SeNet Services

Experience with the U.S. Government Printing Office (GPO)

SeNet conducted both external and internal vulnerability assessments of GPO’s networks, along with wireless identification tasks. Network scans were executed using tools such as Nmap and Nessus to identify network-level vulnerabilities across an entire Class B address range. Selected systems were then examined using host-based tools to discover security violations in areas such as account policy, file permissions, and registry settings. A report was then produced that ranks the vulnerabilities by severity and includes recommendations on how to mitigate the discovered vulnerabilities.
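The last step described above, turning raw scanner rows into a report ranked by severity with a mitigation per finding, is illustrated by the following added example. It is not SeNet's or GPO's code; the findings, hosts and recommendations are constructed sample data, and the severity bands are the CVSS v3 qualitative scale rather than any particular scanner's labels.

```python
"""Rank vulnerability-scan findings by severity and aggregate affected hosts.

Constructed sample rows stand in for Nessus/Nmap output. Severity bands
follow the CVSS v3 qualitative scale (Critical/High/Medium/Low/Informational).
"""

# Constructed sample findings (not real assessment data): one row per host/finding.
FINDINGS = [
    {"host": "10.0.1.10", "port": 445, "name": "SMBv1 enabled", "cvss": 7.5,
     "fix": "Disable SMBv1 and require SMB signing."},
    {"host": "10.0.1.11", "port": 445, "name": "SMBv1 enabled", "cvss": 7.5,
     "fix": "Disable SMBv1 and require SMB signing."},
    {"host": "10.0.1.12", "port": 23, "name": "Telnet service", "cvss": 9.8,
     "fix": "Replace Telnet with SSH; block TCP/23 at the perimeter."},
    {"host": "10.0.1.10", "port": 80, "name": "Server header discloses version", "cvss": 0.0,
     "fix": "Suppress the version banner."},
    {"host": "10.0.2.5", "port": 443, "name": "TLS 1.0 accepted", "cvss": 4.3,
     "fix": "Restrict the listener to TLS 1.2 or later."},
]

# (lower bound, label) pairs, checked from highest to lowest.
SEVERITY_BANDS = [
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
    (0.0, "Informational"),
]


def severity(cvss: float) -> str:
    """Map a CVSS base score to its qualitative band."""
    for floor, label in SEVERITY_BANDS:
        if cvss >= floor:
            return label
    return "Informational"


def rank_findings(findings):
    """Group rows by finding name, collect affected host:port pairs,
    keep the highest score seen for the finding, and sort by score descending."""
    grouped = {}
    for f in findings:
        entry = grouped.setdefault(
            f["name"], {"name": f["name"], "cvss": f["cvss"], "fix": f["fix"], "hosts": []}
        )
        entry["hosts"].append(f"{f['host']}:{f['port']}")
        entry["cvss"] = max(entry["cvss"], f["cvss"])
    ranked = sorted(grouped.values(), key=lambda e: (-e["cvss"], e["name"]))
    for e in ranked:
        e["severity"] = severity(e["cvss"])
    return ranked


def format_report(ranked):
    """Render the ranked findings as plain-text report lines."""
    lines = []
    for e in ranked:
        hosts = ", ".join(sorted(e["hosts"]))
        lines.append(
            f"[{e['severity']}] {e['name']} (CVSS {e['cvss']}) - {len(e['hosts'])} host(s): {hosts}"
        )
        lines.append(f"    Recommendation: {e['fix']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(rank_findings(FINDINGS)))
```

Grouping by finding rather than by host is a deliberate choice: the report reader wants to know "which fix removes the most exposure", so each finding lists every affected host and the count, and the highest score observed for that finding drives its position.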

The goal of the wireless identification tasks was to search for and verify that no unauthorized wireless network devices were present at the GPO facilities. The searches were performed at the GPO Headquarters and the printing facility using wireless transceivers of different bands and protocols. When the presence of a wireless device was suspected, SeNet attempted to identify the device and collected any information that was available. The information was then analyzed and included with our findings in the test report.

SeNet also assisted GPO in evaluating and assessing its implementation and use of PKI technology, in accordance with the agency’s overall security program plan. Our activities followed established Risk Assessment guidelines and PKI-specific guidelines (NIST 800-25, NARA “Records Management Guidance for Agencies Implementing Electronic Signature Technologies”, IETF RFC 2527 and others).

The assessment activities covered the management, operational and technical aspects of the GPO PKI system:

  • Review of GPO PKI documentation:
    • System architecture, design and as-built documentation
    • GPO PKI policy documents: Certification Practice Statement (CPS) and Certificate Policy (CP)
    • Third-party/interagency agreements
  • Review of roles and responsibilities related to the GPO PKI system
  • Inspection of GPO PKI components and testing of network/device components for security vulnerabilities
  • Review of GPO PKI Standard Operating Procedures, for example the enrollment/disenrollment process, which includes the following steps:
    • Digital certificate application
    • Identity proofing
    • Key pair generation and certificate request
    • Certificate issuance
    • Certificate revocation
  • Review of PKI component audit logs, such as admin-level access, configuration changes, operators’ actions, etc.
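The audit-log review item above is the kind of check that is easy to script once the log format is known. The following added example (not SeNet's or GPO's code) parses a constructed CA audit log and flags the records an assessor would pull for follow-up: privileged events (admin logins, configuration changes) that need a matching approval, privileged activity outside an assumed business-hours window, operators who are not on the authorized roster or act outside their documented role, and key-compromise revocations that should tie back to an incident record. The line format, roster and hours are assumptions for this example; real CA products each have their own audit schema.

```python
"""Review constructed CA audit-log lines for events that need assessor follow-up.

The line format, operator roster and business-hours window are invented
for this example and are not taken from any real CA product.
"""
import re
from datetime import datetime

# Constructed sample log (not a real GPO log).
# Fields: timestamp operator role event [detail...]
AUDIT_LOG = """\
2024-03-04T09:12:03Z jsmith RA CERT_ISSUE serial=1A2B subject=CN=alice
2024-03-04T09:40:11Z admin01 CA_ADMIN CONFIG_CHANGE key=crl_period old=24h new=168h
2024-03-04T22:05:47Z admin01 CA_ADMIN ADMIN_LOGIN src=10.0.9.9
2024-03-04T10:03:30Z jsmith RA CERT_REVOKE serial=1A2B reason=keyCompromise
2024-03-05T11:00:00Z tmp_ops RA CERT_ISSUE serial=1A2C subject=CN=bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<operator>\S+) (?P<role>\S+) (?P<event>\S+)(?: (?P<detail>.*))?$"
)

# Assumed roster of authorized operators and their documented roles.
AUTHORIZED_OPERATORS = {"jsmith": "RA", "admin01": "CA_ADMIN"}
# Assumed approved window for privileged work (UTC hours, start inclusive, end exclusive).
BUSINESS_HOURS = (8, 18)
PRIVILEGED_EVENTS = {"CONFIG_CHANGE", "ADMIN_LOGIN"}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec["detail"] = rec["detail"] or ""
        events.append(rec)
    return events


def review(events):
    """Return (reason, record) pairs that an assessor should examine."""
    flagged = []
    for e in events:
        reasons = []
        expected_role = AUTHORIZED_OPERATORS.get(e["operator"])
        if expected_role is None:
            reasons.append("operator not on authorized roster")
        elif expected_role != e["role"]:
            reasons.append("role does not match roster")
        if e["event"] in PRIVILEGED_EVENTS:
            reasons.append("privileged event: verify change ticket / approval")
            if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
                reasons.append("privileged event outside business hours")
        if e["event"] == "CERT_REVOKE" and "reason=keyCompromise" in e["detail"]:
            reasons.append("key-compromise revocation: confirm incident record")
        for r in reasons:
            flagged.append((r, e))
    return flagged


def format_findings(flagged):
    """Render flagged records as one line each for the assessment notes."""
    return "\n".join(
        f"{e['ts'].isoformat()} {e['operator']} {e['event']}: {r}" for r, e in flagged
    )


if __name__ == "__main__":
    print(format_findings(review(parse_log(AUDIT_LOG))))
```

Each flag is a question for the assessor, not a verdict: a configuration change during business hours by a known CA administrator is expected, but the review still needs the change record that authorized it, which is why privileged events are always listed.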

As a result of SeNet’s assessment, the GPO Certificate Authority was certified for connection to the Federal PKI Bridge.