GPO PKI Services - Getting Started

1. GPO PKI – Getting Started U.S. Government Publishing Office April 21, 2017

2. Agenda • About GPO PKI • Using GPO PKI for OFR eDOCS • GPO PKI Services

3. About GPO PKI • Shared Service Provider (SSP) certification – July 2007 • Cross-Certified with Federal Bridge Certification Authority since December 2005 • Meets all Federal PKI requirements • In operation at GPO since 2004

4. GPO PKI Services • End User Certificates • Medium Assurance Level (federal PKI) • Requires in-person identity proofing for Users • End user must present themselves in person to the RA or LRA • Two options: • At GPO Main Office • Agency Local Registration Authority (LRA) • Agency LRA personnel require a hardware token • LRA personnel (agency) must be identity proofed at GPO • Hardware token required due to sensitive nature of enrollment function performed • LRA enrolls other agency personnel at agency– record keeping requirements • Agency users must present themselves in person to LRA at agency

5. GPO PKI Services • Help Desk • GPO provides technical assistance to users • Email notification by users to GPO • Automatically routed to GPO PKI support • Phone number provided for emergencies • Agency IT Help Desk • Most agency end users to coordinate IT problem reporting and resolution through the agency IT Help Desk • GPO will work with agencies and PKI end users • GPO will always provide technical assistance to resolve end user PKI problems • May involve IT problems at the agency and agency will need to resolve those

6. Certificate Uses • File signing • eDOCS, for example • File encryption • Email encryption and signing (S/MIME) • For Outlook email • Other uses are possible, in consultation with GPO PKI

7. OFR eDOCS PKI • Background • OFR eDOCS application • Hosted by GPO on behalf of OFR • Allows digital submission of digitally signed files • Saves time and money • Requires official agency submitter to have PKI certificate • Required Medium Assurance PKI certificate • Requires In-Person Identity Proofing • GPO PKI services for the OFR eDOCS application • In Operation since September 16, 2006 • OFR eDOCS originally used NFC PKI (pre Sept. 2006)

8. eDOCS Document Submission Process Step 1 End user logs into GPO PKI end user software (COTS client software meeting FIPS 140-2 and Federal PKI standards from Entrust, configured by GPO to interface to the FBCA cross-certified GPO PKI). User enters appropriate password (from certificate issuance process, for initial password). Step 2 End user locates the file to be signed using Windows operating system process. Step 3 End user RIGHT CLICKS on the file to be signed. Step 4 End User selects Digitally Sign File…. Step 5 End User completes prompts to complete signing process. Step 6 GPO PKI software signs the file. Step 7 End user uploads the signed document to the OFR Web Portal. User uploads file selected and signed. Step 8 Process COMPLETE.

9. GPO PKI Services – Cost Structure • Cost Structure • End User Certificates • $150.00 per user per year • NOTE: Software certificate (does not apply to smartcard certificate) • LRA Users • $350.00 per LRA per year (includes hardware token) • LRA’s perform enrollment of agency users for GPO PKI • Costs documented in GPO Circular Letter 943 • URL: https://beta.gpo.gov/docs/default-source/circular-letters-pdf-files/2015/cir943.pdf • Business Enablement • SF-1 Form executed for GPO • Printing Officers at each federal agency – liaison to GPO • Memorandum of Agreement • Spells out roles and responsibilities

10. GPO PKI Services – Getting Started Step 1: Execute a Standard Form 1 (SF-1) and send to GPO • Send to: Bobbie McKoy at GPO (contact information on last slide) • Sample SF-1 shown on a later slide • Identify the Number of End Users that will have Certificates • Decide if Agency will use Local Registration Authority (LRA) function Step 2: Execute Memorandum of Agreement and send to GPO • Spells out Roles and Responsibilities • Send to: John Hannan at GPO at jhannon@gpo.gov Step 3: Ensure Agency IT Support staff know about: • A: Entrust Software installation on end user computers • Agencies normally review and certify software for use on Agency computers • B: Firewall Settings Required (see next slide) • Firewall changes may be needed at some Agencies (depends on Agency controls) • C: Help Desk Notification for End User Problems • Decide how Agency End Users will request Help Desk support for PKI problems • Most common model: End Users notify Agency Help Desk (using standard agency procedures) • Agency Help Desk notifies GPO PKI Help Desk, if needed Step 4: Install Entrust software on end user computers at Agency • Entrust software provided by GPO as part of fee per user • Available for download at URL: https://beta.gpo.gov/how-to-work-with-us/agency/services-for-agencies/public-key-infrastructure Step 5: Arrange a date and time for End Users to come to GPO for in-person Identity Proofing (federal PKI requirement) • Contact John Hannan at GPO at jhannon@gpo.gov.

11. Example SF-1 Form

12. Example SF-1 Form

13. Agency Firewall Settings Required

14. Contact Information Technical John Hannan, CISSP Chief Information Security Officer U.S. Government Publishing Office 202.512.1021 jhannan@gpo.gov Business Official Journals of Government Office U.S. Government Publishing Office 202.512.2100