GSA Pilot Tests Paperless Federal Transactions Program

GSA #9395

March 31, 1997
Contact: Bill Bearden
202-501-1231
Internet: bill.bearden@gsa.gov
or Judith Spencer
202-708-5600

As part of the government's continuing effort to provide enhanced services to the citizen, David J. Barram, U.S. General Services Administration's Acting Administrator, today announced the delivery of hardware and software security tools to Johns Hopkins University Applied Physics Laboratory (JHUAPL) to begin pilot testing of certificate based access control.

The concept was developed in support of the "Paperless Federal Transactions for the Public" pilot program, and marks the beginning of testing of a public key infrastructure to allow citizens to perform paperless business with the Federal government.

JHUAPL is assisting the Department of Transportation's Office of Motor Carriers develop a secure link on the worldwide web which will allow driver's of commercial vehicles access to their own commercial driving records. This is the first of six government programs targeted for testing under this one-year pilot program.

In making this announcement Mr. Barram said, "This effort could not have succeeded without the enthusiastic support of Federal agencies and partnership of industry representatives. GSA is pleased to be part of an effort which will result in a more 'citizen friendly' government."

Other agencies participating in pilots are DOT Federal Transit Administration, GSA Federal Acquisition Services for Technology (FAST) Program, GSA Post Federal Telecommunications Services 2001 Project, Government Printing Office, and National Security Telecommunications and Information Systems Security Committee.

Each pilot participant will be issued a hardware token that resembles a 3.5-inch floppy diskette. Each token will contain a certificate identifying the individual and a public/private key pair unique to the individual. With this token, the participant will be able to access a secure server, then exchange certificates in order to verify each other's identity, then an encrypted connection will be established and the digitally signed data exchanged.

In order to make this pilot a reality, the SI-PMO developed a plug-and-play concept and approached industry to participate in providing products that meet Federal Standards for digital signature and encryption. Several companies signed up and worked with each other and the SI-PMO to solve interoperability problems. Four key participants are: Atalla (a Tandem Company), CygnaCom Solutions, Fischer International, and Frontier Technologies. Additional industry partnerships have been established with Banyan Vines, Information Security Corporation, SAIC, and Trusted Information Systems to provide unique related hardware and software solutions.

As a result, the SI-PMO can now demonstrate public key infrastructure security services utilizing the Fischer SmartDisk, the Frontier secure web browser and the Atalla WebSafe.

Established in April 1995, the SI-PMO is hosted by the General Services Administration and co-chaired by GSA and DOD; participating agencies include the Department of the Treasury, Department of Agriculture, National Security Agency, and U.S. Postal Service. The office is tasked with the development of an Information Security Infrastructure providing requisite security services for the modernization of the Federal Government's information management processes.

# # #

_________________________________________________________________

Project Background Information

The Paperless Federal Transactions for the Public Project

The SI-PMO, an interagency initiative chartered by the General Services Administration and the Department of Defense has set up industry partnerships to deliver COTS (commercial off-the-shelf) products in support of a certificate-based, public key infrastructure utilizing a hardware token, providing users with the ability to send and receive data over the worldwide web that is protected from interception and non-reputable.

Established in April 1995, the SI-PMO is hosted by GSA and co-chaired by GSA and DOD. Participating agencies include the Department of the Treasury, Department of Agriculture, National Security Agency, and U.S. Postal Service. It is tasked with the development of an Information Security Infrastructure providing requisite security services for the modernization of the Federal Government's information management processes. More specific goals, as identified in its implementing charter, are that "the SI-PMO, working with individual agencies, will design pilots, coordinate implementations across agencies, and promote the use of an information security infrastructure within government."

This initial pilot is based on Vice President Gore's vision in the National Performance Review initiative IT10:

"Imagine this: A Business woman walks into a post office, presents a picture ID, and is given a "public key." Using this key card, she electronically signs a federal contract and transmits it over the National Information Infrastructure to a contracting agency. This transaction is valid, secure and paperless."

The Paperless Federal Transactions For The Public pilot, anticipated to be one year in duration, is a proof-of-concept initiative that will allow citizens to perform paperless business with the Federal Government. Each participant is issued a hardware token that resembles a 3.5-inch floppy diskette which contains a certificate identifying the individual and a public/private key pair unique to the individual. With this token, the participant is able to access a secure server, they then exchange certificates in order to verify each other's identity. Once identity verification is complete, an encrypted connection is established and the digitally signed data is exchanged.

In order to make this pilot a reality, the SI-PMO developed a plug-and-play concept and approached industry to participate in providing products that meet Federal Standards for digital signature and encryption. Several companies signed up and worked with each other and the SI-PMO to solve interoperability problems. Four key participants are profiled below:

Atalla

Atalla (a Tandem Company), located in San Jose, California, brings nearly 25 years of experience securing electronic commerce over banking ATM/EFT networks. The company's products include industry-leading hardware-based security processors for the Internet, Intranet and the bank transfer networks, POS/POE (point-of-sale/point-of-entry) credit/debit payment terminals, customer authorization and PIN selection terminals, and secure enrollment products for banking, retailing and government applications. An estimated 70 percent of all ATM transactions in North America (estimated value: $1.4 trillion daily) are secured by Atalla's specialized processor products. Atalla is contributing specialized high-performance cryptographic processing technology to support the FSI's Paperless project goal of securing paperless federal transactions for all U.S. citizens using a unique and flexible secure system architecture.

