[Federal Register Volume 64, Number 89 (Monday, May 10, 1999)]
[Notices]
[Page 25039]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-11714]
[[Page 25039]]
-----------------------------------------------------------------------
ENVIRONMENTAL PROTECTION AGENCY
[FRL-6339-7]
Notice of FIPS Waiver
AGENCY: Environmental Protection Agency.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: The Chief Information Officer for the Environmental Protection
Agency has granted an extension to the Agency of its waiver (published
at 62 FR 17187, effective March 21, 1997) to use the RSA
cryptographical features provided in Lotus Notes in lieu of the Secure
Hashing Standard (FIPS PUB 180-1), Digital Signature Standard (FIPS PUB
186), and Data Encryption Standard (FIPS PUB 46-2). This waiver is
pursuant to section 111(d)(3) of the Federal Property and Services Act
of 1949, as amended.
DATES: This waiver extension takes effect on April 9, 1999 and is valid
until January 1, 2002. If the vendor incorporates Federal standards
into the core product prior to January 1, 2002, EPA will end the waiver
early at that time.
FOR FURTHER INFORMATION CONTACT:
Mark Day, Office of Information Resources Management, 401 M Street SW
(3401), Washington, DC 20460, 202-260-4465.
SUPPLEMENTARY INFORMATION: Federal Information Processing Standards
publications (FIPS PUBS) for the Secure Hashing Standard (FIPS PUB 180-
1), Digital Signature Standard (FIPS PUB 186-1), and the Data
Encryption Standard (FIPS PUB 46-2) establish standards for generating
digital signatures (which can be used to verify authenticity) and for
the encryption of sensitive information transmitted and stored
electronically. These FIPS publications also allow Federal agencies to
waive them under certain circumstances:.
A waiver may be granted if compliance with a standard would
adversely affect the accomplishment of the mission of an operator of
a Federal computer system; or compliance with a standard would cause
a major adverse financial impact on the operator which is not offset
by Government-wide savings.
The Chief Information Officer for the Environmental Protection
Agency (EPA) has granted a waiver of FIPS PUBS 180-1, 186-1, and 46-2
to enable EPA to use the build-in cryptographic features of the
groupware product Lotus Notes. The installed version of Lotus Notes,
currently used by EPA, does not employ FIP standard cryptography.
Rather it uses cryptography that enjoys widespread use in the private
sector, domestically and internationally. This cryptography is Message
Digest 2 (MD-2), the Rivest, Shamir, and Adelman (RSA) signature
algorithm, and RC-4 symmetric encryption algorithm.
EPA determined that the cryptographic protection embedded in Lotus
Notes provides an appropriate level of security to protect the
unclassified information used, communicated, and stored by EPA. Upon
reviewing RSA's cryptographic capabilities, Agency personnel have
concluded that if properly implemented, Lotus Notes provides a full
range of security functionality that fully satisfies Agency
requirements.
The additional costs required to purchase and maintain FIPS-
complaint products that provide equivalent security functionality as
that provided by non-standard, but commercially acceptable cryptography
found in Lotus Notes is a significant factor underlying the granting of
this waiver. The acquisition costs for either software- or hardware-
based products that implement existing Federal cryptographic standards
are unnecessary. By using the cryptography embedded in Lotus Notes, EPA
is able to avoid unnecessary costs, while utilizing security
functionality widely accepted by the public and private sectors.
In accordance with FIPS requirements, notice of this waiver has
been sent to the National Institute of Standards and Technology, the
Committee on Government Reform and Oversight of the House of
Representatives, and the Committee on Government Affairs of the Senate.
Dated: April 9, 1999.
Alvin M. Pesachowitz,
Acting Assistant Administrator and Chief Information Officer.
[FR Doc. 99-11714 Filed 5-7-99; 8:45 am]
BILLING CODE 6560-50-M
