Digital Autopen Playbook pinpoints how agencies can leverage technology for digital signatures

How to create and use a digital autopen for Federal Register documents
May 23, 2023

Each day, federal agencies publish documents in the Federal Register—including proposed rules, final rules, public notices, and presidential actions.

The GSA logo in white, at the bottom of a blue square.

Many federal web managers have a role in submitting documents to the Office of the Federal Register at the National Archives and Records Administration (NARA) for publication on FederalRegister.gov. Security and authenticity are always a top priority for these documents, especially when it comes to signatures.

Thankfully, the days of being forced to wait for an authorizing sponsor to return from a conference or vacation — where they can’t access the technology to use a federal identification card for their signature — are gone. Now when that sponsor is unavailable, they may authorize the use of a `digital autopen` to add their digital signature to a Federal Register document. Digital signatures ensure that signatures are verified, authentic, and legitimate, and a digital autopen allows authorized individuals to ensure better workflow efficiency and timely submission to the Federal Register.

The blue and white seal for the U.S. CIO Council. It has an abstract gray eagle and 12 gray stars in the center.

The Identity, Credential, and Access Management Subcommittee created the Digital Autopen Playbook as a practical guide to help federal agencies create and use a digital autopen for Federal Register documents. It outlines controls around the digital autopen certificate to meet the Office of the Federal Register’s digital signature requirements for Federal Register documents and cybersecurity.

The playbook includes the three steps that allow federal agencies to create and implement a Federal Register digital autopen process: 

  1. Define the agency process to delegate signing Federal Register documents.
  2. Define controls to ensure the certificate and associated key are used only for the intended purpose.
  3. Obtain a role-based digital signature certificate from a public key infrastructure (PKI) shared service provider.

An agency must define the delegation process, including maintaining, auditing, and measuring the process through a standard operating procedure. The rules, or standard operating procedure, can be found in the playbook. 

Agencies are encouraged to tailor the playbook to fit their unique organizational structure, requirements, and mission needs. The Subcommittee also encourages agencies and other information technology program participants, such as cybersecurity program managers, to tailor this playbook to fit their unique organizational structure, mission, and technical requirements.

Note

Connect with others in the digital identity field. Email icam@gsa.gov to join the Digital Identity Community of Practice. Include “Join the Digital Identity Community” in the subject line.

Visit IDManagement.gov to explore its resources for vendors, program managers, and acquisition professionals.