Corps of Engineers Electronic Signature System (Correspondence, 11/19/96,
GAO/AIMD-97-18R).
GAO reviewed the Army Corps of Engineers' electronic signature system.
GAO noted that: (1) the electronic signatures generated by the Corps'
system provide at least the same quality of evidence as the handwritten
signatures they are designed to replace; (2) the system produces
electronic signatures that are unique to the signer, under the signer's
sole control, capable of being verified, and linked to the data in such
a manner that if the data are changed, the signature is invalidated upon
verification; (3) the ability of the Corps' electronic signature system
to be used by other agencies has also been demonstrated; (4) according
to a State Department official, adoption of the Corps' system allowed
State to field a production system in about 6 months while minimizing
development risk and cost; (5) the third-party security review conducted
on the Corps' system resulted in a number of recommendations to enhance
the security of an already well-implemented system; (6) the Corps has
already completed a number of these actions and has a detailed
corrective action plan that specifies how and when the remainder will be
completed; and (7) GAO sanctions full-scale deployment of the Corps'
electronic signature system for financial management applications, but
this sanctioning does not constitute GAO approval of the Corps'
financial management system.
--------------------------- Indexing Terms -----------------------------
REPORTNUM: AIMD-97-18R
TITLE: Corps of Engineers Electronic Signature System
DATE: 11/19/96
SUBJECT: Electronic forms
Data integrity
Financial management systems
Systems evaluation
Internal controls
Financial records
Interagency relations
Computer security
IDENTIFIER: Army Corps of Engineers Electronic Signature System
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO report. Delineations within the text indicating chapter **
** titles, headings, and bullets are preserved. Major **
** divisions and subdivisions of the text, such as Chapters, **
** Sections, and Appendixes, are identified by double and **
** single lines. The numbers on the right end of these lines **
** indicate the position of each of the subsections in the **
** document outline. These numbers do NOT correspond with the **
** page numbers of the printed product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
** A printed copy of this report may be obtained from the GAO **
** Document Distribution Center. For further details, please **
** send an e-mail message to: **
** **
** **
** **
** with the message 'info' in the body. **
******************************************************************
Cover
================================================================ COVER
November 1996
GAO/AIMD-97-18R
Corps of Engineers Electronic Signature System
(511526)
Abbreviations
=============================================================== ABBREV
FMFIA - Federal Managers' Financial Integrity Act
GAO - General Accounting Office
Letter
=============================================================== LETTER
B-275391
November 19, 1996
Mr. John F. Wallace
Director of Resource Management
U.S. Army Corps of Engineers
Dear Mr. Wallace:
This letter responds to your October 2, 1996, request that we
sanction the operation of your electronic signature system for
full-scale implementation. We have reviewed the material provided by
your staff, and we conclude that the electronic signatures generated
by this system provide at least the same quality of evidence as the
handwritten signatures they are designed to replace.\1
Specifically, your system produces electronic signatures that are (1)
unique to the signer, (2) under the signer's sole control, (3)
capable of being verified, and (4) linked to the data in such a
manner that if the data are changed, the signature is invalidated
upon verification.
Based on the materials provided by your staff and our observations
during this system development effort, we concur with the opinion of
your third-party reviewer who stated that the electronic signature
system provides "a very robust implementation of the electronic
signature capability." In addition, we noted that the development of
a system that can be used by other agencies and applications was also
one of the original program objectives. The security review
concluded that
"This implementation, which is currently used by approximately
5,000 individuals (and is projected to have tens of thousands of
users in the future), provides an excellent model for other
computer systems in both the public and private sectors that
require electronic signatures on a widely distributed basis.
Principles applied in the development and implementation of the
[electronic signature system] can be used in any number of
applications to provide authenticity and data integrity
capabilities."
The ability of your electronic signature system to be used by other
agencies has also been demonstrated. It is our understanding that
the Department of State has decided to implement your electronic
signature system in one of its applications. According to the State
Department official who is responsible for that project, adoption of
the Corps' system allowed State to field a production system in about
6 months while minimizing development risk and cost. We understand
that other agencies are also looking at your system for possible
integration into their applications.
The third-party security review conducted on your system resulted in
a number of recommendations that were "intended to enhance the
security of an already well-implemented system." We were pleased to
see that the Corps has already completed a number of these actions
and has a detailed corrective action plan that specifies how and when
the remainder will be completed. We would appreciate being kept
informed of the progress and any problems in implementing your plan.
With this letter, we sanction full-scale deployment of your
electronic signature system for financial management applications.
As discussed with your staff, you will need to continue to monitor
the system as part of your agency's efforts to implement the Federal
Managers' Financial Integrity Act (FMFIA). Reviewing this system as
part of your FMFIA process should provide management and others
adequate assurance that the stated controls continue to function as
designed and that when warranted, improvements are implemented.
Although the electronic signature system is part of your financial
management system, this letter does not constitute GAO approval of
your financial management system as defined by 31 U.S.C. 3512(f)(2).
Should you have any questions, please contact Chris Martin, Assistant
Director, at (202) 512-9481.
Sincerely yours,
Dr. Rona B. Stillman
Chief Scientist for Computers
and Telecommunications
--------------------
\1 We outlined the necessary attributes of electronic signatures in
Comptroller General Decision 71 Comp. Gen. 109 (1991).
*** End of document. ***