Zero-Trust Architecture Is Incomplete Without Digital Signatures

Zero trust is often mistakenly understood as merely a matter of cybersecurity; however, adhering to zero trust is a crucial factor in agency IT modernization.

By Geoff Mroz, Principal Digital Strategist, Adobe

By design, zero trust mandates that all resources, regardless of physical or network location, undergo verification, authentication, and thorough authorization before being allowed access to another resource. The Office of Management and Budget has set 2024 as the target date for the completion of a zero trust architecture throughout the Federal government.

Agencies are simultaneously in the midst of the largest digital transformation they have ever undertaken. The pandemic expedited this change, often resulting in hasty and makeshift solutions. On the path to lasting modernization, zero trust must be assumed in every digital interaction, of which signatures are among the most prolific.

Accelerating the use of e-signatures is a priority identified for all agencies in the “Executive Order on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government.” E-signatures can dramatically reduce paperwork, broaden the accessibility of government services, and streamline cumbersome approval processes.

However, it is imperative that e-signatures meet the security standards set out by the OMB’s zero trust memorandum. In instances where additional levels of assurance (LOA) are necessary, digital signatures are preferable to e-signatures.

What to look for in a digital signature solution  

Security requirements for e-signatures vary by region, agency, data, and classification levels. E-signatures use common authentication methods such as passwords or email verification, but for sensitive information, such minimal precautions are not nearly sufficient.

There are some cases where additional LOA for signer identification are needed, and that’s where digital signatures come in. Digital signatures are a specific type of e-signature that is backed by a digital certificate as proof of a signer’s identity that is cryptographically bound to the signature field using public key infrastructure (PKI).

To achieve this strong security posture, digital signatures must uniquely identify each signer. Furthermore, the signer’s identity must be reconfirmed prior to signing with tools such as a PIN or a secure signature device like a USB token or cloud-based hardware security module. Digital signatures must also demonstrate proof of signing with a tamper-evident seal and have the ability to re-confirm authenticity for at least 10 years.

For agencies seeking to liberate themselves from arduous paper-based authorizations, while also adhering to zero trust’s strict identity and access management standards, digital signatures are an invaluable tool.

Government agencies are eager to adopt digitization practices, such as digital signatures, that will simplify their workload and make the lives of everyday citizens easier. However, security is paramount. To ensure that any solutions adopted by agencies meet their individual security needs, the Federal Risk and Authorization Management Program (FedRAMP) was created.

How FedRAMP authorization provides peace of mind 

FedRAMP authorizes cloud-based solutions for government agencies at Low, Moderate, and High Impact levels. The Moderate Impact level accounts for 80% of authorizations and is designed to protect sensitive data, such as personally identifiable information (PII). Furthermore, the FedRAMP Moderate designation aligns with NIST controls for Zero Trust. Encryption management is FIPS 140-2 verified, which ensures that cryptographic modules have met NIST security requirements.

With over 325 security controls verified by third-party auditors, agencies can have confidence in their FedRAMP Moderate tools to ensure the protection of sensitive information and compliance with any zero trust architecture.

In every department, at every level, both internally and externally, signatures are required to keep track of approval processes and decision making. In the modern, hybrid world, paper signatures are no longer feasible, and government agencies should not be trapped in the past because their security standards are inherently stricter.

Digital signatures can be used for things like government benefits applications, healthcare forms, and other documents that are part of higher-value, higher-risk, or strictly regulated processes. A FedRAMP Moderate digital signature solution eases the signing experience for employees and constituents, meaning public interactions can have the speed, ease, and security that modern government requires.

The modern government mindset  

Additionally, an inevitable factor in the conversation around IT modernization in the federal government is interoperability. With over 100 federal agencies, it is crucial that any new tools integrate seamlessly with existing software and function effectively across agencies.

When considering the capacity for interoperability and integration in federal agencies, digital signature solutions should be compatible with personal ID verification (PIV) cards, common access cards (CAC) and mobile credentials.

When prioritizing efficiency, solutions capable of wrapping document creation, signature capture, tracking, and archiving into a consolidated secure workflow are preferable as they relieve agency employees from the burden of double and triple checking if their documents and download credentials comply with agency rules.

Achieving digital transformation goals, zero trust architecture, and cross-agency collaboration should not be viewed as competing priorities. In fact, the three should be understood as part of the same, modern government mindset. With the right digital signature tool, agencies can satisfy a component of all these objectives at once.

While digitization tools can unlock unprecedented capabilities for government, protecting citizen and agency data is critical. Agency IT leaders should seek out FedRAMP certified solutions that can enable them to work effectively in a digital world, without compromising on security.

About the Author

Geoff is the Principal Digital Strategist at Adobe. In his nearly 14 years with the company, Geoff has been an invaluable solutions consultant who consistently strives for digital innovation. He possesses extensive knowledge of enterprise security architecture, full lifecycle enterprise application development, agile coding, enterprise applications integration, SOA, and UI/X design and construction across a wide range of technical architectures. Perhaps even more important, Geoff has a knack for bringing people, businesses, and technology together to help companies deliver on the promise of digital transformation and creative productivity.

Geoff can be reached online at https://www.linkedin.com/in/geoffreymroz/ and at our company website https://business.adobe.com/solutions/industries/government.html

July 26, 2022
