WidePoint Cyber Security Solutions (formerly Operational Research Consultants, Inc. (ORC)) Non-Federal Issuer (NFI) Certification Practices Statement Summary Version 1.3.7 July 21, 2016 11250 Waples Mill Road South Tower, Suite 210 Fairfax, VA 22030 ____________________________________________ Date: Chief Executive Officer, WidePoint Cybersecurity Solutions Corporation WidePoint NFI CPS v1.3.6 Notice: Operational Research Consultants, Inc. (ORC), a wholly-owned subsidiary of WidePoint Corporation, has changed its legal name to WidePoint Cybersecurity Solutions Corporation, hereafter referred to simply as WidePoint. This is a legal name change only for branding purposes with no change to ownership, corporation type or other status. Any and all references to "WidePoint" within this document refers specifically and only to WidePoint Cybersecurity Solutions Corporation, the wholly-owned subsidiary of WidePoint Corporation, and not to WidePoint Corporation as a whole. Any reference or citing of personnel within this document, such as "WidePoint CEO", refers to the CEO of WidePoint Cybersecurity Solutions Corporation and not the CEO of WidePoint Corporation. The operation of CAs under this CPS will continue to issue certificates with cn=ORC NFI until such time as new CAs are stood up that assert cn=WidePoint NFI. Certificates issued that assert cn=ORC NFI will continue to be supported until the last valid certificate expires or is revoked. © Copyright 2016, WidePoint Corporation ii All Rights Reserved This document is proprietary and may not be disclosed to other parties, be it pursuant to the Freedom of Information Act or to any other law or regulation. WidePoint NFI CPS v1.3.6 Revision History Document Revision Version Date Revision Details 11 March Initial version established to support cross-certification with 0.1 2011 FBCA as an NFI 2 May 2011 Edits to comply with ORC NFI CP. 5 May 2011 Edits to comply with ORC NFI CP. 1.0 10 June 2011 Edits resulting from Triennial Phase 1 audit. Updates resulting from operational updates and completion 1.1 17 Nov 2011 of Triennial Phase 1 audit. 1.2 12 June 2013 Updates corresponding to changes to CP. Review and updates to Section 5.1.2 procedures to include 20 March 1.3 access for authorized WidePoint personnel and contractors; 2014 Update to OIDs; Updates resulting from 2013 audit. 1.3.1 15 July 2015 Annual review and update 1.3.2 14 Aug 2015 Formatting update Edits to Section 3.2.3.2 removing unneeded sub-heading; 1.3.3 23 Nov 2015 adding clarifying text. Add corporate name change from ORC to WidePoint Cyber 1.3.4 4 Feb 2016 Solutions Corp.; addition of Cert-on-device capabilities Add “Notice” to clarify corporate name change and its 1.3.5 28 Apr 2016 implication. 1.3.6 21 Jul 2016 Certificate policy description update © Copyright 2016, WidePoint Corporation iii All Rights Reserved This document is proprietary and may not be disclosed to other parties, be it pursuant to the Freedom of Information Act or to any other law or regulation. WidePoint NFI CPS v1.3.6 TABLE OF CONTENTS 1 Introduction ............................................................................................................................. 1 1.1 Overview ......................................................................................................................... 2 1.1.1 Certificate Policy .................................................................................................... 3 1.1.2 Relationship Between the WidePoint NFI PKI CP and the ORC NFI PKI CPS .... 3 1.1.3 Relationship between the WidePoint NFI PKI CP and the Federal Bridge Certification Authority (FBCA) CP ........................................................................................ 3 1.1.4 Scope ....................................................................................................................... 3 1.1.5 Interaction between WidePoint NFI PKI and the Federal Government ................. 4 1.2 Document Name and Identification ................................................................................ 4 1.3 PKI Entities ..................................................................................................................... 7 1.3.1 WidePoint NFI PKI Authorities.............................................................................. 7 1.3.1.1 WidePoint NFI PKI Policy Authority ................................................................. 7 1.3.1.2 WidePoint NFI PKI Certificate Management Authority (CMA) ....................... 8 1.3.1.3 ORC NFI PKI Program Manager ....................................................................... 8 1.3.1.4 Authorized ORC NFI PKI CAs .......................................................................... 8 1.3.1.5 Cross-Certification with the FBCA .................................................................. 10 1.3.1.6 Certificate Status Authority .............................................................................. 10 1.3.2 Registration Authorities ........................................................................................ 10 1.3.3 Card Management System (CMS) ........................................................................ 11 1.3.4 Subscribers ............................................................................................................ 11 1.3.5 Affiliated Organizations........................................................................................ 12 1.3.6 Relying Parties ...................................................................................................... 12 1.3.7 Other Participants.................................................................................................. 13 © Copyright 2016, WidePoint Corporation iv All Rights Reserved This document is proprietary and may not be disclosed to other parties, be it pursuant to the Freedom of Information Act or to any other law or regulation. WidePoint NFI CPS v1.3.6 1.3.7.1 WidePoint NFI PKI Local Registration Authorities (LRAs) ............................ 13 1.3.7.2 PKI Sponsor ...................................................................................................... 13 1.4 Certificate Usage ........................................................................................................... 13 1.4.1 Appropriate Certificate Uses ................................................................................. 13 1.4.1.1 Medium Assurance (Software Certificate) ....................................................... 14 1.4.1.2 Medium Hardware Assurance ........................................................................... 15 1.4.1.3 PIV-I Hardware Assurance ............................................................................... 15 1.4.1.4 PIV-I Card Authentication Assurance .............................................................. 15 1.4.1.5 PIV-I Content Signing Assurance ..................................................................... 15 1.4.1.6 Medium Device Assurance ............................................................................... 15 1.4.1.7 Medium Device Hardware Assurance .............................................................. 15 1.4.2 Prohibited Certificate Uses ................................................................................... 16 1.5 Policy Administration ................................................................................................... 16 1.5.1 Organization Administering the Document .......................................................... 16 1.5.2 Contact Person ...................................................................................................... 16 1.5.3 Persons Determining WidePoint NFI PKI CPS Suitability for the WidePoint NFI PKI Policy ............................................................................................................................. 17 1.5.4 CPS Approval Procedures..................................................................................... 17 1.6 Definitions and Acronyms ............................................................................................ 17 2 Publication and Repository Responsibilities ........................................................................ 18 2.1 Repositories................................................................................................................... 18 2.1.1 Repository Obligations ......................................................................................... 19 2.2 Publication of Certification Information ....................................................................... 20 2.2.1 Publication of Certificates and Certificate Status ................................................. 20 © Copyright 2016, WidePoint Corporation v All Rights Reserved This document is proprietary and may not be disclosed to other parties, be it pursuant to the Freedom of Information Act or to any other law or regulation. WidePoint NFI CPS v1.3.6 2.2.2 Publication of WidePoint NFI PKI CA Information ............................................ 20 2.2.3 Interoperability ...................................................................................................... 20 2.3 Frequency of Publication .............................................................................................. 21 2.4 Access Controls on Repositories .................................................................................. 21 3 Identification and Authentication ........................................................................................