Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal Government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a Federal Government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Federal PKI Governance and Compliance Audit Information

This page contains information to help Federal Public Key Infrastructure (FPKI) program managers and auditors.

  • It includes the FPKI policies and profiles as well as the FPKI annual review schedule.
  • It can help auditors assess certification authorities (CAs) operated as part of the FPKI.
  • It can help the general public understand how the FPKI Management Authority (FPKIMA) provides trusted PKI and CA operations.

For any questions, please contact fpki@gsa.gov.

Federal PKI Policies and Profiles

The Federal Public Key Infrastructure (FPKI) provides the government with a trust framework and infrastructure to administer digital certificates and public-private key pairs. For more information on the FPKI, PIV, and PIV-I visit the following links:

The FPKI Policy Authority (FPKIPA) maintains three certificate policies (the Common Policy Framework, the Federal Bridge Certification Authority Certificate Policy, and the Federal Public Trust TLS Certificate Policy). All cross-certified CA certificate policies are mapped to the Federal Bridge certificate policy.

Federal PKI Policy Policy Name Profile Change Proposals
Federal Common Policy X.509 Certificate Policy for the U.S. FPKI Common Policy Framework v2.9 Common Policy X.509 Certificate and CRL Profiles v2.3 Common Change Proposals
Federal Bridge X.509 Certificate Policy for the Federal Bridge Certification Authority (FBCA) v3.6

and PIV-I for Federal Agencies
Federal Bridge Certification Authority (FBCA) X.509 Certificate and CRL Extensions Profile v2.0 Bridge Change Proposals
Federal Public Trust TLS U.S. Federal Public Trust TLS PKI Certificate Policy v1.1 Profiles are included in Section 7 of the Policy No change proposals

The FPKI has the following supplementary guidance:

Annual Review Requirements for All Certification Authorities

Independent compliance audits are the primary way that the Federal Public Key Infrastructure Policy Authority (FPKIPA) ensures that entities participating in the FPKI comply with the requirements identified in the appropriate Certificate Policies (CPs). Audits are an important component of the Annual Review Requirements.

Audits are required annually for supporting functions and elements of each entity. Annual review packages should be submitted to fpki@gsa.gov.

  • FPKI Annual Review Requirements (PDF, September 2024) – This document includes requirements for performing and reporting annual compliance audits.
  • RA Audit Guidance Memorandum (PDF, October 2022 – This FPKIPA Memorandum reiterates the necessity of RA audits in supporting PKI operations, normalizes differing terminology used across various references, and provides options for reducing potential duplication of RA audit efforts, as applicable to PIV issuers.
  • Annual PIV and PIV-I Credential Issuer (PCI) Test Report: This test report supports the FPKI Annual Reviews and can be done either in person at the GSA FIPS 201 lab or remotely by the package submitter. Further details related to the Annual PCI Testing are located here.
  • Non-Compliance Management Framework For The Federal Public Key Infrastructure (FPKI) (PDF, January 2016) - This document provides guidance for the FPKI Policy Authority (FPKIPA) for responding to situations in which an FPKI FBCA member is not meeting their Memorandum of Agreement (MOA) requirements and obligations.

Annual Review Schedule

Entity Type Annual Review Package Due Date
CertiPath Bridge June 30
DigiCert (ECPS) Affiliate PKI July 31
DigiCert (Formerly Symantec Non-Federal Issuer [NFI]) Affiliate PKI July 31
DigiCert (Formerly Symantec Shared Service Provider [SSP]) SSP July 31
Department of Defense (DoD) Affiliate PKI November 30
Department of State (DOS) Affiliate PKI October 31
Department of the Treasury SSP July 31
Entrust NFI Affiliate PKI November 30
Entrust Federal SSP SSP November 30
Exostar Affiliate PKI June 30
IdenTrust NFI Affiliate PKI August 31
Patent and Trademark Office (PTO) Affiliate PKI October 31
SAFE Identity Bridge June 30
Southwest Texas Regional Advisory Council (STRAC) Bridge November 30
Transglobal Secure Collaboration Program (TSCP) Bridge July 31
Verizon SSP SSP August 31
WidePoint NFI Affiliate PKI May 31
WidePoint SSP SSP May 31

Compliance Test Tools for Annual Reviews

The FPKI Program supports three remote PIV, PIV-I, and digital certificate test tools to support FPKI annual reviews as listed below:

  1. The Card Conformance Tool (CCT) is a GSA managed, Java tool hosted on GitHub that can verify that a Personal Identity Verification (PIV) or PIV-Interoperable (PIV-I) conforms to the PIV data model.
  2. The Certificate Profile Conformance Tool (CPCT) is a self-hosted application that analyzes public X.509 certificates for conformance to a specified FPKI profile.
  3. The KSJavaAPI is Java API hosted on GitHub and used to leverage that the information stored in the PIV/ PIV-I applets conform to NIST SP 800-73.

To request the annual testing report for PIV/PIV-I cards, fill out the Annual PIV Credential Issuer (PCI) Testing Application Form (PDF, February 2020) and send it with Compliance Test Tool outputs and testing artifacts (for remote testing) to fips201ep@gsa.gov.

