Notice ID: 36C10A21Q0081
The Department of Veterans Affairs (VA), Office of Information and Technology (OI&T), IT Operations and Services (ITOPs), Service Delivery (SD) requires Homeland Security Presidential Directive 12 (HSPD-12) General Services Administration (GSA) Required Annual Audit Services. The primary objective of this audit is to verify that the identified registration practices are compliant with the applicable certificate policy during the audited period (Fiscal Year). These registration practices will be audited as governed by the governing certificate policy (CP). The audit shall be conducted in accordance with directions specified within the U.S. Federal PKI Common Policy Framework Common Policy (CP), Federal PKI Policy Management Authority (FPKIPA) auditing guidelines and its technical advisory group, the Certificate Policy Working Group (CPWG), and all relevant Federal Information Processing Standards (FIPS), National Institute of Standards and Technology (NIST) directives related to x.509 certificate practices.
The Federal Common Policy Certificate Policy (CP) Section 8 states “CAs operating under this policy shall have a compliance audit mechanism in place to ensure that the requirements of their CPS are being implemented and enforced.” Section 8.1 sets “CAs and RAs operating under this policy shall be subject to a periodic compliance audit at least once per year in accordance with the ‘FPKI Compliance Audit Requirements’ document.” Section 8.2 dictates “The auditor must demonstrate competence in the field of compliance audits, and must be thoroughly familiar with the CA’s CPS and this CP. The compliance auditor must perform such compliance audits as a regular ongoing business activity. In addition to the previous requirements, the auditor must be a certified information system auditor (CISA) or IT security specialist, and a PKI subject matter specialist who can offer input regarding acceptable risks, mitigation strategies, and industry best practices.” Section 8.3 specifies “The compliance auditor either shall be a private firm that is independent from the entities (CA and RAs) being audited.”
“Period of Performance (POP) is 12-months from award with two (2) 12-month option periods, if exercised.”
The auditor must demonstrate competence in the field of compliance audits, and must be thoroughly familiar with the CA’s CPS and this CP. The compliance auditor must perform such compliance audits as a regular ongoing business activity. In addition to the previous requirements, the auditor must be a certified information system auditor (CISA) or IT security specialist, and a PKI subject matter specialist who can offer input regarding acceptable risks, mitigation strategies, and industry best practices.
The purpose of a compliance audit shall be to verify that a CA operated by an SSP and all RAs of that CA comply with all the requirements of the current versions of the Federal Common Policy Root CA CP and the SSP’s CPS. All aspects of the CA/RA operation shall be subject to compliance audit inspections. Components other than CAs may be audited fully or by using a representative sample. If the auditor uses statistical sampling, all PKI components, PKI component managers and operators shall be considered in the sample. The samples shall vary on an annual basis.
