OMB HOME • FEDERAL REGISTER NOTICES
OFFICE
OF MANAGEMENT AND BUDGET
AGENCY: Office
of Management and Budget, Executive Office of the President
ACTION: Proposed
Implementation of the Government Paperwork Elimination Act.
SUMMARY: The
Office of Management and Budget (OMB) requests public and agency comment
on proposed procedures and guidance to implement the Government Paperwork
Elimination Act (GPEA). Under the GPEA, agencies must generally provide
for the optional use and acceptance of electronic documents and signatures,
and electronic record keeping where practicable, by October 2003.
DATES: Persons
who wish to comment on the GPEA procedures and guidance should submit
their comments no later than Friday, July 5, 1999. Each Department
and Agency is asked to submit a single coordinated set of comments.
ADDRESS: Electronic
comments will be included as part of the official record. Please send
comments electronically to: gpea@omb.eop.gov. Alternatively, hardcopy
comments may be addressed to: Information Policy and Technology Branch,
Office of Information and Regulatory Affairs, Office of Management
and Budget, Room 10236 New Executive Office Building, Washington, D.C.
20503.
ELECTRONIC
AVAILABILITY: This document is available on the Internet
in the OMB library of the "Welcome to the White House" home
page, /OMB/, the CIO Council's home page, http://cio.gov, and at
the Government Information Technology Services Board's security home
page at http://gits-sec.treas.gov.
FOR
FURTHER INFORMATION CONTACT: Peter Weiss, Information Policy
and Technology Branch, (202) 395-3630. Press inquiries should be
addressed to the OMB Communications Office, (202) 395-7254.
SUPPLEMENTARY
INFORMATION: Public confidence in the security of the government's
electronic information and information technology is essential in
creating government services that are more accessible, efficient,
and easy to use. Electronic commerce, electronic mail, and electronic
benefits transfer sensitive information within government, between
the government and private industry or individuals, and among governments.
These electronic systems must protect the information's confidentiality,
assure that the information is not altered in an unauthorized way,
and be available when needed. A corresponding policy and management
structure must support these protections.
In a major
step in this direction, the Congress recently enacted legislation,
supported by the Administration, intended to increase the ability of
citizens to interact with the Federal government electronically. The
Government Paperwork Elimination Act, Title XVII of Pub. L. 105-277,
provides for Federal agencies, by October 21, 2003, to give persons
who are required to maintain, submit, or disclose information the option
of doing so electronically when practicable as a substitute for paper,
and to use electronic authentication (electronic signature) methods
to verify the identity of the sender and the integrity of electronic
content. The Act specifically provides that electronic records and
their related electronic signatures are not to be denied legal effect,
validity, or enforceability merely because they are in electronic form.
OMB's proposed
implementation of the Act is in two parts. The first part sets forth
the policies and procedures for implementing the Act, and requesting
certain specific agencies to provide assistance in particular areas.
The second part is intended to provide Federal managers with practical
implementation guidance.
OMB requests
comments on the proposed procedures and guidance.
Donald
Arbuckle
Deputy Administrator and Acting Administrator
Office of Information and Regulatory Affairs
Proposed
OMB Procedures and Guidance on Implementing the Government Paperwork
Elimination Act
This provides
Executive agencies with the guidance needed to implement the Government
Paperwork Elimination Act (GPEA), P. L. 105-277, Title XVII, which
took effect on October 21, 1998. The GPEA is an important tool to fulfill
the Administration's vision of improved customer service and governmental
efficiency through the use of information technology. This vision,
articulated in Vice President Gore's 1997 report, Access America (http://gits.gov),
involves widespread use of the Internet, with Federal agencies transacting
business electronically, in the same way as commercial enterprises.
Those who wished to do business in this way could avoid traveling to
government offices, waiting in line, or mailing paper forms. Delivery
of government services in this way would normally save the government
time and money as well.
Access America
recognized, however, that:
Public
confidence in the security of the government's electronic information
and information technology is essential to creating government services
that are more accessible, efficient, and easy to use. Electronic commerce,
electronic mail, and electronic benefits transfer sensitive information
within government, between governments and private industry or individuals,
and among governments. These electronic systems must protect the information's
confidentiality, assure that the information is not altered in an unauthorized
way, and be available when needed.
PART I.
