OFFICE OF MANAGEMENT AND BUDGET
AGENCY: Office of Management and Budget, Executive Office of the
President
ACTION: Proposed Implementation of the Government Paperwork
Elimination Act.
SUMMARY: The Office of Management and Budget (OMB) requests
public and agency comment on
proposed procedures and guidance to implement the Government Paperwork Elimination Act (GPEA).
Under the GPEA, agencies must generally provide for the optional use and acceptance of electronic
documents and signatures, and electronic record keeping where practicable, by October 2003.
DATES: Persons who wish to comment on the GPEA procedures and
guidance should submit their
comments no later than Friday, July 5, 1999. Each Department and Agency is asked to submit a single
coordinated set of comments.
ADDRESS: Electronic comments will be included as part of the official
record. Please send comments
electronically to: gpea@omb.eop.gov. Alternatively, hardcopy comments may be addressed to:
Information Policy and Technology Branch, Office of Information and Regulatory Affairs, Office of
Management and Budget, Room 10236 New Executive Office Building, Washington, D.C. 20503.
ELECTRONIC AVAILABILITY: This document is available on the
Internet in the OMB library of
the "Welcome to the White House" home page, http://www.whitehouse.gov/OMB/, the CIO
Council's home page, http://cio.gov, and at the Government Information Technology Services Board's
security home page at http://gits-sec.treas.gov.
FOR FURTHER INFORMATION CONTACT: Peter Weiss,
Information Policy and Technology
Branch, (202) 395-3630. Press inquiries should be addressed to the OMB Communications Office,
(202) 395-7254.
SUPPLEMENTARY INFORMATION: Public confidence in the
security of the government's
electronic information and information technology is essential in creating government services that are
more accessible, efficient, and easy to use. Electronic commerce, electronic mail, and electronic
benefits
transfer sensitive information within government, between the government and private industry or
individuals, and among governments. These electronic systems must protect the information's
confidentiality, assure that the information is not altered in an unauthorized way, and be available when
needed. A corresponding policy and management structure must support these protections.
In a major step in this direction, the Congress recently enacted legislation, supported by the
Administration, intended to increase the ability of citizens to interact with the Federal government
electronically. The Government Paperwork Elimination Act, Title XVII of Pub. L. 105-277, provides
for Federal agencies, by October 21, 2003, to give persons who are required to maintain, submit, or
disclose information the option of doing so electronically when practicable as a substitute for paper, and
to use electronic authentication (electronic signature) methods to verify the identity of the sender and the
integrity of electronic content. The Act specifically provides that electronic records and their related
electronic signatures are not to be denied legal effect, validity, or enforceability merely because they are
in electronic form.
OMB's proposed implementation of the Act is in two parts. The first part sets forth the policies and
procedures for implementing the Act, and requesting certain specific agencies to provide assistance in
particular areas. The second part is intended to provide Federal managers with practical implementation
guidance.
OMB requests comments on the proposed procedures and guidance.
Donald Arbuckle
Deputy Administrator and Acting Administrator
Office of Information and Regulatory Affairs
Proposed OMB Procedures and Guidance on Implementing the Government Paperwork
Elimination
Act
This provides Executive agencies with the guidance needed to implement the Government
Paperwork
Elimination Act (GPEA), P. L. 105-277, Title XVII, which took effect on October 21, 1998. The
GPEA is an important tool to fulfill the Administration's vision of improved customer service and
governmental efficiency through the use of information technology. This vision, articulated in Vice
President Gore's 1997 report, Access America (http://gits.gov), involves widespread use of the
Internet,
with Federal agencies transacting business electronically, in the same way as commercial enterprises.
Those who wished to do business in this way could avoid traveling to government offices, waiting in
line, or mailing paper forms. Delivery of government services in this way would normally save the
government time and money as well.
Access America recognized, however, that:
Public confidence in the security of the government's electronic information and
information
technology is essential to creating government services that are more accessible, efficient, and
easy to use. Electronic commerce, electronic mail, and electronic benefits transfer sensitive
information within government, between governments and private industry or individuals, and
among governments. These electronic systems must protect the information's confidentiality,
assure that the information is not altered in an unauthorized way, and be available when needed.
