National Permit System
E-signature Evaluation
Business Context, Transaction Types and Volume
NMFS requires the use of permits or registrations by participants in U.S. federally regulated fisheries. Permits to fish in waters of the United States and international waters are authorized by various statutes and laws, primarily the Magnuson-Stevens Fishery Conservation and Management Act (Public Law 94-265, as variously amended, most recently by the Magnuson-Stevens Fishery Conservation and Management Reauthorization Act (P.L. 109-479)) (MSA); High Seas Fishery Management and Conservation Act; and the Northern Pacific Halibut Act (Halibut Act). The most used permitting authority, the MSA, provides authority for issuance of permits for foreign fishing; or, under § 303(A) Limited Access Privilege Programs (LAPPs) or § 303(b) as a discretionary provision under authority of a Fishery Management Plan: for vessels, vessel operators, or processors.
Permits and licensing provide means to verify appropriate participation and allocation of resources. For example, foreign participation is limited in most U.S. fisheries. Permits are fundamental to limited access privilege programs (LAPP), also known as individual transferable quota or individual fishing quota (IFQ), which are increasingly used as instruments to manage fisheries from the perspectives of optimum yield and economic viability. Permits facilitate collection of critical harvest, effort, and economic data and are fundamental to enforcing compliance with record-keeping and reporting laws and regulations. Permits are also critical for analytic purposes such as determining economic dependence on fisheries, studying fishery development and collapse, assessing status of stocks, and as the basis of allocation decisions.
A wide range of permit types are issued. Some representative examples are the AFA Inshore Cooperative Permit, which permits fishing for Pollock in the Bering Sea/Aleutian Islands under section 1 of the Fisherman's Collective Marketing Act of 1934 (15 U.S.C. 521), and the Federal Processor Permit, required for a shoreside processor or stationary floating processor (SFP) under 50 CFR 679.4.
At any given time, and depending on how they are counted, NMFS manages approximately 125,000 active commercial fishing permits and registrations, and another 10,000 subsistence permits. (For more detail see NPS Leadership Council Subgroup July 2008.ppt.) Transaction volumes vary by type of permit. Permit renewal requirements vary, some permits are transferable, some fisheries are open for additional entries, which means new permit applications are possible, while other fisheries are managed under limited access privilege programs and don't have new permit applications. The current estimate for annual transaction volume (including new applications, renewals, and transfers) is 100,000. Initially perhaps twenty percent of those transactions will be submitted online, but over time the ratio of online to paper will probably reverse, eventually leading to eighty percent online transactions. There is potential for exponential growth in the number of permits if recreational fishers are required to obtain federal fishing permits.
Business Drivers
Fisheries are managed regionally, but, many participants in the fishing industry are national or multinational in scope. The National Permits System (NPS) Project is a high profile NMFS project aimed at harmonizing the different permit systems across the agency. From this system all regional permit offices will standardize the collection of fees, automate the issuance of commercial fishing permits, and share readily available data from a single national source. In addition, constituents will benefit from a uniform agency permitting process, automated and streamlined online access, and improved customer service.
In order for NMFS offices to be able to issue permits to applicants who apply online via NPS, the system must be able to offer complete electronic renditions of permit application forms that are offered on paper. Since many of these application forms require the applicant to sign a completed application form to affirm that the information placed on the form is correct, NPS needs to implement an e-signature feature to ensure that the data being received electronically is valid and legally binding.
From the permit holder perspective, the drivers for holding a permit are participation in harvesting or processing of a public resource. Further, some permits (e.g., LAPPs) grant exclusive access to a public resource. Participation in harvest or processing without required permits, or, falsifying information on applications, or failure to meet record-keeping and reporting requirements, are all crimes subject to penalties including fines, loss of catch and other assets, loss of licenses or permits, etc. Business drivers for using the new online system (with e-signature) include faster cycle time, immediate feedback for invalid data entry, and online access to status information during the permit processing phase.
Business Risk in the Permit Context
Considerations of business risk may benefit from categorization according to FIPS 199 which provides a common framework for expressing information security concerns throughout the federal government. This system has a FIPS 199 security categorization as follows:
- Low confidentiality requirements -- loss of confidentiality would be expected to have a limited adverse effect on organizational operations, assets, or individuals. A breach of confidentiality would damage our relationship with our constituency and could impact our ability to collect accurate data with which to manage fisheries. This could cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced. It could also expose us to litigation and professional disrepute.
