IdenTrust Discontinues ACES Digital Certificates
Back in April of 2000, the U.S. General Services Administration (GSA) announced that Digital Signature Trust Company had received the first interim approval to operate on the Access Certificates for Electronic Services (ACES) contract. This breakthrough was phenomenal because it rapidly sped up the processes of schedule acquisition, maintenance, and compliance more broadly. The ACES contract is currently managed by the Office of Information Security in GSA's Federal Technology Service.
ACES goals include identification, authentication, and non-repudiation via the use of digital signature technology as a means for individuals and business entities to be authenticated when accessing, retrieving, and submitting information with the government.
However, one year ago, the General Services Administration (GSA) General Counsel made the decision to discontinue the Access Certificates for Electronic Services (ACES) program. The rationale was that operating a public key infrastructure (PKI) is outside of GSA’s scope. In addition, the program failed to meet the “three commercial vendors” requirement to establish a competitive need.
What this means right now:
GSA defines a digital certificate as “an electronic credential that: asserts the identity of an individual, enables eOffer/eMod to verify the identity of the individual entering the system and signing documents, encrypt or decrypt data to ensure that it is securely transmitted, [creates] a packet of information that is stored on a web browser or on a token, [and] create[s] digital signatures which are verifiable.” Digital certificates are essential to access programs such as MassMod, where a contractor would go to update their price or item list.
This information could seem arbitrary if you already have your digital certificate, but the transition could require even more documentation in the future. Companies such as IdenTrust, which issue these certificates, will continue to support the D-Trade application by offering 1-year certificates on a limited basis, as long as no certificate exceeds an expiration date of July 31, 2020. So, if you decide to purchase an ACES certificate after July 31, 2019, the standard 1-year validity period will be truncated to expire on July 31, 2020. Additionally, if you are currently holding an ACES certificate that has a deadline beyond July 31, 2020, understand that your contract will be cut short and terminated on that date.
Phase 1 – Inform (FY18Q1 – Q2):
You may have already heard about the discontinuation of the ACES service as a part of phase one of the transition process. GSA tried to get the word out about this movement as quickly as possible. If you hadn’t already heard about this change, then lucky for you, this post will point you in the right direction.
Phase 2 – Transition (FY18Q2 – Q3):
The ACES PMO will collaborate with the ACES vendors and federal relying parties to transition to Federal PKI alternatives that are comparable to ACES certificates. The federal relying parties will be instructed to transition to Federal PKI alternatives by July 2018. After all federal relying parties have confirmed their transition, the ACES PMO will direct the ACES vendor to stop selling/issuing ACES certificates. The ACES PMO will conduct periodic touch points with the federal relying parties to assist with any transition challenges.
Phase 3 – Sunset (FY18Q3–FY20Q3):
Based on the expiration date of the last active ACES certificate, the ACES PMO will monitor sunset status through ACES vendor monthly reporting on remaining active certificates. Around FY20Q3 when the last ACES certificate is either revoked or expires, the ACES PMO will direct the ACES vendors and the Federal PKI to revoke all ACES CA certificates and decommission the ACES issuing CAs. The ACES PMO will also be decommissioned and program material archived.
In an effort to replace the ACES program, the Federal PKI Non-Federal Issuer (NFI) affiliate program was designed specifically for businesses to interact with the government in a secure and cost-effective manner. Alternatives for ACES certificates are likely going to take the form of Federal PKI Federal Bridge Certification Authority (FBCA) certificates. For example, the ACES Unaffiliated Individual will become the FBCA Basic, the ACES Application SSL Server will become the FBCA Medium Device, etc.
The GSA ACES program was designed specifically for citizens and businesses to purchase individual certificates, and there are NFI affiliates who offer similar services. NFI affiliates, in addition to being recognized as compliant, just like ACES, also meet NIST assurances, another reason for GSA to make this transition. Similarly, NFI affiliates offer an increased certificate lifetime of up to three years, compared to two years for ACES. For a government contractor this is great because you won’t have to update your status quite so frequently!
About Carter Bowman
At Winvale, Carter is involved with both the Business Development and Consulting departments where he assists with blog writing, analytical research and marketing for program initiatives and events. While assisting different Winvale teams, Carter has helped draft summaries and reports, worked on a variety of marketing strategies, and contributed to the daily needs and responsibilities of his team members.