Policy and Procedures
Section
1. Policy
The GPEA
charges the Office of Management and Budget, in consultation with the
Commerce Department and other appropriate entities, with the development
of procedures for Executive agencies to follow in using and accepting
electronic documents and signatures. These procedures reflect and are
to be executed with due consideration of the following policies:
- maintaining
compatibility with standards and technology for electronic signatures
generally used in commerce and industry and by State governments;
- not
inappropriately favoring one industry or technology;
- ensuring
that electronic signatures are as reliable as is appropriate for
the purpose in question and that electronic record keeping systems
reliably preserve the information submitted;
- providing
wherever appropriate for the electronic acknowledgment of electronic
filings that are successfully submitted; and
- providing,
to the extent feasible and appropriate, for multiple methods of electronic
signatures or identifiers for the submission of such forms where
the agency anticipates receipt of 50,000 or more electronic submittals
of a particular form.
Section
2. Procedures
- The
GPEA recognizes that adoption of electronic systems should be consistent
with the need to ensure that investments in information technology
are economically prudent to accomplish the agency's mission and give
due regard to privacy and security. Moreover, it is Administration
policy that a decision to not allow the option of electronic filing
and record keeping should be supported by a specific showing that,
in the context of a particular application, there is no reasonably
cost-effective combination of technologies and management controls
that can minimize the risk of significant harm. Accordingly, agencies
should develop and implement plans to use and accept documents in
electronic form, and engage in electronic transactions.
- An
agency's determination of which technology is appropriate for a given
transaction must include a risk assessment, and an evaluation of
targeted customer or user needs. Performing a risk assessment to
evaluate electronic signature alternatives should not be viewed as
an isolated activity or an end in itself. These agency risk assessments
should draw from and feed into the interrelated requirements of the
Paperwork Reduction Act, the Computer Security Act, the Government
Performance and Results Act, the Clinger-Cohen Act, the Federal Managers
Financial Integrity Act, and the Chief Financial Officers Act.
- The
initial use of the risk assessment is to identify and mitigate risks
in the context of available technologies and their relative total
costs and effects on the program being analyzed. The assessment also
should be used to develop baselines and verifiable performance measures
that track the agency's mission, strategic plans, and tactical goals.
- The
analysis of costs and benefits should be designed so that it can
be used, not only as a guide to selecting among the technologies
under consideration, but also to generate a business case and verifiable
return on investment to support decisions regarding overall programmatic
direction, investment decisions, and budgetary priorities. The effects
on the public and its needs and readiness to move to an electronic
environment are important considerations.
Section
3. Agency Responsibilities
- In order to ensure a smooth and cost-effective transition to
a more electronic government providing improved service to the public,
each agency shall:
- include
in its strategic IT plans supporting program responsibilities
(required under OMB Circular A-11) a summary of the agency's
schedule to implement optional electronic maintenance, submission,
or disclosure of information when practicable as a substitute
for paper, including through the use of electonic signatures
when practicable, by the end of Fiscal Year 2003 (note: agencies
need not revise their reports on Federal purchasing and payment
already required by OMB M-99-02, but should include the automation
of purchasing and payment functions in their schedule);
- consider
whether an appropriate combination of information security practices,
authentication technologies and management controls for each
application will be practicable, and if so, which combination
will minimize risk and maximize benefits in a cost effective
manner;
- promulgate
or amend regulations or policies as necessary and appropriate
to: (1) implement optional electronic submission, maintenance,
or disclosure of information, and the use of any necessary electronic
signature alternatives; and (2) permit private employers who
have record keeping responsibilities imposed by the Federal government
to electronically store and file information pertaining to their
employees electronically;
- maintain
appropriate information system confidentiality and security in
accordance with the guidance contained OMB Circular A-130,
Appendices
I and III, and use, to the maximum extent practicable, technologies
either prescribed in Federal Information Processing Standards
promulgated by the Secretary of Commerce or supported by voluntary
consensus standards as defined in OMB Circular A-119;
- provide,
to the extent feasible and appropriate, more than one electronic
signature option for public reporting forms which are collected
annually in electronic form from more than 50,000 respondents;
and
- report
progress against the strategic plans developed in response to
1. above through the annual agency reports submitted to OMB under
the Paperwork Reduction Act, including any determination that
a particular application is inappropriate for conversion to electronic
filing.
