Page 137 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
Accelerating the use of e-signatures is a priority identified for all agencies in the “Executive Order on
Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government.”
E-signatures can dramatically reduce paperwork, broaden the accessibility of government services, and
streamline cumbersome approval processes.
However, it is imperative that e-signatures meet the security standards set out by the OMB’s zero trust
memorandum. In instances where additional levels of assurance (LOA) are necessary, digital signatures
are preferable to e-signatures.
What to look for in a digital signature solution
Security requirements for e-signatures vary by region, agency, data, and classification levels.
E-signatures use common authentication methods such as passwords or email verification, but for sensitive
information, such minimal precautions are not nearly sufficient.
There are some cases where additional LOA for signer identification are needed, and that’s where digital
signatures come in. Digital signatures are a specific type of e-signature backed by a digital
certificate that serves as proof of the signer’s identity and is cryptographically bound to the signature
field using public key infrastructure (PKI).
To achieve this strong security posture, digital signatures must uniquely identify each signer.
Furthermore, the signer’s identity must be reconfirmed prior to signing with tools such as a PIN or a
secure signature device like a USB token or cloud-based hardware security module. Digital signatures
must also demonstrate proof of signing with a tamper-evident seal and have the ability to re-confirm
authenticity for at least 10 years.
For agencies seeking to liberate themselves from arduous paper-based authorizations, while also
adhering to zero trust’s strict identity and access management standards, digital signatures are an
invaluable tool.
Government agencies are eager to adopt digitization practices, such as digital signatures, that will
simplify their workload and make the lives of everyday citizens easier. However, security is paramount.
To ensure any solutions adopted by agencies meet their individual security needs, the Federal Risk
and Authorization Management Program (FedRAMP) was created.
How FedRAMP authorization provides peace of mind
FedRAMP authorizes cloud-based solutions for government agencies at Low, Moderate, and High Impact
levels. The Moderate Impact level accounts for 80% of authorizations and is designed to protect sensitive
data, such as personally identifiable information (PII). Furthermore, the FedRAMP Moderate designation
aligns with NIST controls for Zero Trust. Encryption management and is FIPS 140-2 verified, which
ensures that cryptographic modules have met NIST security requirements.