11 July 2003 Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html ----------------------------------------------------------------------- [Federal Register: July 11, 2003 (Volume 68, Number 133)] [Notices] [Page 41370-41374] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr11jy03-63] [[Page 41370]] ======================================================================= ----------------------------------------------------------------------- GENERAL SERVICES ADMINISTRATION [2003-N02] E-Authentication Policy for Federal Agencies; Request for Comments AGENCY: Office of Electronic Government and Technology, GSA. ACTION: Notice of policy and request for comments. ----------------------------------------------------------------------- SUMMARY: The General Services Administration, in coordination with the Office of Management and Budget (OMB) request comments on the attached draft policy on E-Authentication for Federal Agencies. GSA has coordinated this draft policy with OMB and will work closely with OMB in reviewing comments and issuing the final policy. In this draft policy, GSA is requiring that agencies implement this E-Authentication Policy, which establishes four assurance levels to create a Governmentwide standard framework for determining what is required to access a particular Government transaction online. DATES: To ensure consideration of comments, comments must be in writing and received by GSA no later than August 11, 2003. ADDRESSES: Comments on this notice should be addressed to Ms. Von Harrison, General Services Administration; Office of Electronic Government and Technology (MEI), Washington, DC 20405. You are encouraged to submit these comments by facsimile to (202) 501-6455, or by electronic mail to egov.taskforce@gsa.gov. FOR FURTHER INFORMATION CONTACT: Ms. Von Harrison, General Services Administration, Office of Electronic Government and Technology (MEI), Washington, DC 20405; or by phone at (202) 273-0721. SUPPLEMENTARY INFORMATION: As required by the Government Paperwork Elimination Act of 1998 (Public Law 105-277), most transactions currently accomplished by filing a Government paper form will be converted to an electronic format. These transactions will require some type of identity verification or authentication before taking place. It is also important that these electronic transactions incorporate the appropriate level of security. This attached GSA policy guidance provides agencies with a policy for the use of electronic authentication (or e-authentication) in electronic transactions. As the Federal Government works to expand the use of information technology and e-government, trust in electronic transactions is especially critical. This memorandum establishes a four level approach for authentication to ensure trustworthy electronic transactions and to fulfill Federal privacy and information security requirements. These four levels reflect an increasing degree of confidence in the identity presented and represent a range of authentication technologies. This guidance will promote for the public-- [sbull] Use of a standard set of criteria for assessing e- government transactions authentication requirements; [sbull] Consistent terminology when discussing authentication and levels of assurance; [sbull] Secure, easy-to-use, and consistent method for managing identity in electronic transactions with the Government; [sbull] Burden reduction in Government services and Government filings; [sbull] Reuse of credentials for access to multiple Government services; [sbull] Clearly understood criteria for access to particular Government services; and [sbull] Protection against fraud in online transactions with the Government. Having a consistent e-authentication process and policy guidance will enable Federal Agencies to-- [sbull] Reduce authentication system development and acquisition costs, and reallocate labor resources used to develop such systems; [sbull] Reduce the burden on the public in complying with repeated, duplicate or inconsistent processes of identity proofing; [sbull] Make consistent authentication decisions; [sbull] Promote public trust in the use of online service delivery; [sbull] Use existing and future e-authentication processes, within their organizations or those that are available Governmentwide; and [sbull] Reduce the number and type of electronic credentials that Federal employees, citizens, and businesses need to conduct business electronically with the Government. This guidance updates the Procedures and Guidance for Implementing the Government Paperwork Elimination Act (GPEA) issued by the Office of Management and Budget (OMB), which requires agencies to provide the option for electronic filing and electronic signature capabilities for Government activities and services unless it is not practicable to do so by October 2003. The GPEA implementation guidance (found at: http://www.whitehouse.gov/omb/memoranda/m00-10.html , April 25, 2000), provided agencies with guidance on the risk factors agencies should consider in planning and implementing electronic transactions. This e- authentication policy updates the GPEA guidance to take in account current e-authentication practices, including the impacts of the E- Authentication E-Government Initiative and recent National Institute