TREASURY DIRECTIVE 87-05
DATE: April 21, 2001
Sunset Review: April 21, 2005
SUBJECT: Electronic Commerce Initiatives
1. PURPOSE. This directive provides interim guidance for
electronic commerce (E-commerce) and electronic business (E-business) for the
Department of the Treasury (the Department) and recommends the processes by
which Treasury bureaus (bureaus) and Departmental Offices entities (DO) should
evaluate and manage any proposed E-commerce initiatives. E-Commerce is a
rapidly changing area, and new regulations and rules can be anticipated. It is
not the purpose of this directive to supersede or preempt any such regulation
or rule.
2. SCOPE. This Directive applies to all Treasury bureaus
(including DO), except the Treasury Inspector General and the Treasury
Inspector General for Tax Administration, engaged in electronic transaction
activities. For the purpose of this Directive, a transaction is a transfer of
information and should not be limited to financial and statistical data. This
Directive includes the following transactions:
a. Intra-agency transactions (those occurring within the Department);
b. Inter-agency transactions (those occurring between the Department and other federal agencies);
c. Transactions between the Department and state or local government agencies;
d. Transactions between the Department and a private organization such as a contractor, business, university, non-profit organization, or other entity;
e. Transactions between the Department and a member of the general public; and,
f. Transactions between the Department and a foreign government, foreign private organization, or foreign citizen.
g. In addition, this directive applies to the five general categories of transactions:
(1) Transactions involving the transfer of funds;
(2) Transactions where the parties commit to actions or contracts that may give rise to financial or legal liability;
(3) Transactions involving information protected under the Privacy Act of 1974, as amended (P.L. 93-579), or other Department-specific statutes requiring that access to the information be restricted;
(4) Transactions where the party is fulfilling a legal responsibility which, if not performed, creates a legal liability (criminal or civil); and,
(5) Transactions where no funds are transferred, no financial or legal liability is involved, and no privacy or confidentiality issues are implicated.
3. POLICY. It is the policy of the Department to
encourage and promote electronic commerce activities that support its strategic
mission and strive to:
a. attain a paper-free business environment to the extent practicable;
b. use electronic transactions and authentication techniques in Federal payments and collections in accordance with the Government Paperwork Elimination Act of 1999 (P.L. 105-277) (GPEA);
c. provide for authentication techniques that include the use of a range of electronic signature alternatives;
d. maintain compatibility with the standards and technology for electronic signatures generally used in commerce and industry, and State government, not inappropriately favoring one industry or technology;
e. ensure that electronic signatures are as reliable as appropriate for the purpose in question;
f. maximize the benefits and minimize the risks and other costs of GPEA initiatives;
g. protect the privacy of transaction partners and third parties that have information contained in the transaction;
h. ensure compliance with record keeping responsibilities under Treasury records management requirements, policies and guidance and the Federal Records Act (FRA) of 1950, as amended (P.L. 90-620), for electronic records, which require that electronic record keeping systems reliably preserve the information submitted and follow the National Archives and Records requirements for records disposition as appropriate; and,
i. provide, wherever appropriate, for the electronic acknowledgment of electronic filings that are successfully submitted.
Further, it is the policy of the Department that prior to procuring or implementing any Treasury E-commerce solution, bureaus should, to the extent practical:
(1) conduct cost-benefit analyses associated with implementing E-commerce technology;
(2) ensure that proper management controls are included in the overall implementation and operation of E-commerce activities [See Treasury Directive 40-04, Treasury Internal (Management) Control Program];
(3) prepare a written plan for implementation; and,
(4) address record-keeping requirements.
4. PROCEDURES AND IMPLEMENTATION. Building and deploying
electronic systems to complement and replace paper-based and/or manual systems
should be consistent with the need to ensure that investments in information
technology are economically prudent to accomplish the Department's mission,
protect privacy, ensure the security of the data, and maintain required
records. A decision to reject the option of electronic filing or record keeping
should demonstrate, in the context of a particular application and upon
considering relative costs, risks, benefits given the level of sensitivity of
the process, and ability to comply with record-keeping requirements that there
is no reasonably cost-effective combination of technologies and management
controls that can be used to operate the transaction and sufficiently minimize
the risk of significant harm.