PART I. Policy and Procedures
Section 1. Policy
The GPEA charges the Office of Management and Budget, in consultation with the
Commerce
Department and other appropriate entities, with the development of procedures for Executive agencies
to follow in using and accepting electronic documents and signatures. These procedures reflect and are
to be executed with due consideration of the following policies:
a. maintaining compatibility with standards and technology for electronic signatures generally used
in commerce and industry and by State governments;
b. not inappropriately favoring one industry or technology;
c. ensuring that electronic signatures are as reliable as is appropriate for the purpose in question
and that electronic record keeping systems reliably preserve the information submitted;
d. providing wherever appropriate for the electronic acknowledgment of electronic filings that are
successfully submitted; and
e. providing, to the extent feasible and appropriate, for multiple methods of electronic signatures or
identifiers for the submission of such forms where the agency anticipates receipt of 50,000 or more
electronic submittals of a particular form.
Section 2. Procedures
a. The GPEA recognizes that adoption of electronic systems should be consistent with the need to
ensure that investments in information technology are economically prudent to accomplish the agency's
mission and give due regard to privacy and security. Moreover, it is Administration policy that a
decision
to not allow the option of electronic filing and record keeping should be supported by a specific
showing
that, in the context of a particular application, there is no reasonably cost-effective combination of
technologies and management controls that can minimize the risk of significant harm. Accordingly,
agencies should develop and implement plans to use and accept documents in electronic form, and
engage in electronic transactions.
b. An agency's determination of which technology is appropriate for a given transaction must
include a
risk assessment, and an evaluation of targeted customer or user needs. Performing a risk assessment to
evaluate electronic signature alternatives should not be viewed as an isolated activity or an end in itself.
These agency risk assessments should draw from and feed into the interrelated requirements of the
Paperwork Reduction Act, the Computer Security Act, the Government Performance and Results Act,
the Clinger-Cohen Act, the Federal Managers Financial Integrity Act, and the Chief Financial Officers
Act.
c. The initial use of the risk assessment is to identify and mitigate risks in the context of available
technologies and their relative total costs and effects on the program being analyzed. The assessment
also should be used to develop baselines and verifiable performance measures that track the agency's
mission, strategic plans, and tactical goals.
d. The analysis of costs and benefits should be designed so that it can be used, not only as a guide
to
selecting among the technologies under consideration, but also to generate a business case and
verifiable
return on investment to support decisions regarding overall programmatic direction, investment
decisions,
and budgetary priorities. The effects on the public and its needs and readiness to move to an electronic
environment are important considerations.
Section 3. Agency Responsibilities
a. In order to ensure a smooth and cost-effective transition to a more electronic government
providing improved service to the public, each agency shall:
1. include in its strategic IT plans supporting program responsibilities (required under OMB
Circular A-11) a summary of the agency's schedule to implement optional electronic
maintenance, submission, or disclosure of information when practicable as a substitute for
paper, including through the use of electonic signatures when practicable, by the end of Fiscal
Year 2003 (note: agencies need not revise their reports on Federal purchasing and payment
already required by OMB M-99-02, but should include the automation of purchasing and
payment functions in their schedule);
2. consider whether an appropriate combination of information security practices,
authentication technologies and management controls for each application will be practicable,
and if so, which combination will minimize risk and maximize benefits in a cost effective
manner;
3. promulgate or amend regulations or policies as necessary and appropriate to: (1)
implement
optional electronic submission, maintenance, or disclosure of information, and the use of any
necessary electronic signature alternatives; and (2) permit private employers who have record
keeping responsibilities imposed by the Federal government to electronically store and file
information pertaining to their employees electronically;
4. maintain appropriate information system confidentiality and security in accordance with
the
guidance contained OMB Circular A-130, Appendices I and III, and use, to the maximum
extent practicable, technologies either prescribed in Federal Information Processing Standards
promulgated by the Secretary of Commerce or supported by voluntary consensus standards
as defined in OMB Circular A-119;
5. provide, to the extent feasible and appropriate, more than one electronic signature option
for public reporting forms which are collected annually in electronic form from more than
50,000 respondents; and
6. report progress against the strategic plans developed in response to 1. above through the
annual agency reports submitted to OMB under the Paperwork Reduction Act, including any
determination that a particular application is inappropriate for conversion to electronic filing.
