98-23560. Metering Product Submission Procedures  

  • [Federal Register Volume 63, Number 170 (Wednesday, September 2, 1998)]
    [Proposed Rules]
    [Pages 46728-46732]
    From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
    [FR Doc No: 98-23560]
    
    
    -----------------------------------------------------------------------
    
    POSTAL SERVICE
    
    39 CFR Parts 501 and 502
    
    
    Metering Product Submission Procedures
    
    AGENCY: Postal Service.
    
    ACTION: Proposed Procedure.
    
    -----------------------------------------------------------------------
    
    SUMMARY: The Federal Register dated January 7, 1997, reflected proposed 
    interim product submission procedures for the Information-Based Indicia 
    Program (IBIP). This revises, clarifies, and expands those proposed 
    submission procedures to include all postage metering products, 
    applications, and systems. The terms ``manufacturer'' and ``vendor'' 
    are no longer referenced in these procedures and have been replaced by 
    the more appropriate term ``Provider.'' Also, since the meter program 
    administration office title has changed, all references to ``Retail 
    Systems and Equipment'' have been deleted and replaced by ``Metering 
    Technology Management.''
    
    DATES: Comments must be received on or before November 2, 1998.
    
    ADDRESSES: Written comments should be mailed or delivered to the 
    Manager, Metering Technology Management, Room 8430, 475 L'Enfant Plaza 
    SW, Washington, DC 20260-2444. Copies of all written comments will be 
    available at the above address for inspection and photocopying between 
    9 a.m. and 4 p.m. Monday through Friday.
    
    FOR FURTHER INFORMATION CONTACT: Nicholas S. Stankosky, (202) 268-5311.
    
    SUPPLEMENTARY INFORMATION: With the increase of potential postage 
    application methods and technologies it is essential that submission 
    procedures be clearly stated and defined. The Postal Service evaluation 
    process can be effective and efficient if these procedures are followed 
    explicitly by all suppliers. In this way secure and convenient 
    technology will be made available to the mailing public with minimal 
    delay and with the complete assurance that all Postal Service 
    technical, quality, and security requirements have been met. These 
    procedures apply to all proposed products and systems, whether the 
    Provider is new or is currently authorized by the USPS.
        39 Code of Federal Regulations Section 501.9, Security Testing, 
    currently states that ``The Postal Service reserves the right to 
    require or conduct additional examination and testing at any time, 
    without cause, of any meter submitted to the Postal Service for 
    approval or approved by the Postal Service for manufacture and 
    distribution.'' When the Postal Service elects to retest a previously 
    approved product, the Provider will be required to resubmit the product 
    for evaluation according to part or all of the proposed procedures. 
    Full or partial compliance will be determined by the Postal Service 
    prior to resubmission by the Provider.
        The proposed submission procedures will be referenced in 39 CFR 
    Parts 501 and 502 but will be published as a separate document as 
    follows:
    
    Metering Technology Management
    
    Metering Product Submission Procedures
    
        In submitting a metering product for Postal Service evaluation, the 
    proposed Provider must provide detailed documentation in the following 
    areas:
         Letter of Intent.
         Nondisclosure Agreements.
         Concept of Operations (CONOPS).
         Software and Documentation Requirements.
         Provider Infrastructure Plan.
         USPS Address Matching System (AMS) CD-ROM Integration.
         Product Submission/Testing.
         Provider Infrastructure Testing.
         Field Test (Beta) Approval (Limited Distribution).
         Provider/Product Approval (Full Distribution).
        These sections must be completed in sequential order as detailed 
    below:
    1. Letter of Intent
        A. The Provider must submit a Letter of Intent to the Manager, 
    Metering Technology Management (MTM), United States Postal Service, 475 
    L'Enfant Plaza SW, Room 8430, Washington DC 20260-2444.
        The Letter of Intent must include:
        (1) Date of correspondence.
        (2) Name and address of all parties involved in the proposal: In 
    addition to the Provider, those responsible for
    
