5 January 2001. Thanks to SM.
[Federal Register: January 3, 2001 (Volume 66, Number 2)]
[Notices]
[Page 394-397]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr03ja01-80]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Fiscal Service

Electronic Authentication Policy

AGENCY: Financial Management Service, Fiscal Service, Treasury.

ACTION: Notice of publication of policies and practices for the use of electronic transactions and authentication techniques in Federal payments and collections.

-----------------------------------------------------------------------

SUMMARY: The Office of Management and Budget (OMB), as part of its procedures to implement the Government Paperwork Elimination Act (GPEA), directed the Department of the Treasury (Treasury) to develop, in consultation with Federal agencies and OMB, policies and practices for the use of electronic transactions and authentication techniques in Federal financial transactions, including payments and collections. In accord with this directive, Treasury is publishing this Electronic Authentication Policy.

FOR FURTHER INFORMATION CONTACT: Gary Grippo, Director, Electronic Commerce, Financial Management Service, Department of the Treasury, 401 14th Street, S.W., Washington, DC 20227, (202) 874-6816, gary.grippo@fms.treas.gov.

SUPPLEMENTARY INFORMATION: The Government Paperwork Elimination Act (GPEA), Public Law 105-227, Title XVII, was signed into law on October 21, 1998. GPEA requires Federal agencies to allow individuals and entities, when practicable, the option of submitting information to or transacting business with the agency by electronic means. On May 2, 2000, the Office of Management and Budget (OMB) issued procedures and guidelines for the implementation of the Act. 65 FR 25508.
That guidance directed the Department of the Treasury (Treasury) to develop policies and practices to be followed by agencies when making Federal payments and collections electronically, as well as other financial transactions. In particular, Treasury was directed to address the authentication of the identity of parties to such transactions, in furtherance of the goals of GPEA in these policies and practices.

Pursuant to this directive, on March 15, 2000, Treasury forwarded to OMB for circulation among Government agencies a draft policy document outlining the principles and guidelines for the use of electronic authentication techniques for Federal payment, collection and collateral transactions. In response to comments received from Government agencies on the draft policy document, Treasury has revised the guidance accordingly. The final policy document is reproduced below. The most current version of the policy may be found on the Financial Management Service website at: http://www.fms.treas.gov/eauth/index.html.

Given the rapidly changing nature of electronic commerce, electronic authentication techniques and the related technology infrastructure, Treasury views this policy guidance as a dynamic document which may be revised as necessary, and will accept comments at any time. Changes to this policy will be published as Notices in the Federal Register, as necessary, and posted to the FMS website.

Electronic Authentication Policy

Payment, Collection, and Collateral Transactions

Background Discussion

Purpose: This policy sets forth principles on the use of electronic authentication techniques, including digital signatures, for Federal payment, collection, and collateral transactions conducted over open networks such as the Internet. Federal payment and collection transactions include all transactions intended to effect a credit or a debit to an account, including transactions executed by Non-Treasury Disbursing Offices.
Federal collateral transactions include all electronic messages or instructions to pledge, deposit, release, or claim collateral used to secure public funds. These payment, collection, and collateral transactions may be between the Federal Government and non-Federal entities, as well as transactions between Federal entities.

Scope: This policy applies to applications that use open networks, including the Internet, since access to these networks is unrestricted and Federal users and trading partners must be authenticated accordingly. This policy is not intended to apply to transactions over closed networks, i.e., legacy financial networks where the networking infrastructure and access to it is owned or controlled by the Government, the Federal Reserve, or private financial institutions.

Focus is also placed on the use of public key cryptographic techniques, which can provide for robust electronic authentication, and on the manner in which Federal agencies must go about obtaining public key digital certificates for payment, collection, and collateral transactions. (It should be noted that in establishing such guidance, our intent is not necessarily to dictate that a particular certification authority provider be used, but rather to try to follow a general principle that offers agencies some choice, particularly where commercial certification authorities must be relied upon). In addition to public key cryptography, the policy covers other forms of remote electronic authentication and electronic signatures, including but not limited to knowledge-based authentication (Personal Identification Numbers (PINs) and passwords) and biometrics.