(b) Department of Commerce
Department of Commerce shall promulgate Federal Information Processing Standards as
appropriate to further the specific goals of the GPEA. The Department should also develop
best practices in the area of authentication technologies and implementations, including
cryptographic digital signature technology, with assistance from the Government Information
Technology Services Board, the Chief Information Officers Council and the President's
Management Council.
(c) Department of the Treasury
The Department of the Treasury shall prescribe policies and practices for the use of
electronic
authentication techniques in Federal payments and collections, and ensure that they fulfill the
the goals of GPEA.
(d) Department of Justice
The Department of Justice shall develop and publish practical guidance on legal
considerations related to agency use of electronic filing and record keeping.
(e) General Services Administration
The General Services Administration shall support agencies' implementation of electronic
signatures and related electronic service delivery.
Part II. Paperwork Elimination Through the Use of Electronic Signatures and Electronic
Record Keeping
This part provides Federal managers with basic information to assist in planning for an
orderly and efficient transition to electronic government.
Section 1. Introduction and Background.
a. As required by the Government Paperwork Elimination Act (GPEA), this Part provides
guidance for agencies to use in deciding whether to use electronic signature technology for an
application, which electronic signature technology may be most appropriate, and how to
minimize the risk of fraud, error, or misuse when implementing an electronic signature
technology to authenticate electronic transactions. These procedures are consistent with the
requirement of the Paperwork Reduction Act of 1995 (PRA) that agencies shall "consistent
with the Computer Security Act of 1987 (CSA)(40 U.S.C. 759 note), identify and afford
security protections commensurate with the risk and magnitude of the harm resulting from the
loss, misuse, or unauthorized access to or modification of information collected or maintained
by or on behalf of an agency." 44 U.S.C. 3506(g)(3).
b. As the GPEA, PRA, and CSA recognize, the goal of information security is to protect the
integrity of electronic records and transactions. Different security approaches offer varying
levels of assurance in an electronic environment. Among these approaches (in an ascending
level of assurance) are 1) the so-called "shared secrets" methods, e.g., personal identification
numbers or passwords, 2) digitized signatures or biometric means of identification such as
fingerprints or retinal patterns and voice recognition, and 3) digital signatures. Combinations of
approaches (e.g., digital signatures with biometrics) are also possible and may provide even
higher levels of assurance. Deciding which to use in an application depends upon the risks
associated with the loss, misuse or compromise of the information compared to the cost and
effort associated with deploying and managing the increasingly secure methods to mitigate
those risks. Agencies must strike a balance, recognizing that achieving absolute security is
likely to be in most cases highly improbable and prohibitively expensive.
Section 2. What is An "Electronic Signature?"
a. The GPEA defines "electronic signature" as follows:
a method of signing an electronic message that --
(A) identifies and authenticates a particular person as the source of the electronic message;
and
(B) indicates such person's approval of the information contained in the electronic message.
(GPEA, section 1709(1)).
This definition should be interpreted by reference to accepted legal definitions of signatures.
The term "signature" has long been understood as including "any symbol executed or adopted
by a party with present intention to authenticate a writing." (Uniform Commercial Code,
1-201(39)(1970)). These flexible definitions permit the use of different electronic signature
technologies, such as digital signatures, digitized signatures or biometrics, discussed below.
For this reason, while it is the case that, for historical reasons, the Federal Rules of Evidence
are tailored to the admissibility of paper-based evidence, the Rules of Evidence have no bias
against electronic evidence.
b. In enacting the GPEA, Congress addressed the legal effect and validity of electronic
signatures or other electronic authentication:
Electronic records submitted or maintained in accordance with procedures developed under
this title, or electronic signatures or other forms of electronic authentication used in accordance
with such procedures, shall not be denied legal effect, validity, or enforceability because such
records are in electronic form. (GPEA, section 1707).
Section 3. Risk Factors to Consider In Planning and Implementing an Electronic Signature or
Record Keeping System.
Electronic signature technologies can offer degrees of confidence in authenticating identity
greater even than the presence of a handwritten signature. These digital tools should be used
to control risks in a cost-effective manner. In determining whether an electronic signature is
sufficiently reliable for a particular purpose, agencies should consider the relationships
between the parties, the value of the transaction, and the likely need for accessible, persuasive
information regarding the transaction at some later date. Once these factors are considered
separately, an agency should consider them together to evaluate its sensitivity to risk for a
particular process.
a. The relationship between the parties. Agency transactions fall into
five general categories, each of which may be vulnerable to different security risks:
(1) Intra-agency transactions (i.e., those which remain within the same Federal agency).