Submitting a Test Results Package

If you are running the Card Conformance Tool as part of the annual requirement to undergo PIV/PIV-I testing, you must email the artifacts listed below to fips201ep@gsa.gov.

  1. A completed testing application for each PCI configuration evaluated (See Section 1 of the application for more information).
  2. All accompanying Card Conformance Tool Log files, these reside in the same directory as the extracted package after the tests have been run:
    • logs (directory)
    • piv-artifacts (directory)
    • x509-artifacts (directory)
    • x509-certs (directory)
    • the test database used for the evaluation (e.g., PIV_Production_Cards.db)
  3. The card’s Answer-to-Rest value presented within the “Reader Status” text box (e.g., 3bd6970081b1fe451f078031c1521118f9), which is displayed on the CCT landing page provided a card is available to the test system.
  4. A report (PDF or XLSX) for each certificate found on the card (use the Certificate Profile Conformance Tool (web application) to generate the reports.
  5. High-resolution card photos of the front and back of each card tested.

Helpful Hint

Collecting all accompanying Card Conformance Tool Log files is most easily achieved by zipping the fips201-card-conformance-tool-[Release-Version]-[Release-Date] directory; this is the same directory where you had extracted the tool.

Note

Failure to submit a complete CCT Package may delay review of your testing results and completion of your annual FPKI PIV/PIV-I testing requirement.

Audit Information for the FPKI Management Authority

This section contains information on audits performed on the Federal Common Policy Certification Authority and the Federal Bridge Certification Authority.

  • The Federal Common Policy Certification Authority (FCPCA) operates in compliance with the Federal Common Certificate Policy.
  • The Federal Bridge Certificate Authority (FBCA) operates in compliance with the Federal Bridge Certificate Policy.

The FPKIMA Certification Practice Statement (CPS) documents the operational practices required to ensure trusted operations. Additional compliance audit information for the FPKI Trust Infrastructure Systems is also provided below.

Report an Incident

FPKI affiliates include federal agencies and commercial service providers operating a certification authority certified by the Federal PKI Policy Authority. FPKI affiliate responsibilities related to the incident management process include:

  1. Communicating security incidents involving infrastructures or services to the FPKI Authorities, users/customers, and known relying parties.
  2. Providing additional investigation support and/or information about incidents to the FPKI Authorities as they become known, and
  3. Conducting remediation activities once an incident is confirmed.

To report a security incident, such as a key compromise, data breach, or other fraud waste or abuse regarding FPKI CAs or certificates, please contact both fpki@gsa.gov and fpki-help@gsa.gov, and include any relevant known information on the incident up to that point. Further information will be requested from the affiliate per the FPKI Incident Management Plan.

Federal PKI Document Archive

A Federal PKI document may be needed for three years for compliance review purposes. This pages contains three years of FPKI documents, including:

  • Certificate Policies
  • Certificate Profiles
  • Supplementary Guidance
  • Change Proposals

A blank category indicates no updates in the previous three years. If you seek a document that is older than three years or is not listed here, please contact fpki@gsa.gov or look in the archived document repository on github.