(b) Department of Commerce
Department
of Commerce shall promulgate Federal Information Processing Standards
as appropriate to further the specific goals of the GPEA. The
Department should also develop best practices in the area of
authentication technologies and implementations, including cryptographic
digital signature technology, with assistance from the Government
Information Technology Services Board, the Chief Information
Officers Council and the President's Management Council.
(c)
Department of the Treasury
The Department
of the Treasury shall prescribe policies and practices for
the use of electronic authentication techniques in Federal payments
and collections, and ensure that they fulfill the the goals
of GPEA.
(d)
Department of Justice
The Department
of Justice shall develop and publish practical guidance on
legal considerations related to agency use of electronic filing
and record keeping.
(e)
General Services Administration
The General
Services Administration shall support agencies' implementation
of electronic signatures and related electronic service delivery.
Part
II. Paperwork Elimination Through the Use of Electronic Signatures
and Electronic Record Keeping
This part
provides Federal managers with basic information to assist in planning
for an orderly and efficient transition to electronic government.
Section
1. Introduction and Background.
- As
required by the Government Paperwork Elimination Act (GPEA),
this Part provides guidance for agencies to use in deciding whether
to use electronic signature technology for an application, which
electronic signature technology may be most appropriate, and
how to minimize the risk of fraud, error, or misuse when implementing
an electronic signature technology to authenticate electronic
transactions. These procedures are consistent with the requirement
of the Paperwork Reduction Act of 1995 (PRA) that agencies shall "consistent with the Computer
Security Act of 1987 (CSA)(40 U.S.C. 759 note), identify and afford
security protections commensurate with the risk and magnitude of
the harm resulting from the loss, misuse, or unauthorized access
to or modification of information collected or maintained by or on
behalf of an agency." 44 U.S.C. 3506(g)(3).
- As
the GPEA, PRA, and CSA recognize, the goal of information security
is to protect the integrity of electronic records and transactions.
Different security approaches offer varying levels of assurance
in an electronic environment. Among these approaches (in an ascending
level of assurance) are 1) the so-called "shared secrets" methods,
e.g., personal identification numbers or passwords, 2) digitized
signatures or biometric means of identification such as fingerprints
or retinal patterns and voice recognition, and 3) digital signatures.
Combinations of approaches (e.g., digital signatures with biometrics)
are also possible and may provide even higher levels of assurance.
Deciding which to use in an application depends upon the risks
associated with the loss, misuse or compromise of the information
compared to the cost and effort associated with deploying and
managing the increasingly secure methods to mitigate those risks.
Agencies must strike a balance, recognizing that achieving absolute
security is likely to be in most cases highly improbable and
prohibitively expensive.
Section
2. What is An "Electronic Signature?"
- The
GPEA defines "electronic signature" as follows:
a
method of signing an electronic message that --
(A) identifies and authenticates a particular person as the source
of the electronic message; and
(B) indicates such person's approval of the information contained in
the electronic message. (GPEA, section 1709(1)).
This definition
should be interpreted by reference to accepted legal definitions
of signatures. The term "signature" has long been understood
as including "any symbol executed or adopted by a party with present
intention to authenticate a writing." (Uniform Commercial Code,
1-201(39)(1970)). These flexible definitions permit the use of different
electronic signature technologies, such as digital signatures, digitized
signatures or biometrics, discussed below. For this reason, while
it is the case that, for historical reasons, the Federal Rules of
Evidence are tailored to the admissibility of paper-based evidence,
the Rules of Evidence have no bias against electronic evidence.
- In enacting the GPEA, Congress addressed the legal effect and
validity of electronic signatures or other electronic authentication:
Electronic
records submitted or maintained in accordance with procedures developed
under this title, or electronic signatures or other forms of electronic
authentication used in accordance with such procedures, shall not
be denied legal effect, validity, or enforceability because such
records are in electronic form. (GPEA, section 1707).
Section
3. Risk Factors to Consider In Planning and Implementing an
Electronic Signature or Record Keeping System.
Electronic
signature technologies can offer degrees of confidence in authenticating
identity greater even than the presence of a handwritten signature.
These digital tools should be used to control risks in a cost-effective
manner. In determining whether an electronic signature is sufficiently
reliable for a particular purpose, agencies should consider the
relationships between the parties, the value of the transaction,
and the likely need for accessible, persuasive information regarding
the transaction at some later date. Once these factors are considered
separately, an agency should consider them together to evaluate
its sensitivity to risk for a particular process.