(2) Inter-agency transactions (i.e., those between Federal agencies).
(3) Transactions between a Federal agency and state or local government agencies.
(4) Transactions between a Federal agency and a private organization - contractor, university,
non-profit organization, or other entity.
(5) Transactions between a Federal agency and a member of the general public.
Inter- or intra-governmental transactions of a relatively routine nature will generally entail
little
risk of a trading partner later repudiating the transaction, and almost no risk of the trading
partner committing fraud. Similarly, transactions between a regulatory agency and a publicly
traded corporation or other known entity regulated by that agency bear a relatively low risk of
repudiation or fraud. Risk also tends to be relatively low in cases where there is an ongoing
relationship between the parties. On the other hand, a one-time transaction between a person
and an agency, which has legal or financial implications, bears the highest risk. In all cases, the
relative value of the transaction needs to be considered.
b. The value of the transaction. Agency transactions fall into five
general categories, each of which may be vulnerable to different security risks:
(1) Transactions involving the transfer of funds.
(2) Transactions where the parties commit to actions or contracts that may give rise to
financial or legal liability.
(3) Transactions involving information protected under the Privacy Act or other
agency-specific statutes obliging that access to the information be restricted.
(4) Transactions where the party is fulfilling a legal responsibility which, if not performed,
creates a legal liability (criminal or civil).
(5) Transactions where no funds are transferred, no financial or legal liability is involved and
no privacy or confidentiality issues are involved (electronic signatures are least necessary in
these transactions and should not be used unless specifically required by law or regulation).
c. The likely need for accessible, persuasive information regarding the transaction at
a later point. Agency transactions fall into five general categories:
(1) Transactions where the information generated will never be needed again.
(2) Transactions where the information generated may later be subject to audit.
(3) Transactions where the information generated may later be subject to dispute by one of
the parties (or alleged parties) to the transaction.
(4) Transactions where the information generated may later be subject to dispute by a
non-party to the transaction.
(5) Transactions where the information generated may later be needed as proof in court.
d. Synthesizing the Risk Factors
(1) To evaluate the suitability of electronic signature alternatives for a particular application,
the agency needs to perform a qualitative risk analysis and should then determine the particular
technologies and management controls best suited to minimizing the risk to an acceptable level
while maximizing the benefits to the parties involved.
(2) Risk analyses must recognize that no signature alternative is totally reliable and secure.
Every method of signature, whether electronic or paper, can be compromised to some degree
with enough technology or due to poor security procedures or practices. In estimating the cost
of any system, agencies should include costs associated with hardware, software,
administration and support of the system, both short-term and long-term. If it would be
extremely expensive to set up a very secure system, but past experience with fraud risks and a
careful analysis of those risks shows that exposure is low, a less expensive system that deters
the majority of fraud is probably warranted. However, in making this tradeoff, agencies
should: (a) evaluate whether the security elements of a less expensive system can be
disproportionately exploited resulting in greater exposure to fraud than would be expected in
comparable non-automated systems; and (b) consider management and other non-technical
process controls which could reduce those risks.
(3) A qualitative risk analysis also should recognize that all risks and benefits are not
quantifiable. While some transactions can be assigned a definite monetary value that may be
placed at risk, many cannot. For example, the value of deterring fraud cannot generally be
quantified. Should an agency conclude that a new automated system is less secure than an old,
paper-based system, attempts to commit fraud or to repudiate transactions may increase. On
the benefit side, it is not always possible to assign a dollar value to the increased efficiency that
an agency experiences when it automates a labor-intensive process, although agencies should
attempt to make this estimation whenever feasible. Usually, it is not possible to quantify in
monetary terms attitudes such as increased customer satisfaction and willingness to cooperate
with an agency, which are engendered by the transition from onerous paper processes to
user-friendly electronic processes.
(4) One advantage of electronic authentication is that an agency may strengthen the signature
validation by incorporating electronic links between the user and preexisting data about that
user in the agency's records. The IRS has successfully adopted this approach in its TeleFile
program, which enables selected taxpayers to file 1040EZs with a touch-tone phone.
