Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access America-- Fulfilling the Vision of Electronic Service Delivery Peter N. Weiss Information Policy and Technology Office of Management and Budget.

Published byGary Horton Modified over 9 years ago

Similar presentations

Presentation on theme: "Access America-- Fulfilling the Vision of Electronic Service Delivery Peter N. Weiss Information Policy and Technology Office of Management and Budget."— Presentation transcript:

1

2 Access America-- Fulfilling the Vision of Electronic Service Delivery Peter N. Weiss Information Policy and Technology Office of Management and Budget peter_weiss@omb.eop.gov

3 Access America Electronic commerce, electronic mail, and electronic benefits transfer sensitive information within government, between the government and private industry and individuals, and among governments. - Vice-President Al Gore, “Access America” -available at: gits.gov

4 NPR (Reinventing Government): Reengineer needed processes, get rid of those no longer needed, and focus on customer service. Electronic forms, commerce, and information security regarded as vital.

5 Government Paperwork Elimination Act (GPEA) P.L. 105-277 (Title VII) Agencies to automate interactions with outside partners/customers within five years to the extent practicable. OMB, in consultation with Commerce and others, to promulgate policies and procedures within 18 months. Procedures are to encourage both electronic filing and electronic recordkeeping, particularly by employers.

6 PRA: Paperwork Reduction Act Reduce the reporting burden on the public. Measures include the number of hours the burden imposes. Pre-GPEA emphasis on electronic forms focused on the process to move the form from paper to electronic. Actual burden is not substantially reduced.

7 Other Applicable Laws n GPRA: Government Performance and Results Act n Clinger-Cohen Act (Information Technology Management Act of 1996)

8 Putting It All Together n Need to reduce burden to the public n Provide customer service in a fundamentally better way n Electronic forms are not, by themselves, necessarily enough GPEA GPRA NPR PRA Clinger-Cohen CUSTOMER SERVICE n LESS TIME TO ACCESS n EASIER TO FILL n FASTER TO SUBMIT n QUICKER RESPONSE AND PROCESSING

9 Opportunities? GPEA provides reason to streamline service delivery Build intelligence into electronic forms to enhance automated processing Electronic signatures further enables electronic processing GPEA, technology and infrastructure combined gives powerful reason to move forward

10 OMB’s Implementing Guidance 64 Fed. Reg. 10896 (Fri., March 5, 1999) Comments due: July 5, 1999 Send e-comments to: gpea@omb.eop.gov

11 Paperwork Elimination Security: weigh the magnitude of the risk and select an appropriate combination of technology and practice to cost-effectively minimize risk and maximize benefits to agency and to customers Computer Security Act risk-based standard

12 Electronic Signature: GPEA Definition (§ 1709(1)) A method of signing an electronic message that-- –(A) identifies and authenticates a particular person as the source of the electronic message; and –(B) indicates such person’s approval of the information contained in the electronic message.

13 Signature: UCC Definition (§ 1-201(39)) Any symbol executed or adopted by a party with present intention to authenticate a writing.

14 Legal Effect and Validity Electronic records submitted or maintained in accordance with procedures developed under this title, or electronic signatures or other forms of electronic authentication used in accordance with such procedures, shall not be denied legal effect, validity, or enforceability because such records are in electronic form. -GPEA, section 1707

15 Factors to Consider in Planning Electronic Systems Nature of the participants to the transaction –interagency, intra-agency, public –level of trust based on experience with other participants or trading partners

16 Type of transaction –type of activity involved in the transaction (administrative, regulatory, law enforcement –contract for goods or services –instrument creating financial or legal liability –involves inherently sensitive or private information Factors to Consider (cont.)

17 Recordkeeping needs regarding the transaction –One-time information request and response –Audit –Potential for dispute by a participant –Potential for dispute by a third party –Evidentiary considerations Factors to Consider (cont.)

18 Privacy in Electronic Commerce These electronic systems must protect the information’s confidentiality, assure that the information is not altered in an unauthorized way, and be available when needed. - Vice-President Al Gore, “Access America”

19 Privacy Act ( 5 U.S.C. 552a) Federal databases containing personal identifying information in support of PINs, biometrics, or digital signatures are “systems of records.” Contractor-maintained databases containing personal identifying information, e.g. contracted CA/RA services, are usually covered “systems of records.” Possible exception if certificates are generally available, e.g. SET.

20 Section 1708 of GPEA Except as provided by law, information collected in the provision of electronic signature services for communications with an executive agency, as provided by this title, shall only be used or disclosed by persons who obtain, collect, or maintain such information as a business or government practice, for the purpose of facilitating such communications, or with the prior affirmative consent of the person about whom the information pertains.

21 Privacy and Disclosure: Basic Principles Electronic authentication should only be required where needed Tailor authentication needs to the transaction and the participants Avoid collecting information that is more detailed than required Inform participants that information collected will be managed consistent with the Privacy Act, Computer Security Act, and any other applicable laws.

22 Practical Implications/Good Practices Collect it only if you need it. Disclose conditions and limits of use. Provide reasonable personal access with ability to correct and/or update. Articulate and disclose protective policies and measures. Destroy personal information when no longer needed; important to determine appropriate retention period.

