Authentication of the Federal Register

Charley Barth

Director, Office of the Federal Register

United States Government

2

Off

ice

of t

he

Fed

eral

Reg

iste

r

• Federal Register Act approved in 1935• Make executive legislation accessible to citizens

– Publish a gazette containing the orders of the Executive Branch

• Began statutory partnership between Office of the Federal Register (OFR) and Government Printing Office (GPO)

• OFR placed under the National Archives and Records Administration (NARA)

• Provided for public inspection of all documents filed with the OFR.

• Currently have 12 publications– Administer the Electoral College process– Administer the Constitutional Amendment ratification process

Background/History of the OFR

3

Off

ice

of t

he

Fed

eral

Reg

iste

r

• First Register was published on March 14, 1936 • First volume was 16 pages

• Published every working day, “Official Gazette of the United States Government”

• Provides legal notice of administrative rules, notices and presidential documents

• Average Daily Federal Register = 150 pages‒ Total pages in 2013 = 80,462

• Final rules published in the FR become part of the Code of Federal Regulations (CFR). Over 180,000 pages

• Available on-line since 1994, Web 2.0 version since 2010• Authentication of the digital FR began in 2009

Background/History of theFederal Register (FR)

4

Off

ice

of t

he

Fed

eral

Reg

iste

r

• GPO is as an Affiliated Archive of NARA and therefore the Official Federal Register resides on their platform (paper and electronic)

• Affiliated Archives receives physical custody of the records, while NARA retains legal custody and, along with it, ultimate responsibility for them.

• For this privilege, the affiliate, through a formal agreement with NARA, agrees to house, maintain, service and authenticate the (digital) records

GPO, Affiliated Archives &OFR partner

5

Off

ice

of t

he

Fed

eral

Reg

iste

r

• By Law, the OFR partners with GPO; OFR publishes the content, GPO prints and distributes the content to include online, digital format and authentication.

• GPO implements four measures to assure integrity and authenticity of FR content.1. Digital Signatures on PDF files

2. Cryptographic Hash Values on Metadata

3. Evidence of the Trusted Digital Repository through the FDsys archive

4. Demonstration of Chain of Custody

Basic Components ofGPO Digital Authentication

6

Off

ice

of t

he

Fed

eral

Reg

iste

rDigital Signatures on PDF Files

Digital signature technology is used to add a visible Seal of Authenticity to authenticated and certified PDF documents

Digital signature and certification assures users that the PDF file has not been altered since being digitally signed and made available by GPO

7

Off

ice

of t

he

Fed

eral

Reg

iste

r

• Upon submission to GPO, a number is generated for each content file that is unique to the data inside the file

• The SHA-256 hash value (Algorithm) recorded in metadata is used to detect changes to content files

• Any change that occurs results in a new hash value

• Users can search for content on FDsys and use hash values, with publicly available tools, to check that content

Cryptographic Hash Values

8

Off

ice

of t

he

Fed

eral

Reg

iste

rCryptographic Hash Values

9

Off

ice

of t

he

Fed

eral

Reg

iste

r

• GPO uses best practices for establishing authenticity of content and maintaining integrity within FDsys

• GPO is working towards certification as a Trusted Repository– GPO utilized the Trustworthy Repositories Audit

and Certification: Criteria and Checklist (TRAC)– Security controls are in place that may allow

authorized users to submit new content and change descriptive metadata, but it is not possible to open a file in the repository and make changes to content

Trusted Digital Repository

10

Off

ice

of t

he

Fed

eral

Reg

iste

r

• GPO provides a chain of custody• Each significant event in the lifecycle of

content is recorded in PREMIS metadata• Records contain the content source, changes

that have occurred since the content was created or acquired, and who has custody of the content

Chain of Custody

11

Off

ice

of t

he

Fed

eral

Reg

iste

rChain of Custody –

Events Recorded in GPO PREMIS

Software Activities Human Agent Activities

• Message Digest Calculation• Crypto Digest Calculation• Ingestion• Fixity Check• Rendition Creation• ACP Creation• Digital Signature

Assignment• Parsing

• Rendition Upload• Rendition Deletion• Submission• Public Access Restriction• Replacement• AIP Nominated for Deletion• AIP Approved for Deletion

12

Off

ice

of t

he

Fed

eral

Reg

iste

r

• Pros:– GPO is able to utilize the widely used and trusted document

standard (PDF)– Use of Digital Signatures in conjunction with Cryptographic Hash

increases level of assurance– Provides quick visible confidence to end-users– It’s fast, secure, authentic, less risky & less costly in the long run!

• Cons:– Upfront costs of Digital Signatures may be cost prohibitive for

some organizations – If majority of your customer base prefers paper version

(traditional customers will doubt the integrity of online)– Some providers have limited storage options and use proprietary

software

Pros and Cons of usingDigital Signatures

13

Off

ice

of t

he

Fed

eral

Reg

iste

r

• Paper version well preserved since 1936 (thru 1985)– Paper is well cared for in compliant, archival centers (NARA

standard 36 CFR Part 1228, Subpart K)– Theft and Fire are biggest challenge

• From 1985 to 1994, we used microfiche– Silver Halide process can last 500 years– Virtually impossible to mutilate

• From 1995 to current, the electronic version on FDsys is the official record copy– Storage (expense and trusted providers/cloud)– Compromised content (via internal/external hacking)– Best formats 25, 50, 100 years from now? (risk of migrating

data from format to format)

Biggest challenges to preserving the Federal Register?

14

Off

ice

of t

he

Fed

eral

Reg

iste

r

• All digital materials published by the OFR and available on GPO’s FDsys utilize the same authentication

• For more information, go to:– Authenticity of Electronic Federal Government

Publications, http://www.gpo.gov/pdfs/authentication/authenticationwhitepaper2011.pdf

– Overview of GPO’s Authentication Program, http://www.gpo.gov/pdfs/authentication/authenticationoverview.pdf

• NARA Record storage standard:– http://www.gpo.gov/fdsys/pkg/CFR-2000-title36-v

ol3/xml/CFR-2000-title36-vol3-part1228-subpartK.xml

Authentication/Preservation of our other legal publications

15

Off

ice

of t

he

Fed

eral

Reg

iste

r

Thank you for your time!

Questions ?