Goals of Authentication.
The goals of authentication are to protect the integrity of Federal payment, collection, and collateral transactions by (1) ensuring that transactions are conducted only by authorized individuals, (2) pinpointing accountability and liability for transactions, (3) providing assurances to the public about the identity of Federal servers and systems on open networks, and (4) receiving assurances about the identity of commercial servers and systems on open networks. The different electronic authentication techniques achieve these goals with varying degrees of robustness.

In addition, the use of the Internet with appropriate electronic authentication techniques offers new opportunities to expand the use of the payments system. For example, digital signatures may allow finance officers to authorize Automated Clearing House (ACH) and wire transfer payments on-line, permitting the end users access to otherwise closed bank payment networks. These techniques will also permit electronic payments to be made peer-to-peer for the first time, using mechanisms such as electronic checks and electronic cash.

Techniques. Electronic authentication techniques include, but are not limited to, the following:

Knowledge based authentication, or shared secrets, such as PINs and passwords;
Biometrics, such as fingerprint, voice, and eye characteristics;
Secure tokens, such as smart cards;
Cryptography, including digital signatures, challenge-response protocols (e.g., the ``handshake'' protocol in Secure Sockets Layer), and message authentication codes;
Digitized signatures, including digital images of handwritten signatures and signature dynamics (i.e., measurements of the direction, pressure, speed, and other attributes of a handwritten signature).

These electronic authentication techniques provide varying levels of security and non-repudiation.
In practice, however, a robust authentication system will make use of multiple techniques in combination, such as the use of a PIN to unlock and apply a digital signature private key held on a smart card.

While the scope of this policy is limited to payment, collection, and collateral transactions, these techniques may be applied to other types of financial transactions conducted over open networks, such as secure remote access to financial systems, and transmission of accounting data.

Finally, it is important to note that the policy sets forth a model for determining the robustness of electronic authentication for particular types of transactions, but does not generally dictate that a specific technique or system be used. (The lone exception to this approach is a requirement for public key digital signatures for transactions determined to be in the high risk category.) In this sense, the document is limited to policy guidance, and does not address specific constructs for implementing electronic authentication techniques or supporting their interoperability, such as the potential use of the Federal Bridge Certification Authority in support of interoperating public key infrastructures, or the use of the BioAPI specification for biometric implementations. We recognize, however, that as authentication mechanisms and the ways in which they interoperate mature, it may be appropriate to incorporate additional guidance into the policy. The policy will be updated as necessary as such matters develop.

Electronic Authentication Techniques for Federal Payment, Collection, and Collateral Transactions

Section 1. Title

Use of Electronic Authentication Techniques for Federal Payment, Collection, and Collateral Transactions

Section 2. Scope

This policy applies to all Federal payment, collection, and collateral transactions, as defined herein, conducted over open networks such as the Internet, including those transactions executed by statutory Non-Treasury Disbursing Offices (NTDO) and delegated NTDOs.

Section 3. Definitions

(a) Banking industry standards means standards promulgated by the X9 Accredited Standards Committee for Financial Services.

(b) Certificate means a secure digital document that binds a public cryptographic key to a person (or organization) in order to provide a measure of proof that the person is who he or she claims to be in a transaction.

(c) Certification authority means an entity trusted to issue digital certificates.

(d) Collateral transaction means any message, instruction, request, or authorization that is intended to pledge, deposit, move, release, claim, or otherwise manage collateral used to secure public funds.

(e) Collection means a transaction entry, object, or instruction, or a transaction request or authorization, that is intended to effect a credit of funds to the Treasury, an account at a Treasury designated depositary, or any other account holding public funds.

(f) Cryptographic credential means an electronic document or object containing a cryptographic key which provides evidence of authority to conduct a transaction and/or provides assurance that a system or person is what or who it claims to be. A public key digital certificate is an example of a cryptographic credential.

(g) Delegated NTDO means a Non-Treasury Disbursing Office whose authority to disburse public funds has been delegated at the discretion of the Treasury.

(h) Federal standards means Federal Information Processing Standards (FIPS) promulgated by the National Institute of Standards and Technology (NIST) and standards promulgated by the Treasury Department.
(i) Financial agent means a commercial financial institution designated by the Treasury to act as a depositary of public money or financial agent of the Government, under the provisions of 31 CFR 202 and 203.

