[Federal Register Volume 61, Number 100 (Wednesday, May 22, 1996)]
[Notices]
[Pages 25627-25632]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 96-12748]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Institute of Standards and Technology
[Docket No. 950314073-6067-02]
RIN 0693-ZA07
Approval of Federal Information Processing Standards Publication
161-2, Electronic Data Interchange (EDI)
AGENCY: National Institute of Standards and Technology (NIST),
Commerce.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: The purpose of this notice is to announce that the Secretary
of Commerce has approved a revision of Federal Information Processing
Standard (FIPS) 161-1, Electronic Data Interchange (EDI), which will be
published as FIPS Publication 161-2. This revision reflects changes in
the development of voluntary industry standards for Electronic Data
Interchange (EDI), including the planned alignment of the X12 and
UN/EDIFACT families of standards, and provides updated guidance to Federal
agencies in the selection of EDI standards. The revision adopts the HL7
standards for EDI as an alternative for certain healthcare
applications. It also establishes a Federal EDI Standards Management
Committee to harmonize the development of EDI transaction set and
message standards among Federal agencies, and the setting of
governmentwide implementation conventions for EDI applications used by
Federal agencies. FIPS PUB 161-2 supersedes FIPS PUB 161-1 in its
entirety. The announcement section of FIPS 161-2 is provided in this
notice.
On April 3, 1995, notice was published in the Federal Register (60
FR 16854-16857) that a revision of Federal Information Processing
Standard (FIPS) 161-1, Electronic Data Interchange (EDI), was being
proposed for Federal use.
The written comments submitted by interested parties and other
material available to the Department relevant to this standard were
reviewed by NIST. On the basis of this review, NIST recommended that
the Secretary approve the revised standard as Federal Information
Processing Standards Publication (FIPS PUB) 161-2, and prepared a
detailed justification document for the Secretary's review in support
of that recommendation.
The detailed justification document which was presented to the
Secretary, and which includes an analysis of the written comments
received, is part of the public record and is available for inspection
and copying in the Department's Central Reference and Records
Inspection Facility, Room 6020, Herbert C. Hoover Building, 14th Street
between Pennsylvania and Constitution Avenues NW., Washington, DC
20230.
EFFECTIVE DATE: FIPS PUB 161 was effective September 30, 1991.
ADDRESSES: Interested parties may purchase copies of the announcement
section of FIPS 161-2 from the National Technical Information Service
(NTIS). Specific ordering information from NTIS for this standard is
set out in the Where to Obtain Copies Section of the standard.
Documents defining both the X12 and EDIFACT families of standards
are available from DISA, Inc. or from its named contractor. DISA, Inc.
serves as the secretariat for Accredited Standards Committee (ASC) X12
and the Pan American EDIFACT Board (PAEB) and its address and phone
number are as follows: Data Interchange Standards Association, Inc.
(DISA, Inc.), 1800 Diagonal Road, Suite 200, Alexandria, VA 22314-2852.
Telephone (703) 548-7005.
HL7 documents are available from: Health Level Seven, Inc., 3300
Washtenaw Avenue, Suite 227, Ann Arbor, MI 48104. Telephone
(313) 677-7777.
FOR FURTHER INFORMATION CONTACT: Mr. Roy Saltman, telephone
(301) 975-3376, National Institute of Standards and Technology, Gaithersburg, MD
20899.
Dated: May 16, 1996.
Samuel Kramer,
Associate Director.
Federal Information Processing Standards Publication 161-2, 1996 Month
Day, Announcing the Standard for Electronic Data Interchange (EDI)
Federal Information Processing Standards Publications (FIPS PUBS)
are issued by the National Institute of Standards and Technology (NIST)
after approval by the Secretary of Commerce pursuant to Section 5131 of
the Information Technology Management
Reform Act of 1996 and the Computer Security Act of 1987, Public Law
104-106.
1. Name of Standard. Electronic Data Interchange (EDI) (FIPS PUB
161-2).