Performing the assessment to evaluate electronic signature alternatives should not be viewed as an isolated activity or an end in itself. Bureaus should draw from and feed into the interrelated requirements of the Paperwork Reduction Act of 1980, as amended (P.L. 96-511) (PRA), the Privacy Act, the Computer Security Act of 1987, as amended (P.L. 100-235) (CSA), the Government Performance and Results Act of 1993 (P.L. 103-62), the Information Technology Management Reform Act of 1996 (P.L. 104-106), the Federal Managers Financial Integrity Act of 1982 (P.L. 97-255), the Federal Records Act, the Chief Financial Officers Act of 1990, as amended (P.L. 101-576), the Government Paperwork Elimination Act of 1999 (P.L. 105-277), the Electronic Signatures in Global and National Commerce Act (P.L. 106-229), as well as Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources" (February 8, 1996), National Institute of Standards and Technology's Special Publications, the 800 series, Presidential Decision Directive 63, "Protecting America's Critical Infrastructures," July 1, 1997, and the Rehabilitation Act, Section 508 (29 U.S.C. § 794d). Further, in addition to serving as a guide for selecting the most appropriate technologies, the assessment of costs and benefits should be designed so that it can be used to generate a business case and verifiable return on investment to support decisions regarding overall programmatic direction, investment decisions, and budgetary priorities. In doing so, bureaus should consider the effects on the public, its needs, and its readiness to move to an electronic environment.
In implementing the above policies and procedures, bureaus should consider the procedures and guidance issued by OMB on April 25, 2000 in M-00-10 and OMB's Final Instructions for Plans to Implement the Government Paperwork Elimination Act issued on July 26, 2000 (see sections 12.j and 12.k).
5. SECURITY OF ELECTRONIC SIGNATURE AND ELECTRONIC TRANSACTIONS. In enacting GPEA, Congress addressed the legality and validity of electronic signature, banner, password or other electronic authentication for electronic records submitted or maintained in accordance with procedures developed under GPEA, and determined that electronic signature or other forms of electronic authentication used in accordance with such procedures must not be denied legality, validity, or enforceability because such records are in electronic form. In determining whether an electronic signature is sufficiently reliable for a particular purpose, bureaus' risk analyses need at a minimum to consider the relationships between the parties, the value of the transaction, the risk of intrusion, and the likely need for accessible, persuasive information regarding the transaction at some later date.
The goal of information security, as recognized by GPEA, PRA, CSA, and the Privacy Act, is to protect the integrity and confidentiality of electronic records and transactions that enable business operations. Different security approaches offer varying levels of assurance in an electronic environment and are appropriate depending on a balance between the benefits from electronic information transfer and the risk of harm if the information is compromised. Among these approaches (in ascending level of assurance) are: so-called "shared secrets" methods, e.g., personal identification numbers or passwords; digitized signatures or biometric means of identification, such as fingerprints, retinal patterns, and voice recognition; and, cryptographic digital signatures.
The Department encourages
using combinations of approaches (e.g., digital signatures with biometrics)
because they may provide even higher levels of assurance than single approaches
alone. Deciding which to use in an application depends first upon finding a
balance between the risks associated with the loss, misuse, or compromise of
the information, and the benefits, costs, and effort associated with deploying
and managing the increasingly secure methods to mitigate those risks. This
balance should be struck recognizing that achieving absolute security is likely
to be highly improbable in most cases and prohibitively expensive if possible.
At a minimum, bureaus should consider the following security tools and measures: firewalls, password management and access control, intrusion management, physical security, business continuity planning, change management, privacy assurance, regular reviews, reconciliation, back-up facility and exception reports. Additional security considerations include: public key infrastructure, digital signatures, smart cards, secure electronic transactions, secure sockets layer and non-repudiation (see references 12.c and 12.d).