Taxpayers get Customer Service Numbers (CSNs, i.e., PINs) that they then use to sign their
returns and which help to validate their identities to the agency. Even though a CSN is not
unique to an individual taxpayer (since it is only five digits long), the IRS authenticates the filer
by using other identifying factors, such as the taxpayer's date of birth, taxpayer identification
number, and by using additional procedures. This approach is not used over the Internet.
Rather, it occurs in short-term connections over telephone lines, an environment where it is
comparatively difficult for malefactors to eavesdrop and to steal information or to substitute
false information for fraudulent purposes.
(5) The Computer Security Act places on agency managers the responsibility to select an
appropriate combination of technologies and practices to minimize risk cost-effectively while
maximizing benefits to the agency and to its customers. These decisions, however qualitative,
should be documented for later review and adjustment.
Section 4. Privacy and Disclosure.
Section 1708 of the GPEA limits the use of information collected in electronic signature
services for communications with a Federal agency. It directs agencies and their staff and
contractor personnel not to such use information for any purpose other than for facilitating the
communication. Exceptions exist if the person (or entity) who is the subject of the information
provides affirmative consent to the additional use of the information, or if such additional use is
otherwise provided by law. Accordingly, agencies should follow several privacy tenets:
a. Electronic authentication should only be required where needed. Many transactions do not need,
and should not require, detailed information about the individual.
b. When electronic authentication is required for a transaction, do not collect more information
from the user than is required for the application.
c. Users should be able to decide the scope of their electronic means of authentication. In other
words, if a user wants a certain mechanism for authentication to work only with a single agency or for a
single type of transaction, the user's desires should be honored if practicable.
Conversely, if the user wishes to have the authentication work with multiple agencies or for
multiple types of transactions, that should also be permitted consistent with how the agency
employs such means of authentication and with relevant statute and regulation.
d. Agencies should ensure, and users should be informed, that information collected for the
purpose of issuing or using electronic means of authentication will be managed and protected in
accordance with applicable requirements under the Privacy Act, the Computer Security
Act, and any agency-specific statutes mandating the protection of such information.
Section 5. Overview of Current Electronic Signature Technologies.
This section addresses two categories of security: 1) Non-cryptographic methods of
authenticating identity; and 2) cryptographic control methods. The non-cryptographic
approach relies solely on an identification and authentication mechanism linked to a specific
software application. Cryptographic controls can be used for multiple applications, if properly
managed, and encompass authentication and encryption services. A highly secure
implementation may combine both categories of technologies. The spectrum of electronic
signature technologies currently available is described below.
a. Non-Cryptographic Methods of Authenticating Identity
(1) Personal Identification Number (PIN) or password: A user
accessing an agency's
electronic application is requested to enter a "shared secret" (called "shared" because it is
known both to the user and to the system), such as a password or PIN. When the user of a
system enters her name, she also enters a password or PIN. The system checks that
password or PIN as a shared secret to "authenticate" the user. If the authentication process is
performed over an open network such as the Internet, it is usually essential that at least the
shared secret be encrypted; this can be accomplished through the technology called "Secure
Sockets Layer" currently built into almost all popular Web browsers, in a fashion that is
transparent to the end user.
(2) Smart Card: A smart card is a plastic card the size of a
credit card which contains an
embedded chip that can generate, store, and/or process data. It can be used to facilitate
various authentication technologies. A user inserts the smart card into a card reader device
attached to a microcomputer or network input device. In the computer, information from the
card's chip is read by security software only when the user enters a PIN, password, or
biometric identifier. This method provides greater security than use of a PIN alone, because a
user must have both a) physical possession of the smart card and b) knowledge of the PIN.
Good security requires that the smart card and the PIN never be kept together. Note that the
PIN, password or biometric identifier in this case is a secret shared between the user and the
smart card, not between the user and a local or remote computer.
(3) Digitized Signature: A digitized signature is a graphical image
of a handwritten signature.
