TREASURY DIRECTIVE 87-05

 

Date: April 21, 2001

 

Sunset Review: April 21, 2003

 

Expiration: April 21, 2004

 

SUBJECT: Electronic Commerce Initiatives

 

1. PURPOSE. This directive provides interim guidance for electronic commerce (E-commerce) and electronic business (E-business) for the Department of the Treasury (the Department) and recommends the processes by which Treasury bureaus (bureaus) and Departmental Offices entities (DO) should evaluate and manage any proposed E-commerce initiatives. E-commerce is a rapidly changing area, and new regulations and rules can be anticipated. It is not the purpose of this directive to supersede or preempt any such regulation or rule.

 

2. SCOPE. This Directive applies to all Treasury bureaus (including DO), except the Treasury Inspector General and the Treasury Inspector General for Tax Administration, engaged in electronic transaction activities. For the purpose of this Directive, a transaction is a transfer of information and should not be limited to financial and statistical data. This Directive includes the following transactions:

 

a. Intra-agency transactions (those occurring within the Department);

 

b. Inter-agency transactions (those occurring between the Department and other federal agencies);

 

c. Transactions between the Department and state or local government agencies;

 

d. Transactions between the Department and a private organization such as contractor, business, university, non-profit organization, or other entity;

 

e. Transactions between the Department and a member of the general public; and,

 

f. Transactions between the Department and a foreign government, foreign private organization, or foreign citizen.

 

g. In addition, this directive applies to the five general categories of transactions:

 

(1) Transactions involving the transfer of funds;

 

(2) Transactions where the parties commit to actions or contracts that may give rise to financial or legal liability;

 

(3) Transactions involving information protected under the Privacy Act of 1974, as amended (P.L. 93-579), or other Department-specific statutes requiring that access to the information be restricted;

 

(4) Transactions where the party is fulfilling a legal responsibility which, if not performed, creates a legal liability (criminal or civil); and,

 

(5) Transactions where no funds are transferred, no financial or legal liability is involved and no privacy or confidentiality issues are implicated.

 

3. POLICY. It is the policy of the Department to encourage and promote electronic commerce activities that support its strategic mission and strive to:

 

a. attain a paper-free business environment to the extent practicable;

 

b. use electronic transactions and authentication techniques in Federal payments and collections in accordance with the Government Paperwork Elimination Act of 1999 (P.L. 105-277) (GPEA);

 

c. provide for authentication techniques that include the use of a range of electronic signature alternatives;

 

d. maintain compatibility with the standards and technology for electronic signatures generally used in commerce and industry, and State government, not inappropriately favoring one industry or technology;

 

e. ensure that electronic signatures are as reliable as appropriate for the purpose in question;

 

f. maximize the benefits and minimize the risks and other costs of GPEA initiatives;

 

g. protect the privacy of transaction partners and third parties that have information contained in the transaction;

 

h. ensure compliance with record keeping responsibilities under Treasury records management requirements, policies and guidance and the Federal Records Act (FRA) of 1950, as amended (P.L. 90-620), for electronic records, which require that electronic record keeping systems reliably preserve the information submitted and follow the National Archives and Records requirements for records disposition as appropriate; and,

 

i. provide, wherever appropriate, for the electronic acknowledgment of electronic filings that are successfully submitted. Further, it is the policy of the Department that prior to procuring or implementing any Treasury E-commerce solution, bureaus should, to the extent practical:

 

(1) conduct cost-benefit analyses associated with implementing E-commerce technology;

 

(2) ensure that proper management controls are included in the overall implementation and operation of E-commerce activities [See Treasury Directive 40-04, Treasury Internal (Management) Control Program];

 

(3) prepare a written plan for implementation; and,

 

(4) address record-keeping requirements.

