AGENCY: Office of Management and Budget, Executive Office of the President
ACTION: Procedures and guidance.
SUMMARY: The Office of Management and Budget (OMB) provides procedures and guidance to implement the Government Paperwork Elimination Act (GPEA). GPEA requires Federal agencies, by October 21, 2003, to allow individuals or entities that deal with the agencies the option to submit information or transact with the agency electronically, when practicable, and to maintain records electronically, when practicable. The Act specifically states that electronic records and their related electronic signatures are not to be denied legal effect, validity, or enforceability merely because they are in electronic form, and encourages Federal government use of a range of electronic signature alternatives.
Electronic Availability: This document is available on the Internet in the OMB library of the "Welcome to the White House" home page, /OMB/, the Federal CIO Council's home page, http://cio.gov/, and the Federal Public Key Infrastructure Steering Committee home page, http://gits-sec.treas.gov/.
FOR FURTHER INFORMATION CONTACT: Jonathan Womer, Information Policy and Technology Branch, Office of Information and Regulatory Affairs, (202) 395-3785. Press inquiries should be addressed to the OMB Communications Office, (202) 395-7254. Inquiries may also be addressed to: Information Policy and Technology Branch, Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10236 New Executive Office Building, Washington, D.C. 20503.
SUPPLEMENTARY INFORMATION:
Background
This document provides Executive agencies the guidance required under Sections 1703 and 1705 of the Government Paperwork Elimination Act (GPEA), P. L. 105-277, Title XVII, which was signed into law on October 21, 1998. GPEA is an important tool to improve customer service and governmental efficiency through the use of information technology. This improvement involves transacting business electronically with Federal agencies and widespread use of the Internet and its World Wide Web.
As public awareness of electronic communications and Internet usage increases, demand for on-line interactions with the Federal agencies also increases. Moving to electronic transactions and electronic signatures can reduce transaction costs for the agency and its partner. Transactions are quicker and information access can be more easily tailored to the specific questions that need to be answered. As a result data analysis is easier. These access and data analysis benefits often have a positive spillover effect into the rest of the agency as awareness of the agency's operations is improved. In addition, reengineering the work process associated with the transaction around the new electronic format can give rise to other efficiencies.
Public confidence in the security of the government's electronic information processes is essential as agencies make this transition. Electronic commerce, electronic mail, and electronic benefits transfer can require the exchange of sensitive information within government, between the government and private industry or individuals, and among governments. These electronic systems must protect the information's confidentiality, ensure that the information is not altered in an unauthorized way, and make it available when needed. A corresponding policy and management structure must support the hardware and software that delivers these services.
To provide a broad framework for ensuring the implementation of electronic systems in a secure manner, the Administration has taken a number of actions. In February 1996, OMB revised Appendix III of Circular A-130, which provided guidance to agencies on securing information as they increasingly rely on open and interconnected electronic networks to conduct business. In May 1998, the President issued Presidential Decision Directive 63, which set a goal of a reliable, interconnected, and secure information system infrastructure by the year 2003, and significantly increased security for government systems by the year 2000 based on reviews by each department and agency. In September, 1998, OMB and the Federal Public Key Infrastructure Steering Committee published "Access With Trust" (available at http://gits-sec.treas.gov/). This report describes the Federal government's goals and efforts to develop a Public Key Infrastructure (PKI) to enable the widespread use of cryptographically-based digital signatures. On December 17, 1999, the President issued a Memorandum, "Electronic Government," which called on Federal agencies to use information technology to ensure that governmental services and information are easily accessible to the American people (Weekly Compilation of Presidential Documents, vol. 35, pp. 2641-43, (December 27, 1999); also available at http://cio.gov/). Among other things, the President charged the Administrator of General Services, in coordination with agencies, to assist agencies in the development of private, secure and effective electronic communication across agencies and with the public through the use of public key technology. This technology can offer significant benefits in facilitating electronic commerce through a shared, interoperable, government-wide infrastructure.
What is the purpose of GPEA?
GPEA seeks to "preclude agencies or courts from systematically treating electronic documents and signatures less favorably than their paper counterparts", so that citizens can interact with the Federal government electronically (S. Rep. 105-335). It requires Federal agencies, by October 21, 2003, to provide individuals or entities that deal with agencies the option to submit information or transact with the agency electronically, and to maintain records electronically, when practicable. It also addresses the matter of private employers being able to use electronic means to store, and file with Federal agencies, information pertaining to their employees. GPEA states that electronic records and their related electronic signatures are not to be denied legal effect, validity, or enforceability merely because they are in electronic form. It also encourages Federal government use of a range of electronic signature alternatives.
This guidance implements GPEA, fosters a successful transition to electronic government as contemplated by the President's memorandum, and employs where appropriate the work described in "Access with Trust."
What were the comments on the proposed implementation?
On March 5, 1999, OMB published the "Proposed Implementation of the Government Paperwork Elimination Act" for public comment (64 FR 10896). It was also sent directly to Federal agencies for comment and made available via the Internet. In addition, OMB met with relevant committees and staff of many interested organizations including: American Bar Association (both the Business Law and the Science and Technology Sections); American Bankers Association; National Automated Clearing House Association; National Governors Association; National Association of State Information Resource Executives; National Association of State Auditors, Controllers and Treasurers; National Association of State Purchasing Officers; the Government of Canada; the Government of Australia; and relevant industry forums. All were uniformly positive about the content and tone of the guidance. OMB received specific comments from 24 organizations. Most comments proposed changes in clarity and detail. Where the comments added clarity and did not contradict the goals of the guidance, they were incorporated. The principal substantive issues raised in the comments and our responses to them are described below.
I. Comments regarding risks and benefits
A number of comments, including those from the Justice Department and the General Accounting Office, requested that the guidance contain further information on how to conduct the assessments of practicability needed to determine the proper combination of technology and management controls to manage the risk of converting transactions and record keeping to electronic form, and then conducting transactions electronically. Each assessment should contain elements of risk analysis and measurements of other costs and benefits. Most comments on assessment referred to the risk analysis portion.
Risk analyses provide decisionmakers with information needed to understand the factors that can degrade or endanger operations and outcomes and to make informed judgments about what actions need to be taken to reduce risk. Consistent with the Computer Security Act (40 U.S.C. 759 note), Appendix III of OMB Circular No. A-130, "Security of Federal Automated Information Resources," (34 FR 6428, February 20, 1996), Federal managers should design and implement their information technology systems in a manner that is commensurate with the risk and magnitude of harm from unauthorized use, disclosure, or modification of the information in those systems. To determine what constitutes adequate security, a risk-based assessment must consider all major risk factors, such as the value of the system or application, threats, vulnerabilities, and the effectiveness of current and proposed safeguards. Low-risk information processes may need only minimal consideration, while high-risk processes may need extensive analysis. OMB reiterated these principles on June 23, 1999, in OMB Memorandum No. 99-20, "Security of Federal Automated Information Resources," and reminded agencies to continually assess the risk to their computer systems and maintain adequate security commensurate with that risk, particularly as they take increasing advantage of the internet and the world wide web in providing information and services to citizens. (Available at: http://cio.gov/ and http://whitehouse.gov/omb/memoranda/m-99-20.html).
The Commerce Department's National Institute of Standards and Technology (NIST) also recognizes the importance of conducting risk analyses for securing computer-based resources. NIST provides guidance on risk analysis in (available at http://csrc.nist.gov/nistpubs):
More recently, the General Accounting Office published "Information Security Risk Assessment: Practices of Leading Organizations," GAO/AIMD-00-33 (November 1999) (Available at http://www.gao.gov/). This document is intended to help Federal managers implement an ongoing information security risk analysis process by suggesting practical procedures that have been successfully adopted by organizations known for their good risk analysis practices. This document describes various models and methods for analyzing risk, and identifies factors that are important in a risk analysis.
A quantitative risk analysis generally attempts to estimate the monetary cost of risk compared with that of risk reduction techniques based on (1) the likelihood that a damaging event will occur, (2) the costs of potential losses, and (3) the costs of mitigating actions that could be taken. Availability of data affects the extent to which risk analysis results may be quantified reliably. The GAO report recognizes, however, that reliable data on likelihood and risks often may not be available, in which case a qualitative approach can be taken by defining risk in more subjective and general terms such as high, medium, and low. In this regard, qualitative analyses depend more on the expertise, experience, and good judgment of the Federal managers conducting the analysis. It also may be possible to use a combination of quantitative and qualitative methods.
Other commenters wanted more guidance on how to weigh the risk analysis with other costs and benefits. In combination with the risk analysis, the results of a cost-benefit analysis should be used to judge the practicability of such a process transformation. All major information technology investments are evaluated under the Appendices of OMB Circular No. A-130, "Management of Federal Information Resources" and Part 3 of OMB Circular No. A-11 "Planning, Budgeting, and Acquisition of Capital Assets." Specific guidance on information technology cost-benefit analysis is available from the Capital Planning and IT Investment Committee of the Federal CIO Council in the recently published "ROI and the Value Puzzle." (Available at: http://cio.gov/). When developing collections of information under the Paperwork Reduction Act, agencies currently address the practicality of electronic submission, maintenance, and disclosure. The GPEA guidance builds on the requirements and scope of the PRA; all transactions that involve Federal information collections covered under the PRA are also covered under GPEA. In addition, agencies should follow OMB Memorandum 00-07 "Incorporating and Funding Security in Information Systems Investments", issued February 28, 2000, which provides information on building security into information technology investments (also available at: http://cio.gov/).
The Department of Justice commented on the need for each agency to consider the broad range of legal risks involved in electronic transactions. Justice's comments are especially appropriate for particularly sensitive transactions, including those likely to give rise to civil or criminal enforcement proceedings, and we expect them to be further developed in Justice's forthcoming practical guidance. The risk analysis process required by the Computer Security Act and by good practice must be tailored to the risks and related mitigation costs that pertain to each system, as understood by the Federal managers most knowledgeable with the systems. When evaluating legal risks, Federal managers should consult with their legal counsel about any specific legal implications due to the use of electronic transactions or documents in the application in question. Agencies should also keep in mind that GPEA specifically states that electronic records and their related electronic signatures are not to be denied legal effect, validity, or enforceability merely because they are in electronic form. We are not, therefore, prescribing specific "one size fits all" requirements applicable to transactions regardless of sensitivity.
In light of all the above comments, we have added greater detail to the practicability aspects of the guidance, and an expanded discussion of cost-benefit analysis and its relation to risk analysis. We have also placed additional emphasis on the need for risk analyses to identify and address the full range of risks, including reasonably expected legal and enforcement risks, and technological risks. Further, we included a reporting mechanism in Part I Section 3 to facilitate the assessment of practicability. Although many of the comments concern the costs and risks of changing to electronic transactions, it is also important to consider the full range of benefits that electronic transactions can provide. Possible benefits include: increased partner participation and customer satisfaction; reduced transaction costs and increased transaction speed; improved record keeping and new opportunities for analysis of information; and greater employee productivity and enhanced quality of their output. An agency's consideration of risks needs to be balanced with a full consideration of benefits.
II. Comments regarding technology neutrality
A number of comments concerned the emphasis on technology neutrality with regard to the various electronic signature alternatives. They suggested we endorse one electronic signature technology in order to promote interoperability and ease of use. Other commenters disagreed. They expressed concern that promoting one technology requires predicting the direction and future of information technology standards and practices, which is a notoriously difficult task. Further, there are sometimes technologies that naturally fit particular electronic transactions and are easier to implement from a security, privacy, technical, or operational perspective than others. For example, implementing a technology that is easy to use would naturally fit when encouraging citizens to participate in electronic transactions.
We do not believe it would be appropriate to endorse one technology, and we share the concerns of those commenters who argued against such an endorsement. At the same time, we recognize that cryptographically-based digital signatures (i.e., public key technology) hold great promise for ensuring both authentication and privacy in networked interactions, and may be the only technology available that can foster interoperability across numerous applications. There are, however, applications where personal identification numbers (PINs) and other shared secret techniques may well be appropriate. These are generally relatively low risk applications where interoperability is of lesser importance. A number of agencies have successfully used PINs in groundbreaking applications, particularly the Securities and Exchange Commission for regulatory filings and the Internal Revenue Service for tax filings. They have recognized the benefits of using PINs, but at the same time they are planning for an eventual transfer to digital signatures.
Accordingly, the final guidance maintains the basic policy of technology neutrality for automated transactions while recognizing that agencies should select an alternative relative to the risk of the application, and calls on agencies to consider all of the available electronic signature technologies (including the advantages of public key technology) as part of their assessments.
III. Comments regarding records management
Several comments suggested that the guidance should give further emphasis to the role of the National Archives and Records Administration in working with the agencies to address the maintenance, preservation, and disposal of Federal records that are associated with electronic government transactions. We agree. The final guidance explicitly addresses NARA's role in the area of electronic records management, particularly as it relates to the use of electronic signature technologies.
IV. Comments regarding privacy protection
Some commenters were concerned with the privacy implications of the guidance. They want to ensure that any move to electronic transactions does not encourage the gathering of unnecessary information, and that Federal agencies adequately protect the personal information that does need to be collected. We agree that agencies must incorporate privacy protections when developing electronic processes. Several helpful suggestions were made that have been incorporated into the final guidance. With respect to a commenter's concern that agencies not collect unnecessary information, the Privacy Act requires an agency to "maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency." 5 U.S.C. 552a(e)(1); see e.g. Reuber v. United States, 829 F. 2d 133, 138-40 (D.C.C. 1987). Furthermore, the collection by agencies of unnecessary information would be contrary to the Paperwork Reduction Act's mandate that agencies collect only information that is "necessary for the proper performance of the functions of the agency" and "has practical utility." 44 U.S.C. 3508.
V. State, local and non-governmental concerns
A number of comments were received from non-Federal entities. These comments were primarily concerned with the broader implications of the Act itself rather than the draft guidance. Specifically, some governmental entities expressed concern that Federal adoption of routine electronic transactions would require state and local governments to provide equivalent access for citizens. Some commenters were also concerned that they would be required to make all future transactions with the Federal government in an electronic format. Consultations with the state government groups identified above, during and subsequent to the comment period, seem to have alleviated these concerns significantly, particularly as we explained that GPEA contemplates optional rather than mandatory electronic transactions with the Federal government. Agencies are required to provide the option to their transaction partners. Transaction partners are not required to use the electronic option.
What Are the Future Plans for this Guidance?
We intend to place this guidance into an appendix of OMB Circular A-130 as it is updated. OMB's final procedures and guidance on implementing the Government Paperwork Elimination Act are set forth below.
John T. Spotila
Administrator
Office of Information and Regulatory Affairs
April 25, 2000
M-00-10
MEMORANDUM FOR THE HEADS OF DEPARTMENTS AND AGENCIES
FROM: Jacob J. Lew, Director
SUBJECT: OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act
This document provides Executive agencies with the guidance required under Sections 1703 and 1705 of the Government Paperwork Elimination Act (GPEA), P. L. 105-277, Title XVII. GPEA requires agencies, by October 21, 2003, to provide for the (1) option of electronic maintenance, submission, or disclosure of information, when practicable as a substitute for paper; and (2) use and acceptance of electronic signatures, when practicable. GPEA specifically states that electronic records and their related electronic signatures are not to be denied legal effect, validity, or enforceability merely because they are in electronic form.
GPEA is an important tool in fulfilling the vision of improved customer service and governmental efficiency through the use of information technology. This vision contemplates widespread use of the Internet and its World Wide Web, with Federal agencies transacting business electronically as commercial enterprises are doing. Members of the public who wish to do business this way may avoid traveling to government offices, waiting in line, or mailing paper forms. The Federal government can also save time and money transacting business electronically.
This guidance also implements part of the President's memorandum of December 17, 1999, "Electronic Government," which calls on Federal agencies to use information technology in ensuring that governmental services and information are easily accessible to the American people. Among other things, the President charged the Administrator of General Services, in coordination with appropriate agencies and organizations, to assist agencies in developing private, secure, and effective communication across agencies and with the public through the use of digital signature technology.
Creating more accessible and efficient government requires public confidence in the security of the government's electronic information communication and information technology systems. Electronic commerce, electronic mail, and electronic benefits transfer can involve the exchange of sensitive information within government, between government and private industry or individuals, and among governments. Electronic systems must be able to protect the confidentiality of citizens' information, authenticate the identity of the transacting parties to the degree required by the transaction, guarantee that the information is not altered in an unauthorized way, and provide access when needed.
To reach these goals, agencies must meet objectives outlined by GPEA guidance. First, each agency must build on their existing efforts to implement electronic government by developing a plan and schedule that implement, by the end of Fiscal Year 2003, optional electronic maintenance, submission, or transactions of information, when practicable as a substitute for paper, including through the use of electronic signatures when practicable. Agencies must submit a copy of the plan to OMB by October 2000 and coordinate the plan and schedule with their strategic IT planning activities that support program responsibilities consistent with the budget process (as required by OMB Circular A-11).
Attachment
Implementation of the Government Paperwork Elimination Act contains:
PART I. What policies and procedures should agencies follow?
Section 1. What GPEA policies should agencies follow?
Section 2. What GPEA procedures should agencies follow?
Section 3. How should agencies implement these policies and procedures?
Part II. How can agencies improve service delivery and reduce burden through the use of electronic signatures and electronic transactions?
Section 1. Introduction and background.
Section 2. What is an "electronic signature?"
Section 3. How should agencies assess the risks, costs, and benefits?
Section 4. What benefits should agencies consider in planning and implementing electronic signatures and electronic transactions?
Section 5. What risk factors should agencies consider in planning and implementing electronic signatures or electronic transactions?
Section 6. What privacy and disclosure issues affect electronic signatures and electronic transactions?
Section 7. What are current electronic signature technologies?
Section 8. How should agencies implement electronic signatures and electronic transactions?
Section 9. Summary of the procedures and checklist.
PART I. What policies and procedures should agencies follow?
Section 1. What GPEA policies should agencies follow?
The Government Paperwork Elimination Act (GPEA) requires Federal agencies, by October 21, 2003, to provide individuals or entities the option to submit information or transact with the agency electronically and to maintain records electronically when practicable. GPEA specifically states that electronic records and their related electronic signatures are not to be denied legal effect, validity, or enforceability merely because they are in electronic form. It also encourages Federal government use of a range of electronic signature alternatives.
Sections 1703 and 1705 of GPEA charge the Office of Management and Budget (OMB) with developing procedures for Executive agencies to follow in using and accepting electronic documents and signatures, including records required to be maintained under Federal programs and information that employers are required to store and file with Federal agencies about their employees. These procedures reflect and are to be executed with due consideration of the following policies:
Section 2. What GPEA procedures should agencies follow?
Section 3. How should agencies implement these policies and procedures?
(2) For each agency information system identified in the plan required in #1 above, consider relative costs, risks, and benefits given the level of sensitivity of the process(es) that the system supports. Agency considerations of cost, risk, and benefit, as well as any measures taken to minimize risks, should be commensurate with the level of sensitivity of the transaction. Low-risk information processes may need only minimal consideration, while high-risk processes may need extensive analysis.
(3) Based on the considerations in #2 each agency in its plan must include:
(b) A brief description of the information processes being automated. In addition, the description must:
1. Indicate whether further risk management measures are appropriate.
2. Where such measures are appropriate, indicate when and how a combination of information security practices, authentication technologies, management controls, or other business processes for each application will be practicable. In addition, if a particular application is not practicable for conversion to electronic interaction as part of the plan, agencies should explain the reasons and report any strategy to make such conversion practicable.
(c) The date of automation for the information process(es). If the implementation is judged to be not practicable by October 2003, that conclusion may be noted instead of the date. The dates should reflect the prioritization based on achievability and net benefit as discussed in #1 above.
(4) Consistent with the plan take measures (including, if necessary, amending regulations or policies to remove impediments to electronic transactions) to: (a) implement optional electronic submission, maintenance, or disclosure of information and the use of any necessary electronic signature alternatives; and (b) permit private employers who have record keeping responsibilities imposed by the Federal government to store and file information pertaining to their employees electronically.
(5) Ensure that measures taken under the plan reflect appropriate information system confidentiality and security in accordance with the Privacy Act, the Computer Security Act, as amended, and the guidance contained in OMB Circular A-130, Appendices I and III; and ensure that these measures use, to the maximum extent practicable, technologies that are either prescribed in Federal Information Processing Standards promulgated by the Secretary of Commerce or are supported by voluntary consensus standards as defined in OMB Circular A-119, "Federal Participation in the Development and Use of Voluntary Consensus Standards and Conformity Assessment Activities," (63 FR 8546; February 19, 1998).
(6) Report progress annually against the plan (including any appropriate revisions to the schedule) above along with annual performance reporting required under OMB Circular A-11.
(7) Consider the record keeping functionality of any systems that store electronic documents and electronic signatures, to ensure users have appropriate access to the information and can meet the agency's record keeping needs.
(8) In developing collections of information under the Paperwork Reduction Act, address whether optional electronic submission, maintenance, or disclosure of information (including the electronic storage and filing by employers of information about their employees) would be practicable as a means of decreasing the burden and/or increasing the practical utility of the collection.
The Department of Commerce must promulgate, in consultation with the agencies and OMB, Federal Information Processing Standards as appropriate to further the specific goals of GPEA. The Department should also develop guidance in the area of authentication technologies and implementations, including cryptographic digital signature technology, with assistance from the Chief Information Officers Council and the Public Key Infrastructure Steering Committee.
The Department of the Treasury must develop, in consultation with the agencies and OMB, policies and practices for the use of electronic transactions and authentication techniques for use in Federal payments and collections and ensure that they fulfill the goals of GPEA.
The Department of Justice must develop, in consultation with the agencies and OMB, practical guidance on legal considerations related to agency use of electronic filing and record keeping.
The National Archives and Records Administration must develop, in consultation with the agencies and OMB, policies and guidance on the management, preservation, and disposal of Federal records associated with electronic government transactions, and must give particular consideration to records issues associated with the use of electronic signature technologies.
The General Services Administration must support agencies' implementation of digital signature technology and related electronic service delivery.
OMB must provide continuing guidance and oversight for the implementation of GPEA, including through its review of collections of information under the Paperwork Reduction Act.
Part II. How can agencies improve service delivery and reduce burden through the use of electronic signatures and electronic transactions?
This part provides Federal managers with basic information to assist in planning for an orderly and efficient transition to electronic government. Agencies should begin their planning promptly to ensure compliance with the timetable in GPEA.
Section 1. Introduction and background.
The guidance builds on the requirements and scope of the Paperwork Reduction Act of 1995 (PRA). According to the PRA agencies must, "consistent with the Computer Security Act of 1987 (CSA) (40 U.S.C. 759 note), identify and afford security protections commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information collected or maintained by or on behalf of an agency." 44 U.S.C. 3506(g)(3). In addition, we note that all transactions that involve Federal information collections covered under the PRA are also covered under GPEA.
(1) so-called "shared secrets" methods (e.g., personal identification numbers or passwords),
(2) digitized signatures or biometric means of identification, such as fingerprints, retinal patterns, and voice recognition, and
(3) cryptographic digital signatures (discussed in more detail in Section 7).
Combinations of approaches (e.g., digital signatures with biometrics) are also possible and may provide even higher levels of assurance than single approaches by themselves. Deciding which to use in an application depends first upon finding a balance between the risks associated with the loss, misuse, or compromise of the information, and the benefits, costs, and effort associated with deploying and managing the increasingly secure methods to mitigate those risks. Agencies must strike a balance, recognizing that achieving absolute security is likely to be highly improbable in most cases and prohibitively expensive if possible.
Section 2. What is an "electronic signature?"
" . . . a method of signing an electronic message that --
(A) identifies and authenticates a particular person as the source of the electronic message; and
(B) indicates such person's approval of the information contained in the electronic message." (GPEA, section 1709(1)).
This definition is consistent with other accepted legal definitions of signature. The term "signature" has long been understood as including "any symbol executed or adopted by a party with present intention to authenticate a writing." (Uniform Commercial Code, 1-201(39)(1970)). The "Uniform Electronic Transactions Act," recently adopted by the National Conference of Commissioners of Uniform State Laws, and which is being enacted by the States, contains a similar definition (see http://www.nccusl.org). These flexible definitions permit the use of different electronic signature technologies, such as digital signatures, personal identifying numbers, and biometrics (section 7 provides more detail on electronic signature technologies). While it is the case that, for historical reasons, the Federal Rules of Evidence are tailored to support the admissibility of paper-based evidence, the Federal Rules of Evidence have no actual bias against electronic evidence.
Section 3. How should agencies assess the risks, costs, and benefits?
To evaluate the suitability of electronic signature alternatives for a particular application, the agency needs to perform an assessment. The assessment should include a risk analysis, in cases where the sensitivity of the transaction is sufficiently great, and a cost-benefit analysis. The assessment identifies the particular technologies and management controls best suited to minimizing the risk and cost to acceptable levels, while maximizing the benefits to the parties involved. Often parts of the assessment can be quantified, but some factors - particularly the risk analysis - usually can only be estimated qualitatively.
Availability of data affects the extent to which risk can be reliably quantified. A quantitative approach to risk analysis generally attempts to estimate the monetary cost of risk compared to the cost of risk reduction techniques based on:
(ii) the costs of potential losses, and
(iii) the costs of mitigating actions that could be taken.
Reliable data on likelihood and costs may not be available. In this case a qualitative approach can be taken by defining risk in more subjective and general terms such as high, medium, and low. In this regard, qualitative analyses depend more on the expertise, experience, and good judgment of the Federal managers conducting them than on quantified factors.
The same can be true with other costs and benefits. Some factors, such as the value of deterring fraud, are difficult to quantify. If a new automated system is less secure than an old, paper-based system, attempts to commit fraud or to repudiate transactions may increase. It usually is not possible to quantify in monetary terms attitudes such as increased customer satisfaction and willingness to cooperate with an agency, which may result from electronic processes designed to be user-friendly. However, many costs (design, development, and implementation) and benefits (reduced transaction costs, saved time etc.) can be quantified, as is the case for other IT projects. Clearly, then, the assessment should use a combination of quantitative and qualitative methods to judge the practicability of any electronic transaction method and should include a comprehensive risk analysis when warranted by the sensitivity of the data and/or the transaction.
Those alternatives that minimize risk to an acceptable level should be assessed in terms of net benefit to the agency and the customer in order to determine the electronic signature most appropriate for the transaction. If the net benefits are negative, the agency may determine that using an electronic process is not practicable at this time. In any event, all risk analyses are exercises in managerial judgment.
(1) Offering more than one way to communicate electronically may enable more people to conduct electronic transactions. If different partners have different skills and differing security concerns, providing a combination of mechanisms will meet the needs of a greater number of possible partners. While admittedly adding cost, offering multiple alternatives can add greater benefit, as well. Under GPEA, the agency must consider this option whenever it expects to receive over 50,000 electronic submittals (per year) of a particular form.
(2) Electronic transactions can impose costs on the transaction partners. Many electronic signature techniques require specialized computer hardware and technical knowledge. The higher these threshold costs are, the higher the participation costs are for users. Higher costs will tend to narrow the range of potential users, which in turn limits the benefits of electronic communications.
(3) Agencies should assess the costs of developing and maintaining electronic transactions. Information technology costs continue to fall and electronic signature techniques continue to evolve. As a result, the agency should periodically redo its risk and cost-benefit analyses on those programs where electronic transactions were initially deemed impracticable to determine whether costs and/or technologies have changed enough so that electronic transactions have become practicable.
(4) If the cost-benefit analysis of a proposed solution indicates that the electronic solution is not cost effective, the agency should seek to identify opportunities to reengineer the underlying process being automated. Occasionally, practices and rules under the control of an agency are based on factors or circumstances that may no longer apply. In these cases new practices and rules should be proposed if the changes do not undermine the objective or impair security, and if the changes lead to a more efficient process.
Section 4. What benefits should agencies consider in planning and implementing electronic signatures and electronic transactions?
Benefits from moving to electronic transactions and electronic signatures include reduction in transaction costs for the agency and the transaction partner. Transactions are quicker and it is often easier to access information related to the transaction because it is in electronic form. The electronic form often allows more effective data analysis because the information is easier to access. Better data analysis often improves the operation of the newly electronic transaction. In addition, if many transactions are electronic and data analysis can be done across transactions, the benefits can spill over into the rest of the agency as operational awareness of the entire organization is improved. Moreover, business process reengineering should accompany all attempts to facilitate a transaction through information technology. Often the full benefits will be realized only by restructuring the process to take advantage of the technology. Merely moving an existing paper-based process to an electronic one is unlikely to reap the maximum benefits from the electronic system.
In order to account for all the benefits associated with electronic transactions, agencies should keep common information technology benefits in mind and look at the benefits realized by other agencies.
(1) Increased speed of the transaction. The partner and the agency may spend less time completing the transaction. The quicker speed combined with putting the transaction online allows real-time help to the transaction partner, providing a benefit not found in a paper-based transaction.
(2) Increased partner participation and customer satisfaction. Often a decrease in partner transaction costs leads to more partners completing the transaction. In addition, partners tend to have a more positive view of the process given its speed and ease of use.
(3) Improved record keeping efficiency and data analysis opportunities. If data are easier to access and store then they can enhance program evaluation and expand awareness of the effects of the government program in question.
(4) Increased employee productivity and improved quality of the final product. Electronic transactions tend to have fewer errors because often the system minimizes retyping and automatically detects certain errors. These benefits allow the employees to concentrate more time on other matters.
(5) Greater information benefits to the public. Moving to electronic transactions and electronic signatures often can make the related information more accessible to the public and Freedom of Information Act requests.
(6) Improved security. Designed, implemented, and managed properly, electronic transactions can have fewer opportunities for fraud and more robust security measures than paper and envelope transactions.
(7) Extensive security for highly sensitive information. Even though implementing a more secure electronic signature option often is more expensive initially than implementing less secure alternatives, there could be larger expected benefits if the information being protected is particularly sensitive.
(1) The Internal Revenue Service uses electronic identification to strengthen validation by incorporating electronic links between the user and preexisting data about that user in the agency's records in its TeleFile program. It enables selected taxpayers to file 1040EZs with a touch-tone phone. Taxpayers get Customer Service Numbers (CSNs, i.e., PINs) that they then use to sign their returns and which help to validate their identities to the agency. Even though a CSN is not unique to an individual taxpayer (since it is only five digits long), the IRS authenticates the filer by using other identifying factors, such as the taxpayer's date of birth, taxpayer identification number, and by using additional procedures. This approach is not used over the Internet. Instead, it occurs in short-term connections over telephone lines, an environment where it is comparatively difficult for persons to eavesdrop and steal information or substitute false information.
(2) Taxpayers who transmit their tax returns electronically give high marks to the Internal Revenue Service's electronic filing programs. The American Customer Satisfaction Index (ACSI) shows customer satisfaction scores for IRS e-file exceed those for both the government and retail sectors and rival those of the financial services sector. For electronic tax return filers, the overall ACSI customer satisfaction index is 74. This surpasses the rating among paper return filers and compares with a government-wide satisfaction rating of 68.6. In addition, 78% of customers with electronic filing experiences say they are more satisfied now than two years ago. Other benefits of the electronic filing program include:
(b) Its accuracy rate of over 99% reduces the chance of getting an error notice from the IRS.
(c) It provides an IRS acknowledgment within 48 hours that the return has been received.
(3) The General Services Administration, Federal Technology Service conducted the FTS2001 Procurement in a totally paperless environment. Beginning with the Request for Proposals (RFP) release, which was digitally signed and posted on the internet along with a utility for verifying the signature, through the issuance of the contracts to the winning bidders in an electronic signing ceremony, no paper changed hands at any time during the process. Bids from the offerors were delivered on a single CD, in contrast with the previous FTS2000 solicitation that required several pallets of documentation for each submission. It is estimated that the paper equivalent of this bid would have resulted in a stack of paper approximately 5 stories high. This electronic process resulted in efficiencies and savings to the government of approximately $1,500,000 in time previously required to process paperwork. The paperless process was enabled by issuing each potential bidder a cryptographically-based digital signature certificate housed on a hardware token.
(4) EDGAR, the Electronic Data Gathering, Analysis, and Retrieval system, performs automated collection, validation, indexing, acceptance, and forwarding of submissions by companies and others who are required by law to file forms with the U.S. Securities and Exchange Commission (SEC). Its primary purpose is to increase the efficiency and fairness of the securities market for the benefit of investors, corporations, and the economy by accelerating the receipt, acceptance, dissemination, and analysis of time-sensitive corporate information filed with the agency. Other benefits include:
(b) Free SEC web site experiences over half a million hits daily, many from individuals trying to improve the quality of their investment decisions by examining disclosure documents. Prior to EDGAR, individuals simply could not afford the typical, minimum cost of $25 per document.
(c) Full search capability allows improved ability to identify incidents of new or unusual conditions in the reports that are filed and allow rapid access to the information.
(5) The U.S. Customs Service automated much of the information transactions with its import-export partners. It has allowed improved accuracy, efficiency, speed, and the ability to analyze the electronically filed data which has led to enforcement improvements. The Automated Commercial System (ACS) is the system used to track, control, and process all commercial goods imported into the United States. ACS facilitates merchandise processing, significantly cuts costs, and reduces paperwork requirements for both Customs and the trade community.
Section 5. What risk factors should agencies consider in planning and implementing electronic signatures or electronic transactions?
Properly implemented electronic signature technologies can offer degrees of confidence in authenticating identity that are greater than a handwritten signature can offer. These digital tools should be used to control risks in a cost-effective manner. In determining whether an electronic signature is sufficiently reliable for a particular purpose, agency risk analyses need at a minimum to consider the relationships between the parties, the value of the transaction, the risk of intrusion, and the likely need for accessible, persuasive information regarding the transaction at some later date. In addition, agencies should consider any other risks relevant to the particular process. Once these factors are considered separately, an agency should consider them together to evaluate the sensitivity to risk of a particular process, relative to the benefit that the process can bring.
Section 6. What privacy and disclosure issues affect electronic signatures and electronic transactions?
Section 1708 of GPEA limits the use of information collected in electronic signature services to communications with a Federal agency. It directs agencies and their staff and contractors not to use such information for any purpose other than for facilitating the communication. Exceptions exist if the person (or entity) that is the subject of the information provides affirmative consent to the additional use of the information, or if such additional use is otherwise provided by law. Accordingly, agencies should follow several privacy principles:
Section 7. What are current electronic signature technologies?
Questions regarding the following should be directed to the Department of Commerce. This section addresses two categories of security: 1) Non-cryptographic methods of authenticating identity; and 2) cryptographic control methods. The non-cryptographic approach relies solely on an identification and authentication mechanism that must be linked to a specific software platform for each application. Cryptographic controls may be used for multiple applications, if properly managed, and may encompass both authentication and encryption services. A highly secure implementation may combine both categories of technologies. The spectrum of electronic signature technologies currently available is described below.
(1) To be effective, each of these methods requires agencies to develop a series of policy documents that provide the important underlying framework of trust for electronic transactions and which facilitate the evaluation of risk. The framework identifies how well the user's identity is bound to his authenticator (e.g., his password, fingerprint, or private key). By considering the strength of this binding, the strength of the mechanism itself, and the sensitivity of the transaction, an agency can determine if the level of risk is acceptable. If an agency has experience with the technology, existing policies and documents may be available for use as guidance. Where the technology is new to an agency, this may require additional effort.
(2) While digital signatures (i.e. public key/private key) are generally the most certain method for assuring identity electronically, the policy documents must be established carefully to achieve the desired strength of binding. The framework must identify how well the signer's identity is bound to his or her public key in a digital certificate (identity proofing). The strength of this binding depends on the assumption that only the owner has sole possession of the unique private key used to make signatures that are validated with the public key. The strength of this binding also reflects whether the private key is placed on a highly secure hardware token, such as a smart card, or is encapsulated in software only; and how difficult it is for a malefactor to deduce the private key using cryptographic methods (which depends upon the key length and the cryptographic strength of the key-generating algorithm).
A Public Key Infrastructure (PKI) is one mechanism to support the binding of public keys with the user's identity. A PKI can provide the entire policy and technical framework for the systematic and diligent issuance, management and revocation of digital certificates, so that users who wish to rely on someone's certificate have a firm basis to check that the certificate has not been maliciously altered, and to confirm that it remains active (i.e., has not been revoked because of loss or compromise of the corresponding private key). This same infrastructure provides the basis for interoperability among different agencies or entities, so that a person's digital certificate can be accepted for transactions by organizations external to the one that issued it.
(3) By themselves, digitized (not digital) signatures, PINs, biometric identifiers, and other shared secrets do not directly bind identity to the contents of a document as do digital signatures which actually use the document information to make the signature. For shared secrets to bind the user's identity to the document, they must be used in conjunction with some other mechanism. Biometric identifiers such as retinal patterns used in conjunction with digital signatures can offer far greater proof of identity than pen and ink signatures.
(4) While not as robust as biometric identifiers and digital signatures, PINs have the decided advantage of proven customer and citizen acceptance, as evidenced by the universal use of PINs for automated teller machine transactions. PINs combined with encrypted Internet sessions, particularly through the use of Secure Sockets Layer technology on the World Wide Web, are very popular for retail consumer transactions requiring credit card or other personal authenticating information. This may well be suited for a variety of government applications. Also, secure Web browsers are increasingly being designed to accommodate digital signatures, making this approach a possible interim step towards implementing the more robust authentication provided by digital signatures.
(5) It is important to remember that technical factors are but one aspect to be considered when an agency plans to implement electronic signature-based applications. Other important aspects are considered in the following sections.
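Item (3) above observes that a shared secret alone does not bind identity to a document's contents unless it is combined with another mechanism. The following added example (not part of the OMB guidance) contrasts a PIN-only record with one in which a PIN-derived key authenticates the document through an HMAC; HMAC is one possible such mechanism, chosen here as an assumption, and all function names and sample values are constructed.

```python
import hashlib
import hmac

# Constructed sample values, for illustration only.
SALT = b"constructed-per-user-salt"
PIN_ON_FILE = "48213"
ORIGINAL = b"Form X: amount due = 100.00"
ALTERED = b"Form X: amount due = 1.00"


def derive(pin: str, label: bytes) -> bytes:
    """Stretch the PIN with PBKDF2; the label separates the two schemes."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT + label, 100_000)


def pin_only_sign(user_id: str, pin: str, document: bytes) -> dict:
    # The authenticator depends on the PIN alone; the document plays no part.
    return {"user": user_id, "document": document,
            "auth": derive(pin, b"verifier").hex()}


def pin_only_verify(record: dict, pin_on_file: str) -> bool:
    expected = derive(pin_on_file, b"verifier").hex()
    return hmac.compare_digest(record["auth"], expected)


def _message(user_id: str, document: bytes) -> bytes:
    # Length-prefix the user id so (user, document) pairs encode unambiguously.
    uid = user_id.encode()
    return len(uid).to_bytes(2, "big") + uid + hashlib.sha256(document).digest()


def bound_sign(user_id: str, pin: str, document: bytes) -> dict:
    # The tag covers both the identity and a hash of the document contents.
    key = derive(pin, b"mac-key")
    tag = hmac.new(key, _message(user_id, document), hashlib.sha256).hexdigest()
    return {"user": user_id, "document": document, "auth": tag}


def bound_verify(record: dict, pin_on_file: str) -> bool:
    key = derive(pin_on_file, b"mac-key")
    msg = _message(record["user"], record["document"])
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(record["auth"], expected)


def tamper(record: dict, new_document: bytes) -> dict:
    """Return a copy of the stored record with the document swapped."""
    altered = dict(record)
    altered["document"] = new_document
    return altered


def demo() -> dict:
    weak = pin_only_sign("filer-001", PIN_ON_FILE, ORIGINAL)
    strong = bound_sign("filer-001", PIN_ON_FILE, ORIGINAL)
    return {
        "pin_only_original": pin_only_verify(weak, PIN_ON_FILE),
        "pin_only_altered": pin_only_verify(tamper(weak, ALTERED), PIN_ON_FILE),
        "bound_original": bound_verify(strong, PIN_ON_FILE),
        "bound_altered": bound_verify(tamper(strong, ALTERED), PIN_ON_FILE),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Because the HMAC key is shared, the verifying party could compute the same tag, so this binds contents to the secret but does not give the signer-only property of a public-key digital signature. A short PIN also remains guessable offline by anyone who obtains a record and its salt.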
Section 8. How should agencies implement electronic signatures and electronic transactions?
After the agency has conducted the assessment and identified an appropriate electronic signature technology alternative that may be used to secure an automated business process, the agency will proceed to implement this decision. For any electronic transaction, agencies should collect and record adequate information regarding the content, process, and identities of the parties involved. In doing so, agencies should consider the following:
As a matter of efficiency, arrangements with large numbers of customers may be best accomplished by setting forth an agency's terms and conditions in a policy or regulation. Arrangements with smaller numbers of customers may lend themselves to one or more agreements, using a document referred to as a "terms and conditions" agreement. These agreements can ensure that all conditions of submission and receipt of data electronically are known and understood by the submitting parties. This is particularly the case where terms and conditions are not spelled out in agency programmatic regulations.
Agencies should develop well-documented mechanisms and procedures to tie transactions to an individual in a legally binding way. For example, the integrity of even the most secure digital signature rests on the continuing confidentiality of the private key, so instituting procedures for ensuring the confidentiality of the private key would be in an agency's interest. Similarly, in the case of electronic signatures based on the use of shared secrets like PINs or passwords, the integrity of the transaction depends on the user not disclosing the shared secret, so an agency should have procedures for encouraging the maintenance of the PIN's integrity. If a defendant is later charged with a crime based on an electronically signed document, he or she would have every incentive to show a lack of control over (or loss of) the private key or PIN, or in the case of a PIN, that the government failed to protect the PIN on its computer system. Indeed, if that defendant plans to commit fraud, he or she may intentionally compromise the secrecy of the key or PIN, so that the government would later have a more difficult time uniquely linking him or her to the electronic transaction. Promulgating policies and procedures that ensure the integrity of security tools helps counter such fraudulent attempts.
Thus, transactions which appear to be at high risk for fraud, e.g., one-time high-value transactions with persons not previously known to an agency, may require extra safeguards or may not be appropriate for electronic transactions. One way to mitigate this risk might be to require that private keys be generated and kept on hardware tokens, making possession of the token a critical requirement. Another way to guard against fraud is to include other identifying data in the transaction that links the key or PIN to the individual, preferably something not readily available to others.
It is also important to establish that the user of the digital signature or PIN/password is fully aware of obligations he or she is agreeing to by signing at the time of signature. This can be ensured by programming appropriate ceremonial banners into the software application that alert the individual of the gravity of the action she is about to undertake. The presence of such banners can later be used to demonstrate to a court that the user was fully informed of and aware of what he or she was signing.
Section 9. Summary of the procedures and checklist.
To summarize the process and restate the principles that agencies should employ to evaluate authentication mechanisms (electronic signatures) for electronic transactions and documents, the following steps apply: