[Federal Register Volume 62, Number 4 (Tuesday, January 7, 1997)]
[Notices]
[Pages 1001-1004]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 97-256]
-----------------------------------------------------------------------
POSTAL SERVICE
Information Based Indicia Program Interim Product Submission
Procedures
AGENCY: Postal Service.
ACTION: Notice of proposed procedures with request for comments.
-----------------------------------------------------------------------
SUMMARY: There are approximately 1.5 million postage meters in use in
the United States, which collectively account for approximately $20
billion in postal revenue annually. For several years the Postal
Service has been
[[Page 1002]]
actively pursuing a solution of the problem of inadequate postage meter
security. To respond to the threat of fraudulent use of meters by
physical tampering, the Postal Service intends to decertify and remove
from the market, in risk-driven phases, all mechanical and electro-
mechanical postage meters. Another problem the Postal Service has faced
is that currently available meter indicia are susceptible to
counterfeiting. The Postal Service is exploring using current
technology special purpose units such as computers and independent
printers to provide prepaid postage. This notice describes interim
product submission procedures for the Information Based Indicia Program
(IBIP) which the Postal Service is developing to support these
corrective efforts.
DATES: Comments on the proposed procedures must be received on or
before February 6, 1997.
ADDRESSES: Copies of the all draft specifications published to date
under the Information Based Indicia Program may be obtained from: Terry
Goss, United States Postal Service, 475 L'Enfant Plaza SW, Room 8430,
Washington, DC 20260-6807, (202)-268-3757. Mail or deliver written
comments to: Manager, Retail Systems and Equipment, United States
Postal Service, 475 L'Enfant Plaza SW, Room 8430, Washington DC 20260-
6807. Copies of all written comments may be inspected and photocopied
between 9 a.m. and 4 p.m., Monday through Friday, at the above address.
FOR FURTHER INFORMATION CONTACT: Terry Goss, (202) 268-3757.
SUPPLEMENTARY INFORMATION: The Information Based Indicia Program (IBIP)
is a Postal Service initiative supporting the development and
implementation of a new form of postage indicia. The Postal Service
envisions that the new indicium standard may eventually support new or
existing products and services. Specific products and services have not
been determined. An IBIP indicium (Federal Register Volume 61 Number
128 Tuesday, July 2, 1996) substitutes for a postage stamp or a postage
meter imprint as evidence of the fact that postage has been paid on
mailpieces. An IBIP Postal Security Device indicium (Federal Register
Volume 61 Number 128 Tuesday, July 2, 1996) provides cryptographic
signature, financial accounting, indicium creation, device
authorization, and audit functions. An IBIP Host System indicium
(Federal Register Volume 61 Number 209 Monday, October 28, 1996)
creates the indicium using data provided by the Postal Security Device
and the user, supports communications with the vendor's infrastructure,
provides a user interface, employs current postage rates, supports use
of standardized addresses, and maintains records regarding host system
use.
The goal for IBIP is to provide an environment in which customers
can apply postage through new technologies that improve postal revenue
security. This requires a new form of postage indicia and the adoption
of standards to facilitate industry investment and product development.
The manufacture and use of postage meters is governed by Postal
Service regulations (see 39 CFR Part 501; Domestic Mail Manual P030).
With the development of new proposed specifications under the IBI
Program that increases product security along with integrating advances
in technology, a new approach to product submission is required. This
new interim approach for product submission procedures covers product/
devices intended to meet IBIP specifications. Please note this proposed
procedure applies to product service providers of IBI products/devices.
It does not apply to users of IBI product/devices nor producers of mail
bearing the IBI as a form of evidence of postage.
As explained in detail below, there are nine steps proposed for the
Interim IBIP product submission process. These steps are entitled: (1)
Letter of Intent, (2) Non-Disclosure Agreements, (3) Concept of
Operations, (4) Documentation Requirement, (5) Vendor Infrastructure
Plan, (6) Product Submission/Testing, (7) Vendor Infrastructure
Testing, (8) Field Test (Beta) Approval (Limited Distribution), and (9)
Vendor/Product Approval (Full Distribution).