(j) Fiscal agent means a Federal Reserve Bank designated by the Treasury to act as a Government depositary or fiscal agent.

(k) Payment means a transaction entry, object, or instruction, or a transaction request or authorization, that is intended to effect a debit of funds against the Treasury, an account at a Treasury designated depositary, or any other account holding public funds.

(l) Statutory NTDO means a Non-Treasury Disbursing Office whose authority to disburse public funds is established by statute.

(m) Trading partner means any individual, business, organization, or governmental entity that receives funds or collateral from, or sends funds or collateral to, the Federal Government.

Section 4. General Principles

(a) The Secretary of the Treasury is responsible for promulgating governmentwide policies and practices on the use of electronic authentication techniques, including techniques that rely on public key certificates and other cryptographic credentials, to secure payment, collection, and collateral transactions.

(b) Financial agents. All financial agents of the Treasury which use cryptographic authentication in the conduct of Government fiscal operations shall obtain their cryptographic credentials, including certification authority credentials, from the Treasury or, at the discretion of the Treasury, from a fiscal agent.

Example: A commercial bank is designated to operate a new cash concentration system for the Treasury, which will collect funds from various receipt accounts and deposit them into the Treasury. The bank sets up a certification authority to issue certificates to the holders of the receipt accounts so that they can use the Internet to authorize the concentration of their receipts.
This bank certification authority would operate under a Treasury ``root'' certification authority. The Treasury root certification authority would issue a single certificate validating the agent bank certification authority and the bank's status as a designated agent of the Treasury. The agent bank certification authority would in turn issue the end user certificates.

(c) Fiscal agents. Fiscal agents that use cryptographic authentication in the conduct of Government fiscal operations shall obtain their cryptographic credentials, including certification authority credentials, from the Treasury or, at the discretion of the Treasury, shall create and use their own cryptographic credentials.

(d) NTDOs. All delegated NTDOs that use cryptographic authentication in the issuance of Federal payments shall obtain their cryptographic credentials, including certification authority credentials, from the Treasury. Certification authority credentials may be granted in the form of a subsidiary certification authority certificate, a cross-certificate, or otherwise. Consistent with this provision, delegated NTDOs may issue end user public key certificates. Statutory NTDOs which use cryptographic authentication in the issuance of Federal payments may create and use their own cryptographic credentials, in accordance with all other provisions of this policy.

(e) All electronic authentication techniques used in support of Federal payment, collection, and collateral transactions must be based on either Federal standards or banking industry standards. To the extent that Federal or banking industry standards are absent, the Treasury may approve the use of other voluntary consensus body standards.
(f) Nothing in this policy is intended to relieve a Federal agency of its responsibility to comply with other Federal systems security guidelines, including OMB Circulars and Federal Information Processing Standards, or to implement appropriate Internet security mechanisms, such as firewalls and intrusion detection programs.

(g) The Fiscal Service of the Treasury, acting on behalf of the Secretary of the Treasury, is responsible for implementing and interpreting this policy.

Section 5. Risk Model

(a) All payment, collection, and collateral transactions must be properly authenticated, in a manner commensurate with the risks of the transaction. For any given Federal agency cash flow or program (e.g., corporate user fees, benefit payments, excise taxes, retail product sales, investment collateral, etc.) Federal agencies shall assess overall risk and determine the appropriate electronic authentication technique in accordance with the following risk model.

(1) The three general factors used to determine the overall risk of Federal payment, collection, and collateral transactions are: risk of monetary loss, reputation risk, and productivity risk.

(2) The risk of monetary loss is determined using a variety of elements, including but not limited to:
(A) Average dollar value of transactions.
(B) Loss to the Government.
(C) Loss to a consumer.
(D) Loss to a business, state or local government, or other trading partner.
(E) Rules for reversing and repudiating a transaction (e.g., in the Uniform Commercial Code, the ACH rules, the Code of Federal Regulations, Federal Reserve regulations, Generally Accepted Accounting Principles, or bank network operating procedures).
(F) Body of law applied to the transaction.
(G) Liability for the transaction (e.g., personal, corporate, insured, or shared).
(3) The reputation risk to the Government in the event of a breach or an improper transaction is determined using elements such as:
(A) Relationship with the trading partner (e.g., debiting a consumer account vs. intragovernmental payment between Federal agencies, and voluntary vs. mandatory transactions).
(B) Public visibility and public perception of programs.
(C) History or patterns of problems or abuses.
(D) Consequences of a breach or improper transaction (e.g., normal exception handling vs. imposition of penalties).

