[Federal Register Volume 62, Number 68 (Wednesday, April 9, 1997)]
[Notices]
[Page 17187]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 97-9092]


-----------------------------------------------------------------------

ENVIRONMENTAL PROTECTION AGENCY

[FRL-5808-3]


Federal Information Processing Standards Waiver

ACTION: Notice of FIPS waiver.

-----------------------------------------------------------------------

SUMMARY: The Chief Information Officer for the Environmental Protection 
Agency has granted a waiver to the Agency to use the RSA 
cryptographical features provided in Lotus Notes in lieu of the Secure 
Hashing Standard (FIPS PUB 180-1), Digital Signature Standard (FIPS PUB 
186), and Data Encryption Standard (FIPS PUB 46-2). This waiver is 
pursuant to section 111(d)(3) of the Federal Property and Services Act 
of 1949, as amended.

DATES: The waiver takes effect on March 21, 1997 and is valid until 
January 1, 1999. If the vendor incorporates Federal standards into the 
core product prior to January 1, 1999, EPA will end the waiver early at 
that time.

FOR FURTHER INFORMATION CONTACT: Paul Wohlleben, Office of Information 
Resources Management, 401 M Street SW (3401), Washington, DC 20460, 
202-260-4465.

SUPPLEMENTARY INFORMATION: Federal Information Processing Standards 
publications (FIPS PUBS) for the Secure Hashing Standard (FIPS PUB 180-
1), Digital Signature Standard (FIPS PUB 186), and the Data Encryption 
Standard (FIPS PUB 46-2) establish standards for generating digital 
signatures (which can be used to verify authenticity) and for the 
encryption of sensitive information transmitted and stored 
electronically. These FIPS publications also allow Federal agencies to 
waive them under certain circumstances:

    A waiver may be granted if compliance with a standard would 
adversely affect the accomplishment of the mission of an operator of 
a Federal computer system; or compliance with a standard would cause 
a major financial impact on the operator which is not offset by 
Government-wide savings.

    The Chief Information Officer for the Environmental Protection 
Agency (EPA) has granted a waiver of FIPS PUBS 180-1, 186, and 46-2 to 
enable EPA to use the built-in cryptographical features of the 
groupware product Lotus Notes. The installed version of Lotus Notes, 
currently used by EPA, does not employ FIP standard cryptography. 
Rather it uses cryptography that enjoys widespread use in the private 
sector, domestically and internationally. This cryptography is Message 
Digest 2 (MD-2), the Rivest, Shamir, and Adelman (RSA) signature 
algorithm, and RC-4 symmetric encryption algorithm.
    EPA determined that the cryptographic protection embedded in Lotus 
Notes provides an appropriate level of security to protect the 
unclassified information used, communicated, and stored by EPA. Upon 
reviewing RSA's cryptographic capabilities, Agency personnel have 
concluded that if properly implemented, Lotus Notes provides a full 
range of security functionality that fully satisfies Agency 
requirements.
    The additional costs required to purchase and maintain FIPS-
compliant products that provide equivalent security functionality as 
that provided by non-standard, but commercially acceptable cryptography 
found in Lotus Notes is a significant factor underlying the granting of 
this waiver. The acquisition costs for either software- or hardware-
based products that implement existing Federal cryptographic standards 
are unnecessary. By using the cryptography embedded in Lotus Notes, EPA 
is able to avoid unnecessary costs, while utilizing security 
functionality widely accepted by the public and private sectors.
    In accordance with FIPS requirements, notice of this waiver has 
been sent to the National Institute of Standards and Technology, the 
Committee on Government Reform and Oversight of the House of 
Representatives, and the Committee on Governmental Affairs of the 
Senate.

    Dated: March 21, 1997.
Alvin M. Pesachowitz,
Acting Assistant Administrator and Chief Information Officer.
[FR Doc. 97-9092 Filed 4-8-97; 8:45 am]
BILLING CODE 6560-50-P