6. FINANCIAL SYSTEMS SECURITY PLANS AND CERTIFICATION. All new or major upgrades to existing financial systems should be formally certified through a comprehensive evaluation of the technical and non-technical security features prior to operation. The certification, made as part of and in support of the accreditation process, will determine the extent to which a particular design and implementation meet a specified set of security requirements. Treasury Directive P 71-10, Chapter VI, "Department of the Treasury Security Manual" (October 1992), should be reviewed for detailed information regarding the guidelines and procedures for certification.
7. AUDIT CONSIDERATIONS. As computer technology has
advanced, Treasury bureaus have become increasingly dependent on computerized
information systems to carry out their operations and to process, maintain, and
report essential information. Bureaus should be aware of auditors' concern with
the adequacy of internal controls in and around these operating systems. The
following general methodology used by auditors should serve as a guide for
bureaus to assess computer-related controls and involves evaluating:
a. general controls at the entity or installation level;
b. general controls as they are applied to the application(s) being examined, such as a payroll system or a loan accounting system; and,
c. application controls, which are the controls over input, processing, and output of data associated with individual applications. The general and application controls should be effective to help ensure the reliability, appropriate confidentiality, and availability of critical automated information.
Primary objectives for
general controls are to safeguard data, protect computer application programs,
protect system software from unauthorized access, and ensure continued computer
operations in case of unexpected interruptions. The effectiveness of general
controls is a significant factor in determining the effectiveness of
applications controls. Without effective general controls, application controls
may be rendered ineffective by circumvention or modification. Application
controls are directly related to individual computerized applications. They
help ensure that transactions are valid, properly authorized, and completely
and accurately processed and reported. When performed as part of a financial
statement audit, an assessment of computer-related controls is part of a
comprehensive effort to evaluate both the controls over and reliability of
reported financial data.
d. Application controls include programmed control techniques, such as automated edits, and manual follow-up of computer-generated reports, such as reviews of reports identifying rejected or unusual items. These controls are generally designed to prevent, detect, and correct errors and irregularities as transactions flow through the financial information systems, and involve ensuring that:
(1) data prepared for entry are complete, valid, and reliable;
(2) data are converted to an automated form and entered into the application accurately, completely, and on time; and,
(3) data are processed by the application completely and on time, and in accordance with established requirements.
e. Output is protected from unauthorized modification or damage and distributed in accordance with prescribed policies.
f. An audit trail is important in an information technology environment. It is not feasible to envisage that a totally paperless system will have all the key controls to ensure that an adequate audit trail is maintained. Documentation is critical as the paper trail is reduced. Whatever management decides is critical should be secured in hard copy form. An electronic audit trail should have the ability to follow a transaction from end to end and identify all critical steps. Testing of the audit trail should ensure that any errors or irregularities can be promptly identified and corrected.
8. PRIVACY OF DATA. Before collecting and maintaining
information about individuals, a determination should be made as to whether the
Privacy Act applies to the information as defined in the Act and OMB
guidelines. A program office should contact the bureau's Privacy Act Officer
for assistance in determining the application of the Privacy Act to a
collection of information. A criminal penalty applies for maintaining a Privacy
Act system of records that has not been properly noticed in the Federal
Register.
9. RETENTION OF FINANCIAL DOCUMENTS/ELECTRONIC DATA.
Treasury bureaus should follow the guidance of TD 80-05 and TD P 80-05, which
address statutory record requirements. In addition, retention of financial
documents should also follow the relevant guidance provided by the General
Accounting Office. Unless otherwise stated, these requirements apply to all
electronic information systems and should be adhered to by Treasury bureaus.