- The
relationship between the parties. Agency transactions
fall into five general categories, each of which may be vulnerable
to different security risks:
(1) Intra-agency
transactions (i.e., those which remain within the same Federal agency).
(2)
Inter-agency transactions (i.e., those between Federal agencies).
(3)
Transactions between a Federal agency and state or local government
agencies.
(4) Transactions
between a Federal agency and a private organization - contractor,
university, non-profit organization, or other entity.
(5) Transactions
between a Federal agency and a member of the general public.
Inter-
or intra-governmental transactions of a relatively routine nature
will generally entail little risk of a trading partner later repudiating
the transaction, and almost no risk of the trading partner committing
fraud. Similarly, transactions between a regulatory agency and a
publicly traded corporation or other known entity regulated by that
agency bear a relatively low risk of repudiation or fraud. Risk
also tends to be relatively low in cases where there is an ongoing
relationship between the parties. On the other hand, a one-time
transaction between a person and an agency, which has legal or financial
implications, bears the highest risk. In all cases, the relative
value of the transaction needs to be considered.
- The
value of the transaction. Agency transactions fall
into five general categories, each of which may be vulnerable
to different security risks:
(1) Transactions
involving the transfer of funds.
(2) Transactions
where the parties commit to actions or contracts that may give rise
to financial or legal liability.
(3) Transactions
involving information protected under the Privacy Act or other agency-specific
statutes obliging that access to the information be restricted.
(4) Transactions where the party is fulfilling a legal responsibility
which, if not performed, creates a legal liability (criminal or
civil).
(5) Transactions
where no funds are transferred, no financial or legal liability
is involved and no privacy or confidentiality issues are involved
(electronic signatures are least necessary in these transactions
and should not be used unless specifically required by law or regulation).
- The
likely need for accessible, persuasive information regarding
the transaction at a later point. Agency transactions
fall into five general categories:
(1) Transactions
where the information generated will never be needed again.
(2)
Transactions where the information generated may later be subject
to audit.
(3) Transactions
where the information generated may later be subject to dispute
by one of the parties (or alleged parties) to the transaction.
(4)
Transactions where the information generated may later be subject
to dispute by a non-party to the transaction.
(5) Transactions
where the information generated may later be needed as proof in
court.
- Synthesizing
the Risk Factors
(1) To
evaluate the suitability of electronic signature alternatives for
a particular application, the agency needs to perform a qualitative
risk analysis and should then determine the particular technologies
and management controls best suited to minimizing the risk to an
acceptable level while maximizing the benefits to the parties involved.
(2) Risk analyses must recognize that no signature alternative is
totally reliable and secure. Every method of signature, whether
electronic or paper, can be compromised to some degree with enough
technology or due to poor security procedures or practices. In estimating
the cost of any system, agencies should include costs associated
with hardware, software, administration and support of the system,
both short-term and long-term. If it would be extremely expensive
to set up a very secure system, but past experience with fraud risks
and a careful analysis of those risks shows that exposure is low,
a less expensive system that deters the majority of fraud is probably
warranted. However, in making this tradeoff, agencies should:
(a)
evaluate whether the security elements of a less expensive system
can be disproportionately exploited resulting in greater exposure
to fraud than would be expected in comparable non-automated systems;
and
(b) consider management and other non-technical process controls
which could reduce those risks.
(3) A qualitative
risk analysis also should recognize that all risks and benefits
are not quantifiable. While some transactions can be assigned a
definite monetary value that may be placed at risk, many cannot.
For example, the value of deterring fraud cannot generally be quantified.
Should an agency conclude that a new automated system is less secure
than an old, paper-based system, attempts to commit fraud or to
repudiate transactions may increase. On the benefit side, it is
not always possible to assign a dollar value to the increased efficiency
that an agency experiences when it automates a labor-intensive process,
although agencies should attempt to make this estimation whenever
feasible. Usually, it is not possible to quantify in monetary terms
attitudes such as increased customer satisfaction and willingness
to cooperate with an agency, which are engendered by the transition
from onerous paper processes to user-friendly electronic processes.
