[Federal Register Volume 64, Number 43 (Friday, March 5, 1999)]
[Notices]
[Pages 10896-10902]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-5409]



[[Page 10895]]

_______________________________________________________________________

Part VI





Office of Management and Budget





_______________________________________________________________________



Management of Federal Information Resources; Notice

  Federal Register / Vol. 64, No. 43 / Friday, March 5, 1999 / 
Notices  

[[Page 10896]]



OFFICE OF MANAGEMENT AND BUDGET


Management of Federal Information Resources

AGENCY: Office of Management and Budget, Executive Office of the 
President.

ACTION: Proposed Implementation of the Government Paperwork Elimination 
Act.

-----------------------------------------------------------------------

SUMMARY: The Office of Management and Budget (OMB) requests public and 
agency comment on proposed procedures and guidance to implement the 
Government Paperwork Elimination Act (GPEA). Under the GPEA, agencies 
must generally provide for the optional use and acceptance of 
electronic documents and signatures, and electronic record keeping 
where practicable, by October 2003.

DATES: Persons who wish to comment on the GPEA procedures and guidance 
should submit their comments no later than July 5, 1999. Each 
Department and Agency is asked to submit a single coordinated set of 
comments.

ADDRESSES: Electronic comments will be included as part of the official 
record. Please send comments electronically to: [email protected]. 
Alternatively, hardcopy comments may be addressed to: Information 
Policy and Technology Branch, Office of Information and Regulatory 
Affairs, Office of Management and Budget, Room 10236 New Executive 
Office Building, Washington, D.C. 20503.

ELECTRONIC AVAILABILITY: This document is available on the Internet in 
the OMB library of the ``Welcome to the White House'' home page, http:/
/www.whitehouse.gov/WH/EOP/OMB/, the CIO Council's home page, http://
cio.gov, and at the Government Information Technology Services Board's 
security home page at http://gits-sec.treas.gov.

FOR FURTHER INFORMATION CONTACT: Peter Weiss, Information Policy and 
Technology Branch, (202) 395-3630. Press inquiries should be addressed 
to the OMB Communications Office, (202) 395-7254.

SUPPLEMENTARY INFORMATION: Public confidence in the security of the 
government's electronic information and information technology is 
essential in creating government services that are more accessible, 
efficient, and easy to use. Electronic commerce, electronic mail, and 
electronic benefits transfer sensitive information within government, 
between the government and private industry or individuals, and among 
governments. These electronic systems must protect the information's 
confidentiality, assure that the information is not altered in an 
unauthorized way, and be available when needed. A corresponding policy 
and management structure must support these protections.
    In a major step in this direction, the Congress recently enacted 
legislation, supported by the Administration, intended to increase the 
ability of citizens to interact with the Federal government 
electronically. The Government Paperwork Elimination Act, Title XVII of 
Pub. L. 105-277, provides for Federal agencies, by October 21, 2003, to 
give persons who are required to maintain, submit, or disclose 
information the option of doing so electronically when practicable as a 
substitute for paper, and to use electronic authentication (electronic 
signature) methods to verify the identity of the sender and the 
integrity of electronic content. The Act specifically provides that 
electronic records and their related electronic signatures are not to 
be denied legal effect, validity, or enforceability merely because they 
are in electronic form.
    OMB's proposed implementation of the Act is in two parts. The first 
part sets forth the policies and procedures for implementing the Act, 
and requesting certain specific agencies to provide assistance in 
particular areas. The second part is intended to provide Federal 
managers with practical implementation guidance.
    OMB requests comments on the proposed procedures and guidance.
Donald Arbuckle,
Deputy Administrator and Acting Administrator, Office of Information 
and Regulatory Affairs.

Proposed OMB Procedures and Guidance on Implementing the Government 
Paperwork Elimination Act

    This provides Executive agencies with the guidance needed to 
implement the Government Paperwork Elimination Act (GPEA), Pub. L. 105-
277, Title XVII, which took effect on October 21, 1998. The GPEA is an 
important tool to fulfill the Administration's vision of improved 
customer service and governmental efficiency through the use of 
information technology. This vision, articulated in Vice President 
Gore's 1997 report, Access America (http://gits.gov), involves 
widespread use of the Internet, with Federal agencies transacting 
business electronically, in the same way as commercial enterprises. 
Those who wished to do business in this way could avoid traveling to 
government offices, waiting in line, or mailing paper forms. Delivery 
of government services in this way would normally save the government 
time and money as well.
    Access America recognized, however, that:
    Public confidence in the security of the government's electronic 
information and information technology is essential to creating 
government services that are more accessible, efficient, and easy to 
use. Electronic commerce, electronic mail, and electronic benefits 
transfer sensitive information within government, between governments 
and private industry or individuals, and among governments. These 
electronic systems must protect the information's confidentiality, 
assure that the information is not altered in an unauthorized way, and 
be available when needed.

