
AFMD-93-70R 1 (1993-05-04)



United States
General Accounting Office
Washington, D.C. 20548

Accounting and Financial
Management Division

B-253174

May 4, 1993

Mr. Charles E. Tompkins, III
Deputy Program Manager
Reserve Component Automation System
Department of the Army

Dear Mr. Tompkins:

This letter responds to your March 5, 1993, request that we sanction the
electronic authentication system used in the Reserve Component
Automation System (RCAS) for financial applications. RCAS processes
unclassified and classified data. Based on the material provided with your
letter and discussions with your staff, we have concluded that the
electronic signatures generated by this system do not provide the same
quality of evidence as the handwritten signatures they are designed to
replace. We are unable to sanction your electronic authentication system
for financial and contractual purposes because it does not provide
reasonable assurance that the signatures generated will meet the criteria
outlined in 71 Comp. Gen. 109 (1991). Specifically, we note that your
system uses cryptographic algorithms and techniques which have not been
approved by either the National Institute of Standards and Technology
(NIST) or the National Security Agency (NSA). We do not sanction systems
whose algorithms and techniques have not been approved by the
appropriate agency.

The Computer Security Act assigns to NIST the authority and the
responsibility to establish standards for federal computer systems that
process sensitive but unclassified information after coordination with NSA.
These standards include acceptable methods to ensure the security and
privacy of information in those systems. In addition, NSA establishes
policies and procedures that must be used for the protection of classified
material. Both NIST and NSA have established procedures for the evaluation
and approval of cryptographic algorithms for use by the federal
government.

Although the RCAS contractor's conceptual approach of condensing the
data to be signed and then encrypting the condensed value can produce
acceptable electronic signatures, the techniques adopted do not follow
federal government standards and practices which have been approved by
NIST and NSA. Our concerns include the use of (1) proprietary
cryptographic and hash algorithms which have not been approved by


GAO/AFMD-93-70R RCAS Authentication


Page 1
