NMFS FIS ER eSignature Project Risk Analysis October 1, 2008


Page 1

NMFS FIS ER eSignature Project
Risk Analysis
October 1, 2008

Page 2

NMFS eSignature Project Timeline (Preliminary Schedule)

- 7/25/08 -- Stakeholder Communication Plan, which identifies stakeholders, the nature of their interest in NMFS eSignature solutions, their issues or concerns, points of contact and methods for keeping relevant stakeholders informed and engaged.
- 8/27/08 -- Alternatives Analysis for technical approaches to eSignatures
- 10/1/08 -- Risk Assessment of pilots and assignment of assurance levels for pilots
- 10/15 -- Cost/Benefit Analysis or business plan template prepared according to NMFS procedural directive 32-110-02
- 10/31/08 -- Implementation Plan template prepared according to NMFS procedural directive 32-110-02
- 12/5/2008 -- Presentation of preliminary results to stakeholders
- 12/19/2008 -- Critique of final project documents.

Page 3

Table of Contents

- Legal and Policy Context
  - GPEA
  - OMB Policy
  - NIST Technical Guidance
- E-Authentication Risk Assessment
- National Marine Fisheries Service Pilot Systems
- E-signature pilot recommendations based on risk assessment
- Next Steps

Page 4

Legal and Policy Context for Electronic Authentication

- The Electronic Signatures in Global and National Commerce (E-SIGN) Act: legitimates the legal standing of e-signatures and of contracts and transactions signed electronically. Technology neutral on e-signatures.
- Government Paperwork Elimination Act—Section 1709(1) of GPEA reads: “electronic signature” means a method of signing an electronic message that—(A) identifies and authenticates a particular person as the source of the electronic message; and (B) indicates such person’s approval of the information contained in the electronic message.
- E-Government Act of 2002—mostly emphasis on Privacy Impact Assessments

Page 5

OMB e-Authentication Policy

- Does not prescribe technologies or even assurance levels.

Definitions from NRC’s Who Goes There? Privacy Implications of Authentication:

- Attribute: a property associated with an individual.
- “An identity of X” is the set of information about an individual X associated with that individual in a particular identity system Y.
- Identification is the process of using claimed or observed attributes of an individual to infer who the individual is.
- Authentication is the process of establishing confidence in the truth of some claim.
  - Individual authentication is the process of establishing an understood level of confidence that an identifier refers to a specific individual.
  - Attribute authentication is the process of establishing an understood level of confidence that an attribute applies to a specific individual.
  - Identity authentication is the process of establishing an understood level of confidence that an identifier refers to an identity.
- Authorization is the process of deciding what an individual ought to be allowed to do.

Page 6

Five Step Process for Determining Desired Assurance Level (OMB Policy)

1. Conduct risk assessment
2. Map identified risks to assurance level (four levels outlined in the next four pages)
3. Select technology based on NIST technical guidance
4. Validate that the implemented system has achieved the desired assurance level
5. Periodically reassess the system to assure the solution produces the desired assurance.

Page 7

4 Levels of Assurance—Level 1

- Little or no confidence: A user presents a self-registered user ID or password to the U.S. Department of Education web page, which allows the user to create a customized “My.ED.gov” page. A third party gaining unauthorized access to the ID or password might infer personal or business information about the individual based upon the customization, but absent a high degree of customization these risks are probably very minimal.
- Some confidence
- High confidence
- Very high confidence

Page 8

4 Levels of Assurance—Level 2

- Little or no confidence
- Some confidence: An agency employee has access to potentially sensitive personal client information. She authenticates individually to the system at Level 2, but technical controls (such as a virtual private network) limit access to the system to the agency premises. Access to the premises is controlled, and the system logs her access instances. In a less constrained environment, her access to personal sensitive information would create moderate potential impact for unauthorized release, but the system’s security measures reduce the overall risk to low.
- High confidence
- Very high confidence

Page 9

4 Levels of Assurance—Level 3

- Little or no confidence
- Some confidence
- High confidence: An agency employee or contractor uses a remote system giving him access to potentially sensitive personal client information. He works in a restricted-access federal office building. This limits physical access to his computer, but system transactions occur over the Internet. The sensitive personal information available to him creates a moderate potential impact for unauthorized release.
- Very high confidence

Page 10

4 Levels of Assurance—Level 4

- Little or no confidence
- Some confidence
- High confidence
- Very high confidence: A law enforcement official accesses a law enforcement database containing criminal records. Unauthorized access could raise privacy issues and/or compromise investigations.

Page 11

Risk Assessment Process

Two factors:

- Potential harm or impact (selected examples to follow): Low, Moderate, High
- Likelihood of harm or impact: Low < 30 percent; Moderate > 30 and < 70 percent; High > 70 percent

Page 12

Categories of Harm and Impact from Risk Assessment

- Inconvenience, distress or damage to standing or reputation
- Financial loss or agency liability
- Harm to agency programs or public interest
- Unauthorized release of sensitive information
- Civil or criminal violations

Page 13

Impact Examples for NMFS (Source: OMB Policy)

Potential impact of unauthorized release of sensitive information:

- Low—at worst, a limited release of personal, U.S. government sensitive, or commercially sensitive information to unauthorized parties resulting in a loss of confidentiality with a low impact (i.e., a limited adverse effect on organizational operations, such as one fisher’s logbook being accessed by another, unauthorized fisher).
- Moderate—at worst, a release of personal, U.S. government sensitive, or commercially sensitive information to unauthorized parties resulting in loss of confidentiality with a moderate impact (i.e., a serious adverse impact on organizational operations, which might include delaying an in-progress law enforcement activity).
- High—a release of personal, U.S. government sensitive, or commercially sensitive information to unauthorized parties resulting in loss of confidentiality with a high impact (i.e., a severe or catastrophic adverse effect on organizational operations, which might include compromising future law enforcement activities).

Page 14

Impact Examples for NMFS (Source: OMB Policy)

Potential impact of inconvenience, distress, or damage to standing or reputation:

- Low—at worst, limited, short-term inconvenience, distress or embarrassment to any party, where NMFS and one or two parties know of a problem that is not known to the general public.
- Moderate—at worst, serious short-term or limited long-term inconvenience, distress or damage to the standing or reputation of any party, which might involve one-time negative press reports for the agency.
- High—severe or serious long-term inconvenience, distress or damage to the standing or reputation of any party (ordinarily reserved for situations with particularly severe effects or which affect many individuals, such as when NMFS loses credibility across a whole region or for stewarding a particular species of fish).

Page 15

Impact Examples for NMFS (need to update with input from OLE or General Counsel) (Source: OMB Policy)

The potential impact of civil or criminal violations is:

- Low—at worst, a risk of civil or criminal violations of a nature that would not ordinarily be subject to enforcement efforts.
- Moderate—at worst, a risk of civil or criminal violations that may be subject to enforcement efforts.
- High—a risk of civil or criminal violations that are of special importance to enforcement programs.

Page 16

Assurance Level Impact Profiles (Source: OMB E-Authentication Policy)

Potential Impact Categories for Authentication Errors        | 1   | 2   | 3   | 4
Inconvenience, distress or damage to standing or reputation  | Low | Mod | Mod | High
Financial loss or agency liability                           | Low | Mod | Mod | High
Harm to agency programs or public interests                  | N/A | Low | Mod | High
Unauthorized release of sensitive information                | N/A | Low | Mod | High
Civil or criminal violations                                 | N/A | Low | Mod | High
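The impact-to-level mapping in this table and the likelihood buckets from Page 11, worked as an added Python example (not part of the original deck): given an assessed impact per harm category, it returns the lowest OMB assurance level whose impact profile tolerates every category. The category keys, the E-logs sample profile and the handling of the exact 30 and 70 percent boundaries are assumptions of this example.

```python
# Impact ordering implied by the profile table: N/A (none) < Low < Mod < High.
IMPACT_RANK = {"N/A": 0, "Low": 1, "Mod": 2, "High": 3}

# Page 16 impact profiles: the worst impact each assurance level (1..4) may
# carry, per harm category. The short category keys are this example's own.
IMPACT_PROFILES = {
    "inconvenience":  ("Low", "Mod", "Mod", "High"),
    "financial":      ("Low", "Mod", "Mod", "High"),
    "program_harm":   ("N/A", "Low", "Mod", "High"),
    "release":        ("N/A", "Low", "Mod", "High"),
    "civil_criminal": ("N/A", "Low", "Mod", "High"),
}


def likelihood_rating(percent):
    """Page 11 buckets: Low < 30, Moderate 30-70, High > 70 percent.
    The deck leaves the exact boundaries open; treating 30 as Moderate
    and 70 as High is an assumption of this example."""
    if not 0 <= percent <= 100:
        raise ValueError("percent must be within 0..100")
    if percent < 30:
        return "Low"
    if percent < 70:
        return "Moderate"
    return "High"


def required_assurance_level(assessed):
    """assessed maps category -> impact; omitted categories count as N/A.
    Returns the lowest level whose profile tolerates every assessed impact,
    i.e. the maximum level demanded by any single category."""
    unknown = set(assessed) - set(IMPACT_PROFILES)
    if unknown:
        raise KeyError(f"unknown impact category: {sorted(unknown)}")
    level = 1
    for category, impact in assessed.items():
        rank = IMPACT_RANK[impact]          # KeyError on a misspelled rating
        profile = IMPACT_PROFILES[category]
        # First 1-based level whose tolerated impact covers the assessed one;
        # Level 4 tolerates High everywhere, so next() always finds a match.
        needed = next(i + 1 for i, cap in enumerate(profile)
                      if IMPACT_RANK[cap] >= rank)
        level = max(level, needed)
    return level


# Constructed profile modelled on the deck's E-logs discussion (Pages 13 and
# 29): one fisher's logbook read by another is a Low release impact, and the
# embarrassment is Low. Level 1 tolerates no release impact, so Level 2 results.
ELOGS_PROFILE = {"inconvenience": "Low", "release": "Low"}
```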

Page 17

NIST Special Publication 800-63

- Revisions from the draft emphasized further that technology alone does not mitigate risk.
- Authentication technology works with policy and process to produce an authentication solution.
- The totality of the authentication solution mitigates risks.
- Does not prescribe technical solutions, but provides an array of options for each level of assurance.

Page 18

NIST Special Publication 800-63

Authentication solutions for specified assurance levels

Level 1
- No identity proofing requirement at this level
- Anonymous credential OK
- Some assurance that the same claimant is accessing the protected transaction or data.
- A wide range of available authentication technologies may be employed; allows any of the token methods of Levels 2, 3 or 4, including PINs.
- May also use tunneled passwords and challenge/response protocols

Page 19

NIST Special Publication 800-63

Level 2
- Identity proofing and registration provide sufficient assurance for relatively low risk business transactions with low probabilities of moderate impact from the risk assessment.
- Anonymous credential OK
- A wide range of available authentication technologies can be employed at Level 2.
- Any of the token methods of Levels 3 or 4, including passwords, are allowable.
- Successful authentication requires that the claimant prove through a secure authentication protocol (e.g., a tunneled password protocol such as SSL or TLS) that he or she controls the token.

Page 20

NIST Special Publication 800-63

- Tokens are something that the user possesses and controls that may be used to authenticate the claimant’s identity.
- The user authenticates to a system or application over a network.
- A token shall include some secret information, and it is important to provide security for the token.
- The three factors often considered as the cornerstones of authentication:
  - Something you know (for example, a password)
  - Something you have (for example, a cryptographic key or smart card)
  - Something you are (for example, a voice print or other biometric)

Page 21

NIST Special Publication 800-63

- Hard token – a hardware device that contains a protected cryptographic key. Authentication is accomplished by proving possession of the device and control of the key.
- Soft token – a cryptographic key that is typically stored on disk or some other media. Authentication is accomplished by proving possession and control of the key. The soft token shall be encrypted under a key derived from a password known only to the user, so knowledge of a password is required to activate the token.
- One-time password device token – a personal hardware device that generates “one time” passwords for use in authentication.
- Password token – a secret character string that a claimant memorizes and uses to authenticate his or her identity.

Page 22

NIST Authentication Mapping (Token Type)

Columns: Level 1 | Level 2 | Level 3 | Level 4

Rows (token types):
- Hard crypto token
- Soft crypto token
- Zero knowledge password
- One-time password device
- Strong password
- PIN

[The per-level marks of the original table are not recoverable from this transcript.]

Note: This is not the assurance level for the authentication solution; just the token.

Page 23

Thoughts on Strong Passwords

“People either choose not to use or make errors in systems that are not designed with their limits in mind; this can result in compromises to privacy.” (NRC Report Finding 4.1)

Page 24

NMFS Electronic Reporting FIS (should we just lift from wiki or do this by reference?)

National Permits Systems
- Users and functionality
- Transactions: data sensitivity and volume
- Internal control processes
- Potential impact:
  - Inconvenience, distress or damage to standing or reputation:
  - Financial loss or agency liability:
  - Harm to agency programs or public interest:
  - Unauthorized release of sensitive information:
  - Civil or criminal violations:
- Likelihood of harm or impact:
- Presumed Assurance level:

Page 25

NMFS E-Government Systems (cont.)

E-logs
- Users and functionality
- Transactions: data sensitivity and volume
- Internal control processes
- Potential impact:
  - Inconvenience, distress or damage to standing or reputation:
  - Financial loss or agency liability:
  - Harm to agency programs or public interest:
  - Unauthorized release of sensitive information:
  - Civil or criminal violations:
- Likelihood of harm or impact:
- Presumed Assurance level:

Page 26

NMFS E-Government Systems (cont.)

Fish/Trip Tickets
- Users and functionality
- Transactions: data sensitivity and volume
- Internal control processes
- Potential impact:
  - Inconvenience, distress or damage to standing or reputation:
  - Financial loss or agency liability:
  - Harm to agency programs or public interest:
  - Unauthorized release of sensitive information:
  - Civil or criminal violations:
- Likelihood of harm or impact:
- Presumed Assurance level:

Page 27

NMFS E-Government Systems (cont.)

TBD
- Users and functionality
- Transactions: data sensitivity and volume
- Internal control processes
- Potential impact:
  - Inconvenience, distress or damage to standing or reputation:
  - Financial loss or agency liability:
  - Harm to agency programs or public interest:
  - Unauthorized release of sensitive information:
  - Civil or criminal violations:
- Likelihood of harm or impact:
- Presumed Assurance level:

Page 28

NMFS Risk Mitigation Through E-Authentication Policy

                 | A                                                | B
Business process | ID proofing through NPS registration process     | ?
Technology       | Data encryption (SSL or VPN) for confidentiality | User name/password to validate user identity

May combine technologies, or all three above, to increase the assurance level of the solution.

Page 29

Recommended eSignature Solution Framework for NMFS

- NMFS policy, processes and technology provide a strong foundation for eSignature solutions.
- eSignature technology does not assume all risk mitigation, as existing policy and process create a comprehensive authentication solution.
- Assuming any E-Authentication solution will work within existing risk mitigation processes, NMFS can use PIN and/or password for eSignature and E-Authentication for level 2 assurance for:
  - NPS
  - E-logs
  - Trip/Fish Tickets
  - Planned systems (subject to possible reanalysis)
- ?
- ?

Page 30

Next Steps for Analysis

- This report contains a set of recommendations for assurance levels and potential e-authentication solutions.
- Per OMB policy, check periodically that eSignature and e-authentication solutions provide the desired assurance level.
- Review and revise the risk assessment for e-government applications as necessary when the impact or probability of risks changes.

Next Steps for Team
- ?
- ?