of Standards and Technology (NIST) standards. NIST will be issuing companion technical guidance on this issue. This guidance reflects substantial work of the E-Authentication Initiative and the Federal CIO Council in FY 2003. Accordingly, CIOs are responsible for assuring all agencies or cross agency teams that implemented electronic authentication solutions or are planning to use shared authentication services are applying this policy. All existing transactions/systems which require authentication of their users must complete an e-authentication risk assessment and be categorized into one of the described assurance levels by September 15, 2005. Agencies should complete the e-authentication risk assessment process in the following order: [sbull] The E-Government Initiatives (who have already started the process described in this guidance) must be completed by October 1, 2003. [sbull] Systems classified as ``major'' should be completed by September 15, 2004. [sbull] New authentication solutions should begin to be categorized within 90 days of the completion of the final E-Authentication Technical Guidance. The results of the authentication risk assessment must be made publicly available through the agency Web site, the Federal Register, or other means (e.g., upon request). As part of the E-Authentication Initiative, E-Authentication will post the results of the assessments at a central location to allow for public access. In addition, the Business Compliance One Stop Initiative will be working with agencies' applications that concern small businesses. Agencies will be asked to report on their process as part of the requirements of Section 203 of the E-Government Act in the annual E-Government Act report due annually on September 15th beginning in 2004. Your cooperation and comments are appreciated. [[Page 41371]] Dated: July 8, 2003. G. Martin Wagner, Associate Administrator for Governmentwide Policy. Draft E--Authentication Policy for Federal Agencies Section 1: Introduction Section 2: Assurance Levels Section 3: Determining Assurance for Credential Service Providers Section 4: Implementing an Authentication Process Section 5: Effective Dates of Guidance 1. Introduction 1.1. Summary [sbull] This guidance should be applied to all Federal electronic transactions requiring authentication, except those that are national security systems as defined in 44 U.S.C. 3542(b)(2). [sbull] This guidance does not stipulate which technology solutions should be implemented for each assurance level. The Department of Commerce's National Institute for Standards and Technology (NIST) is developing complementary e-authentication technical guidance that will be used by agencies to determine appropriate technology solutions, based on the process described in this guidance. [sbull] Agencies are required to review existing and categorize new electronic transactions to ensure that these transactions comply with this guidance. [sbull] As detailed in Section 9c of OMB's GPEA guidance, agencies should continue to minimize the likelihood of denial or repudiation of the information individuals transmit electronically. As an element of assessing the risks that are relevant to the required assurance level, agencies must consider how they plan to minimize the likelihood of repudiation by ensuring the user's approval of the information transmitted in electronic transactions. General guidance on minimizing the likelihood of repudiation is included in Section 8c of the OMB Procedures and Guidance on Implementing GPEA. [sbull] This guidance does not directly apply to authorization. Authentication focuses on establishing a person's identity, based on the reliability of the credential he or she offers; while authorization focuses on what actions that identity, at that level of assurance, is permitted to do. Decisions concerning authorization are and should remain the purview of the electronic business process owner. [sbull] Authentication is an inherent part of an electronic signature; however this guidance does not cover ``intent to sign,'' or when an agency uses authentication credentials as an electronic signature. For more information on electronic signatures, please consult OMB's guidance on implementing GPEA and the Electronic Signatures in Global and National Commerce Act (found at: http://www.whitehouse.gov/omb/memoranda/m00-15.html , September 25, 2000). [sbull] Agencies should implement an e-authentication process using the following steps, described in Section 2.2: (1) Conduct a risk assessment as explained in Part II of the GPEA guidance and Section 2 of this guidance, (2) match identified risks with assurance levels, and (3) determine implementation technology based on the e-authentication technical guidance. [sbull] Each step of the authentication process--from identity proofing, to issuance of a credential, to technical and administrative management and use of the credential by an application, and ultimately to record keeping and auditing-- influences whether the process conforms to the desired assurance level. There are many layers of risk related to authentication. This guidance document is intended to assist agencies in identifying and analyzing risks associated specifically with the improper authentication of users of electronic transactions. These risks are highly dependent on the type of application and transactions offered. [sbull] This document does not address risks that are associated with the improper management of authentication controls or processes, or risks to the underlying authentication technical architecture or infrastructure. This document does not confer, and may not be used to support, any right on behalf of any person or entity against the United States or its agencies or officials. [sbull] This guidance does not refer to the authentication of systems or between services (for example, security socket layer (SSL) authentication). Instead, it is focusing on the attribute or identity authentication of individuals who are authenticated for Government services online. 