Part I. Policy and Procedures

Section 1. Policy

    The GPEA charges the Office of Management and Budget, in 
consultation with the Commerce Department and other appropriate 
entities, with the development of procedures for Executive agencies to 
follow in using and accepting electronic documents and signatures. 
These procedures reflect and are to be executed with due consideration 
of the following policies:
    a. Maintaining compatibility with standards and technology for 
electronic signatures generally used in commerce and industry and by 
State governments;
    b. not inappropriately favoring one industry or technology;
    c. ensuring that electronic signatures are as reliable as is 
appropriate for the purpose in question and that electronic record 
keeping systems reliably preserve the information submitted;
    d. providing wherever appropriate for the electronic acknowledgment 
of electronic filings that are successfully submitted; and
    e. providing, to the extent feasible and appropriate, for multiple 
methods of electronic signatures or identifiers for the submission of 
such forms where the agency anticipates receipt of 50,000 or more 
electronic submittals of a particular form.

Section 2. Procedures

    a. The GPEA recognizes that adoption of electronic systems should 
be consistent with the need to ensure that investments in information 
technology are economically prudent to accomplish the agency's mission 
and give due regard to privacy and security.

[[Page 10897]]

Moreover, it is Administration policy that a decision to not allow the 
option of electronic filing and record keeping should be supported by a 
specific showing that, in the context of a particular application, 
there is no reasonably cost-effective combination of technologies and 
management controls that can minimize the risk of significant harm. 
Accordingly, agencies should develop and implement plans to use and 
accept documents in electronic form, and engage in electronic 
transactions.
    b. An agency's determination of which technology is appropriate for 
a given transaction must include a risk assessment, and an evaluation 
of targeted customer or user needs. Performing a risk assessment to 
evaluate electronic signature alternatives should not be viewed as an 
isolated activity or an end in itself. These agency risk assessments 
should draw from and feed into the interrelated requirements of the 
Paperwork Reduction Act, the Computer Security Act, the Government 
Performance and Results Act, the Clinger-Cohen Act, the Federal 
Managers Financial Integrity Act, and the Chief Financial Officers Act.
    c. The initial use of the risk assessment is to identify and 
mitigate risks in the context of available technologies and their 
relative total costs and effects on the program being analyzed. The 
assessment also should be used to develop baselines and verifiable 
performance measures that track the agency's mission, strategic plans, 
and tactical goals.
    d. The analysis of costs and benefits should be designed so that it 
can be used, not only as a guide to selecting among the technologies 
under consideration, but also to generate a business case and 
verifiable return on investment to support decisions regarding overall 
programmatic direction, investment decisions, and budgetary priorities. 
The effects on the public and its needs and readiness to move to an 
electronic environment are important considerations.

Section 3. Agency Responsibilities

    a. In order to ensure a smooth and cost-effective transition to a 
more electronic government providing improved service to the public, 
each agency shall:
    1. Include in its strategic IT plans supporting program 
responsibilities (required under OMB Circular A-11) a summary of the 
agency's schedule to implement optional electronic maintenance, 
submission, or disclosure of information when practicable as a 
substitute for paper, including through the use of electronic 
signatures when practicable, by the end of Fiscal Year 2003 (note: 
agencies need not revise their reports on Federal purchasing and 
payment already required by OMB M-99-02, but should include the 
automation of purchasing and payment functions in their schedule);
    2. consider whether an appropriate combination of information 
security practices, authentication technologies and management controls 
for each application will be practicable, and if so, which combination 
will minimize risk and maximize benefits in a cost effective manner;
    3. promulgate or amend regulations or policies as necessary and 
appropriate to: (1) Implement optional electronic submission, 
maintenance, or disclosure of information, and the use of any necessary 
electronic signature alternatives; and (2) permit private employers who 
have record keeping responsibilities imposed by the Federal government 
to electronically store and file information pertaining to their 
employees electronically;
    4. maintain appropriate information system confidentiality and 
security in accordance with the guidance contained OMB Circular A-130, 
Appendices I and III, and use, to the maximum extent practicable, 
technologies either prescribed in Federal Information Processing 
Standards promulgated by the Secretary of Commerce or supported by 
voluntary consensus standards as defined in OMB Circular A-119;
    5. provide, to the extent feasible and appropriate, more than one 
electronic signature option for public reporting forms which are 
collected annually in electronic form from more than 50,000 
respondents; and
    6. report progress against the strategic plans developed in 
response to 1. above through the annual agency reports submitted to OMB 
under the Paperwork Reduction Act, including any determination that a 
particular application is inappropriate for conversion to electronic 
filing.
    (b) Department of Commerce.
    The Department of Commerce shall promulgate Federal Information 
Processing Standards as appropriate to further the specific goals of 
the GPEA. The Department should also develop best practices in the area 
of authentication technologies and implementations, including 
cryptographic digital signature technology, with assistance from the 
Government Information Technology Services Board, the Chief Information 
Officers Council and the President's Management Council.
    (c) Department of the Treasury.
    The Department of the Treasury shall prescribe policies and 
practices for the use of electronic authentication techniques in 
Federal payments and collections, and ensure that they fulfill the the 
goals of GPEA.
    (d) Department of Justice.
    The Department of Justice shall develop and publish practical 
guidance on legal considerations related to agency use of electronic 
filing and record keeping.
    (e) General Services Administration.
    The General Services Administration shall support agencies' 
implementation of electronic signatures and related electronic service 
delivery.