    [[Page 46729]]
    
    assembly, distribution, management of the product/device, hardware/
    software development, testing, and other organizations involved (or 
    expected to be involved) with the product.
        (3) Name and phone number of official point of contact for each 
    company identified.
        (4) Proposed Provider's business qualifications (i.e., proof of 
    financial viability, certifications and representations, proof of 
    ability to be responsive and responsible).
        (5) Product/device concept narrative.
        (6) Provider infrastructure concept narrative.
        (7) Narrative that identifies the internal resources knowledgeable 
    of current USPS policies, procedures, performance criteria, and 
    technical specifications, to be used to develop security, audit, and 
    control features of the proposed product, and
        (8) The target Postal Service market segment the proposed product 
    is envisioned to serve.
        B. The Provider must submit with the Letter of Intent a proposed 
    product development plan of actions and milestones (POA&M) with a start 
    date coinciding with the date of the Letter of Intent. Reasonable 
    progress must be shown against these stated milestones.
        C. The Manager, Metering Technology Management, will acknowledge in 
    writing the receipt of the Provider's Letter of Intent and will 
    designate a Postal Service point-of-contact. Upon receipt of this 
    acknowledgment, the Provider may continue with the sequential 
    requirements of the product submission process.
    2. Nondisclosure Agreements
        These agreements are intended to ensure confidentiality and 
    fairness in business. The Postal Service is not obligated to provide 
    product submission status to any parties not identified in the Letter 
    of Intent. After obtaining signed nondisclosure agreements, the 
    Provider may continue with the sequential requirements of the product 
    submission process.
    3. Concept of Operations (CONOPS)
        A. The Provider must submit a Concept of Operations (CONOPS) that 
    discusses at a moderate level of detail the features and usage 
    conditions for the proposed product. The Provider should submit 10 
    serialized hard copies and one electronic copy of a PC-formatted 3.5'' 
    floppy disk. Additionally, the Provider must also submit a detailed 
    process model, supporting each CONOPS section. Note: The Postal Service 
    will not be obligated to provide consulting guidance on any current 
    Postal Service policy, procedure, performance criteria, or 
    specification beyond publicly available publications.
        B. The CONOPS should cover the following areas at a minimum:
        (1) System Overview.
        (a) Concept overview/business model.
        (b) Concept of production/maintenance administration.
        (c) For Information-Based Indicia (IBI) products, a PC Postage 
    system design.
        (i) Postal Security Device (PSD) implementation (stand-alone, LAN, 
    WAN, Hybrid).
        (ii) Features.
        (iii) Components including the digital signature algorithm.
        (d) Product lifecycle overview.
        (e) Adherence to industry standards such as FIPS 140-1, as 
    determined by the USPS.
        (2) For Proposed IBI PC Postage Product-Details.
        (a) PSD features and functions.
        (b) Host system features and functions.
        (c) Other components required for normal use conditions.
        (3) Product Lifecycle.
        (a) Manufacture.
        (b) USPS certification of product/device.
        (c) Production.
        (d) Distribution.
        (e) Product/device licensing and registration.
        (f) Initialization.
        (g) Product authorization and installation.
        (h) Postage Value Download (PVD) process.
        (i) Product and support system audits.
        (j) Inspections.
        (k) Product withdrawal/replacement.
        (i) Overall process.
        (ii) Product failure/malfunction procedures.
        (l) Scrapped product process.
        (4) Finance Overview.
        (a) Customer account management.
        (i) Payment methods.
        (ii) Statement of account.
        (iii) Refund.
        (b) Individual product finance account management.
        (i) PVD.
        (ii) Refund.
        (c) Daily account reconciliation.
        (i) Provider reconciliation.
        (ii) USPS-detailed transaction reporting.
        (d) Periodic summaries.
        (i) Monthly reconciliation.
        (ii) Other reporting as required by the Postal Service.
        (5) Interfaces.
        (a) Communications and message interfaces with postal 
    infrastructure.
        (i) PVDs.
        (ii) Refunds.
        (iii) Inspections.
        (iv) Product audits.
        (v) Lost or stolen product procedures.
        (b) Communications and message interfaces with applicable USPS 
    financial functions.
        (i) Postage settings including those done remotely.
        (ii) Daily account reconciliation.
        (iii) Refunds.
        (c) Communication and message interfaces with Customer 
    Infrastructure.
        (i) Key management.
        (ii) Product audits (device and host system).
        (iii) Inspections.
        (d) Message error detection and handling.
        (6) Technical Support and Customer Service.
        (a) User training and support.
        (b) Software Configuration Management (CM) and update procedures.
        (c) Hardware CM and update procedures.
        (7) Other.
        (a) Postal rate change procedures.
        (b) Address Management System ZIP+4 CD-ROM updates.
        (c) Physical security.
        (d) Personnel/site security.
        C. Supplementary requirements, Concept of Operations:
        (1) The CONOPS must be accompanied by substantiated market analysis 
    supporting the target Postal Service market segment the proposed 
    product is envisioned to serve as identified in the Letter of Intent.
        (2) The CONOPS must include a list and a detailed explanation of 
    any proposed deviations from USPS performance criteria or 
    specifications. Any proposed deviation to audit and control functions 
    required by current USPS policy, procedure, performance criteria, or 
    specification must be accompanied by an independent assessment by a 
    nationally recognized accounting firm attesting to the proposed 
    auditing method. The report of this information is to be signed by an 
    officer of the accounting firm.
        D. USPS Response:
        (1) The USPS will acknowledge, in writing, receipt of the CONOPS 
    and perform an initial review. The USPS will provide the Provider with 
    a written summary of the CONOPS review. Authorization to continue with 
    the product submission process, or a listing of CONOPS requirements 
    that are not met will be provided by the USPS in the written review.
        (2) If, in the opinion of the USPS, it is determined that extensive 
    CONOPS deficiencies do exist, the USPS, at the
    
