Friday, October 31, 2014

FAR Electronic Signature Needs

In addition to traditional ink, Federal Acquisition Regulations permit the use of proper electronic signatures.


The Federal Acquisition Regulation (FAR) is the document that regulates purchases and acquisitions by the federal government. At nearly 2,000 pages, the FAR sets out rules and procedures that federal agencies must follow in making purchases, and also establishes certain standards that must be followed by businesses seeking to qualify as federal suppliers.


The FAR permits the use of electronic signatures, and encourages electronic commerce whenever it is "practicable" or reduces costs.


FAR Signature Requirements


The FAR states that only a designated contract officer can sign and thereby execute a purchasing contract on behalf of the U.S. federal government.


Similarly, the contract requires the signature of the individual contractor, or an authorized officer of the counterparty. The FAR (Subpart 4.1) outlines the types of signatures required from different types of counterparties.


According to the FAR definition (Subpart 2.1): "'Signature' or 'signed' means the discrete, verifiable symbol of an individual that, when affixed to a writing with the knowledge and consent of the individual, indicates a present intention to authenticate the writing. This includes electronic symbols."


Electronic signatures in the FAR


The FAR explicitly permits the use of electronic signatures, and more broadly encourages the use of e-commerce "whenever practicable or cost-effective." FAR Subpart 4.502 states that: "Agencies may accept electronic signatures and records in connection with Government contracts."


The FAR does not specify the technical characteristics that electronic signatures or digital signing certificates must bear. However, it does require agencies using e-commerce processes to ensure that their systems maintain data confidentiality and properly authenticate users and documents. Subpart 4.5 also makes reference to standards developed by the National Institute of Standards and Technology (NIST).


Other relevant regulations


The Electronic Signatures in Global and National Commerce Act (ESIGN) was enacted in 2000, and helped standardize U.S. government policy regarding electronic signatures. The act can be read in its entirety in Title 15, Chapter 96 of the U.S. Code (15 USC Chapter 96).


ESIGN defines an electronic signature to mean: "an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record."


This is the meaning borne by the term 'electronic signature' throughout the FAR and in other U.S. federal laws.


NIST technical requirements


NIST's Federal Information Processing Standards Publication 186-3 (FIPS 186-3) of 2009 is the latest revision and elaboration of the specifications for the Digital Signature Standard (DSS), originally adopted in 1994 by the Department of Commerce and imposed government-wide.


The document is extremely detailed, and contains in-depth description and discussion of the mathematics and algorithms that underlie digital signature creation and security.


It is important to remember that while every "digital signature" is a form of electronic signature, there are valid electronic signatures that do not qualify as bona fide "digital signatures."