- Moderate integrity requirements -- among other things data from this system could be involved in allocation of individual fishing quotas. Individual fishing quotas have value, and it is critical to maintain access controls, change tracking, and auditability. The moderate level is specified to recognize that loss of integrity could result in significant financial harm to individuals.
- Low availability requirements -- a temporary loss of availability would be expected to have a limited adverse effect. Transactions dependent on this data are not particularly time-sensitive, and business requirements could be met via manual methods during a temporary system outage.
NIST 800-30: Risk Management Guide for Information Technology Systems defines risk as a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The threat and vulnerability identification process that follows is based on NIST 800-30.
Users and functionality
Permit holders range from large multinational corporations to small family businesses. But generally fishing and processing permit holders are technologically sophisticated, as the fishing industry is competitive and participants have strong incentives to leverage available technology. However, fishing is frequently a lifestyle choice of action-oriented individualists, and most of the participants would rather be on deck fishing than in the wheelhouse complying with record-keeping and report requirements. It is probably safe to assume that technology that makes record-keeping and reporting compliance less burdensome will be well accepted, while any technology that increases the burden would be unacceptable.
Data sensitivity and security
Information collected pursuant to requirements of the MSA, including permit application information, is protected by its confidentiality provisions at § 402 and under its implementing regulations at 50 CFR Part 600 Subpart E, including NOAA Administrative Order (NAO) 216-100. Additional protections of the Privacy Act and FOIA apply to such data as well as those collected under the Halibut Act.
Mitigating controls
Perhaps the most significant mitigating control in commercial fisheries transactions is that both parties to the transaction (typically the fisher and the fish processor) are permitted entities and each has some responsibility for accurate and complete record-keeping and reporting (for example, the fisher may be required to keep a logbook showing fishing efforts and catch, while the processor is required to report fish purchased). In these transactions it is typical for the parties to the transactions to have opposite and balancing interests (for example, when a fisher is selling fish to a processor, the fisher wants the amount paid to be high, while the processor wants the amount paid to be low). These multiple sources of information and counter-balanced incentives tend to make deception more difficult to initiate and sustain. This mitigating control may not have as much effect on permitting as it does in catch reporting, but, it is still significant, because there is overlap in reporting of permit numbers, vessel and operator names, landing dates, etc. The industry understands that data collected from different sources is compared and cross-referenced.
Another mitigating control is that under the authority of the Debt Collection Improvement Act (31 U.S.C. 7701), NMFS would collect Tax Identification Number information from individuals in order to issue, renew, or transfer fishing permits or to make nonpermit registrations. Verification of name and Tax Idenfication Number will provide significant confidence that the party is who they claim to be.
In the National Permit System registration will be open to new permit applicants, existing permit holders, and agents of both. From the system perspective, there is little difference between permit holders and agents of permit holders. (Agents should file a notarized letter of authorization from each permit owner that the agent represents. The permit owner is responsible for transactions pertaining to their permit, and if they have delegated to an agent without submitting the authorization letter, that doesn't absolve them of any responsibility.) New permit applicants will not be identifiable with the same level of assurance as existing permit holders, but, as the permit application is processed, the confidence in the permit holder's identity will grow. And as a new permit applicant starts out with no value in the system, there is little at risk for these participants whose identity is less certain.
Existing permit holders may have considerable value in the system; for example, they may own fisheries quota that has significant market value. These existing permit holders must demonstrate knowledge of a secret permit access code (PAC) which was mailed by USPS mail to the permit owner's address of record. After a participant has registered and associated their permits with their username (through knowledge of one or more PACs), then the participant can access potentially sensitive permit information as well as renew or transfer permits. There are further opportunities for mitigating controls in business processes, so the e-signature process does not necessarily have to address all of the transaction risk.
New permit applications generally involve processing rigor commiserate with the value of the permit. Permits for fisheries with low economic opportunity and/or low risk to the public resource generally receive a low level of scrutiny. Permits for fisheries with high economic opportunity and/or high risk to the public resource receive considerable scrutiny. In many cases this involves confirming vessel ownership with the US Coast Guard, verifying participation in prior fisheries through previously submitted state or federal fish tickets or logbooks, confirmation of business ownership, etc.
Permit renewals receive somewhat less scrutiny than new applications, but renewals are processed in the context of a rich ongoing relationship among the permit holder, the permit holder's partners in business transactions, and the agency, and deceptions with respect to an individual's identity would be difficult to sustain in this context.
Permit transfers receive scrutiny comensurate with the complexity of the relevant fisheries management plan. For the more complex fisheries management regimes, changes to permit ownership patterns may have ripple effects.