1.2. Overview This document provides agencies with guidance on electronic identity and attribute authentication (or e-authentication). E- authentication is the process of establishing confidence in both identities and attributes after being electronically presented to an information system. Individual authentication is the process of establishing an understood level of confidence that an identifier refers to a specific individual. Attribute authentication is the process of establishing an understood level of confidence that an attribute applies to a specific individual. The process of e- authenticating an individual may involve establishing the individual's unique identity (identity authentication) or establishing that the individual is a member of a group (such as a military veteran or U.S. citizen) (attribute authentication). For a complete list of definitions, refer to the Report of the National Research Council ``Who Goes There? Authentication Through the Lens of Privacy'' (found at: http://www.nap.edu/books/0309088968/html/, March 31, 2003). E-authentication is the first step in the related process of deciding what an individual ought to be allowed to do, called ``authorization.'' Authentication focuses on establishing a person's identity, based on the reliability of the credential he or she offers; while authorization focuses on what actions that identity is permitted to do. Agencies providing the e-government services need to determine how certain they need to be in the identity of an individual and identify the risks inherent in a particular transaction. This guidance will provide the framework for the identified risks to be mapped to the desired assurance level that the authentication technology selected must satisfy. As described in OMB Circular A-130, Management of Federal Information Resources, agencies must prepare and update a strategy that identifies and mitigates risks associated with each information system; Section 5 of the GPEA guidance detailed the risk factors agencies should consider in planning and implementing electronic transactions. This new e-authentication guidance expands on Section 5 by-- [sbull] Instructing agencies how to implement an e- authentication process by outlining a process for assessing risk, and determining the requisite level of identity assurance; and [sbull] Describing four discrete (and increasing) levels of identity assurance. 2. Assurance Levels 2.1. Description of Assurance Levels For the purposes of e-government transactions, this guidance describes four assurance levels for authentication. In this context, assurance is defined as how much confidence the relying party has that the electronic identity credential presented is done so by the person whose identity is asserted by the credential. These levels are each appropriate for different classes of electronic transactions. In general, informal or lower value transactions will require less stringent assurance levels. Higher value or legally significant transactions will require more stringent assurance levels. 2.2. How To Determine an Assurance Level Step 1: Agencies should conduct a systematic risk assessment of the transaction. The risk assessment will determine the required assurance level and will measure the relative severity of the potential harm to the agency or user of the e-government application and other transaction participants in the event of an improperly validated or unauthorized authentication. Each of the 4 levels described in Section 2.4 contains a profile of consequential risks. The more severe the likely consequences, the more confidence required in the asserted electronic identity in order to engage in a transaction, and, therefore, the higher the assurance level required. The definition of each assurance level is directly correlated to the degree of confidence or certainty that the agency must have in the identity of the user. Assurance levels are the vital link between the risk assessments of applications and the selection of authentication solutions. Agencies should consider a wide range of possible scenarios in seeking to determine what risks are associated with their business process. It is better to be over inclusive than under inclusive in conducting this analysis. Risk analysis is to some extent a creative process, in which agencies must consider harms that might result from, among other causes, technical failures, malignant third parties, public misunderstandings, and human error. Step 2: Match identified risks with assurance levels. The