2. Category of Standard. Electronic Data Interchange.
3. Explanation.
3.1. Definition and Use of EDI. EDI is the computer-to-computer
interchange of strictly formatted messages that represent documents
other than monetary instruments. EDI implies a sequence of messages
between two parties, either of whom may serve as originator or
recipient. The formatted data representing the documents may be
transmitted from originator to recipient via telecommunications or
physically transported on electronic storage media.
In EDI, the usual processing of received messages is by computer
only. Human intervention in the processing of a received message is
typically intended only for error conditions, for quality review, and
for special situations. For example, the transmission of binary or
textual data is not EDI as defined here unless the data are treated as
one or more data elements of an EDI message and are not normally
intended for human interpretation as part of on-line data processing.
An example of EDI is a set of interchanges between a buyer and a
seller. Messages from buyer to seller could include, for example,
request for quotation (RFQ), purchase order, receiving advice and
payment advice; messages from seller to buyer could include, similarly,
bid in response to RFQ, purchase order acknowledgment, shipping notice
and invoice. These messages may simply provide information, e.g.,
receiving advice or shipping notice, or they may include data that may
be interpreted as a legally binding obligation, e.g., bid in response
to RFQ or purchase order.
EDI is being used also for an increasingly diverse set of concerns,
for example, for interchanges between healthcare providers and
insurers, for travel and hotel bookings, for education administration,
and for government regulatory, statistical and tax reporting.
3.2. Standards Required for EDI. From the point of view of the
standards needed, EDI may be defined as an interchange between
computers of a sequence of standardized messages taken from a
predetermined set of message types. Each message is composed, according
to a standardized syntax, of a sequence of standardized data elements.
It is the standardization of message formats using a standard syntax,
and the standardization of data elements within the messages, that
makes possible the assembling, disassembling, and processing of the
messages by computer.
Implementation of EDI requires the use of a family of interrelated
standards. Standards are required for, at minimum: (a) the syntax used
to compose the messages and separate the various parts of a message,
(b) types and definitions of application data elements, most of
variable length, (c) the message types, defined by the identification
and sequence of data elements forming each message, and (d) the
definitions and sequence of control data elements in message headers
and trailers.
Additional standards may define: (e) a set of short sequences of
data elements called data segments, (f) the manner in which more than
one message may be included in a single transmission, and (g) the
manner of adding protective measures for integrity, confidentiality,
and authentication into transmitted messages.
3.3. Limited Coverage of this Standard. This FIPS covers only EDI.
It does not cover other forms of electronic interchange, for example,
systems of interchange that do not consist of messages taken from a
predetermined set. Additionally, an interchange application including
only one or two predetermined message types using only fixed-length
data elements is excluded from coverage of this FIPS. This FIPS also is
not intended to cover transmissions from medical, laboratory, or
environment-sensing instrumentation.
3.4. The Long-Range Goal for EDI Standards. There are several
different EDI standards in use today, but the achievement of a single
universally-used family of EDI standards is a long-range goal. A single
universally-used family of standards would make use of EDI more
efficient and minimize aggregate costs of use. Specifically, it would
(a) minimize needs for training of personnel in use and maintenance of
EDI standards, (b) eliminate duplication of functionality and the costs
of achieving that duplication now existing in different systems of
standards, (c) minimize requirements for different kinds of translation
software, and (d) allow for a universal set of data elements that would
ease the flow of data among different but interconnected applications,
and thereby maximize useful information interchange.
This FIPS PUB recognizes the reality that some families of EDI
standards were developed to provide solutions to immediate needs, and
that inclusion of the goal of universality in their development would
have unacceptably delayed their availability. However, a future is
envisioned in which the benefits of universality outweigh the sunk
costs in specialized solutions, leading first to cooperation among
standards developers, then to harmonization of standards, and
eventually to a single universally accepted family of EDI standards.
3.5. Adoption of Specific Families of Standards. This FIPS PUB
adopts, with specific conditions specified below, the families of EDI
standards known as X12, UN/EDIFACT and HL7. This FIPS PUB does not
mandate the implementation of EDI systems within the Federal
Government; rather it requires the use of the identified families of
standards with specified constraints when Federal departments or
agencies implement EDI systems.
