Federal Information Processing Standards (FIPS); Extension of Waiver

ACTION:

Notice of FIPS waiver.

SUMMARY:

The Chief Information Officer for the Environmental Protection Agency (EPA) has granted an extension to the waiver (published October 1, 1998, at 63 FR 52693) authorizing the Agency to continue to use the cryptographic features in the commercial software application, Travel Manager Plus. The software's cryptographic features do not comply with Federal Information Processing Standards: 46-3 Data Encryption Standard (DES); 140-1, Security Requirements for Cryptographic Modules; 180-1, Secure Hash Standard; and 186-2, Digital Signature Standard. This waiver is being issued pursuant to the Federal Property and Administrative Services Act of 1949, as amended, 40 U.S.C. 1441.

DATES:

This waiver extension takes effect on November 24, 2000 and expires on January 1, 2004.

FOR FURTHER INFORMATION CONTACT:

Mark Day, Director, Office of Technology, Operations, and Planning, Office of Environmental Information, 401 M Street SW, Mail Code 2831, Washington, DC 20460, 202-260-4465.

SUPPLEMENTARY INFORMATION:

Federal Information Processing Standards (FIPS) 46-3 Data Encryption Standard (DES); 140-1, Security Requirements for Cryptographic Modules; 180-1, Secure Hash Standard; and 186-2, Digital Signature Standard publications establish standards for generating digital signatures (which can be used to verify authenticity) and for the encryption of sensitive information transmitted and stored electronically. As authorized by 40 U.S.C. 1441(c), these FIPS publications permit Federal agencies to waive them under certain circumstances: A waiver may be granted if (1) compliance with a standard would adversely affect the accomplishment of the mission of an operator of a Federal computer system; or (2) compliance with a standard would cause a major adverse financial impact on the operator which is not offset by Governmentwide savings.

Travel Manager Plus is commercial off the shelf (COTS) software that is on the General Services Administration (GSA) schedule. The application complies with a broad range of governmentwide requirements including Travel System Requirements issued by the Joint Financial Management Improvement Program.

EPA plans to deploy Travel Manager Plus agency-wide so that the process of reimbursing EPA employees can be fully automated. In addition to gaining efficiencies, by dramatically shortening the reimbursement process cycle, the Travel Manager Plus software will help ensure that the Agency complies with new legal requirements that travelers be reimbursed promptly.

The EPA Chief Information Officer has granted a waiver from the four FIPS cited above to enable EPA to continue to use the built-in cryptographic features in Travel Manager Plus. EPA determined that the cryptographic protection embedded in Travel Manager Plus provides an appropriate level of security to protect the unclassified information used, communicated, and stored on the system.

If the Agency were to purchase and maintain FIPS-compliant applications for its automated travel reimbursement system, the additional costs would be prohibitive. By relying on the FIPS non-compliant cryptographic features embedded in Travel Manager Plus, EPA will be able to achieve a fully automated travel reimbursement system that has adequate and cost-effective security.

In accordance with FIPS requirements, notice of this waiver has been sent to the National Institute of Standards and Technology, the Committee on Government Reform and Oversight of the House of Representatives, and the Committee on Governmental Affairs of the Senate.