Finally, note that no financial information, and minimal Personally Identifying Information, are stored in this system.
Threat and Vulnerability Identification
(see Categories of Harm and Impact Definitions)
Vulnerability |
Threat-source |
Threat Action |
Category of Harm |
Likelihood of Occurrence |
Impact of Harm |
E-signature Cost Benefit Assessment |
|---|---|---|---|---|---|---|
System unavailability |
Error, component failure, or act of God |
Power failure, network failure, computer component failure, operator error, software failure, capacity constraint, etc. |
Inconvenience, distress or damage to standing or reputation |
Moderate: failures will happen, but competently managed systems typically have availability records of 99% or better. Agency staff use due diligence to secure systems and reduce vulnerabilities, including daily data backups, etc. |
Low: permit processing is not a time-critical operation, and a paper-based alternative will continue to be an option. Even a systemic failure would be a short-term inconvenience. Smaller scale failures, for instance a failure that prevents online access for one user, would be a minor inconvenience. |
N.A. (E-signature has no effect, positive or negative, on this vulnerability) |
" |
Vandal |
Internet security exploit such as denial-of-service attack |
Inconvenience, distress or damage to standing or reputation |
Low: this is not an high-profile Internet system and should not be a particularly attractive target. Also, if necessary, the system could be hosted in a data center with an incident response capability that could deal with all but the most sophisticated attacks. |
Low: even in the event of a systemic failure unavailability would be a short-term inconvenience |
N.A. |
System misuse |
System administrator, operator, or other agency user |
Abuse of insider knowledge and access for unauthorized use or release of information |
Unauthorized release of sensitive information |
Low: agency staff have significant incentives to behave appropriately and periodic training in ethics and computer security |
Moderate: at worst, a release of personal or commercially sensitive information to unauthorized parties resulting in loss of confidentiality with an expected serious adverse effect on organizational operations. |
N.A. |
" |
" |
" |
Civil or criminal violations |
Low: agency staff have significant incentives to behave appropriately and periodic training in ethics and computer security |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
N.A. |
System compromise |
Vandal |
Internet security exploit circumventing security controls |
Unauthorized release of sensitive information |
Low: agency staff use due diligence to secure systems and reduce vulnerabilities. For example, all internet traffic with the system is conducted over a secure (SSL) connection. Also this is not an high-profile Internet system and should not be a particularly attractive target. If necessary, the system could be hosted in a data center with an incident response capability that could deal with all but the most sophisticated attacks. |
Moderate: at worst, a release of personal or commercially sensitive information to unauthorized parties resulting in loss of confidentiality with an expected serious adverse effect on organizational operations. |
N.A. |
" |
" |
" |
Civil or criminal violations |
Low: agency staff use due diligence to secure systems and reduce vulnerabilities. Also this is not an high-profile Internet system and should not be a particularly attractive target. If necessary, the system could be hosted in a data center with an incident response capability that could deal with all but the most sophisticated attacks. |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
N.A. |
Failure to permit |
Customer (fisher or processor) |
Fisher or processor fails to acquire required permits prior to participating in regulated activities |
Harm to agency programs or public interests |
Low: commercial fishers and processors know the rules and understand the risks of non-compliance, and the extensive mitigating controls make it difficult to initiate and maintain a commercial operation "below the radar" |
Moderate: fishing or processing without agency oversight may facilitate overfishing with significant damage to public interests |
N.A. |
Impersonation in registration and/or transactions |
Common criminal/identity thief |
Impersonation using stolen identity credentials, with fraudulent application, renewal or transfer |
Inconvenience, distress or damage to standing or reputation |
Low: it would be difficult to initiate and maintain a fraud when there are so many mitigating controls including business licenses, vessel registrations, proof of prior participation in fisheries, and transactions with other permitted parties |
Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
Cost: e-reporting and e-signature present a broader attack surface making impersonation more likely |
" |
" |
" |
Unauthorized release of sensitive information |
Low: successful identity theft could result in compromise of sensitive information from the victim's permit records |
Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Cost: e-reporting and e-signature present a broader attack surface making impersonation more likely |
Impersonation in registration and/or transactions |
Disgruntled industry employee or competitor |
Impersonation using stolen identity credentials, with fraudulent renewal or transfer, resulting in unwarranted suspension or revocation of an otherwise valid permit |
Financial loss |
Low: it would be difficult to initiate and maintain a fraud when there are so many mitigating controls including business licenses, vessel registrations, proof of prior participation in fisheries, and transactions with other permitted parties |