results of the risk assessment should be summarized, and then [[Page 41372]] be directly compared to these profiles. The closest match to one of the level profiles will determine the assurance level. In determining the required assurance level, an agency should initially identify risks inherent in the transactional process without considering the particular technologies used to implement authentication for that transaction. For example if during a medical procedure, the misuse of a user's electronic identity/credentials might result in risk to the user's personal safety, then, following this guidance, the agency would assign a level 4 assurance to this transaction, even if potential financial loss or other consequences are minimal. In making this determination, business process owners should seek to use the minimum assurance level that meets their risk requirements. Step 3: Determine implementation technology based on the e- authentication technical guidance. After the assurance level has been determined, the agency should refer to the e-authentication technical guidance for the process requirements corresponding to that level. After the technical solution is chosen, a final validation should be conducted to confirm that the required assurance level of the end-to-end user to agency process has been operationally achieved. Note that authorization determines whether or not the authenticated has rights to complete the transaction. Note that some technology solutions may create or compound particular risks. Thus, after selecting a specific solution, the agency should validate that the performance of the authentication process itself actually meets the identity assurance requirements for the transaction as part of required security procedures (e.g., certification and accreditation). 2.3. Assurance Levels: Descriptions and Examples This section describes the four assurance levels. The levels represent ranges of confidence in an electronic identity presented to an agency by means of a credential. The levels are numbered from 1 to 4, with 1 being minimal assurance and 4 being the highest level of identity assurance. For each level, there is a description and examples. The description and examples will assist the agency in identifying the appropriate level of assurance required to authorize a transaction. The key part of each description is a risk profile. This is a description of certain consequential risks that may ensue to participants in a transaction when there is an authentication error. Level 1--Minimal Assurance Description At level 1, little or no assurance is placed in the asserted electronic identity of the transacting party. In particular, an authentication error of a user's identity at level 1 might result in at most-- [sbull] Minimal inconvenience to any party; and [sbull] No financial loss to any party; and [sbull] Minimal distress being caused to any party; and [sbull] Minimal damage to any party's standing or reputation; and [sbull] No risk of harm to agency programs or other public interests; and [sbull] No risk of civil or criminal violations; and [sbull] No release of personal, U.S. government sensitive, or commercially sensitive data to unauthorized parties; and [sbull] No risk to any party's personal safety. Examples Examples of transactions that might merit level 1 authentication include-- [sbull] A user presents a self registered user ID or password to the United States Department of Education web page, which allows customization of a Web site to create a ``My.ED.gov'' page. There are some possible risks associated with this situation; for example, a third party who gained unauthorized access to such a user ID and password might be able to draw inferences about the user's business interests or plans or the user's personal situation based on the types of information in which the user has an interest. Unless the website is subject to a high degree of customization, however, these risks are probably very minimal. [sbull] A user participates in an online discussion on the whitehouse.gov website. Assuming that the forum is not one that addresses sensitive or private information, there are no obvious risks associated with this situation. Level 2--Low Assurance Description Level 2 is appropriate for transactions in which it is sufficient that, on the balance of probabilities, there is confidence in the asserted electronic identity of the transacting party. In particular, an authentication error of a user's identity at level 2 might result in-- [sbull] Minor inconvenience to any party; or [sbull] Minor financial loss to any party; or [sbull] Minor damage to any party's standing or reputation; or [sbull] Minor distress being caused to any party; or [sbull] Minor risk of harm to agency programs or other public interests; or [sbull] A risk of civil or criminal violations of a nature that would not ordinarily be subject to agency enforcement efforts; or [sbull] A minor release of personal, or commercially sensitive data to unauthorized parties; and [sbull] No release of U.S. government sensitive data to unauthorized parties; and [sbull] No risk to any party's personal safety. Examples Examples of transactions that might merit level 2 assurance include-- [sbull] A user engages in online learning on the Gov Online