The UN/EDIFACT standards may be used for any application, domestic
or international. The X12 standards may be used for any domestic
application. The HL7 standards are adopted as an alternative for
certain healthcare applications, specifically for transmission of
patient records and of clinical, epidemiological, and regulatory data.
HL7 standards are not to be used for healthcare insurance
administrative applications, such as for enrollments, claims, and claim
payments, or for any aspect of the Government procurement cycle, such
as for registration of vendors, RFQ, purchase order, shipping notice,
or payment advice.
The cross-use of data elements is encouraged. A data element
received through one system of EDI standards, or through a non-EDI
interchange, may be re-transmitted as a data element in any of the
approved systems of EDI standards.
The adopted standards were developed by the following
organizations: the X12 standards by Accredited Standards Committee X12
on Electronic Data Interchange (ASC X12), accredited by the American
National Standards Institute (ANSI); the HL7 standards by Health Level
Seven, Inc., an ANSI-accredited standards developer; and the UN/EDIFACT
standards by the United Nations (UN) Economic Commission for Europe--
Working Party (Four) on Facilitation of International Trade Procedures
(UN/ECE/WP.4). Technical input from the United States in the
development of UN/EDIFACT at the UN is through the Pan American EDIFACT
Board (PAEB). The PAEB is separate from ASC X12, and it serves as the
coordinating body for national standards organizations of North,
Central, and South America.
3.6. Status of this FIPS PUB Revision. FIPS PUB 161-2 supersedes
FIPS PUB 161-1 in its entirety. FIPS PUB 161-2
contains editorial changes, updated references to documents and
organizations, and new guidance to agencies on the selection of
national and international standards and implementation conventions.
This guidance is based on recent voluntary industry standards
activities and on the Federal Government initiative that commenced with
the Presidential Memorandum of October 26, 1993 entitled ``Streamlining
Procurement Through Electronic Commerce.''
4. Approving Authority. Secretary of Commerce.
5. Maintenance Agency. U.S. Department of Commerce, National
Institute of Standards and Technology (NIST), Computer Systems
Laboratory.
6. Cross Index and Related Documents.
6.1. Cross Index.
--FIPS PUB 146-2, Profiles for Open Systems Internetworking
Technologies, May 1995.
6.2. Related Documents.
--ASC X12W/95-137, The ASC X12 Plan for Technical Migration to and
Administrative Alignment With UN/EDIFACT (amended), 5/8/95.
--NIST Special Publication 500-224, Stable Implementation Agreements
for Open System Environment, Version 8, Edition 1, 12/94.
--NIST Special Publication 800-9, Good Security Practices for
Electronic Commerce, Including Electronic Data Interchange, 12/93.
--Office of Management and Budget (OMB) Circular A-119 (revised),
Federal Participation in the Development and Use of Voluntary
Standards, 10/93.
--UN/ECE/WP.4--Recommendation No. 25 on the Use of the UN/EDIFACT
Standard, 9/95.
6.3. Sources of Documents. For the source of cited NIST
publications, including FIPS PUBS, see Section 13. For the source of
X12, UN/EDIFACT and HL7 documents, see Subsection 10.1.
7. Objectives. The primary objectives of this standard are:
a. to ease the interchange of data sent electronically by use of
common standards that allow for automated message processing;
b. to promote the achievement of the benefits of EDI: reduced
paperwork, fewer transcription errors, faster response time for
procurement and customer needs, reduced inventory requirements, more
timely payment of vendors, and closer coordination of data being
processed on different computers for the same application;
c. to promote migration to a universally used family of EDI
standards, in order to further Government efficiency and to minimize
the cost of EDI implementation by preventing duplication of effort.
8. Applicability.
8.1. Conditions of application. EDI may be employed with any type
of operational data representable as a sequence of data elements that
is needed to be transmitted or received on a repetitive basis by a
Federal agency in the course of its activities. This standard is
applicable to the interchange of such data on a particular subject
within a Federal agency, or between a Federal agency and another
organization (which may be another Federal agency), if (1) the data are
to be transmitted electronically or physically transported between
computers using EDI, and (2) the necessary standard messages meeting
the data requirements of the Federal agency for the subject of the
interchange have been developed and approved, and are acceptable for
use under the conditions set forth in this FIPS PUB.
