COVID-19 information CLICK HERE               COVID-19 information CLICK HERE               COVID-19 information CLICK HERE 
COVID-19 information CLICK HERE               COVID-19 information CLICK HERE               COVID-19 information CLICK HERE 

Frequently Asked Questions

Applicants may perform all attended and unattended credentialing activities, such as activations, rekeys, and PIN updates, using the Light Activation Service except enrollments.

The Invoice Report, delivered in a PDF file, shows the detail behind all charges incurred during a billing month. This report contains the detailed information your finance department will need to verify charges for payment. It is not intended to be a management report (please utilize the Applicant Status Report for your management reporting needs). The billing detail will include a sub-agency breakdown (where applicable) and charges for any item ordered off the price sheet in addition to new enrollments and the monthly maintenance. (Enrollments are composed of the number of new identity accounts created during the month. The maintenance fee is a monthly charge for maintaining each identity account in the system.)

Yes, the GSA USAccess system supports certificate suspension. The suspension for certificates is supported through both the security officer and sponsor roles. A certificate is generally in the active state which is a _valid? certificate. It can also be in an _invalid-suspended? state, meaning that the certificates are currently invalid for usage and are put on the Certification Revocation List (CRL), but can be recovered at a future date. An employee who takes family leave for 10 weeks may have the certificates put in an "invalid-suspended" state while not working. When the individual returns to work, the certificates will be unsuspended by the sponsor and be valid. Another state is _invalid-revoked? which means the sponsor or security officer has deemed your certificates a risk, which is often associated with a termination action. Certificates that are in an "invalid-revoked" state are revoked and unrecoverable.

The recipient of a signed document does not need to have a PKI certificate of their own, but they will need software to verify the digital signature and view the certificate. If the recipient's email system is capable of accepting PKI digitally signed emails or documents, the recipient will be able to open the document and verify the signature and view the certificate.

If the sender wants to encrypt an email to send to the recipient, the recipient will need a PKI encryption [public] certificate and will have to provide it to the sender. Then, when the message is received, the recipient's email system can also decrypt the message.

For a new customer, if you are joining the USAccess Program and this is your first funding document with the GSA MSO, please complete the Interagency Agreement (IA) form. If this is not your first funding document with the GSA MSO, please complete the IA Addendum to add funding to your agency existing IA.

There are separate instructions for each document that you should review in order to complete. These documents are available in the Customer Agencies Onboarding Process section of this website.

Yes, USAccess uses IPAC billing. Your IPAC billing will be initiated a few days after you receive your invoice.

You will receive your first invoice one to two month(s) after your first service begins. The service may be a PIV enrollment, replacement credential, or renewal credential or any other item from the Pricing Sheet, which can be found in the Customer Agencies > Agency Orders and Services section of this website.

The GSA MSO will provide two (2) copies of the invoice, one to the program and the second to the financial point-of-contact (POC) on your Interagency Agreement(s). If additional people from your finance department would like to receive copies of the invoices, please coordinate those requests within your agency.

Once the onboarding process is complete, the GSA MSO Deployment Team will help guide you through the deployment process, beginning with ordering the services and equipment you have identified in your agency project plan. In your project plan, you will need to determine if your agency is going to host any credentialing centers or if you will use the existing shared centers. These are factors that will determine when you can start issuing PIV credentials. For more details about what you need to do, visit the USAccess Customer Agencies Getting Operational section of this website.

Most agencies in any branch of the federal government may purchase services from GSA MSO. Please contact for information.

Once you get your invoice, review it to verify your information is correct. If you believe that you have been invoiced incorrectly, please contact Lorraine Irizzarry and Lalit Bajaj at with a description of the charges you wish to dispute.

The GSA MSO will work with you to ensure your invoice is adjusted as appropriate and you are billed correctly in the subsequent month.

Please do not process a charge back. As a reminder, your signed Interagency Agreement (IA) states in section 1.8.7:

The MSO standard billing procedure is to submit a monthly billing request to the GSA Office of Finance. The Accounts Receivable Branch of the GSA Office of Finance will bill the client. These billings must be paid promptly as rendered, without pre-audit or receipt verification (FPMR 101-2.105). Any discrepancies noted after payment will be adjusted on subsequent billings.

Public Key Infrastructure (PKI) is the combination of software, encryption technologies, and services that enables entities to protect the security of their communications and business transactions on networks. Using a combination of private (e.g., secret) key and public key cryptography, PKI enables a number of other security services, including data confidentiality, data integrity and non-repudiation. PKI integrates digital certificates, public key cryptography, and certification authorities into one complete network security architecture.

A typical PKI infrastructure encompasses:

  • The issuance of digital certificates to individual users and servers
  • End-user enrollment software
  • Integration with certificate directories
  • Tools for managing, renewing, and revoking certificates
  • Other related services and support

A PKI certificate allows someone to digitally bind their identity and use the certificate to perform some of these functions:

  • Encrypt and authenticate e-mail messages and documents
  • Digitally sign e-mail messages and documents
  • Authentication and/or authorization of users to networks and applications e.g., PIV credential login
  • Authorization of a user to an application giving rights to perform specific functions
  • Perform any of the above functions using a personal computer or mobile device

As a government employee or contracted worker, you may need now, or at some time in the future, a PKI certificate to gain access to the agency information network and systems.

The GSA MSO Shared Service Provider, Entrust Managed Services (EMS) Shared Service Provider (SSP) publishes certificate status in Certificate Revocation Lists (CRLs) accessible via LDAP and HTTP. In addition, EMS SSP supports validation of PKI certificates via Online Certificate Status Protocol (OCSP). The information for validation of a PKI certificate is contained within each certificate.

