It has been 10 years since President Clinton signed the E-Sign Act ("Electronic Signatures in Global and National Commerce Act" (ESIGN)) granting electronic or digital signatures the same legal status as pen and ink signatures. Since that time, many civilian organizations have adopted electronic signatures as the preferred way for signing legal documents and records. Though there are a few instances in the Department of the Navy where electronic signatures have been used, in general, the DON has been slower to implement electronic signature solutions. There are several reasons for this, but the most often mentioned is that there is no clear guidance from the DON on the requirements for implementing an electronic signature solution.
Before we go further, it is important to understand the term "electronic signature." Electronic signature is sometimes confused with the term "digital signature" and it is important to understand the difference. Public Law 106-229, Electronic Signatures in Global and National Commerce Act, of June 30, 2000, defines an electronic signature as "an electronic sound, symbol, or process attached to, or logically associated with, a contract or other record and executed or adopted by a person with the intent to sign a record." This differs from a digital signature, which is an asymmetric key operation where a private key is used to digitally sign an electronic document, and the public key is used to verify the signature. The easy way to remember this is that electronic signatures serve the same purpose as a handwritten signature and show the person adopts the contents of an electronic document or record, while digital signatures are a subgroup of electronic signatures that provide authentication and integrity protection and are used to implement electronic signatures.
The lack of widespread use of electronic signatures and customer feedback identified the need for a DON electronic signature policy. To address this need, the DON Chief Information Officer signed the Secretary of the Navy Instruction 5239.21: "Department of the Navy Electronic Signature Policy," making electronic signatures the preferred means of signing documents and records within the department. By establishing this policy, the DON hopes to provide a catalyst for organizations to start to identify processes requiring handwritten signatures that can be more effectively accomplished electronically by converting them to electronic processes. This policy is not a mandate to replace handwritten signatures, but rather a policy to adopt electronic signatures as the preferred means of signing legal documents and records within the DON. This policy will ensure the DON complies with statutory and Defense Department mandates for paperless processing. It will also help to reduce the DON’s reliance on paper transactions, improve information security and sharing, allow quicker access to documents, and reduce costs and environmental impact.
There are a few highlights in the policy that are important to remember when developing an electronic signature solution. Organizations with applications, systems and business processes that use electronic signatures shall comply with the following.
- Electronic signatures are to be accomplished using a DoD-approved process that utilizes Public Key Infrastructure (PKI) certificates issued by DoD or a DoD-approved external PKI.
- All electronic signature solutions must be certified and accredited, and tested and approved for conformance by the Joint Interoperability Test Command.
- Conduct a legal review of the adopted application or process to ensure legal sufficiency, reliability and compliance with existing laws and regulations.
- Ensure the integrity of electronically signed documents so that each record can be authenticated, attributed to the signer, and verified to be a full and accurate representation of the transaction to which it attests, to reflect the intent of the signer, and to be complete and unaltered.
- Ensure all of the information required to validate a digital signature remains available for the life of the document.
- Ensure the integrity of an electronically signed document in such a manner that records can be determined to be authentic and reliable by tracking the chain of custody and any changes that may occur (authorized or unauthorized).
Implementing electronic signatures is a key tool in the transformation of the department's virtual environments and business processes. The implementation of electronic signatures is essential to the DON's compliance with legislative and DoD mandates for paperless processing while maintaining information security and information sharing capabilities.
Russell Pitcher supports the DON CIO Cybersecurity and Critical Infrastructure Team.