8.2. Subject Matter. Examples of applications (not necessarily the
subject of current standards) are:
a. vendor search and selection: price/sales catalogs, bids,
proposals, requests for quotations, notices of contract solicitation,
debarment data, trading partner profiles;
b. contract award: notices of award, purchase orders, purchase
order acknowledgments, purchase order changes;
c. product data: specifications, manufacturing instructions,
reports of test results, safety data;
d. shipping, forwarding, and receiving: shipping manifests, bills
of lading, shipping status reports, receiving reports;
e. customs: release information; manifest update;
f. payment information: invoices, remittance advices, payment
status inquiries, payment acknowledgments;
g. inventory control: stock level reports, resupply requests,
warehouse activity reports;
h. maintenance: service schedules and activity, warranty data;
i. tax-related data: tax information and filings;
j. insurance-related data: healthcare claim; mortgage insurance
application;
k. other government activities: communications license application;
court conviction record; hazardous material report; healthcare event
report.
9. Coordination of Federal EDI Standards Development and
Implementation.
9.1. Federal EDI Standards Management Coordinating Committee. There
is established a Federal EDI Standards Management Coordinating
Committee (FESMCC). The FESMCC is established to support the goal of a
single face for the Federal Government to its trading partners in the
use of EDI.
9.1.1. A responsibility of the FESMCC is the selection of
implementation conventions (ICs) to be used with EDI interchanges
between the Federal Government and its trading partners. EDI messages
(also called transaction sets) are approved by standards committees
with allowances for format options, in order to widen the applicability
of the standards to different uses. The purpose of ICs is to select
specific options in EDI standards so that interchanges are completely
determined in format in advance of use.
9.1.2. The basic functions of the FESMCC are:
(a) to adopt Government-wide ICs for use with EDI standards; the
goal is adoption of one IC for each functional application of a message
or transaction set within a given version/release of an EDI standard;
(b) to coordinate Federal agency participation in EDI standards
bodies, to assure adequate consideration of the Government's business
needs and to assure consistency of position; and
(c) to share EDI information among agencies regarding current or
planned implementations to avoid duplicate efforts and streamline the
process.
9.1.3. Voting membership in the FESMCC shall consist of, at
minimum, one representative from each participating Federal Executive
Branch department and independent agency using or planning to use EDI,
plus a representative from NIST. The FESMCC, under its charter and
operating rules (see Subsection 9.1.5), may add additional voting
representatives, including those from the other branches of the Federal
Government. The chair of the FESMCC shall be elected by its membership
and approved by OMB.
9.1.4. The FESMCC shall establish a secretariat in order to
maintain an official registry of approved and draft ICs, provide
controlled access to the registry including electronic remote access
capability, provide a point of contact for publicizing draft ICs and
receiving comments on them, provide a single point for submission of
work requests to standards bodies, and for related functions.
9.1.5. The FESMCC shall establish a charter and operating rules to
assist it in carrying out its identified functions.
9.2. Functional Work Groups.
9.2.1. The FESMCC may establish Functional Work Groups (FWGs) to
consider and recommend ICs in subject
areas. Examples of subject areas are procurement, finance, logistics,
and healthcare. Requirements for voting membership shall be established
by the FESMCC under its charter and operating rules. The voting members
shall elect a chair.
9.2.2. Each FWG shall recommend, to the full FESMCC, ICs that it
has developed and approved as meeting Federal Government and trading
partner business requirements. FWGs should consult with appropriate
industry groups in the development of ICs.
9.3. Agency Responsibilities.
9.3.1. Agencies shall register ICs that they are using with the
FESMCC secretariat.
9.3.2. Agencies using X12, UN/EDIFACT, or HL7 versions and releases
for which ICs have been established by the FESMCC shall adopt those
ICs. If an IC does not meet business needs, requirements shall be
submitted to the FESMCC. ICs shall be classified as Implementer's
Agreements pursuant to this FIPS PUB, but are not themselves FIPS PUBs.