Some applications require a user to create his or her hand-written signature using a special
computer input device, such as a digital pen and pad. The digitized representation of the
entered signature is compared with a stored copy of the graphical image of the handwritten
signature. If special software considers both images comparable, the signature is considered
valid. This application of technology shares the same security issues as those using the PIN or
password approach, because the digitized signature is another form of shared secret known
both to the user and to the system. The digitized signature is more reliable for authentication
than a password or PIN because there is a biometric component to the creation of the image
of the handwritten signature. Forging a digitized signature can be more difficultn than forging a
paper signature to the extent that the technology digitally compares the submitted signature
image with the known signature image, and is better than the human eye. Another element in a
digitized signature which helps make it unique is measuring how each stroke is made - its
duration or pen pressure, for example. This information can also be compared to a reference
value. As with all shared secret techniques, compromise of a digitized signature image file
could pose a security risk to users.
(4) Biometrics: Individuals have unique physical characteristics
that can be converted into digital form and then interpreted by a computer. Among these are voice
patterns (where an individual's spoken words are converted into a special electronic representation),
fingerprints, and the blood vessel patterns present on the retina (or rear) of one or both eyes. In this
technology, the physical characteristic is measured (by a microphone, optical reader, or some
other device), converted into digital form, and then compared with a copy of that
characteristic stored in the computer and authenticated beforehand as belonging to a particular
person. If the test pattern and the previously stored patterns are sufficiently close (to a degree
which is usually selectable by the authenticating application), the authentication will be
accepted by the software, and the transaction allowed to proceed. Biometric applications can
provide very high levels of authentication especially when the identifier is obtained in the
presence of a third party (making spoofing difficult), but as with any shared secret, if the digital
form is compromised, impersonation becomes a serious risk. Thus, just like PINs, such
information should not be sent over open networks unless it is encrypted. Moreover,
measurement and recording of a physical characteristic can raise privacy concerns.
b. Cryptographic Control
Creating electronic signatures may involve the use of cryptography in two ways: symmetric
(or shared private key) cryptography, or asymmetric (public key/private key) cryptography. The
latter is used in producing digital signatures, discussed further below.
(1) Shared Private Key Cryptography. In shared private key
(symmetric) approaches, the
user signs a document and verifies the signature using a single key (consisting of a long string
of zeros and ones) that is not publicly known, or is secret. Since the same key does these two
functions, it must be transferred from the signer to the recipient of the message. This situation
can undermine confidence in the authentication of the user's identity because the private key is
shared between sender and recipient and therefore is no longer unique to one person. Since
the private key is shared between the sender and possibly many recipients, it is really not
"private" to the sender and hence has lesser value as an authentication mechanism. This
approach offers no additional cryptographic strength over digital signatures (see below).
Further, digital signatures avoid the need for the shared secret.
(2) Public/Private Key (Asymmetric) Cryptography - Digital
Signatures.
(a) To produce a digital signature, a user has his or her computer generate two
mathematically linked keys -- a private signing key that is kept private, and a public validation key that
is available to the public. The private key cannot be deduced from the public key. In practice,
the public key is made part of a "digital certificate," which is a specialized electronic document
digitally signed by the issuer of the certificate, binding the identity of the individual to his or her
private key in an unalterable fashion.
(b) A "digital signature" is created when the owner of a private signing key uses that key to
create a unique mark (called a "signed hash") on an electronic document or file. The recipient
employs the owner's public key to validate the authenticity of the attached private key. This
process also verifies that the document was not altered. Since the two keys are mathematically
linked, they are unique: only one public key will validate signatures made using its
corresponding private key. Moreover, if the private key has been properly protected from
compromise or loss, the signature is unique to the individual who owns it, that is, the owner is
bound by the signature. One concern in relatively high-risk transactions is that the private key
owner could feign loss to repudiate a transaction. This concern can be mitigated by encoding
the private key onto a smart card or an equivalent device, and by using a biometric mechanism
(rather than a PIN or password) as the shared secret between the user and the smart card for
unlocking the private key to effect a signature. It can also be addressed by agencies
establishing clear procedures for a particular implementation, so that all parties know what the
obligations, risks and consequences are.