 

4. PROCEDURES AND IMPLEMENTATION. Building and deploying electronic systems to complement and replace paper-based and/or manual systems should be consistent with the need to ensure that investments in information technology are economically prudent to accomplish the Department's mission, protect privacy, ensure the security of the data, and maintain required records. A decision to reject the option of electronic filing or record keeping should demonstrate, in the context of a particular application and upon considering relative costs, risks, benefits given the level of sensitivity of the process, and ability to comply with record-keeping requirements that there is no reasonably cost-effective combination of technologies and management controls that can be used to operate the transaction and sufficiently minimize the risk of significant harm.

 

Performing the assessment to evaluate electronic signature alternatives should not be viewed as an isolated activity or an end in itself. Bureaus should draw from and feed into the interrelated requirements of the Paperwork Reduction Act of 1980, as amended (P.L. 96-511) (PRA), the Privacy Act, the Computer Security Act of 1987, as amended (P.L. 100-235) (CSA), the Government Performance and Results Act of 1993 (P.L. 103-62), the Information Technology Management Reform Act of 1996 (P.L. 104-106), the Federal Managers Financial Integrity Act of 1982 (P.L. 97-255), the Federal Records Act, the Chief Financial Officers Act of 1990, as amended (P.L. 101-576), the Government Paperwork Elimination Act of 1999 (P.L. 105-277), and the Electronic Signatures in Global and National Commerce Act (P.L. 106-229), as well as Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources" (February 8, 1996), the National Institute of Standards and Technology's Special Publications 800 series, Presidential Decision Directive 63, "Protecting America's Critical Infrastructures" (July 1, 1997), and Section 508 of the Rehabilitation Act (29 U.S.C. § 794d). Further, in addition to serving as a guide for selecting the most appropriate technologies, the assessment of costs and benefits should be designed so that it can be used to generate a business case and a verifiable return on investment to support decisions regarding overall programmatic direction, investment decisions, and budgetary priorities. In doing so, bureaus should consider the effects on the public, its needs, and its readiness to move to an electronic environment.

 

In implementing the above policies and procedures, bureaus should consider the procedures and guidance issued by OMB on April 25, 2000 in M-00-10 and OMB's Final Instructions for Plans to Implement the Government Paperwork Elimination Act, issued on July 26, 2000 (see sections 12.j and 12.k).

 

5. SECURITY OF ELECTRONIC SIGNATURE AND ELECTRONIC TRANSACTIONS. In enacting GPEA, Congress addressed the legality and validity of electronic signatures, banners, passwords, or other electronic authentication for electronic records submitted or maintained in accordance with procedures developed under GPEA, and determined that electronic signatures or other forms of electronic authentication used in accordance with such procedures must not be denied legality, validity, or enforceability because such records are in electronic form. In determining whether an electronic signature is sufficiently reliable for a particular purpose, bureaus' risk analyses need, at a minimum, to consider the relationships between the parties, the value of the transaction, the risk of intrusion, and the likely need for accessible, persuasive information regarding the transaction at some later date.

 

The goal of information security, as recognized by GPEA, PRA, CSA, and the Privacy Act, is to protect the integrity and confidentiality of electronic records and transactions that enable business operations. Different security approaches offer varying levels of assurance in an electronic environment and are appropriate depending on a balance between the benefits of electronic information transfer and the risk of harm if the information is compromised. Among these approaches (in ascending order of assurance) are: so-called "shared secrets" methods, e.g., personal identification numbers or passwords; digitized signatures or biometric means of identification, such as fingerprints, retinal patterns, and voice recognition; and, cryptographic digital signatures.

 

The Department encourages using combinations of approaches (e.g., digital signatures with biometrics) because they may provide even higher levels of assurance than single approaches alone. Deciding which to use in an application depends first upon finding a balance between the risks associated with the loss, misuse, or compromise of the information, and the benefits, costs, and effort associated with deploying and managing the increasingly secure methods to mitigate those risks. This balance should be struck recognizing that absolute security is highly improbable in most cases and, where it is achievable at all, prohibitively expensive.

 

At a minimum, bureaus should consider the following security tools and measures: firewalls, password management and access control, intrusion management, physical security, business continuity planning, change management, privacy assurance, regular reviews, reconciliation, back-up facilities and exception reports. Additional security considerations include: public key infrastructure, digital signatures, smart cards, secure electronic transactions, secure socket layer and non-repudiation (see references 12.c and 12.d).

