Upload
genevieve-peachey
View
218
Download
2
Embed Size (px)
Citation preview
Authentication of the Federal Register
Charley Barth
Director, Office of the Federal Register
United States Government
2
Off
ice
of t
he
Fed
eral
Reg
iste
r
• Federal Register Act approved in 1935• Make executive legislation accessible to citizens
– Publish a gazette containing the orders of the Executive Branch
• Began statutory partnership between Office of the Federal Register (OFR) and Government Printing Office (GPO)
• OFR placed under the National Archives and Records Administration (NARA)
• Provided for public inspection of all documents filed with the OFR.
• Currently have 12 publications– Administer the Electoral College process– Administer the Constitutional Amendment ratification process
Background/History of the OFR
3
Off
ice
of t
he
Fed
eral
Reg
iste
r
• First Register was published on March 14, 1936 • First volume was 16 pages
• Published every working day, “Official Gazette of the United States Government”
• Provides legal notice of administrative rules, notices and presidential documents
• Average Daily Federal Register = 150 pages‒ Total pages in 2013 = 80,462
• Final rules published in the FR become part of the Code of Federal Regulations (CFR). Over 180,000 pages
• Available on-line since 1994, Web 2.0 version since 2010• Authentication of the digital FR began in 2009
Background/History of theFederal Register (FR)
4
Off
ice
of t
he
Fed
eral
Reg
iste
r
• GPO is as an Affiliated Archive of NARA and therefore the Official Federal Register resides on their platform (paper and electronic)
• Affiliated Archives receives physical custody of the records, while NARA retains legal custody and, along with it, ultimate responsibility for them.
• For this privilege, the affiliate, through a formal agreement with NARA, agrees to house, maintain, service and authenticate the (digital) records
GPO, Affiliated Archives &OFR partner
5
Off
ice
of t
he
Fed
eral
Reg
iste
r
• By Law, the OFR partners with GPO; OFR publishes the content, GPO prints and distributes the content to include online, digital format and authentication.
• GPO implements four measures to assure integrity and authenticity of FR content.1. Digital Signatures on PDF files
2. Cryptographic Hash Values on Metadata
3. Evidence of the Trusted Digital Repository through the FDsys archive
4. Demonstration of Chain of Custody
Basic Components ofGPO Digital Authentication
6
Off
ice
of t
he
Fed
eral
Reg
iste
rDigital Signatures on PDF Files
Digital signature technology is used to add a visible Seal of Authenticity to authenticated and certified PDF documents
Digital signature and certification assures users that the PDF file has not been altered since being digitally signed and made available by GPO
7
Off
ice
of t
he
Fed
eral
Reg
iste
r
• Upon submission to GPO, a number is generated for each content file that is unique to the data inside the file
• The SHA-256 hash value (Algorithm) recorded in metadata is used to detect changes to content files
• Any change that occurs results in a new hash value
• Users can search for content on FDsys and use hash values, with publicly available tools, to check that content
Cryptographic Hash Values
9
Off
ice
of t
he
Fed
eral
Reg
iste
r
• GPO uses best practices for establishing authenticity of content and maintaining integrity within FDsys
• GPO is working towards certification as a Trusted Repository– GPO utilized the Trustworthy Repositories Audit
and Certification: Criteria and Checklist (TRAC)– Security controls are in place that may allow
authorized users to submit new content and change descriptive metadata, but it is not possible to open a file in the repository and make changes to content
Trusted Digital Repository
10
Off
ice
of t
he
Fed
eral
Reg
iste
r
• GPO provides a chain of custody• Each significant event in the lifecycle of
content is recorded in PREMIS metadata• Records contain the content source, changes
that have occurred since the content was created or acquired, and who has custody of the content
Chain of Custody
11
Off
ice
of t
he
Fed
eral
Reg
iste
rChain of Custody –
Events Recorded in GPO PREMIS
Software Activities Human Agent Activities
• Message Digest Calculation• Crypto Digest Calculation• Ingestion• Fixity Check• Rendition Creation• ACP Creation• Digital Signature
Assignment• Parsing
• Rendition Upload• Rendition Deletion• Submission• Public Access Restriction• Replacement• AIP Nominated for Deletion• AIP Approved for Deletion
12
Off
ice
of t
he
Fed
eral
Reg
iste
r
• Pros:– GPO is able to utilize the widely used and trusted document
standard (PDF)– Use of Digital Signatures in conjunction with Cryptographic Hash
increases level of assurance– Provides quick visible confidence to end-users– It’s fast, secure, authentic, less risky & less costly in the long run!
• Cons:– Upfront costs of Digital Signatures may be cost prohibitive for
some organizations – If majority of your customer base prefers paper version
(traditional customers will doubt the integrity of online)– Some providers have limited storage options and use proprietary
software
Pros and Cons of usingDigital Signatures
13
Off
ice
of t
he
Fed
eral
Reg
iste
r
• Paper version well preserved since 1936 (thru 1985)– Paper is well cared for in compliant, archival centers (NARA
standard 36 CFR Part 1228, Subpart K)– Theft and Fire are biggest challenge
• From 1985 to 1994, we used microfiche– Silver Halide process can last 500 years– Virtually impossible to mutilate
• From 1995 to current, the electronic version on FDsys is the official record copy– Storage (expense and trusted providers/cloud)– Compromised content (via internal/external hacking)– Best formats 25, 50, 100 years from now? (risk of migrating
data from format to format)
Biggest challenges to preserving the Federal Register?
14
Off
ice
of t
he
Fed
eral
Reg
iste
r
• All digital materials published by the OFR and available on GPO’s FDsys utilize the same authentication
• For more information, go to:– Authenticity of Electronic Federal Government
Publications, http://www.gpo.gov/pdfs/authentication/authenticationwhitepaper2011.pdf
– Overview of GPO’s Authentication Program, http://www.gpo.gov/pdfs/authentication/authenticationoverview.pdf
• NARA Record storage standard:– http://www.gpo.gov/fdsys/pkg/CFR-2000-title36-v
ol3/xml/CFR-2000-title36-vol3-part1228-subpartK.xml
Authentication/Preservation of our other legal publications