Corps of Engineers Electronic Signature System (Correspondence, 11/19/96, GAO/AIMD-97-18R).

GAO reviewed the Army Corps of Engineers' electronic signature system. GAO noted that: (1) the electronic signatures generated by the Corps' system provide at least the same quality of evidence as the handwritten signatures they are designed to replace; (2) the system produces electronic signatures that are unique to the signer, under the signer's sole control, capable of being verified, and linked to the data in such a manner that if the data are changed, the signature is invalidated upon verification; (3) the ability of the Corps' electronic signature system to be used by other agencies has also been demonstrated; (4) according to a State Department official, adoption of the Corps' system allowed State to field a production system in about 6 months while minimizing development risk and cost; (5) the third-party security review conducted on the Corps' system resulted in a number of recommendations to enhance the security of an already well-implemented system; (6) the Corps has already completed a number of these actions and has a detailed corrective action plan that specifies how and when the remainder will be completed; and (7) GAO sanctions full-scale deployment of the Corps' electronic signature system for financial management applications, but this sanctioning does not constitute GAO approval of the Corps' financial management system.

--------------------------- Indexing Terms -----------------------------

REPORTNUM: AIMD-97-18R

TITLE: Corps of Engineers Electronic Signature System

DATE: 11/19/96

SUBJECT: Electronic forms
         Data integrity
         Financial management systems
         Systems evaluation
         Internal controls
         Financial records
         Interagency relations
         Computer security

IDENTIFIER: Army Corps of Engineers Electronic Signature System

Cover
================================================================ COVER

November 1996

GAO/AIMD-97-18R

Corps of Engineers Electronic Signature System

(511526)

Abbreviations
=============================================================== ABBREV

FMFIA - Federal Managers' Financial Integrity Act
GAO - General Accounting Office

Letter
=============================================================== LETTER

B-275391

November 19, 1996

Mr. John F. Wallace
Director of Resource Management
U.S. Army Corps of Engineers

Dear Mr. Wallace:

This letter responds to your October 2, 1996, request that we sanction the operation of your electronic signature system for full-scale implementation.
We have reviewed the material provided by your staff, and we conclude that the electronic signatures generated by this system provide at least the same quality of evidence as the handwritten signatures they are designed to replace.\1 Specifically, your system produces electronic signatures that are (1) unique to the signer, (2) under the signer's sole control, (3) capable of being verified, and (4) linked to the data in such a manner that if the data are changed, the signature is invalidated upon verification.

Based on the materials provided by your staff and our observations during this system development effort, we concur with the opinion of your third-party reviewer who stated that the electronic signature system provides "a very robust implementation of the electronic signature capability."

In addition, we noted that the development of a system that can be used by other agencies and applications was also one of the original program objectives. The security review concluded that "This implementation, which is currently used by approximately 5,000 individuals (and is projected to have tens of thousands of users in the future), provides an excellent model for other computer systems in both the public and private sectors that require electronic signatures on a widely distributed basis. Principles applied in the development and implementation of the [electronic signature system] can be used in any number of applications to provide authenticity and data integrity capabilities."

The ability of your electronic signature system to be used by other agencies has also been demonstrated. It is our understanding that the Department of State has decided to implement your electronic signature system in one of its applications. According to the State Department official who is responsible for that project, adoption of the Corps' system allowed State to field a production system in about 6 months while minimizing development risk and cost.
We understand that other agencies are also looking at your system for possible integration into their applications.

The third-party security review conducted on your system resulted in a number of recommendations that were "intended to enhance the security of an already well-implemented system." We were pleased to see that the Corps has already completed a number of these actions and has a detailed corrective action plan that specifies how and when the remainder will be completed. We would appreciate being kept informed of the progress and any problems in implementing your plan.

With this letter, we sanction full-scale deployment of your electronic signature system for financial management applications. As discussed with your staff, you will need to continue to monitor the system as part of your agency's efforts to implement the Federal Managers' Financial Integrity Act (FMFIA). Reviewing this system as part of your FMFIA process should provide management and others adequate assurance that the stated controls continue to function as designed and that when warranted, improvements are implemented.

Although the electronic signature system is part of your financial management system, this letter does not constitute GAO approval of your financial management system as defined by 31 U.S.C. 3512(f)(2).

Should you have any questions, please contact Chris Martin, Assistant Director, at (202) 512-9481.

Sincerely yours,

Dr. Rona B. Stillman
Chief Scientist for Computers and Telecommunications

--------------------
\1 We outlined the necessary attributes of electronic signatures in Comptroller General Decision 71 Comp. Gen. 109 (1991).