23 Electronic Commerce Trust Requirements Authentication - ensure that transmissions and their originators are authentic (identity). Data integrity - ensure that exchanged data is not reasonably subject to intentional or unintentional alteration. Confidentiality - limit access to authorized entities.

24 Authentication/Identity Techniques Personal Identification Numbers (PINS) Automated teller machines (with token) IRS TeleFile, SEC EDGAR (without token) Cryptographic Digital Signatures Public and private sector pilots, some production applications Biometrics Can be used in conjunction with digital signatures Others: SSL, S/MIME, route certificates

25 What do they have in common ? PINs, Digital Signatures, and Biometrics require the collection or maintenance of identifying information: Directly: Employee to employer Taxpayer to IRS, Applicant to SSA Or indirectly: Subscriber to Certification/Registration Authority

26 How do they differ? PINs and biometrics/signature dynamics tend to be one to one within a single application, i.e. automates the stovepipes. Cryptographic digital signatures can be used for multiple applications utilizing digital certificates as a component of a Public Key Infrastructure, i.e. can cut across stovepipes.

27 The bottom line: Designing an automated system with better authentication and privacy than paper-based systems is not difficult, BUT...

28 ...it must be perceived by the user, oversight, and advocacy communities as being better. –Yoda Learn from others’ experiences! Case in point: SSA’s PEBES

29 Electronic Commerce Sources "Access America" - Government Information Technology Services Board http://www.gits.gov "Framework for Global Electronic Commerce" http://www.ecommerce.gov Federal Public Key Infrastructure Steering Committee http://gits-sec.treas.gov

30 Overview of Current Electronic Signature Technologies

31 Personal ID Number (“PIN”) User enters name and password, or PIN. PIN is a “shared secret” (known both to the user and to the system) System checks the PIN to authenticate the user.

32 Smart Card Plastic card containing an embedded chip that generates, stores and/or processes data Computer reads data from the chip when the user enters a PIN or biometric identifier Assists with implementation

33 Digitized Signature Graphical image of a handwritten signature Software compares a graphical image with the digitized representation May be combined with PIN or biometric for higher level of security

34 Shared Private Key (Symmetric) Cryptography User –signs document and –verifies signature using the same secret key (long string of numbers) Secret key is shared between the sender and the recipient, thus not the best authentication mechanism

35 Public/Private Key (Asymmetric Cryptography) - Digital Signatures Two keys, mathematically linked One is kept private, other is made public Private not deducible from public For digital signature: One key signs, the other validates For confidentiality: One key encrypts, the other decrypts

36 Digital Signature Overview

37 Access with Trust Describes an essential technological and institutional means of fostering safe, secure electronic interactions, a “Public Key Infrastructure,” or PKI, using cryptographic-based “digital signatures.” Available at: gits-sec.treas.gov

38 Challenges Registration/identity proofing Private keys in hardware vs. software Interoperability within Federal agencies Interoperability outside Federal agencies Digital signature acceptance Directory management Making “the business case”

39 What PK Technology Allows Authentication Non-repudiation Data integrity Confidentiality

40 The Critical Questions How can the recipient know with certainty the sender’s public key? (to validate a digital signature) How can the sender know with certainty the recipient’s public key? (to send an encrypted message)

41 The Answer: A PK Certificate A document which is - Digitally signed by a Certification Authority, Based on identity-proofing done by a Registration Authority, Containing the individual’s public key, Some form of the individual’s identity, and A finite validity period

42 Public Key Infrastructure Registration Authorities to identity proof users Certification Authorities to issue certificates and CRLs Repositories (publicly available data bases) to hold certificates and CRLs Separate from CRLs, mechanisms for status checking of certificates (OCSP)

43 Agency Implementation Use and manage electronic signature technology to: – maximize the ability to authenticate the identity of the originator –ensure integrity of the contents of the filing

44

Download ppt "Access America-- Fulfilling the Vision of Electronic Service Delivery Peter N. Weiss Information Policy and Technology Office of Management and Budget."

Similar presentations

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.

Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Public Key Infrastructure (PKI) Hosting Services.

Public Key Infrastructure (PKI) Hosting Services.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.

Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.
6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC513-01 Instructor:Professor Anvari Student ID:106845 Name:Xin Wen Date:11/25/00.

6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.
Electronic Government: Law, Policy, and Practice Jonathan P. Womer Information Policy and Technology Office of Management and Budget

Electronic Government: Law, Policy, and Practice Jonathan P. Womer Information Policy and Technology Office of Management and Budget
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Chapter 17 Controls and Security Measures

Chapter 17 Controls and Security Measures
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.

Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
NDSU Lunchbytes Are They Really Who They Say They Are? Digital or Electronic Signature Information Rick Johnson, Theresa Semmens, Lorna Olsen April 24,

NDSU Lunchbytes "Are They Really Who They Say They Are?" Digital or Electronic Signature Information Rick Johnson, Theresa Semmens, Lorna Olsen April 24,
E-Government Security and necessary Infrastructures Dimitrios Lekkas Dept. of Systems and Products Design Engineering University of the Aegean

E-Government Security and necessary Infrastructures Dimitrios Lekkas Dept. of Systems and Products Design Engineering University of the Aegean

Similar presentations

Ads by Google