpcy-MediumDevice | 1.3.6.1.4.1.38099.1.1.1.12 | +| 1.3.6.1.4.1.38099.1.1.1.213 | 
tscp-certpcy-MediumDeviceHardware | 1.3.6.1.4.1.38099.1.1.1.13 | diff --git a/_implement/introduction.md b/_implement/introduction.md new file mode 100644 index 000000000..6b9fee8ac --- /dev/null +++ b/_implement/introduction.md 
@@ -0,0 +1,83 @@ +--- +layout: page +collection: implement +title: How to implement ICAM +permalink: /implement/ +sticky_sidenav: true +sidenav: implement + +subnav: + - text: Configuration Guides + href: '#configuration-guides' + - text: ICAM Troubleshooting Tools + href: '#icam-troubleshooting-tools' + - text: Find Additional Guides + href: '#find-additional-guides' + +--- + + + +ICAM Engineering Guides are for system administrators configuring agency infrastructure, servers, and enterprise applications for authentication and other ICAM processes. The guides are focused on U.S. federal government implementations. + +The majority of engineering guides are focused on helping agencies configure PIV credential authentication in the most common operating systems and applications. A new series of FIDO multi-factor authentication playbooks are also include. + +# Configuration Guides + +1. Smart Card Configuration + 1. [Windows Domains]({{site.baseurl}}/implement/scl-windows) + 2. [MacOS]({{site.baseurl}}/implement/scl-macos) + 3. [Microsoft Outlook (on-premise)]({{site.baseurl}}/implement/outlook) + 4. [Firefox Browser]({{site.baseurl}}/implement/firefox) + 5. [SSH Command Line]({{site.baseurl}}/implement/ssh) + 6. Certificate-based Authentication on Azure AD (Coming soon!) + 7. Certificate-based Authentication on Okta (Coming soon!) +2. FIDO2 Configuration + 1. [Windows Hello for Business]({{site.baseurl}}/implement/whfb) + 2. Security keys (Coming soon!) + +# ICAM Troubleshooting Tools + +ICAM can leverage a number of open source protocols for interoperability and data transfer. The Federal PKI is also a large, distributed ecosystem of over 180 certification authorities. Each certification authority operate independently which presents a challenge in trying to troubleshoot why a PIV card can't validate. This is a list of tools to help troubleshoot ICAM issues. + +1. Federal PKI Validation + 1. 
[FPKI Ecosytem Changes]({{site.baseurl}}/fpki/notifications) - This page contains three distinct pages of information as well as an associated certificate bundle. + 1. [FPKI Graph]({{site.baseurl}}/fpki/notifications/#fpki-graph) - The FPKI Graph displays the relationships between the certification authorities in the Federal PKI (FPKI) ecosystem. + 2. [PIV Issuer Information]({{site.baseurl}}/fpki/notifications/#piv-issuer-information) - List of active PIV issuing CAs with end entity certificate distribution points. + 3. [FPKI System Change and Notification]({{site.baseurl}}/fpki/notifications/#notifications) - List of changes to FPKI CA endpoint URL such as Certificate Revocation List Distribution Points, Online Certificate Status Protocol (OCSP) endpoints and other CA certificate activity. + 4. [FPKI Certificate Bundle]({{site.baseurl}}/implement/tools/CACertificatesValidatingToFederalCommonPolicyG2.p7b){:target="_blank"}{:rel="noopener noreferrer"} - A certificate bundle in .p7b format that contains all CA certificfates that chain to the Common Policy CA and can be viewed in the FPKI Graph. + 2. [Personal Identify Verification (PIV) Cert Validator Tool](https://pv.test.max.gov/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} - The PIV Certificate Validator is a website application hosted by Max.gov that verifies the certificates found on a PIV card. This tool is helpful in troubleshooting browser authentication issues. + 3. [FPKI Trust Infrastructure “HTTP.FPKI.Gov” URL Site Map (PDF, September 2022)]({{site.baseurl}}/docs/fpki-fpkima-sitemap.pdf){:target="_blank"}{:rel="noopener noreferrer"} - A consolidated list of public repository information for FPKI resources. +2. Federal PKI Deep Analysis + 1. 
[FPKI Certificate Profile Conformance Tool (CPCT)](https://github.com/GSA/cpct-tool/releases/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} - CPCT is an self-hosted application that analyzes a FPKI certificate for conformance. Use this tool to identify if a FPKI certificate is compliant. + 2. [PIV and PIV-I Card Conformance Tool (CCT)](https://github.com/GSA/piv-conformance/releases){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} - A GSA developed, java tool similar in function to the CPCT, but for PIV and PIV-I smart card testing. This is useful in identifying issues with a smart card. + 3. [NIST 85B (800-73-4) Test Tool](https://csrc.nist.gov/projects/nist-personal-identity-verification-program/software-downloads){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} - Used to pull deep PIV contents when integrating PIV with various infrastructure components. +3. PKI Tools + 1. [PKI Interoperability Test Tool (PITT) for Microsoft Windows](http://pkif.sourceforge.net/pitt.html){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} - PITT is a utility that allows inspection and troubleshooting of certification path processing for a given PKI using both PKIF and Microsoft CAPI. It’s especially useful for identifying path discovery and validation issues as well as a PKI performance problems. + 2. [crt.sh](https://crt.sh/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} - Certificate Transparency auditor used to find and audit TLS certificate issuances and issues. This is helpful in identifying all publicly issued certificates to a website. +4. FIDO2 Tools + 1. Coming soon! +5. Federation Tools + 1. Coming soon! + +# Find Additional Guides + +You can find additional guides across agency websites by using a few simple methods: + +1. 
Search on the Internet: include the _server_ or _application_ or _topic_ and add "+PIV +CAC" +2. Search on the Internet: include the _server_ or _application_ or _topic_ and add "+x509" +3. Search on Max.gov: [Max.gov](https://max.gov){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} requires you to log in. Try searching for the topic or guide. + +If you don't find what you're looking for, open an [Issue]({{site.repourl}}/issues/new){:target="_blank"}{:rel="noopener noreferrer"}. We can help look through the archives of guides that haven't been posted yet or help you send a request to the government listserves. + +Your contributions are encouraged and welcome! You can [contribute]({{site.baseurl}}/contribute/){:target="_blank"}{:rel="noopener noreferrer"} to this effort or open an [Issue]({{site.repourl}}/issues/new){:target="_blank"}{:rel="noopener noreferrer"} to discuss a need you may have for a guide. + +{% include alert-info.html heading="Are you trying to solve a problem?" content="Your colleagues have likely encountered or solved the same problem. Engineering guides exist across government. This site's purpose is to organize tips from agency engineers, help link to .gov or .mil information available, and provide a common site for collaboration." %} + diff --git a/_implement/outlook.md b/_implement/outlook.md new file mode 100644 index 000000000..2edf89a97 --- /dev/null +++ b/_implement/outlook.md 
@@ -0,0 +1,117 @@ +--- +layout: page +collection: implement +title: Sign and Encrypt Emails in Microsoft Outlook +permalink: /implement/outlook/ +sticky_sidenav: true +sidenav: implement + +subnav: + - text: Configure Outlook to Send Secure Email + href: '#configure-outlook-to-send-secure-email' + - text: Send a Signed Email + href: '#send-a-signed-email' + - text: Send an Encrypted Email + href: '#send-an-encrypted-email' + - text: Decrypt an Email + href: '#decrypt-an-email' + - text: Other Helpful References + href: '#other-helpful-references' + +--- + +Personal Identity Verification (PIV) cards contain digital certificates that can help users send secure email. In general, "secure email" refers to digitally signed and/or encrypted emails. Digitally signed emails give us confidence that the individual who claimed to send a message actually did (non-repudiation) and that the message was not modified while in transit (integrity). Encrypted emails prevent the message from being read by unintended recipients (confidentiality). + +The following guide walks you through configuring Outlook to leverage the digital signature and key management certificates found on your PIV to enable secure email. By default, Outlook will only allow sign and encrypt emails when the configured email address on the client is same email address as encoded on the PIV card. + +## Configure Outlook to Send Secure Email + +The following steps pertain to Microsoft Outlook 2016. + +1. Insert your PIV card in your computer's smart card reader. +2. Browse to **File** > **Options** > **Trust Center** > **Trust Center Settings...** and select **Email Security**. +3. Click **Settings...** beneath the *Encrypted Email* heading. +4. Click **New** to create a new security preference. +5. Assign a *Security Settings Name* (for example, "Secure Email - PIV"). +6. Click **Choose** next to *Signing Certificate*. + - Select your PIV card's digital signature certificate and click **OK**. 
+ - Select **SHA256** as the *Hash Algorithm*. +7. Click **Choose** next to *Encryption Certificate*. + - Select your PIV card's digital signature certificate and click **OK**. + - Select **AES (256-bit)** as the *Encryption Algorithm*. +8. Enable the **Send these certificates with signed messages** selection box. +9. Click **OK** three times. + +**Note:** The following screenshot shows an example of a completed security preference configuration. + +A completed security preference configuration. + +### Publish Your Certificates to the Global Address List + +The Global Address List (GAL) is a shared, enterprise-wide contact directory in Microsoft Outlook. Publishing your certificates to the GAL will add your encryption certificate to an enterprise address book, making it easier for other agency users to send you an encrypted email. + +1. Insert your PIV card in your computer's smart card reader. +2. Browse to **File** > **Options** > **Trust Center** > **Trust Center Settings** and select **Email Security**. +3. Click **Publish to GAL...** beneath the *Digital IDs (Certificates)* heading. +4. Click **OK** when warned about Outlook publishing your default security certificates to the Global Address List. +5. Enter your PIV card PIN when prompted. +6. Click **OK** twice. + +**Note:** The following screenshot shows the location of the **Publish to GAL...** button. + +The Publish to GAL button is located in the Trust Center. + +## Send a Signed Email +1. Compose an email. +2. Click the **Options** tab. +3. Enable the **Sign** icon (appears as a red ribbon icon). +4. Click **Send**. +5. Enter your PIV card PIN when prompted. + +**Note:** The following screenshot shows a signed email. + +A signed email. + +## Send an Encrypted Email +1. Compose an email. +2. Click the **Options** tab. +3. Enable the **Encrypt** icon (appears as a yellow lock icon). +4. Click **Send**. + +**Note:** It is common practice to sign a message when encrypting it below. 
+ +A signed and encrypted email. + +### Manually Import a User's Encryption Certificate + +When sending an encrypted email, the message is encrypted using the public key in the intended recipient's certificate. If Outlook cannot find the intended recipient's public key through the [Global Address List](#publish-your-certificates-to-the-global-address-list), you may need to load it manually. + +1. Obtain a copy of the intended recipient's [Key Management]({{site.baseurl}}/arch/pivdetails/) certificate (you may need to ask the intended recipient to export and share their certificate with you) +2. Click the **Home** tab. +3. Click the **Address Book**. +4. Select **File** > **New Entry**. +5. Select **New Contact** and then click **OK**. +6. Populate the recipient's contact information, minimally including name and email address. +7. Click the **Certificates** icon. +8. Click **Import** and browse to the intended recipient's encryption certificate. +9. Click **Save & Close** and then follow the steps to [send an encrypted email](#send-an-encrypted-email). + + **Note:** The following screenshot shows a certificate loaded into a contact entry. + +A completed contact entry. + +## Decrypt an Email + +PIV users may receive and store encrypted emails througout their tenure in an organization. These emails may have been encrypted with various public key management keys are now retired or replaced. Many PIV card issuers provide historical key management keys when they issue a PIV card, but others may not. Outlook, via the Cryptographic Application Programming Interface (CAPI), can decrypt these emails if the associated private keys are available. The following steps outline how to decrypt an email when the private decryption keys are available via CAPI: + +1. Select an encrypted email +2. Enter your PIV card PIN or private key password when prompted + +**Note:** Your organization may not recover previously issued encryption keys onto your PIV. 
Instead, it may maintain a separate key recovery service. Please reach out to your local IT department to determine if you can recover retired key management keys. + +## Other Helpful References + +- Enabling S/MIME on [Mac Mail](https://support.apple.com/guide/mail/sign-or-encrypt-emails-mlhlp1180/mac){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +- Enabling S/MIME on [Thurderbird email client](https://docs.nitrokey.com/pro/smime-thunderbird.html){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +- S/MIME with [Gmail](https://support.google.com/a/topic/9061730?hl=en&ref_topic=2683828){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +- S/MIME with [O365](https://support.microsoft.com/en-us/office/encrypt-messages-by-using-s-mime-in-outlook-web-app-2e57e4bd-4cc2-4531-9a39-426e7c873e26){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} diff --git a/_implement/scl-firefox.md b/_implement/scl-firefox.md new file mode 100644 index 000000000..a9f8a86ec --- /dev/null +++ b/_implement/scl-firefox.md 
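Review bot: Step 7 under "Configure Outlook to Send Secure Email" tells the reader to select the PIV card's digital signature certificate as the *Encryption Certificate*, which repeats the wording of step 6; the later "Manually Import a User's Encryption Certificate" section refers to the Key Management certificate for this purpose, so step 7 looks like a copy-paste error. Outlook publishes and encrypts to whichever certificate is chosen here, and the PIV digital signature certificate is not the key management (encryption) certificate, so a user following the text as written would likely be unable to receive or decrypt encrypted mail. Suggest changing the step 7 sub-bullet to `- Select your PIV card's key management certificate and click **OK**.` and linking it to the same PIV details page the later section already cites.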
@@ -0,0 +1,72 @@
+---
+layout: page
+collection: implement
+title: Smart Card Logon for Firefox Browser
+permalink: /implement/scl-firefox/
+sticky_sidenav: true
+sidenav: implement
+
+subnav:
+ - text: Install and Test OpenSC
+ href: '#install-and-test-opensc'
+ - text: Configure Firefox
+ href: '#configure-firefox'
+ - text: Load New Security Device
+ href: '#load-new-security-device'
+ - text: Import PIV Issuer Certificate
+ href: '#import-piv-issuer-certificate'
+ - text: Test Authentication
+ href: '#test-authentication'
+---
+
+You may need to configure Firefox to enable your agency users to log into web applications using their PIV credentials. This can be tricky because Firefox supports a protocol (PKCS #11) that is not always natively supported by operating systems (OS) or OS default drivers.
+
+This guide will help you configure Firefox by using an open source software package. In addition to open source solutions, commercial software may be used.
+
+{% include alert-info.html heading="PKCS #11" content="Are you interested in learning more? Search online for PKCS #11 to find other available resources." %}
+
+## Install and Test OpenSC
+OpenSC will enable a user's PIV credential to work with Firefox and some signing and encryption applications.
+
+First, you will need to install and test **OpenSC**. OpenSC has installers for multiple operating systems, including Windows, macOS, and Linux flavors. The installers can be downloaded directly from GitHub and the OpenSC wiki:
+
+* [View instructions and installation procedures for OpenSC](https://github.com/OpenSC/OpenSC/wiki/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+
+When installing OpenSC, you need to consider some items that are specific for the federal government:
+
+{% include alert-warning.html heading = "Use OpenSC Version Greater Than 0.20.0 to avoid Authentication Errors" content="If a version of OpenSC less than 0.20.0 is used, users will encounter errors when performing mTLS with servers that offer TLS 1.3. This can include browser errors like ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED." %}
+
+* You will need to download and install either the 64-bit or 32-bit version of OpenSC, depending on the OS.
+* You do not need to install the full packages for OpenSC.
+* You can limit the packages for distribution to enterprise workstations to just support PKCS #11.
+* You can push the packages to the enterprise workstations using your enterprise configuration management tools.
+
+## Configure Firefox
+
+### Load New Security Device
+
+Launch **_Firefox_** and load a new _Security Device_ (i.e., the Security Device is your PIV credential) using the OpenSC PKCS #11 driver:
+* From the _Firefox_ taskbar, click the _Options_ icon ("gear" shape).
+* Click the _Privacy & Security_ menu from the left-hand navigation.
+* Scroll down until you see the _Certificates_ heading, and then click _Security Devices_.
+* At the _Device Manager_ window, click the _Load_ button and enter this module name: _OpenSC PKCS#11 Module_.
+* Select the directory where the OpenSC PKCS #11 driver is located. The default locations are:
+
+| **OS** | **Default Driver Location** | **Driver File Name** |
+| ----- | -------| -------|
+| **Windows** | C:\Windows\System32 | pkcs11.dll |
+| **macOS** | /Library/OpenSC/lib/ | pkcs11.so |
+| **Red Hat** | /usr/lib/ | pkcs11.so |
+| **Ubuntu** | /usr/lib/x86_64-linux-gnu/ | opensc-pkcs11.so |
+
+* Click _Open_ and verify that the module has been loaded. Then click _OK_ to return to the _Privacy & Security_ options.
+
+### Import PIV Issuer Certificate
+* Click the _View Certificates_ button. If prompted, enter your PIV credential PIN.
+* Click the _Authorities_ tab from the top navigation.
+* Click the _Import_ button to import a copy of your PIV credential issuer's certification authority (CA) certificate. When prompted, trust the certificate for identifying websites _and_ email users.
+* Click _OK_ and restart _Firefox_.
+
+### Test Authentication
+* Browse to a web application that requires authentication with a PIV credential. A common web application to use as a test is [MAX.gov](https://max.gov/maxportal/home.action){:target="_blank"}{:rel="noopener noreferrer"}. (**Note:** You'll need to have an existing MAX.gov account for this to work.)
+* Firefox will prompt you to enter your PIV credential PIN and select a certificate for authentication.
diff --git a/_implement/scl-macos.md b/_implement/scl-macos.md
new file mode 100644
index 000000000..f55844c8d
--- /dev/null
+++ b/_implement/scl-macos.md
@@ -0,0 +1,94 @@ +--- +layout: page +collection: implement +title: Configure Smart Card Logon for MacOS +permalink: /implement/scl-macos/ +sticky_sidenav: true +sidenav: implement + +subnav: + - text: Choose an Authentication Option + href: '#choose-an-authentication-option' + - text: Local Account Pairing + href: '#local-account-pairing' + - text: Windows Domain Account Pairing + href: '#windows-domain-account-pairing' + - text: Helpful References + href: '#helpful-references' + +--- + +As federal IT networks and systems expand, especially in light of recent Bring-Your-Own-Device (BYOD) models gaining popularity, it has become necessary to extend mandatory security controls to previously unsupported devices. This guide provides implementation resources to enable smart card authentication on Mac operating system (macOS) workstations and laptops for macOS-local and windows-domain accounts. + +{% include alert-warning.html heading="macOS Version Support" content="Smart card logon is natively supported on macOS Sierra 10.12 or later and Windows Server Directory logon since High Sierra 10.13. All instructions contained within this guide assume the implementer is leveraging High Sierra or a more recent macOS." %} + +{% include alert-success.html heading="Compliance Support" content="Enablement of mandatory smart card login for all Mac workstations and laptops within your environment will help align to the NIST SP 800-53 Identification and Authentication family of controls to support FISMA compliance." %} + +## Choose an Authentication Option +Agencies have two options to enforce smart card authentication in macOS. +1. Local Account Pairing - For a non-domain joined macOS account, an agency may enable local account pairing. This method pairs a smart card to the local macOS user account and requires its use for desktop authentication. No domain or Kerberos architecture is needed. +2. 
Windows Domain User Account - For a windows domain-joined device, an agency can map smart card attributes to an Active Directory account. This method involves creating a plist configuration file and disabling local pairing on the macOS device. + +Agencies may additionally choose a machine or user-based enforcement which disables all password-based authentication. +1. Machine-Based Enforcement (MBE): This implementation removes the option for password-based authentication in favor of smart card-only authentication for any account accessible by the macOS device (local or network). +2. User-Based Enforcement (UBE): This implementation creates an exception to smart card-only authentication for specific users or groups of users (e.g., network admins, device admins, and individuals waived from smart card requirements). + +This [Apple Platform Deployment guide](https://support.apple.com/guide/deployment/configure-macos-smart-cardonly-authentication-depfce8de48b/1/web/1.0){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} provides some additional detail on MBE vs. UBE. Additional details on [Windows authentication enforcement models]({{site.baseurl}}/implement/group-policies/){:target="_blank"}{:rel="noopener noreferrer"} can be found here. + +## Local Account Pairing +Local Account Pairing is a user-prompted process. +1. Insert the PIV card into a card reader connected to the macOS device. +2. A series of prompts direct the user to pair the PIV card to the local account. The user will need administrative access to complete the process. +3. Provide the PIV PIN and then log out. +4. Insert the PIV and provide the PIN to log back in. + +See [this Apple Platform Deployment guide](https://support.apple.com/guide/deployment/use-a-smart-card-depc705651a9/web){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} for more information on local account pairing. 
+ +## Windows Domain Account Pairing +Most departments and agencies already maintain processes to map PIV attributes to Active Directory domain accounts. This playbook also provides guidance on the different models that can be used to [link domain accounts to PIV certificate attributes]({{site.baseurl}}/implement/account-linking/){:target="_blank"}. + +Ensure the following prerequisites are complete or ready: +1. The person completing this process has administrative privileges on the macOS device. +2. The macOS device is joined to the Windows domain. +3. Federal PKI and domain controller certificates are distributed and installed on the macOS device key store. + +{% include alert-warning.html heading="Domain Controller Certificate Trust" content="Many organizations run internal device PKIs that issue their domain controller certificates. Ensure all certificates needed to conduct a smart card domain authentication are distributed to the macOS devices." %} + +### Step 1. Disable Local Account Pairing +The local pairing interface must be disabled. To disable the local pairing dialog: +1. Open the Terminal app. +2. Type the following: +``` +sudo defaults write /Library/Preferences/com.apple.security.smartcard UserPairing -bool NO +``` +3. When prompted, enter the administrator password. + +### Step 2. Write the Property List +A property list, or plist, maps smart card attributes to a Windows domain account. The most common configuration is to map the NT Principal Name in the PIV Authentication certificate Subject Alternative Name to the userPrincipalName attribute in Active Directory. The following image provides the contents of a configuration file that extracts the NT Principal Name from a PIV to match against a directory AltSecID in support of an authentication event. + +PList configuration for extracting a domain account identifier from a PIV. 
+ +Agencies may want to apply [additional smart card configuration](https://developer.apple.com/documentation/devicemanagement/smartcard){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} settings. Additional options may include: +- allowSmartCard - Must be set to TRUE to allow the device to leverage smart cards for multiple functions (authentication, digital signing). +- enforceSmartCard - Can be set to TRUE to ensure that smart card authentication is made mandatory at initial logon, authorization, and unlocking from screensaver mode. +- tokenRemovalAction - If set to "1," enables the screensaver when a smart card is physically removed from the device. +- UserPairing - Can be set to FALSE to prevent the pairing dialogue from appearing on smart card insertion. +- oneCardPerUser - Can be set to FALSE for users who may have multiple acceptable smart cards (e.g., PIV and alternative tokens). +- checkCertificateTrust - Can be an integer between 0 and 3: + - 0 - turns off certificate trust checking + - 1 - turns on trust checking, but does not conduct revocation checking + - 2 - turns on trust checking, and a 'soft' revocation check is conducted where 'valid' and 'unknown' are treated the same + - 3 - turns on trust checking, and a 'hard' revocation check is conducted where the response must contain a 'valid' status to allow the authentication to proceed + +### Step 3. Choose a Deployment Method +An agency may deploy a plist through various remote mechanisms. +1. Employ third-party Mobile Device Management (MDM) tools +2. Leveraging an [Apple specific configuration tool](https://apps.apple.com/us/app/apple-configurator-2/id1037126344?mt=12){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} via the App Store +3. 
Direct configuration profile delivery via an email, webpage, or [over-the-air profile delivery](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/iPhoneOTAConfiguration/Introduction/Introduction.html#//apple_ref/doc/uid/TP40009505){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} + +If a remote deployment it not availabler, the administrator may also perform the configuration locally following Step 1 and 2. + +## Helpful References +1. [Apple Deployment Guide - Use a smart card in macOS](https://support.apple.com/guide/deployment/use-a-smart-card-depc705651a9/web){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +2. [Apple Deployment Guide - Configure macOS for smart card-only authentication](https://support.apple.com/guide/deployment/configure-macos-smart-cardonly-authentication-depfce8de48b/1/web/1.0){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} +3. [Apple Deployment Guide - Advanced smart card options in macOS](https://support.apple.com/guide/deployment/advanced-smart-card-options-dep7b2ede1e3/1/web/1.0){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} diff --git a/_implement/scl-ssh.md b/_implement/scl-ssh.md new file mode 100644 index 000000000..f3cc58b4d --- /dev/null +++ b/_implement/scl-ssh.md 
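Review bot: The checkCertificateTrust list under "Step 2. Write the Property List" enumerates values 0 through 3 but never says which value an agency deployment should set, even though the page's own descriptions show that 0 disables trust checking entirely and 1 skips revocation checking. A reader copying the plist could leave revocation checking off without realizing it. Suggest adding after the list: `Agencies should set checkCertificateTrust to 2 or 3 so that a revoked PIV certificate is rejected; values 0 and 1 do not perform revocation checking.` The same section could also note which of the listed keys the example plist image actually sets, since the image text is not visible in the diff.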
@@ -0,0 +1,221 @@ +--- +layout: page +collection: implement +title: Smart Card Logon for SSH +permalink: /implement/scl-ssh/ +sticky_sidenav: true +sidenav: implement + +subnav: + - text: SSH from Windows - Using PuTTY-CAC + href: '#ssh-using-putty-cac' + - text: SSH from Windows - Using WinSCP and Pageant + href: '#ssh-using-winscp-and-pageant' + - text: SSH from macOS - Built-in and OpenSC + href: '#ssh-from-macos' + - text: Configure a Linux Server + href: '#configure-a-linux-server' + - text: Special Thanks + href: '#special-thanks' +--- + +For network engineers, this guide will help you authenticate with your PIV/CAC credential and use SSH to access a remote Linux server from a Windows or macOS computer. For server administrators, this guide will help you configure a Linux server for remote access. + +This guide uses open-source options: +* **Windows:** PuTTY-CAC (without Pageant) and WinSCP with Pageant +* **macOS:** OpenSC + +Commercial solutions are also available. + +{% include alert-info.html content = "Your PIV/CAC credential contains an authentication certificate key pair (public and private) for smart card logon. Using a PIV/CAC key pair is very similar to using a self-signed key pair for SSH. " %} + +{% include alert-info.html content = "Your Chief Information Security Officer must determine that security controls are in place and approve SSH scenarios. You should also review your agency's policies and use your physical or virtual jump servers to restrict users from using SSH directly from workstations." %} + +## SSH from Windows + +{% include alert-warning.html content = "Network administrator privileges are needed to use SSH for remote access." %} + +### SSH Using PuTTY-CAC + +PuTTY-CAC is an open-source SSH client that uses Microsoft's CryptoAPI (CAPI). (Pageant isn't needed with PuTTY-CAC for this solution.) +1. 
You'll need to download [**PuTTY-CAC**](https://www.github.com/NoMoreFood/putty-cac/releases){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} to _C:\ssh\putty.exe_ or a similar folder. Select either _32-bit_ or _64-bit_, based on your Windows OS. (Pageant and MSI Installers aren't needed.) +2. Double-click on _putty.exe_ and insert your PIV/CAC card into your card reader. +3. At the **PuTTY Configuration** window, go to _Category:_ > _Connection_ > _SSH_ > _Certificate_. Click the _Set CAPI Cert..._ button and _OK_. +

+PuTTY configuration window. +

+4. From the **Windows Security** list, select your PIV/CAC authentication certificate by clicking _OK_. If you don't see your certificate, click _More choices_. (For help with certificates, see [Understanding PIV Certificates]({{site.baseurl}}/arch/pivdetails/). +

+A PuTTY select certificate for authentication screenshot. +
+5. Back at the **PuTTY Configuration** window, click the _Copy to Clipboard_ button and paste the SSH key into a text file. (**Note:** PuTTY-CAC derives the SSH key from the public key of your authentication certificate.) The SSH key will look like this: + + ``` + ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPn2dShOF... + CAPI:05bf4653b3098a87b67816d81049f489d5b5ffb4 + ``` +6. Send the text file to the server administrator and request an account. (Notice that the _Attempt Certificate Authentication_ box is now checked.)
+7. While waiting for an account, you can create SSH session profiles for target remote servers:
+ - Click _Session_ and enter a remote server's _hostname_ or _IP address_.
+ - For _Connection type_, click _SSH_. (Notice that under _Port_, _22_ appears.)
+ - Enter a session name in _Saved Sessions_ and click _Save_.
+8. Once you have an account, open PuTTY-CAC and insert your PIV/CAC card into your card reader. +9. Click a _Saved Session_ and _Load_. +10. Click _Open_ to connect to the remote server. (A dialog box displays the server's key thumbprint.) +11. Verify the server key and accept it by clicking _Yes_. +12. Enter your account username. (A dialog box displays your PIV/CAC authentication certificate.) +13. Click _Yes_ to permit the _signing operation_ and enter your PIV/CAC PIN. (You'll then be logged into the remote server.) + +{% include alert-warning.html content = "The card reader may flash. Do not remove your card until you're logged in." %} + +### SSH Using WinSCP and Pageant + +WinSCP is an open-source, secure copy protocol (SCP) and secure file transfer protocol (SFTP) client. Pageant is an SSH authentication agent that uses Microsoft's CAPI. + +1. Download **Pageant** to _C:\ssh\pageant.exe_ or a similar folder. Select [_32-bit_](https://github.com/NoMoreFood/putty-cac/blob/master/binaries/x86/pageant.exe){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} or [_64-bit_](https://github.com/NoMoreFood/putty-cac/blob/master/binaries/x64/pageant.exe){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, based on your Windows OS. +2. Download the [**WinSCP installer**](https://winscp.net/eng/download.php){:target="_blank"}{:rel="noopener noreferrer"} to _C:\ssh\WinSCP-Setup.exe_ or a similar folder. +3. Double-click _WinSCP-Setup.exe_ to launch the _WinSCP installer_ and use the recommended installation settings. +4. Double-click _pageant.exe_ to launch **Pageant**. +5. Next, at the **Windows** taskbar, click the _up-arrow_ and right-click the **Pageant** icon (_computer wearing a Fedora_). +
+A screenshot showing how to access pageant. +
+6. A **Pageant** dialog box appears. Click _Cert Auth Prompting_. +
+Enable Cert Auth Prompting. +
+7. Click _Add CAPI Cert_ to view eligible authentication certificates. +
+A screenshot showing Add CAPI Cert selected. +
+8. From the **Windows Security** screen, select your PIV/CAC authentication certificate, and click _OK_. If you don't see your certificate, click _More choices_. (For help with certificates, see [Understanding PIV Certificates]({{site.baseurl}}/arch/pivdetails/){:target="_blank"}{:rel="noopener noreferrer"}.) +
+A screenshot showing a PuTTY select certificate for authentication window with the OK button selected. +
+9. Double-click the **Pageant** icon to confirm that your certificate appears on the _Pageant Key List_. +10. The _Pageant Key List_ shows the certificate's SSH key attributes, such as type, size, thumbprint, etc. Click your certificate and the _Copy to Clipboard_ button. (**Note:** Pageant derives the SSH key from the public key of your authentication certificate.) Close the _Pageant Key List_. +
+A screenshot showing a pageant key list. +
+11. Paste the SSH key into a text file. It will look like this: + ``` + ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCOpGPxNh... CAPI:268f09f34ca7544bd44e1e310d2144... + OID.0.9.2342.19200300.100.1.1=47999999999999 + CN=SAM JACKSON, OU=General Services Administration, + O=U.S. Government, C=US + ``` +12. Send the text file to the server administrator and request a new account. +13. Once you have an account, go to the **WinSCP Login** window. Click _New Site_ and then the _Advanced_ button. +

+A screenshot showing the WinSCP Login window with the Advanced button selected. +

+15. At the **Advanced Site Settings** window, select _SSH_ > _Authentication_. Click the checkbox for _Attempt Authentication using Pageant_ and then click _OK_. (WinSCP selects additional checkboxes by default.) +

+A screenshot showing the Advanced Site Settings window with SSH, Authentication, and Attempt authentication using Paegent options selected. +

+16. Insert your PIV/CAC card into your card reader. +17. Enter the remote server's host name and your username. Click _Login_. +18. The **Warning** dialog box displays the server’s key thumbprint. Verify it and click _Yes_ to accept. +19. At the **Certificate Usage Confirmation - Pageant** dialog box, click _Yes_ to confirm your authentication certificate. +

+A screenshot showing the Certificate Usage Confirmation - Pageant window with the Yes button selected. +

+20. When prompted, enter your PIV/CAC PIN. You'll then be logged into the server. + +{% include alert-warning.html content = "The card reader may flash. Do not remove your card until you're logged in." %} + +## SSH from macOS + +{% include alert-warning.html content = "Network administrator privileges are needed to use SSH for remote access." %} + +There are two options for configuring SSH clients to use a PIV/CAC device as the SSH key store: + +### Built-in PIV/CAC support + +**Only applicable for macOS High Sierra and later.** + +1. Insert your PIV/CAC into your card reader. +2. Use ` ssh-keygen -D /usr/lib/ssh-keychain.dylib` to get the OpenSSH-format public key fingerprint which can be added to your `authorized_keys` file, account profiles, etc. +3. Add `PKCS11Provider=/usr/lib/ssh-keychain.dylib` to your `~/.ssh/ssh_config` file to tell `ssh` to scan the PIV profiles for keys when determining which keys to attempt on remote hosts. + +See https://support.apple.com/en-us/HT208372 for additional information + +### OpenSC + +You can use OpenSC on your macOS computer to authenticate to a remote server with your PIV/CAC card. + +{% include alert-warning.html heading = "Use OpenSC Version Greater Than 0.20.0 to avoid Authentication Errors" content="If a version of OpenSC less than 0.20.0 is used, users will encounter errors when performing mTLS with servers that offer TLS 1.3. This can include browser errors like ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED." %} + +1. Install [OpenSC](https://github.com/OpenSC/OpenSC/wiki#download){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. +2. Insert your PIV/CAC into your card reader. +3. To view the certificates on your Mac, enter: + ``` + pkcs15-tool --list-public-keys + ``` +4. Make note of the _PIV AUTH pubkey_  **ID** number. 
+ ``` + Using reader with a card: SCR35xx Smart Card Reader + Public RSA Key [PIV AUTH pubkey] + Object Flags : [0x0] + Usage : [0xD1], encrypt, wrap, verify, verifyRecover + Access Flags : [0x2], extract + ModLength : 2048 + Key ref : 154 (0x9A) + Native : yes + ID : 01 (EXAMPLE ONLY) + DirectValue : + ``` +5. Use your _PIV AUTH pubkey_  **ID** number to view your SSH key. Enter: + ``` + pkcs15-tool --read-ssh-key 01 + ``` +6. When prompted, enter your PIV/CAC PIN. The SSH key will look like this: + ``` + ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPn2dShOFLBnMraiP2MnLU .... + ``` +7. Copy the SSH key and paste it into a text file. +8. Send the text file to the server administrator and request a new account. +9. Once you have an account, you can log into the remote server. Enter: + ``` + ssh -I /usr/lib64/opensc-pkcs11.so @ + ``` +10. Optionally, you can update the setting in the _/etc/ssh_config_ file to: + ``` + PKCS11Provider /usr/lib64/opensc-pkcs11.so + ``` +11. Enter your PIV/CAC PIN when prompted. Once it's validated, you'll be logged into the remote server. + +{% include alert-warning.html content = "The card reader may flash. Do not remove your card until you're logged in." %} + +## Configure a Linux Server + +{% include alert-warning.html content = "Server administrators must have root privileges for these steps." %} + +{% include alert-info.html content = "The following SSH configurations are examples only. Other options are available, including Pluggable Authentication Modules (PAM) that look up user accounts and authorizations through directories. You can automate account setups by using centralized configuration management tools that can push or remove authorized_keys." %} + +By default, SSH keys are read from the _.ssh/authorized_keys_ file in your home directory. + +1. You'll need to create a _/home/<username>/.ssh_ directory and change it to the requester's ownership. 
Then, create an _authorized_keys_ file in the _.ssh_ directory and copy the requester's SSH key to the _/home/<user>/.ssh/authorized_keys_ file starting with _ssh-rsa<public key><key_name>_:
+ ```
+ mkdir /home//.ssh
+ chown .ssh
+ chgrp .ssh
+ chmod 700 .ssh
+ cat > authorized_keys
+ ssh-rsa AAAAB3NzaC1yc2EAAAADAQA... CAPI:05bf4653b3098a87b67816d81049f489d5b5ffb4
+ ```
+2. Set the permissions for ..._authorized_keys_ to _600_ and change the _authorized_keys_ ownership to the user:
+ ```
+ chmod 600 authorized_keys
+ chown authorized_keys
+ chgrp authorized_keys
+ ```
+3. You can change the location for the _authorized_keys_ file in the _/etc/ssh/sshd_config_ file and restart the _sshd_ service. You can also enforce authentication with a PIV/CAC card by disabling password use:
+ ```
+ AuthorizedKeysFile /etc/ssh/authorized_keys/%u
+ PasswordAuthentication no
+ ```
+**Note:**  If you change the default settings, you'll need to create a corresponding directory for _authorized_keys_ under _/etc/ssh_ and place the _authorized_keys_ there vs. in the user's home folder.
+
+## Special Thanks
+
+Special thanks to the Department of Homeland Security, Office of the Chief Information Officer, Identity Services Branch, Information Sharing and Services Office (IS2O), for sharing its WinSCP and Pageant procedures.
diff --git a/_implement/scl-windows.md b/_implement/scl-windows.md
new file mode 100644
index 000000000..a3b05004f
--- /dev/null
+++ b/_implement/scl-windows.md
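Review bot: The sshd_config snippet in step 3 of "Configure a Linux Server" disables only `PasswordAuthentication`, which on PAM-enabled distributions still leaves password logins reachable through keyboard-interactive authentication, so the guide's claim that this "enforces authentication with a PIV/CAC card" does not hold; the snippet should also carry `KbdInteractiveAuthentication no` (spelled `ChallengeResponseAuthentication no` on OpenSSH before 8.7) and, to be explicit, `PubkeyAuthentication yes`. The same step is worth a sentence noting that the `CAPI:…` thumbprint and subject-DN text after the key in `authorized_keys` is only a comment that sshd never verifies, so binding a key to a user is a manual check the administrator performs at onboarding, and that per-key options such as `restrict,from="…"` can be prepended to limit what the card's key may do. In the macOS sections, `~/.ssh/ssh_config` and `/etc/ssh_config` appear to be the wrong file names (the per-user client file is `~/.ssh/config`, the system one `/etc/ssh/ssh_config`), and `/usr/lib64/opensc-pkcs11.so` looks like a Linux path rather than where the OpenSC installer places the module on macOS — worth confirming against a current install. The placeholders in the `mkdir`/`chown`/`chgrp` commands appear to have been lost (`mkdir /home//.ssh`, `chown .ssh`), presumably an angle-bracket `<username>` stripped by the renderer; if the file really reads this way, readers will copy commands that fail or act on the wrong path.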
@@ -0,0 +1,967 @@ +--- +layout: page +collection: implement +title: Configure Smart Card Logon on Windows Domains +permalink: /implement/scl-windows/ +sticky_sidenav: true +sidenav: implement + +subnav: + - text: Introduction + href: '#introduction' + - text: Step 1 - Network Ports and Protocols + href: '#step-1---network-ports-and-protocols' + - text: Step 2 - Domain Controllers + href: '#step-2---domain-controllers' + - text: Step 3 - Trust Stores + href: '#step-3---trust-stores' + - text: Step 4 - Associate PIV Credential in Active Directory + href: '#step-4---account-linking' + - text: Step 5 - Group Policies and Enforcement + href: '#step-5---group-policies-and-enforcement' + - text: Step 6 - Network Tuning + href: '#step-6---network-tuning' + - text: Step 7 - Local Certification Authority + href: '#step-7---local-certification-authority' + - text: Step 8 - Authentication Assurance + href: '#step-8---authentication-assurance' + - text: Troubleshooting PIV Logon + href: '#troubleshooting-piv-logon' + +--- + + + + + +# Introduction + +These Windows Domain configuration guides will help you configure your Windows _network domain_ for smart card logon using PIV credentials. + +There are many useful pages and technical articles available online that include details on configurations and using generic smart cards. The information presented here addresses common questions and configurations **specific** to the U.S. federal government, **PIV** smart cards, and U.S. federal civilian agency certification authorities. + +{% include alert-info.html heading = "Teamwork" content="Work with your Network Engineers, Domain Admins, Account Management, and Information Security colleagues to review the information, perform the configurations, and troubleshoot any issues." %} + +## Pre-Launch Checklist + +Check the following items **before** reviewing these network guides and lessons learned: + +1. Users have PIV credentials and PIV card readers. +1. 
You are using Microsoft Active Directory to manage your Windows network. +1. Domain Controllers are Microsoft 2012 or newer. +1. User workstations **are joined** to your network and are Windows 8 or Windows 10-based. + +## Configuration Checklist + +There are five configuration categories to review with your colleagues. All five include steps that must be completed; it's best to review and complete the configuration categories in this order: + +1. [Network Ports and Protocols](#step-1----network-ports-and-protocols) +2. [Domain Controllers](#step-2---domain-controllers/) +3. [Trust Stores](#step-3----trust-stores/) +4. [Account Linking: Associating PIV credentials with User Accounts](#step-4---account-linking/) +5. [Group Policies and Enforcement](#step-5---group-policies/) + +There are five additional guides: + +6. [Network Tuning](#step-6---network-tuning/) +7. [Local Certification Authority](#step-7---local-certificate-authority) +8. [Authentication Assurance](#step-8---authentication-assurance) + +We want to add additional information for installing Online Certificate Status Protocol (OCSP) services, addressing common errors and troubleshooting, and configuring MacOSX and other operating systems. + +Submit an [Issue]({{site.repourl}}/issues/new){:target="_blank"}{:rel="noopener noreferrer"} to identify information that would be helpful to you, or consider contributing a page to these guides with your lessons learned. + + + + +# Step 1 - Network Ports and Protocols + +Your workstations, servers, network domain controllers, and applications need to validate the [revocation status]({{site.baseurl}}/university/pki/#revocation-checking) of the PIV certificates and all intermediate certificate authority (CA) certificates. In addition, the [certificate chain]({{site.baseurl}}/university/pki/#establishing-trust) path building may retrieve and download the intermediate CA certificates. 
+ +The validation occurs in real time (with some caching) and requires ensuring network traffic is open and available to the destination web services, ports, and protocols. Many U.S. federal agencies implement a layered network security model with demilitarized zones (DMZs), proxies, and Trusted Internet Connections (TICs) to monitor, defend, and protect the networks, applications and users. + +## Verifying and Troubleshooting +Non-accessible endpoints for the web services due to firewalls blocking access is a very common root cause for errors. If you encounter user errors including "Cannot validate" and similar domain controller errors, your first troubleshooting step should be to verify your network and access. + +{% include alert-info.html heading = "nslookup and certutil are your friendly tools" content="Restricted or denied access to Internet web services including the OCSP and CRL web services used in the certificate validations lead to common errors and issues. Collaborate with your Network Engineers to review the web services, IP addresses, ports and protocols, and verify access from all local and wide-area network segments." %} + +It is simple to begin troubleshooting if the web services endpoints are accessible or blocked by firewall rules. You have the basic four utility tools for troubleshooting: + +- certutil (Microsoft) +- openssl +- nslookup +- tracert + + +For the typical network domain, _certutil_ will be your best option to identify a number of possible root causes. There are many options available in the _certutil_ utility tool, and two are covered here. 
+ +Export your _public_ key and certificate for PIV Authentication to a .cer file (mypiv_auth.cer), and run the following command in a command line from workstation(s) *and* domain controller(s): + +``` + certutil -verify -urlfetch mypiv_auth.cer >>verify_piv.txt +``` + +The text file output will include a *full* check against all options for CRLs, OCSP, intermediate certificates to verify a trust chain, and the root (COMMON). Review all items and ensure at least one successful verification message is included for _each check_. You may see errors for the LDAP verifications and these can be ignored if a CRL or OCSP check is successful. + +{% include alert-warning.html heading = "Time is important" content="When reviewing the verification messages, you should pay careful attention to the time. For example, if a CRL file is not downloaded in under 15 seconds, it is very likely that you will encounter network authentication errors and will need to perform some tuning." %} + +There is also a graphical user interface to help perform these verification checks. + +``` + certutil -v -url mypiv_auth.cer +``` +The graphical user interface allows you to check OCSP, CRL, and AIA (intermediate certificate retrievals). + + + +## Web Services for Validating PIV Certificates + +[Revocation]({{site.baseurl}}/university/pki/#revocation-checking)) status is validated using using either Online Certificate Status Protocol (OCSP) or Certificate Revocation Lists (CRLs). To meet your initial network requirements, you should ensure the OCSP and CRL URLs included in *your agency* users' [PIV Credential Certificates]({{site.baseurl}}/university/piv/#view-your-piv-credential-certificates) are accessible from all workstations and domain controllers. 
+ +| Type | Certificate Extension | Protocol (Port) | Considerations| +| ----- | -------| -------| ------| +| OCSP | Authority Information Access | HTTP (80) | All PIV certificates have OCSP references and OCSP URLs which are Internet accessible and provided by the issuing CA. Intermediate CAs are **not** required to have OCSP available for the _intermediate_ certificates.| +| CRL | CRL Distribution Point (CDP) | HTTP (80) | All PIV certificates have CRL capabilities provided by the issuing CA. All intermediate CA certificates have CRL capabilities. CRL files have an expiration time that varies between 6 to 18 hours. CRL file sizes range from a few kilobytes to more than 30 megabytes (MB). + +Lightweight Directory Application Protocol (LDAP) for retrieving information is not preferred and has been increasingly deprecated; therefore, LDAP is not included. + +There are dozens of OCSP and CRL URLs for *all* issued PIV credentials. If you have users with PIV credentials from other agencies or partners, identifying all the URLs to verify against your network configurations will be more complex. + +## Web Services for the Federal Public Key Infrastructure + +The Federal Common Policy Certificate Authority G2 (COMMON) is the root certificate authority and has web services to publish both certificate chains (p7b files) and CRLs for all intermediate certificate authorities which the root signs. + +To enable communications with these Federal Common Policy Certificate Authority services, including those currently operational and any expansion, you should verify outbound communications to the base domain of _http.fpki.gov_. For example, a successful connection to [http://repo.fpki.gov/fcpca/fcpcag2.crt](http://repo.fpki.gov/fcpca/fcpcag2.crt){:class="usa-link usa-link--external"} will download a copy of the Federal Common Policy CA certificate. + +You should consider allowing two protocols (ports): HTTP (80) and DNS (53). 
Although the web services for publishing CRLs are not currently served over HTTPS (443), you may want to allow HTTPS (443) to future proof for any expansion. + +# Step 2 - Domain Controllers + +To use smart cards and PIV credentials for network authentication, all domain controllers need to have domain controller authentication certificates. + +{% include alert-info.html heading = "Devices authenticate too!" content="When your users are using certificates to authenticate to the network, the domain controllers are also authenticating as devices using certificates. Each works together to create secure connections. To learn more, search for online resources that discuss Public Key Cryptography for Initial Authentication (PKINIT) protocols." %} + +This page contains information on domain controller certificate profiles and issuing domain controller certificates. + +## Domain Controller Certificate Profiles + +Domain controller certificates must be issued with a set of specific extensions and values. The certificate profile for each domain controller must meet the following requirements: + +- The certificate **Key Usage** extension must contain: + + Digital Signature, Key Encipherment + +- The certificate **Enhanced Key Usage** extension must contain: + + Client Authentication (1.3.6.1.5.5.7.3.2) + Server Authentication (1.3.6.1.5.5.7.3.1) + +- The certificate **Subject Alternative Name** extension must contain the Domain Name System (DNS) qualifier and fully qualified domain controller name. For example: + + DNS Name=controller1.intranet.agency.gov + +- The certificate **Subject Alternative Name** must also contain the domain controller's Global Unique Identifier (GUID) (i.e., for the "domain controller object"). + + * To determine the domain controller's GUID, start **Ldp.exe** and locate the **domain-naming context**. + * Double-click on the **name of the domain controller** whose GUID you want to view. 
+ + > The list of attributes for the domain controller object contains **"Object GUID" followed by a long number**. The number is the object GUID. For example: + + Other Name: 1.3.6.1.4.1.311.25.1 = ac 4b 29 06 bb d6 5d 4f e3 9c 4c ab c3 6a 55 d9 + + > The domain controller's certificate must be installed in the domain controller's local computer's **_personal certificate store_**. + +## Issue Domain Controller Certificates + +U.S. federal civilian agencies have a variety of information security policies. These policies cover whether you should use a domain controller certificate issued from your agency's local enterprise certification authority (CA) or whether the certificate must be issued from a CA managed and certified under the Federal Public Key Infrastructure (FPKI). Each agency's information security policy should be followed. + +It is not recommended to set up a local enterprise CA just to issue domain controller certificates without ensuring the proper management and security protections are enabled. Your Chief Information Security Officer (CISO) must have awareness and oversight established for the CA management. + +Collaborate with your CISO or Information Security Office for a definitive answer and direction. + +If you do have a local enterprise CA, [here are some tips](#step-7---local-certificate-authority). + +# Step 3 - Trust Stores + +Follow [Step 3 - Distribute to Operating System from the distribute FCPCA configuration guide](#step-3---distribute-to-operating-systems). + +# Step 4 - Account Linking + +*Account linking* refers to the process of associating a certificate on a user's PIV credential with their domain account. + +## Comparing altSecurityIdentities and User Principal Name + +There are two account linking attributes to choose from: +- altSecurityIdentities (_recommended_) +- User Principal Name (UPN) + +It's not possible to configure a domain to use *both* altSecurityIdentities *and* User Principal Name mapping. 
You must choose **one** of these options and configure its use for *all* domain users. + +### altSecurityIdentities Approach +- Each PIV credential can be associated with **more than one** account. + - This flexibility allows for the association of a single PIV credential certificate to an individual's end-user and privileged user account(s). +- Users are presented with an additional field during network authentication to identify which account the user wants to access. This field is known as the _User Name Hint_. + - The User Name Hint informs Windows which account the user is trying to log in to if the mapped certificate is associated with multiple accounts. + - Entering a User Name Hint is optional if the user's PIV Authentication certificate UPN matches their Windows logon name. +- You can choose from one of [six options](#1-link-the-piv-authentication-certificate) to map a certificate to a given account. +- There is more flexibility for accepting PIV credentials issued by other government agencies or partners, including PIV-Interoperable (PIV-I) credentials. + +### User Principal Name Approach +- Each PIV credential can only be associated with **one** account. +- The UPN value from the _Subject Alternate Name_ in the PIV Authentication certificate is required. +- There is no flexibility for associating the PIV credential to separate privileged accounts. +- There is less flexibility for accepting PIV credentials issued by other government agencies or partners, including PIV-I credentials. + + +## Transitioning from UPN Mapping to altSecurityIdentities Mapping +If you have a large network with many domains, you should carefully plan the migration from User Principal Name to the altSecurityIdentities account linking method. + +{% include alert-warning.html heading = "Use of UPN by Applications" content="You may find that you have many applications that rely on User Principal Name values. 
There is no need to remove existing or stop populating new User Principal Name values in your transition to altSecurityIdentities." %} + +There are three steps to implement altSecurityIdentities account linking: + 1. [Link the PIV Authentication Certificate](#option-1-link-the-piv-authentication-certificate) + 2. [Enable User Name Hints](#option-2-enable-user-name-hints) + 3. [Disable User Principal Name Mapping](#option-3-disable-user-principal-name-mapping) + + +## Option 1. Link the PIV Authentication Certificate +First, you need to link each user's PIV Authentication certificate to their domain account(s). This is accomplished by populating data extracted from the user's PIV Authentication certificate into their Active Directory record, specifically into the **altSecurityIdentities** attribute. + +Adding altSecurityIdentities attributes **will not** break existing UPN account linking or cause smart card logon to fail. It's possible to plan your transition carefully and to take your time populating the altSecurityIdentities attribute for domain users. + +There are six mapping options to choose from, but most organizations use **Issuer and Subject**. + +| Options | Tag | Example | Considerations | +| ------------- |-------------| -----|-----| +| Subject | X509:\ | X509:\C=US,O=U.S. Government,OU=Government Agency,CN=JANE DOE OID.0.9.2342.19200300.100.1.1=25001003151020 | For certificates which assert the UID identifier (0.9.2342.19200300.100.1.1) or other object identifier in the common name, the identifier is prepended with the _OID_ qualifier. | +| Issuer and Subject | X509:\\ | X509:\C=US,O=U.S. Government,OU=Certification Authorities,OU=Government Demonstration CA\C=US,O=U.S. Government,OU=Government Agency,CN=JANE DOE OID.0.9.2342.19200300.100.1.1=47001003151020 | Note the spaces carefully when testing machine-readable formats of the certificate extensions versus the human-readable formats. | +| Issuer and Serial Number | X509:\\ | X509:\C=US,O=U.S. 
Government,OU=Certification Authorities,OU=Government Demonstration CA\46a65d49 | Serial number is stored in a reversed byte order from the human-readable version, starting at the most significant byte. | +| Subject Key Identifier | X509:\ | X509:\df2f4b04462a5aba81fec3a42e3b94beb8f2e087 | Not generally recommended; may be difficult to manage. | +| SHA1 hash of public key| X509:\ | X509:\50bf88e67522ab8ce093ce51830ab0bcf8ba7824 | Not generally recommended; may be difficult to manage. | +| RFC822 name | X509:\ | Not recommended | Not recommended; not commonly populated in PIV Authentication certificates. | + +### Gathering PIV Authentication Certificates for Mapping into AD + +Identity certificates used for Windows logon can generally be found: +- On the smart card itself. +- By requesting the certificates directly from the smart card issuer. +- By exporting the certificates from a third party application in which the certificates are already registered. + +Each of these options is discussed below. + +**Gather Certificate from Smart Card**
+To gather the certificate from the smart card using a Windows workstation, have the cardholder do the following: +1. Open the Start Menu, located in the bottom left corner of the screen.
+2. Type **command prompt**.
+3. In the prompt, type **certutil -scinfo**.
+A screenshot of a command prompt with certutil information. +4. Press **Enter**.
+5. The cardholder will be prompted several times for a PIN, but a PIN is not required for this operation. Have the cardholder press **cancel** each time they are prompted for a PIN until they see the Certificate List.
+A screenshot of a Windows Security Certificate List window.
+6. Have the cardholder click **Click here to view certificate properties**. The appropriate certificate will list “Smart Card Logon” in the intended purposes on the General tab. If the certificate has this purpose listed, have the cardholder proceed to Step 7. Otherwise, have the cardholder close the certificate, click **more choices** on the Certificate List, click another certificate in the list, and click **Click here to view certificate properties** until the correct certificate has been identified.
+A screenshot of a Certificate Details window.
+7. Have the cardholder select the **Details** tab and then proceed with the steps below.
+8. Click **copy to file** to start the certificate export wizard.
+9. Click **Next**.
+10. Click **Next** again to indicate that the cardholder does not wish to export the private key.
+11. Click **Next** again to use the default DER encoding.
+12. Click **Browse** to select where to save the certificate. Have the cardholder select a location that he or she has permission to save to, such as Desktop or Documents.
+13. Enter a meaningful name for the certificate (such as the cardholder’s name or employee ID).
+14. Click **Save**.
+15. Click **Next**.
+16. Click **OK**.
+17. Click **OK** to close the Certificate Details window.
+18. Click **OK** to close the Certificate List.
+19. Close the command prompt.
+A screenshot of a Save As window with the This PC option highlighted.
+A screenshot showing several windows with the Certificate Export Wizard window on top.
+20. Have the cardholder send the exported .cer file to your organization’s Network Administrator in a way that aligns with the organization’s security policies.
+
+**Request Certificates from the Smart Card Issuer**
+Your organization’s credential issuer may have a copy of certificates issued to current users. You will need to specifically request from the issuer the most recent valid identity certificates suitable for smart card logon. The issuer will produce these certificates in a variety of ways, based on the certification authority or the Card Management System in use.
+
+**Export Certificates from a Third Party System**
+Your organization may have already collected the relevant certificates as part of the enrollment process for a third party application, such as a FIPS 201-compliant PACS system. Depending on the system and configuration in use, you may be able to export your cardholders’ certificates from the database where they are enrolled. Speak with your PACS integrator to understand what options are available to you.
+A screenshot of a Card Operations window that shows several rows of card IDs and other information.
+
+### Methods for Linking the PIV Authentication Certificate
+System administrators can leverage one of the approaches below to link PIV Authentication certificates with user accounts. Run these steps from a domain controller with elevated privileges.
+
+**A. Use the Active Directory Users and Computers Graphical User Interface**
+The following steps are useful if you only need to update a small number of user accounts:
+ - **Start** > **Server Manager**
+ - **Tools** > **Active Directory Users and Computers**
+ - **View** > **Advanced Features**
+ - Expand your domain to reveal the **Users** directory
+ - Right-click on the user whose certificate you'd like to map and select **Name Mappings**
+ - Click **Add** and browse to a local copy of the user's PIV Authentication certificate
+ - Click **Apply** and then **OK**
+
+**B. Use Automation**
+If you are designing an automated process to transition users from Principal Name to altSecurityIdentities mapping, consider the following functionality:
+- Load and process multiple certificates at once (for example, reading a directory of user certificates)
+- Extract the UPN from each certificate and ensure a corresponding user record exists in Active Directory
+- For certificates that contain a UPN that matches a record in Active Directory:
+ - Extract and format the certificate Issuer and Subject attributes in preparation for publishing to Active Directory
+ - Update the user's Active Directory record with the altSecurityIdentities attribute and corresponding Issuer and Subject data
+- For certificates that do not contain a UPN that matches a record in Active Directory:
+ - Set aside for manual review (e.g., these users may be no longer affiliated with your organization)
+- Evaluate accounts in Active Directory that do not contain an altSecurityIdentities attribute after process execution for manual review and further remediation
+
+
+
+

Collaborate with us!

+

+ We're working with a small number of agencies to pilot a simple PowerShell script to help with some of the functional requirements above. Check out the script in our + public scripts repository + or contact ICAM at GSA.Gov for more information. +

+
+
+
+
+## Option 2. Enable User Name Hints
+You need to enable _User Name Hints_ for your network domain. This will modify the logon prompts for _Windows_ workstations and servers joined to the network domain. Your users will be prompted to provide both the PIV credential PIN value and a User Name Hint value.
+
+**For Windows Server 2012 and later:**
+ - _Computer Configuration_ > _Administrative Templates_ > _Windows Components_, and then expand _Smart Card_.
+ - Select _Allow User Name Hint_
+
+Management of smart card settings should be deployed using a group policy object for the domain.
+
+## Option 3. Disable User Principal Name Mapping
+To transition from UPN mapping to altSecurityIdentities account linking, you will need to configure a registry setting on **all** domain controllers. Only configure the registry setting below once you have completed the above steps and are ready to disable UPN mapping.
+
+{% include alert-warning.html content="Note: Organizations should carefully plan their transition to the altSecurityIdentities account linking approach and test interoperability before implementing changes in their production IT environments. The registry configuration below will cause smart card logon to fail for any user missing the altSecurityIdentities attribute." %}
+
+- **Key:** HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
+- **Name:** UseSubjectAltName
+- **Type:** DWORD
+- **Data (Value):** 00000000
+
+This setting tells your network domain _I don't always want to use the Subject Alternate Name values for my user certificates._ More information on the setting is available [here.](https://technet.microsoft.com/en-us/library/ff520074(WS.10).aspx){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+
+It's possible to revert to UPN account linking by removing the registry setting above.
+
+Use group policy objects or other centralized management options to manage registry options.
+
+# Step 5 - Group Policies and Enforcement
+
+The U.S. federal government publishes the [United States Government Configuration Baseline (USGCB)](http://usgcb.nist.gov/usgcb_content.html){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} for use by Executive Branch agencies to promote uniform configurations for commonly used operating systems. The USGCB configuration guidelines for specific operating systems include references to some configurations related to smart card (PIV) logon and should be referenced first.
+
+The information on this page is intended to answer questions and identify the most commonly used configuration options. For a full reference of options for each operating system, please refer to configuration guides published by other sources online.
+
+## Machine Based Enforcement Versus User Based Enforcement
+
+There are two options for requiring users to use PIV credentials to authenticate to the network domain:
+
+* Machine Based Enforcement (MBE)
+* User Based Enforcement (UBE)
+
+These options are controlled by group policy applied to either Machine or User objects in your network domain. Planning is required to move to full User Based Enforcement and agencies are often using a combination of both Machine and User enforcement in their deployments.
+
+{% include alert-warning.html heading = "User Based Enforcement" content="The user's password will no longer be known by the user. Look for agency internal applications that are still using username and password and performing Form Based Authentication against the network directories. Fix these using Kerberos, SAML, or direct x509 authentication." %}
+
+Impacts and considerations are identified to help you plan and execute according to your agency network and user needs.
+
+| Type | Impacts | Considerations |
+| ----- | -------| -------|
+| Machine Based Enforcement | The user is required to use their PIV credential to authenticate to each device where the policy is applied. | The user password is maintained. |
+| User Based Enforcement | The password stored for the user is removed and changed to a long hash value unknown to the user. Your users no longer have passwords for the network. | Any applications which were implemented to prompt your users for a username and password and which are using your network domain directories will no longer be accessible. |
+
+Your applications impacted by User Based Enforcement are designed or deployed using:
+
+1. Form Based or Basic Authentication
+2. or LDAP simple binds
+
+The user will be presented with the application form to enter a username and password and the user will no longer have the password.
+
+You want to analyze your applications and identify which are configured to use your users' network domain passwords. There are methods to fix the applications by enabling Kerberos, SPNEGO (web applications), direct x509 authentication (client certificate authentication), or the SAML and Open ID Connect (OIDC) protocols. These topics will be covered in the Applications section of the guides that are in-development and we invite *all* to contribute to them!
+
+## Defining the Policies for Machine Based Enforcement or User Based Enforcement
+The setting to enforce PIV logon is controlled by **scforceoption** in your network domain user and workstation policies.
+
+- Machine Based Enforcement is when you apply the **scforceoption** to a workstation or server object in your network domain.
+- User Based Enforcement is when you apply the **scforceoption** to a user in your network domain.
+
+This is the only difference when implementing the policy: which objects in your domain you apply the policy to.
+
+You can set the policy option on a single user by checking the _Smart Card is required for interactive logon_ check box in the user account properties. You can also apply this setting using group policy objects. When the **scforceoption** setting is applied, the SMARTCARD_REQUIRED flag is added to the UserAccountControl (UAC) and the DONT_EXPIRE_PASSWORD attribute is set to true.
+
+## Defining Kerberos Policies for Reauthentication
+Although users can PIV authenticate to domain controllers, the client and the domain controller mantain those sessions using kerberos tickets.
+
+Group policies can be configured by domain administrators to align with local security policies for maximum lifetimes of kerberos user tickets. This may cause users to be prompted to reauthenticate with their PIV when prompted with one of the following options:
+
+- Windows Needs Your Current Credentials
+- Please Lock this computer, then unlock it using your most recent password or smart card
+
+These prompts happen when the kerberos ticket lifetime expires and a new authentication event is required. User is set to user based enforcement, which requires a new PKINIT event with the domain controller.
+
+You can find additional information on configuring kerberos policies given the following [reference documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}.
+
+
+# Step 6 - Network Tuning
+
+You can tune the network domain settings to help you and your users have a better experience and reduce errors. This section highlights some of the _common_ tuning configurations for network domain logon. There are additional tuning configurations and we encourage you to start with these first and contribute others.
+
+You can also send questions to the ICAM Technology listserve (email to ICAM-COMMUNITY-TECH at listserv.gsa.gov) to ask your government colleagues for their additional tips and tricks!
+
+## Cached Logon Credential Limit
+
+When a user authenticates to a Windows system, their logon credentials are cached to enable logon in the event the domain controller is unavailable. The [United States Government Configuration Baseline (USGCB) for Windows 7](https://usgcb.nist.gov/usgcb/microsoft/download_win7.html){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} specifies that ***Interactive logon: Number of previous logons to cache (in case domain controller is not available)*** should be set to ***2***.
+
+There are no required USGCB settings for _Windows 8_ or _Windows 10_.
+
+You should configure the cached logon credential limit to be at least "2" and _possibly more_ depending on the mission needs.
+
+The ***Number of previous logons to cache*** can be modified in local or group policy in the following location
+***Computer Configuration\Windows Settings\Security Settings\Local Policies\Security options***
+
+More information is available on [Microsoft TechNet](https://technet.microsoft.com/en-us/library/jj852209%28v=ws.11%29.aspx){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+
+## CRL Retrieval Timeout Settings
+
+By default, Windows will time out when downloading Certificate Revocation List(s) after 15 seconds. A number of CRLs in the government environment are large, greater than 20 MB in size, which will lead to the timeout happening.
This example scenario can be common and a source of frustration to you and your users:
+
+- The first or the 51st user will attempt to log on in the morning in a region
+- The validity period and cache of the previous CRL will have expired on the domain controller
+- The domain controller will attempt to download the large CRL file and will hit the timeout limit
+- The user will receive an authentication failure (unable to log on)
+- The user will be able to try again and be successful
+- You will try to determine the root cause to diagnose the failures (i.e., chasing ghosts on the network)
+- This process will repeat
+
+You want to tune _both_ the OCSP Response Caching Behavior setting and the CRL Retrieval Timeout Settings.
+
+The default timeout value can be modified using local or group policy by modifying the ***Default URL retrieval timeout*** value found in the ***Certificate Path Validation Settings***, ***Network Retrieval*** tab, located in ***Computer Configuration\Windows Settings\Security Settings\Public Key Policies***
+
+Consult these step-by-step instructions:  [Manage Network Retrieval and Path Validation](https://technet.microsoft.com/en-us/library/cc771429%28v=ws.11%29.aspx){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+
+## OCSP Response Caching Behavior
+
+By default, Microsoft Windows will retrieve and cache 50 OCSP Responses for any one issuing CA before switching to CRL mode. Depending on the size of the CRL, this may be a poor performance decision. For environments where workstations routinely interact with large CRLs, a large value may signficantly reduce network bandwidth consumption.
This value can be increased by setting the ***CryptnetCachedOcspSwitchToCrlCount*** DWORD value in the following registry key:
+***HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config***
+
+Source:  [Optimizing the Revocation Experience](https://technet.microsoft.com/en-us/library/ee619783%28v=ws.10%29.aspx){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+
+# Step 7 - Local Certification Authority
+
+This page provides some tips for using a local certification authority (CA) to issue a domain controller certificate. This is for local Microsoft CAs. Other platforms may be used and have different procedures.
+
+{% include alert-info.html content="These procedures are accurate for using Microsoft 2012 Server, Standard Edition, for CA and domain controller servers as of March 2017." %}
+
+
+
+## Prerequisites
+
+ * The server that hosts the CA must be joined to the domain.
+ * The CA should **never** reside on the same server(s) that are acting as domain controller(s).
+ * You must be an Enterprise Administrator in the domain to perform these steps.
+
+## Install CA Role
+
+ 1. Log into the **CA server** as a member of the **Enterprise Administrators** group.
+ 2. Open the **Server Manager** and click on **Manage > Add Roles and Features**.
+ 3. Proceed through the **Add Roles and Features Wizard** options. Choose the following:
+ _Server Roles:_ **_Active Directory Certificate Services_**
+ _AD CS Roles Services:_ **_Certification Authority_**
+ 4. On the **Results** page, click on **Configure Active Directory Certificate Services on the destination server**.
+ 5. Proceed through the **AD CS Configuration** options. Choose the following values, as required:
+ _Role Service:_ **_Certification Authority_**
+ _Setup Type:_ **_Enterprise CA_**
+ _CA Type:_ **_Root CA_**
+ _Private Key:_ **_Create a new private key_**
+ _Cryptography:_ **_RSA#Microsoft Software Key Storage Provider, 2048 bit, SHA-256 6e_**
+ _CA Name: Use the naming convention:_ **dc=[_AD suffix_], dc=[_AD domain_], cn=[_certification authority name_]**
+ (e.g., dc=_gov_, dc=_[AgencyName]_, cn=_[AgencyName]_ _NPE_ _CA1_)
+ _Validity Period:_ **_6 years_**
+ _Certificate Database:_ **_<your preference>_**
+
+## Configure Certificate Template for Domain Controller
+The domain controller(s) certificate must contain valid information. These steps provide recommended options and settings.
+
+ 1. Log into the CA server as a member of the **Enterprise Administrators** group.
+ 2. Open the certificate template's **MMC snap-in** (i.e., **certtmpl.msc**).
+ 3. Right-click on the **Domain Controller Authentication** template. Then, click on **Duplicate Template**.
+ 4. Under the **Compatibility** tab, modify the **Compatibility Settings** for both the _CA_ and _certificate recipients_ to the highest compatible version (e.g., **Windows Server 2012 R2** or **Windows 2008 R2**).
+ 5. Under the **General** tab, use these recommended settings:
+ _Template Name:_ **_<Your organization> - Domain Controller Authentication_**.
+ _Validity Period:_ **_3 years_**.
+ _Renewal Period:_ **_6 weeks_**.
+ 6. Under the **Cryptography** tab, set these values:
+ _Minimum Key Size:_ **_2048_**.
+ _Request Hash:_ **_SHA256_**
+ 7. Open the **CA console** (i.e., certsrv.msc).
+ 8. In the **console tree**, click on the **_[CA's name]_**.
+ 9. In the **details** pane, double-click on **Certificate Templates**.
+ 10. In the **console tree**, right-click on **Certificate Templates**. Then, click on **New > Certificate Template To Issue**.
+ 11. Select and enable the **_certificate template_** that was created. Click on **OK**.
+
+## Auto-Enroll Domain Controllers Using Group Policy Object (GPO)
+
+ 1. Log into a **Domain Controller server** as a member of the **Enterprise Administrators** group.
+ 2. Open the **GPMC**: gpmc.msc
+ 3. Within the appropriate **GPO** applied to the Domain Controllers, go to **Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies**\
+ 4. Configure **Certificate Services Client – Auto-Enrollment** with the following options:
+ _Configuration Model:_ **_Enabled_**.
+ _Renew Expired Certificates, Update Pending Certificates, Remove Revoked Certificates_: **_Check_all checkboxes_**.
+ _Update Certificates That Use Certificate Templates_: **_Check the checkbox_**.
+ 5. Replicate the group policy. Use the command: **_gpupdate /force_** at the command line, or wait for the group policy to replicate based on your replication time and settings.
+ 6. Open **MMC.exe -> File -> Add/Remove Snap-in -> Certificates -> Computer account -> Local computer**.
+
+ If successful, you will see a new domain controller certificate in the **_Certificate (Local Computer) -> Personal -> Certificates folder_**. At the **Certificate Template** tab, you will also see a certificate generated with the custom certificate template.
+
+# Step 8 - Authentication Assurance
+
+When a user authenticates to your network and you've enabled Single Sign-on to applications inside your network domain, you need to know which of these authenticators was used:
+
+- A username and password
+- A PIV credential
+- An alternate authenticator
+
+You need to know the type of authenticator to implement increasingly granular authorization policies and to grant or deny a user access to information available from applications and shared network resources.
+
+To grant a user access, based on the type of authenticator used, you can use a Windows Active Directory (AD) feature called _Authentication Mechanism Assurance (AMA)_. AMA allows you to add a group membership identifier to the user’s Kerberos token.
+
+{% include alert-warning.html content="Do not use AMA to provide privileged user access." %}
+
+AMA is available for domains operating on Windows Server 2008 R2 and later versions.
+
+## Implementation
+
+You can use this PowerShell script [CertificateIssuanceOIDs.ps1](https://github.com/GSA/ficam-scripts-public/tree/master/_ama){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} to import and set up a list of certificate issuance policies. This script:
+
+- Contains a list of certificate issuance policy object identifiers (OIDs) used by U.S. 
federal government agencies +- Creates security groups with the same names as the policies +- Links the policies to the security groups + +You can run the script with a few simple steps. + +- You'll need to specify the Group Distinguished Name (GroupDN) within the script. This targets where you want to create the security groups in your network directory: + + - `CertificateIssuanceOIDs.ps1 -GroupDN \` + - For example: `CertificateIssuanceOIDs.ps1 -GroupDN 'OU=Groups,OU=Administrators,DC=agency,DC=gov'` + +- After downloading this script, you may need to change the [PowerShell script execution policy](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-5.1&viewFallbackFrom=powershell-Microsoft.PowerShell.Core){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} to execute the script or sign the script to execute it. + +A sample output from the script is shown below: + +``` + PS C:\> C:\AMA\Script\CertificateIssuanceOIDs.ps1 + -GroupDN 'ou=groups,ou=security,dc=agency,dc=gov' + + Created CN=id-fpki-common-authentication,ou=groups, + ou=security,dc=agency,dc=gov + 2.16.840.1.101.3.2.1.3.13 -- Unknown ObjectId + + Localized name added to DS store. + 0: 1033,id-fpki-common-authentication + CertUtil: -oid command completed successfully. + + Created CN=13.255922318A2AF32EC47D5B70735D4DB3, + CN=OID,CN=Public Key Services,CN=Services, + CN=Configuration,DC=agency,DC=gov + AD AMA set for 2.16.840.1.101.3.2.1.3.13 id-fpki-common-authentication +``` + +**Note:**  If the GroupDN is not entered in the command line when executing the script, it will prompt for the input. 
+ +``` + PS C:\> C:\AMA\Script\CertificateIssuanceOIDs.ps1 + cmdlet ama-script.ps1 at command pipeline position 1 + Supply values for the following parameters: + GroupDN: ou=groups,ou=security,dc=agency,dc=gov +============================================== + GroupDN entered is ou=groups,ou=security,dc=agency,dc=gov + +``` + +## Testing +To test the output on your network domain, log in with your PIV credential and check the groups assigned. + +- Authenticate with your PIV credential +- From the command line: `C:\whoami /groups` + +``` + agency\id-fpki-common-authentication Group S-1-5-21-179144328 + 1-1764752353-2202401552-1113 + Mandatory group, Enabled by default, Enabled group +``` + +## Use Case Scenarios + +### Authentication Pass-Through to a Federation Service + +A federal employee authenticates to the agency's intranet using a PIV credential and attempts to access an application hosted by a different federal agency. + +- The application is restricted to allow access only for users who have authenticated with a valid PIV Authentication certificate. +- All other users are denied access to the application. + +This federal employee successfully accesses the other federal agency's application with minimal inputs. The employee is successful because: + +- The employee's home agency has a Federation Service installed, and +- The employee's home agency has integrated with the other agency's Federation Service + +During and after the employee's logon to the network, the following steps were executed without the employee's intervention: + +1. The PIV authentication certificate is parsed +2. The certificate policy OID asserted allows Microsoft AD on the home agency's network to assign the user to a group specifically for PIV authenticated users +2. The user's session is granted a Kerberos ticket that includes the additional group membership +2. The user browses to the other federal agency's application +2. 
The user's browser is redirected to his/her home agency's Federation Service
+2. The Federation Service at the home agency finds the Kerberos ticket for the user's session
+2. A Security Assertion Markup Language (SAML) assertion is created by the Federation Service (This is a token translation.)
+2. The SAML assertion includes the AD group membership information that identifies that this user authenticated with a PIV credential
+2. The user's browser is redirected back to the other federal agency's application
+2. The user is successfully authenticated with the valid SAML assertion
+2. The other federal agency's application is configured to allow access to only those users who have authenticated using a PIV credential
+
+In this use case and steps, the user did **not** have to authenticate directly with a PIV credential to the other agency's application. A federation model was used.
+
+{% include alert-info.html content="One example for viewing this implementation pattern is Max.gov. If you click the upper left-hand Login button, you'll see the Max.gov Login page. The bottom section allows you to select an agency. Each of these icons redirects the user back to that agency's Federation Service." %}
+
+### Authentication Pass-Through for Integrated Windows Authentication
+
+A federal employee authenticates to his/her agency's intranet using a PIV credential and attempts to access a local SharePoint site.
+
+- The SharePoint site is restricted to allow access only for those users who have authenticated with a PIV Authentication certificate.
+- All other users are denied access to the SharePoint site.
+
+The federal employee successfully accesses the local SharePoint site.
+
+During and after the employee's logon to the network and attempt to access the SharePoint site, the following steps were executed without the employee's intervention:
+
+1. The PIV authentication certificate is parsed
+2. 
The certificate policy OID asserted allows Microsoft AD on the home agency's network to assign the user to a group specifically for PIV authenticated users
+2. The user's session is granted a Kerberos ticket that includes the additional group membership
+2. The SharePoint site is configured to only allow access to only those users who have authenticated using a PIV credential
+
+## Other Considerations and References
+
+Use the Windows Registry Editor to set the _AMA Priority_ above _Most Recently Issued Superior Certificate Heuristic_:
+
+- `[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kdc]`
+- `"ChainWithIssuancePolicyOIDs"=dword:00000001`
+
+Refer to the [AMA Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=WS.10).aspx){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} to understand the implementation of AMA.
+
+# Troubleshooting PIV Logon
+
+---
+layout: page
+collection: implement
+title: Troubleshooting PIV Logon
+permalink: /implement/troubleshooting/
+sticky_sidenav: true
+sidenav: implement
+
+subnav:
+ - text: Logon Process Overview
+ href: '#logon-process-overview'
+---
+
+Within the federal enterprise, Windows smart card logon with a PIV card (PIV logon) is one method to satisfy Federal Information Security Management Act (FISMA) and National Institute of Standards and Technology (NIST) Risk Management Framework security controls for authentication. A PIV card enables Authenticator Assurance Level 3, two-factor authentication to a Windows desktop. Under normal conditions, this system is simple and easy for an end user to use. However, if this logon mechanism breaks, it can be difficult to troubleshoot logon and authentication errors. This page includes common symptoms and suggested steps to diagnose and solve these issues.
+
+## Logon Process Overview
+
+The figure below, from the “Smart card sign-in flow in Windows” section of the [Microsoft Certificate Requirements and Enumeration article](https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration#smart-card-sign-in-flow-in-windows){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}, provides a detailed overview of how smart card logon works in supported versions of Windows.
+
+A detailed workflow diagram of how smart card logon works in supported versions of Windows.
+
+For our use, this complex process is simplified into the following workflows:
+
+
+

+ +

+
+

PIV logon begins at the client workstation. First, the system discovers smart card reader devices that are built into or attached to the workstation. Next, acceptable smart card logon certificates from any connected cards are provided to the Windows logon screen. In general, PIV cards are engineered to have one authenticate certificate marked eligible for smart card logon. However, in some instances, more than one certificate may have been inadvertently made eligible, meaning the user may first be asked to select the correct certificate for smart card logon. Conversely, the user may have a Facility Access Card (FAC) that omits access to any workstation. For more details on what is in use at your organization, speak with your agency’s credential issuer or Identity, Credential, and Access Management (ICAM) office.

+ A screenshot of a logon screen that includes icons for entering a password or inserting a smart card. +
+ Back to Process Overview +
+ +

+ +

+
+

When the logon screen appears, if the system has detected a smart card reader and an attached (inserted) smart card with suitable certificates, the smart card logon option is displayed and the user is prompted to enter a PIN. Use the information below to troubleshoot symptoms encountered with card selection before PIN entry.

+
+

Symptom

+

Smart card icon is not displayed; user is not prompted for PIN.

+
+

Possible Cause 1 - Reader or Card Not Detected

+

Windows does not detect either the reader or the card due to a software or hardware issue with the card reader.

+

Diagnosis

+
    +
  1. Ask the user to make sure that the PIV card is fully inserted in the reader.
  2. +
  3. If the smart card reader is an external USB device, ask the user to remove the device and try inserting it into a different USB port.
  4. +
  5. Ask the user to try rebooting their workstation.
  6. +
  7. Ask the user to try using their PIV with their PIN elsewhere.
  8. +
  9. If the issue persists through reboot, and the PIV with PIN works elsewhere, the smart card reader may need to be replaced or the workstation may need to be serviced.
  10. +
+

Resolution

+

Replace the smart card reader if it is an external device. Otherwise, schedule workstation repair.

+
+

Possible Cause 2 - Card Damaged

+

The PIV is damaged.

+

Diagnosis

+

If faulty workstation hardware or software is ruled out, and the card does not work on other readers, the PIV may need to be replaced.

+

To confirm that the card is functional, you can use the Certutil Tool, listed on the Useful Tools page, on a known working Windows workstation.

+

On the client:

+
    +
  1. Log in to Windows using a password.
  2. +
  3. Open the Start Menu, located in the bottom left corner of the screen.
  4. +
  5. Type cmd.
  6. +
  7. Click Command Prompt, shown under Best Match.
  8. + A screenshot of the Command Prompt app icon. The words Best Match appear above the icon. +
  9. In the command prompt, type certutil -scinfo and press Enter.
  10. + A screenshot of a command prompt that includes certutil information. +
  11. A functioning card will return information on the card type and reader, begin polling for keys and validating certificates, and prompt for PIN entry. If this is the case with the card you are testing, click Cancel and close out of the command prompt.
  12. +A screenshot of a command prompt window with a Windows Security Smart Card window on top of it. +
  13. If the card is malfunctioning, certutil will recognize that a reader is connected and a card is present but will display an error and will not prompt for PIN entry.
  14. +A screenshot of a command prompt window that includes the word done near the bottom of the window. +
+

Resolution

+

Replace the PIV card if necessary.

+
+ Back to Process Overview +
+ +

+ +

+
+

After the user enters their PIN, Windows tries to unlock the card using the PIN entered. After the card has been unlocked, the workstation packages the user’s PIV authentication certificate and sends it to the logon server, also known as a domain controller. The workstation must be able to trust the domain controller so that the workstation can securely connect to it. Use the information below to troubleshoot symptoms encountered after the PIN is entered but before logon occurs.

+
+

Symptom

+

After PIN entry, the following error is displayed on the logon screen:
Signing in with a smart card isn’t supported for your account. For more information, contact your administrator.

+ A screenshot of an Other user window with an error message. +
+

Possible Cause - Domain Controller Certificate

+

A suitable domain controller authentication certificate is not installed on the domain controller.

+

Diagnosis

+

On the client:

+
    +
  1. Log in to Windows using a password.
  2. +
  3. Open the Start Menu, located in the bottom left corner of the screen.
  4. +
  5. Type event viewer.
  6. +
  7. Click Event Viewer, shown under Best Match.
  8. + A screenshot of the Event Viewer app icon and label. +
  9. On the left side of the Event View, expand Applications and Services Logs, Microsoft, Windows, and Security-Kerberos on the tree.
  10. + A screenshot of the Event Viewer app icon with several app and folder icons below it in cascading order. The Operational icon appears at the bottom of the screenshot and is highlighted with gray. +
  11. Click Operational.
  12. +
  13. On the right side of the window, under Actions, click Enable Log (skip this step if the option reads ”Disable Log”; the log is already enabled).
  14. + A screenshot of several icons, labels, and item choices below the Actions heading. The Help icon and label appears at the bottom of the screenshot. In the middle of the screenshot, the Enable Log choice is highlighted with yellow. +
  15. Log out of Windows.
  16. +
  17. Try having the user log in to their workstation again using their PIV.
  18. +
  19. Log in to Windows using a password.
  20. +
  21. Repeat Steps 2 through 6 to return to the Security-Kerberos log in Event Viewer.
  22. +
  23. Click in the center of the window where ”Error” is shown. The following log will appear.
  24. + A screenshot of an error log. It includes several labels, including Operational and Event 104, Security-Kerberos. The Details tab is open and includes details about Event 104. +
+

Resolution

+

On the domain controller:

+
    +
  1. Log in as a Domain Administrator.
  2. +
  3. Open the Start Menu.
  4. +
  5. Type mmc.exe.
  6. +
  7. Click MMC, shown under Best Match.
  8. + A screenshot of the mmc.exe icon. The words Best Match appear above the icon and the words Run command appear below the icon. +
  9. If prompted by a User Account Control pop-up, click Yes.
  10. + A screenshot of a User Account Control window. The words Do you want to allow this app to make changes to your device? appear near the top of the screenshot. The Yes button is highlighted. +
  11. Click the MMC window and press and hold Ctrl. Then press M and release both keys.
  12. +
  13. In the Add or Remove Snap-ins window, click the following:
  14. +
      +
    1. From the Available Snap-ins on the left, click Certificates.
    2. +
    3. In the center of the window, click the Add button.
    4. +
    5. In the Certificates snap-in window, click Computer account. Then click Next.
    6. +
    + A screenshot of an Add or Remove Snap-In window with an inset Certificate Snap-In window. +
  15. In the Select Computer window, click Finish.
  16. + A screenshot of a Select Computer window. The Local Computer radio button is highlighted and the Finish button is highlighted. +
  17. In the Add or Remove Snap-ins window, click OK.
  18. +
  19. On the left side of the MMC window, click the > symbol to expand these items on the tree:
  20. +
      +
    1. Certificates (Local Computer)
    2. +
    3. Personal
    4. +
    + A screenshot of a Console Root folder icon and label with three items below it in cascading order. A Certificates folder icon and label appear at the bottom of the screenshot and are highlighted with gray. +
  21. Under Personal, right-click Certificates.
  22. + A screenshot of a Console Root folder icon and label with several items and folders below it. The Certificates folder is highlighted with blue. An inset window with All Tasks highlighted in blue appears to the right of the main window and an inset Request New Certificate window appears to right of the first inset window. +
  23. Click All Tasks.
  24. +
  25. Click Request New Certificate.
  26. +
  27. In the Certificate Enrollment window, click Next.
  28. +
  29. Click Next.
  30. +
  31. Click the box next to the Domain Controller Authentication template. If you do not see this, ask your CA Administrator to publish this template.
  32. + A screenshot of a Certificate Enrollment window. The words Request Certificates appear in blue near the top of the screenshot. The screenshot includes Active Directory Enrollment Policy choices, statuses, and details. +
  33. Click Enroll.
  34. +
  35. Click Finish.
  36. + A screenshot of a Certificate Enrollment window. The words Certificate Installation Results appear in blue near the top of the screenshot. The screenshot includes Active Directory Enrollment Policy Domain Controller Authentication status and details. A green bar runs below the Certificate Enrollment window and the Finish button is highlighted. +
+
+ Back to Process Overview +
+ +

+ +

+
+

After the domain controller’s authentication certificate is used to make a secure link from the workstation to the domain controller, the certificate data for the user’s smart card is sent to the domain controller for validation. The domain controller does the following to validate the credential:

+
    +
  1. The domain controller looks up the user’s account in Active Directory (AD) using information found in the user’s PIV authentication certificate. This process is known as name mapping. More information about user name mapping can be found in the Account Linking Playbook
  2. +
  3. The certificate is sent to the Microsoft Crypto-API (CAPI) service running on the domain controller for path discovery and validation. CAPI performs basic certificate checks through Path Discovery and Validation (PDVal).
  4. +
  5. The domain controller checks its local copy of the Enterprise NTAUTH store for the presence of the issuing certification authority (CA) for the PIV authentication certificate. Steps for adding a certificate to this store can be found in the Trust Stores Playbook
  6. +
+

Note: Certificate validation of the PIV authentication certificate for smart card logon only occurs on the individual domain controller processing the logon request. The client computer does not check the validity of the logon certificate. Other applications outside of Windows logon may perform certificate validation locally, so it may still be a good idea to have a valid path installed on your organization’s client computers. if you have multiple logon servers in your environment, only the one responding to the individual logon request performs validation. Therefore, it is important to maintain a consistent configuration across your domain controllers.

+

Use the information below to troubleshoot additional symptoms encountered after the PIN is entered, but before logon occurs.

+
+

Symptom

+

After PIN entry, one of the following errors displays on the logon screen:

+
    +
  1. An untrusted certification authority was detected while processing the smart card certificate used for authentication.
  2. + A screenshot of a logon window that includes the words An untrusted certification authority was detected while processing the smart card certificate used for authentication. +
  3. The smart card used for authentication has been revoked.
  4. + A screenshot of a logon window that includes the words The smart card used for authentication has been revoked. +
+
+

Possible Cause 1 - Certificate Fails Path Discovery and Validation

+

The user’s PIV authentication certificate fails path discovery and validation on the domain controller.

+

Diagnosis

+

On the client:

+
    +
  1. Log in to Windows using a password.
  2. +
  3. Open the Start Menu, located in the bottom left corner of the screen.
  4. +
  5. Type cmd.
  6. +
  7. Click Command Prompt, shown under Best Match.
  8. + A screenshot of the Command Prompt app icon. The words Best Match appear above the icon. +
  9. In the command prompt, type echo %logonserver% and press Enter.
  10. + A screenshot of a Command Prompt window that includes the Windows version and user details. +
  11. The current domain controller being used for Windows logon is displayed. This is the best domain controller to check first for troubleshooting invalid smart card logon events.
  12. +
+

On the domain controller indicated above:

+
    +
  1. Log in as a Domain Administrator.
  2. +
  3. Open the Start Menu.
  4. +
  5. Type mmc.exe.
  6. +
  7. Log in to Windows using a password.
  8. +
  9. Open the Start Menu, located in the bottom left corner of the screen.
  10. +
  11. Type event viewer.
  12. +
  13. Click Event Viewer, shown under Best Match.
  14. + A screenshot of the Event Viewer app icon and label. The words Best Match appear above the icon. +
  15. On the left side of the Event View, click the > symbol to expand each of these items on the tree:
  16. +
      +
    1. Applications and Services Logs
    2. +
    3. Microsoft
    4. +
    5. Windows
    6. +
    7. CAPI2
    8. +
    +
  17. Click Operational.
  18. +
  19. On the right side of the window, under Actions, click Enable Log (skip this step if the option reads ”Disable Log”; the log is already enabled).
  20. + A screenshot of several icons, labels, and item choices below the Actions heading. The Help icon and label appears at the bottom of the screenshot. +
  21. Log out of Windows on the client workstation.
  22. +
  23. Have the user try to log in using their PIV, taking note of the time. The error should be shown on the logon screen.
  24. +
  25. On the domain controller, still in Event Viewer, on the right pane, click Refresh.
  26. +
  27. New log events will be shown. Look for the events with an “Error” status and the task category “Build Chain.”
  28. +
  29. Click the Details tab. In the UserData section, look for the user’s name in the Certificate [subjectName] field. If you do not see the user’s name, continue scrolling through the list of events to find the next event with an “Error” status and the task category “Build Chain.” Using results filtering may help to narrow this list down.
  30. + A screenshot of an Operational window labeled Event 11, CAPI2. In the center of the screenshot, the subjectName and user name are highlighted with yellow. +
  31. Once you find the event, scroll down through the details. You will see sections that say “-ChainElement.” These indicate each of the certificates in the path that was built. Within each chain element, look again for the ”- Certificate [ subjectName ],” indicating which certificate is being checked, and below it, a ”- TrustStatus” with an ”- Error Status” which will give more details about the failing validation.
  32. +
+
+

Example 1: A certificate in the path is revoked.

+ A screenshot of an Operational window labeled Event 11, CAPI2. The Certificate and the TrustStatus details are highlighted with yellow. +

Example 2: The path does not build to a trust anchor

+ A screenshot of a window labeled Event 11, CAPI2. The subjectName and the Cert Trust Is Untrusted Root details are highlighted with yellow. +

Example 3: The revocation status is unreachable, or the revocation status signature cannot be validated due to an invalid trust path.

+ A screenshot of a window labeled Event 11, CAPI2. The subjectName and the Cert Trust Revocation Status Unknown details are highlighted with yellow. +

Note: The error status in Example 3 will occur for any certificate lower in the path than the above Examples for 1 and 2. For example, if a trusted root cannot be found at the top of the path, no valid revocation status will be found for any certificate issued below the trusted root, including the issuing CA certificate and the end user’s PIV authentication certificate. This situation occurs because the revocation data cannot have its signature verified for the same reasons that the certificate itself cannot.

+

You can also use the PKI Interoperability Test Tool (PITT), listed on the Useful Tools page, to validate the certificate path on the logon server. The PITT Usage Guide contains procedures for using the tool.

+

Resolution

+
    +
  1. On the domain controller, work through any path validation issues identified in the above steps and examples. Keep in mind that that path building comes before validation and that a path is built from the bottom up. In this instance, the PIV authentication certificate chains to a trust anchor, such as Federal Common Policy G2. Ensure that the correct trust anchor for your organization’s PIV credentials is installed on every domain controller. If you also trust certificates from other agencies and organizations, the appropriate roots and cross-certificates may need to be installed to complete the path.
  2. +
  3. Find expired and revoked certificates that may be installed in your domain controller certificate store and delete them as appropriate. In a Windows environment, unexpected errors often result if you have duplicates of a certificate installed in a given store or have accidently installed an intermediate CA in the trusted root store or vice versa.
  4. +
  5. Lastly, you will need to allow outbound access over port TCP 80 from each domain controller to each of the CRL, OCSP, and AIA distribution points listed in the certificates in the path. For more information, see Path Discovery and Validation (PDVal).
  6. +
+

Possible Cause 2 - CA Not in the NTAuth Store

+
    +
  1. Follow Steps 1 through 15 for diagnosing Possible Cause 1.
  2. +
  3. Confirm that there is no error logged for the task category ”Build Chain” with matching certificate subjectName for the user.
  4. +
  5. Look for an error logged for task category ”Verify Chain Policy” with matching certificate subjectName for the user.
  6. +
  7. Confirm that the result logged is ”A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.”
  8. + A screenshot of an Operational window labeled Event 30, CAPI2. Near the top of the screenshot, a row labeled Error is highlighted with yellow. Elsewhere in the screenshot, the subjectName and user name and the Result details are highlighted with yellow. +
+

Resolution

+

Follow the steps in the Trust Stores Playbook to add the appropriate issuing CA for the PIV card to the Enterprise NTAuth trust store.

+
+

Symptom

+

During smart card logon attempt, the following error is displayed on the logon screen:
The system could not log you on. Your credentials could not be verified.

+
+

Possible Cause 1

+

The incorrect certificate was selected for smart card logon.

+

Resolution 1

+
    +
  1. In the logon screen, select a different certificate from the sign-in options. Note: Logon certificates generally display an account name in the form of an email address or user principal name.
  2. +
  3. Try entering the PIN again.
  4. + A screenshot of a logon window that shows a user name highlighted. The other user is not highlighted. +
+

Possible Cause 2

+

The identifiers listed in the Smart Card Logon certificate on the card cannot be matched to an AD account.

+

Resolution 2

+

Follow the suggestions in the Account Linking Playbook to ensure that the card identifier can be linked to the AD account. This may require User Principal Name (UPN) mapping, adding alternate security identifiers added to the AD record, or domain hinting.

+
+ Back to Process Overview +
+ +

+ +

+
+

Once name mapping and PIV validation are complete, the domain controller sends a logon package to the client computer with the user’s domain permissions and a token that allows desktop logon for that user. If the user is permitted to log in to the computer, they will now be logged into their Windows desktop.

+

The first logon must always occur while the system has a network connection to the domain controller, whether it is directly attached to the organization’s network or via a VPN. After the first logon, if the Group Policy setting pictured below is set to a value greater than 0, the user’s logon token will be permanently cached by their workstation as long as the number of subsequent users to log in does not exceed this number.

+ A screenshot of a Local Group Policy Editor window with two columns of folder and item icons and labels. The screenshot includes an inset Interactive Number of previous logons to cache window. +

If a future logon is attempted while the user’s workstation is disconnected from the organization’s network, and the logon token is cached, the workstation will only authenticate the PIV authentication certificate via PIN and, upon successful entry, will log the user into their desktop using their cached token and permissions. If the value is set to 0, caching does not occur and logon will only occur when the workstation is connected to the network and can communicate with a domain controller.

+
+ Back to Process Overview +
+
\ No newline at end of file
diff --git a/_implement/tools/CACertificatesValidatingToFederalCommonPolicyG2.p7b b/_implement/tools/CACertificatesValidatingToFederalCommonPolicyG2.p7b
new file mode 100644
index 000000000..f0c8c465d
Binary files /dev/null and b/_implement/tools/CACertificatesValidatingToFederalCommonPolicyG2.p7b differ
diff --git a/_implement/tools/fpki-certs.gexf b/_implement/tools/fpki-certs.gexf
new file mode 100644
index 000000000..44ce6cdfd
--- /dev/null
+++ b/_implement/tools/fpki-certs.gexf
@@ -0,0 +1,1469 @@ + + + + Gephi 0.8.1 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/_implement/whfb.md b/_implement/whfb.md new file mode 100644 index 000000000..7f756af24 --- /dev/null +++ b/_implement/whfb.md 
@@ -0,0 +1,773 @@ +--- +layout: page +collection: implement +title: Configure Windows Hello for Business in Azure AD +pubdate: 2023-06 +type: Markdown +permalink: /implement/whfb/ +description: Windows Hello for Business (WHfB) is a playbook to guide administrators through planning, configuring, testing, and implemention. +sidenav: implement +sticky_sidenav: true + +subnav: + - text: About Windows Hello for Business + href: '#about-windows-hello-for-business' + - text: Assumptions + href: '#assumptions' + - text: Prerequisites + href: '#prerequisites' + - text: Technology and terms + href: '#technology-and-terms' + - text: Prepare users to use Windows Hello + href: '#prepare-users-to-use-windows-hello' + - text: WHfB policy configuration + href: '#whfb-policy-configuration' + - text: WHfB device enrollment configuration steps + href: '#whfb-device-enrollment-configuration-steps' + - text: WHfB device configuration profile steps + href: '#whfb-device-configuration-profile-steps' + - text: WHfB user experience + href: '#whfb-user-experience' + - text: First time setup for new device/PIN creation + href: '#first-time-setup-for-new-devicepin-creation' + - text: 'Windows Hello for Business: Microsoft Authenticator Setup for iOS and Android' + href: '#windows-hello-for-business-microsoft-authenticator-setup-for-ios-and-android' + - text: iOS - Microsoft Authenticator setup + href: '#ios---microsoft-authenticator-setup' + - text: Windows fingerprint biometric setup + href: '#windows-fingerprint-biometric-setup' + - text: Windows security key setup + href: '#windows-security-key-setup' + - text: Windows Hello for Business FAQs + href: '#windows-hello-for-business-faqs' + +--- + +The purpose of this playbook is to guide administrators through planning, configuring, testing, and implementing Windows Hello for Business (WHfB). WHfB offers two-factor authentication by combining user credentials tied to a device with a biometric or a personal identification number (PIN). 
+
+## About Windows Hello for Business
+
+WHfB PINs may seem similar to passwords at first glance. However, there is a fundamental difference: PINs typically are local to the device and not transmitted over the internet unlike a Microsoft 365 or Azure Active Directory (Azure AD) User Principal Name and Password combination.
+
+Device PIN creation establishes a trusted relationship with the identity provider (Azure AD). It also creates an asymmetric key pair that is used for authentication. Transmittal of the key to the authentication server completes the sign-in request. When paired with a Trusted Platform Module (TPM) chip, tamper protection is enabled. This feature protects the key material from attackers and locks the device after too many incorrect PIN attempts.
+
+### Windows Hello for Business Sign-in Options
+
+The available sign-in options for Windows Hello for Business include:
+
+- Facial recognition
+- Fingerprint recognition
+- PIN (for use as a backup in case the biometric authentication fails or in the absence of camera/fingerprint scanning technology)
+- Security key (a physical key)
+
+Biometric data is stored locally on the device, and it is never sent to external devices or servers. As stated previously, authentication occurs via the asymmetric key. Users can delete or remove their biometric information by visiting **Settings** \> **Accounts** \> **Sign-in options.**
+
+# Assumptions
+This playbook assumes that devices are cloud-only and there is no hybrid device configuration with Active Directory. Deploying Windows Hello for Business in a hybrid environment requires configuring Azure AD Connect, Azure AD Kerberos and deploying either a Cloud Trust Device Configuration Profile in Microsoft Intune (Intune), a Key trust deployment in on-premises Active Directory, or a hybrid certificate trust deployment, which requires Active Directory Federated Services (ADFS). Of these three hybrid options, the Cloud Kerberos trust deployment is recommended.
More on that here: [Windows Hello for Business cloud Kerberos trust clients configuration and enrollment | Microsoft Learn](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision?tabs=intune){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+
+This playbook assumes that all devices have a TPM 2.0 module that complies with Federal Information Processing Standards (FIPS). All devices should be on Windows 10 version 1709 (or later) or Windows 11. Preferably, all devices should be Windows 10 version 1903 or later.
+
+This playbook also assumes that:
+
+- Devices are equipped with an infrared camera or fingerprint reader to perform biometric authentication.
+- Microsoft Intune (Intune) is the Windows MDM solution.
+
+# Prerequisites
+Devices must be Azure AD registered at minimum, and it's preferable that devices are Azure AD joined.
+
+Users must have a Microsoft Intune license feature as a stand-alone license or as part of a bundled license (Microsoft 365 E3 for GCC High and Microsoft 365 E5 for GCC High).
+
+It's also preferrable that all users have an Azure AD Premium P1 or P2 subscription, which is needed for automatic MDM enrollment when the device joins Azure AD. Azure AD Premium P1 licenses also grant access to Azure AD Multi-Factor Authentication (MFA) through Conditional Access policies.
+
+# Technology and terms
+
+[Introduction to device identity and join types](https://learn.microsoft.com/en-us/azure/active-directory/devices/overview){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}
+
+**Join type**
+
+Join type refers to how devices are associated with Azure AD. For a device to authenticate to Azure AD, it must be registered or joined.
+
+Registering a device to Azure AD enables you to manage a device's identity.
When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs in to Azure AD. You can use the identity to enable or disable a device.
+
+When combined with a mobile device management (MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This feature allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see [Enroll devices for management in Intune](https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} in Intune.
+
+Joining a device is an extension to registering a device. It provides you with all the benefits of registering a device and changes the local state of a device. Changing the local state enables users to sign in to a device using an organizational, work, or school account instead of a personal account.
+
+**Azure AD registration**
+
+Azure AD registered devices support the bring your own device (BYOD) scenario. In BYOD, a user can access your organization's Azure AD controlled resources using a personal device.
+
+Learn more about Azure AD registered devices [here](https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}{:aria-label="Learn more about Azure AD registered devices here"}.
+
+**Azure AD join**
+
+Azure AD join is intended for organizations that desire to be cloud-first or cloud-only. There's no restriction on the size or type of organizations that can deploy Azure AD join. Azure AD join also works in a hybrid environment and can enable access to on-premises applications and resources.
+
+Learn more about Azure AD joined devices [here](https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}{:aria-label="Learn more about Azure AD joined devices"}.
+
+**Hybrid Azure AD join**
+
+For more than a decade, organizations have used the domain join to their on-premises Active Directory to enable:
+
+- IT departments to manage work-owned devices from a central location.
+- Users to sign in to their devices with their Active Directory work or school accounts.
+
+Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy to manage them.
+
+If your environment has an on-premises AD footprint and you want to benefit from the capabilities provided by Azure AD, you can implement hybrid Azure AD joined devices. These devices are joined to both your on-premises Active Directory and your Azure AD.
+
+Learn more about hybrid Azure AD joined devices [here](https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}{:aria-label="Learn more about hybrid Azure AD joined devices"}.
+
+**Mobile device management**
+
+Device management enables organizations to administer and maintain devices, including virtual machines, physical computers, mobile devices, and IoT devices. Microsoft Intune is the mobile device management (MDM) solution for the Microsoft 365 platform.
+
+# Prepare users to use Windows Hello
+
+### Using Windows Hello and biometrics
+
+If organization policy allows, users can employ biometrics (fingerprint and facial recognition) with WHfB, if the hardware supports it. Figure 1 displays the sign-in options available with WHfB.
+ +**Figure 1: Windows Hello Sign-in Options** + +![Figure 1: Windows Hello Sign-in Options]({{site.baseurl}}/assets/playbooks/whfb/01-Windows-Hello-Sign-In-Options.png) + +In establishing a policy requiring WHfB use in the workplace, you must educate users on how to use WHfB. + +After enrolling in WHfB, users should use their gesture (such as a PIN or fingerprint) for access to corporate resources. This gesture is only valid on the enrolled device. + +Although the organization may require users to change their Active Directory or Azure AD account password at regular intervals, password changes will not affect WHfB. + +Individuals using virtual or physical smart cards for authentication can use their virtual smart card to verify their identity when they set up WHfB. + +### WHfB and password changes + +The WHfB PIN or biometric gesture you establish at enrollment is specific to that device. You can, however, set up WHfB for the same account on multiple devices. If WHfB is not deployed and the password for that account changes, you must provide the new password on each device to continue WHfB use. + +**Example 1** + +Let's suppose you have set up a PIN for your Microsoft account on **Device A**. You use your PIN to sign in on **Device A** and then change the password for your Microsoft account. Since you were using **Device A** when you changed your password, the PIN on **Device A** will continue to work with no other action on your part. + +**Example 2** + +Suppose you sign in on **Device B** and change your password for your Microsoft account. The next time that you try to sign in on **Device A** using your PIN, sign-in will fail because the **Device A** account credentials will be outdated. + +**How to update WHfB after you change your password on another device** + +1. When you try to sign in using your PIN or biometric, you'll see the following message: **Your password was changed on a different device. 
You must sign in to this device once with your new password; then you can sign in with your PIN.** +2. Select **OK.** +3. Select **Sign-in options.** +4. Select **Password.** +5. Sign in with new password. +6. The next time that you sign in, you can select **Sign-in options \> PIN** to resume using your PIN. + +# WHfB policy configuration + +Windows Hello for Business can be enabled multiple ways through Microsoft Intune. The first method is through Windows Device Enrollment. This method can be used for devices that are Azure AD joined but have not yet enrolled in Intune. The second method, Device Configuration Profile, is used for devices already enrolled in Intune. + +## WHfB device enrollment configuration steps + +1. Open Microsoft Intune Admin Center. At the time of this writing, the URLs provided are correct. (In late 2023, the Intune Admin Center URL will be [https://intune.microsoft.com](https://intune.microsoft.com/){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. Microsoft is already making this change, so organizations can use both of the following URLs to access the Microsoft Intune Admin Center.) + + a. For commercial tenants, the URLs are: + 1. [https://endpoint.microsoft.com](https://endpoint.microsoft.com){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} + 2. [https://intune.microsoft.com](https://intune.microsoft.com){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} + + b. For Microsoft 365 Government Community Cloud High (GCC High) tenants, the URLs are + 1. [https://endpoint.microsoft.us](https://endpoint.microsoft.us){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} + 2. [https://intune.microsoft.us](https://intune.microsoft.us){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} + +2. 
From the **Devices \| Overview** page, select **Enroll devices** from the middle navigation pane. + + Figure 2 provides a screenshot of the Intune Devices | Overview page displaying the locale of **Enroll devices**. + + **Figure 2: Intune Devices \| Overview Page** + + ![Figure 2: Intune Devices \| Overview Page]({{site.baseurl}}/assets/playbooks/whfb/02-Intune-WHfB-Enrollment.png) + +3. By default, **Windows enrollment** is preselected on the **Enroll devices** page. Choose the button named **Windows Hello for Business.** Figure 3 displays the Intune Windows enrollment page. + + **Figure 3: Intune Windows Enrollment Page** + + ![Figure 3: Intune Windows Enrollment Page]({{site.baseurl}}/assets/playbooks/whfb/03-Intune-WHfB-Enrollment.png) + +4. A new blade appears on the right when Windows Hello for Business is selected. WHfB enrollment by default is **Enabled** and assigned to **All users**. This assignment cannot be changed and will always remain scoped to all users. In order to limit the scope of WHfB, disable this enrollment policy and instead proceed with deploying WHfB through a device configuration profile (detailed in the next section). Device configuration profiles can be assigned to user or device groups, and they can be used as a proof of concept, pilot, or gradual rollout of WHfB throughout the organization. + +Settings for this policy can be **Enabled, Not configured, or Disabled,** as shown in Figure 4. When not configured is selected, this setting acts as Disabled. + +**Figure 4: Windows Hello for Business Enrollment Policy Settings** + +![Figure 4: Windows Hello for Business Enrollment Policy Settings]({{site.baseurl}}/assets/playbooks/whfb/04-Intune-WHfB-Enrollment-Policy.png) + +After enabling the policy, a series of policy choices must be made. Recommended settings are as follows: + +
    +
  1. + Use a Trusted Platform Module: Required +
      +
    1. TPM 2.0 is required.
    2. +
    3. This is a requirement of the Windows 10/11 Defense Information Systems Agency's Security Technical Implementation Guide (DISA STIG) baseline.
    4. +
    +
  2. +
  3. + Minimum PIN length: 6 +
      +
    1. This is a requirement of the Windows 10/11 DISA STIG baseline.
    2. +
    +
  4. +
  5. + Maximum PIN length: 127 +
  6. +
  7. + Lowercase letters in PIN: Allowed +
  8. +
  9. + Uppercase letters in PIN: Allowed +
  10. +
  11. + Special characters in PIN: Allowed +
      +
    1. Requiring letters or special characters in a PIN may make users think it's a password rather than a PIN. They may reuse a device password from another cloud application.
    2. +
    3. It is recommended to leave the PIN as a numeric PIN.
    4. +
    +
  12. +
  13. + PIN expiration (days): Never +
  14. +
  15. + Remember PIN history: No +
  16. +
  17. + Allow biometric authentication: Yes +
  18. +
  19. + Use enhanced anti-spoofing, when available: Yes +
      +
    1. This is a requirement of the Windows 10/11 DISA STIG baseline.
    2. +
    3. This setting only applies to Intune enrolled and Azure AD joined devices.
    4. +
    5. This setting applies to biometric facial recognition.
    6. +
    7. What is anti-spoofing for facial recognition? An attacker with physical access to a Windows 10/11 device with WHfB set as the authentication method can use an Infrared (IR) photo of the user's face, save the frames to a custom USB device, and plug the USB into the computer. This tactic bypasses the built-in camera, and WHfB will search for frames on the external USB.
    8. +
    9. Microsoft fixed this vulnerability in Update KB 5005478 (Windows Hello CVE-2021-34466).
    10. +
    11. Read more here on the CyberArk website.
    12. +
    +
  20. +
  21. + Allow phone sign-in: Yes +
      +
    1. Only applies to portable devices that are configured to accept the WHfB PIN. Bluetooth is required as is additional configuration of the Policy CSPPassportforWork.
    2. +
    +
  22. +
  23. + Use security keys for sign-in: Not configured +
  24. +
  25. + Save the policy and begin enrolling devices in Intune via automatic enrollment settings. +
  26. +
+ +Figures 5 and 6 depict the policy choices that must be made when a WHfB policy is enabled. + +**Figure 5: Windows Hello for Business Enrollment Policy Settings 1** + +![Figure 5: Windows Hello for Business Enrollment Policy Settings 1]({{site.baseurl}}/assets/playbooks/whfb/05-Intune-WHfB-Enrollment-Policy-settings1.png) + +

+ +**Figure 6: Windows Hello for Business Enrollment Policy Settings 2** + +![Figure 6: Windows Hello for Business Enrollment Policy Settings 2]({{site.baseurl}}/assets/playbooks/whfb/06-Intune-WHfB-Enrollment-Policy-settings2.png) + +## WHfB device configuration profile steps + +1. Select **Devices** on the leftmost navigation pane. +2. Choose **Configuration profiles** from the middle navigation blade. +3. Select **Create profile**. +4. Set **Platform** : **Windows 10 and later**. +5. Set the **Profile type** : Select **Templates** \> **Identity protection**. +6. Select **Create**. + +Figure 7 depicts steps 1 through 6 for creating a device configuration profile. + +**Figure 7: Windows Device Configuration Profile Creation** + +![Figure 7: Windows Device Configuration Profile Creation]({{site.baseurl}}/assets/playbooks/whfb/07-Intune-WHfB-ConfigProfile.png) + +
    +
  1. As illustrated in Figure 8, enter the following properties in Basics : +
      +
    1. Enter Name : Enter a descriptive name for the new profile. Name your policies so you can easily identify them later.
    2. +
    3. Description : Enter a description for the profile.
    4. +
    5. Select Next to continue.
    6. +
    +
  2. +
+ +**Figure 8: Windows Device Configuration Profile Name and Description** + +![Figure 8: Windows Device Configuration Profile Name and Description]({{site.baseurl}}/assets/playbooks/whfb/08-Intune-WHfB-ConfigProfile-name.png) + +In **Configuration settings** (see Figure 9), configure the following settings: + +
    +
  1. + Configure Windows Hello for Business: Enabled +
  2. +
  3. + Minimum PIN length: 6 +
      +
    1. This is a requirement of the Windows 10/11 DISA STIG baseline.
    2. +
    +
  4. +
  5. + Maximum PIN length: 127 +
  6. +
  7. + Lowercase letters in PIN: Allowed +
  8. +
  9. + Uppercase letters in PIN: Allowed +
  10. +
  11. + Special characters in PIN: Allowed +
  12. +
  13. + PIN expiration (days): Never +
  14. +
  15. + Remember PIN history: No +
  16. +
  17. + Enable PIN recovery: Enable +
  18. +
  19. + Use a Trusted Platform Module (TPM): Enable +
      +
    1. This is a requirement of the Windows 10/11 DISA STIG baseline.
    2. +
    +
  20. +
  21. + Allow biometric authentication: Enable +
  22. +
  23. + Use enhanced anti-spoofing, when available: Enable +
      +
    1. This is a requirement of the Windows 10/11 DISA STIG baseline.
    2. +
    +
  24. +
  25. + Certificate for on-premise resources: Not configured +
  26. +
  27. + Use security keys for sign-in: Not configured +
  28. +
+ +Select **Next** to continue. + +**Figure 9: Windows Device Configuration Policy Settings** + +![Figure 9: Windows Device Configuration Policy Settings]({{site.baseurl}}/assets/playbooks/whfb/09-Intune-WHfB-ConfigProfile-settings.png) + +
    +
  1. + In Assignments (see Figure 10), select the user or device group(s) that will receive this profile. When the phased implementation is near completion, simplify the assignments by removing the existing user or device groups and select Add all users or Add all devices instead. +
      +
    1. + Note: To assign multiple users to a device, specify that the WHfB policy be applied to devices. If the policy is applied to users, only one user can be provisioned to a device. If all devices will be assigned to individual users, then user groups will be sufficient. +
    2. +
    3. + Under Included Groups, select the Add Groups button. A blade will appear on the right to choose one or multiple groups. +
    4. +
    5. + Select your groups and click Select at the bottom. The group will appear under Included Groups. +
    6. +
    7. + Repeat for Excluded Groups, specifying any groups you want to exclude from WHfB. +
    8. +
    9. + Select Next to continue with Applicability Rules. +
    10. +
    +
  2. +
+ +**Figure 10: Windows Device Configuration Group Assignment** + +![Figure 10: Windows Device Configuration Group Assignment]({{site.baseurl}}/assets/playbooks/whfb/10-Intune-WHfB-ConfigProfile-assignments.png) + +
    +
  1. In Applicability Rules (see Figure 11), use the Rule, Property, and Value options to define how this profile applies within assigned groups. Intune applies the profile to devices that meet the rules you enter.
  2. +
+ +**Figure 11: Windows Device Configuration Applicability Rules** + +![Figure 11: Windows Device Configuration Applicability Rules]({{site.baseurl}}/assets/playbooks/whfb/11-Intune-WHfB-ConfigProfile-applicability.png) + +
    +
  1. + Applicability rules for this profile are Assign profile if or Don't assign profile if (see Figure 12). +
  2. +
  3. + The available properties are OS Edition (Windows 10/11 Education, Professional, Enterprise, Home, etc.). +
  4. +
  5. + The OS version refers to a specific build number for Windows 10/11. For example: 10.0.10240, 10.0.19045, etc. +
  6. +
  7. + Select Next. +
  8. +
+ +**Figure 12: Windows Device Configuration Applicability Rules Review** + +![Figure 12: Windows Device Configuration Applicability Rules Review]({{site.baseurl}}/assets/playbooks/whfb/12-Intune-WHfB-ConfigProfile-applicability2.png) + +
    +
  1. In Review + create (see Figure 13), review your settings. Select Create to save your changes; the profile is assigned. The policy is also shown in the profiles list from step 2 in this section.
  2. +
+ +**Figure 13: Windows Hello for Business Configuration Profile Completion** + +![Figure 13: Windows Hello for Business Configuration Profile Completion]({{site.baseurl}}/assets/playbooks/whfb/13-Intune-WHfB-ConfigProfile-review.png) + + +# WHfB user experience + +This section details the user experience for setting up Windows Hello for Business. The minimum device requirements for fingerprint and facial recognition sensors can be found [here](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#has-microsoft-set-any-device-requirements-for-windows-hello){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}{:aria-label="The minimum device requirements for fingerprint and facial recognition sensors can be found here"}. + +By default, users will be prompted for facial recognition and PIN creation if biometric authentication is enabled. Fingerprints can be added later from the **Settings \> Accounts \> Sign-in options** menu. + +## First time setup for new device/PIN creation + +Enter the username and password for an Azure AD user on a Windows 10 or 11 device, as shown in Figure 14. + +**Figure 14: Windows Sign-in** + +![Figure 14: Windows Sign-in]({{site.baseurl}}/assets/playbooks/whfb/14-FirstTimeSetUp.png) + +As shown in Figure 15, the user is prompted to set up WHfB. + +**Figure 15: Windows Hello Setup Prompt** + +![Figure 15: Windows Hello Setup Prompt]({{site.baseurl}}/assets/playbooks/whfb/15-WHfb-prompt.png) + +The MFA challenge only occurs on the first sign-in to Windows when setting up Windows Hello. The user will receive a push notification or number-matching prompt on the Microsoft Authenticator mobile application. By default, Windows does not offer additional MFA with the Microsoft Authenticator app on Windows Sign-ins. Figure 16 shows the Microsoft Authenticator prompt. 
+ +**Figure 16: Microsoft Authenticator Request** + +![Figure 16: Microsoft Authenticator Request]({{site.baseurl}}/assets/playbooks/whfb/16-WHfb-mfa.png) + +To view Microsoft Authenticator application setup instructions, please follow this link to [Windows Hello for Business – Microsoft Authenticator Setup for iOS & Android](#windows-hello-for-business-microsoft-authenticator-setup-for-ios-and-android). + +Based on the WHfB Enrollment or Identity Protection policy previously discussed, the PIN can be numeric or alphanumeric, with or without special characters. Figure 17 provides a screenshot of the PIN setup screen. + +**Figure 17: Windows PIN Creation** + +![Figure 17: Windows PIN Creation]({{site.baseurl}}/assets/playbooks/whfb/17-WHfB_1st_pin_setup.png) + +Once the PIN is successfully created, the screen shown in Figure 18 will appear. + +**Figure 18: Windows PIN Completion** + +![Figure 18: Windows PIN Completion]({{site.baseurl}}/assets/playbooks/whfb/18-WHfB-allset.png) + +After signing out once, WHfB is configured with a PIN (minimum requirement), as shown in Figure 19. + +**Figure 19: Windows Sign-in with PIN** + +![Figure 19: Windows Sign-in with PIN]({{site.baseurl}}/assets/playbooks/whfb/19-whfb_sign_out_experience.png) + +# Windows Hello for Business: Microsoft Authenticator Setup for iOS and Android + +## iOS - Microsoft Authenticator setup + +[Download and install the Microsoft Authenticator app - Microsoft Support](https://support.microsoft.com/en-us/account-billing/download-and-install-the-microsoft-authenticator-app-351498fc-850a-45da-b7b6-27e523b8702a){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} + +1. Install the latest version of the Authenticator app for Apple iOS (see Figure 20). 
On your Apple iOS device, go to the App Store to [download and install the Authenticator app.](https://support.microsoft.com/en-us/account-billing/download-and-install-the-microsoft-authenticator-app-351498fc-850a-45da-b7b6-27e523b8702a){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} + +**Figure 20: iOS App Store Microsoft Authenticator Install** + +![Figure 20: iOS App Store Microsoft Authenticator Install]({{site.baseurl}}/assets/playbooks/whfb/20-WHfB-iOS-SetUp.png) + +
    +
  1. Set up two-step verification on Authenticator. To secure your account, the Authenticator app can provide you with a code that provides additional verification. There is no need to wait for texts or calls. The following instructions ensure only you can access your information.
  2. +
  3. Set up the Authenticator app (see Figure 21). After you install the Authenticator app, follow the steps below to add your account: +
      +
    1. Open the Authenticator app on your mobile device.
    2. +
    +
  4. +
+Select **Next** on your Windows device to begin the Microsoft Authenticator setup process. + +**Figure 21: Windows and Microsoft Authenticator Setup** + +![Figure 21: Windows and Microsoft Authenticator SetupFigure 21: Windows and Microsoft Authenticator Setup]({{site.baseurl}}/assets/playbooks/whfb/21-WHfB-iOS-MSAuth-Setup.png) + +On your phone, select **Work or school account** , as shown in Figure 22. + +**Figure 22: Microsoft Authenticator Work or School Account Selection** + +![Figure 22: Microsoft Authenticator Work or School Account Selection]({{site.baseurl}}/assets/playbooks/whfb/22-WHfB-iOS-MSAuth-account.png) + +Select **OK** when prompted to allow the camera to scan the QR code (see Figure 23). Doing so allows the Authenticator app to access the camera on your phone to scan QR codes for account setup. + +**Figure 23: Microsoft Authenticator for iOS Allow Camera Access** + +![Figure 23: Microsoft Authenticator for iOS Allow Camera Access]({{site.baseurl}}/assets/playbooks/whfb/23-WHfB-iOS-MSAuth-camera.png) + +
+
+

Note:

+

The first time you set up the Microsoft Authenticator app, you might receive a prompt asking whether to allow the app to access your camera. You must select Allow so the authenticator app can access your camera to take a picture of the QR code in the next step. If you don't allow camera access, you can still set up the Authenticator app, but you'll need to add the code information manually.

+
+
+
+Select **Next**.
+
+**Figure 24: Microsoft Authenticator for iOS Account Setup**
+
+![Figure 24: Microsoft Authenticator for iOS Account Setup]({{site.baseurl}}/assets/playbooks/whfb/24-WHfB-iOS-MSAuth-next.png)
+
+Point your camera at the QR code (see Figure 25) or follow the instructions provided in your account settings and click **Next** and **Allow** when prompted to allow the camera to scan the QR code.
+
+**Figure 25: Microsoft Authenticator for iOS Scan QR Code**
+
+![Figure 25: Microsoft Authenticator for iOS Scan QR Code]({{site.baseurl}}/assets/playbooks/whfb/25-WHfB-iOS-MSAuth-qrcode.png)
+
+Select **Allow** (see Figure 26) to allow notifications from the Microsoft Authenticator app.
+
+**Figure 26: Microsoft Authenticator for iOS Allow Notifications**
+
+![Figure 26: Microsoft Authenticator for iOS Allow Notifications]({{site.baseurl}}/assets/playbooks/whfb/26-WHfB-iOS-MSAuth-qrcode-scan.png)
+
+A notification will be sent to your device. Tap **Approve** when the notification appears, as shown in Figure 27. This process will be the means for authenticating sign-ins from now on.
+
+**Figure 27: Microsoft Authenticator for iOS Approve Sign-in**
+
+![Figure 27: Microsoft Authenticator for iOS Approve Sign-in]({{site.baseurl}}/assets/playbooks/whfb/27-WHfB-iOS-MSAuth-appsignin.png)
+
+When the screen shown in Figure 28 appears on your computer, click **Next.**
+
+**Figure 28: Microsoft Authenticator Notification Approved**
+
+![Figure 28: Microsoft Authenticator Notification Approved]({{site.baseurl}}/assets/playbooks/whfb/28-WHfB-iOS-MSAuth-notifapp.png)
+
+Select **Next** after verifying the 6-digit code, as illustrated in Figure 29.
+
+**Figure 29: Multi-Factor Authentication SMS One-time passcode**
+
+![Figure 29: Multi-Factor Authentication SMS One-time passcode]({{site.baseurl}}/assets/playbooks/whfb/29-WHfB-iOS-MSAuth-smsotp.png)
+
+Select **Next** when you receive the verification message shown in Figure 30.
+
+**Figure 30: Multi-Factor Authentication SMS Completed**
+
+![Figure 30: Multi-Factor Authentication SMS Completed]({{site.baseurl}}/assets/playbooks/whfb/30-WHfB-iOS-MSAuth-smsverif.png)
+
+Congratulations! Multi-Factor Authentication for Windows Hello for Business is set up when the screen shown in Figure 31 appears. Select **Done.**
+
+**Figure 31: Multi-Factor Authentication Setup Complete**
+
+![Figure 31: Multi-Factor Authentication Setup Complete]({{site.baseurl}}/assets/playbooks/whfb/31-WHfB-iOS-MSAuth-complete.png)
+
+## Android – Microsoft Authenticator setup
+
+
+Download and install the app:
+
+1. Install the latest version of the Authenticator app for Google Android.
+
+ **Figure 32: Microsoft Authenticator for Android Account Setup**
+
+ ![Figure 32: Microsoft Authenticator for Android Account Setup]({{site.baseurl}}/assets/playbooks/whfb/32-WHfB-Android-MSAuth.png)
+
+2. On your Android device, go to Google Play to [download and install the Authenticator app](https://play.google.com/store/search?q=microsoft+authenticator&c=apps){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}.
+3. **Install, download,** and **open the Microsoft Authenticator** app from the **Google Play Store** (see Figure 33).
+
+ **Figure 33: Google Play Store Microsoft Authenticator Install**
+
+ ![Figure 33: Google Play Store Microsoft Authenticator Install]({{site.baseurl}}/assets/playbooks/whfb/33-WHfB-Android-MFA-appinstall.png)
+
+4. Select **Add account** , as shown in Figure 34.
+
+ **Figure 34: Microsoft Authenticator for Android Add Account**
+
+ ![Figure 34: Microsoft Authenticator for Android Add Account]({{site.baseurl}}/assets/playbooks/whfb/34-WHfB-Android-MFA-addacct.png)
+
+5. Select **Work or school account** (seeFigure 35).
+
+ **Figure 35: Microsoft Authenticator for Android Account Type Selection**
+
+ ![Figure 35: Microsoft Authenticator for Android Account Type Selection]({{site.baseurl}}/assets/playbooks/whfb/35-WHfB-Android-MFA-accttype.png)
+
+6. Choose **Scan a QR code** (see Figure 36).
+
+ **Figure 36 : Microsoft Authenticator for Android Work or School Account Setup**
+
+ ![Figure 36 : Microsoft Authenticator for Android Work or School Account Setup]({{site.baseurl}}/assets/playbooks/whfb/36-WHfB-Android-MFA-qrcode.png)
+
+ **Note** : The first time you set up the Microsoft Authenticator app, you might receive a prompt asking whether to allow the app to take pictures and record video. You must select **Allow** so the Authenticator app can access your camera to take a picture of the QR code in the next step. If you don't allow camera access, you can still set up the Authenticator app, but you'll need to add the code information manually.
+
+7. Select **Next** to proceed with the QR code scan (see Figure 37).
+
+ **Figure 37: Microsoft Authenticator for Android Account Setup**
+
+ ![Figure 37: Microsoft Authenticator for Android Account Setup]({{site.baseurl}}/assets/playbooks/whfb/37-WHfB-Android-MSAuth-next.png)
+
+8. Microsoft Authenticator displays a QR Code (see Figure 38). Using the QR scanner on your device, scan the QR code shown. Then, click **Next**.
+
+ **Figure 38: Microsoft Authenticator for Android QR Code Scan**
+
+ ![Figure 38: Microsoft Authenticator for Android QR Code Scan]({{site.baseurl}}/assets/playbooks/whfb/38-WHfB-Android-MSAuth-qrcode.png)
+
+9. Use the phone camera to scan the QR code, as shown in Figure 39.
+
+ **Figure 39: Microsoft Authenticator for Android Scan QR Code Camera View**
+
+ ![Figure 39: Microsoft Authenticator for Android Scan QR Code Camera View]({{site.baseurl}}/assets/playbooks/whfb/39-WHfB-Android-MSAuth-qrcode2.png)
+
+ The Microsoft Authenticator app will display **Account added successfully** once the scan is finished, as shown in Figure 40.
+
+ **Figure 40: Microsoft Authenticator for Android Account Added**
+
+ ![Figure 40: Microsoft Authenticator for Android Account Added]({{site.baseurl}}/assets/playbooks/whfb/40-WHfB-Android-MSAuth-acctadd.png)
+
+10. Respond **Approve** to the push notification to approve the sign-in (see Figure 41).
+
+ **Figure 41: Microsoft Authenticator for Android Push Notification**
+
+ ![Figure 41: Microsoft Authenticator for Android Push Notification]({{site.baseurl}}/assets/playbooks/whfb/41-WHfB-Android-MSAuth-pushnotif.png)
+
+11. The screen depicted in Figure 42 appears after tapping **Approve** on your device. Click **Next** on your computer.
+
+ **Figure 42: Microsoft Authenticator for Android App Notification Approved**
+
+ ![Figure 42: Microsoft Authenticator for Android App Notification Approved]({{site.baseurl}}/assets/playbooks/whfb/42-WHfB-Android-MSAuth-notifapp.png)
+
+ Enter a phone number when prompted to receive text message notifications to ensure your security information is up to date.
+
+ On the **Phone** page, type the phone number for your mobile device. Choose **Text me a code**. Then select **Next**.
+
+12. Enter a valid phone number to configure a one-time passcode as a backup authentication method (see Figure 43). Click **Next** to receive a text message containing the one-time passcode.
+
+ **Figure 43: Multi-Factor Authentication Phone Number Setup**
+
+ ![Figure 43: Multi-Factor Authentication Phone Number Setup]({{site.baseurl}}/assets/playbooks/whfb/43-WHfB-Android-MSAuth-smsstart.png)
+
+13. Enter the one-time passcode from the text message (illustrated in Figure 44). Then select **Next**.
+
+ **Figure 44: Multi-Factor Authentication SMS One-Time Passcode**
+
+ ![Figure 44: Multi-Factor Authentication SMS One-Time Passcode]({{site.baseurl}}/assets/playbooks/whfb/44-WHfB-Android-MSAuth-smsotp.png)
+
+ Your security information will now be updated and you can use text messaging to verify your identity when using two-step verification or password reset.
+
+14. SMS verification is complete when the screen shown in Figure 45 appears. Select **Next**.
+
+ **Figure 45: Multi-Factor Authentication SMS Complete**
+
+ ![Figure 45: Multi-Factor Authentication SMS Complete]({{site.baseurl}}/assets/playbooks/whfb/45-WHfB-Android-MSAuth-smscomp.png)
+
+15. Congratulations! Multi-factor authentication has now been set up (see Figure 46). Select **Done.**
+
+ **Figure 46: Multi-Factor Authentication Complete**
+
+ ![Figure 46: Multi-Factor Authentication Complete]({{site.baseurl}}/assets/playbooks/whfb/46-WHfB-Android-MSAuth-complete.png)
+
+## Windows infrared camera biometric set-up
+
+Facial recognition can be set up during Windows Hello enrollment or after by visiting **Settings \> Accounts \> Sign-in options \> Facial recognition**. To learn more about Windows Hello facial recognition and how the infrared camera prevents spoofing click [here](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication#benefits-of-near-infrared){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}{:aria-label="learn more about Windows Hello facial recognition and how the infrared camera prevents spoofing"}.
+
+Choose **Get started** to begin the facial recognition process (see Figure 47).
+
+**Figure 47: Windows Hello for Business Facial Recognition Setup**
+
+![Figure 47: Windows Hello for Business Facial Recognition Setup]({{site.baseurl}}/assets/playbooks/whfb/47-WHfB-Camera-start.png)
+
+The user will receive a prompt to center their face in the camera (see Figure 48). A square will appear around the user's face. The user must keep their eyes on the camera during this time. The square will highlight green around the perimeter of the square as Windows records and maps the user's face.
+
+**Figure 48: Windows Hello for Business Facial Recognition Scan**
+
+![Figure 48: Windows Hello for Business Facial Recognition Scan]({{site.baseurl}}/assets/playbooks/whfb/48-WHfB-Camera-facescan.png)
+
+Once the facial scanning is complete, the user will be prompted to improve recognition by taking another photo with or without glasses, if they have glasses (see Figure 49).
+
+**Figure 49: Windows Hello for Business Facial Recognition Complete**
+
+![Figure 49: Windows Hello for Business Facial Recognition Complete]({{site.baseurl}}/assets/playbooks/whfb/49-WHfB-Camera-finish.png)
+
+## Windows fingerprint biometric setup
+
+Increasingly, device vendors are adding built-in fingerprint sensors to keyboards. Sample keyboard layouts with built-in fingerprint sensors can be found [here](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-fingerprint-authentication#sample-keyboard-layouts){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}{:aria-label="Sample keyboard layouts with built-in fingerprint sensors can be found here"}. If a device does not have a built-in fingerprint sensor, a USB fingerprint sensor can be used with Windows Hello for Business.
+
+Fingerprint setup can occur during Windows Hello enrollment or afterward by visiting **Settings \> Accounts \> Sign-in options \> Fingerprint recognition**. Multiple fingerprints can be registered with Windows Hello.
+
+Begin by touching your thumb or another finger to the fingerprint sensor, as shown in Figure 50.
+
+**Figure 50: Windows Hello for Business Fingerprint Setup**
+
+![Figure 50: Windows Hello for Business Fingerprint Setup]({{site.baseurl}}/assets/playbooks/whfb/50-WHfB-Fingerprint-start.png)
+
+Follow the prompts to lift your finger and touch the sensor again in order to map the entire print (see Figures 51 through 54).
+
+**Figure 51: Windows Hello for Business Fingerprint Scan 1**
+
+![Figure 51: Windows Hello for Business Fingerprint Scan 1]({{site.baseurl}}/assets/playbooks/whfb/51-WHfB-Fingerprint-scan1.png)
+
+**Figure 52: Windows Hello for Business Fingerprint Scan 2**
+
+![Figure 52: Windows Hello for Business Fingerprint Scan 2]({{site.baseurl}}/assets/playbooks/whfb/52-WHfB-Fingerprint-scan2.png)
+
+**Figure 53: Windows Hello for Business Fingerprint Scan 3**
+
+![Figure 53: Windows Hello for Business Fingerprint Scan 3]({{site.baseurl}}/assets/playbooks/whfb/53-WHfB-Fingerprint-scan3.png)
+
+**Figure 54: Windows Hello for Business Fingerprint Scan Complete**
+
+![Figure 54: Windows Hello for Business Fingerprint Scan Complete]({{site.baseurl}}/assets/playbooks/whfb/54-WHfB-Fingerprint-complete.png)
+
+If users choose to do so, they can add multiple fingerprints for improved recognition.
+
+## Windows security key setup
+
+Security keys also can be used for Windows Hello for Business authentication. This feature can be configured through the WHfB **Enrollment Policy** settings or the **Identity Protection Device Configuration Profile**. Users can also set up security keys through the Windows **Settings \> Accounts \> Sign-in options \> Security key.**
+
+Additional methods for enabling Windows security keys can be found [here](https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-windows#enable-security-keys-for-windows-sign-in){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}.
+
+# Windows Hello for Business FAQs
+
+Some of the most commonly asked questions about WHfB are presented below. A full list of common questions can be found [here](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-faq){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}{:aria-label="A full list of common questions can be found here"}.
+
+**What's the difference between Windows Hello and Windows Hello for Business?**
+
+Windows Hello represents the biometric framework provided in Windows. Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.
+
+**Where is the Windows Hello biometrics data stored?**
+
+When you enroll in Windows Hello, a representation of your biometrics, called an enrollment profile, is created. More information can be found on [Windows Hello face authentication](https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details, see [Windows Hello biometrics in the enterprise](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}.
+
+**What happens when a user forgets their PIN?**
+
+If the user can sign in with a password, they can reset their PIN by selecting the **I forgot my PIN** link in the Settings app. Users can reset their PIN from the lock screen by selecting the **I forgot my PIN** link on the PIN credential provider.
+
+For on-premises deployments, devices must be connected to their on-premises network (domain controllers and/or certificate authority) to reset PINs. Hybrid deployments can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs. Non-destructive PIN reset works without access to the corporate network. Destructive PIN reset requires access to the corporate network. For more details about destructive and non-destructive PIN reset, see [PIN reset](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}. The Microsoft PIN reset service is not available for Azure Government tenants. Enabling PIN recovery is possible for Azure Government tenants by [configuring allowed sign-in URLs](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset?tabs=intune#configure-web-sign-in-allowed-urls-using-microsoft-intune){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"} through Microsoft Intune, Group Policy Objects or a Configuration Service Providers (CSP).
+
+**Can I disable the PIN while using Windows Hello for Business?**
+
+No. The movement away from passwords is accomplished by gradually reducing the use of the password. In situations where you can't authenticate by using biometrics, you need a fallback mechanism that isn't a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics.
+
+**How many users can enroll for Windows Hello for Business on a single Windows device?**
+
+The maximum number of supported enrollments on a single device is 10. This lets 10 users each enroll their face and up to 10 fingerprints. For devices with more than 10 users, or for users that sign in to many devices (for example, a support technician), the use of FIDO2 security keys is recommended.
+
+**Can I use third-party MFA providers with Windows Hello for Business?**
+
+Yes, if you're using federated hybrid deployment, you can use any third-party that provides an AD FS MFA adapter. A list of third-party MFA adapters can be found [here](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}{:aria-label="A list of third-party MFA adapters"}.
+
+**Is Windows Hello for Business considered multi-factor authentication?**
+
+Windows Hello for Business is two-factor authentication based on the observed authentication factors of: _something you have_, _something you know_, and _something that's part of you_. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the something you know authentication factor with the something that is part of you factor, with the assurances that users can fall back to the something you know factor.
+
+**Can I use both a PIN and biometrics to unlock my device?**
+
+You can use _multi-factor unlock_ to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multi-factor unlock](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock){:target="_blank"}{:rel="noopener noreferrer"}{:class="usa-link usa-link--external"}.
\ No newline at end of file
diff --git a/_includes/alert-info.html b/_includes/alert-info.html
index 48184b07a..60da43d91 100644
--- a/_includes/alert-info.html
+++ b/_includes/alert-info.html
@@ -1,6 +1,6 @@
-
+

{{include.heading}}

-

{{include.content}}

+

{{include.content | markdownify }}

-
+
\ No newline at end of file diff --git a/_includes/alert-success.html b/_includes/alert-success.html index a48ef8957..0ccc762f4 100644 --- a/_includes/alert-success.html +++ b/_includes/alert-success.html @@ -1,6 +1,6 @@ -
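Review bot: `{{include.content | markdownify }}` now renders the alert body as Markdown, and with Jekyll's default kramdown converter any raw HTML inside that text is passed through to the page unescaped; that is acceptable as long as `content` is only ever set from repo-authored templates and front matter, but the partial should state the contract, e.g. `{% comment %}content is rendered as Markdown (inline HTML passes through unescaped) - pass repo-authored text only{% endcomment %}`. markdownify also wraps its output in a paragraph element, so if the enclosing element is itself a `<p>` (the surrounding tags are not visible in this view) the rendered alert will contain nested paragraphs; worth checking in the built page. The same change, with the same caveats, is made in `_includes/alert-success.html` and `_includes/alert-warning.html`.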
+

{{include.heading}}

-

{{include.content}}

+

{{include.content | markdownify }}

-
+
\ No newline at end of file diff --git a/_includes/alert-warning.html b/_includes/alert-warning.html index 60aa26975..0aca2d1b0 100644 --- a/_includes/alert-warning.html +++ b/_includes/alert-warning.html @@ -1,6 +1,6 @@ -
+

{{include.heading}}

-

{{include.content}}

+

{{include.content | markdownify }}

-
+
\ No newline at end of file diff --git a/_includes/footer.html b/_includes/footer.html index 10adec127..9fe5f82ff 100644 --- a/_includes/footer.html +++ b/_includes/footer.html @@ -1,19 +1,22 @@ + + +
@@ -53,7 +56,7 @@
Looking for U.S. government information and services?
- Visit USA.gov + Visit USA.gov {% include components/github-edit.html footer=footer path=page.path %}
diff --git a/_includes/header.html b/_includes/header.html index 1308cb9a6..4b03dee07 100644 --- a/_includes/header.html +++ b/_includes/header.html @@ -9,7 +9,7 @@
- {% asset us_flag_small.png class="usa-banner__header-flag" alt="U.S. flag" %} + U.S. flag

An official website of the United States government

@@ -23,7 +23,7 @@
- {% asset icon-dot-gov.svg class="usa-banner__icon usa-media-block__img" alt="Dot gov" %} + Dot gov

The .gov means it’s official. @@ -34,7 +34,7 @@
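Review bot: The `{% asset us_flag_small.png ... %}` tag is replaced by what appears to be a plain image element (only the alt text `U.S. flag` survives in this view), so the image path is now a literal rather than one resolved by the assets pipeline; make sure its `src` is prefixed with `{{ site.baseurl }}` the way the figure links elsewhere in this commit are, or the banner icons will 404 on a deployment served under a sub-path. The same replacement is made for the `Dot gov` and `Https` icons in the two hunks that follow, and the alt text is retained on each, which is correct for the USWDS banner. Since the new markup is not visible here, this is inferred from the surviving text.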

- {% asset icon-https.svg class="usa-banner__icon usa-media-block__img" alt="Https" %} + Https

The site is secure. @@ -49,4 +49,4 @@

-
\ No newline at end of file +
diff --git a/_includes/hero.html b/_includes/hero.html index 530f4e3cb..9ce730561 100644 --- a/_includes/hero.html +++ b/_includes/hero.html @@ -2,13 +2,408 @@ This will be displayed on the homepage. Ideally, you want to highlight key goals of the website {% endcomment %} -
+ + + + +
+
-
-

FICAM:Protecting Digital Identities & Assets -

-

Use the FICAM Architecture to implement best practices in securing and protecting federal information systems.

- FICAM Architecture -
-
+ + + +
+
+ +
+ + + + + + + + + + + diff --git a/_includes/highlights.html b/_includes/highlights.html index c9bc6f897..b402a7d43 100644 --- a/_includes/highlights.html +++ b/_includes/highlights.html @@ -3,64 +3,345 @@ eight. {% endcomment %} -
+ + + + + +
+
+
+
+

+

Partner with us

+

+
    +
  • +
    +
    +

    Vendors

    +
    + + +
    +
    +

    + Sell your identity, credential, and access management ICAM products and services to the federal government. +

    +
    + +
    +
  • +
  • +
    +
    +

    Acquisition professionals

    + +
    + + +
    +
    +

    + Adopt innovative identity, credential, and access nanagement ICAM products and services to meet your agency's mission-needs. +

    +
    + +
    +
  • +
  • +
    +
    +

    Program managers

    +
    + + +
    +
    +

    + Govern and operate ICAM systems and services. +

    +
    +
    +
  • +
+
+
+
+
+ + + +
+
+

Functions

+

+ +
+
    +
  • +
    +
    +

    FICAM program management office

    +
    +
    +
    + FICAM program management office +
    +
    +
    +
    +

    + The Federal, Identity, Credential, and Access Management program management office is a collaboration with the Federal CIO Council to mature agency ICAM practices and processes through governmentwide guidance like the FICAM architecture and playbooks on idmanagement.gov. +

    +
    +
    + +
    -
    -
- -
-
-
- {% asset arch-icon.png class="usa-media-block__img" alt="Buy Products and Services" %} -
-
-
-

Acquisition Professionals

-

Adopt innovative Identity, Credential, and Access Management (ICAM) products and services to meet your agency’s mission-needs.

- Start Research + + +
+
+
    +
  • +
    +
    +

    Federal public key infrastructure governance

    +
    +
    +
    + Federal public key infrastructure governance +
    +
    +
    +
    +

    This page contains information to help Federal Public Key Infrastructure (FPKI) program managers and auditors. It includes the FPKI policies and profiles, annual FPKI annual review schedule, tools for compliance submissions, and information on compliance status of Federal PKI Certification Authorities.

    +
    +
    + +
    +
  • +
  • +
    +
    +

    FIPS 201 evaluation program

    +
    +
    +
    + FIPS 201 evaluation program +
    +
    +
    +
    +

    The Federal information processing standard 201 evaluation program tests and certifies services and commercial products.

    +
    + +
    +
    +
    +
    -
    -
- - -
-
-
- {% asset playbook-icon.png class="usa-media-block__img" alt="FICAM Governance" %} -
-
-
-

Program Managers

-

Govern and operate FICAM-compliant systems and services.

- Collaborate with Us + +
  • +
    +
    +

    GSA PKI shared service provider program

    +
    +
    +
    + GSA PKI shared service provider program +
    +
    +
    +
    +

    The General Services Administration GSA, Office of Government-wide Policy, manages the GSA Public Key Infrastructure Shared Services Provider program. The primary program focus is to help agencies meet the policy intent of Homeland Security Presidential Directive 12, as well as achieve digital signature interoperability.

    +
    +
    + +
    +
  • + +
    +

    +

    Playbooks

    +

    + +
    +
      + {% assign playbooks = site.data.playbooks | sort: "title" %} + {% for playbook in playbooks %} +
    • +
      +
      +

      {{playbook.title}}

      +
      +
      +
      + {{playbook.title}}
      +
      +
      +

      {{playbook.description}}

      +
      +
      +
      -
    - -
    -
    + + {% if forloop.index == 3 %} + +
    +
    +
      + {% endif %} + {% endfor %} +
    +
    + +
    diff --git a/_includes/logo.html b/_includes/logo.html index aab77f98e..4e3ed2223 100644 --- a/_includes/logo.html +++ b/_includes/logo.html @@ -1,3 +1,4 @@ diff --git a/_includes/menu.html b/_includes/menu.html index 08271ef83..1740d1420 100644 --- a/_includes/menu.html +++ b/_includes/menu.html @@ -10,7 +10,7 @@
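Review bot: The new Acquisition professionals card copy reads `access nanagement ICAM products and services`, a typo for `management` that will ship on the homepage, and the FICAM PMO card has a stray comma in `The Federal, Identity, Credential, and Access Management program management office`. Separately, the playbook grid starts its second column at `{% if forloop.index == 3 %}`, which hard-codes the split to the current size of `site.data.playbooks`; if a playbook is added or removed the columns go unbalanced. Deriving the break from the list instead, `{% assign split_at = playbooks.size | divided_by: 2 %}` before the loop and `{% if forloop.index == split_at %}` inside it, keeps the layout stable. The surrounding markup is not visible in this view, so the HTML structure itself cannot be reviewed here.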