The National Marine Fisheries Service Policy Directive 32-110, "Use and Implementation of Electronic Signatures," outlines the following requirements for an approved electronic signature system:

  1. Technical non-repudiation services
  2. Legally binding the electronic transaction to an entity
  3. Providing chain of custody audit trails
  4. Providing an electronic receipt or acknowledgment of a successful submission
  5. Collecting only necessary information in the electronic signature authentication process
  6. Create a long-term retention and access policy
  7. Periodic review and re-evaluation of the electronic signature process

This section documents design details that address these requirements.

Binding the Transaction to an Entity and Non-repudiation

Requirements 1 and 2 above are addressed in the design of three component parts of the system:

  • identity assertion, person proofing, and registration
  • terms and conditions and signing ceremony
  • document binding and document integrity

The Hawaii Longline Logbook E-signature Evaluation has concluded that OMB Assurance Level 1 (little or no confidence in the asserted identity) was appropriate for the Hawaii Longline Logbook. This was a considered decision justified by low likelihood of occurrence, mostly low impact of harm, and multiple and strong mitigating controls, including: multiple and sometimes counter-balancing sources of information; permitted entities with an ongoing trusted relationship with NMFS; a rigorous certification process for e-logbook applications; and unique identifiers on each e-logbook submission. Although the evaluation concluded that an OMB Assurance Level 1 was appropriate, registration to submit logbooks electronically and association of e-logbook registration with fishing permits are features of the proposed system. But since the existing permit process does not explicitly verify an individual's identity, these features do not qualify the proposed system as OMB level 2.

The proposed identity assertion, person proofing, and registration starts with a permit holder completing a NMFS electronic logbook agreement, establishing a linkage between the permit, the permit holder, and the fishing vessel operator who is authorized to submit electronic logbooks for that permit. more?... (See Identity Assertion, Person Proofing and Registration for a broader discussion of these issues and alternatives.)

Terms and conditions presented during registration and the signing ceremony contribute to binding the transaction to the entity and non-repudiation. (See terms and conditions and signing ceremony for a broader discussion of these issues and alternatives.) Terms and conditions specified during the registration process include the following statement on the paper form just above the required signature block:

Registration Terms and Conditions

Terms and conditions presented during the signing ceremony (when the vessel operator has entered logbook data into the e-logbook program and is saving the data, or when the vessel operator is exporting data to portable media for submission to NMFS) include the following statement just above the required signature block:

Signing Ceremony Terms and Conditions

Technically the transaction data is bound to entity identity data by a shared identifier (permit number) in the registration data (electronic logbook agreement), the permit database, and in e-logbook submissions. Further binding could be established by asking the e-logbook vendor to correlate customer identities to the unique keys which are embedded in each installation of certified e-logbook software. (See document binding and integrity for a broader discussion of these issues and alternatives.)

Technical controls for document integrity and audit trails also contribute to binding the transaction to the entity and non-repudiation, but those controls are more appropriately discussed in the next section.

Providing Chain of Custody Audit Trails

NMFS policy directive 32-110 specifies "...audit trails that ensure the chain of custody for the transaction. These audit trails should identify the sending location, sending individual or entity, date and time stamp of receipt, and other measures that will ensure the integrity of the document. These audit trails must validate the integrity of the transaction and prove: (1) that the connection between the submitter and NMFS has not been tampered with; and (2) how the document was controlled upon receipt by NMFS."

The proposed design implements the following audit trail controls:

  1. the NMFS employee who received the portable media will return to the office, log in, and run a data import process
  2. the data import process will record where and when the portable media was delivered, who delivered it and who received it. The NMFS data import program will record this information, the time that the data import was run, and the raw uninterpreted contents of the submitted e-logbook file(s) into a NMFS database.
  3. These audit trail data items should be written to audit trail tables by the data import application using a database account which has insert privileges to the database but does not have update or delete privileges. (And update and delete privileges on the audit trail tables should be carefully controlled by the database administrator.)
  4. after this audit trail information is recorded, the import program can proceed to interpret the e-logbook data stream and insert the data into NMFS operational database(s).
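
An added sketch of the import order and append-only audit table described in steps 2 to 4 (example code, not NMFS code). SQLite triggers stand in for the insert-only database account, and the table names, the two-field CSV logbook format, and the SHA-256 column are assumptions made for illustration.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE submission_audit (
    audit_id          INTEGER PRIMARY KEY,
    delivery_location TEXT NOT NULL,  -- where the portable media was delivered
    delivery_time     TEXT NOT NULL,  -- when it was delivered
    delivered_by      TEXT NOT NULL,
    received_by       TEXT NOT NULL,
    imported_on       TEXT NOT NULL,  -- when the data import was run
    raw_contents      BLOB NOT NULL,  -- raw, uninterpreted file bytes
    sha256            TEXT NOT NULL   -- assumption: digest kept for later integrity checks
);
-- SQLite has no GRANT; these triggers stand in for an insert-only account.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON submission_audit
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON submission_audit
BEGIN SELECT RAISE(ABORT, 'audit trail is append-only'); END;
CREATE TABLE logbook_entry (
    audit_id INTEGER NOT NULL, permit_number TEXT NOT NULL, set_date TEXT NOT NULL);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def import_submission(db, raw, delivery_location, delivery_time, delivered_by, received_by):
    """Commit the custody record and raw bytes first, then interpret the file."""
    cur = db.execute(
        "INSERT INTO submission_audit (delivery_location, delivery_time, delivered_by,"
        " received_by, imported_on, raw_contents, sha256) VALUES (?,?,?,?,?,?,?)",
        (delivery_location, delivery_time, delivered_by, received_by,
         datetime.now(timezone.utc).isoformat(), raw, hashlib.sha256(raw).hexdigest()))
    db.commit()  # the audit row is durable before any parsing is attempted
    audit_id = cur.lastrowid
    try:
        # Assumed file format: one "permit_number,set_date" record per line.
        rows = [line.split(",") for line in raw.decode("utf-8").splitlines() if line]
        db.executemany("INSERT INTO logbook_entry VALUES (?,?,?)",
                       [(audit_id, permit, set_date) for permit, set_date in rows])
        db.commit()
    except (ValueError, UnicodeDecodeError):
        db.rollback()  # operational insert is discarded; the audit row remains
        return audit_id, False
    return audit_id, True
```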