5 June 1998
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-------------------------------------------------------------------------

[Federal Register: June 5, 1998 (Volume 63, Number 108)]
[Notices]
[Page 30794-30795]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr05jn98-159]

=======================================================================
-----------------------------------------------------------------------

SOCIAL SECURITY ADMINISTRATION

The Chief Information Officer of the Social Security Administration Grants to the Social Security Administration a Waiver From the Use of Certain Federal Information Processing Standards

AGENCY: Social Security Administration (SSA).

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The Chief Information Officer of the Social Security Administration grants to SSA a waiver from the use of the following Federal Information Processing Standards (FIPS):

1. The Secure Hashing Standard (FIPS 180-1);
2. The Digital Signature Standard (FIPS 186); and
3. The Data Encryption Standard (FIPS 46-2).

This waiver is granted pursuant to authority granted to the Secretary of Commerce by 40 U.S.C. section 1441, and delegated to the Commissioner of Social Security in the above referenced FIPS Publications. This authority was redelegated by the Commissioner of Social Security to the Agency's Chief Information Officer.

This waiver is granted to allow SSA to use commercial off-the-shelf cryptographic products such as those produced by RSA Data Security, Inc., in lieu of products conforming with the above-cited FIPS.

DATES: This waiver was effective January 26, 1998, and will remain in effect until the commercial off-the-shelf cryptographic products selected by SSA come under a FIPS or until it is rescinded by the Agency's Chief Information Officer.

FOR FURTHER INFORMATION CONTACT: Joan Hash, Systems Security Officer, Social Security Administration, Room 3206 Annex Building, 6401 Security Boulevard, Baltimore, Maryland 21235. Phone (410) 965-2765.

SUPPLEMENTARY INFORMATION: The FIPS cited above establish Federal standards for generating digital signatures, encrypting sensitive information transmitted over open networks such as the Internet, and storing this information electronically. Each of the cited FIPS also allows the heads of Federal Agencies to waive the use of the FIPS if certain conditions are met.

A waiver shall be granted by an Agency head only when:

a. Compliance with a standard would adversely affect the accomplishment of the mission of an operator of a Federal computer system, or
b. Cause a major adverse financial impact on the operator that is not offset by Government-wide savings.

The Agency's Chief Information Officer has determined that compliance with the referenced FIPS would adversely affect the accomplishment of the mission of the SSA and accordingly has granted a waiver from the use of the referenced FIPS.

SSA has a customer base of over 260,000,000 people, including individuals, businesses, small employers, organizations, and other Federal, State, and local government agencies. To accomplish the mission of serving these customers cost effectively, SSA is pursuing the use of electronic service delivery technologies, including the Internet. SSA has found that an increasingly large number of its customers prefer to work with the Agency directly through Internet services. To effectively serve them, SSA must use commercially accepted and available off-the-shelf products.

The above referenced FIPS provide for the use of products which have not gained wide acceptance commercially, and these standards are not incorporated in commercial off-the-shelf products. Notably, the Internet Browsers published by MICROSOFT and NETSCAPE, together representing 93% of the publicly used browsers, do not use the algorithms published in the referenced FIPS. Therefore, SSA is granted a waiver from the use of the cryptographic requirements contained in the referenced FIPS in order to allow the Agency to use commercially available and accepted off-the-shelf products.

In accordance with FIPS requirements, notice of this waiver will be sent to the National Institute of Standards and Technology, the Committee on Government Reform and Oversight of the House of Representatives, and the Committee on Governmental Affairs of the Senate.

Dated: January 26, 1998.

John R. Dyer,
Chief Information Officer, Social Security Administration.

[FR Doc. 98-14902 Filed 6-4-98; 8:45 am]
BILLING CODE 4190-29-P