Frequently Asked Questions

The FAQs on this page are related to the information in the Customer Agencies section of this Website including specific information about the benefits of the USAccess program for your agency, processes to onboard into the USAccess Program and establish and certify your center. FAQs relating to About USAccess or the Credential Holders reside in those sections.


The USAccess Program utilizes UPS overnight shipping. Once printed, the PIV credentials are shipped according to the sponsor selected shipping preference. Credentials must be shipped to valid shipping addresses, registered in the USAccess system. PO Boxes may not be used to ship credentials.

Monthly payments on Fixed Dedicated Stations are stopped by a decommission. Payments will not be stopped or suspended due to inactivity or by taking a station offline. In the event that a site wishes to decommission a fixed (shared or dedicated) station, please follow the checklist below: 1. Email with notification of the intent to decommission. 2. The MSO will coordinate the paperwork and the site POC will be contacted within a few weeks with instructions on returning the equipment, as well as pre-paid boxes to use for return shipment. 3. If you wish to replace your station with a mobile solution, credentialing units can be leased from GSA USAccess.

No, the USAccess Program does not issue temporary credentials or certificates.

Agencies interested in ordering new USAccess CUs, Printers, Light Activation Kits can contact the MSO at If the equipment ordered is for a new Fixed Site (a Credentialing Center with a Fixed CU), then the GSA USAccess MSO will send a SET Worksheet for the Site to complete. Completed forms and SET Worksheets should be submitted to the MSO at

The Light Activation Kit allows for all credentialing actions, except enrollment.

The kit contains the following:

  • Two card readers and drivers
  • One single fingerprint device and drivers
  • ActivClient v6.1 with appropriate Service Packs and Hot Fixes
  • CMS Public Root certificate
  • Java runtime v1.6 Update 12 or newer
  • Consolidated install utility
  • Network connection test utility
  • Shortcuts to PIN Reset portal and Privacy Act
  • Light Activation Installation and User Guides and various Job Aids

Applicants may perform all attended and unattended credentialing activities, such as activations, rekeys, and PIN updates, using the Light Activation Service except enrollments.

The Invoice Report, downloadable in Excel file, shows the detail behind all charges incurred during a billing month. This report contains the detailed information your finance department will need to verify charges for payment. It is not intended to be a management report (please utilize the Applicant Status Report for your management reporting needs). The billing detail will include a sub-agency breakdown (where applicable) and charges for any item ordered off the price sheet in addition to new enrollments and the monthly maintenance. (Enrollments are composed of the number of new identity accounts created during the month. The maintenance fee is a monthly charge for maintaining each identity account in the system.)

Yes, the GSA USAccess system supports certificate suspension. The suspension for certificates is supported through both the security officer and sponsor roles. A certificate is generally in the active state which is a _valid? certificate. It can also be in an _invalid-suspended? state, meaning that the certificates are currently invalid for usage and are put on the Certification Revocation List (CRL), but can be recovered at a future date. An employee who takes family leave for 10 weeks may have the certificates put in an "invalid-suspended" state while not working. When the individual returns to work, the certificates will be unsuspended by the sponsor and be valid. Another state is _invalid-revoked? which means the sponsor or security officer has deemed your certificates a risk, which is often associated with a termination action. Certificates that are in an "invalid-revoked" state are revoked and unrecoverable.

The recipient of a signed document does not need to have a PKI certificate of their own, but they will need software to verify the digital signature and view the certificate. If the recipient's email system is capable of accepting PKI digitally signed emails or documents, the recipient will be able to open the document and verify the signature and view the certificate.

If the sender wants to encrypt an email to send to the recipient, the recipient will need a PKI encryption [public] certificate and will have to provide it to the sender. Then, when the message is received, the recipient's email system can also decrypt the message.

For a new customer, if you are joining the USAccess Program and this is your first funding document with the GSA MSO, please complete the Interagency Agreement (IA) form. If this is not your first funding document with the GSA MSO, please complete the IA Addendum to add funding to your agency existing IA.

There are separate instructions for each document that you should review in order to complete. These documents are available in the Customer Agencies Onboarding Process section of this website.

Yes, USAccess uses IPAC billing. Your IPAC billing will be initiated a few days after you receive your invoice.

