Policies, Procedures, and Forms Updates

Manuals

ASM Revision: Use of Signature Devices and Digital Signature Technology

Effective June 21, 2018, the Postal Service™ is revising the Administrative Support Manual (ASM) to introduce digital signature technology for Postal Service use, and its applicability, roles, and responsibilities. The Postal Service authorizes and approves user accounts for approved digital signature technology within eAccess.

Administrative Support Manual (ASM)

* * * * * 

1 Postal Organization

* * * * * 

112 Delegations of Authority

* * * * * 

[Revise the title of 112.4 to read as follows:]

112.4 Use of Signature Devices and Digital Signature Technology

112.41 General

[Revise the text of 112.41 to read as follows:]

This section provides policy and procedures to establish and manage signature devices and digital signature technologies used in the Postal Service. The policy requires Postal Service officers, executives, and managers to authorize the use of such devices that reproduce their signatures, to delegate in writing the authority to use them, and to control and monitor their use. Only Postal Service-approved digital signature technologies and signature devices may be used to provide signatory authority within the Postal Service. Postal Service officers, executives, and managers authorize and monitor user accounts for digital signature technology within eAccess.

112.42 Policy

[Revise the text of 112.42 to read as follows:]

Postal Service officers, executives, and managers are responsible and accountable for the security and uses of devices containing reproductions of their signatures. They must determine the appropriate use of each device and establish a process to manage the use, which must include written delegation of authority to specified individuals for use of each device. These signature reproduction devices may be used to sign various documents within the Postal Service with the exception of contracts, interagency agreements, strategic alliances, sales agreements, and documents that commit the Postal Service to any expenditure.

When a handwritten signature is required to bind the Postal Service, only a Postal Service-approved digital signature technology or traditional ink signature is authorized as the means for such an action, to include the execution of contracts, interagency agreements, strategic alliances, and sales agreements. An approved digital signature technology may also be used to denote signature and approval of other types of documents within the Postal Service.

To use other signature devices not covered in this policy (see 112.431), or integrate a digital signature technology solution, you must send a request to the Corporate Information Security Office for review and the Chief Information Officer for approval. These devices may include solutions based on biometrics or other devices or technologies that generate a signature and apply it electronically to a document.

* * * * * 

[Revise the title of 112.431 to read as follows:]

112.431 Signature Devices Covered

* * * * * 

[Revise the title and text of 112.432 to read as follows:]

112.432 Digital Signature Technology

Digital signatures are an encrypted digital code appended to an electronic document to verify that it was created by a known source and has not been altered. Use of these technologies ensure authentication, data integrity, and non-repudiation of the individual’s signature. As stated in 112.42, in addition to traditional ink signatures, only Postal Service-approved digital signature technologies are authorized as a means for executing contracts, interagency agreements, strategic alliances, sales agreements, or documents that commit the Postal Service to any expenditures. Only authorized individuals may use these digital signature technologies for signatory purposes.

112.44 Responsibility

112.441 Officers, Executives, and Managers

[Revise the text of 112.441 to read as follows:]

Postal Service officers, executives, and managers are responsible for complying with the policy and procedures for delegating signature authority for the use of signature devices and authorizing eAccess accounts for use of an approved digital signature technology.

112.442 Corporate Information Security Office

[Revise the text of 112.442 to read as follows:]

The Corporate Information Security Office or representative is responsible for approving use of any signature devices not covered in 112.431 and new digital signature technology solutions described in 112.432.

112.443 Chief Information Officer

[Revise the text 112.443 to read as follows:]

The Chief Information Officer or representative is responsible for approving use of any signature devices not covered in 112.431 and new digital signature technology solutions described in 112.432.

112.45 Procedures for Managing Use of Signature Devices

112.451 Obtain Approval

* * * * * 

[Revise item a. to read as follows:]

a. Prepare a written request defining the number and types of signature devices and the conditions under which each device will be used, and work with the appropriate CISO personnel to determine the necessary controls and monitoring to be implemented.

* * * * * 

112.452 Delegate a Signature Solution Authority

[Revise the first sentence of 112.452 to read as follows:]

Upon obtaining approval for a signature device, the requester will issue a written delegation of authority to the individual authorized to affix his or her signature.***

* * * * * 

[Add new 112.47 to read as follows:]

112.47 Procedures for Managing Use of Digital Signature Technology

Officers, executives, and managers have the authority to implement within their organizations the use of a Postal Service-approved digital signature technology for the purpose of signing documents. User accounts are authorized and managed through eAccess. The user’s account may not be used by or delegated to another user. Managers must review access granted to users under their supervision to ensure that the access is still required by users to perform their duties. The minimum acceptable review schedule is on a semiannual basis; more frequent reviews should be scheduled based on information sensitivity (see Handbook AS-805, Information Security, 9-3.2.5, Periodic Review of Access Authorization).

* * * * * 

The Postal Service will incorporate these revisions into the next online update of the ASM, which is available on the PolicyNet website:

n Go to blue.usps.gov.

n In the left-hand column under “Essential Links,” click PolicyNet.

n Click Manuals.

The direct URL for the Postal Service PolicyNet website is blue.usps.gov/cpim.