Document Name Removal From Archive
Annual Review Guidance
FPKI Annual Review Requirements v1.2 09/13/2027
FPKI Annual Review Requirements v1.01 09/29/2024
FPKI Annual Review Requirements v1.0 09/30/2024
Common Certificate Policy
X.509 Certificate Policy For The U.S. FPKI Common Policy Framework v2.8 10/25/2027
X.509 Certificate Policy For The U.S. FPKI Common Policy Framework v2.7 06/08/2027
X.509 Certificate Policy For The U.S. FPKI Common Policy Framework v2.6 02/23/2027
X.509 Certificate Policy For The U.S. FPKI Common Policy Framework v2.5 11/29/2026
X.509 Certificate Policy For The U.S. FPKI Common Policy Framework v2.4 08/01/2026
X.509 Certificate Policy For The U.S. FPKI Common Policy Framework v2.3 04/17/2026
X.509 Certificate Policy For The U.S. FPKI Common Policy Framework v2.2 10/1/2025
X.509 Certificate Policy For The U.S. FPKI Common Policy Framework v2.1 12/15/2024
X.509 Certificate Policy For The U.S. FPKI Common Policy Framework v2.0 05/18/2024
X.509 Certificate Policy For The U.S. FPKI Common Policy Framework v1.32 09/01/2023
X.509 Certificate Policy For The U.S. FPKI Common Policy Framework v1.31 *04/14/2023
X.509 Certificate Policy For The U.S. FPKI Common Policy Framework v1.30 *02/08/2022
Common Change Proposal
Proposal 2024-06 | Modify role-based certificate requirements for delegated digital signature uses 10/16/2027
Proposal 2024-07 | Trusted Agent and Key Recovery Role/Responsibility Clarifications 10/25/2027
Proposal 2024-08 | Clarifications on Private Key Recovery Storage and Private Key Activation 10/25/2027
Proposal 2024-05 | Remote Workstation Clarification 06/08/2027
Proposal 2024-02 | Remote Workstation Clarification 02/23/2027
Proposal 2024-03 | Certificate Policy Clarifications 02/23/2027
Proposal 2023-06 | Certificate Modifications and Restorations 11/29/2026
Proposal 2023-04 | Appointment of Trusted Roles 08/01/2026
Proposal 2023-02 | Updates Common Policy based on general comments received by the CPWG 04/17/2026
Proposal 2022-05 | Consolidated Changes to the Common Policy Certificate and CRL Profiles *10/17/2025
Proposal 2022-01A | Updates to Archive Retention Period Section of Common Policy 10/1/2025
Proposal 2021-03 | Remove Exclusion of Containers from Common Policy 12/15/2024
Proposal 2021-02 | Updates to Audit and Archive Sections of Common Policy 12/15/2024
Proposal 2021-01 | FPKI Key Recovery Policy Integration into COMMON Policy 04/13/2024
Proposal 2020-02 | General Update to COMMON Policy and Profiles 08/29/2023
Proposal 2020-01 | PIV-I Credentials Issued Under COMMON Requirements 03/10/2023
Common Profile
Common Policy X.509 Certificate and Certificate Revocation List (CRL) Profiles v2.2 10/25/2027
Common Policy X.509 Certificate and Certificate Revocation List (CRL) Profiles v2.1 10/17/2025
X.509 Common Policy Certificate and Certificate Revocation List Profiles v2.0 09/01/2023
FPKI Trust Infrastructure Certificate Practice Statement
X.509 Certificate Practice Statement For the FPKI Trust Infrastructure v6.3 12/7/2026
X.509 Certificate Practice Statement For the FPKI Trust Infrastructure v6.2 7/31/2026
X.509 Certificate Practice Statement For the FPKI Trust Infrastructure v6.1 12/21/2025
X.509 Certificate Practice Statement For the FPKI Trust Infrastructure v6.0 05/14/2025
X.509 Certificate Practice Statement For the FPKI Trust Infrastructure v5.1 06/28/2024
FPKIMA Audit Letter
FPKIMA Audit Letter 2023 8/20/2027
FPKIMA Audit Letter 2022 11/9/2026
FPKIMA Audit Letter 2021 10/12/2025
Federal Bridge Certificate Policy
X.509 Certificate Policy For The Federal Bridge CA (FBCA) v3.5 10/25/2027
X.509 Certificate Policy For The Federal Bridge CA (FBCA) v3.4 06/08/2027
X.509 Certificate Policy For The Federal Bridge CA (FBCA) v3.3 02/23/2027
X.509 Certificate Policy For The Federal Bridge CA (FBCA) v3.2 11/29/2026
X.509 Certificate Policy For The Federal Bridge CA (FBCA) v3.1 08/01/2026
X.509 Certificate Policy For The Federal Bridge CA (FBCA) v3.0 04/17/2026
X.509 Certificate Policy For The Federal Bridge CA (FBCA) v2.36 11/04/2025
X.509 Certificate Policy For The Federal Bridge CA (FBCA) v2.35 06/17/2025
X.509 Certificate Policy For The Federal Bridge CA (FBCA) v2.34 *04/15/2023
Federal Bridge Change Proposal
Proposal 2024-09 | Trusted Agent and Key Recovery Role/Responsibility Clarifications 10/25/2027
Proposal 2024-10 | Clarifications on Private Key Recovery Storage and Private Key Activation 10/25/2027
Proposal 2024-04 | Remote Workstation Clarification 06/08/2027
Proposal 2024-01 | Remote Workstation Clarification 02/23/2027
Proposal 2023-05 | Certificate Modifications and Restorations 11/29/2026
Proposal 2023-03 | Appointment of Trusted Roles and updates in Section 6.3.2 08/01/2026
Proposal 2023-01 | Updates to the Federal Bridge Certification Authority (FBCA) Certificate Policy based on comments received by the CPWG 04/17/2026
Proposal 2022-04 | Consolidated Update to the Federal Bridge Certification Authority Certificate Policy and Associated Profiles 11/04/2025
Proposal 2022-02 | PIV-I Topography Requirements in the Federal Bridge CA Certificate Policy 05/06/2025
Proposal 2019-01 | Allow Offline Federal Bridge Certification Authority *02/28/2022
Federal Bridge Profile
Federal Public Key Infrastructure (PKI) X.509 Certificate and CRL Extensions Profile v1.9 11/04/2025
Federal Public Key Infrastructure Key Recovery Policy
FPKI Key Recovery Policy 02/05/2050
Federal Public Trust TLS Certificate Policy
Federal Public Trust Device Certificate Policy v1.0 Final 02/06/2026
PIV-I Profile
X.509 PIV-I Certificate and Certificate Revocation List Profiles v1.3 11/04/2025
Supplementary Guidance
Personal Identity Verification Interoperability for Issuers v2.0.1 05/01/2025
FBCA Supplementary Antecedent, In-Person Definition 06/01/2023
NIST SP 800-53 Security Controls Overlay for PKI Systems v2.0 02/01/2024

IDManagement.gov

An official website of the U.S. General Services Administration

Looking for U.S. government information and services?
Visit USA.gov Edit this page