The costs for each agency will vary depending on the services an agency wants to purchase. There is no set formula, as there are a number of variables that will affect the prices. To learn about the services offered and the prices associated with the USAccess Program, you may review the USAccess Price List.

Yes, the certificate profile is defined in the Federal PKI Common Policy at

In order to participate in the USAccess Program, your agency must complete the onboarding process. To begin, follow these steps:
1. To begin the process, visit the USAccess Customer Agencies Onboarding Process section of this website to download the GSA InterAgency Agreement form and instructions. Once you have filled out and signed the form, please return it to Lorraine Irizzarry and Lalit Bajaj at

2. Upon receipt and acceptance of your InterAgency Agreement form, GSA MSO personnel will work with you to build an agency-specific configuration for the PIV credential (e.g., agency seal, optional fields, and hardware options).

3. Next, the MSO will assist you with the setting up the first four (4) role holders information in the USAccess System. At a minimum, those roles are sponsor, security officer, adjudicator, and role administrator.

For questions about Light Solution, please contact:
USAccess Role Holder Helpdesk

FIPS 201 is the technical standard that HSPD-12 required the National Institute of Standards and Technology (NIST) to develop. FIPS 201 is entitled _Personal Identity Verification (PIV) for Federal Employees and Contractors.? The standard requires the collection of fingerprint and facial information for inclusion on the credential. (Government agencies already use such information to differing degrees depending on the agency.) The PIV credential will contain both a "contact" smart chip and a "contactless" chip. Containing both a "contact" and "contactless" chip will allow the credential to be read by devices that need direct contact with the credential and devices that can read the credential remotely. FIPS 201 was issued on February 27, 2005. The first revision of FIPS 201-1 was finalized in June 2006. The second revision of FIPS 201-2 was finalized in August 2013.

The Homeland Security Presidential Directive 12 (HSPD-12) is the directive that was issued for "Policy for a Common Identification Standard for Federal Employees and Contractors". HSPD-12 calls for all federal employees and contractors to use a standard smart credential to verify their identity for secure access to federal buildings and information systems.

HSPD-12 called upon the National Institute of Standards and Technology (NIST) to develop the actual technical standard, and the Office of Management and Budget (OMB) to manage implementation of the credentials. The uses of the credentials are left to the agencies themselves to decide.

The purpose of HSPD-12 is to provide a common reliable identification verification for government employees and contractors. It will help to protect against a variety of threats including: 

  • Unauthorized access to physical facilities or logical assets
  • Improper issuance of valid credential to malicious holder
  • Counterfeiting of credentials
  • Intercept or probing to access stored information
  • Successful cryptanalytic attacks against stored protected information
  • Use of stolen or borrowed credential to gain access to physical or logical systems
  • Intercept/technical surveillance to capture PIN(s)
  • Use of credential issued for access to lower sensitivity/criticality assets to achieve access to more sensitive/critical assets


GSA is offering the USAccess Program to help reduce the costs for participating agencies associated with procuring FIPS 201-compliant equipment, software, and services.
GSA expects to reduce costs by leveraging the collective buying power of the government through a shared-services approach. Using this approach, the program spreads infrastructure costs among all USAccess Program shareholders, which in turn reduces the overall price for each individual participant. For the price list and more information on costs associated with the USAccess Program, please contact the GSA Managed Service Office.

For agencies, the USAccess Program simplifies the process of sponsoring, enrolling, adjudicating, and credentialing applicants while maintaining the lifecycle of these credentials for each participant. For more benefits, visit Program Benefits. Employees and contractors (i.e. applicants) can trust that PIV credentials issued under the USAccess Program are secure, reliable, and comply with the government-established HSPD-12 standard.

The General Services Administration Managed Services Office offering, USAccess, delivers an end-to-end solution as a shared service to participating federal agencies. By enrolling in the USAccess Program, participants gain access to a standard, end-to-end contractor managed service.

Service components included in the USAccess Program:
Credential production, issuance, activation, and management;
Role holder administration and management;
Reporting, and
Public Key Infrastructure (PKI)

In addition to these components, the USAccess Program offers a suite of support services including deployment, training and customer support.GSA selected Electronic Data Systems (EDS) in 2007 (since renamed Perspecta) as the prime contractor to provide technology and services in support of the USAccess Program. Through EDS, GSA acquired innovative, yet standardized, end-to-end contractor managed services.

As outlined in the Homeland Security Presidential Directive 12 (HSPD-12), each government agency must issue PIV compliant credentials to its employees. In response to HSPD-12 the GSA MSO established the USAccess Program. The USAccess Program aims to ease participants from the burden of acquiring services, coordinating integration with governments systems, and managing contracted vendors. The GSA MSO serves as the executive agent for the program and will oversee all of these functions.
Agencies participating in the USAccess Program gain economies of scale from the shared services model. Leveraging the volume and program management requirements allows participants to concentrate on usage of the credential for physical and logical access controls and leads to cost reductions across the government.

The PIV requirements are based on the Homeland Security Presidential Directive-12 (HSPD-12) that requires federal agencies to issue secure and reliable forms of personal identification:

  • Based on sound criteria to verify an individual employee identity
  • That are strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation
  • That can provide rapid electronic verification of personal identity
  • That contain identity tokens issued only by providers whose reliability has been established by an official accreditation process
  • Applicable to all government organizations and contractors
  • To be used to grant access to federally-controlled facilities and logical access to federally-controlled information systems
  • Not applicable to identification associated with national security systems
  • To be implemented in a manner that protects individual privacy


Email This Link