Part II. Paperwork Elimination Through the Use of Electronic 
Signatures and Electronic Record Keeping

    This part provides Federal managers with basic information to 
assist in planning for an orderly and efficient transition to 
electronic government. Agencies should begin their planning promptly to 
ensure compliance with the timetable in the GPEA.

Section 1. Introduction and Background

    a. As required by the Government Paperwork Elimination Act (GPEA), 
this Part provides guidance for agencies to use in deciding whether to 
use electronic signature technology for an application, which 
electronic signature technology may be most appropriate, and how to 
minimize the risk of fraud, error, or misuse when implementing an 
electronic signature technology to authenticate electronic 
transactions. These procedures are consistent with the requirement of 
the Paperwork Reduction Act of 1995 (PRA) that agencies shall 
``consistent with the Computer Security Act of 1987 (CSA)(40 U.S.C. 759 
note), identify and afford security protections commensurate with the 
risk and magnitude of the harm resulting from the loss, misuse, or 
unauthorized access to or modification of information collected or 
maintained by or on behalf of an agency.'' 44 U.S.C. 3506(g)(3).
    b. As the GPEA, PRA, and CSA recognize, the goal of information 
security is to protect the integrity of electronic records and 
transactions. Different security approaches offer varying levels of 
assurance in an electronic environment. Among these approaches (in an 
ascending level of assurance) are (1) the so-called ``shared secrets'' 
methods, e.g., personal identification numbers or passwords, (2) 
digitized signatures or biometric means of identification such as 
fingerprints or retinal patterns and voice recognition,

[[Page 10898]]

and (3) digital signatures. Combinations of approaches (e.g., digital 
signatures with biometrics) are also possible and may provide even 
higher levels of assurance. Deciding which to use in an application 
depends upon the risks associated with the loss, misuse or compromise 
of the information compared to the cost and effort associated with 
deploying and managing the increasingly secure methods to mitigate 
those risks. Agencies must strike a balance, recognizing that achieving 
absolute security is likely to be in most cases highly improbable and 
prohibitively expensive.

Section 2. What Is an ``Electronic Signature?''

    a. The GPEA defines ``electronic signature'' as follows:

    A method of signing an electronic message that--
    (A) Identifies and authenticates a particular person as the 
source of the electronic message; and
    (B) Indicates such person's approval of the information 
contained in the electronic message. (GPEA, section 1709(1)).

    This definition should be interpreted by reference to accepted 
legal definitions of signatures. The term ``signature'' has long been 
understood as including ``any symbol executed or adopted by a party 
with present intention to authenticate a writing.'' (Uniform Commercial 
Code, 1-201(39)(1970)). These flexible definitions permit the use of 
different electronic signature technologies, such as digital 
signatures, digitized signatures or biometrics, discussed below. For 
this reason, while it is the case that, for historical reasons, the 
Federal Rules of Evidence are tailored to the admissibility of paper-
based evidence, the Rules of Evidence have no bias against electronic 
evidence.
    b. In enacting the GPEA, Congress addressed the legal effect and 
validity of electronic signatures or other electronic authentication:

    Electronic records submitted or maintained in accordance with 
procedures developed under this title, or electronic signatures or 
other forms of electronic authentication used in accordance with 
such procedures, shall not be denied legal effect, validity, or 
enforceability because such records are in electronic form. (GPEA, 
section 1707).