(4) One advantage of electronic authentication is that an agency
may strengthen the signature validation by incorporating electronic
links between the user and preexisting data about that user in the
agency's records. The IRS has successfully adopted this approach
in its TeleFile program, which enables selected taxpayers to file
1040EZs with a touch-tone phone. Taxpayers get Customer Service
Numbers (CSNs, i.e., PINs) that they then use to sign their returns
and which help to validate their identities to the agency. Even
though a CSN is not unique to an individual taxpayer (since it is
only five digits long), the IRS authenticates the filer by using
other identifying factors, such as the taxpayer's date of birth,
taxpayer identification number, and by using additional procedures.
This approach is not used over the Internet. Rather, it occurs in
short-term connections over telephone lines, an environment where
it is comparatively difficult for malefactors to eavesdrop and to
steal information or to substitute false information for fraudulent
purposes.
(5) The
Computer Security Act places on agency managers the responsibility
to select an appropriate combination of technologies and practices
to minimize risk cost-effectively while maximizing benefits to the
agency and to its customers. These decisions, however qualitative,
should be documented for later review and adjustment.
Section
4. Privacy and Disclosure.
Section
1708 of the GPEA limits the use of information collected in electronic
signature services for communications with a Federal agency. It directs
agencies and their staff and contractor personnel not to such use information
for any purpose other than for facilitating the communication. Exceptions
exist if the person (or entity) who is the subject of the information
provides affirmative consent to the additional use of the information,
or if such additional use is otherwise provided by law. Accordingly,
agencies should follow several privacy tenets:
-
Electronic authentication should only be required where needed.
Many transactions do not need, and should not require, detailed
information about the individual.
- When
electronic authentication is required for a transaction, do not
collect more information from the user than is required for the
application.
- Users
should be able to decide the scope of their electronic means
of authentication. In other words, if a user wants a certain
mechanism for authentication to work only with a single agency
or for a single type of transaction, the user's desires should
be honored if practicable. Conversely, if the user wishes to
have the authentication work with multiple agencies or for multiple
types of transactions, that should also be permitted consistent
with how the agency employs such means of authentication and
with relevant statute and regulation.
- Agencies
should ensure, and users should be informed, that information
collected for the purpose of issuing or using electronic means
of authentication will be managed and protected in accordance
with applicable requirements under the Privacy Act, the Computer
Security Act, and any agency-specific statutes mandating the
protection of such information.
Section
5. Overview of Current Electronic Signature Technologies.
This section
addresses two categories of security: 1) Non-cryptographic methods
of authenticating identity; and 2) cryptographic control methods. The
non-cryptographic approach relies solely on an identification and authentication
mechanism linked to a specific software application. Cryptographic
controls can be used for multiple applications, if properly managed,
and encompass authentication and encryption services. A highly secure
implementation may combine both categories of technologies. The spectrum
of electronic signature technologies currently available is described
below.
- Non-Cryptographic Methods of Authenticating Identity
(1) Personal
Identification Number (PIN) or password: A user accessing
an agency's electronic application is requested to enter a "shared
secret" (called "shared" because it is known both
to the user and to the system), such as a password or PIN. When
the user of a system enters her name, she also enters a password
or PIN. The system checks that password or PIN as a shared secret
to "authenticate" the
user. If the authentication process is performed over an open
network such as the Internet, it is usually essential that at
least the shared secret be encrypted; this can be accomplished
through the technology called "Secure Sockets Layer" currently
built into almost all popular Web browsers, in a fashion that
is transparent to the end user.
(2) Smart
Card: A smart card is a plastic card the size of a credit
card which contains an embedded chip that can generate, store,
and/or process data. It can be used to facilitate various authentication
technologies. A user inserts the smart card into a card reader
device attached to a microcomputer or network input device. In
the computer, information from the card's chip is read by security
software only when the user enters a PIN, password, or biometric
identifier. This method provides greater security than use of
a PIN alone, because a user must have both a) physical possession
of the smart card and b) knowledge of the PIN. Good security
requires that the smart card and the PIN never be kept together.
Note that the PIN, password or biometric identifier in this case
is a secret shared between the user and the smart card, not between
the user and a local or remote computer.
