1 / 43

Access America-- Fulfilling the Vision of Electronic Service Delivery

Access America-- Fulfilling the Vision of Electronic Service Delivery. Peter N. Weiss Information Policy and Technology Office of Management and Budget peter_weiss@omb.eop.gov. Access America.

lapis
Download Presentation

Access America-- Fulfilling the Vision of Electronic Service Delivery

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Access America--Fulfilling the Visionof Electronic Service Delivery Peter N. Weiss Information Policy and Technology Office of Management and Budget peter_weiss@omb.eop.gov

  2. Access America Electronic commerce, electronic mail, and electronic benefits transfer sensitive information within government, between the government and private industry and individuals, and among governments. -Vice-President Al Gore, “Access America” -available at: gits.gov

  3. NPR (Reinventing Government): • Reengineer needed processes, get rid of those no longer needed, and focus on customer service. Electronic forms, commerce, and information security regarded as vital.

  4. Government Paperwork Elimination Act (GPEA) P.L. 105-277 (Title VII) • Agencies to automate interactions with outside partners/customers within five years to the extent practicable. • OMB, in consultation with Commerce and others, to promulgate policies and procedures within 18 months. • Procedures are to encourage both electronic filing and electronic recordkeeping, particularly by employers.

  5. PRA: Paperwork Reduction Act • Reduce the reporting burden on the public. • Measures include the number of hours the burden imposes. • Pre-GPEA emphasis on electronic forms focused on the process to move the form from paper to electronic. • Actual burden is not substantially reduced.

  6. Other Applicable Laws • GPRA: Government Performance and Results Act • Clinger-Cohen Act (Information Technology Management Act of 1996)

  7. Clinger-Cohen PRA NPR GPRA GPEA CUSTOMER SERVICE Putting It All Together • Need to reduce burden to the public • Provide customer service in a fundamentally better way • Electronic forms are not, by themselves, necessarily enough • LESS TIME TO ACCESS • EASIER TO FILL • FASTER TO SUBMIT • QUICKER RESPONSE AND PROCESSING

  8. Opportunities? • GPEA provides reason to streamline service delivery • Build intelligence into electronic forms to enhance automated processing • Electronic signatures further enables electronic processing • GPEA, technology and infrastructure combined gives powerful reason to move forward

  9. OMB’s Implementing Guidance • 64 Fed. Reg. 10896 (Fri., March 5, 1999) • Comments due: July 5, 1999 • Send e-comments to: gpea@omb.eop.gov

  10. Paperwork Elimination • Security: weigh the magnitude of the risk and select an appropriate combination of technology and practice to cost-effectively minimize risk and maximize benefits to agency and to customers • Computer Security Act risk-based standard

  11. Electronic Signature: GPEA Definition (§ 1709(1)) • A method of signing an electronic message that-- • (A) identifies and authenticates a particular person as the source of the electronic message; and • (B) indicates such person’s approval of the information contained in the electronic message.

  12. Signature:UCC Definition (§ 1-201(39)) • Any symbol executed or adopted by a party with present intention to authenticate a writing.

  13. Legal Effect and Validity Electronic records submitted or maintained in accordance with procedures developed under this title, or electronic signatures or other forms of electronic authentication used in accordance with such procedures, shall not be denied legal effect, validity, or enforceability because such records are in electronic form. -GPEA, section 1707

  14. Factors to Consider in Planning Electronic Systems • Nature of the participants to the transaction • interagency, intra-agency, public • level of trust based on experience with other participants or trading partners

  15. Factors to Consider (cont.) • Type of transaction • type of activity involved in the transaction (administrative, regulatory, law enforcement • contract for goods or services • instrument creating financial or legal liability • involves inherently sensitive or private information

  16. Factors to Consider (cont.) • Recordkeeping needs regarding the transaction • One-time information request and response • Audit • Potential for dispute by a participant • Potential for dispute by a third party • Evidentiary considerations

  17. Privacy in Electronic Commerce These electronic systems must protect the information’s confidentiality, assure that the information is not altered in an unauthorized way, and be available when needed. -Vice-President Al Gore, “Access America”

  18. Privacy Act (5 U.S.C. 552a) • Federal databases containing personal identifying information in support of PINs, biometrics, or digital signatures are “systems of records.” • Contractor-maintained databases containing personal identifying information, e.g. contracted CA/RA services, are usually covered “systems of records.” Possible exception if certificates are generally available, e.g. SET.

  19. Section 1708 of GPEA Except as provided by law, information collected in the provision of electronic signature services for communications with an executive agency, as provided by this title, shall only be used or disclosed by persons who obtain, collect, or maintain such information as a business or government practice, for the purpose of facilitating such communications, or with the prior affirmative consent of the person about whom the information pertains.