Learning Center at golearn.gov. There is a need for authentication such that the user is recognized by the training service and be connected to the appropriate place in the course or given relevant assignment grades, when training affects compensation or promotion. The only risk associated with this transaction is that a third party will gain access to grading information, causing harm to the privacy interests or reputation of the student. If the agency determines, in the context of the particular program, that any such harm will be minor, the transaction is level 2. [sbull] A user accesses their Social Security retirement account information online. Level 3--Substantial Assurance Description Level 3 is appropriate for transactions that are official in nature, and for which there is a need for high confidence in the asserted electronic identity of the transacting party. In particular, an authentication error of a user's identity at level 3 might result in-- [sbull] Significant inconvenience to any party; or [sbull] Significant financial loss to any party; or [sbull] Significant damage to any party's standing or reputation; or [sbull] Significant distress being caused to any party; or [sbull] Significant harm to agency programs or other public interests; or [sbull] A risk of civil or criminal violations that may be subject to agency enforcement efforts; or [sbull] A significant release of personal, U.S. government sensitive, or commercially sensitive data to unauthorized parties; and [sbull] No risk to any party's personal safety. Examples Examples of transactions that might merit level 3 assurance include: [sbull] A patent attorney company reports and updates data on- line with the Patent and Trademark Office that would be of great value as competitive intelligence. [sbull] A major contractor or supplier maintains an account with a General Services Administration Contracting Officer for a large government procurement involving significant government expenditures. [sbull] A First Responder accesses a disaster management reporting website to report an incident and to share incident operational information, and to coordinate incident response activities. Level 4--High Assurance Description Level 4 is appropriate for transactions that are official in nature for which there is a need for very high confidence in the asserted electronic identity of the transacting party. In particular, an authentication error of a user's identity at level 4 might result in-- [sbull] Considerable inconvenience to any party; or [sbull] Considerable financial loss to any party; or [sbull] Considerable damage to any party's standing or reputation; or [sbull] Considerable distress being caused to any party; or [sbull] Considerable harm to agency programs or other public interests; or [sbull] A risk of civil or criminal violations that are of special importance to the agency enforcement program; or [sbull] A damaging release of extensive personal, U.S. government sensitive, or commercially sensitive data to third parties; or [sbull] A risk to any party's personal safety. Examples Examples of transactions that may require level 4 assurance include-- [[Page 41373]] [sbull] A State or local law enforcement official accesses a law enforcement database containing information about the criminal records of individuals. Unauthorized access would violate the legal privacy rights of individuals or compromise investigations. [sbull] A VA pharmacist dispenses a controlled drug. He/She would need full assurance that a qualified doctor had signed the prescription. In this case, the pharmacist's actions on the transaction carries criminal liability that the prescription was the correct drug(s), in the correct quantity, and that the prescription was validated before filling the prescription. 2.4. Additional Considerations Each step of the authentication process--from identity proofing, to issuance of a credential, to management and use of the credential in a well-managed secure application, and ultimately to record keeping and auditing--influences whether the process conforms to the desired assurance level. The level of assurance achieved by each step of the process needs to be considered. The step that provides the lowest level of assurance may often determine the assurance level for the entire authentication process. Ideally each step in the authentication process should be consistent in its strength and robustness. A strong identity proofing process, combined with a strong credential and a robust management practice (including a strong archive and audit process) will contribute to the highest level assurance of identity. However, the best authentication process needs to be supported by well-engineered and tested user and agency software applications. In making the risk assessment, the business process owner must consider all the direct and indirect consequences as presented in the definitions of the levels. Since each assurance level uses the terms ``minimal'', ``minor'', ``significant'', or ``considerable'', the business process owner will need to consider the terms in the context of the parties likely to be affected and their typical views. While it is realized that these terms are subjective, it is expected that these will be solidified through