[Federal Register Volume 63, Number 108 (Friday, June 5, 1998)]
[Notices]
[Pages 30794-30795]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-14902]


=======================================================================
-----------------------------------------------------------------------

SOCIAL SECURITY ADMINISTRATION


The Chief Information Officer of the Social Security 
Administration Grants to the Social Security Administration a Waiver 
From the Use of Certain Federal Information Processing Standards

AGENCY: Social Security Administration (SSA).

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Chief Information Officer of the Social Security 
Administration grants to SSA a waiver from the use of the following 
Federal Information Processing Standards (FIPS):
    1. The Secure Hashing Standard (FIPS 180-1);
    2. The Digital Signature Standard (FIPS 186); and
    3. The Data Encryption Standard (FIPS 46-2).
    This waiver is granted pursuant to authority granted to the 
Secretary of Commerce by 40 U.S.C. section 1441, and delegated to the 
Commissioner of Social Security in the above referenced FIPS 
Publications. This authority was redelegated by the Commissioner of 
Social Security to the Agency's Chief Information Officer. This waiver 
is granted to allow SSA to use commercial off-the-shelf cryptographic 
products such as those produced by RSA Data Security, Inc., in lieu of 
products conforming with the above-cited FIPS.

DATES: This waiver was effective January 26, 1998, and will remain in 
effect until the commercial off-the-shelf cryptographic products 
selected by SSA come under a FIPS or until it is rescinded by the 
Agency's Chief Information Officer.

FOR FURTHER INFORMATION CONTACT: Joan Hash, Systems Security Officer, 
Social Security Administration, Room 3206 Annex Building, 6401 Security 
Boulevard, Baltimore, Maryland 21235. Phone (410) 965-2765.

SUPPLEMENTARY INFORMATION: The FIPS cited above establish Federal 
standards for generating digital signatures, encrypting sensitive 
information transmitted over open networks such as the Internet, and 
storing this information electronically. Each of the cited FIPS also 
allows the heads of Federal Agencies to waive the use of the FIPS if 
certain conditions are met.
    A waiver shall be granted by an Agency head only when:
    a. Compliance with a standard would adversely affect the 
accomplishment of the mission of an operator of a Federal computer 
system, or
    b. Cause a major adverse financial impact on the operator that is 
not offset by Government-wide savings.
    The Agency's Chief Information Officer has determined that 
compliance with the referenced FIPS would adversely affect the 
accomplishment of the mission of the SSA and accordingly has granted a 
waiver from the use of the referenced FIPS.
    SSA has a customer base of over 260,000,000 people, including 
individuals, businesses, small employers, organizations, and other 
Federal, State, and local government agencies. To accomplish the 
mission of serving these customers cost effectively, SSA is pursuing 
the use of electronic service delivery technologies, including the 
Internet.
    SSA has found that an increasingly large number of its customers 
prefer to work with the Agency directly through Internet services. To 
effectively serve them, SSA must use commercially accepted and 
available off-the-shelf products. The above referenced FIPS provide for 
the use of products which have not gained wide acceptance commercially, 
and these standards are not incorporated in commercial off-the-shelf 
products. Notably, the Internet Browsers published by MICROSOFT and 
NETSCAPE, together representing 93% of the publicly used browsers, do 
not use the algorithms published in the referenced FIPS.
    Therefore, SSA is granted a waiver from the use of the 
cryptographic requirements contained in the referenced FIPS in order to 
allow the Agency to use commercially available and accepted 
off-the-shelf products.
    In accordance with FIPS requirements, notice of this waiver will be 
sent to the National Institute of Standards and Technology, the 
Committee on Government Reform and Oversight of the House of 
Representatives, and the Committee on Governmental Affairs of the 
Senate.

    Dated: January 26, 1998.
John R. Dyer,
Chief Information Officer, Social Security Administration.
[FR Doc. 98-14902 Filed 6-4-98; 8:45 am]
BILLING CODE 4190-29-P