The reliability of the digital signature is directly proportional to the degree of confidence one
has in the link between the owner's identity and the digital certificate, how well the owner has
protected the private key from compromise or loss, and to the cryptographic strength of the
methodology used to generate the key pair. Further information on digital signatures can be
found in Access with Trust (http://gits-sec.treas.gov), a report published by OMB and NPR.
c. Technical Considerations of the Various Technologies
(1) While generally the most certain method for assuring identity electronically, use of digital
signatures requires agencies to develop a series of policies and documents which provide the
important underlying framework of trust and which facilitate the evaluation of risk. The
framework identifies how well the signer's identity is bound to his or her public key in a digital
certificate (identity proofing); whether the private key is placed on a highly secure hardware
token or is encapsulated in software only; and how difficult it is for a malefactor to deduce
using cryptographic methods the private key (the cryptographic strength of the key-generating
algorithm).
(2) By themselves, digitized (not digital) signatures, PINs and biometric identifiers do not
directly bind identity to the contents of a document. For them to do so, they must be used in
conjunction with some other mechanism. Biometric identifiers such as retinal patterns used in
conjunction with digital signatures can offer far greater proof of identify than pen and ink
signatures.
(3) While not as robust as biometric identifiers and digital signatures, PINs have the
decidedadvantage of proven customer and citizen acceptance, as evidenced by the universal use of
PINs for automated teller machine transactions. Such transactions, however, typically occur
over proprietary networks rather than open networks like the Internet, where eavesdropping
on transactions is much easier, unless the messages are encrypted.
(4) It is important to remember that technical factors are but one aspect to be considered
when an agency plans to implement electronic signature-based applications. Other important
aspects are considered in the following sections.
Section 6. Agency Implementation of Electronic Signature and Authentication
After the agency has conducted the risk analysis and identified an appropriate electronic
signature or other electronic authentication, the agency will then proceed to implement this
decision. In doing so, agencies should consider the following:
a. Develop a regulatory or policy scheme. Agencies should consider whether their
programmatic regulations or policies support the use and enforceability of electronic signature
alternatives to handwritten signatures. By clearly informing the regulated community that
electronic signatures and records will be acceptable and used for enforcement purposes, their
legal standing is enhanced. Several agencies have already promulgated policies and regulations
making this clear, and a number are developing them:
Securities and Exchange Commission (17 C.F.R. Part 232), electronic regulatory filings;
Environmental Protection Agency (55 Fed. Reg. 31,030 (1990)), policy on
electronic reporting;
Food and Drug Administration (21 C.F.R. Part 11), electronic signatures and records;
Internal Revenue Service (Treasury Reg. 301.6061-1), signature alternatives for tax filings;
Federal Acquisition Regulation (41 C.F.R. Parts 2 and 4), electronic contracts;
General Services Acquisition Regulation (48 C.F.R. Part 552.216-73), electronic orders;
Federal Property Management Regulations (41 C.F.R. Part 101-41), electronic bills of
lading.
When specifying the requirements for using electronic record keeping by regulated entities
(particularly the maintenance of electronic forms pertaining to employees by employers),
agencies should consider the "Performance Guideline for the Legal Acceptance of Records
Produced by Information Technology Systems," developed by the Association for Information
and Image Management (ANSI AIIM TR31). This document provides suggestions for
maximizing the likelihood that electronically filed and stored documents will be accorded full
legal recognition. If an agency chooses to use digital signatures, a regulation may specify that
each individual will be issued a unique digital signature certificate to use, agree to keep the
private key confidential, and agree to accept responsibility for anything that is submitted using
that key, or other conditions under which the agency will accept electronic submissions using
it.
b. Use a mutually-understood, signed agreement between the person or entity
submitting the electronically-signed information and the receiving Federal agency.
As a matter of efficiency, arrangements with large numbers of customers would be best
accomplished by setting forth an agency's terms and conditions in a regulation or policy.
Arrangements with smaller numbers may lend themselves to one or more agreements, using a
document referred to as a "terms and conditions" agreement. These agreements can ensure
that all conditions of submission and receipt of data electronically are known and understood
by the submitting parties. This is particularly the case where terms and conditions are not
spelled out in agency programmatic regulations.