You will receive your first invoice one to two month(s) after your first service begins. The service may be a PIV enrollment, replacement credential, or renewal credential or any other item from the Pricing Sheet, which can be found in the Customer Agencies > Agency Orders and Services section of this website.

Designated agency finance PoC's can directly access the invoice off of the website. If additional people from your finance department would like to receive copies of the invoices, please coordinate those requests within your agency while ensuring that all IT security requirements are met.
To designate a new or update an existing finance PoC, email:

Once the onboarding process is complete, the GSA MSO Deployment Team will help guide you through the deployment process, beginning with ordering the services and equipment you have identified in your agency project plan. In your project plan, you will need to determine if your agency is going to host any credentialing centers or if you will use the existing shared centers. These are factors that will determine when you can start issuing PIV credentials. For more details about what you need to do, visit the USAccess Customer Agencies Getting Operational section of this website.

Most agencies in any branch of the federal government may purchase services from GSA MSO. Please contact for information.

Once you get your invoice, review it to verify your information is correct. If you believe that you have been invoiced incorrectly, please contact Lorraine Irizzarry and Lalit Bajaj at with a description of the charges you wish to dispute.

The GSA MSO will work with you to ensure your invoice is adjusted as appropriate and you are billed correctly in the subsequent month.

Please do not process a charge back. As a reminder, your signed Interagency Agreement (IA) states in section 1.8.7:

The MSO standard billing procedure is to submit a monthly billing request to the GSA Office of Finance. The Accounts Receivable Branch of the GSA Office of Finance will bill the client. These billings must be paid promptly as rendered, without pre-audit or receipt verification (FPMR 101-2.105). Any discrepancies noted after payment will be adjusted on subsequent billings.

Public Key Infrastructure (PKI) is the combination of software, encryption technologies, and services that enables entities to protect the security of their communications and business transactions on networks. Using a combination of private (e.g., secret) key and public key cryptography, PKI enables a number of other security services, including data confidentiality, data integrity and non-repudiation. PKI integrates digital certificates, public key cryptography, and certification authorities into one complete network security architecture.

A typical PKI infrastructure encompasses:

  • The issuance of digital certificates to individual users and servers
  • End-user enrollment software
  • Integration with certificate directories
  • Tools for managing, renewing, and revoking certificates
  • Other related services and support

A PKI certificate allows someone to digitally bind their identity and use the certificate to perform some of these functions:

  • Encrypt and authenticate e-mail messages and documents
  • Digitally sign e-mail messages and documents
  • Authentication and/or authorization of users to networks and applications e.g., PIV credential login
  • Authorization of a user to an application giving rights to perform specific functions
  • Perform any of the above functions using a personal computer or mobile device

As a government employee or contracted worker, you may need now, or at some time in the future, a PKI certificate to gain access to the agency information network and systems.

The GSA MSO Shared Service Provider, Entrust Managed Services (EMS) Shared Service Provider (SSP) publishes certificate status in Certificate Revocation Lists (CRLs) accessible via LDAP and HTTP. In addition, EMS SSP supports validation of PKI certificates via Online Certificate Status Protocol (OCSP). The information for validation of a PKI certificate is contained within each certificate.

The costs for each agency will vary depending on the services an agency wants to purchase. There is no set formula, as there are a number of variables that will affect the prices. To learn about the services offered and the prices associated with the USAccess Program, you may review the USAccess Price List.

Yes, the certificate profile is defined in the Federal PKI Common Policy at

In order to participate in the USAccess Program, your agency must complete the onboarding process. To begin, follow these steps:
1. To begin the process, visit the USAccess Customer Agencies Onboarding Process section of this website to download the GSA InterAgency Agreement form and instructions. Once you have filled out and signed the form, please return it to Lorraine Irizzarry and Lalit Bajaj at

2. Upon receipt and acceptance of your InterAgency Agreement form, GSA MSO personnel will work with you to build an agency-specific configuration for the PIV credential (e.g., agency seal, optional fields, and hardware options).

3. Next, the MSO will assist you with the setting up the first four (4) role holders information in the USAccess System. At a minimum, those roles are sponsor, security officer, adjudicator, and role administrator.

For questions about Light Solution, please contact:
USAccess Role Holder Helpdesk

Email This Link