Office of the Commissioner, GSA.
Notice of request for comments regarding a renewal to an existing OMB clearance.
Under the provisions of the Paperwork Reduction Act of 1995 (44 U.S.C. Chapter 35), the General Services Administration will be submitting to the Office of Management and Budget (OMB) a request to review and approve a renewal of a currently approved information collection requirement regarding Access Certificates for Electronic Services (ACES). The clearance currently expires on October 31, 2006.
The ACES Program is designed to facilitate and promote secure electronic communications between online automated information technology application systems authorized by law to participate in the ACES Program and users who elect to participate in the program, through the implementation and operation of digital signature certificate technologies. Individual digital signature certificates are issued to individuals based upon their presentation of verifiable proof of identity to an authorized ACES Registration Authority. Business Representative digital signature certificates are issued to individuals based upon their presentation of verifiable proof of identity and verifiable proof of authority from the claimed entity to an authorized ACES Registration Authority.
Public comments are particularly invited on: Whether this collection of information is necessary and whether it will have practical utility; whether our estimate of the public burden of this collection of information is accurate and based on valid assumptions and methodology; and ways to enhance the quality, utility, and clarity of the information to be collected.
Submit comments on or before: September 25, 2006.
FOR FURTHER INFORMATION CONTACT:
Stephen Duncan, Federal Acquisition Service, at telephone (703) 872-8537 or via e-mail to email@example.com.
Submit comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to the Regulatory Secretariat (VIR), General Services Administration, Room 4035, 1800 F Street, NW., Washington, DC 20405. Please cite OMB Control No. 3090-0270, Access Certificates for Electronic Services (ACES), in all correspondence.
One of the primary goals of the emerging Government Services Information Infrastructure (GSII) is to facilitate public access to government information and services through the use of information technologies. One of the specific goals of the GSII is to provide the public with a choice of using Internet-based, online access to the automated information technology application systems operated by government agencies; such access will make it easier and less costly for the public to complete transactions with the government. By law, access to some of these automated information technology application systems can be granted only after the agency operating the system is provided with reliable information that the individual requesting such access is who he/she claims to be, and that he/she is authorized such access. The arms-length transactions envisioned by the GSII require implementation of methods for:
1. Reliably establishing and verifying the identity of the individuals desiring to participate in the ACES Program, based primarily upon electronic communications between the applicant and authorized ACES Registration Authority.
2. Issuing to the individuals who have been successfully identified a means that they can use to uniquely identify themselves to the automated information technology application systems participating in the ACES Program.
3. Electronically and securely passing that identity to the automated information technology application system to which the individual is requesting access.
4. Electronically and securely authenticating that identity, through a trusted third party, each time it is presented to an automated information technology application system participating in the ACES Program.
5. Ensuring that the identified individual requesting access to an automated information technology application system has been duly authorized, by the management of that automated information technology application system, to access that system and perform the transactions desired.
6. Ensuring that the information being exchanged between the individual and the automated information technology application system has not been corrupted during transmission.
7. Reducing the ability of the parties to such transactions to repudiate the actions taken.
The current state-of-the-art suggests that digital signature certificate technologies (often referred to as part of “Public Key Infrastructure, or PKI”) provide a reliable and cost efficient means for meeting many of these GSII requirements. Thus, the ACES Program should be understood to represent an effort to implement and continue a PKI through which members of the public who desire to do so can securely communicate electronically with the online automated information technology application systems participating in the ACES Program.
The initial step for any member of the public to take in order to participate in the ACES Program is to submit an application for an ACES certificate to an authorized ACES Registration Authority. In conjunction with the application process, the applicant will be required to submit at least:
a. His/her full name.
b. His/her place of birth.
c. His/her date of birth.
d. His/her current address and telephone number.
e. At least three (3) of the following:
i. Current valid state issued driver license number or number of state issued identification card.
ii. Current valid passport number.
iii. Current valid credit card number.
iv. Alien registration number (if applicable).
v. Social Security Number.
vi. Current employer name, address, and telephone number.
f. If the registration is for a business representative certificate, evidence of authorization to represent that business entity.
The information provided during the process of applying for an ACES certificate constitutes the continued information collection activity that is the subject of this Paperwork Reduction Act Notice and request for comments.
A detailed description of the current ACES Program is available on the World Wide Web at http://www.gsa.gov/aces, or through the “FOR FURTHER INFORMATION CONTACT” listed above.
Please note that all ACES identity information collected from the public is covered by the Privacy Act, the Computer Security Act, and related privacy and security regulations, regardless of whether it is provided directly to an agency of the Federal Government or to an authorized ACES Registration Authority providing ACES-related services under a contract with GSA. Compliance with all of the attending requirements is enforced through binding contracts, periodic monitoring by GSA, annual audits by independent auditing firms, and tri-annual re-accreditation by GSA. Only fully accredited Registration Authorities will be permitted to accept and maintain identity information provided by the public.
The identity information collected will be used only to establish and verify the identity and eligibility of applicants for ACES certificates; no other use of the information is permitted.
Participation in the ACES Program is strictly voluntary, but participation will only be permitted upon presentation of identity information by the applicant, and verification of that information by an authorized ACES Registration Authority.
ACES is designed to permit on-line, arms-length registration through the Internet, which significantly reduces the public’s reporting burden. Based upon preliminary tests run on similar systems for gathering identity-related information from the public (e.g., U.S. Passports, initial issuance of state-issued driver’s license, etc.), the individual reporting burden for providing identity information for the initial ACES certificate is estimated at an average of 15 minutes, including gathering the information together and entering the data into the electronic forms provided by the authorized ACES Registration Authorities.
Service providers participating in the ACES Program may choose to participate in the E-Authentication Services Component (ASC) as a Credential Service Provider (CSP). To support the technical requirements of the ASC, CSPs may supply attribute information in Security Assertion Markup Language (SAML) Assertions passed between the CSP and the Agency e-government application. This applies to SAML-based use cases only.
The E-Authentication Service Component leverages credentials from multiple credential providers through certifications, guidelines, standards and policies. The E-Authentication Service Component accommodates assertion-based authentication (i.e., authentication of PIN and Password credentials) and certificate-based authentication (i.e., Public Key Infrastructure (PKI) digital certificates, and other forms of strong authentication) within the same environment. The E-Authentication Service Component is aligned with OMB Policy Memorandum M-04-04, E-Authentication Guidance for Federal Agencies (http://www.whitehouse.gov/omb/memoranda/fy04/m04-04.pdf ), which provides policy guidance for identity authentication and establishes four levels of authentication assurance. It is also aligned with National Institute of Standards and Technology (NIST) Special Publication 800-63, Electronic Authentication Guideline (http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf). This document accompanies and supports OMB M-04-04 and provides technical and procedural requirements for authentication systems which correspond to the four authentication assurance levels defined in OMB M-04-04. The E-Authentication Service Component provides the infrastructure for Federal agencies to implement the policies and recommendations of OMB M-04-04 and NIST SP 800-63. These documents as well as other technical, policy, and informational documents and materials can be accessed at the website: http://www.cio.gov/eauthentication.
The Interface Specifications require the following information to be contained in the SAML assertion between the Credential Service Provider and an e-Government Agency Application (AA) which is the relying party to the identity assertion:
Common Name: expressed as First Name, Middle Name, Last Name, and surname suffix;
User ID: provided by the CSP so that no two subscribers within a credential service can share the same User ID;
Authentication Assurance Level: i.e., assurance level 1, 2, 3, or 4; and
CSP: CSP is identified in the assertion.
Since the SAML assertion contains only common name and user ID of the end user for the selected CSP, most agencies have determined that a separate activation process is necessary to identify the specific individual as represented in the AA. This generally requires creating a separate query process to identify the end user to the AA. To facilitate the activation process and avoid requiring the end user to reenter the same identifying information multiple times, GSA is also proposing to add the following attribute information to the SAML 1.0 Interface Specifications as optional information:
Partial Social Security Number (SSN): the last four digits of the end user’s SSN;
Date of Birth (DOB): MM/DD/YYYY; and
Physical Address: street address, city, state, and zip code.
The end user name, partial SSN, physical address and DOB are intended to allow the AA to identify the correct end user during the activation process, without necessarily requiring the AA to query the end user for any additional information. AAs will match the identity information in the SAML assertion (including the last four digits of the SSN) against the information currently maintained in application records systems. The Interface Specification requires CSPs that do not collect or maintain SSN, DOB, and/or physical address information to enter a null field for these attribute elements. The attribute information contained in the assertion is intended for the purposes of activation, and will not be provided to agencies that do not already have the authority to maintain this attribute information. AAs/records systems that do not collect or maintain the attribute fields of SSN, DOB, or physical address will not be passed that information in the SAML assertion from the CSPs. The E-Authentication AAs can also determine that they do not want to receive the additional attribute information of partial SSN, DOB and physical address and can opt out of receiving this information in the SAML assertions.
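The following is an added example of how an Agency Application might consume the assertion described above; it is not GSA's or the E-Authentication program's own code, and the Interface Specifications are not reproduced here. The wire-level attribute names (commonName, userId, assuranceLevel, csp, partialSSN, dob, address), the sample assertion, and the AA's record layout are all constructed for illustration. It shows the checks an AA should make before trusting any attribute (validity window and audience), how a null field from a CSP that does not collect SSN, DOB or address is represented, how an AA that has opted out of the optional attributes drops them, and how the one-time activation match against the AA's records system is made.

```python
"""AA-side handling of a SAML 1.0 attribute assertion of the kind the notice describes.
Added example; attribute names, sample assertion and record layout are assumptions."""
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}
# Wire-level attribute names are assumptions; the notice lists the fields, not the schema.
REQUIRED = ("commonName", "userId", "assuranceLevel", "csp")
OPTIONAL = ("partialSSN", "dob", "address")

# Constructed sample assertion. The ds:Signature an AA must verify before trusting any of
# this is omitted; the example assumes signature verification has already succeeded.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1"
    MinorVersion="0" AssertionID="_c0ffee" Issuer="https://csp.example.gov"
    IssueInstant="2006-08-01T12:00:00Z">
  <saml:Conditions NotBefore="2006-08-01T12:00:00Z" NotOnOrAfter="2006-08-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://aa.example.gov/app</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>u-1001</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="commonName"><saml:AttributeValue>Jane Q Public</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="userId"><saml:AttributeValue>u-1001</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="assuranceLevel"><saml:AttributeValue>2</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="csp"><saml:AttributeValue>https://csp.example.gov</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="partialSSN"><saml:AttributeValue>1234</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="dob"><saml:AttributeValue>03/14/1970</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="address"><saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""
NOW_IN_WINDOW = dt.datetime(2006, 8, 1, 12, 1, tzinfo=dt.timezone.utc)
NOW_EXPIRED = dt.datetime(2006, 8, 1, 12, 30, tzinfo=dt.timezone.utc)


def _ts(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def parse_assertion(xml_text, audience, now):
    """Return asserted attributes as a dict (None for a null field). Raises ValueError if
    the assertion is outside its validity window, addressed to another application,
    missing a required attribute, or carries an assurance level outside 1-4."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 1.0 assertion")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = {a.text for a in cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)}
    if audience not in audiences:
        raise ValueError("assertion not addressed to this application")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        attrs[attr.get("AttributeName")] = value.strip() or None  # empty element == null field
    missing = [n for n in REQUIRED if not attrs.get(n)]
    if missing:
        raise ValueError(f"required attribute(s) missing: {missing}")
    if attrs["assuranceLevel"] not in {"1", "2", "3", "4"}:
        raise ValueError("assurance level must be 1, 2, 3 or 4")
    return attrs


def apply_aa_policy(attrs, accepted_optional=OPTIONAL):
    """Keep the required attributes plus only those optional ones this AA has opted in to;
    an AA with no authority to hold SSN, DOB or address passes an empty tuple."""
    return {k: v for k, v in attrs.items() if k in REQUIRED or k in accepted_optional}


def _norm(name):
    return " ".join(name.replace(".", " ").split()).casefold()


def activate(attrs, records):
    """One-time activation: bind the CSP's (csp, userId) pair to exactly one AA record.
    Returns ("matched", record id) on a unique hit, ("query_user", reason) when the
    assertion lacks the data to match or the match is ambiguous, else ("no_match", None)."""
    ssn4, dob = attrs.get("partialSSN"), attrs.get("dob")
    if not (ssn4 and dob):
        return ("query_user", "partial SSN or DOB not asserted; collect it from the user")
    hits = [r for r in records
            if r["ssn"][-4:] == ssn4 and r["dob"] == dob
            and _norm(r["name"]) == _norm(attrs["commonName"])]
    if len(hits) == 1:
        hits[0]["federated_id"] = (attrs["csp"], attrs["userId"])  # later logins match on this
        return ("matched", hits[0]["id"])
    if hits:  # last four of SSN + DOB + name is not guaranteed unique; never guess
        return ("query_user", "more than one record matches")
    return ("no_match", None)


# Constructed AA records system; rec-9 shares last-4 SSN and DOB but not the name.
RECORDS = [
    {"id": "rec-7", "name": "Jane Q. Public", "ssn": "987-65-1234", "dob": "03/14/1970"},
    {"id": "rec-9", "name": "John Public", "ssn": "123-45-1234", "dob": "03/14/1970"},
]

if __name__ == "__main__":
    attrs = parse_assertion(SAMPLE_ASSERTION, "https://aa.example.gov/app", NOW_IN_WINDOW)
    print(activate(apply_aa_policy(attrs), RECORDS))       # ('matched', 'rec-7')
    print(activate(apply_aa_policy(attrs, ()), RECORDS))   # ('query_user', ...)
```

Two points the notice leaves implicit are worth keeping in mind when reading the example: the attribute values are only as trustworthy as the signature check that precedes them, so an AA must verify the assertion's signature against the CSP's published key and reject replays before any matching takes place; and the last four digits of the SSN together with a date of birth do not uniquely identify a person in a large records system, so an AA should treat a multi-record match as a reason to query the user rather than pick one.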
The E-Authentication Federation/Service Component does not involve any new collection of information from end users. If a Federal agency chooses to create or modify a records system to maintain information expressed in the SAML assertion, it must establish or amend a system of records (SOR) notice through publication in the Federal Register. Federal agencies that serve as CSPs or AAs may choose to maintain audit logs for browser-based access; such logs may include transaction data associated with the SAML assertion. Such audit logs are used to monitor browser access and are not considered systems of records requiring coverage under the Privacy Act. Once the identity information is known to the AA, the user interacts directly with the AA for business transactions. While the E-Authentication Service Component addresses the need for common infrastructure for authenticating end users to applications, authorization privileges at the application are beyond the scope of the E-Authentication initiative. Authorization and related functionality such as access control and privilege management are left to the application owners. Ensuring trust between the participating entities of the E-Authentication Federation (AAs, CSPs and End users) is core to the mission of the E-Authentication initiative. The E-Authentication Service Component provides:
- Policies and guidelines for Federal authentication;
- Credential assessments and authorizations;
- Technical architecture and documents, including Interface Specifications, for communications within the E-Authentication Federation Network;
- Interoperability testing of candidate products, schemes or protocols;
- Business rules for operating within the Federation; and
- Management and control of accepted federation schemes operating within the environment.
The E-Authentication Service Component technical approach has two different architectural techniques, assertion-based authentication and certificate-based authentication. PIN and Password authentications typically use assertion-based authentication, where users authenticate to the selected CSP, which in turn asserts their identity to the AA. Certificate-based authentication relies on X.509v3 digital certificates in a Public Key Infrastructure (PKI) for authentication, and can be used at any assurance level. PKI credentials offer considerable advantages for authentication. Certificates can be validated using only public information. Standards for PKI are also more mature than other authentication technologies and more widely used than the emerging standards for assertion-based authentication of PIN and password credentials. Nevertheless, the E-Authentication Service Component incorporates both assertion-based and certificate-based authentication to provide the broadest range of flexibility and choices to Federal agencies and end users.
The General Services Administration (GSA) is responsible for assisting Federal agencies with the implementation and use of digital signature technologies to enhance electronic access to government information and services by all eligible persons. In order to ensure that the ACES program certificates are issued to the proper individuals, GSA will continue to collect identity information from persons who elect to participate in ACES.
D. Annual Reporting Burden
Responses Per Respondent: 1.
Hours Per Response: .25.
Total Burden Hours: 250,000.
Obtaining Copies of Proposals: Requesters may obtain a copy of the information collection documents from the General Services Administration, Regulatory Secretariat (VIR), 1800 F Street, NW., Room 4035, Washington, DC 20405, telephone (202) 501-4755. Please cite OMB Control No. 3090-0270, Access Certificates for Electronic Services (ACES), in all correspondence.
Dated: July 18, 2006.
Michael W. Carleton,
Chief Information Officer.
[FR Doc. E6-11760 Filed 7-24-06; 8:45 am]
BILLING CODE 6820-DH-S