NSF pins hopes on security pilot

The National Science Foundation will begin testing electronic signature technology next month that could remove the last impediment to its paperless proposal process.

Using the Federal Demonstration Partnership, NSF will join with 10 universities to test its password-based digital signature system until July. Unlike the Defense Department and NASA, NSF will hold off on using public-key infrastructure to certify digital signatures.

The agency, which sponsors science and technology research at academic institutions, will develop an enhanced password solution that can be used until PKI becomes more affordable and widely available, NSF officials said.

"We wanted to do something that solved our immediate problem but allowed us to keep an eye on the future," said Jerry Stuck, deputy director of the information systems division at NSF.

NSF set a goal of receiving all of its proposals from academic institutions electronically by Oct. 1. The FastLane system is the vehicle for doing that business digitally, but at least one obstacle remained, Stuck said.

NSF already receives about 78 percent of its proposals electronically, but paper certification, or proposal cover sheets, still must be signed by the researcher and other university officials and mailed within five days of proposal submission.

"It was a burden on the research institutions and a burden on our staff to match up the cover sheets with the electronic submissions," Stuck said.

NSF completed a risk assessment with KPMG LLP in December that recommended that NSF move directly to a PKI solution or enhance the user identification and password security in lieu of an ink signature, Stuck said.

Public-key technology is a mechanism that enables users to authenticate their identity and send data confidentially without using shared secrets such as personal identification numbers (PIN) and passwords, said Richard Guida, chairman of the Federal PKI Steering Committee. PKI is the infrastructure used to generate and manage digital certificates that generate public keys.

The cost of PKI was too high for the agency, Stuck said. Instead, NSF decided to enhance its ID and PIN system with higher levels of security but leave open the option to move to PKI later, he said.

Under the new system, NSF's four-character PINs will become longer passwords with mixed characters and numbers as well as encryption.

Each university has an administrator who registers and certifies its users. In the new password system, the administrator will initialize users and change passwords if needed.

NSF tends to pursue its own path for information technology initiatives that have become part of governmentwide contracts because they are not cost-effective on a small scale, said Linda Massaro, NSF chief information officer and director of information and resource management.

The Government Paperwork Elimination Act does not dictate what technology agencies should use for electronic signatures but encourages them to use the appropriate level of authentication for their applications, Guida said.

"They're making a decision that the potential for fraud is such that one does not need the level of security PKI provides," Guida said. "One of the things we've encouraged agencies to think about, even if they decide they don't need PKI for an application, is the expectation of interoperability with PKI."

Agencies should think about whether their digital certificates can be honored by other agencies, he said. PINs and passwords don't have that capability because they tend to be managed locally.

Based on the upcoming pilot, NSF plans to institutionalize its electronic signature approach by Oct. 1. If it's successful, the agency plans to use electronic signatures for other transactions, Stuck said.