implementation and practice. For example, risk assessments have already been conducted on the E-Government Initiatives to determine their appropriate assurance levels. As stated in OMB's GPEA guidance, properly implemented technologies can offer degrees of confidence in authenticating identity that are greater than a handwritten signature can offer. However, electronic transactions may in some circumstances affect the risk of criminal and civil violations, increase the harms associated with such violations, and complicate redressing such violations. Legal and law enforcement issues are discussed in the Department of Justice's Guide for Federal Agencies on Implementing Electronic Processes (found at http://www.cybercrime.gov/ecommerce.html#GFA , November 2000). Agencies should consider these issues in assigning transactions to particular assurance levels. Violations of the law can present significant policy issues for an agency. The risk assessment process should consider the potential effects of illegal activities or other process failures in light of the agency's enforcement priorities, the agency's programmatic interests, and such broader public interests as national security, the environment, and the proper functioning of markets. Some of these harms are specifically described in each level (such as financial loss or release of personal information); others will depend on a particular agency's programmatic interests. The risk analysis reflects this issue by referring to risks of criminal or civil violations and harm to agency programs or the public interest. In assessing this risk and designing a process, agencies should take into account not just the effects of a single violation or other act, but the possibility of a pattern of actions that might affect agency programs. For instance, if sensitive information could be obtained from an agency website, the agency should consider the effects of a possible pattern of such activity, not just a single action, in assessing risk levels. (Note that unauthorized access to an agency website is itself a criminal offense, see, e.g., 18 U.S.C. 1029, 1030. Agencies should consider the effects and risks associated with such unauthorized access, rather than focusing on the unauthorized access itself, in assessing such risks.) 3. Determining Assurance for Credential Service Providers Credential Service Providers (CSPs) are organizations, both governmental and non-governmental, that issue and in some cases may maintain electronic credentials. CSPs can handle several of the steps in the e-authentication process. Because the CSP's issuance and maintenance policy influences the trustworthiness of an e- authentication process, CSPs will also need to be assessed to determine the e-authentication level to which their credentials pertain. For example, if a CSP follows all process/technology requirements for authentication level 3, a user may use a credential provided by the CSP to authenticate himself for a transaction requiring authentication levels 1, 2, or 3. Additional information on CSPs will be included in both the E-Authentication technical guidance and in separate guidance issued by the E-Authentication E- Government Initiative. 4. Implementing an Authentication Process 4.1. Overview of the E-Authentication Process When determining e-authentication needs, agencies must consider the entire e-authentication process. An agency cannot simply determine the level of credential that will be required to validate a user's identity without also determining how that credential will be processed by the agency business applications. They must determine the requirements for each step in the e-authentication/ authorization process. This process includes the following steps: [sbull] Initial enrollment. [sbull] Repeat visits. [sbull] Verification of identity. [sbull] Transaction management. [sbull] Long term records management. [sbull] Periodic tests of the system. [sbull] Suspension, revocation, reissue. [sbull] Audit. Each of these steps will be explained in more detail in the e- authentication technical guidance. Responsibility for these steps lies with the individual business process owners or designated agency or cross agency authority. 4.2. Use of Anonymous Credentials Anonymous credentials may be appropriate when it is not necessary that authentication be associated with a known personal identity (as opposed to identity authentication). To protect privacy, it is important to balance the need to know who is communicating with Government with a citizen's right to privacy. This includes ensuring that information is used only in the manner in which individuals have been assured it will be used. In some cases, it may be desirable to preserve the anonymity of individuals and it may be sufficient for the purposes of an application to authenticate that-- [sbull] The user is a member of a group; and/or [sbull] The user is the same individual who supplied or created information in the first place; and/or [sbull] A particular user is entitled to use a particular pseudonym. These anonymous credentials will have limited application. In some cases, individuals would have an anonymous as well as a non- anonymous credential. Anonymous credentials can be used up until level 3. 