(from policy directive 32-110))
1. The implementation of an e-signature system must contain some form of technical non-repudiation services to protect the reliability, authenticity, integrity, and usability, as well as the confidentiality, and legitimate use of the electronically-signed information.
2. The technical non-repudiation services (required in number 1 above) should tie the electronic transaction to the individual or entity in a legally-binding way.
3. The electronic signature process should include, as part of its technical non-repudiation services, audit trails that ensure the chain of custody for the transaction. These audit trails should identify the sending location, sending individual or entity, date and time stamp of receipt, and other measures that will ensure the integrity of the document. These audit trails must validate the integrity of the transaction and prove: (1) that the connection between the submitter and NMFS has not been tampered with; and (2) how the document was controlled upon receipt by NMFS.
4. An electronic receipt or some form of electronic acknowledgement of a successful submission of the electronic record and signature should be provided.
5. Section 1708 of GPEA states that information collected from individuals and entities as part of an electronic signature authentication process may only be use to facilitate that electronic communication process between the individual or entity and a federal agency.
6. The implementing office should incorporate a long-term retention and access policy for the use of electronic signatures in electronic records with particular attention paid to the preservation of legal rights.
7. Periodic review and re-evaluation of the electronic signature process must be performed with particular attention paid to continuing changes in technology, law, and policy guidance. |