Approved Date – 04/22/2016
Published Date – 04/22/2016
Revised Date – 05/25/2021
To establish the responsibilities and measures for the implementation and usage of Public Key Infrastructure (PKI) Certification Authority (CA) by the District of Columbia (“District”) and its agencies.
DC Official Code § 1-1401 et seq. provides the Office of the Chief Technology Officer (“OCTO”) with the authority to provide information technology (IT) services, write and enforce IT policies, and secure the network and IT systems for the District government. This document can be found at: https://code.dccouncil.us/dc/council/code/sections/1-1402.html.
This policy applies to all District workforce members (including contractors, vendors, consultants, temporary staff, interns, and volunteers) performing official functions on behalf of the District, and/or any District agency or entity (e.g. subordinate and independent agencies, Council of the District of Columbia, D.C. Charter Schools, etc.) who receive enterprise services from OCTO.
In addition, this Policy applies to any providers and third-party entities with access to District information, networks, and applications.
This policy guides all District agencies that implement PKI in conjunction with any District government information systems connected to the internal District Wide Area Network (WAN).
4.1. Private Key
The agency Chief Information Officer (CIO) or their designee must ensure that each private key is protected and stored in a safe location, such as a security token or smart card secured by a Personal Identification Number (PIN).
4.2. Password Restrictions
The agency CIO or their designee must ensure that the password restrictions stated in OCTO Password Management Policy (OCTO-2003.2) are imposed on the PIN of the security token/smart card to prevent unauthorized access to the private key inside.
4.3. Procedures for Key Lifecycle Management
The agency CIO or their designee must ensure that procedures are in place to handle key lifecycle management, issuing and revoking certificates, storing and retrieving certificates, and maintaining lists of certificates that have been revoked or are otherwise inactive (Certificate Revocation Lists).
4.4. New Private Key Issue
The CIO or their designee must ensure that when any private key is lost, expired, or compromised, a new private key is issued.
Exceptions to this policy shall be requested in writing to the Agency’s CIO and the request will be escalated to the OCTO Chief Information Security Officer (“CISO”) for approval.
The definition of the terms used in this document can be found in the Policy Definitions website.