[Federal Register Volume 71, Number 142 (Tuesday, July 25, 2006)]
[Notices]
[Pages 42093-42096]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E6-11760]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

[OMB Control No. 3090-0270]


Federal Acquisition Service; Information Collection; Access 
Certificates for Electronic Services (ACES)

AGENCY:  Office of the Commissioner, GSA.

ACTION:  Notice of request for comments regarding a renewal to an 
existing OMB clearance.

-----------------------------------------------------------------------

SUMMARY:  Under the provisions of the Paperwork Reduction Act of 1995 
(44 U.S.C. Chapter 35), the General Services Administration will be 
submitting to the Office of Management and Budget (OMB) a request to 
review and approve a renewal of a currently approved information 
collection requirement regarding Access Certificates for Electronic 
Services (ACES). The clearance currently expires on October 31, 2006.
    The ACES Program is designed to facilitate and promote secure 
electronic communications between online automated information 
technology application systems authorized by law to participate in the 
ACES Program and users who elect to participate in the program, through 
the implementation and operation of digital signature certificate 
technologies. Individual digital signature certificates are issued to 
individuals based upon their presentation of verifiable proof of 
identity in an authorized ACES Registration Authority. Business 
Representative digital signature certificates are issued to individuals 
based upon their presentation of verifiable proof of identity and 
verifiable proof of authority from the claimed entity to an authorized 
ACES Registration Authority.
    Public comments are particularly invited on: Whether this 
collection of information is necessary and whether it will have 
practical utility; 
whether our estimate of the public burden of this collection of 
information is accurate and based on valid assumptions and methodology; 
and ways to enhance the quality, utility, and clarity of the 
information to be collected.

DATES:  Submit comments on or before: September 25, 2006.

FOR FURTHER INFORMATION CONTACT:  Stephen Duncan, Federal Acquisition 
Service, at telephone (703) 872-8537 or via e-mail to 
[email protected].

ADDRESSES:  Submit comments regarding this burden estimate or any other 
aspect of this collection of information, including suggestions for 
reducing this burden to the Regulatory Secretariat (VIR), General 
Services Administration, Room 4035, 1800 F Street, NW., Washington, DC 
20405. Please cite OMB Control No. 3090-0270, Access Certificates for 
Electronic Services (ACES), in all correspondence.

SUPPLEMENTARY INFORMATION:

A. Background

    One of the primary goals of the emerging Government Services 
Information Infrastructure (GSII) is to facilitate public access to 
government information and services through the use of information 
technologies. One of the specific goals of the GSII is to provide the 
public with a choice of using Internet-based, online access to the 
automated information technology application systems operated by 
government agencies; such access will make it easier and less costly 
for the public to complete transactions with the government. By law, 
access to some of these automated information technology application 
systems can be granted only after the agency operating the system is 
provided with reliable information that the individual requesting such 
access is who he/she claims to be, and that he/she is authorized such 
access. The arms-length transactions envisioned by the GSII require 
implementation of methods for:
    1. Reliably establishing and verifying the identity of the 
individuals desiring to participate in the ACES Program, based 
primarily upon electronic communications between the applicant and 
authorized ACES Registration Authority.
    2. Issuing to the individuals who have been successfully identified 
a means that they can use to uniquely identify themselves to the 
automated information technology application systems participating in 
the ACES Program.
    3. Electronically and securely passing that identity to the 
automated information technology application system to which the 
individual is requesting access.
    4. Electronically and securely authenticating that identity, 
through a trusted third party, each time it is presented to an 
automated information technology application system participating in 
the ACES Program.
    5. Ensuring that the identified individual requesting access to an 
automated information technology application system has been duly 
authorized, by the management of that automated information technology 
application system, to access that system and perform the transactions 
desired.
    6. Ensuring that the information being exchanged between the 
individual and the automated information technology application system 
has not been corrupted during transmission.
    7. Reducing the ability of the parties to such transactions to 
repudiate the actions taken.
    The current state-of-the-art suggests that digital signature 
certificate technologies (often referred to as part of ``Public Key 
Infrastructure, or PKI'') provide a reliable and cost efficient means 
for meeting many of these GSII requirements. Thus, the ACES Program 
should be understood to represent an effort to implement and continue a 
PKI through which members of the public who desire to do so can 
securely communicate electronically with the online automated 
information technology application systems participating in the ACES 
Program.
    The initial step for any member of the public to take in order to 
participate in the ACES Program is to submit an application for an ACES 
certificate to an authorized ACES Registration Authority. In 
conjunction with the application process, the applicant will be required to 
submit at least:
    a. His/her full name.
    b. His/her place of birth.
    c. His/her date of birth.
    d. His/her current address and telephone number.
    e. At least three (3) of the following:
    i. Current valid state issued driver license number or number of 
state issued identification card.
    ii. Current valid passport number.
    iii. Current valid credit card number.
    iv. Alien registration number (if applicable).
    v. Social Security Number.
    vi. Current employer name, address, and telephone number.
    f. If the registration is for a business representative 
certificate, evidence of authorization to represent that business 
entity.
    The information provided during the process of applying for an ACES 
certificate constitutes the continued information collection activity 
that is the subject of this Paperwork Reduction Act Notice and request 
for comments.

B. Description

    A detailed description of the current ACES Program is available on 
the World Wide Web at http://www.gsa.gov/aces, or through the ``FOR 
FURTHER INFORMATION CONTACT'' listed above.
    Please note that all ACES identity information collected from the 
public is covered by the Privacy Act, the Computer Security Act, and 
related privacy and security regulations, regardless of whether it is 
provided directly to an agency of the Federal Government or to an 
authorized ACES Registration Authority providing ACES-related services 
under a contract with GSA. Compliance with all of the attending 
requirements is enforced through binding contracts, periodic monitoring 
by GSA, annual audits by independent auditing firms, and tri-annual re-
accreditation by GSA. Only fully accredited Registration Authorities 
will be permitted to accept and maintain identity information provided 
by the public.
    The identity information collected will be used only to establish 
and verify the identity and eligibility of applicants for ACES 
certificates; no other use of the information is permitted.
    Participation in the ACES Program is strictly voluntary, but 
participation will only be permitted upon presentation of identity 
information by the applicant, and verification of that information by 
an authorized ACES Registration Authority.
    ACES is designed to permit on-line, arms-length registration 
through the Internet, which significantly reduces the public's 
reporting burden. Based upon preliminary tests run on similar systems 
for gathering identity-related information from the public (e.g., U.S. 
Passports, initial issuance of state-issued driver's license, etc.), 
the individual reporting burden for providing identity information for 
the initial ACES certificate is estimated at an average of 15 minutes, 
including gathering the information together and entering the data into 
the electronic forms provided by the authorized ACES Registration 
Authorities.
    Service providers participating in the ACES Program may choose to 
participate in the E-Authentication Services Component (ASC) as a 
Credential Service Provider (CSP). As a result, and to support the 
technical requirements of the ASC, CSPs may supply attribute 
information in Security Assertion Markup Language (SAML) assertions 
between the CSP and the Agency e-government application. This applies 
to SAML-based use cases only.
    The E-Authentication Service Component leverages credentials from 
multiple credential providers through certifications, guidelines, 
standards and policies. The E-Authentication Service Component 
accommodates assertion based authentication (i.e., authentication of 
PIN and Password credentials) and certificate-based authentication 
(i.e., Public Key Infrastructure (PKI) digital certificates, and other 
forms of strong authentication) within the same environment. The E-
Authentication Service Component is aligned with OMB Policy Memorandum 
M-04-04, E-Authentication Guidance for Federal Agencies 
(http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf), which provides 
policy guidance for identity authentication and establishes four levels 
of authentication assurance. It is also aligned with National Institute 
of Standards and Technology (NIST) Special Publication 800-63, 
Electronic Authentication Guideline 
(http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf). This document 
accompanies and supports OMB M-04-04 and provides technical and 
procedural requirements for authentication systems which correlate to 
the four authentication assurance levels defined in OMB M-04-
04. The E-Authentication Service Component provides the infrastructure 
for Federal agencies to implement the policies and recommendations of 
OMB M-04-04 and NIST SP 800-63. These documents as well as other 
technical, policy, and informational documents and materials can be 
accessed at the website: http://www.cio.gov/eauthentication.
    The Interface Specifications require the following information to 
be contained in the SAML assertion between the Credential Service 
Provider and an e-Government Agency Application (AA) which is the 
relying party to the identity assertion:
    Common Name: expressed as First Name, Middle Name, Last Name, 
suffix surname;
    User ID: provided by the CSP so that no two subscribers within a 
credential service can share the same User ID;
    Authentication Assurance Level: i.e., assurance level 1, 2, 3, or 
4; and
    CSP: CSP is identified in the assertion.
    Since the SAML assertion contains only common name and user ID of 
the end user for the selected CSP, most agencies have determined that a 
separate activation process is necessary to identify the specific 
individual as represented in the AA. This generally requires creating a 
separate query process to identify the end user to the AA. To 
facilitate the activation process and avoid requiring the end user to 
reenter the same identifying information multiple times, GSA is also 
proposing to add the following attribute information to the SAML 1.0 
Interface Specifications as optional information:
    Partial Social Security Number (SSN): the last four digits of the 
end user's SSN;
    Date of Birth (DOB): MM/DD/YYYY; and
    Physical Address: street address, city, state, and zip code.
    The end user name, partial SSN, physical address and DOB are 
intended to allow the AA to identify the correct end user during the 
activation process, without necessarily requiring the AA to query the 
end user for any additional information. AAs will match the identity 
information in the SAML assertion (including the last four digits of 
the SSN) against the information currently maintained in application 
records systems. The Interface Specification requires CSPs which do not 
collect or maintain SSN, DOB, and/or physical address information to 
enter a null field for these attribute elements. The attribute 
information contained in the assertion is intended for the purposes of 
activation, and will not be provided to agencies that do not already 
have the authority to maintain this attribute information. AAs/records 
systems that do not collect or maintain the attribute fields of SSN, 
DOB, or physical address will not be passed that information in the 
SAML assertion from the CSPs. The E-Authentication AAs can also 
determine that they do not want to receive the additional attribute 
information of partial SSN, DOB and physical address and can opt out of 
receiving this information in the SAML assertions.
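    The following is an added example, not code from this notice or 
from the E-Authentication program, showing the exchange described 
above in working form: a CSP emitting a SAML 1.0 AttributeStatement 
carrying the four required attributes and the three optional ones, 
with a null value wherever the CSP does not hold the attribute or the 
AA has opted out of it, and an AA matching the non-null attributes 
against its own records to activate an account. The attribute names, 
the attribute namespace, the CSP identifiers and the sample records 
are all assumptions made for the example; the Interface 
Specifications' actual names are not reproduced in this notice.

```python
# Added example (not from the notice or the E-Authentication program):
# CSP-side SAML 1.0 attribute assertion and AA-side activation matching.
# Stdlib only.  Attribute names, ATTR_NS, CSP ids and records are assumed.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ATTR_NS = "urn:example:eauth:attributes"      # assumed, not the spec's value
REQUIRED = ("CommonName", "UserID", "AssuranceLevel", "CSP")
OPTIONAL = ("PartialSSN", "DOB", "PhysicalAddress")


def q(tag):
    """Clark-notation tag in the SAML 1.0 assertion namespace."""
    return "{%s}%s" % (SAML_NS, tag)


def build_assertion(csp_id, attrs, aa_opt_out=()):
    """CSP side.  `attrs` is what the CSP verified at registration.  An
    optional attribute the CSP does not maintain, or that the AA opted out
    of, is emitted as a null (empty) AttributeValue."""
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(q("Assertion"), MajorVersion="1", MinorVersion="0",
                      AssertionID="_example-0001", Issuer=csp_id,
                      IssueInstant="2006-07-25T12:00:00Z")
    stmt = ET.SubElement(root, q("AttributeStatement"))
    subj = ET.SubElement(stmt, q("Subject"))
    ET.SubElement(subj, q("NameIdentifier")).text = attrs["UserID"]
    values = dict(attrs, CSP=csp_id)          # the CSP names itself
    for name in REQUIRED + OPTIONAL:
        value = "" if name in aa_opt_out else values.get(name, "")
        attr = ET.SubElement(stmt, q("Attribute"),
                             AttributeName=name, AttributeNamespace=ATTR_NS)
        ET.SubElement(attr, q("AttributeValue")).text = value
    return ET.tostring(root, encoding="unicode")


def parse_attributes(xml_text):
    """Flatten the AttributeStatement into {name: value}; null -> ""."""
    out = {}
    for attr in ET.fromstring(xml_text).iter(q("Attribute")):
        val = attr.find(q("AttributeValue"))
        out[attr.get("AttributeName")] = (val.text or "").strip() if val is not None else ""
    return out


MATCH_FIELDS = {"PartialSSN": "ssn_last4", "DOB": "dob",
                "PhysicalAddress": "address"}


def activate(xml_text, records, trusted_csps, min_level):
    """AA side.  Returns the record id the assertion activates, or None.
    Only non-null attributes take part in matching and a hit must be
    unique; an assertion carrying only name and user ID yields None, i.e.
    the AA must fall back to its own activation query."""
    attrs = parse_attributes(xml_text)
    if attrs.get("CSP") not in trusted_csps:          # unknown issuer: reject
        return None
    if int(attrs.get("AssuranceLevel") or 0) < min_level:
        return None
    present = {MATCH_FIELDS[k]: attrs[k] for k in MATCH_FIELDS if attrs.get(k)}
    if not present:
        return None
    hits = [rid for rid, rec in records.items()
            if all(rec.get(f) == v for f, v in present.items())]
    return hits[0] if len(hits) == 1 else None


# Constructed sample AA records (not real data); two share an SSN last-4.
RECORDS = {
    "acct-100": {"ssn_last4": "1234", "dob": "03/14/1965",
                 "address": "12 Elm St, Springfield, VA 22150"},
    "acct-101": {"ssn_last4": "1234", "dob": "07/04/1972",
                 "address": "9 Oak Ave, Richmond, VA 23219"},
}
TRUSTED = {"urn:example:csp:alpha"}


def demo():
    alice = {"CommonName": "Alice Q Public", "UserID": "u-0042",
             "AssuranceLevel": "2", "PartialSSN": "1234", "DOB": "03/14/1965",
             "PhysicalAddress": "12 Elm St, Springfield, VA 22150"}
    full = build_assertion("urn:example:csp:alpha", alice)
    # AA opted out of SSN/DOB/address: only name and user ID are carried
    minimal = build_assertion("urn:example:csp:alpha", alice, aa_opt_out=OPTIONAL)
    # CSP never collected DOB/address: SSN last-4 alone is ambiguous here
    ssn_only = build_assertion("urn:example:csp:alpha",
                               {k: v for k, v in alice.items()
                                if k not in ("DOB", "PhysicalAddress")})
    rogue = build_assertion("urn:example:csp:rogue", alice)
    return {"full": activate(full, RECORDS, TRUSTED, 2),        # "acct-100"
            "minimal": activate(minimal, RECORDS, TRUSTED, 2),  # None
            "ssn_only": activate(ssn_only, RECORDS, TRUSTED, 2),  # None
            "untrusted": activate(rogue, RECORDS, TRUSTED, 2),  # None
            "low_level": activate(full, RECORDS, TRUSTED, 3)}   # None


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

    Two design points are deliberate. The AA never treats a match on the 
partial SSN alone as sufficient: the uniqueness rule sends an ambiguous 
hit back to the separate activation query the notice describes rather 
than activating the wrong account. And the opt-out is enforced at the 
CSP, by sending a null value, so that an AA without authority to hold 
SSN, DOB or address never receives them. A real deployment would also 
verify the assertion's signature and validity window before reading any 
attribute; that step is outside this example.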
    The E-Authentication Federation/Service Component does not involve 
any new collection of information from end users. If a Federal agency 
chooses to create or modify a records system to maintain information 
expressed in the SAML assertion, it must establish or amend a system of 
records (SOR) notice through publication in the Federal Register. 
Federal agencies that serve as CSPs or AAs may choose to maintain audit 
logs for browser-based access; such logs may include transaction data 
associated with the SAML assertion. Such audit logs are used to monitor 
browser access and are not considered systems of records requiring 
coverage under the Privacy Act. Once the identity information is known 
to the AA, the user interacts directly with the AA for business 
transactions. While the E-Authentication Service Component addresses the 
need for common infrastructure for authenticating end users to 
applications, authorization privileges at the application are beyond 
the scope of the E-Authentication initiative. Authorization and related 
functionality such as access control and privilege management are left 
to the application owners. Ensuring trust between the participating 
entities of the E-Authentication Federation (AAs, CSPs and End users) is 
core to the mission of the E-Authentication initiative. The 
E-Authentication Service Component provides:
    • Policies and guidelines for Federal authentication;
    • Credential assessments and authorizations;
    • Technical architecture and documents, including Interface 
Specifications, for communications within the E-Authentication 
Federation Network;
    • Interoperability testing of candidate products, schemes or 
protocols;
    • Business rules for operating within the Federation; and
    • Management and control of accepted federation schemes 
operating within the environment.
    The E-Authentication Service Component technical approach has two 
different architectural techniques, assertion-based authentication and 
certificate-based authentication. PIN and password authentication 
typically uses assertion-based authentication, where users authenticate 
to the selected CSP, which in turn asserts their identity to the AA. 
Certificate-based authentication relies on X.509v3 digital certificates 
in a Public Key Infrastructure (PKI) for authentication, and can be 
used at any assurance level. PKI credentials offer considerable 
advantages for authentication. Certificates can be validated using only 
public information. Standards for PKI are also more mature than other 
authentication technologies and more widely used than the emerging 
standards for assertion-based authentication of PIN and password 
credentials. Nevertheless, the Authentication Service Component 
incorporates both assertion-based and certificate-based authentication 
to provide the broadest range of flexibility and choices to Federal 
agencies and end users.

C. Purpose

    The General Services Administration (GSA) is responsible for 
assisting Federal agencies with the implementation and use of digital 
signature technologies to enhance electronic access to government 
information and services by all eligible persons. In order to ensure 
that the ACES program certificates are issued to the proper 
individuals, GSA will continue to collect identity information from 
persons who elect to participate in ACES.

D. Annual Reporting Burden

    Respondents: 1,000,000.
    Responses Per Respondent: 1.
    Hours Per Response: .25.
    Total Burden Hours: 250,000.
    Obtaining Copies of Proposals: Requesters may obtain a copy of the 
information collection documents from the General Services 
Administration, Regulatory Secretariat (VIR), 1800 F Street, NW., Room 
4035, Washington, DC 20405, telephone (202) 501-4755. Please cite OMB 
Control No. 3090-0270, Access Certificates for Electronic Services 
(ACES), in all correspondence.

    Dated: July 18, 2006.
Michael W. Carleton,
Chief Information Officer.
[FR Doc. E6-11760 Filed 7-24-06; 8:45 am]
BILLING CODE 6820-DH-S