(3) Digitized
Signature: A digitized signature is a graphical image
of a handwritten signature. Some applications require a user
to create his or her hand-written signature using a special computer
input device, such as a digital pen and pad. The digitized representation
of the entered signature is compared with a stored copy of the
graphical image of the handwritten signature. If special software
considers both images comparable, the signature is considered
valid. This application of technology shares the same security
issues as those using the PIN or password approach, because the
digitized signature is another form of shared secret known both
to the user and to the system. The digitized signature is more
reliable for authentication than a password or PIN because there
is a biometric component to the creation of the image of the
handwritten signature. Forging a digitized signature can be more
difficultn than forging a paper signature to the extent that
the technology digitally compares the submitted signature image
with the known signature image, and is better than the human
eye. Another element in a digitized signature which helps make
it unique is measuring how each stroke is made - its duration
or pen pressure, for example. This information can also be compared
to a reference value. As with all shared secret techniques, compromise
of a digitized signature image file could pose a security risk
to users.
(4) Biometrics: Individuals
have unique physical characteristics that can be converted into
digital form and then interpreted by a computer. Among these
are voice patterns (where an individual's spoken words are converted
into a special electronic representation), fingerprints, and
the blood vessel patterns present on the retina (or rear) of
one or both eyes. In this technology, the physical characteristic
is measured (by a microphone, optical reader, or some other device),
converted into digital form, and then compared with a copy of
that characteristic stored in the computer and authenticated
beforehand as belonging to a particular person. If the test pattern
and the previously stored patterns are sufficiently close (to
a degree which is usually selectable by the authenticating application),
the authentication will be accepted by the software, and the
transaction allowed to proceed. Biometric applications can provide
very high levels of authentication especially when the identifier
is obtained in the presence of a third party (making spoofing
difficult), but as with any shared secret, if the digital form
is compromised, impersonation becomes a serious risk. Thus, just
like PINs, such information should not be sent over open networks
unless it is encrypted. Moreover, measurement and recording of
a physical characteristic can raise privacy concerns.
- Cryptographic Control
Creating
electronic signatures may involve the use of cryptography in
two ways: symmetric (or shared private key) cryptography, or
asymmetric (public key/private key) cryptography. The latter
is used in producing digital signatures, discussed further below.
(1) Shared
Private Key Cryptography. In shared private key (symmetric)
approaches, the user signs a document and verifies the signature
using a single key (consisting of a long string of zeros and
ones) that is not publicly known, or is secret. Since the same
key does these two functions, it must be transferred from the
signer to the recipient of the message. This situation can undermine
confidence in the authentication of the user's identity because
the private key is shared between sender and recipient and therefore
is no longer unique to one person. Since the private key is shared
between the sender and possibly many recipients, it is really
not "private" to
the sender and hence has lesser value as an authentication mechanism.
This approach offers no additional cryptographic strength over
digital signatures (see below). Further, digital signatures avoid
the need for the shared secret.
(2) Public/Private
Key (Asymmetric) Cryptography - Digital Signatures.
(a)
To produce a digital signature, a user has his or her computer
generate two mathematically linked keys -- a private signing
key that is kept private, and a public validation key that is
available to the public. The private key cannot be deduced from
the public key. In practice, the public key is made part of a "digital
certificate,"
which is a specialized electronic document digitally signed by
the issuer of the certificate, binding the identity of the individual
to his or her private key in an unalterable fashion.
(b) A "digital
signature" is created when the owner of a private signing
key uses that key to create a unique mark (called a "signed
hash")
on an electronic document or file. The recipient employs the
owner's public key to validate the authenticity of the attached
private key. This process also verifies that the document was
not altered. Since the two keys are mathematically linked, they
are unique: only one public key will validate signatures made
using its corresponding private key. Moreover, if the private
key has been properly protected from compromise or loss, the
signature is unique to the individual who owns it, that is, the
owner is bound by the signature. One concern in relatively high-risk
transactions is that the private key owner could feign loss to
repudiate a transaction. This concern can be mitigated by encoding
the private key onto a smart card or an equivalent device, and
by using a biometric mechanism (rather than a PIN or password)
as the shared secret between the user and the smart card for
unlocking the private key to effect a signature. It can also
be addressed by agencies establishing clear procedures for a
particular implementation, so that all parties know what the
obligations, risks and consequences are.
The reliability
of the digital signature is directly proportional to the degree
of confidence one has in the link between the owner's identity
and the digital certificate, how well the owner has protected
the private key from compromise or loss, and to the cryptographic
strength of the methodology used to generate the key pair. Further
information on digital signatures can be found in Access with
Trust (http://gits-sec.treas.gov), a report published by OMB
and NPR.