9.3.3. Agencies using or planning to use EDI shall designate
representatives to the FESMCC and each relevant FWG.
9.3.4. Agencies requiring new EDI standards or changes to existing
EDI standards to meet their business needs shall submit their
requirements to the appropriate standards bodies and shall
simultaneously submit their requirements to the FESMCC and relevant
FWGs for coordination. Procedures and forms for submission of new
requirements through ASC X12 are specified in Standing Document (SD) 2,
Operations Manual, and SD6, Operations Manual for UN/EDIFACT Standards.
These manuals are available from Data Interchange Standards
Association, Inc. (DISA, Inc.). Procedures and forms for submission of
new requirements for UN/EDIFACT standards directly through the PAEB are
also available from DISA, Inc. HL7 operating procedures are specified
in its bylaws, available from Health Level Seven, Inc.
10. Specifications. Documents are available that define the X12,
UN/EDIFACT, and HL7 standards and provide information about the
standards organizations and their standards development processes.
Developments are continuing in each of these families of standards.
10.1. Source of Documents. Documents concerning both the X12 and
UN/EDIFACT families of standards are available from DISA, Inc. or from
its named contractor. DISA, Inc. serves as the secretariat for ASC X12
and the PAEB and may be contacted at:
Address: Data Interchange Standards Association, Inc., 1800 Diagonal
Road--Suite 200, Alexandria, VA 22314-2852,
Phone: (703) 548-7005
A list of available standards publications, as well as descriptive
material, prices and ordering procedures, may be found in the most
recent DISA, Inc. Publications Catalog.
HL7 documents are available from:
Address: Health Level Seven, Inc., 3300 Washtenaw Avenue, Suite 227,
Ann Arbor, MI 48104,
Phone: (313) 677-7777
10.2. ASC X12 Documents. X12 standards are published periodically
with revisions and updates, and standards included in a publication may
have one of two possible statuses:
(1) Draft Standards for Trial Use (DSTUs); these are fully approved
by ASC X12, and are typically published as ``releases'' at one-year
intervals. DSTU Version 3, Release 4, identified as 003040, was
published in 12/93; Version 3, Release 5, identified as 003050, was
published in 12/94. The next release, identified as 003060, is
available as of 1/96.
(2) American National Standards (ANSs); these are fully approved by
ASC X12 and by ANSI, and are typically published as ``versions'' at
intervals of three to five years. ANS Version 3, 3/92, is functionally
equivalent to DSTU Version 2, Release 4. It is expected that ANS
Version 4, planned for 1997, will be functionally equivalent to DSTU
Version 3, Release 7, identified as 003070.
10.3. UN/EDIFACT Documents. UN/EDIFACT standards are published
periodically with revisions and updates, and standards included in a
publication may have one of two possible statuses:
(1) Status 1, approved for trial use. A set of documents identified
as UN/EDIFACT Draft Messages and Directories, Version D.95A, was
published in 5/95. This document also included Status 2 messages. A new
set of standards, identified as D.95B and also including Status 2
messages, was approved in 9/95.
(2) Status 2, fully approved by UN/ECE/WP.4. The set of Status 2
documents may be referred to as the UN Trade Data Interchange Directory
(UNTDID). The last published version of Status 2 standards only, S.93A,
was issued in 5/94. See also Subsection 11.4 for additional information
on UN/EDIFACT Status 2.
10.4. HL7 Documents. HL7 standards are published as a single
volume. The current set is Version 2.2, published 12/94. A new Version
2.3 is planned for Fall 1996. HL7 standards also have one of two
possible statuses:
(1) HL7 standards, approved by the membership of HL7 but not yet
approved by ANSI.
(2) American National Standards (ANSs); these are fully approved by
HL7 and by ANSI.
11. Implementation.
11.1. Schedule for Adoption. FIPS PUB 161 was effective on
September 30, 1991. Federal agencies that are not using EDI for subject
matter for which X12, UN/EDIFACT, and HL7 standards have been approved
and issued shall utilize only those standards in EDI systems that they
procure or develop, subject to the qualifications of Subsections 3.5,
11.3, 11.4 and 11.5. Agencies that are using those standards shall
continue to do so, subject to the same qualifications. Agencies that
were using other standards on or after September 30, 1991 shall be
governed by Subsection 11.6.