Moderate: at worst, a serious unrecoverable financial loss to a permit holder, if the event caused an unwarranted suspension or revocation of an otherwise valid permit, and the victim was forced to forgo opportunity to participate in a fishery |
No net cost or benefit: vulnerability for an attack by a well-informed party is not significantly different in electronic transactions than it is in paper transactions |
" |
" |
Impersonation using stolen identity credentials, with fraudulent submission with intent to incriminate or defame victim |
Inconvenience, distress or damage to standing or reputation |
Low: it would be difficult to initiate and maintain a fraud when there are so many mitigating controls including business licenses, vessel registrations, proof of prior participation in fisheries, and transactions with other permitted parties |
Low: impersonated parties would be likely to notice and when detected, the impact could be effectively mitigated |
No net cost or benefit: vulnerability for an attack by a well-informed party is not significantly different in electronic transactions than it is in paper transactions |
" |
" |
" |
Unauthorized release of sensitive information |
Low: the employee with the means and opportunity already has access to sensitive information and is unlikely to find anything more interesting in permit data |
Low: there isn't a great deal of sensitive information in permit records, and the impact would be limited to the party whose identity has been stolen |
Cost: e-reporting and e-signature present a broader attack surface making impersonation more likely. Note the increased vulnerability to impersonation when the objective is to retrieve sensitive information, which may involve fewer mitigating controls, and less vulnerability when the objective is to apply for permits or transfer permits, where supporting documentation is usually involved. |
" |
Common criminal/identity thief |
Impersonation using stolen identity credentials |
Civil or criminal violations |
Low: it would be difficult to initiate and maintain a fraud when there are so many mitigating controls including business licenses, vessel registrations, proof of prior participation in fisheries, and transactions with other permitted parties |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
Cost: criminal e-signature forgery, falsification or misrepresentation will provide new challenges for enforcement investigation and litigation |
Repudiation to escape accountability |
Customer (fisher or processor) |
Signer claims "I didn't sign that" |
Inconvenience, distress or damage to standing or reputation |
Low: in most cases a customer who repudiated an e-signed document submission could then be prosecuted for fishing or processing without proper permits. There will generally be independent evidence of the fishing or processing activity (follow the fish.) |
Low: agency might expend effort to resolve, but the distress would be limited and short-term |
Cost: despite e-signature's legal standing and agency instructions, there is likely to be a tendency to regard a holographic signature as more significant or more binding. It is likely that the requirement to sign a filing with a holographic signature has more influence on the signer's behavior with respect to their consideration of what they are submitting, their commitment to reporting the truth, and their expectation of being held accountable. Persons signing with an e-signature are likely to understand that it would be difficult to prove what individual executed the e-signature (because credentials are transferable). This is likely to motivate some people to repudiate their e-signature if they are being held accountable for something signed with an e-signature. |
" |
" |
" |
Civil or criminal violations |
Low: in most cases a customer who repudiated an e-signed document submission could then be prosecuted for fishing or processing without proper permits. There will generally be independent evidence of the fishing or processing activity (follow the fish.) |
Moderate: at worst, a risk of civil or criminal violations that may be subject to enforcement efforts |
Cost: criminal e-signature forgery, falsification or misrepresentation will provide new challenges for enforcement investigation and litigation |
E-signature Risk Mitigation
Risk Mitigation Analysis Worksheet (per procedural directive page 9)
Impact Categories |
Significant |
Impact |
Assurance Level |
|---|---|---|---|
Inconvenience, distress or damage to standing or reputation |
No |
Low |
1 |
Financial loss or agency liability |
No |
Mod |
2/3 |
Agency liability |
No |
Mod |
2/3 |
Harm to agency programs or public interests |
No |
Mod |
3 |
Unauthorized release of sensitive information |
No |
Low |
2 |
Personal Safety |
N/A |
N/A |
|
Civil or criminal violations |
No |
Moderate |
3 |
Appropriate OMB Assurance Level to Mitigate Business Risk
Lowest Assurance Level that Mitigates All Impact Categories |
Mitigating Controls |
Appropriate Assurance Level with Consideration of Mitigating Controls |
Proposed E-signature Alternative |
|---|---|---|---|
Level 3---...appropriate for transactions needing high confidence in the asserted identity's accuracy. People may use Level 3 credentials to access restricted web services without the need for additional identity assertion controls. |
Multiple sources of information, some with counter-balancing incentives. |
Level 2---On balance, confidence exists that the asserted identity is accurate. Level 2 credentials are appropriate for a wide range of business with the public where agencies require an initial identity assertion (the details of which are verified independently prior to any Federal action). |