Digital Autopen Playbook
The Delegated Digital Signature Working Group of the Federal Chief Information Security Officer Council Identity, Credential, and Access Management Subcommittee developed this playbook to outline the process for a federal agency to implement a digital autopen for Federal Register documents.
This playbook outlines the process for an agency to implement a Digital Autopen for Federal Register documents. Federal regulatory agencies issue regulations based on laws enacted by Congress or an executive power. Those regulations may be digitally signed and submitted electronically to the Office of the Federal Register (OFR) for publication. OFR requires all documents submitted for publication to be signed by an official authorized to act for the agency. When an official is unavailable or unable to sign a document, they may authorize another agency employee to use a digital autopen to affix the official’s digital signature to the document. This playbook assumes that the agency has existing rules governing the delegation of authority and builds upon such rules to outline a three-step process to create a digital autopen to sign a Federal Register document.
- Define the agency process to delegate signing Federal Register documents.
- Define controls to ensure the certificate and associated key are used only for the intended purpose.
- Obtain a role-based digital signature certificate from a Federal Public Key Infrastructure (PKI) Shared Service Provider.
This playbook recommends using a role-based signature certificate issued to a hardware device (e.g., smart card, USB hardware device, or other FIPS-140 Level 2 certified hardware) from a Federal PKI Certification Authority. Federal Agency Certification Authorities may also issue this certificate on their own. The digital autopen certificate can only digitally sign documents. An agency should consider additional controls to limit its use only to sign Federal Register documents. This playbook supports OMB Circular A-130 goals, including developing and implementing processes to support employee digital signatures.
Send any questions on the process to ICAM at gsa.gov.
- Authorizing sponsor - The federal official authorized to sign Federal Register documents.
- Digital autopen - The digital equivalent of a physical autopen solution.
- Digital autopen certificate - A Federal PKI role-based digital signature certificate used to sign Federal Register documents when approved by the authorizing sponsor.
- Digital autopen recipient - The person identified by the authorizing sponsor to use the digital autopen to affix the authorizing sponsor’s signature to a Federal Register document.
- Federal PKI - The Federal PKI is a network of certification authorities (CAs) that issue PIV credentials and person identity certificates, PIV-Interoperable credentials and person identity certificates, and other person identity certificates. For more information on the Federal PKI, contact FPKI at gsa.gov.
- Federal Register document - A document drafted for the express purpose of publication in the Federal Register.
- Office of the Federal Register (OFR) - The agency responsible for publishing the Federal Register.
The Delegated Digital Signature Working Group of the Federal Chief Information Security Officer Council ICAM Subcommittee developed this Playbook. U.S. Federal Executive Branch agencies can use this Playbook to supplement existing electronic signature policy and implement specific procedures to create a digital autopen to sign Federal Register documents. This Playbook is not official policy or mandated action, nor does it provide authoritative information technology terms. It includes best practices to supplement existing federal policies and builds upon Office of Management and Budget Memorandum 19-17, A-130, and existing FICAM guidance and playbooks. Subject areas with intersecting scopes, such as delegations of authority, certificate issuance procedures, and internal controls, are considered only to the extent that they relate to a digital autopen.
This playbook reflects the contributions of the Delegated Digital Signature working group of the Federal Chief Information Security Officer Council Identity, Credential, and Access Management Subcommittee. The working group was co-chaired by the Internal Revenue Service and the General Services Administration. Contributing members include:
- Department of Agriculture
- Department of Health and Human Services
- Department of Homeland Security
- Department of State
- Department of Veterans Affairs
- General Services Administration
- Government Printing Office
- Internal Revenue Service
- National Archives and Records Administration
Appendix B includes recommended policy and guidance updates identified by the working group.
The Digital Autopen
Federal agencies must publish documents in the Federal Register for various reasons. Only federal employees with the proper authority may sign those documents. Such an employee is referred to as the Authorizing Sponsor in this document. When the Authorizing Sponsor is unavailable, they may authorize the use of a digital autopen to affix their signature to a Federal Register document. An authorizing sponsor may be unavailable for several reasons.
- No access to technology that can leverage a PIV card or digital signature certificate.
- Travel situations outside of normal working hours that require Federal Register submission.
- Efficiency when multiple documents must be signed.
The OFR outlines signing requirements in the Document Drafting Handbook. There are three main requirements.
- The signer must be a federal employee with the authority to act for an agency. Laws or Executive Orders define which agency is the regulatory body, while an agency determines who has the authority to sign Federal Register documents.
- The title in the signature block must be related to the authority to sign the document. It cannot include honorary titles or titles associated with a different agency role.
- The signature block must match the signer’s full name as it appears in the digital signature certificate subject name. See the OFR Document Drafting Handbook for accepted variations. The Personal Identity Verification (PIV) card is a primary means for digitally signing a document.
An agency may delegate the authority to electronically sign a document to someone with an official executive agency billet, such as a Deputy Secretary or General Counsel. An agency may delegate a signature to an appropriate authority named in a Federal Register document (see Figure 1).
Figure 1. Named Delegation Example
However, in some circumstances, only the federal executive has the authority to sign a Federal Register document. The Federal Register document may face various legal challenges if not signed by the proper authority. This paper proposes a second option, in which the Authorizing Sponsor completes an official agency delegation of authority process to authorize the use of a digital autopen. A digital autopen leverages a Federal PKI role-based digital signature certificate. This option is the focus of the remainder of this paper.
A digital signature is a cryptographically secure electronic signature. An agency achieves the cryptographic component by using a PKI certificate. For more information on the difference between electronic and digital signatures, see the Federal CIO Council guidance on the Use of Electronic Signatures in Federal Organization Transactions. An agency can request a role-based digital signature certificate from a Federal PKI Shared Service Provider. A PIV card is issued to a single person and not shared under any circumstance.
This playbook outlines the process for federal agencies to create a Federal Register digital autopen process. It outlines controls around the digital autopen certificate to meet the OFR’s digital signature requirements for Federal Register documents and federal cybersecurity. For instructions on digitally signing a Federal Register document, see the FICAM Playbook Digitally Sign an Office of the Federal Register Document.
An agency may implement or update a process by following these three playbook steps.
- Define the agency process to delegate signing Federal Register documents.
- Define controls to ensure the certificate and associated key are used only for the intended purpose.
- Obtain a role-based digital signature certificate from a PKI Shared Service Provider.
Send any process questions or concerns to ICAM at gsa.gov.
Step 1. Define the Agency Process
This section is written for executive staff to understand an overall digital autopen process. An agency owns the process for identifying authorized individuals and delegating authority to others. This playbook builds on the assumption that agencies have a defined process for Federal Register documents, which should be updated to include the extra steps and guidance to leverage a digital autopen. At the end of this step, agency executive staff will have the following deliverables.
- A delegation of authority through an agency policy.
- A digital autopen standard operating procedure.
- Signed user agreements from the Authorizing Sponsor and Digital Autopen Recipient.
- Senior security official approval.
Delegate Authority Through An Agency Policy
An agency has the authority and should have an existing process to delegate specific agency activity. An agency should follow its existing delegation process to delegate digitally signing Federal Register documents. This paper will not outline how to create a delegation process. Agencies should involve their General Counsel’s Office for advice and recommendations on the agency’s authority and delegation process.
Develop a Standard Operating Procedure
An agency must define the delegation process, including maintaining, auditing, and measuring the process through a standard operating procedure. Collaborate in the early stages of development with your technology and security officials to create an agreeable process within the agency’s risk appetite. The rules or Standard Operating Procedure should include the following elements.
- An agency policy that delegates the Federal Register signing authority to leverage a digital autopen.
- A process to receive delegation approval and affix a digital autopen signature to a document. See Appendix C for an example of a decision document.
- A process to obtain a role-based certificate. Required and optional controls are in Step 2.
See Appendix C for sample templates including standard operating procedures.
A user must understand their responsibilities and the requirements to use and protect a digital autopen certificate. See Appendix C for an example of a user agreement. An agency may define additional annual training or refresher requirements. The user signs the agreement to obtain a certificate.
The final step involves an agency defining the issuance request procedures. The issuance document is signed by the agency’s senior security official, such as the Chief Security Officer or Chief Information Security Officer. As part of the issuance, the requesting office may submit the following verification documents:
- An agency policy delegating signing authority to an office or a designated individual.
- A requesting office document that identifies the digital autopen recipient.
- The current version of a digital autopen standard operating procedure.
- Verification that this request doesn’t exceed the maximum number of allowed delegates.
- A signed user agreement.
The agency senior security official or designate verifies the request with supporting documentation and approves or disapproves as appropriate. Once the request is approved, the agency stores the evidence for audit or review purposes and submits the required information to their certificate issuer. See Appendix C for an issuance request example.
Step 2. Define Controls
This section is written for security and risk managers to identify specific controls that mitigate the risk of unintended digital autopen use. An agency should define and implement controls to ensure the digital autopen certificate is only used for its intended purpose. Controls may include a combination of physical or logical controls to limit how or when a digital autopen certificate is used. Agencies should integrate these controls into an existing audit process. Agencies must adopt the following required administrative and certificate controls.
Required Administrative Controls
- Review the digital autopen standard operating procedures annually, or more frequently (Template).
- Before digital autopen issuance, verify the authorizing sponsor and each digital autopen recipient have a valid PIV card.
- The digital autopen recipient must be a federal employee.
- The digital autopen recipient must sign a user agreement (Template).
- The authorizing sponsor must separately authorize each use of the digital autopen signature, and the digital autopen recipient must keep a record of each approval (Template).
Required Certificate Controls
- A digital autopen certificate is never issued on a PIV card.
- Issue a digital autopen certificate to a hardware device such as a smart card on GSA’s FIPS 201 Evaluation Program Approved Product List or a FIPS-140 Level 2 certified authenticator or security module.
- If the digital autopen certificate is issued to a smart card:
  - It shall be visually distinct from a PIV card.
  - It shall not have a photo.
  - It shall have the words “digital autopen” or similar to identify the card uniquely.
- Maximum of two digital autopen recipients to one authorizing sponsor.
- Authentication of the authorizing sponsor and digital autopen recipient is performed using their PIV cards.
- The common name in the certificate must state the role of authorizing official such as “Secretary of Homeland Security” or “Secretary Name - Secretary of Homeland Security.”
- The validity period of the digital autopen certificate must:
  - not exceed twelve months or
  - be set to the associated expiration date of the digital autopen recipient’s PIV card if less than twelve months remains until expiration.
- After issuance, the authorizing sponsor is notified of digital autopen certificate issuance via email or other means of communication.
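The required controls above that can be evaluated from request data can be expressed as a pre-issuance check. The following is an added example, not part of the playbook or of any agency's or issuer's tooling; the `IssuanceRequest` record, its field names, the device labels, and the sample requests are all assumptions made for illustration. Physical card controls (no photo, distinct appearance) and the post-issuance notification are outside its scope.

```python
from dataclasses import dataclass, replace
from datetime import date
HARDWARE_DEVICES = {"smart_card", "usb_token", "hsm"}  # assumed labels

@dataclass
class IssuanceRequest:  # hypothetical record; every field name is an assumption
    common_name: str
    sponsor_role: str
    device: str
    recipient_is_federal_employee: bool
    user_agreement_signed: bool
    sponsor_piv_expiry: date
    recipient_piv_expiry: date
    existing_recipients: int  # recipients this sponsor has already delegated to
    not_before: date
    not_after: date

def add_twelve_months(d: date) -> date:
    try:
        return d.replace(year=d.year + 1)
    except ValueError:  # 29 Feb has no counterpart in the following year
        return d.replace(year=d.year + 1, day=28)

def latest_not_after(req: IssuanceRequest) -> date:
    # Twelve months at most, shortened to the recipient's PIV expiry if sooner.
    return min(add_twelve_months(req.not_before), req.recipient_piv_expiry)

def violations(req: IssuanceRequest) -> list[str]:
    found = []
    if req.device == "piv_card":
        found.append("never issue the certificate on a PIV card")
    elif req.device not in HARDWARE_DEVICES:
        found.append("issue the certificate to a hardware device")
    if not req.recipient_is_federal_employee:
        found.append("recipient must be a federal employee")
    if not req.user_agreement_signed:
        found.append("recipient must sign a user agreement")
    # Expiry stands in for PIV validity; a real check also covers revocation.
    if min(req.sponsor_piv_expiry, req.recipient_piv_expiry) < req.not_before:
        found.append("sponsor and recipient both need a valid PIV card")
    if req.existing_recipients >= 2:
        found.append("maximum of two recipients per authorizing sponsor")
    if req.sponsor_role.lower() not in req.common_name.lower():
        found.append("common name must state the authorizing official's role")
    if req.not_after > latest_not_after(req):
        found.append(f"validity must end by {latest_not_after(req)}")
    return found

# Constructed sample requests (not real certificates or people).
GOOD = IssuanceRequest("Jane Smith - Secretary of Homeland Security",
                       "Secretary of Homeland Security", "smart_card", True, True,
                       date(2026, 1, 15), date(2024, 9, 30), 1,
                       date(2024, 3, 1), date(2024, 9, 30))
BAD = replace(GOOD, common_name="Jane Smith", device="piv_card",
              existing_recipients=2, recipient_piv_expiry=date(2026, 1, 1),
              not_after=date(2025, 6, 1))
```

`violations(GOOD)` returns an empty list because the requested end date equals the recipient's PIV expiry; `violations(BAD)` lists four failed controls, which the senior security official's review in Step 1 would need resolved before approval.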
Due to unique agency risks, the working group identifies the optional controls below for additional consideration. Consider remote work and exigent circumstances before applying a physical location control. For example, limiting use to working hours will hinder agency signing operations during off hours when the Authorizing Sponsor is not available to digitally sign.
- Develop an automated approval workflow as an auditable mechanism to record when a delegation is given.
Step 3. Obtain a Digital Autopen Certificate
A digital autopen certificate is available from any Federal PKI Shared Service Provider. Federal Agency Legacy PKI may also issue this certificate for their agency. An agency must request a ROLE-BASED SIGNATURE CERTIFICATE. Check with your Homeland Security Presidential Directive-12 Security Office or PIV card issuer to see whether they can issue a role-based certificate. Federal PKI Shared Service Providers are listed as government identity providers on idmanagement.gov. They provide Federal PKI certificates and PIV services.
While OFR accepts any Federal PKI digital signature certificate, this playbook recommends a hardware-based certificate issued to a FIPS-140 Level 2 certified hardware device such as a visually distinct, approved smart card or USB device such as a FIDO authenticator. Below are examples of the Common Name used in digital autopen certificates.
Table 01. Example Common Name in Role-Based Certificate
| Position | Common Name Example | Note |
|---|---|---|
| Secretary | CN: Secretary of DHS Jane Smith | Exclusive to the Secretary Role. |
| Commissioner | CN: Commissioner FDA John Smith | Exclusive to the Commissioner Role. |
| Administrator | CN: Administrator NASA Jane Smith | Exclusive to the Administrator Role. |
| Director | CN: Director ATF Jane Smith | Exclusive to the Director Role. |
This paper outlines a process for an agency to create and leverage a digital autopen for Federal Register documents. An agency must define its approach in a policy, identify a solution, and then obtain a certificate. This paper recommends an agency use a hardware-based certificate for added security and control. This paper also includes policy recommendations for suggested updates to the OFR Document Drafting Handbook, Federal PKI Certificate Policy, FICAM playbooks, and the CIO Council E-Signature Document.
Appendix A. References
- Office of the Federal Register’s Document Drafting Handbook
- Federal CIO Council & Federal Public Key Infrastructure Policy Authority (FPKIPA) - Use of Electronic Signatures in Federal Organization Transactions
- FICAM Playbook - How to Digitally Sign an Office of the Federal Register Document
- X.509 Certificate Policy for the U.S. Federal PKI Common Policy Framework
Appendix B. Policy Recommendations
The Delegated Digital Signature Working Group identified policy update recommendations to streamline signature processes.
Recommendation 1. Update OFR’s Document Drafting Handbook
Recommendation: Update the Document Drafting Handbook consistent with this paper to clarify guidance on digital autopen signatures. Resolution: Pending final digital autopen paper.
Recommendation 2. Update Federal PKI Certificate Policy for Digital Autopen
Recommendation: Update the Federal Common Policy Certificate Policy for specific procedures to issue a digital autopen certificate. Resolution: The Federal PKI Policy Authority identified existing procedures for role-based certificates are sufficient.
Recommendation 3. Update FICAM Playbook on Digitally Signing an OFR Document
Recommendation: Update the FICAM Playbook - How to Digitally Sign an Office of the Federal Register Document in line with this paper. Resolution: Pending final digital autopen paper.
Recommendation 4. Update the Federal CIO E-Signature Document
Recommendation: Update the Federal CIO E-signature document to reference this paper. Resolution: Pending final digital autopen paper.