NSF pins hopes on security pilot
- By Paula Shaki Trimble
- Apr 24, 2000
The National Science Foundation will begin testing electronic signature
technology next month that could remove the last impediment to its paperless
proposal process.
Using the Federal Demonstration Partnership (see related story), NSF will join
with 10 universities to test its password-based digital signature system
until July. Unlike the Defense Department and NASA, NSF will hold off on
using public-key infrastructure to certify digital signatures.
The agency, which sponsors science and technology research at academic
institutions, will develop an enhanced password solution that can be used
until PKI becomes more affordable and widely available, NSF officials said.
"We wanted to do something that solved our immediate problem but allowed
us to keep an eye on the future," said Jerry Stuck, deputy director of the
information systems division at NSF.
NSF set a goal of receiving all of its proposals from academic institutions
electronically by Oct. 1. The FastLane system (see related story) is the vehicle
for doing that business digitally, but at least one obstacle remained, Stuck
said.
NSF already receives about 78 percent of its proposals electronically,
but paper certification, or proposal cover sheets, still must be signed
by the researcher and other university officials and mailed within five
days of proposal submission.
"It was a burden on the research institutions and a burden on our staff
to match up the cover sheets with the electronic submissions," Stuck said.
NSF completed a risk assessment with KPMG LLP in December that recommended
that NSF move directly to a PKI solution or enhance the user identification
and password security in lieu of an ink signature, Stuck said.
Public-key technology is a mechanism that enables users to authenticate
their identity and send data confidentially without using shared secrets
such as personal identification numbers (PINs) and passwords, said Richard
Guida, chairman of the Federal PKI Steering Committee. PKI is the infrastructure
used to generate and manage digital certificates, which bind public keys to the identities of their holders.
The cost of PKI was too high for the agency, Stuck said. Instead, NSF
decided to enhance its ID and PIN system with higher levels of security
but leave open the option to move to PKI later, he said.
Under the new system, NSF's four-character PINs will become longer passwords
with mixed characters and numbers as well as encryption.
Each university has an administrator who registers and certifies its
users. In the new password system, the administrator will initialize users
and change passwords if needed.
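The article describes the new password scheme only in outline: four-character PINs become longer passwords mixing letters and digits, and a university administrator initializes each user. The following Python is an added example, not NSF's or FastLane's code, that makes the change concrete: it checks a candidate password against that policy, generates an admin-issued initial password with a CSPRNG, and compares the guess space of the old PIN with the new policy. The minimum length (8), the generated length (12) and the assumption that the old PIN was numeric are constructed placeholders, since the article does not state them; transport encryption, also mentioned in the article, is out of scope here.

```python
import math
import secrets
import string

# Assumed parameters: the article gives no minimum length for the new
# passwords and does not say whether the old PINs were digits only, so
# these are constructed placeholders, not NSF's actual settings.
OLD_PIN_LENGTH = 4
OLD_PIN_ALPHABET = 10                  # assume digits only
NEW_MIN_LENGTH = 8
NEW_ALPHABET = string.ascii_letters + string.digits   # 62 symbols


def search_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of distinct strings of `length` over the alphabet.

    This is the work an online or offline guesser faces in the worst case;
    it is an upper bound, since people choose non-uniform passwords."""
    return length * math.log2(alphabet_size)


def uplift_factor() -> float:
    """How many times larger the new policy's guess space is than the old
    PIN's, assuming the placeholder parameters above."""
    new_bits = search_space_bits(NEW_MIN_LENGTH, len(NEW_ALPHABET))
    old_bits = search_space_bits(OLD_PIN_LENGTH, OLD_PIN_ALPHABET)
    return 2 ** (new_bits - old_bits)


def meets_policy(password: str, min_length: int = NEW_MIN_LENGTH) -> bool:
    """Policy as the article describes it: longer than a PIN, and a mix of
    letters and digits. Both classes must be present."""
    if len(password) < min_length:
        return False
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return has_letter and has_digit


def initial_password(length: int = 12) -> str:
    """Password an administrator would issue when initializing a user.

    Drawn from a CSPRNG (secrets), never random.random, and re-drawn until
    it satisfies the policy so the issued value is always valid."""
    while True:
        candidate = "".join(secrets.choice(NEW_ALPHABET) for _ in range(length))
        if meets_policy(candidate, length):
            return candidate


if __name__ == "__main__":
    print("old PIN space: %.1f bits" % search_space_bits(OLD_PIN_LENGTH, OLD_PIN_ALPHABET))
    print("new policy space: %.1f bits" % search_space_bits(NEW_MIN_LENGTH, len(NEW_ALPHABET)))
    print("uplift factor: %.3g" % uplift_factor())
    print("example initial password:", initial_password())
```

Run as a script it prints the two guess-space figures and a freshly generated initial password. The interesting number is the gap between roughly 13 bits for a four-digit PIN and roughly 48 bits for an eight-character alphanumeric password, which is why the KPMG recommendation to "enhance the user identification and password security" was a meaningful alternative to ink signatures, even though it still rests on a shared secret and so offers none of PKI's non-repudiation.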
NSF tends to pursue its own path for information technology initiatives
that have become part of governmentwide contracts because they are not cost-effective
on a small scale, said Linda Massaro, NSF chief information officer and
director of information and resource management.
The Government Paperwork Elimination Act does not dictate what technology
agencies should use for electronic signatures but encourages them to use
the appropriate level of authentication for their applications, Guida
said.
"They're making a decision that the potential for fraud is such that
one does not need the level of security PKI provides," Guida said. "One
of the things we've encouraged agencies to think about, even if they decide
they don't need PKI for an application, is the expectation of interoperability
with PKI."
Agencies should think about whether their digital certificates can be
honored by other agencies, he said. PINs and passwords don't have that capability
because they tend to be managed locally.
Based on the upcoming pilot, NSF plans to institutionalize its electronic
signature approach by Oct. 1. If it's successful, the agency plans to use
electronic signatures for other transactions, Stuck said.