NOTE: COMMENTS REGARDING ANY FEDERAL REGISTER NOTICE MUST BE SENT TO THE ADDRESS INDICATED IN THE DOCUMENT. ANY COMMENTS ON THE RAPID INFORMATION BULLETIN BOARD SYSTEM (RIBBS) ABOUT ANY FEDERAL REGISTER NOTICES WILL NOT BE USED OR CONSIDERED IN THE COURSE OF ANY RULE MAKING.

-----------------------------------------------------------------------

[Federal Register: January 7, 1997 (Volume 62, Number 4)]
[Notices]
[Page 1001-1004]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]

-----------------------------------------------------------------------

POSTAL SERVICE

Information Based Indicia Program Interim Product Submission Procedures

AGENCY: Postal Service.

ACTION: Notice of proposed procedures with request for comments.

-----------------------------------------------------------------------

SUMMARY: There are approximately 1.5 million postage meters in use in the United States, which collectively account for approximately $20 billion in postal revenue annually. For several years the Postal Service has been actively pursuing a solution of the problem of inadequate postage meter security. To respond to the threat of fraudulent use of meters by physical tampering, the Postal Service intends to decertify and remove from the market, in risk-driven phases, all mechanical and electro-mechanical postage meters. Another problem the Postal Service has faced is that currently available meter indicia are susceptible to counterfeiting. The Postal Service is exploring using current technology special purpose units such as computers and independent printers to provide prepaid postage. This notice describes interim product submission procedures for the Information Based Indicia Program (IBIP) which the Postal Service is developing to support these corrective efforts.

DATES: Comments on the proposed procedures must be received on or before February 6, 1997.

ADDRESSES: Copies of all draft specifications published to date under the Information Based Indicia Program may be obtained from: Terry Goss, United States Postal Service, 475 L'Enfant Plaza SW, Room 8430, Washington, DC 20260-6807, (202)-268-3757. Mail or deliver written comments to: Manager, Retail Systems and Equipment, United States Postal Service, 475 L'Enfant Plaza SW, Room 8430, Washington DC 20260-6807. Copies of all written comments may be inspected and photocopied between 9 a.m. and 4 p.m., Monday through Friday, at the above address.

FOR FURTHER INFORMATION CONTACT: Terry Goss, (202) 268-3757.

SUPPLEMENTARY INFORMATION: The Information Based Indicia Program (IBIP) is a Postal Service initiative supporting the development and implementation of a new form of postage indicia. The Postal Service envisions that the new indicium standard may eventually support new or existing products and services. Specific products and services have not been determined.

An IBIP indicium (Federal Register Volume 61 Number 128 Tuesday, July 2, 1996) substitutes for a postage stamp or a postage meter imprint as evidence of the fact that postage has been paid on mailpieces.

An IBIP Postal Security Device indicium (Federal Register Volume 61 Number 128 Tuesday, July 2, 1996) provides cryptographic signature, financial accounting, indicium creation, device authorization, and audit functions.

An IBIP Host System indicium (Federal Register Volume 61 Number 209 Monday, October 28, 1996) creates the indicium using data provided by the Postal Security Device and the user, supports communications with the vendor's infrastructure, provides a user interface, employs current postage rates, supports use of standardized addresses, and maintains records regarding host system use.

The goal for IBIP is to provide an environment in which customers can apply postage through new technologies that improve postal revenue security.
This requires a new form of postage indicia and the adoption of standards to facilitate industry investment and product development.

The manufacture and use of postage meters is governed by Postal Service regulations (see 39 CFR Part 501; Domestic Mail Manual P030). With the development of new proposed specifications under the IBI Program that increases product security along with integrating advances in technology, a new approach to product submission is required. This new interim approach for product submission procedures covers product/devices intended to meet IBIP specifications.

Please note this proposed procedure applies to product service providers of IBI products/devices. It does not apply to users of IBI product/devices nor producers of mail bearing the IBI as a form of evidence of postage.

As explained in detail below, there are nine steps proposed for the Interim IBIP product submission process. These steps are entitled:

(1) Letter of Intent,
(2) Non-Disclosure Agreements,
(3) Concept of Operations,
(4) Documentation Requirement,
(5) Vendor Infrastructure Plan,
(6) Product Submission/Testing,
(7) Vendor Infrastructure Testing,
(8) Field Test (Beta) Approval (Limited Distribution), and
(9) Vendor/Product Approval (Full Distribution).