The proposed Interim IBIP product submission procedures [Draft]
include nine steps:
A. Letter of Intent
1. The vendor must submit a letter of intent to the Manager, Retail
Systems and Equipment (RSE), United States Postal Service, 475 L'Enfant
Plaza SW, Room 8430, Washington DC 20260-6807. Include in this letter
of intent (a) Date of correspondence, (b) Name and address of parties
involved in the proposal: manufacturer, assembly, distribution, and
management of the product/device, (c) Name and phone number of official
point of contact for each company identified, (d) Proposed
manufacturers' business qualifications (i.e., certifications and
representations, proof of ability to be responsive and responsible),
(e) a product/device concept narrative, (f) a vendor infrastructure
concept narrative, and (g) the target Postal Service market segment the
proposed IBIP product/device is envisioned to serve.
2. The vendor must submit with the letter of intent a proposed IBIP
product/device development plan of actions and milestones (POA&M) with
a start date coinciding with the date of the letter of intent.
B. Non-Disclosure Agreements
The vendor must sign non-disclosure agreements with the Postal
Service and its agents. These agreements are intended to assure
confidentiality and fairness in business.
C. Concept of Operations
The vendor must submit a ``Concept of Operations'' (CONOPS) that
discusses at a moderate level of detail the features and usage
conditions for the proposed product/device. Vendors should provide five
hard copies and one electronic copy on a PC-formatted 3.5`` floppy
disk. The CONOPS should cover the following areas at a minimum:
1. System Overview
(a) Concept Overview/Business Model
(b) Concept of Production Administration
(c) PC Postage System (hardware/software)
(1) Features
(2) Components
(d) Product Lifecycle Overview
(e) Adherence to Industry Standards
2. Proposed PC Postage System Components--Details
(a) Postal Security Device Features and Functions
(b) Host System Features and Functions
(c) Other components required for normal use conditions
3. Proposed PC Postage Product Lifecycle
(a) Manufacture
(b) USPS certification of product/device
(c) Production
(d) Distribution
(e) Product/device licensing and registration
(f) Initialization
(g) Product/Device Authorization and Installation
(h) Postage Value Download (PVD) process
(i) Product audits (Device and Host System)
(j) Inspections (print quality assurance)
(k) Device/Product Withdrawal/Replacement
(1) Overall process
(2) Product failure/malfunction procedures
[[Page 1003]]
(l) Scrapped device process
4. Finance Overview
(a) Customer account (lock box) management
(1) Coupon acquisition
(2) Payment
(3) Statement of Account
(4) Refund
(b) Individual product finance account management
(1) Postage Value Download
(2) Refund
(c) Daily account reconciliation
(1) Vendor reconciliation
(2) USPS detailed transaction reporting
(d) Periodic summaries
(1) Monthly reconciliation
(2) Other reporting
5. Interfaces
(a) Communications and message interfaces with Postal Infrastructure
(1) PVDs
(2) Scanning Support
(3) Support for Mailpiece spoils
(4) Refunds
(5) Inspections (print quality assurance)
(6) Product Audits
(7) Lost or Stolen Procedures
(b) Communications and message interfaces with USPS financial
institutions
(1) Postage refill
(2) Daily Account reconciliation
(3) Deposit slip management
(4) Refunds
(c) Communications and message interfaces with Customer Infrastructure
(1) Key Management
(2) Product Audits (Device and Host System)
(3) Inspections (print quality assurance)
(d) Message Error Detection and Handling
6. Technical Support and Customer Service
(a) User Training and Support
(b) Software Configuration Management (CM) and update procedures
(c) Hardware CM and update procedures
7. Other
(a) Postal Rate Change Procedures
(b) ZIP+4 CD updates
(c) Physical Security
(d) Personnel Security
Appendix A Security Features
The CONOPS must be accompanied by substantiated market analysis
supporting the target Postal Service market segment the proposed IBIP
product/device is envisioned to serve as identified in the Letter of
Intent.