(4) Productivity risk associated with a breach or improper transaction is determined using elements such as:
(A) Time criticality of transactions (e.g., entitlement payment vs. contractor payment).
(B) Scope of system and number of transactions (e.g., national or governmentwide system vs. localized system).
(C) Number of system users or dependents.
(D) Backup and recovery procedures.
(E) Claims and dispute resolution procedures.

(b) Assessing the combined risk factors (monetary loss, reputation risk, and productivity risk) determines the risk category of a cash flow, program, or system. For purposes of Federal payment, collection, and collateral transactions, there are four risk categories: high, moderate, low, and negligible. The risk category indicates the robustness of the electronic authentication technique that must be used. Authentication rules for each of the risk categories are listed below. High and moderate risk transactions require multi-factor authentication, where at least two electronic authentication techniques must be used in combination, such as digital signature with a PIN protecting the signing key.

(1) High Risk.
(A) Multi-factor authentication is required, including a digital signature.
(B) Private cryptographic keys must be generated, stored, and used in a secure cryptographic hardware module.
(C) Certification authorities must operate under the Government's direct policy authority.

(2) Moderate Risk.
(A) Multi-factor authentication is required.
(B) Private cryptographic keys may be stored in software.
(C) Certification authorities which are under the policy authority of a commercial entity meeting the requirements of this policy may be used.

(3) Low Risk. Single factor authentication must be used, such as a PIN or a software based SSL client certificate.

(4) Negligible Risk. Transactions may occur without an electronic authentication technique.

(c) Federal agencies must apply the risk categories, determined using the three risk factors, to all payment, collection, and collateral transactions using open networks.

(d) In determining risk categories, Federal agencies should take into account programmatic controls which mitigate the intrinsic risks of conducting transactions over an open network. (For example, a consumer who submits an Internet payment for goods in a Government auction may have to appear in person with identification to retrieve the goods. This may argue for a lower category of risk for the Internet transaction.)

(e) The risk category determined for a set of transactions represents the minimum security required. Federal agencies may apply the requirements of a higher risk category, or a stronger authentication technique, at their option.

Agencies should contact Mr. Gary Grippo of the Financial Management Service, (202) 874-6816, gary.grippo@fms.treas.gov, with any questions about the application of this risk-based model.

Section 6. Collections Policies

(a) Federal collections systems and servers that cryptographically authenticate themselves to Federal trading partners during financial transactions must receive their cryptographic credentials from or through the Treasury or the Treasury Financial agent that processes the collection.

Example: An agency sets up a Web site to receive credit card numbers for the payment of fines.
A public key certificate on the Web server provides citizens with an assurance that the collection Web site is operated by the Federal Government. Since this is a credit card collection, the agency would obtain its server certificate from one of the Financial Management Service's designated financial agent banks that processes credit cards and makes available to the agency certificates from one or more commercial or government certificate authorities. This financial agent bank is the entity sponsoring the agency into the credit card system and is liable for the agency's transactions.

(b) Federal collections systems and servers that cryptographically authenticate themselves to Federal trading partners during financial transactions must generate, store, and use their private cryptographic keys in a secure cryptographic hardware module.

(c) In processing collection transactions from Federal trading partners that have a risk category other than ``Negligible,'' Federal agencies shall only trust cryptographic credentials issued or honored by the institution that maintains the trading partner's transaction account, or issued by a Federal agency.

Example: A small business goes to a Federal Web site to enroll in a repayment program for a Federal loan. The business digitally signs an electronic form indicating that the Federal agency may initiate ACH debits against its bank account to repay the loan, and then transmits the signed form along with its certificate to the Federal agency. The Federal agency determines that the certificate was issued by an independent commercial certification authority. The Federal agency rejects the enrollment under this policy, because the certification authority has no connection to the consumer's banking relationship.

Dated: December 22, 2000.

Kenneth R. Papaj,
Acting Commissioner, Financial Management Service.

[FR Doc. 01-79 Filed 1-2-01; 8:45 am]

BILLING CODE 4810-35-P