TMWD Tumbleweed Communications Corp (MM)

Army Accelerating PKI Implementation to Meet New DoD-Wide Mandate Requiring 100 Percent Smart Card Log-On Authentication by July 31, 2006 Tumbleweed(R) Communications Corp. (NASDAQ:TMWD), a leading provider of email security, managed file transfer, and identity validation appliance and software products, today announced that the United States Army has contracted with TKCIS, an Alaskan Native 8(a) corporation, to procure the Tumbleweed Validation Authority(TM) (VA) in support of the Army's efforts to achieve enterprise-wide public key infrastructure (PKI) validation for smart card log-on and secure messaging. Tumbleweed VA is based on the open standard Online Certificate Status Protocol (OCSP, RFC 2560), and is already the most widely deployed PKI validation solution in the U.S. Department of Defense (DoD). Designed to validate the status of digital certificates in real time, Tumbleweed VA ensures that revoked credentials cannot be used for secure email, smart card login, web access, wireless, VPN, or other electronic transactions. The Army began accelerating deployment of Tumbleweed VA earlier this month in response to a new DoD-wide mandate requiring all military services and agencies to implement PKI and 100 percent use of smart card cryptographic log-on to the Non-Classified IP Router Network by July 31, 2006. The mandate also requires implementation of public key enabling for user authentication, digital signatures, and encryption on all desktops, servers, and laptops. The Joint Task Force-Global Network Operations (JTF-GNO) accelerated the PKI implementation schedule in response to an increasing number of attacks and attempts to steal U.S. military secrets and slow network operations. The use of VA for enabling smart card cryptographic log-on also meets other directives on identity protection, including Homeland Security Presidential Directive 12 (HSPD 12). "This award supports the Army's goal to leverage the existing investment in its public key infrastructure, and to realize the Tumbleweed VA's potential as an enabling technology for protecting critical information infrastructures and assuring the integrity of communications," said Ann Smith, Tumbleweed's Vice President, Federal Sales. "Once VA is fully deployed, more than 800,000 Army personnel will be able to use their Common Access Cards (CAC) in compliance with the new DoD mandate to access department networks, communicate via e-mail, and conduct other transactions with a substantially greater level of assurance." Under its PKI initiative, the DoD has issued almost five million digital certificates to military personnel and civilian contractors. This digital certificate, stored on a CAC or "smart" card, includes the user's name, organization, and other identification information. The smart card is used to secure mission-critical applications such as email, web server access, network access, and system login. As part of the DoD's "Defense In Depth" strategy, all DoD senders must digitally sign email messages using their smart card. Like any physical credential, however, digital certificates must be validated at time of use to ensure the certificate is not revoked or expired. In particular, DoD organizations must validate the status of the digital certificate stored on the smart card when used to sign an email message or perform any trusted transaction. To align operations with the DoD's PKI and Defense In Depth initiatives, the Army decided to standardize on Tumbleweed VA, concluding that the product satisfies its requirements for a cost-effective solution that provides capabilities to speed the real-time validation of digital certificates, ensure secure communications, and to support the system-wide use of smart cards for cryptographic access to desktop, server, and network resources. Performing cryptographic logon via smart card will eliminate the need for individuals to use multiple passwords for accessing network systems. In addition to supporting the Army's PKI initiatives, the contract award to TKCIS will help the Army expand its efforts to increase the percentage of government contracts awarded to Native American and tribally-owned small businesses. Partnering with Tumbleweed will enable TKCIS to expand the depth and breadth of the solutions and expertise the company can offer. TKCIS' Senior Vice President, GSA & Systems Integration Division, Joel Lipkin, notes that "as an IT solutions and services provider, you must have the ability to offer industry-leading components to drive real growth and satisfy customer requirements. Partnering on this contract with Tumbleweed, clearly a market leader in email security, file transfer security, and identity validation solutions, provides us with a greater business development platform for driving growth in the solutions as well as the services components of our operations." About Tumbleweed Validation Authority Tumbleweed Validation Authority (VA) ensures the validity and integrity of highly valued and trusted transactions. Validation Authority is a Certificate Authority (CA) neutral, extensible server that utilizes multiple validation protocols for checking the validity of X.509 certificates within Public Key Infrastructure (PKI) environments. Validation Authority delivers a comprehensive, scalable, and reliable framework for validating digital certificates in real time, and can validate a certificate issued by any CA. It complies with Federal Information Protection Standard (FIPS) 140-l, DOD Joint Interoperability Testing Command, and Identrus