IT policy viewed through the GPEA lens

As agencies move toward e-government, it's important to see how information technology policies interrelate.

This column seeks to provide assistance in seeing the strategic view of the emerging IT policy environment. Links to many of the policy documents discussed below can be found on the Government Paperwork Elimination Act resources page at the CIO Council E-Government Committee's Web site.

The Office of Management and Budget has published several guidelines on making the transition to virtual government. Foremost among them is OMB's guidance on GPEA, which offers agencies a key overview of OMB's policy perspective for transitioning to e-government.

OMB also issued a GPEA Data Call for consolidating federal activities in the move to e-government. The data call is significant because it provides the basis for developing the federal government's portfolio of IT projects to be adapted to e-government. (Think "capital planning.") For further guidance, a model—or ideal—agency response to the data call also was published.

Certain key federal agencies have supplemented OMB's GPEA guidance, based on their area of expertise:

• The National Archives and Records Administration has developed electronic recordkeeping guidance.
• The Justice Department has developed legal guidance for electronic recordkeeping and legal sufficiency in electronic transactions with the public.
• The National Institute for Standards and Technology has developed key technical guidance on implementing digital signatures and security.
• The Social Security Administration has developed a risk-assessment guide.
• The Treasury Department is developing guidance for financial transactions.

Among Justice's recommendations is for agencies to post a terms and conditions agreement to Web sites that conduct electronic transactions with the public. This is part of a continuing trend to, perhaps, also post a model public use policy on federal agency Web sites.

The model public use policy would include contract terms and conditions, a privacy policy and definitions for appropriate and inappropriate behavior on federal Web sites. Although hacking is an obvious prohibited activity, other issues should be addressed, such as libel, sticking to a chat room topic and using federal agency e-mail lists to advertise.

With such a policy in place, the public would clearly understand the conditions under which they may be blocked or potentially face civil or criminal prosecution. One might also call this the "legal jargon" button.

Closely related to GPEA is the information collections program at OMB. The term "information collections" does not relay the great significance of this program. For example, all tax forms submitted by the public are considered an information collection.

Essentially, GPEA is automating information collections. In the future, information collection certification numbers, the list of GPEA projects and the budget reporting requirements for OMB Circular A-11 will become more integrated.

Whereas GPEA primarily focuses on federal agencies, the Electronic Signatures in Global and National Commerce Act, or E-Sign, focuses on the private sector. Together, GPEA and E-Sign provide a paradigm for establishing the legality of electronic transactions.

E-Sign applies to commercial transactions affecting interstate or foreign commerce, and to transactions regulated by the federal government. To the extent that a federal agency regulates an industry, agency rules must be updated to be consistent with E-Sign.

The umbrella of policy guidance for the IT community is OMB's Circular A-130, which was revised recently. It describes the key issues affecting the development of federal IT systems, including Web-based systems.

Security is probably one the most significant issue to address when delivering products or services over the Web.

Recently, the Government Information Security Act of 1999 (S.1993) updated the security policy environment to include agency auditing requirements. A cost/benefit guide and a guide on return on investment form the fundamental foundation for calculating the cost and benefits of Web projects.

Another cross-government structure has emerged that's often called "the federal bridge." The federal bridge has policy and operational functions for helping agencies use digital certificates across the federal government.

A detailed policy that describes the functions and operations of the federal bridge is available: X.509 Certificate Policy (Microsoft Corp. Word document).

Anyone starting out on understanding digital certificates and digital signatures should take a look at this helpful handbook: "The Evolving Public Key Infrastructure" (Portable Document Format).

Kellett is founder of the federal Web Business Council, co-chairman of the federal WebMasters Forum and is director of GSA's Emerging IT Policies Division.