10. RESPONSIBILITIES. As E-commerce activities expand, it
is anticipated that the following responsibilities will be modified and
enhanced, as will the organizations that carry them out.
a. The Fiscal Assistant Secretary and the Financial Management Service are responsible for developing, in consultation with other federal agencies and OMB, policies and practices for the use of electronic transactions and authentication techniques in Federal payments and collections to ensure that they fulfill the goals of GPEA (see Notes: Federal Register, Vol. 66, No. 2, page 394, Wednesday, January 3, 2001).
b. The Assistant Secretary for Management/Chief Financial Officer (ASM&CFO) is responsible for promoting and encouraging the attainment of a paper-free business environment throughout the Department. The ASM&CFO will motivate bureaus to provide individuals or entities the option to submit information or transact with it electronically and maintain records electronically when practicable, by October 21, 2003.
c. The Deputy Assistant Secretary (Information Systems) and Chief Information Officer (DASIS/CIO) is responsible for:
(1) Ensuring that the use of electronic transactions and authentication techniques by the bureaus is in accordance with GPEA;
(2) Ensuring that the bureaus maintain compatibility with the standards and technology for electronic signatures, and that electronic signatures are as reliable as appropriate;
(3) Ensuring that information security, on a department-wide basis, protects the integrity and confidentiality of electronic records and transactions that enable business operations; and,
(4) Ensuring that bureaus' E-commerce initiatives are coordinated so as to eliminate duplication of effort and maximize cost effectiveness.
d. The Deputy Chief Financial Officer (DCFO) is responsible for ensuring that the bureaus engaging in E-commerce activities have incorporated appropriate risk management measures.
11. AUTHORITIES.
a. Government Paperwork Elimination Act of 1999 (P.L. 105-277);
b. Paperwork Reduction Act of 1995, as amended (P.L. 104-13; 44 U.S.C. 3501 et seq.);
c. Privacy Act of 1974, as amended (P.L. 93-579);
d. Computer Security Act of 1987, as amended (P.L. 100-235);
e. Government Performance and Results Act of 1993 (P.L. 103-62);
f. Information Technology Management Reform Act of 1996 (Clinger-Cohen Act) (P.L. 104-106);
g. Federal Managers Financial Integrity Act of 1982 (P.L. 97-255);
h. Federal Records Act of 1950, as amended (P.L. 90-620);
i. Chief Financial Officers Act of 1990, as amended (P.L. 101-576);
j. OMB Circular A-119, "Federal Participation in the Development and Use of Voluntary Consensus Standards and Conformity Assessment Activities" (February 1998);
k. OMB Circular A-130, "Management of Federal Information Resources" (February 8, 1996);
l. OMB Circular A-11, "Preparation and Submission of Budget Estimates" (July 1999);
m. OMB Circular A-127, "Financial Management Systems" (July 30, 1993);
n. "Electronic Records Management," National Archives and Records Administration Regulations (36 CFR Part 1234); and,
o. Electronic Signatures in Global and National Commerce Act (P.L. 106-229).
12. REFERENCES.
a. Treasury Directive 40-04, Treasury Internal (Management) Control Program.
b. GAO Standards for Internal Control in the Federal Government (November 1999).
c. Treasury Directive P 71-10, "Department of the Treasury Security Manual."
d. Treasury Directive 25-04, "The Privacy Act of 1974."
e. Treasury Directive 25-05, "The Freedom of Information Act."
f. GAO/AIMD-12.19.6, "Federal Information System Controls Audit Manual."
g. Treasury Directive 80-05, "Records and Information Management Program."
h. Treasury Directive P 80-05, "Records and Information Management Manual."
i. Treasury CFO Council's E-Commerce Glossary, http://www.intranettreas.gov/tcfo/internet/cfo_council/glossary.pdf
j. M-00-10, "OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act," dated April 25, 2000.
k. "Final Instructions for the Plans to Implement the Government Paperwork Elimination Act," dated July 27, 2000.
13. OFFICE OF PRIMARY INTEREST. Deputy Assistant Secretary for Information Systems/Chief Information Officer.
/S/
James J. Flyzik
Acting Assistant Secretary for Management and Chief Information Officer