- Technical Considerations of the Various Technologies
(1) While
generally the most certain method for assuring identity electronically,
use of digital signatures requires agencies to develop a series
of policies and documents which provide the important underlying
framework of trust and which facilitate the evaluation of risk.
The framework identifies how well the signer's identity is bound
to his or her public key in a digital certificate (identity proofing);
whether the private key is placed on a highly secure hardware
token or is encapsulated in software only; and how difficult
it is for a malefactor to deduce using cryptographic methods
the private key (the cryptographic strength of the key-generating
algorithm).
(2) By
themselves, digitized (not digital) signatures, PINs and biometric
identifiers do not directly bind identity to the contents of
a document. For them to do so, they must be used in conjunction
with some other mechanism. Biometric identifiers such as retinal
patterns used in conjunction with digital signatures can offer
far greater proof of identify than pen and ink signatures.
(3)
While not as robust as biometric identifiers and digital signatures,
PINs have the decidedadvantage of proven customer and citizen
acceptance, as evidenced by the universal use of PINs for automated
teller machine transactions. Such transactions, however, typically
occur over proprietary networks rather than open networks like
the Internet, where eavesdropping on transactions is much easier,
unless the messages are encrypted.
(4) It
is important to remember that technical factors are but one aspect
to be considered when an agency plans to implement electronic
signature-based applications. Other important aspects are considered
in the following sections.
Section
6. Agency Implementation of Electronic Signature and Authentication
After the
agency has conducted the risk analysis and identified an appropriate
electronic signature or other electronic authentication, the agency
will then proceed to implement this decision. In doing so, agencies
should consider the following:
- Develop
a regulatory or policy scheme. Agencies should consider
whether their programmatic regulations or policies support
the use and enforceability of electronic signature alternatives
to handwritten signatures. By clearly informing the regulated
community that electronic signatures and records will be acceptable
and used for enforcement purposes, their legal standing is
enhanced. Several agencies have already promulgated policies
and regulations making this clear, and a number are developing
them:
Securities
and Exchange Commission (17 C.F.R. Part 232), electronic regulatory
filings;
Environmental
Protection Agency (55 Fed. Reg. 31,030 (1990)), policy on electronic
reporting;
Food and
Drug Administration (21 C.F.R. Part 11), electronic signatures and
records;
Internal
Revenue Service (Treasury Reg. 301.6061-1), signature alternatives
for tax filings;
Federal
Acquisition Regulation (41 C.F.R. Parts 2 and 4), electronic contracts;
General
Services Acquisition Regulation (48 C.F.R. Part 552.216-73), electronic
orders;
Federal
Property Management Regulations (41 C.F.R. Part 101-41), electronic
bills of lading.
When specifying the requirements for using electronic record keeping by regulated
entities (particularly the maintenance of electronic forms pertaining
to employees by employers), agencies should consider the "Performance
Guideline for the Legal Acceptance of Records Produced by Information Technology
Systems," developed
by the Association for Information and Image Management (ANSI AIIM
TR31). This document provides suggestions for maximizing the likelihood that
electronically filed and stored documents will be accorded full legal recognition.
If an agency chooses to use digital signatures, a regulation may specify
that each individual will be issued a unique digital signature certificate
to use, agree to keep the private key confidential, and agree to accept responsibility
for anything that is submitted using that key, or other conditions
under which the agency will accept electronic submissions using it.
- Use
a mutually-understood, signed agreement between the person
or entity submitting the electronically-signed information
and the receiving Federal agency.
As a matter
of efficiency, arrangements with large numbers of customers would
be best accomplished by setting forth an agency's terms and conditions
in a regulation or policy. Arrangements with smaller numbers may
lend themselves to one or more agreements, using a document referred
to as a "terms and conditions" agreement. These agreements
can ensure that all conditions of submission and receipt of data
electronically are known and understood by the submitting parties.
This is particularly the case where terms and conditions are not
spelled out in agency programmatic regulations.
It is also
important to establish that the user of the digital signature or
PIN/password is fully aware of what he or she is signing at the time
of signature. This can be ensured by programming appropriate ceremonial
banners that alert the individual of the gravity of the action into
the software application. The presence of such banners can later
be used to demonstrate to a court that the user was fully informed
of and aware of what he or she was signing.