    [[Page 46730]]
    
    discretion of the Manager, Metering Technology Management, may return 
    the CONOPS to the Provider without further review. It will then be 
    incumbent on the Provider to resubmit a corrected CONOPS.
        (3) Upon receipt of authorization from the USPS to continue the 
    product submission process, the Provider may continue with the 
    sequential requirements of the product submission process.
        (4) For submissions, the USPS will appoint an IBIP Product Review 
    Control Officer. All communications between the Provider and the USPS 
    are to be coordinated through the IBIP Product Review Control Officer.
    4. Software and Documentation Requirements
        A. The Provider must submit to the Postal Service five copies of 
    executable code and one copy of full source code for all software.
        B. The Provider must submit a detailed design document of the 
    product. This must include the proposed IBIP indicia design, which must 
    be approved by the Manager, Metering Technology Management. FIPS 140-1 
    Appendix A provides a checklist summary of documentation requirements 
    for the FIPS 140-1 standard. Additionally, the Postal Service requires 
    design documentation that includes, but is not limited to, the 
    following:
        (1) Operations manuals for product usage.
        (2) Interface description documents for all proposed communications 
    interfaces.
        (3) Maintenance manuals.
        (4) Schematics.
        (5) Product initialization procedures.
        (6) Finite state machine models/diagrams.
        (7) Block diagrams.
        (8) Security features descriptions.
        (9) Cryptographic operations descriptions.
        Detailed references for much of this documentation are listed in the 
    FIPS 140-1 Appendix A. The Postal Service will determine the number of 
    copies needed of the aforementioned documentation based on the CONOPS 
    review. The USPS will notify the Provider of the required number of 
    copies. The required number of copies are to be uniquely numbered for 
    control purposes.
        C. The Provider must submit a comprehensive test plan that 
    validates that the product meets all Postal Service requirements and 
    FIPS 140-1. The test plan must list the parameters to be tested, test 
    equipment, procedures, test sample sizes, and test data formats. Also, 
    the plan must include detailed descriptions, specifications, design 
    drawings, schematic diagrams, and explanations of the purposes for all 
    special test equipment and nonstandard or noncommercial 
    instrumentation. Finally, this test plan must include a proposed 
    schedule of major test milestones.
        D. USPS Response:
        (1) The Provider must submit a benchmark assessment plan. USPS 
    Engineering will provide reference standards, performance criteria, 
    specifications, etc., to be used as a basis for the Provider to produce 
    this plan.
        (2) The USPS will acknowledge in writing receipt of the Provider's 
    design and test plans and perform an initial review. The USPS will 
    provide the Provider with a written summary of the design plan and test 
    plan reviews. Authorization to continue with the product submission 
    process, or a listing of design plan requirements or test plan 
    requirements that are not met, and perhaps other deficiencies, will be 
    provided by the USPS in the written review.
        (3) If, in the sole opinion of the USPS, it is determined that 
    extensive design plan or test plan deficiencies do exist, the USPS at 
    the discretion of the Manager, Metering Technology Management, may 
    return the plans to the Provider without further review. It will then 
    be incumbent on the Provider to resubmit corrected plans.
        (4) Upon receipt of authorization from the USPS to continue the 
    product submission process, the Provider may continue with the 
    sequential requirements of the product submission process.
    5. Provider Infrastructure Plan
        A. The Provider Infrastructure Plan may be submitted concurrently 
    with the design and test plans, or after written acknowledgment from 
    the USPS indicating the plans successfully met the requirements of the 
    product submission process.
        B. The Provider must submit a Provider Infrastructure Plan that 
    describes how the processes and procedures described in the CONOPS will 
    be met or enforced. This includes, but is not limited to, a detailed 
    description of all Provider and Postal Service related operations, 
    computer systems, and interfaces with both customers and the Postal 
    Service that the Provider shall use in manufacturing, producing, 
    distribution, customer support, product/device lifecycle, inventory 
    control, print readability quality assurance, and reporting.
        C. USPS Response:
        (1) The USPS will acknowledge in writing receipt of the Provider's 
    Infrastructure Plan and perform an initial review. The USPS will 
    provide the Provider with a written summary of the Infrastructure Plan 
    review. Authorization to continue with the product submission process, 
    or a listing of the Infrastructure Plan requirements that are not met, 
    and perhaps other deficiencies, will be provided by the USPS in the 
    written review.
        (2) If, in the opinion of the USPS, it is determined that extensive 
    Provider Infrastructure Plan deficiencies do exist, the USPS at the 
    discretion of the Manager, Metering Technology Management, may return 
    the Infrastructure Plan to the Provider without further review. It will 
    then be incumbent on the Provider to resubmit a corrected 
    Infrastructure Plan.
        (3) Upon receipt of authorization from the USPS to continue the 
    product submission process, the Provider may continue with the 
    sequential requirements of the product submission process.
    6. USPS Address Matching System (AMS) CD-ROM Integration
        A. The USPS AMS CD-ROM is a required component of IBIP systems. The 
    Provider shall initiate an agreement with the USPS National Customer 
    Support Center (NCSC). This signed agreement shall describe 
    responsibilities of the AMS CD-ROM supply chain processes, including 
    roles of the Provider. The only functionality of the AMS CD-ROM 
    available through an IBIP system is address matching and ZIP+4 coding 
    of input addresses.
        B. Any CONOPS or products proposed where the Provider requests a 
    variance to the AMS CD-ROM requirements must be approved by the 
    Manager, Metering Technology Management, prior to proceeding with the 
    next step in the submission process.
        C. A detailed description of the process in which an address is 
    ZIP+4 coded including all possible optional and required parameters.
    7. Product Submission/Testing
        A. The Provider must be prepared to submit up to five complete 
    systems of each product/device requested for approval, to the Postal 
    Service for evaluation and review. The required number of submitted 
    systems will be determined by the Postal Service. The Provider must 
    provide directly, or through lease or rental, any equipment required 
    for use in conjunction with the proposed product/device needed to
    