 

6. FINANCIAL SYSTEMS SECURITY PLANS AND CERTIFICATION. All new or major upgrades to existing financial systems should be formally certified through a comprehensive evaluation of the technical and non-technical security features prior to operation. The certification, made as part of and in support of the accreditation process, will determine the extent to which a particular design and implementation meets a specified set of security requirements. Treasury Directive P 71-10, Chapter VI, "Department of the Treasury Security Manual" (October 1992), should be reviewed for detailed information regarding the guidelines and procedures for certification.

 

7. AUDIT CONSIDERATIONS. As computer technology has advanced, Treasury bureaus have become increasingly dependent on computerized information systems to carry out their operations and to process, maintain, and report essential information. Bureaus should be aware of auditors' concern with the adequacy of internal controls in and around these operating systems. The following general methodology used by auditors should serve as a guide for bureaus to assess computer-related controls and involves evaluating:

 

a. general controls at the entity or installation level;

 

b. general controls as they are applied to the application(s) being examined, such as a payroll system or a loan accounting system; and,

 

c. application controls, which are the controls over input, processing, and output of data associated with individual applications. The general and application controls should be effective to help ensure the reliability, appropriate confidentiality, and availability of critical automated information.

 

Primary objectives for general controls are to safeguard data, protect computer application programs, protect system software from unauthorized access, and ensure continued computer operations in case of unexpected interruptions. The effectiveness of general controls is a significant factor in determining the effectiveness of applications controls. Without effective general controls, application controls may be rendered ineffective by circumvention or modification. Application controls are directly related to individual computerized applications. They help ensure that transactions are valid, properly authorized, and completely and accurately processed and reported. When performed as part of a financial statement audit, an assessment of computer-related controls is part of a comprehensive effort to evaluate both the controls over and reliability of reported financial data.

 

d. Application controls include programmed control techniques, such as automated edits, and manual follow-up of computer-generated reports, such as reviews of reports identifying rejected or unusual items. These controls are generally designed to prevent, detect, and correct errors and irregularities as transactions flow through the financial information systems, and involve ensuring that:

 

(1) data prepared for entry are complete, valid, and reliable;

 

(2) data are converted to an automated form and entered into the application accurately, completely, and on time; and,

 

(3) data are processed by the application completely and on time, and in accordance with established requirements.

 

e. output is protected from unauthorized modification or damage and distributed in accordance with prescribed policies.

 

f. An audit trail is important in an information technology environment. It is not feasible to expect that a totally paperless system will have all the key controls needed to ensure that an adequate audit trail is maintained. Documentation becomes more critical as the paper trail is reduced. Whatever management decides is critical should be secured in hard-copy form. An electronic audit trail should make it possible to follow a transaction from end to end and identify all critical steps. Testing of the audit trail should ensure that any errors or irregularities can be promptly identified and corrected.

 

8. PRIVACY OF DATA. Before collecting and maintaining information about individuals, a determination should be made as to whether the Privacy Act applies to the information as defined in the Act and OMB guidelines. A program office should contact the bureau's Privacy Act Officer for assistance in determining the application of the Privacy Act to a collection of information. A criminal penalty applies for maintaining a Privacy Act system of records that has not been properly noticed in the Federal Register.

 

9. RETENTION OF FINANCIAL DOCUMENTS/ELECTRONIC DATA. Treasury bureaus should follow the guidance of TD 80-05 and TD P 80-05, which address statutory record requirements. In addition, retention of financial documents should also follow the relevant guidance provided by the General Accounting Office. Unless otherwise stated, these requirements apply to all electronic information systems and should be adhered to by Treasury bureaus.

 

10. RESPONSIBILITIES. As E-commerce activities expand, it is anticipated that the following responsibilities will be modified and enhanced, as will the organizations that carry them out.