CygnaCom Solutions

CygnaCom Solutions is a small high-technology company located in McLean, Virginia, that specializes in information security. CygnaCom has extensive experience and expertise in design and implementation of public key cryptography applications and associated certification authorities and public key infrastructures. CygnaCom also operates the NIST accredited CEAL laboratory to validate cryptographic modules for compliance with FIPS 140-1. CygnaCom developed the SI-PMO Certificate Authority (CA) for the Windows NT platform and the registration workstation that runs on a Windows 95 platform . The CA generates version 3 certificates and offers on-line certificate and certificate status access. The CA uses the Atalla hardware cryptographic module for signature and verification functions.

Fischer International

Fischer International Systems Corporation (FISC) is a leading supplier of solutions for secure Electronic Commerce. The company, founded in 1982 and located in Naples, Florida, serves government and businesses worldwide with a family of enterprise-wide office automation and security products and services. Among the company's offerings are the advanced family of SmartDiskTM products: SafeBoot+TM for two-factor access control for laptops and PCs, Crypto SmartDiskTM for encryption and digital signatures, as well as two soon-to-be-released products, SmartyTM smart card reader and FlashPathTM flash memory reader. Crypto SmartDisk is the world's first intelligent security token housed in a floppy disk-sized device. For its role in the Paperless Pilot, FISC enhanced the token to support Diffie-Helman and PKCS#11. Crypto SmartDisk also supports RSA and DSA for encryption and digital signatures.

Frontier Technologies Corporation

Frontier Technologies' mission is to pioneer Internet and Intranet applications that make individuals more productive and businesses more competitive in a global market. Frontier Technologies Corporation, located in Mequon, Wisconsin, is a proven technology leader in Internet and Intranet networking applications for Microsoft Windows, Windows 95 and Windows NT environments. They have contributed significant new technology development, products, publicity efforts, and other assistance to help further the goals of the Pilot. Specifically, they have developed the secure World Wide Web browser and the secure World Wide Web server necessary to enable the public to access personal credentials through personal computers or government kiosks. Their Internet security architecture protects the privacy of transactions between the public and the Federal Government through verification of both the sender and the recipient at both the client and server ends.

Additional industry partnerships were established with Banyan Vines, Information Security Corporation, SAIC, and Trusted Information Systems to provide unique related hardware and software solutions.

As a result, the SI-PMO can now demonstrate public key infrastructure security services utilizing the Fischer SmartDisk, the Frontier secure web browser and the Atalla WebSafe.

Once it was established that the concept was viable, pilot participants were sought within the Federal Government. Six Government organizations agreed to participate in the pilot which will be operational in early 1997. The SI-PMO provided each participant with a secure server and up to 300 hardware tokens and web browsers. Each organization is responsible for developing its own application. In addition to the Department of Transportation, Office of Motor Carriers, participating agencies are as follows:

The Department of Transportation, Federal Transit Administration. This agency provides grants to state and local governments and transit agencies in the form of capital and operating assistance supporting public transit systems. The secure web will be used to facilitate electronic grant processing.
The General Services Administration's Federal Acquisition Services for Technology (FAST) Program. The FAST Program is a rapid procurement, cost reimbursable GSA buying service managed by GSA for use by Federal Agencies. Buying offices are located at GSA's Central Office and in each GSA region. Federal Agencies may use any GSA buying office. FAST will utilize the secure web to accept proposals.
The General Services Administration's Post Federal Telecommunications Services 2001 Project (FTS2001). This next generation of Federal Telecommunications Services is conducting a feasibility study on use of the electronic based secure technology developed by the FSI for RFP distribution and proposal submissions.
The Government Printing Office. This office will begin preparing the Commerce Business Daily for on-line dissemination via the Internet and producing camera copy to facilitate print distribution. It will be accepting CBD announcements from Federal Procurement Personnel via the Internet. Their involvement in the pilot project will be to investigate the feasibility of accepting secure transactions for inclusion in this and other publications.
The National Security Telecommunications and Information Systems Security Committee. The Information Assurance Issues Group of the NSTISSC is participating in order to provide secure web access to its members for sharing and accessing information.

Once the pilot is operational, the SI-PMO will be able to identify additional issues and obstacles and develop solutions. They will then address the transition from pilot to a fully operational and seamless public key infrastructure.

The SI-PMO is planning a Paperless Project Conference in the near future to allow press, public, and vendors an opportunity to view a demonstration of the technology and learn more about the project, its participants and the industry partners. A press announcement and invitations will precede the event.

# # #