Section 3. Risk Factors To Consider In Planning and Implementing an 
Electronic Signature or Record Keeping System

    Electronic signature technologies can offer degrees of confidence 
in authenticating identity greater even than the presence of a 
handwritten signature. These digital tools should be used to control 
risks in a cost-effective manner. In determining whether an electronic 
signature is sufficiently reliable for a particular purpose, agencies 
should consider the relationships between the parties, the value of the 
transaction, and the likely need for accessible, persuasive information 
regarding the transaction at some later date. Once these factors are 
considered separately, an agency should consider them together to 
evaluate its sensitivity to risk for a particular process.
    a. The relationship between the parties. Agency transactions fall 
into five general categories, each of which may be vulnerable to 
different security risks:
    (1) Intra-agency transactions (i.e., those which remain within the 
same Federal agency).
    (2) Inter-agency transactions (i.e., those between Federal 
agencies).
    (3) Transactions between a Federal agency and state or local 
government agencies.
    (4) Transactions between a Federal agency and a private 
organization--contractor, university, non-profit organization, or other 
entity.
    (5) Transactions between a Federal agency and a member of the 
general public.
    Inter- or intra-governmental transactions of a relatively routine 
nature will generally entail little risk of a trading partner later 
repudiating the transaction, and almost no risk of the trading partner 
committing fraud. Similarly, transactions between a regulatory agency 
and a publicly traded corporation or other known entity regulated by 
that agency bear a relatively low risk of repudiation or fraud. Risk 
also tends to be relatively low in cases where there is an ongoing 
relationship between the parties. On the other hand, a one-time 
transaction between a person and an agency, which has legal or 
financial implications, bears the highest risk. In all cases, the 
relative value of the transaction needs to be considered.
    b. The value of the transaction. Agency transactions fall into five 
general categories, each of which may be vulnerable to different 
security risks:
    (1) Transactions involving the transfer of funds.
    (2) Transactions where the parties commit to actions or contracts 
that may give rise to financial or legal liability.
    (3) Transactions involving information protected under the Privacy 
Act or other agency-specific statutes obliging that access to the 
information be restricted.
    (4) Transactions where the party is fulfilling a legal 
responsibility which, if not performed, creates a legal liability 
(criminal or civil).
    (5) Transactions where no funds are transferred, no financial or 
legal liability is involved and no privacy or confidentiality issues 
are involved (electronic signatures are least necessary in these 
transactions and should not be used unless specifically required by law 
or regulation).
    c. The likely need for accessible, persuasive information regarding 
the transaction at a later point. Agency transactions fall into five 
general categories:
    (1) Transactions where the information generated will never be 
needed again.
    (2) Transactions where the information generated may later be 
subject to audit.
    (3) Transactions where the information generated may later be 
subject to dispute by one of the parties (or alleged parties) to the 
transaction.
    (4) Transactions where the information generated may later be 
subject to dispute by a non-party to the transaction.
    (5) Transactions where the information generated may later be 
needed as proof in court.
    d. Synthesizing the Risk Factors.
    (1) To evaluate the suitability of electronic signature 
alternatives for a particular application, the agency needs to perform 
a qualitative risk analysis and should then determine the particular 
technologies and management controls best suited to minimizing the risk 
to an acceptable level while maximizing the benefits to the parties 
involved.
    (2) Risk analyses must recognize that no signature alternative is 
totally reliable and secure. Every method of signature, whether 
electronic or paper, can be compromised to some degree with enough 
technology or due to poor security procedures or practices. In 
estimating the cost of any system, agencies should include costs 
associated with hardware, software, administration and support of the 
system, both short-term and long-term. If it would be extremely 
expensive to set up a very secure system, but past experience with 
fraud risks and a careful analysis of those risks shows that exposure 
is low, a less expensive system that deters the majority of fraud is 
probably warranted. However, in making this tradeoff, agencies should: 
(a) Evaluate whether the security elements of a less expensive system 
can be disproportionately exploited resulting in greater exposure to 
fraud than would be expected in

[[Page 10899]]