standards. Additionally, Validation Authority is completing Common Criteria (ISO/IEC 15408) Evaluation Assurance Level (EAL-3) certification by the National Information Assurance Partnership (NIAP), a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). Tumbleweed VA is the first fully open standards product to enable digital certificate status validation in large scale distributed computing environments through the introduction of a new Repeater-Responder architecture, a significant innovation in digital certificate validation and PKI. A Repeater is an OCSP caching server which can be pre-loaded with OCSP responses generated by a Responder, as well as dynamically build up an OCSP response cache by acting as a proxy for client requests to a Responder. The product's flexible architecture improves performance, security, fault-tolerance, and overall robustness of PKI. Since Repeaters and Responders do not need to be in the same administrative domain, Responders (and their associated private keys) can be further secured via a firewall or air gap. Additionally, since Repeaters do not need to perform any digital signing operations, they enable organizations to scale their digital certificate validation infrastructures without incurring the additional cost of hardware signing modules. SAFE HARBOR STATEMENT Tumbleweed cautions that forward-looking statements contained in this press release are based on current plans and expectations, and that a number of factors could cause the actual results to differ materially from the guidance given at this time. These factors are described in the Safe Harbor statement below. Except for the historical information contained herein, the matters discussed in this press release may constitute forward-looking statements that involve risks and uncertainties that could cause actual results to differ materially from those projected, particularly with respect to the deployment of Tumbleweed Validation Authority by the U.S. Department of Defense, as well as the performance and functionality of Tumbleweed's products. In some cases, forward-looking statements can be identified by terminology such as "may," "will," "should," "potential," "continue," "expects," "anticipates," "intends," "plans," "believes," "estimates," and similar expressions. For further cautions about the risks of investing in Tumbleweed, we refer you to the documents Tumbleweed files from time to time with the Securities and Exchange Commission, particularly Tumbleweed's Form 10-K filed March 16, 2005 and Form 10-Q filed November 2, 2005. Tumbleweed assumes no obligation to update information contained in this press release, including for example its guidance regarding its future performance, which represents Tumbleweed's expectations only as of the date of this release and should not be viewed as a statement about Tumbleweed's expectations after such date. Although this release may remain available on Tumbleweed's website or elsewhere, its continued availability does not indicate that Tumbleweed is reaffirming or confirming any of the information contained herein. About TKC Integration Services, LLC TKC Integration Services (TKCIS) is a small disadvantaged business, an SBA-certified 8(a) Corporation, a tribally-owned Native American Corporation, and an Alaskan Native Corporation with an extensive track record in delivering a wide spectrum of technology solutions for the Federal government. TKCIS is 100% owned by TKC Management Services Company (TKCMS), a holding company charged with growing companies that generate income to be distributed to over 13,000 Native American shareholders. Known for phenomenal service and exceptional accuracy in client delivery, the TKC companies currently provide over $140,000,000 in services to federal and commercial customers, with core expertise in telecommunications, information technology, product development, major program management, construction management, facility operations, and operations support. For more information on TKCIS, go to www.tkcis.com. Additional information on TKCMS and its subsidiaries is available at www.tkcms.com. About Tumbleweed Communications Corp. Tumbleweed provides security solutions for email protection, file transfers, and identity validation that allow organizations to safely conduct business over the Internet. Tumbleweed offers these solutions in three comprehensive product suites: MailGate(R), SecureTransport(TM), and Validation Authority(TM). MailGate provides protection against spam, viruses, and attacks, and enables policy-based message filtering, encryption, and routing. SecureTransport enables business to safely exchange large files and transactions without proprietary software. Validation Authority is the world-leading solution for determining the validity of digital certificates. Tumbleweed's enterprise and government customers include ABN Amro, Bank of America Securities, Catholic Healthcare West, JP Morgan Chase & Co., The Regence Group (Blue Cross/Blue Shield), St. Luke's Episcopal Healthcare System, the U.S. Food and Drug Administration, the U.S. Department of Defense, and all four branches of the U.S. Armed Forces. Tumbleweed was founded in 1993 and is headquartered in Redwood City, Calif. For additional information about Tumbleweed go to www.tumbleweed.com or call 650-216-2000. Tumbleweed, MailGate, SecureTransport and Validation Authority are either registered trademarks or trademarks of Tumbleweed Communications Corp. in the United States and/or other countries. All other trademarks are the property of their respective owners.