11.2. Acceptance of UN/EDIFACT by ASC X12. In January 1995, ASC
X12, by a membership vote, approved the ASC X12 Plan for Technical
Migration to and Administrative Alignment With UN/EDIFACT. This plan
was modified at the February 1995 plenary meeting of ASC X12. Key
features of the modified Alignment Plan are:
(1) Draft standards based on X12-syntax or on UN/EDIFACT syntax may
be submitted by ASC X12 to ANSI for processing as ANSs.
(2) X12 Release 003070 shall form the basis of Version 4 of draft
proposed X12 American National Standards (ANSs).
(3) After the release of Version 4, ASC X12 shall continue for a
period of time, in accordance with the plan, to develop, maintain,
approve and publish X12-syntax transaction sets and supporting
documents.
(4) An ASC X12 ballot shall be conducted in 1998 to determine if
X12-syntax transaction set development should be terminated. If the
ballot for termination is not approved, a three-year repeating cycle
shall occur thereafter, until no new X12-syntax transaction sets are
being developed.
11.3. Selection of a Family of Standards.
11.3.1. Different families of EDI standards are distinct, although
performing similar functions; the existence of one does not preclude
the others. Equivalent functionality may be obtained in any system by
the addition, if required, of new or revised message formats and data
elements. Software that assembles and disassembles messages and
transaction sets, called translation software, is widely available,
often for more than one system in the
same package. In selecting a family of standards for domestic
applications, agencies should attempt to maximize Government economy
and efficiency and to minimize the costs imposed on U.S. businesses.
11.3.2. For any domestic application with a non-Government partner,
and for related intra-Government applications, selection of a family of
standards shall take into account the prevailing family used in the
industry of the interchange partners for the application. However,
UN/EDIFACT standards shall be employed for new or significantly upgraded
interchanges in the absence of demonstrably higher costs, or at the
request of interchange partners providing a significant fraction of
interchange traffic. Continued long-term use and maintenance of more
than one family of standards is unacceptably inefficient.
11.3.3. For international applications except as specified in
Subsection 11.3.4, planning for migration to the UN/EDIFACT family of
standards shall commence at this time if that family is not currently
being used. A timetable for conversion to UN/EDIFACT of existing
international implementations shall be set as applicable standards and
software become available. New or significantly upgraded interchanges
shall employ only standards using UN/EDIFACT.
11.3.4. The HL7 family of standards may be used for international
applications in the fields of public health and health regulatory
information, pursuant to agreements of international organizations
whose membership includes representation of national or multi-national
governmental health agencies. However, users shall coordinate with the
developers of UN/EDIFACT, in order to prevent duplication of effort,
provide for cross-use of data elements, and provide a path for
harmonization and eventual migration or coalescence.
11.4. Use of Category (1) Standards. UN/EDIFACT Status 1 standards,
X12 DSTUs, and HL7 standards not yet approved by ANSI are defined as
Category (1) standards. UN/EDIFACT Status 2 standards and ANSs
submitted by ASC X12 and HL7 are defined as Category (2) standards.
Federal agencies shall use only Category (1) or Category (2) standards
for EDI implementations. Industry practice is to use Category (1)
standards; these represent the latest consensus and are available
sooner than the corresponding full standards of Category (2).
Consequently, Category (1) standards are preferred, but not mandated at
this time. Note: There is a possibility that UN/EDIFACT Status 2
standards will be eliminated by UN/ECE/WP.4. In that case, UN/EDIFACT
Status 1 standards would be required when UN/EDIFACT is implemented.
11.5. Continued Use of Existing Approved Implementations. An
existing implementation of any version of an approved standard
specified in Subsections 3.5, 11.3 and 11.4 may continue to be used as
long as it continues to meet the business needs of the using agency and
its interchange partners. Significant upgrades of existing
implementations shall be to versions and releases for which ICs have
been approved by the FESMCC, if any are available.