- Minimize
the likelihood of repudiation. Agencies should develop
well-documented and established mechanisms and procedures to
tie transaction in a legally binding way to an individual.
The integrity of even the most secure digital signature rests
on the continuing confidentiality of the private key, for example.
Similarly, in the case of electronic signatures based on the
use of PINs, the integrity of the transaction depends on the
user not disclosing the PIN. If a defendant is later charged
with a crime based on an electronically signed document, he
or she would have every incentive to show a lack of control
over (or loss of) the private key or PIN. Indeed, if that defendant
plans to commit fraud, he or she may intentionally compromise
the secrecy of the key or PIN, so that the government would
later be unable to link him or her to the electronic transaction.
Thus, transactions which appear to be at high risk for fraud, e.g.,
one-time high-value transactions with persons not previously known
to an agency, may require extra safeguards or may not be appropriate
for electronic transactions. One way to mitigate this risk is to
require that private keys be encoded on hardware tokens, making possession
of the token a critical requirement. Another way to guard against
fraud is to include other identifying data in the transaction that
links the key or PIN to the individual, preferably something not
readily available to others.
- Access
to the electronic data, after receipt, needs to be carefully
controlled yet available in a meaningful and timely fashion. Security
measures should be in place that ensure that no one is able
to alter a transaction, or substitute something in its place,
once it has been received by the agency. Thus, the receiving
agency needs to take prudent steps to control access to the
electronic transaction through such methods as limiting access
to the computer database containing the transaction, and performing
processing with the data using copies of the transaction rather
than the original. Moreover, the information may be needed
for audits, disputes, or court cases many years after the transaction
itself took place. Agencies should make plans for storing data,
and providing meaningful and timely access to it for as long
as such access will be necessary.
- Ensure
the "Chain of Custody." Electronic audit trails
must provide a chain of custody for the secure electronic transaction
that identifies sending location, sending entity, date and time
stamp of receipt, and other measures used to ensure the integrity
of the document. These trails must be sufficiently complete and
reliable to validate the integrity of the transaction and to prove
that, a) the connection between the submitter and the receiving
agency has not been tampered with, and b) how the document was
controlled upon receipt.
- Provide
an acknowledgment of receipt. The agency's system for
receiving electronic transactions may be required by statute to
have a mechanism for acknowledging receipt of transactions received,
and acknowledging confirmation of transactions sent, with specific
indication of the party with whom the agency is dealing.
- Obtain
legal counsel during the design of the system. Collection
and use of electronic data may raise legal issues, particularly
if it is information that bears on the legality of the process
or that may eventually be needed for proof in court.
Section
7. Summary of the Procedures and Checklist.
To summarize
the process which agencies should employ to evaluate authentication
mechanisms (electronic signatures) for electronic transactions and
documents, the following steps apply:
- Examine
the current business process that is being converted to employ electronic
documents or transactions, identifying the existing risks associated
with fraud, error or misuse, as well as customer needs and demands.
- Consider
what risks may arise from the use of electronic transactions or documents.
This evaluation should take into account the relationships of the
parties, the value of the transactions or documents, and the later
need for the documents.
- Identify
the benefits that accrue from the use of electronic transactions
or documents.
- Consult
with counsel about any specific legal implications about the use
of electronic transactions or documents in the particular application.
- Evaluate
how each electronic signature alternative may minimize risk compared
to the costs incurred in adopting an alternative.
- Determine
whether any electronic signature alternative in conjunction with
appropriate process controls represents a practicable trade-off between
cost and risk on the one hand, and benefits on the other. If so,
determine, to the extent possible at the time, which signature alternative
is the best one. Document this determination to allow later evaluation
and audit.
- Develop
plans for retaining and disposing of information, ensuring that it
can be made continuously available to those who will need it, for
managerial control of sensitive data and accommodating changes in
staffing, and for ensuring adherence to these plans.
- Determine
if regulations or policies are adequate to support electronic transactions
and record keeping, or if "terms and conditions"
agreements are appropriate for the particular application.
- Develop
plans for seeking the continuing input of technology experts for
updates on the changing state of technology and the continuing advice
of legal counsel for updates on the changing state of the law in
these areas.
- Integrate
these plans into the agency's strategic IT planning and regular reporting
to OMB.
- Perform
periodic review and re-evaluation, as appropriate.