GSA outlines four e-authentication assurance levels
The General Services Administration will require agencies to adopt one of four assurance levels for electronic authorization for all e-government projects and major IT systems that conduct transactions by the end of fiscal 2004.
GSA, which will release its proposed policy in tomorrow’s Federal Register, asks agencies to perform risk assessments on the 25 Quicksilver e-government projects by Oct. 1 and all major systems by Sept. 15, 2004, to determine which assurance levels would be appropriate. GSA said most of the Quicksilver initiatives
already have finished their risk assessments and determined the level of assurance they need.
Using e-authentication will help agencies establish confidence in both the identities of users and the authenticity of data in transactions with government information systems, GSA said.
In addition to the proposed policy, the National Institute of Standards and Technology will publish technical recommendations to help agencies determine the technologies they need to meet the assurance levels, the notice said.
GSA detailed assurance levels as:Level 1: Little or no assurance is placed in the identity of the user, such as a citizen logging on to a customized Web page.Level 2: It is highly probable that the user’s identity is accurate, such as a federal employee taking courses through an online education site. GSA said only minor damage would occur if someone falsely identified himself or herself.Level 3: For official transactions that require a high degree of confidence that the user is authentic. GSA said an example of such a user would be a patent attorney who reports and updates data online with the Patent and Trademark Office.Level 4: For official transactions that call for the utmost confidence that the user is authentic. For instance, a law enforcement official accessing a criminal database.
Agency business owners should consider “all direct and indirect consequences” when assessing risks based on the four assurance levels, GSA said.
Connect with the GCN staff on Twitter @GCNtech.