  20. Privacy and Disclosure: Basic Principles • Electronic authentication should only be required where needed • Tailor authentication needs to the transaction and the participants • Avoid collecting information that is more detailed than required • Inform participants that information collected will be managed consistent with the Privacy Act, Computer Security Act, and any other applicable laws.

  21. Practical Implications/Good Practices • Collect it only if you need it. • Disclose conditions and limits of use. • Provide reasonable personal access with ability to correct and/or update. • Articulate and disclose protective policies and measures. • Destroy personal information when no longer needed; important to determine appropriate retention period.

  22. Electronic Commerce Trust Requirements • Authentication - ensure that transmissions and their originators are authentic (identity). • Data integrity - ensure that exchanged data is not reasonably subject to intentional or unintentional alteration. • Confidentiality - limit access to authorized entities.

  23. Authentication/Identity Techniques • Personal Identification Numbers (PINS) Automated teller machines (with token) IRS TeleFile, SEC EDGAR (without token) • Cryptographic Digital Signatures Public and private sector pilots, some production applications • Biometrics Can be used in conjunction with digital signatures • Others: SSL, S/MIME, route certificates

  24. What do they have in common? PINs, Digital Signatures, and Biometrics require the collection or maintenance of identifying information: • Directly: Employee to employer Taxpayer to IRS, Applicant to SSA • Or indirectly: Subscriber to Certification/Registration Authority

  25. How do they differ? • PINs and biometrics/signature dynamics tend to be one to one within a single application, i.e. automates the stovepipes. • Cryptographic digital signatures can be used for multiple applications utilizing digital certificates as a component of a Public Key Infrastructure, i.e. can cut across stovepipes.

  26. The bottom line: • Designing an automated system with better authentication and privacy than paper-based systems is not difficult, • BUT...

  27. ...it must be perceived by the user, oversight, and advocacy communities as being better. • Yoda • Learn from others’ experiences! Case in point: SSA’s PEBES

  28. Electronic Commerce Sources • "Access America" - Government Information Technology Services Board http://www.gits.gov • "Framework for Global Electronic Commerce" http://www.ecommerce.gov • Federal Public Key Infrastructure Steering Committee http://gits-sec.treas.gov

  29. Overview of Current Electronic Signature Technologies

  30. Personal ID Number (“PIN”) • User enters name and password, or PIN. • PIN is a “shared secret” (known both to the user and to the system) • System checks the PIN to authenticate the user.

  31. Smart Card • Plastic card containing an embedded chip that generates, stores and/or processes data • Computer reads data from the chip when the user enters a PIN or biometric identifier • Assists with implementation

  32. Digitized Signature • Graphical image of a handwritten signature • Software compares a graphical image with the digitized representation • May be combined with PIN or biometric for higher level of security

  33. Shared Private Key (Symmetric) Cryptography • User • signs document and • verifies signature using the same secret key (long string of numbers) • Secret key is shared between the sender and the recipient, thus not the best authentication mechanism

  34. Public/Private Key (Asymmetric Cryptography) - Digital Signatures • Two keys, mathematically linked • One is kept private, other is made public • Private not deducible from public • For digital signature: One key signs, the other validates • For confidentiality: One key encrypts, the other decrypts

  35. Digital Signature Overview

  36. Access with Trust • Describes an essential technological and institutional means of fostering safe, secure electronic interactions, a “Public Key Infrastructure,” or PKI, using cryptographic-based “digital signatures.” • Available at: gits-sec.treas.gov

  37. Challenges • Registration/identity proofing • Private keys in hardware vs. software • Interoperability within Federal agencies • Interoperability outside Federal agencies • Digital signature acceptance • Directory management • Making “the business case”

  38. What PK Technology Allows • Authentication • Non-repudiation • Data integrity • Confidentiality

  39. The Critical Questions • How can the recipient know with certainty the sender’s public key? (to validate a digital signature) • How can the sender know with certainty the recipient’s public key? (to send an encrypted message)

  40. The Answer: A PK Certificate • A document which is - • Digitally signed by a Certification Authority, • Based on identity-proofing done by a Registration Authority, • Containing the individual’s public key, • Some form of the individual’s identity, and • A finite validity period

  41. Public Key Infrastructure • Registration Authorities to identity proof users • Certification Authorities to issue certificates and CRLs • Repositories (publicly available data bases) to hold certificates and CRLs • Separate from CRLs, mechanisms for status checking of certificates (OCSP)

  42. Agency Implementation • Use and manage electronic signature technology to: • maximize the ability to authenticate the identity of the originator • ensure integrity of the contents of the filing

More Related