 

a. The Fiscal Assistant Secretary and the Financial Management Service are responsible for developing, in consultation with other federal agencies and OMB, policies and practices for the use of electronic transactions and authentication techniques in Federal payments and collections, to ensure that they fulfill the goals of GPEA (see Notes: Federal Register, Vol. 66, No. 2, page 394, Wednesday, January 3, 2001).

 

b. The Assistant Secretary for Management/Chief Financial Officer (ASM&CFO) is responsible for promoting and encouraging the attainment of a paper-free business environment throughout the Department. The ASM&CFO will motivate bureaus to provide individuals or entities the option to submit information or transact with it electronically and maintain records electronically when practicable, by October 21, 2003.

 

c. The Deputy Assistant Secretary for Information Systems and Chief Information Officer (DASIS/CIO) is responsible for:

 

(1) Ensuring that the bureaus' use of electronic transactions and authentication techniques is in accordance with GPEA;

 

(2) Ensuring that the bureaus maintain compatibility with the standards and technology for electronic signatures, and that electronic signatures are as reliable as appropriate;

 

(3) Ensuring that information security, on a department-wide basis, protects the integrity and confidentiality of electronic records and transactions that enable business operations;

 

(4) Ensuring that bureaus' E-commerce initiatives are coordinated so as to eliminate duplication of effort and maximize cost effectiveness.

 

d. The Deputy Chief Financial Officer (DCFO) is responsible for ensuring that the bureaus engaging in E-commerce activities have incorporated appropriate risk management measures.

 

11. AUTHORITIES

 

a. Government Paperwork Elimination Act of 1999 (P.L. 105-277);

 

b. Paperwork Reduction Act of 1995, as amended (P.L. 104-13; 44 U.S.C. 3501 et seq);

 

c. Privacy Act of 1974, as amended (P.L. 93-579);

 

d. Computer Security Act of 1987, as amended (P.L. 100-235);

 

e. Government Performance and Results Act of 1993 (P.L. 103-62);

 

f. Information Technology Management Reform Act of 1996 (Clinger-Cohen Act) (P.L. 104-106);

 

g. Federal Managers Financial Integrity Act of 1982 (P.L. 97-255);

 

h. Federal Records Act of 1950, as amended (P.L. 90-620);

 

i. Chief Financial Officers Act of 1990, as amended (P.L. 101-576);

 

j. OMB Circular A-119, "Federal Participation in the Development and Use of Voluntary Consensus Standards and Conformity Assessment Activities," (February 1998);

 

k. OMB Circular A-130, "Management of Federal Information Resources" (February 8, 1996);

 

l. OMB Circular A-11, "Preparation and Submission of Budget Estimates" (July 1999);

 

m. OMB Circular A-127, "Financial Management Systems" (July 30, 1993);

 

n. "Electronic Records Management," National Archives and Records Administration Regulations (36 CFR Part 1234); and,

 

o. Electronic Signatures in Global and National Commerce Act (P.L. 106-229).

 

12. REFERENCES.

 

a. Treasury Directive 40-04, Treasury Internal (Management) Control Program.

 

b. GAO Standards for Internal Control in the Federal Government (November 1999).

 

c. Treasury Directive P 71-10, "Department of the Treasury Security Manual".

 

d. Treasury Directive 25-04, "The Privacy Act of 1974."

 

e. Treasury Directive 25-05, "The Freedom of Information Act."

 

f. GAO/AIMD-12.19.6, "Federal Information System Controls Audit Manual."

 

g. Treasury Directive 80-05, "Records and Information Management Program."

 

h. Treasury Directive P 80-05, "Records and Information Management Manual."

 

i. Treasury CFO Council's E-Commerce Glossary, http://www.intranettreas.gov/tcfo/internet/cfo_council/glossary.pdf

 

j. M-00-10, "OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act," dated April 25, 2000.

 

k. "Final Instructions for the Plans to Implement the Government Paperwork Elimination Act," dated July 27, 2000.

 

13. OFFICE OF PRIMARY INTEREST. Deputy Assistant Secretary for Information Systems/Chief Information Officer.

 

/S/

James J. Flyzik

Acting Assistant Secretary for Management

and Chief Information Officer