D. Documentation Requirements
1. The vendor must submit to the Postal Service a detailed design
document of the product/device. FIPS 140-1 Appendix A provides a
checklist summary of documentation requirements for the FIPS 140-1
standard. Additionally, the Postal Service requires design
documentation which includes, but is not limited to, the following:
(a) Full source code of all software involved in the IBIP Postal
Security Device and the IBIP Host System,
(b) Operations manuals for product usage,
(c) Interface description documents for all proposed communications
interfaces,
(d) Maintenance manuals,
(e) Schematics,
(f) Product initialization procedures,
(g) Finite state machine models/diagrams,
(h) Block diagrams,
(i) Security features descriptions, and
(j) Cryptographic operations descriptions.
Detailed references for much of this documentation is listed in
FIPS 140-1 Appendix A. The Postal Service will determine the number of
copies needed of the aforementioned documentation based on review of
the CONOPS.
2. The vendor must submit a test plan that, if passed by a product/
device, provides compliance by the product/device with all Postal
Service requirements and FIPS 140-1 requirements, as applicable to
IBIP. The test plan must list the parameters to be tested, test
equipment, procedures, test sample sizes, and test data formats. Also,
the plan must include detailed descriptions, specifications, design
drawings, schematic diagrams, and explanations of the purposes for all
special test equipment and non-standard or non-commercial
instrumentation. Finally, this test plan must include a proposed
schedule of major test milestones.
E. Vendor Infrastructure Plan
The Vendor must submit a Vendor Infrastructure Plan which describes
how you will meet or enforce the processes and procedures described in
your concept of operations. This includes but is not limited to a
detailed description of all Information Based Indicia Program and
Postal Service related operations, computer systems, and interfaces
with both customers and the Postal Service that the vendor shall use in
manufacturing, producing, distribution, customer support, product/
device life cycle, inventory control, print readability quality
assurance, and reporting on IBIP product/devices.
F. Product Submission/Testing
1. The vendor must submit, of each product/device requested for
approval, a minimum of five combinations of each product/device to the
Postal Service for evaluation and review. The vendor must provide
directly, or through lease or rental, any equipment required for use in
conjunction with the proposed product/device needed to represent usage
conditions as proposed in the CONOPS (see section C).
2. The vendor must supply the Postal Service with sample mailpieces
that represent the range of impression styles possible (including Ad
plates) and envelop (size) types, envelop (paper) types, envelop
colors, and envelop styles acceptable to the IBIP product/device
submitted for testing. Separate sample mailpieces from each printer
driver supported by the IBIP product/device will be required.
Quantities of sample mailpieces required for testing will be determined
by the Postal Service based on product/device characteristics.
3. The vendor must submit simultaneously to IBIP product/device
submission to the Postal Service the identical IBIP product/device to a
laboratory accredited under the National Voluntary Laboratory
Accreditation Program (NVLAP) for product/device FIPS 140-1
certification, as applicable. Upon completion of this evaluation, the
Postal Service requires the following be forwarded directly from the
accredited laboratory to the Manager, Retail Systems & Equipment for
review:
(a) A copy of letter of recommendation to the National Institute of
Standards and Technology (NIST) of the United States of America.
(b) Copies of all proprietary and non-proprietary reports and
recommendations generated.
(c) A copy of NIST issued certificate.
Additional Security Testing Note: The Postal Service reserves the
right to require or conduct additional examination and testing at any
time, without cause, of any IBIP product/device submitted to the Postal
Service for approval or approved by the Postal Service for manufacture
and distribution.
G. Vendor Infrastructure Testing
1. Testing of all reporting requirements, including Postal Service/
customer licensing support, IBIP product/device status activity
reporting, total IBIP product/device population inventory, irregularity
reporting, lost and stolen reporting, financial transaction reporting,
account
[[Page 1004]]
reconciliation, digital certificate acquisition, product
initialization, cryptographic key changes, rate table changes, print
quality assurance, device authorization, device audit, product audit,
and remote inspections must be achieved by vendors prior to any
product/device approval for distribution.