comparable non-automated systems; and (b) consider management and other 
non-technical process controls which could reduce those risks.
    (3) A qualitative risk analysis also should recognize that all 
risks and benefits are not quantifiable. While some transactions can be 
assigned a definite monetary value that may be placed at risk, many 
cannot. For example, the value of deterring fraud cannot generally be 
quantified. Should an agency conclude that a new automated system is 
less secure than an old, paper-based system, attempts to commit fraud 
or to repudiate transactions may increase. On the benefit side, it is 
not always possible to assign a dollar value to the increased 
efficiency that an agency experiences when it automates a labor-
intensive process, although agencies should attempt to make this 
estimation whenever feasible. Usually, it is not possible to quantify 
in monetary terms attitudes such as increased customer satisfaction and 
willingness to cooperate with an agency, which are engendered by the 
transition from onerous paper processes to user-friendly electronic 
processes.
    (4) One advantage of electronic authentication is that an agency 
may strengthen the signature validation by incorporating electronic 
links between the user and preexisting data about that user in the 
agency's records. The IRS has successfully adopted this approach in its 
TeleFile program, which enables selected taxpayers to file 1040EZs with 
a touch-tone phone. Taxpayers get Customer Service Numbers (CSNs, i.e., 
PINs) that they then use to sign their returns and which help to 
validate their identities to the agency. Even though a CSN is not 
unique to an individual taxpayer (since it is only five digits long), 
the IRS authenticates the filer by using other identifying factors, 
such as the taxpayer's date of birth, taxpayer identification number, 
and by using additional procedures. This approach is not used over the 
Internet. Rather, it occurs in short-term connections over telephone 
lines, an environment where it is comparatively difficult for 
malefactors to eavesdrop and to steal information or to substitute 
false information for fraudulent purposes.
    (5) The Computer Security Act places on agency managers the 
responsibility to select an appropriate combination of technologies and 
practices to minimize risk cost-effectively while maximizing benefits 
to the agency and to its customers. These decisions, however 
qualitative, should be documented for later review and adjustment.

Section 4. Privacy and Disclosure

    Section 1708 of the GPEA limits the use of information collected in 
electronic signature services for communications with a Federal agency. 
It directs agencies and their staff and contractor personnel not to 
such use information for any purpose other than for facilitating the 
communication. Exceptions exist if the person (or entity) who is the 
subject of the information provides affirmative consent to the 
additional use of the information, or if such additional use is 
otherwise provided by law. Accordingly, agencies should follow several 
privacy tenets:
    a. Electronic authentication should only be required where needed. 
Many transactions do not need, and should not require, detailed 
information about the individual.
    b. When electronic authentication is required for a transaction, do 
not collect more information from the user than is required for the 
application.
    c. Users should be able to decide the scope of their electronic 
means of authentication. In other words, if a user wants a certain 
mechanism for authentication to work only with a single agency or for a 
single type of transaction, the user's desires should be honored if 
practicable. Conversely, if the user wishes to have the authentication 
work with multiple agencies or for multiple types of transactions, that 
should also be permitted consistent with how the agency employs such 
means of authentication and with relevant statute and regulation.
    d. Agencies should ensure, and users should be informed, that 
information collected for the purpose of issuing or using electronic 
means of authentication will be managed and protected in accordance 
with applicable requirements under the Privacy Act, the Computer 
Security Act, and any agency-specific statutes mandating the protection 
of such information.

Section 5. Overview of Current Electronic Signature Technologies

    This section addresses two categories of security: (1) Non-
cryptographic methods of authenticating identity; and (2) cryptographic 
control methods. The non-cryptographic approach relies solely on an 
identification and authentication mechanism linked to a specific 
software application. Cryptographic controls can be used for multiple 
applications, if properly managed, and encompass authentication and 
encryption services. A highly secure implementation may combine both 
categories of technologies. The spectrum of electronic signature 
technologies currently available is described below.
    a. Non-Cryptographic Methods of Authenticating Identity
    (1) Personal Identification Number (PIN) or password: A user 
accessing an agency's electronic application is requested to enter a 
``shared secret'' (called ``shared'' because it is known both to the 
user and to the system), such as a password or PIN. When the user of a 
system enters her name, she also enters a password or PIN. The system 
checks that password or PIN as a shared secret to ``authenticate'' the 
user. If the authentication process is performed over an open network 
such as the Internet, it is usually essential that at least the shared 
secret be encrypted; this can be accomplished through the technology 
called ``Secure Sockets Layer'' currently built into almost all popular 
Web browsers, in a fashion that is transparent to the end user.
    (2) Smart Card: A smart card is a plastic card the size of a credit 
card which contains an embedded chip that can generate, store, and/or 
process data. It can be used to facilitate various authentication 
technologies. A user inserts the smart card into a card reader device 
attached to a microcomputer or network input device. In the computer, 
information from the card's chip is read by security software only when 
the user enters a PIN, password, or biometric identifier. This method 
provides greater security than use of a PIN alone, because a user must 
have both (a) physical possession of the smart card and (b) knowledge 
of the PIN. Good security requires that the smart card and the PIN 
never be kept together. Note that the PIN, password or biometric 
identifier in this case is a secret shared between the user and the 
smart card, not between the user and a local or remote computer.
    (3) Digitized Signature: A digitized signature is a graphical image 
of a handwritten signature. Some applications require a user to create 
his or her hand-written signature using a special computer input 
device, such as a digital pen and pad. The digitized representation of 
the entered signature is compared with a stored copy of the graphical 
image of the handwritten signature. If special software considers both 
images comparable, the signature is considered valid. This application 
of technology shares the same security issues as those using the PIN or 
password approach, because the digitized signature is another form of 
shared secret known both to the user and to the system. The digitized 
signature is more reliable for