11.6. Continued Use of Other EDI Standards. Under the initial issue
of this FIPS, Federal agencies using ``industry-specific'' EDI
standards were permitted to use those standards for five years from
September 30, 1991, i.e., until September 30, 1996. Agencies were
permitted to use ``industry-specific'' EDI standards beyond five years
only if no equivalent X12 or UN/EDIFACT standards, as appropriate, were
approved and issued by September 30, 1995. If an equivalent and
appropriate standard were issued after the latter date, agencies were
given one year to convert. These provisions remain in effect for all
application areas except health care.
For healthcare applications, agencies may use EDI standards other
than UN/EDIFACT, X12, or HL7 through September 30, 1997. Other
standards may be used beyond that date only if no functionally
equivalent standards that meet the conditions of use specified in
Subsections 3.5, 11.3 and 11.4 are approved and issued by September 30,
1996. If a Category (1) standard meeting business requirements and
allowable conditions of use is first issued after the latter date,
agencies have one year to convert following the issuance of the release
containing the implementable standard.
Requirements for submission of proposed new or revised standards
are specified in Subsection 9.3.4.
11.7. Security and Authentication. Agencies shall employ risk
management techniques to determine the appropriate mix of security
controls needed to protect specific data and systems. The selection of
controls shall take into account procedures required under applicable
laws and regulations.
Optional tools and techniques for implementation of security and
authentication may be provided by ASC X12 and UN/ECE/WP.4 for use in
connection with their respective families of standards. Agencies may
utilize these tools and techniques, and/or they may utilize other
methods in systems supporting the EDI data interchange. Methods and
procedures implemented shall be consistent with applicable FIPS PUBS
and guidance documents issued by NIST.
12. Waivers. Under certain exceptional circumstances, the heads of
Federal departments and agencies may approve waivers to Federal
Information Processing Standards (FIPS). The head of such agency may
redelegate such authority only to a senior official designated pursuant
to Section 3506(a) of Title 44, U.S. Code.
Waivers shall be granted only when:
a. Compliance with a standard would adversely affect the
accomplishment of the mission of an operator of a Federal computer
system, or
b. Cause a major adverse effect on the accomplishment of the mission
of an operator which is not offset by Government-wide savings.
Agency heads may act upon a written waiver request containing the
information detailed above. Agency heads may also act without a written
waiver request when they determine that conditions for meeting the
standard cannot be met. Agency heads may approve waivers only by a
written decision which explains the basis on which the agency head made
the required finding(s). A copy of each such decision, with procurement
sensitive or classified portions clearly identified, shall be sent to:
National Institute of Standards and Technology; Attn: FIPS Waiver
Decisions, Technology Building, Room B-154; Gaithersburg, MD 20899.
In addition, notice of each waiver granted and each delegation of
authority to approve waivers shall be sent promptly to the Committee on
Government Reform and Oversight of the House of Representatives and the
Committee on Governmental Affairs of the Senate and shall be published
promptly in the Federal Register.
When the determination on a waiver applies to the procurement of
equipment and/or services, a notice of the waiver determination must be
published in the Commerce Business Daily as part of the notice of
solicitation for offers of an acquisition or, if the waiver
determination is made after that notice is published, by amendment to
such notice.
A copy of the waiver, any supporting documents, the document
approving the waiver and any supporting and accompanying documents,
with such deletions as the agency is authorized and decides to make
under 5 U.S.C. Sec. 552(b), shall be part of the procurement
documentation and retained by the agency.
13. Where to Obtain Copies of NIST Publications. Copies of this
publication and NIST publications referenced in Section 6 are for sale
by the National Technical Information Service (NTIS), U.S. Department
of Commerce, Springfield, VA 22161; phone (703) 487-4650. When ordering
this publication, refer to Federal Information Processing Standards
Publication 161-2 (FIPSPUB161-2), and title. Payment may be made by
check, money order, or NTIS deposit account.
[FR Doc. 96-12748 Filed 5-21-96; 8:45 am]
BILLING CODE 3510-CN-M