2. Testing of these activities and functions includes computer
based testing of all interfaces with the Postal Service including but
not limited to the following:
a. Product Manufacture and Life Cycle (including leased, unleased, new
meter stock, installation, withdrawal, replacement, key management,
lost, stolen, and irregularity reporting)
b. Product Distribution and Initialization (including device
authorization, product initialization, customer authorization, and
product maintenance)
c. Licensing (including license application, license update and license
revocation)
d. Finance (including lock box account management, individual product
financial accounting, refunds, daily summary reports, daily transaction
reporting, and monthly summary reports)
e. Audits and Inspections
3. The vendor must complete an IBIP Product/Device--Vendor
Infrastructure--Financial Institution--USPS Infrastructure (ALPHA) Test
involving all entities in the proposed architecture; at a minimum this
includes the proposed IBIP product/device, Vendor Infrastructure,
financial institution and USPS Infrastructure systems and interfaces.
ALPHA testing is intended to demonstrate the proposed IBIP product/
devices' utility, functionality and compatibility with other systems,
and may be conducted in a laboratory environment.
Vendor Infrastructure Testing--(ALPHA) Test Note: The Postal
Service reserves the right to require or conduct additional examination
and testing at any time, without cause, of any Vendor Infrastructure
system supporting an IBIP product/device approved by the Postal Service
for manufacture and distribution. Initial Vendor Infrastructure testing
and (ALPHA) testing schedules will be supported at the convenience of
the Postal Service. In addition, as all IBIP products/devices will have
to conform to the Product/ Infrastructure specs, vendors are also
strongly encouraged to initiate dialogue regarding systems
specifications with the Postal Service at the earliest possible date.
H. Field Test (BETA) Approval (Limited Distribution)
1. The vendor will submit a proposed Field Test (BETA) Test Plan
identifying test parameters, product/device quantities, geographic
location, test participants, test duration, test milestones, and
product recall plan (if needed). The purpose of the BETA test is to
demonstrate the proposed IBIP product/devices' utility, functionality
and compatibility with other systems in a real-world environment. The
BETA test will employ available communications and interface with
current operational systems to conduct all IBIP functions. The Manager,
Retail Systems & Equipment will determine acceptance of vendor proposed
BETA Test Plans based on, but not limited to, assessed risk of product/
device, product/device impact on Postal Service operations, and
requirements for Postal Service resources.
2. The vendor has a duty to report security weaknesses to the
Postal Service to ensure that each product/device model and every
product/device in service protects the Postal Service against loss of
revenue at all times. A grant of Field Test Approval (FTA) does not
constitute an irrevocable determination that the Postal Service is
satisfied with the revenue-protection capabilities of the product/
device. After approval is granted to manufacture and distribute a
product/device, no change affecting the basic features or safeguards of
a product/device may be made except as authorized or ordered by the
Postal Service in writing from the Manager, Retail Systems & Equipment.
1. Vendor/Product Approval (Full Distribution)
1. Upon receipt of the final certificate of evaluation from the
national laboratory, and after obtaining positive results of internal
testing of the product/device, successful completion of vendor
infrastructure testing, ALPHA testing, and demonstration of limited
distribution activities (BETA testing), the submitted product/device,
vendor infrastructure and vendor/manufacturer qualification
requirements will be administratively reviewed for final approval.
Note: Copies of Draft 39 Code of Federal Regulation Part 502 containing
IBIP Vendor/Manufacturer qualification requirements are available by
contacting Terry Goss at (202) 268-3757.
2. The Postal Service may require at any time, that models/versions
of approved products/devices, and the design and use manuals and
specifications applicable to such product/devices and any revisions
thereof be deposited with the Postal Service.
It is emphasized that this proposed procedure is being published
for comments and is subject to final definition. Although exempt from
the notice and comment requirements of the Administrative Procedure Act
(5 U.S.C. 553b(c)) regarding proposed rulemaking by 39 U.S.C. 410(a),
the Postal Service invites public comments on the proposed procedures.
Stanley F. Mires,
Chief Counsel, Legislative.
[FR Doc. 97-256 Filed 1-6-97; 8:45 am]
BILLING CODE 7710-12-P