About Treasury PKI

Treasury PKI is a combination of policies, procedures and technology that provide a high degree of trust in Treasury personnel, systems and data. This degree of trust is achieved through the use of Treasury-issued digital certificates, objects created by highly secure systems known as Certification Authorities (CAs). Treasury certificates bind digital information to physical identities to allow a high degree of assurance to be placed in those identities.

Treasury PKI lends the following security services to the enterprise:

  • Authentication: Digital certificates can provide a strong means of identifying the bearer when they request access to an online resource. This is stronger than more conventional authentication methods because it is two-factor; that is, it is based on what the user has (i.e. the digital certificate) and what the user knows (i.e. the PIN to enable use of the digital certificate).

  • Confidentiality: Digital certificates can be used to encrypt information, either at rest or in motion, to prevent interception by an unauthorized party.

  • Integrity: PKI employs mathematical algorithms to enable the user to apply digital signatures to data. Once applied, the data's integrity is significantly strengthened; that is, its author can place a high degree of assurance in the fact that it has not been modified by an unauthorized party, intentionally or otherwise.

  • Non-Repudiation: Just as digital signatures can strengthen integrity, they can also be leveraged to prevent data users from claiming (repudiating) that they weren't party to a transaction. This is especially important in scenarios where money is exchanged or approved for payment. Hence, Treasury PKI is very well suited for its business environment.

Treasury PKI is well-known throughout the Federal Government, and is extended to its trading partners and other Government organizations that conduct business with the Department in a secure manner. This is made possible through a technological relationship, known as a cross-certification, with the Federal Bridge PKI.

Through this relationship, Treasury may permit access to its online resources by Federal personnel who do not hold a Treasury-issued certificate but rather hold a certificate issued by another Agency that Treasury trusts. Likewise, these cross-certified Agencies may elect to trust Treasury-issued credentials as they are used to gain access to their resources. In this manner, business may be conducted, and information may be exchanged, seamlessly and securely.
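As an added example (not Treasury's own tooling, policy or code), the following POSIX shell script builds a throwaway PKI with the OpenSSL command-line tool to illustrate the services listed above and the cross-certification relationship just described: a PIN-protected user key signs a payment approval (integrity and non-repudiation, with the PIN as the "what you know" factor), a tampered copy fails verification, and a relying party that trusts only a constructed "bridge" CA accepts a certificate issued by a constructed "Treasury" root solely because the bridge has issued a cross-certificate for that root. Every name, key, serial number and PIN is constructed for the demo; it assumes `openssl` (1.1.1 or later) is on the PATH and uses no real Treasury or Federal Bridge material.

```shell
#!/bin/sh
# Added demo, not Treasury's tooling: a throwaway PKI built with the OpenSSL CLI.
# All CA names, keys, serials and the PIN below are constructed for this example.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
PIN="demo-pin-2468"   # stands in for the PIN that unlocks the user's private key

# Minimal OpenSSL config: a CA profile (keyCertSign) and an end-entity profile
# whose keyUsage carries the nonRepudiation bit, matching the page's fourth service.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_ee]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Self-signed root: $1 = file stem, $2 = common name (both constructed).
mk_root() {
  openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" -days 365 2>/dev/null
}

build_pki() {
  mk_root treasury_root "Demo Treasury Root CA"
  mk_root bridge        "Demo Federal Bridge CA"

  # Cross-certificate: subject name and key are the Treasury root's, signer is the bridge.
  openssl req -new -config pki.cnf -key treasury_root.key \
    -subj "/CN=Demo Treasury Root CA" -out cross.csr 2>/dev/null
  openssl x509 -req -in cross.csr -CA bridge.pem -CAkey bridge.key -set_serial 2 \
    -days 365 -extfile pki.cnf -extensions v3_ca -out treasury_cross.pem 2>/dev/null

  # End-entity key is encrypted under the PIN: "what you have" plus "what you know".
  openssl genrsa -aes256 -passout "pass:$PIN" -out ee.key 2048 2>/dev/null
  openssl req -new -config pki.cnf -key ee.key -passin "pass:$PIN" \
    -subj "/CN=Demo Treasury User" -out ee.csr 2>/dev/null
  openssl x509 -req -in ee.csr -CA treasury_root.pem -CAkey treasury_root.key \
    -set_serial 3 -days 365 -extfile pki.cnf -extensions v3_ee -out ee.pem 2>/dev/null
  openssl x509 -in ee.pem -pubkey -noout > ee_pub.pem
}

# Sign $1 with the PIN-protected key; without the PIN the key is unusable.
sign_doc() {
  openssl dgst -sha256 -sign ee.key -passin "pass:$PIN" -out "$1.sig" "$1"
}

# Integrity check: exit 0 if $1.sig matches $1, non-zero otherwise.
verify_doc() {
  openssl dgst -sha256 -verify ee_pub.pem -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Path validation: does a relying party that trusts only $1 accept ee.pem?
# $2 (optional) is a cross-certificate offered as an untrusted intermediate.
chain_ok() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" ee.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" ee.pem >/dev/null 2>&1
  fi
}

build_pki
printf 'Approve payment of 1,000.00 to vendor 42\n' > payment.txt   # constructed document
sign_doc payment.txt
verify_doc payment.txt && echo "signature valid"
cp payment.txt.sig tampered.txt.sig
printf 'Approve payment of 9,000.00 to vendor 42\n' > tampered.txt  # altered after signing
verify_doc tampered.txt || echo "tampering detected"
chain_ok treasury_root.pem && echo "Treasury relying party: chain OK"
chain_ok bridge.pem treasury_cross.pem && echo "Bridge relying party with cross-certificate: chain OK"
chain_ok bridge.pem || echo "Bridge relying party without cross-certificate: rejected"
```

The third `chain_ok` call is the point of cross-certification: the bridge-trusting relying party never installs the Treasury root, yet path validation succeeds because the cross-certificate carries the Treasury root's name and key under the bridge's signature. The real Federal Bridge relationship is bidirectional and conditioned on the policy mapping described later on this page; the script shows only one direction and performs no policy or revocation checks.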

Additionally, due to Treasury's proven PKI expertise, Treasury offers its digital certificate services to other Agencies through the Federal Shared Service Provider (SSP) program. This enables Treasury to offset operational costs by sharing infrastructure components with other Agencies as they adopt the technology to meet PIV and address other business needs.

Treasury PKI establishes an effective trust model by strict adherence to policies that govern the infrastructure. These policies are as follows:

  • Treasury Directive Publication (TDP) 85-01: Treasury Enterprise Security Policy [TDP85-01] mandates the use of CAs to enhance the organization's overall security posture. The document also requires that CAs operate under a Treasury-approved Certificate Policy (CP).

  • Treasury X.509 Certificate Policy (CP): As required by [TDP85-01], [TREAS-CP] provides detailed policies governing the issuance and use of digital certificates. Specifically, this includes:

    • Definition of trusted roles and their responsibilities in maintaining the PKI;

    • Compliance audit parameters;

    • Naming standards for certificates;

    • Certificate and key lifecycle management;

    • Records archival;

    • Disaster recovery procedures;

    • Security controls; and

    • Certificate and Certificate Revocation List (CRL) profiles.

  • Federal Bridge X.509 CP: [FBCA-CP] provides policies that are mapped to Treasury's own, to ensure that Treasury may continue to trust, and be trusted by, other Federal agencies.

  • Common Policy X.509 CP: As the name implies, [COMMON-CP] provides a set of common policy requirements that must be met by all Federal agencies for PIV and other purposes, as directed in [FIPS-201]. Note that many of these requirements are already met through Treasury's current policy; those that are not are identified in this document and addressed through future revisions to Treasury's own policy.