Public Key Infrastructure:

Examples of Risks and Internal Control Objectives Associated with Certification Authorities

GAO-04-1023R: Published: Aug 10, 2004. Publicly Released: Sep 9, 2004.

Additional Materials:


Keith A. Rhodes
(202) 512-6412


Office of Public Affairs
(202) 512-4800

This letter is in response to a Congressional request that we examine our advice to executive branch agencies regarding commercial managed service public key infrastructure (PKI) solutions to see if the advice is consistent with current federal policy and private sector best practices. Specifically, over the past several years, staff from various agencies has asked for informal advice on these matters. Our informal advice was based on the control environment described to us by the agencies. This control environment, which is discussed later in this letter, resulted in the informal advice that the agencies may incur a greater burden in ensuring that a contract certification authority whose certificates are used in financial management applications has implemented an adequate system of internal controls than would be necessary if the certification authority were implemented internally. However, if agencies are willing to accept this potential increased burden by accepting and mitigating the potential risks (not all of which may be known and understood at this time) associated with commercial certification authorities contracting out, a certification authority may be able to provide the same level of security assurances as an internal certification authority. One key aspect of mitigating the risk will be the close involvement of agency personnel in the commercial implementation. We also told the agencies that until we were formally requested by an agency to review a commercial service provider's system, we could not express a formal position. To date, we have not received such a request.

Mar 26, 2015

Mar 18, 2015

Mar 16, 2015

Mar 9, 2015

Mar 4, 2015

Feb 27, 2015

Feb 23, 2015

Feb 11, 2015

  • government icon, source: Eyewire

    GAO'S 2015 High-Risk Series:

    An Update
    GAO-15-371T: Published: Feb 11, 2015. Publicly Released: Feb 11, 2015.
  • government icon, source: Eyewire

    GAO's 2015 High-Risk Series:

    An Update
    GAO-15-373T: Published: Feb 11, 2015. Publicly Released: Feb 11, 2015.
  • government icon, source: Eyewire

    High-Risk Series:

    An Update
    GAO-15-290: Published: Feb 11, 2015. Publicly Released: Feb 11, 2015.

Looking for more? Browse all our products here