    [[Page 46731]]
    
    represent usage conditions as proposed in the CONOPS.
        B. The Provider must submit the proposed product to a laboratory 
    accredited under the National Voluntary Laboratory Accreditation 
    Program (NVLAP) for FIPS 140-1 certification, or equivalent, as 
    authorized by the Postal Service. Upon completion of the FIPS 140-1 
    certification, or equivalent, the Postal Service requires the following 
    be forwarded directly from the accredited laboratory to the Manager, 
    Metering Technology Management for review:
        (1) A copy of letter of recommendation to the National Institute of 
    Standards and Technology (NIST) of the United States of America.
        (2) Copies of proprietary and nonproprietary reports and 
    recommendations generated.
        (3) A copy of NIST-issued certificate.
        (4) Written full disclosure identifying any role of the NVLAP which 
    contributed to the design, development, or ongoing maintenance of the 
    product/device.
        C. The Provider may submit the product to the USPS for initial 
    evaluation without the completion of the FIPS 140-1 testing providing a 
    letter is submitted from the NVLAP lab to the USPS indicating:
        (1) The product is being tested under FIPS 140-1 for the required 
    security levels.
        (2) The product has a reasonable chance of meeting the FIPS 140-1/
    USPS security levels.
        (3) The timeline for FIPS 140-1 test completion.
        D. Upon satisfactory completion of FIPS 140-1 testing, or 
    equivalent, as authorized by the Postal Service, the USPS will 
    authorize the Provider, in writing, to submit the product to the USPS 
    for testing and evaluation.
        E. The Postal Service reserves the right to require or conduct 
    additional examination and testing at any time, without cause, of any 
    product submitted to the Postal Service for approval or approved by the 
    Postal Service for manufacture and distribution.
        F. Upon receipt of authorization from the USPS to continue the 
    product submission process, the Provider may continue with the 
    sequential requirements of the product submission process.
    8. Product Infrastructure Testing
        A. Testing of all reporting requirements, including, and not 
    limited to, Postal Service/customer licensing support, product status 
    activity reporting, total product population inventory, irregularity 
    reporting, lost and stolen reporting, financial transaction reporting, 
    account reconciliation, digital certificate acquisition, product 
    initialization, cryptographic key changes, rate table changes, print 
    quality assurance, device authorization, device audit, product audit, 
    and remote inspections must be achieved by Providers prior to any 
    product/device approval for distribution.
        B. Testing of these activities and functions includes computer-
    based testing of all interfaces with the Postal Service including but 
    not limited to the following:
        (1) Product manufacture and life cycle (including leased, unleased, 
    new meter stock, installation, withdrawal, replacement, key management, 
    lost, stolen, and irregularity reporting).
        (2) Product distribution and initialization (including product 
    authorization, product initialization, customer authorization, and 
    product maintenance).
        (3) Licensing (including license application, license update and 
    license revocation).
        (4) Finance (including lockbox account management, individual 
    product financial accounting, refunds, daily summary reports, daily 
    transaction reporting, and monthly summary reports).
        (5) Audits and inspections.
        C. The Provider must complete a ``Product--Provider 
