Business Context
National Marine Fisheries Service issues permits to fishing industry individuals and corporations and also to individual recreational fishers.
Permits Types
A wide range of permit types are issued. Some representative examples are:
Business Drivers
Fisheries are managed regionally, but many participants in the fishing industry are national or multinational in scope. It would be a convenience to these participants to offer a one-stop shop for permits. A one-stop shop would also make it easier to maintain a single identifier for an industry participant who fishes or processes fish in multiple regions, and it would leverage efforts to improve data quality across regions.
Business Risk in the Permit Context
NIST 800-30: Risk Management Guide for Information Technology Systems defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.
Users and functionality
Transactions-data sensitivity and volume
Internal control processes
Threat and Vulnerability Identification
Vulnerability | Threat-source | Threat Action | Category of Harm | Likelihood | Impact
---|---|---|---|---|---
Impersonation in registration and/or transactions | Common Criminal, Identity Thief | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Low: general criminals won't have subject area expertise to discover a fraud opportunity and there are probably much more attractive targets | Low: impersonated parties would be likely to notice quickly and impact could be mitigated
Impersonation in registration and/or transactions | Disgruntled industry employee | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Moderate: an employee would have the means, but risk exposure is not significantly different in electronic transactions than it is in paper transactions | Low: impersonated parties would be likely to notice and impact could be mitigated
Impersonation in registration and/or transactions | Competitor | Impersonation using stolen identity credentials (registration credentials or NPS identity credentials) | Inconvenience, distress or damage to standing or reputation | Low: a competitor might have an opportunity to profit from fraud, but risk exposure is not significantly different in electronic transactions than it is in paper transactions | Low: impersonated parties would be likely to notice and impact could be mitigated
Repudiation to escape accountability | Customer (fisher or processor) | Signer claims "I didn't sign that" | Inconvenience, distress or damage to standing or reputation | Low: in most cases a customer who repudiated an e-signed document submission could then be prosecuted for failure to file the repudiated document | Low: agency might expend effort
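As an added worked example that is not part of the original document: the NIST SP 800-30 (2002) risk-level matrix applied to the four rated rows of the table above. It assumes the page's "Moderate" likelihood corresponds to NIST's "Medium" level, and the rows are transcribed with their rationale text dropped.

```python
# Added example (not from the original document): applies the NIST SP 800-30
# risk-level matrix (Table 3-6 of the 2002 guide) to the permit-system threat
# table. Assumption: the page's "Moderate" rating maps onto NIST's "Medium".
from dataclasses import dataclass

# NIST 800-30 weights: likelihood High 1.0 / Medium 0.5 / Low 0.1,
# impact High 100 / Medium 50 / Low 10; risk = likelihood x impact.
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}


def normalize(rating: str) -> str:
    """Map the page's wording onto NIST's three-level scale ("Moderate" -> "Medium")."""
    r = rating.strip().capitalize()
    return "Medium" if r == "Moderate" else r


def risk_score(likelihood: str, impact: str) -> float:
    """NIST 800-30 risk score: likelihood weight times impact weight."""
    return LIKELIHOOD_WEIGHT[normalize(likelihood)] * IMPACT_WEIGHT[normalize(impact)]


def risk_level(score: float) -> str:
    """NIST 800-30 risk scale: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Row:
    vulnerability: str
    threat_source: str
    likelihood: str
    impact: str


# Transcribed from the table above (rationale text omitted).
PERMIT_ROWS = [
    Row("Impersonation in registration and/or transactions", "Common Criminal, Identity Thief", "Low", "Low"),
    Row("Impersonation in registration and/or transactions", "Disgruntled industry employee", "Moderate", "Low"),
    Row("Impersonation in registration and/or transactions", "Competitor", "Low", "Low"),
    Row("Repudiation to escape accountability", "Customer (fisher or processor)", "Low", "Low"),
]


def assess(rows):
    """Return (threat_source, score, level) per row, highest-scoring row first."""
    scored = [(r.threat_source, risk_score(r.likelihood, r.impact)) for r in rows]
    return sorted([(src, s, risk_level(s)) for src, s in scored], key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for src, score, level in assess(PERMIT_ROWS):
        print(f"{level:6} {score:5.1f}  {src}")
```

Every row in the page's table lands in NIST's "Low" band; the matrix only separates them by the employee's higher likelihood, which is what makes that row the one to watch.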