[[Page 10900]]

authentication than a password or PIN because there is a biometric 
component to the creation of the image of the handwritten signature. 
Forging a digitized signature can be more difficult than forging a 
paper signature to the extent that the technology digitally compares 
the submitted signature image with the known signature image, and is 
better than the human eye. Another element in a digitized signature 
which helps make it unique is measuring how each stroke is made--its 
duration or pen pressure, for example. This information can also be 
compared to a reference value. As with all shared secret techniques, 
compromise of a digitized signature image file could pose a security 
risk to users.
    (4) Biometrics: Individuals have unique physical characteristics 
that can be converted into digital form and then interpreted by a 
computer. Among these are voice patterns (where an individual's spoken 
words are converted into a special electronic representation), 
fingerprints, and the blood vessel patterns present on the retina (or 
rear) of one or both eyes. In this technology, the physical 
characteristic is measured (by a microphone, optical reader, or some 
other device), converted into digital form, and then compared with a 
copy of that characteristic stored in the computer and authenticated 
beforehand as belonging to a particular person. If the test pattern and 
the previously stored patterns are sufficiently close (to a degree 
which is usually selectable by the authenticating application), the 
authentication will be accepted by the software, and the transaction 
allowed to proceed. Biometric applications can provide very high levels 
of authentication especially when the identifier is obtained in the 
presence of a third party (making spoofing difficult), but as with any 
shared secret, if the digital form is compromised, impersonation 
becomes a serious risk. Thus, just like PINs, such information should 
not be sent over open networks unless it is encrypted. Moreover, 
measurement and recording of a physical characteristic can raise 
privacy concerns.
b. Cryptographic Control
    Creating electronic signatures may involve the use of cryptography 
in two ways: symmetric (or shared private key) cryptography, or 
asymmetric (public key/private key) cryptography. The latter is used in 
producing digital signatures, discussed further below.
    (1) Shared Private Key Cryptography. In shared private key 
(symmetric) approaches, the user signs a document and verifies the 
signature using a single key (consisting of a long string of zeros and 
ones) that is not publicly known, or is secret. Since the same key does 
these two functions, it must be transferred from the signer to the 
recipient of the message. This situation can undermine confidence in 
the authentication of the user's identity because the private key is 
shared between sender and recipient and therefore is no longer unique 
to one person. Since the private key is shared between the sender and 
possibly many recipients, it is really not ``private'' to the sender 
and hence has lesser value as an authentication mechanism. This 
approach offers no additional cryptographic strength over digital 
signatures (see below). Further, digital signatures avoid the need for 
the shared secret.
    (2) Public/Private Key (Asymmetric) Cryptography--Digital 
Signatures. (a) To produce a digital signature, a user has his or her 
computer generate two mathematically linked keys--a private signing key 
that is kept private, and a public validation key that is available to 
the public. The private key cannot be deduced from the public key. In 
practice, the public key is made part of a ``digital certificate,'' 
which is a specialized electronic document digitally signed by the 
issuer of the certificate, binding the identity of the individual to 
his or her private key in an unalterable fashion.
    (b) A ``digital signature'' is created when the owner of a private 
signing key uses that key to create a unique mark (called a ``signed 
hash'') on an electronic document or file. The recipient employs the 
owner's public key to validate the authenticity of the attached private 
key. This process also verifies that the document was not altered. 
Since the two keys are mathematically linked, they are unique: only one 
public key will validate signatures made using its corresponding 
private key. Moreover, if the private key has been properly protected 
from compromise or loss, the signature is unique to the individual who 
owns it, that is, the owner is bound by the signature. One concern in 
relatively high-risk transactions is that the private key owner could 
feign loss to repudiate a transaction. This concern can be mitigated by 
encoding the private key onto a smart card or an equivalent device, and 
by using a biometric mechanism (rather than a PIN or password) as the 
shared secret between the user and the smart card for unlocking the 
private key to effect a signature. It can also be addressed by agencies 
establishing clear procedures for a particular implementation, so that 
all parties know what the obligations, risks and consequences are.
    The reliability of the digital signature is directly proportional 
to the degree of confidence one has in the link between the owner's 
identity and the digital certificate, how well the owner has protected 
the private key from compromise or loss, and to the cryptographic 
strength of the methodology used to generate the key pair. Further 
information on digital signatures can be found in Access with Trust 
(http://gits-sec.treas.gov), a report published by OMB and NPR.
c. Technical Considerations of the Various Technologies
    (1) While generally the most certain method for assuring identity 
electronically, use of digital signatures requires agencies to develop 
a series of policies and documents which provide the important 
underlying framework of trust and which facilitate the evaluation of 
risk. The framework identifies how well the signer's identity is bound 
to his or her public key in a digital certificate (identity proofing); 
whether the private key is placed on a highly secure hardware token or 
is encapsulated in software only; and how difficult it is for a 
malefactor to deduce using cryptographic methods the private key (the 
cryptographic strength of the key-generating algorithm).
    (2) By themselves, digitized (not digital) signatures, PINs and 
biometric identifiers do not directly bind identity to the contents of 
a document. For them to do so, they must be used in conjunction with 
some other mechanism. Biometric identifiers such as retinal patterns 
used in conjunction with digital signatures can offer far greater proof 
of identify than pen and ink signatures.
    (3) While not as robust as biometric identifiers and digital 
signatures, PINs have the decided advantage of proven customer and 
citizen acceptance, as evidenced by the universal use of PINs for 
automated teller machine transactions. Such transactions, however, 
typically occur over proprietary networks rather than open networks 
like the Internet, where eavesdropping on transactions is much easier, 
unless the messages are encrypted.
    (4) It is important to remember that technical factors are but one 
aspect to be considered when an agency plans to implement electronic 
signature-based applications. Other important aspects are considered in 
the following sections.

