
Office of the Chief Technology Officer

Public Key Infrastructure Policy


Approved Date – 04/22/2016
Published Date – 04/22/2016
Revised Date – 05/25/2021

1.    Purpose 

To establish the responsibilities and measures for the implementation and usage of Public Key Infrastructure (PKI) Certification Authority (CA) by the District of Columbia (“District”) and its agencies. 

2.    Authority 

DC Official Code § 1-1401 et seq. provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html

3.    Applicability 

This policy applies to all District workforce members (including contractors, vendors, consultants, temporary staff, interns, and volunteers) performing official functions on behalf of the District, and/or any District agency or entity (e.g. subordinate and independent agencies, Council of the District of Columbia, D.C. Charter Schools, etc.) who receive enterprise services from OCTO. 

In addition, this Policy applies to any providers and third-party entities with access to District information, networks, and applications. 

4.    Policy

This policy guides all District agencies that implement PKI in conjunction with any District government information systems connected to the internal District Wide Area Network (WAN). 

4.1.    Private Key

The agency Chief Information Officer (CIO) or their designee must ensure that each private key is protected and stored in a safe location, such as in a security token or smart card secured by a Personal Identification Number (PIN). 

4.2.    Password Restrictions

The agency CIO or their designee must ensure that the password restrictions stated in OCTO Password Management Policy (OCTO-2003.2) are imposed on the PIN of the security token/smart card to prevent unauthorized access to the private key inside.  
 
4.3.    Procedures for Key Lifecycle Management

The agency CIO or their designee must ensure that procedures are in place to handle key lifecycle management, issuing and revoking of certificates, storing and retrieving certificates, and maintaining lists of certificates that have been revoked or are otherwise inactive (Certificate Revocation Lists). 
 
4.4.    New Private Key Issue

The CIO or their designee must ensure that when any private key is lost, expired, or compromised, a new private key is issued. 

 
5.    Exemption 

Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.

6.    Definitions

The definition of the terms used in this document can be found in the Policy Definitions website.