    Infrastructure--Financial Institution--USPS Infrastructure'' (Alpha) 
    test involving all entities in the proposed architecture; at a minimum 
    this includes the proposed product, Provider Infrastructure, financial 
    institution and USPS Infrastructure systems and interfaces. Alpha 
    testing is intended to demonstrate the proposed product utility, 
    functionality and compatibility with other systems, and may be 
    conducted in a laboratory environment.
        D. Provider Infrastructure Testing--(Alpha) test note: The Postal 
    Service reserves the right to require or conduct additional examination 
    and testing at any time, without cause, of any Provider Infrastructure 
    system supporting an IBIP product/device approved by the Postal Service 
    for manufacture and distribution. Initial Provider Infrastructure 
    testing and (Alpha) testing schedules will be supported at the 
    convenience of the Postal Service.
        E. Demonstrable evidence of successful completion for each test is 
    required prior to proceeding.
        F. Upon receipt of authorization from the USPS to continue the 
    product submission process, the Provider may continue with the 
    sequential requirements of the product submission process.
    9. Field Test (Beta) Approval (Limited Distribution)
        A. The Provider will submit a proposed Field Test (Beta) Test Plan 
    identifying test parameters, product quantities, geographic location, 
    test participants, test duration, test milestones, and product recall 
    plan. The purpose of the Beta test is to demonstrate the proposed 
    product's utility, security, audit and control, functionality, and 
    compatibility with other systems in a real-world environment. The Beta 
    test will employ available communications and interface with current 
    operational systems to conduct all product functions. The Manager, 
    Metering Technology Management will determine acceptance of Provider-
    proposed Beta Test Plans based on, but not limited to, assessed risk of 
    the product, product impact on Postal Service operations, and 
    requirements for Postal Service resources. Proposed candidates for Beta 
    test participation must be approved by the Postal Service. Beta test 
    approval consideration will be based in whole or in part on the 
    location, mail volume, mail characteristics, and mail origination and 
    destination patterns.
        B. The Provider has a duty to report security weaknesses to the 
    Postal Service to ensure that each product/device model and every 
    product/device in service protects the Postal Service against loss of 
    revenue at all times. Beta participants must agree to a nondisclosure 
    confidentiality agreement when reporting product security, audit, and 
    control issues, deficiencies, or failures to the Provider and the 
    Postal Service. A grant of Field Test Approval (FTA) does not 
    constitute an irrevocable determination that the Postal Service is 
    satisfied with the revenue-protection capabilities of the product/
    device. After approval is granted to manufacture and distribute a 
    product/device, no change affecting the basic features or safeguards of 
    a product/device may be made except as authorized or ordered by the 
    Postal Service in writing from the Manager, Metering Technology 
    Management.
        C. Upon receipt of authorization from the USPS to continue the 
    product submission process, the Provider may continue with the 
    sequential requirements of the product submission process.
    10. Provider/Product Approval (Full Distribution)
        A. Upon receipt of the final certificate of evaluation from the 
    national laboratory, and after obtaining positive
    
