NARA Bulletin 2005-04
March 28, 2005
TO: Heads of Federal agencies
SUBJECT: Availability of electronic records management guidance for PKI digital signature authenticated and secured transaction records
EXPIRATION DATE: March 31, 2008 (per NARA Bulletin 2007-01)
1. What is the purpose of this bulletin?
This bulletin announces the availability of "Records Management Guidance for PKI Digital Signature Authenticated and Secured Transaction Records," which was jointly developed by the National Archives and Records Administration (NARA) and the Federal Public Key Infrastructure Steering Committee's (FPKI SC) Legal/Policy Working Group in response to a Chief Information Officer (CIO) Council request. The guidance is available on the NARA web site at http://www.archives.gov/records-mgmt/policy/pki.html and at the CIO Council web site at http://www.cio.gov/fpkisc. Paper copies will be provided upon request.
2. What is the background to this guidance?
a. NARA had previously developed "Records Management Guidance for Agencies Implementing Electronic Signature Technologies," in response to the Government Paperwork Elimination Act (GPEA) (see http://www.archives.gov/records-mgmt/policy/electronic-signature-echnology.html). This guidance described recordkeeping requirements for electronic signature-related records.
b. In response to a request from the CIO Council for further assistance beyond that guidance, NARA had also previously developed "Records Management Guidance for PKI-Unique Administrative Records" (see http://www.archives.gov/records-mgmt/policy/pki-guidance.html). This guidance describes PKI-unique administrative records which document functions unique to planning, implementing, operating, auditing, monitoring, and re-organizing/terminating a PKI.
c. In response to a request from the CIO Council for further assistance beyond that guidance, NARA and the FPKI SC conducted focus groups with Federal agency personnel to determine the exact scope, specific to PKI-unique transaction records, that would be most useful to records, legal, and technology personnel.
d. PKI-unique transaction records are records that relate specifically to each transaction and that are embedded or referenced within the transaction (e.g., the digital signature, generally the public key certificate and possibly transaction-specific PKI records used for authentication or non-repudiation, such as certificate validation responses).
e. This guidance delineates potential categories of such records that agencies may want to schedule, based on a variety of best practice sources. It has been reviewed and approved by NARA, Office of Management and Budget, Department of Justice, the CIO Council, and the FPKI SC.
3. How is NARA disseminating this guidance to Federal agencies?
In addition to this bulletin, NARA will distribute copies of the guidance to agency records officers and chief information officers.
4. How long is the PKI records management guidance for transaction records valid?
The guidance announced by this bulletin is effective indefinitely. Any changes to the guidance will be issued in a future bulletin.
5. Is further information available?
For further records management information and assistance, Federal agencies may contact the Office of Records Services-Washington, DC, Modern Records Programs at 301-837-1738, or the Office of Regional Records Services at 301-837-2950.
Archivist of the United States