It is also important to establish that the user of the digital signature or PIN/password is fully
aware of what he or she is signing at the time of signature. This can be ensured by
programming appropriate ceremonial banners that alert the individual of the gravity of the
action into the software application. The presence of such banners can later be used to
demonstrate to a court that the user was fully informed of and aware of what he or she was
signing.
c. Minimize the likelihood of repudiation. Agencies should develop
well-documented and
established mechanisms and procedures to tie transaction in a legally binding way to an
individual. The integrity of even the most secure digital signature rests on the continuing
confidentiality of the private key, for example. Similarly, in the case of electronic signatures
based on the use of PINs, the integrity of the transaction depends on the user not disclosing
the PIN. If a defendant is later charged with a crime based on an electronically signed
document, he or she would have every incentive to show a lack of control over (or loss of) the
private key or PIN. Indeed, if that defendant plans to commit fraud, he or she may
intentionally compromise the secrecy of the key or PIN, so that the government would later be
unable to link him or her to the electronic transaction.
Thus, transactions which appear to be at high risk for fraud, e.g., one-time high-value
transactions with persons not previously known to an agency, may require extra safeguards or
may not be appropriate for electronic transactions. One way to mitigate this risk is to require
that private keys be encoded on hardware tokens, making possession of the token a critical
requirement. Another way to guard against fraud is to include other identifying data in the
transaction that links the key or PIN to the individual, preferably something not readily
available to others.
d. Access to the electronic data, after receipt, needs to be carefully controlled yet
available in a meaningful and timely fashion. Security measures should be in place that
ensure that no one is able to alter a transaction, or substitute something in its place, once it has
been received by the agency. Thus, the receiving agency needs to take prudent steps to
control access to the electronic transaction through such methods as limiting access to the
computer database containing the transaction, and performing processing with the data using
copies of the transaction rather than the original. Moreover, the information may be needed
for audits, disputes, or court cases many years after the transaction itself took place. Agencies
should make plans for storing data, and providing meaningful and timely access to it for as
long as such access will be necessary
e. Ensure the "Chain of Custody." Electronic audit trails must provide a
chain of custody
for the secure electronic transaction that identifies sending location, sending entity, date and
time stamp of receipt, and other measures used to ensure the integrity of the document. These
trails must be sufficiently complete and reliable to validate the integrity of the transaction and to
prove that, a) the connection between the submitter and the receiving agency has not been
tampered with, and b) how the document was controlled upon receipt.
f. Provide an acknowledgment of receipt. The agency's system for
receiving electronic
transactions may be required by statute to have a mechanism for acknowledging receipt of
transactions received, and acknowledging confirmation of transactions sent, with specific
indication of the party with whom the agency is dealing.
g. Obtain legal counsel during the design of the system. Collection and
use of electronic
data may raise legal issues, particularly if it is information that bears on the legality of the
process or that may eventually be needed for proof in court.
Section 7. Summary of the Procedures and Checklist.
To summarize the process which agencies should employ to evaluate authentication
mechanisms (electronic signatures) for electronic transactions and documents, the following
steps apply:
1. Examine the current business process that is being converted to employ electronic
documents or transactions, identifying the existing risks associated with fraud, error or misuse,
as well as customer needs and demands.
2. Consider what risks may arise from the use of electronic transactions or documents. This
evaluation should take into account the relationships of the parties, the value of the
transactions or documents, and the later need for the documents.
3. Identify the benefits that accrue from the use of electronic transactions or documents.
4. Consult with counsel about any specific legal implications about the use of electronic
transactions or documents in the particular application.
5. Evaluate how each electronic signature alternative may minimize risk compared to the
costs incurred in adopting an alternative.
6. Determine whether any electronic signature alternative in conjunction with appropriate
process controls represents a practicable trade-off between cost and risk on the one hand,
and benefits on the other. If so, determine, to the extent possible at the time, which signature
alternative is the best one. Document this determination to allow later evaluation and audit.
7. Develop plans for retaining and disposing of information, ensuring that it can be made
continuously available to those who will need it, for managerial control of sensitive data and
accommodating changes in staffing, and for ensuring adherence to these plans.
8. Determine if regulations or policies are adequate to support electronic transactions and
record keeping, or if "terms and conditions" agreements are appropriate for the particular
application.
9. Develop plans for seeking the continuing input of technology experts for updates on the
changing state of technology and the continuing advice of legal counsel for updates on the
changing state of the law in these areas.
10. Integrate these plans into the agency's strategic IT planning and regular reporting to
OMB.
11. Perform periodic review and re-evaluation, as appropriate.
Return to OMB Home Page