[[Page 10901]]

Section 6. Agency Implementation of Electronic Signature and 
Authentication

    After the agency has conducted the risk analysis and identified an 
appropriate electronic signature or other electronic authentication, 
the agency will then proceed to implement this decision. In doing so, 
agencies should consider the following:
    a. Develop a regulatory or policy scheme. Agencies should consider 
whether their programmatic regulations or policies support the use and 
enforceability of electronic signature alternatives to handwritten 
signatures. By clearly informing the regulated community that 
electronic signatures and records will be acceptable and used for 
enforcement purposes, their legal standing is enhanced. Several 
agencies have already promulgated policies and regulations making this 
clear, and a number are developing them:
    Securities and Exchange Commission (17 CFR Part 232), electronic 
regulatory filings; Environmental Protection Agency (55 FR 31,030 
(1990)), policy on electronic reporting;
    Food and Drug Administration (21 CFR Part 11), electronic 
signatures and records; Internal Revenue Service (Treasury Reg. 
301.6061-1), signature alternatives for tax filings;
    Federal Acquisition Regulation (41 CFR Parts 2 and 4), electronic 
contracts; General Services Acquisition Regulation (48 CFR Part 
552.216-73), electronic orders; Federal Property Management Regulations 
(41 CFR Part 101-41), electronic bills of lading.
    When specifying the requirements for using electronic record 
keeping by regulated entities (particularly the maintenance of 
electronic forms pertaining to employees by employers), agencies should 
consider the ``Performance Guideline for the Legal Acceptance of 
Records Produced by Information Technology Systems,'' developed by the 
Association for Information and Image Management (ANSI AIIM TR31). This 
document provides suggestions for maximizing the likelihood that 
electronically filed and stored documents will be accorded full legal 
recognition. If an agency chooses to use digital signatures, a 
regulation may specify that each individual will be issued a unique 
digital signature certificate to use, agree to keep the private key 
confidential, and agree to accept responsibility for anything that is 
submitted using that key, or other conditions under which the agency 
will accept electronic submissions using it.
    b. Use a mutually-understood, signed agreement between the person 
or entity submitting the electronically-signed information and the 
receiving Federal agency.
    (1) As a matter of efficiency, contractual arrangements with large 
numbers of trading partners would be best accomplished by setting forth 
an agency's terms and conditions in a regulation. Arrangements with 
smaller numbers of trading partners may lend themselves to one or more 
agreements, using a document referred to as a ``terms and conditions'' 
agreement. These agreements can ensure that all conditions of 
submission and receipt of data electronically are known and understood 
by the submitting parties. This is particularly the case where terms 
and conditions are not spelled out in agency programmatic regulations.
    (2) It is also important to establish that the user of the digital 
signature or PIN/password is fully aware of what he or she is signing 
at the time of signature. This can be ensured by programming 
appropriate ceremonial banners that alert the individual of the gravity 
of the action into the software application. The presence of such 
banners can later be used to demonstrate to a court that the user was 
fully informed of and aware of what he or she was signing.
    c. Minimize the likelihood of repudiation. Agencies should develop 
well-documented and established mechanisms and procedures to tie 
transaction in a legally binding way to an individual. The integrity of 
even the most secure digital signature rests on the continuing 
confidentiality of the private key, for example. Similarly, in the case 
of electronic signatures based on the use of PINs, the integrity of the 
transaction depends on the user not disclosing the PIN. If a defendant 
is later charged with a crime based on an electronically signed 
document, he or she would have every incentive to show a lack of 
control over (or loss of) the private key or PIN. Indeed, if that 
defendant plans to commit fraud, he or she may intentionally compromise 
the secrecy of the key or PIN, so that the government would later be 
unable to link him or her to the electronic transaction.
    Thus, transactions which appear to be at high risk for fraud, e.g., 
one-time high-value transactions with persons not previously known to 
an agency, may require extra safeguards or may not be appropriate for 
electronic transactions. One way to mitigate this risk is to require 
that private keys be encoded on hardware tokens, making possession of 
the token a critical requirement. Another way to guard against fraud is 
to include other identifying data in the transaction that links the key 
or PIN to the individual, preferably something not readily available to 
others.
    d. Access to the electronic data, after receipt, needs to be 
carefully controlled yet available in a meaningful and timely fashion. 
Security measures should be in place that ensure that no one is able to 
alter a transaction, or substitute something in its place, once it has 
been received by the agency. Thus, the receiving agency needs to take 
prudent steps to control access to the electronic transaction through 
such methods as limiting access to the computer database containing the 
transaction, and performing processing with the data using copies of 
the transaction rather than the original. Moreover, the information may 
be needed for audits, disputes, or court cases many years after the 
transaction itself took place. Agencies should make plans for storing 
data, and providing meaningful and timely access to it for as long as 
such access will be necessary.
    e. Ensure the ``Chain of Custody.'' Electronic audit trails must 
provide a chain of custody for the secure electronic transaction that 
identifies sending location, sending entity, date and time stamp of 
receipt, and other measures used to ensure the integrity of the 
document. These trails must be sufficiently complete and reliable to 
validate the integrity of the transaction and to prove that, (a) the 
connection between the submitter and the receiving agency has not been 
tampered with, and (b) how the document was controlled upon receipt.
    f. Provide an acknowledgment of receipt. The agency's system for 
receiving electronic transactions may be required by statute to have a 
mechanism for acknowledging receipt of transactions received, and 
acknowledging confirmation of transactions sent, with specific 
indication of the party with whom the agency is dealing.
    g. Obtain legal counsel during the design of the system. Collection 
and use of electronic data may raise legal issues, particularly if it 
is information that bears on the legality of the process or that may 
eventually be needed for proof in court.
Section 7. Summary of the Procedures and Checklist
    To summarize the process which agencies should employ to evaluate 
authentication mechanisms (electronic signatures) for electronic 
transactions and documents, the following steps apply:
    1. Examine the current business process that is being converted to 
employ electronic documents or