4.3. Information Sharing and the Privacy Act When developing authentication processes, agencies must consider the requirements for managing security in the collection and storage of information associated with the process of validating a user's identity. As required by the E-Government Act of 2002 (Public Law 107-347), section 208, 44 U.S.C. Sec. 3604, agencies are required to conduct privacy impact assessments for electronic information systems and collections, which includes when authentication technology is newly applied to an electronic information system. The following information is captured in most e-authentication processes: [sbull] Information regarding the individuals/ businesses/ governments using the E-Gov service. [sbull] Electronic user credentials (i.e., some combination of public key certificates, user identifiers, passwords, and Personal Identification Numbers). [sbull] Transaction information associated with user authentication, including credential validation method. [sbull] Audit Log/Security information. Some of this information includes personal information as defined by the Privacy Act and, systems that use the information are considered systems of records that must meet all requirements of the Privacy Act and the E-Government Act. Data collected and stored during the authentication process should only be accessible routinely to systems administrators and to auditors. As required by the Privacy Act, access to the system of [[Page 41374]] records must be provided to registered users to allow them to see and/or change personal information about them maintained in the system of records. Information from the system of records should not be shared routinely outside of legitimate needs as permitted or required by law for the administration and control of the authentication process. In order to authenticate a user, it may be necessary for an agency providing an E-Gov service to obtain additional information about that user through the CSP that issued the user his/her credential. In such a case, the CSP must ask the user for permission and be granted that permission by the user to provide the specified information to the e-gov service provider. Disclosure of the additional information by the CSP to the e-gov application or service may also be established prior to the time of the transaction, if it is outlined in the terms of the relationship between the user and the CSP. 4.4. Cost Considerations In most cases, higher levels of assurance require more costly credentials; however minimizing the number of credentials can create cost savings. Section 3 of the GPEA guidance provides additional information on assessing risks, costs, and benefits. In-person proofing is most likely more expensive. The e-authentication technical guidance will provide alternatives for addressing some of the authentication levels that may help agencies to better manage the costs of authentication. 4.5. Relationship to Other Guidance 4.5.1. Federal Bridge Certification Authority Federal Bridge levels will be mapped to the assurance levels described in this document. Since these assurance levels take into account a wide range of authentication solutions, the levels described in this guidance differ from the levels established by the Federal Bridge Certification Authority (FBCA) Certificate Policy. For example, levels 1 and 2 in this e-authentication policy are primarily reserved for non-cryptographic authentication solutions not covered by the FBCA. However, it is likely that some public key infrastructure (PKI) solutions and the FBCA Rudimentary Certificate Policy will map to level 1 or level 2. The FBCA Basic Certificate Policies and the FBCA Medium Certificate Policies will fall in level 3, while FBCA High Certificate Policy will fall into level 4. 4.5.2. Federal Information Processing Standards Publication 199 While this E-Authentication Guidance addresses the consequential risk in making an authentication error, NIST is in the process of developing much broader risk levels for Federal information and Information Systems. NIST is in the process of developing a Federal Information Processing Standards Publication (FIPS) 199, ``Standards for Security Categorization of Federal Information and Information Systems'' promulgated under the E-Government Act of 2002 (Public Law 107-347). The standards establish three levels of risk (low, moderate, and high) for each of the stated security objectives (confidentiality, integrity, and availability) relevant to securing Federal information and information systems. It is expected that these levels established in FIPS 199 will map to the levels in the e-authentication guidance. When an authentication error might cause a loss of confidentiality, integrity or availability, then-- [sbull] If the risk as defined in FIPS 199 is low, authentication assurance levels 1 through 4 are sufficient; [sbull] If the risk as defined in FIPS 199 is moderate, authentication assurance level 3 or 4 should be used; and [sbull] If the risk as defined in FIPS 199 is high, authentication assurance level 4 should be used. 5. Effective Dates of This Guidance The Effective Dates for this guidance is 30 days after issuance as final policy. Additional information can be found in the supplemental information above. [FR Doc. 03-17634 Filed 7-10-03; 8:45 am]