    [[Page 46732]]
    
    results of internal testing of the product/device, successful 
    completion of Provider infrastructure testing, Alpha testing, and 
    demonstration of limited distribution activities (Beta testing); the 
    submitted product, Provider infrastructure and Provider/manufacturer 
    qualification requirements will be administratively reviewed for final 
    approval. Note: Copies of Draft 39 Code of Federal Regulation Part 502 
    containing IBIP Provider/Manufacturer qualification requirements are 
    available by contacting USPS Metering Technology Management, 475 
    L'Enfant Plaza SW, Room 8430, Washington, DC 20260-2444. Copies of CFR 
    Part 501 pertaining to postage meters are also available at the above 
    address.
        B. The Postal Service may require at any time, that models/versions 
    of approved products, and the design and user manuals and 
    specifications applicable to such product, and any revisions thereof be 
    deposited with the Postal Service.
        It is emphasized that this proposed procedure is being published 
    for comments and is subject to final definition.
        Although exempt from the notice and comment requirements of the 
    Administrative Procedure Act (5 U.S.C. 553 (b),(c)) regarding proposed 
    rule making by 39 U.S.C. 410(a), the Postal Service invites public 
    comments on the proposed procedures.
    Neva R. Watson,
    Chief Counsel, Legislative.
    [FR Doc. 98-23560 Filed 8-28-98; 3:59 pm]
    BILLING CODE 7710-12-P
    
    
    

Document Information

Published: 09/02/1998
Department: Postal Service
Entry Type: Proposed Rule
Action: Proposed Procedure.
Document Number: 98-23560
Dates: Comments must be received on or before November 2, 1998.
Pages: 46728-46732 (5 pages)
PDF File: 98-23560.pdf
CFR: (2) 39 CFR 501; 39 CFR 502