NIST Logo and ITL Banner Link to the NIST Homepage Link to the ITL Homepage Link to the NIST Homepage

Public Key Infrastructures - Federal PKI

Federal PKI

NIST plays a leading role in the deployment of the Federal PKI, serving as an advisor for architectural issues and leading the development, evaluation, and maintenance of certificate policies for the Federal PKI. The Federal PKI architecture features the Federal Bridge Certification Authority (FBCA), which supports interoperability among PKI domains with disparate policies in a peer to peer fashion, and the Common Policy Root CA, which manages a hierarchical PKI.

FPKI Architecture

The FBCA operates under the FBCA Certificate Policy, which specifies five levels of assurance. The FBCA issues certificates to the Principal CA of a PKI domain after the Federal PKI Policy Authority: (1) determines which FBCA levels of assurance are satisfied by the policies supported in that PKI domain; (2) determines that the PKI domain fulfills its responsibilities under those policies; and (3) establishes a legal agreement between the FBCA and the PKI domain. The NIST managed Federal Certificate Policy Working Group (CPWG) leads (1) and (2). For an overview of the operations of the Federal PKI Policy Authority, see the Criteria and Methodology For Cross-Certification With the U.S. Federal Bridge Certification Authority (FBCA) or Citizen and Commerce Class Common Certification Authority (C4CA).

Hierarchical Federal PKI

The Common Policy Root CA operates under the Common Policy Framework, which specifies three policies with a relatively uniform level of assurance. The Common Policy Root CA will issue a certificate to a subordinate CA operated by or on behalf of a federal agency after determining that the CAs operations satisfies the requirements of the Common Policy. The FPKI PA has delegated this responsibility to the CPWG and the Shared Service Provider (SSP) Subcommittee. The CPWG evaluates CAs operated by an agency for internal operations; the SSP Subcommittee evaluates CAs that offer PKI services to federal agencies based on the Common Policy.