[[Page 10902]]

transactions, identifying the existing risks associated with fraud, 
error or misuse, as well as customer needs and demands.
    2. Consider what risks may arise from the use of electronic 
transactions or documents. This evaluation should take into account the 
relationships of the parties, the value of the transactions or 
documents, and the later need for the documents.
    3. Identify the benefits that accrue from the use of electronic 
transactions or documents.
    4. Consult with counsel about any specific legal implications about 
the use of electronic transactions or documents in the particular 
application.
    5. Evaluate how each electronic signature alternative may minimize 
risk compared to the costs incurred in adopting an alternative.
    6. Determine whether any electronic signature alternative in 
conjunction with appropriate process controls represents a practicable 
trade-off between cost and risk on the one hand, and benefits on the 
other. If so, determine, to the extent possible at the time, which 
signature alternative is the best one. Document this determination to 
allow later evaluation and audit.
    7. Develop plans for retaining and disposing of information, 
ensuring that it can be made continuously available to those who will 
need it, for managerial control of sensitive data and accommodating 
changes in staffing, and for ensuring adherence to these plans.
    8. Determine if regulations or policies are adequate to support 
electronic transactions and record keeping, or if ``terms and 
conditions'' agreements are appropriate for the particular application.
    9. Develop plans for seeking the continuing input of technology 
experts for updates on the changing state of technology and the 
continuing advice of legal counsel for updates on the changing state of 
the law in these areas.
    10. Integrate these plans into the agency's strategic IT planning 
and regular reporting to OMB.
    11. Perform periodic review and re-evaluation, as appropriate.

[FR Doc. 99-5409 Filed 3-4-99; 8:45 am]
BILLING CODE 3110-01-U