NSF pins hopes on security pilot

The National Science Foundation will begin testing electronic signature technology next month that could remove the last impediment to its paperless proposal process.

Using the Federal Demonstration Partnership (see related story), NSF will join with 10 universities to test its password-based digital signature system until July. Unlike the Defense Department and NASA, NSF will hold off on using public-key infrastructure to certify digital signatures.

The agency, which sponsors science and technology research at academic institutions, will develop an enhanced password solution that can be used until PKI becomes more affordable and widely available, NSF officials said.

"We wanted to do something that solved our immediate problem but allowed us to keep an eye on the future," said Jerry Stuck, deputy director of the information systems division at NSF.

NSF set a goal of receiving all of its proposals from academic institutions electronically by Oct. 1. The FastLane system (see related story) is the vehicle for doing that business digitally, but at least one obstacle remained, Stuck said.

NSF already receives about 78 percent of its proposals electronically, but paper certification, or proposal cover sheets, still must be signed by the researcher and other university officials and mailed within five days of proposal submission.

"It was a burden on the research institutions and a burden on our staff to match up the cover sheets with the electronic submissions," Stuck said.

NSF completed a risk assessment with KPMG LLP in December that recommended that NSF move directly to a PKI solution or enhance the user identification and password security in lieu of an ink signature, Stuck said.

Public-key technology is a mechanism that enables users to authenticate their identity and send data confidentially without using shared secrets such as personal identification numbers (PINs) and passwords, said Richard Guida, chairman of the Federal PKI Steering Committee. PKI is the infrastructure used to generate and manage digital certificates that generate public keys.

The cost of PKI was too high for the agency, Stuck said. Instead, NSF decided to enhance its ID and PIN system with higher levels of security but leave open the option to move to PKI later, he said.

Under the new system, NSF's four-character PINs will become longer passwords with mixed characters and numbers as well as encryption.

Each university has an administrator who registers and certifies its users. In the new password system, the administrator will initialize users and change passwords if needed.

NSF tends to pursue its own path for information technology initiatives that have become part of governmentwide contracts because they are not cost-effective on a small scale, said Linda Massaro, NSF chief information officer and director of information and resource management.

The Government Paperwork Elimination Act does not dictate what technology agencies should use for electronic signatures but encourages them to use the appropriate level of authentication for their applications, Guida said.

"They're making a decision that the potential for fraud is such that one does not need the level of security PKI provides," Guida said. "One of the things we've encouraged agencies to think about, even if they decide they don't need PKI for an application, is the expectation of interoperability with PKI."

Agencies should think about whether their digital certificates can be honored by other agencies, he said. PINs and passwords don't have that capability because they tend to be managed locally.

Based on the upcoming pilot, NSF plans to institutionalize its electronic signature approach by Oct. 1. If it's successful, the agency plans to use electronic signatures for other transactions, Stuck said.