Treasury Orders and Directives

TREASURY DIRECTIVE 16-02

Date: December 21, 1992

Sunset Review: TBD

Expiration Date: TBD

SUBJECT: Electronic Funds and Securities Transfer Policy Message Authentication and Enhanced Security

1. PURPOSE. This directive states Treasury policy to assure the integrity of the Government's electronic funds transfer (EFT) data.

2. SCOPE. This directive applies to all bureaus, the Departmental Offices (DO), and the Office of Inspector General.

3. POLICY. It is the policy of the Department of the Treasury that EFT transactions be properly authenticated. Authentication measures must conform to American National Standards Institute Standard X9.9, "American National Standard for Financial Institution Message Authentication" or equivalent authentication technique. This standard establishes a universally applicable method to authenticate financial messages, including fund transfers, letters of credit, security transfers, loan agreements, and foreign exchange contracts which are transmitted by electronic means.

a. These measures shall be applied to Federal systems which originate, transmit, relay, receive, or process Federal Government EFT transactions to prevent the undetected, deliberate or inadvertent unauthorized manipulation, modification, or loss of EFT data.

b. Equipment designed and used to perform the authentication function must comply with Federal Information Processing Standard (FIPS) 140, "General Security Requirements for Equipment Using the Data Encryption Standard," dated April 14, 1982, which specifies the minimum general security requirements to be satisfied in implementing FIPS Pub. 46, "Data Encryption Standard" (DES), dated January 15, 1977. Keying material used in DES authentication must be generated and protected in accordance with approved methods as specified in this directive.

4. DEFINITIONS.

a. EFT Wire Transaction. This is defined as the movement of value from one party to another by electronic means. This does not include physical media transfers by magnetic tape, cartridge, diskette or other similar technology.

b. EFT Other Media Transaction. This is defined as the movement of value from one party to another through magnetic tape, etc.

c. Federal EFT System. A system owned, rented or leased by the U.S. Government to process EFT data.

5. RESPONSIBILITIES.

a. The Fiscal Assistant Secretary is responsible for:

(1) implementing the provisions of this directive within the Department and Governmentwide, under the authority of Treasury Order (TO) 106-09; and

(2) determining, on a case-by-case basis, the application of EFT authentication to other media transactions.

b. The Deputy Assistant Secretary (Administration), Heads of Bureaus, and the Inspector General, as it relates to their respective bureaus and offices, shall:

(1) ensure that all Federal EFT wire transaction systems shall be in compliance with the provisions of this directive; and

(2) ensure that all new Federal EFT systems and interfaces between systems comply with the provisions of this directive.

c. The Director, Office of Security, DO, under authority delegated to the Assistant Secretary (Management) and redelegated to the Director, Office of Security, shall:

(1) certify and maintain a list of approved authentication equipment and software techniques;

(2) provide technical support to aid in supporting this directive, which includes maintaining sources of key material, evaluating appropriate levels of physical and ADP security, and maintaining workable doctrine on the implementation of the X9.9 Standard; and

(3) approve all equipment and techniques used in conjunction with this directive.

6. CANCELLATION. Treasury Directive 16-02, "Electronic Funds and Securities Transfer Policy -- Message Authentication and Enhanced Security," dated October 3, 1986, is superseded.

7. AUTHORITY. TO 106-09, "Electronic Funds and Securities Transfer Policy -- Message Authentication and Enhanced Security," dated October 2, 1986.

8. REFERENCES.

a. FIPS Standard 140, "General Security Requirements for Equipment Using the Data Encryption Standard," dated April 14, 1982.

b. FIPS Pub. 46, "Data Encryption Standard" (DES), dated January 15, 1977.

9. OFFICE OF PRIMARY INTEREST. Office of the Fiscal Assistant Secretary.

Gerald Murphy

Fiscal Assistant Secretary