Digital Autopen Playbook pinpoints how agencies can leverage technology for digital signatures

Each day, federal agencies publish documents in the Federal Register—including proposed rules, final rules, public notices, and presidential actions.

Many federal web managers have a role in submitting documents to the Office of the Federal Register at the National Archives and Records Administration (NARA) for publication on FederalRegister.gov. Security and authenticity are always a top priority for these documents, especially when it comes to signatures.

Thankfully, the days of being forced to wait for an authorizing sponsor to return from a conference or vacation — where they can’t access the technology to use a federal identification card for their signature — are gone. Now when that sponsor is unavailable, they may authorize the use of a `digital autopen` to add their digital signature to a Federal Register document. Digital signatures ensure that signatures are verified, authentic, and legitimate, and a digital autopen allows authorized individuals to ensure better workflow efficiency and timely submission to the Federal Register.

The Identity, Credential, and Access Management Subcommittee created the Digital Autopen Playbook as a practical guide to help federal agencies create and use a digital autopen for Federal Register documents. It outlines controls around the digital autopen certificate to meet the Office of the Federal Register’s digital signature requirements for Federal Register documents and cybersecurity.

The playbook includes the three steps that allow federal agencies to create and implement a Federal Register digital autopen process: 

1. Define the agency process to delegate signing Federal Register documents.
2. Define controls to ensure the certificate and associated key are used only for the intended purpose.
3. Obtain a role-based digital signature certificate from a public key infrastructure (PKI) shared service provider.

An agency must define the delegation process, including maintaining, auditing, and measuring the process through a standard operating procedure. The rules, or standard operating procedure, can be found in the playbook. 

Agencies are encouraged to tailor the playbook to fit their unique organizational structure, requirements, and mission needs. The Subcommittee also encourages agencies and other information technology program participants, such as cybersecurity program managers, to tailor this playbook to fit their unique organizational structure, mission, and technical requirements.