The proposed Interim IBIP product submission procedures [Draft] include nine steps:

A. Letter of Intent

1. The vendor must submit a letter of intent to the Manager, Retail Systems and Equipment (RSE), United States Postal Service, 475 L'Enfant Plaza SW, Room 8430, Washington DC 20260-6807.
Include in this letter of intent
  (a) Date of correspondence,
  (b) Name and address of parties involved in the proposal: manufacturer, assembly, distribution, and management of the product/device,
  (c) Name and phone number of official point of contact for each company identified,
  (d) Proposed manufacturers' business qualifications (i.e., certifications and representations, proof of ability to be responsive and responsible),
  (e) a product/device concept narrative,
  (f) a vendor infrastructure concept narrative, and
  (g) the target Postal Service market segment the proposed IBIP product/device is envisioned to serve.

2. The vendor must submit with the letter of intent a proposed IBIP product/device development plan of actions and milestones (POA&M) with a start date coinciding with the date of the letter of intent.

B. Non-Disclosure Agreements

The vendor must sign non-disclosure agreements with the Postal Service and its agents. These agreements are intended to assure confidentiality and fairness in business.

C. Concept of Operations

The vendor must submit a "Concept of Operations" (CONOPS) that discusses at a moderate level of detail the features and usage conditions for the proposed product/device. Vendors should provide five hard copies and one electronic copy on a PC-formatted 3.5" floppy disk. The CONOPS should cover the following areas at a minimum:

1. System Overview
  (a) Concept Overview/Business Model
  (b) Concept of Production Administration
  (c) PC Postage System (hardware/software)
    (1) Features
    (2) Components
  (d) Product Lifecycle Overview
  (e) Adherence to Industry Standards

2. Proposed PC Postage System Components--Details
  (a) Postal Security Device Features and Functions
  (b) Host System Features and Functions
  (c) Other components required for normal use conditions

3. Proposed PC Postage Product Lifecycle
  (a) Manufacture
  (b) USPS certification of product/device
  (c) Production
  (d) Distribution
  (e) Product/device licensing and registration
  (f) Initialization
  (g) Product/Device Authorization and Installation
  (h) Postage Value Download (PVD) process
  (i) Product audits (Device and Host System)
  (j) Inspections (print quality assurance)
  (k) Device/Product Withdrawal/Replacement
    (1) Overall process
    (2) Product failure/malfunction procedures
  (l) Scrapped device process

4. Finance Overview
  (a) Customer account (lock box) management
    (1) Coupon acquisition
    (2) Payment
    (3) Statement of Account
    (4) Refund
  (b) Individual product finance account management
    (1) Postage Value Download
    (2) Refund
  (c) Daily account reconciliation
    (1) Vendor reconciliation
    (2) USPS detailed transaction reporting
  (d) Periodic summaries
    (1) Monthly reconciliation
    (2) Other reporting

5. Interfaces
  (a) Communications and message interfaces with Postal Infrastructure
    (1) PVDs
    (2) Scanning Support
    (3) Support for Mailpiece spoils
    (4) Refunds
    (5) Inspections (print quality assurance)
    (6) Product Audits
    (7) Lost or Stolen Procedures
  (b) Communications and message interfaces with USPS financial institutions
    (1) Postage refill
    (2) Daily Account reconciliation
    (3) Deposit slip management
    (4) Refunds
  (c) Communications and message interfaces with Customer Infrastructure
    (1) Key Management
    (2) Product Audits (Device and Host System)
    (3) Inspections (print quality assurance)
  (d) Message Error Detection and Handling

6. Technical Support and Customer Service
  (a) User Training and Support
  (b) Software Configuration Management (CM) and update procedures
  (c) Hardware CM and update procedures

7. Other
  (a) Postal Rate Change Procedures
  (b) ZIP+4 CD updates
  (c) Physical Security
  (d) Personnel Security

Appendix A Security Features

The CONOPS must be accompanied by substantiated market analysis supporting the target Postal Service market segment the proposed IBIP product/device is envisioned to serve as identified in the Letter of Intent.

D. Documentation Requirements

1. The vendor must submit to the Postal Service a detailed design document of the product/device. FIPS 140-1 Appendix A provides a checklist summary of documentation requirements for the FIPS 140-1 standard. Additionally, the Postal Service requires design documentation which includes, but is not limited to, the following:
  (a) Full source code of all software involved in the IBIP Postal Security Device and the IBIP Host System,
  (b) Operations manuals for product usage,
  (c) Interface description documents for all proposed communications interfaces,
  (d) Maintenance manuals,
  (e) Schematics,
  (f) Product initialization procedures,
  (g) Finite state machine models/diagrams,
  (h) Block diagrams,
  (i) Security features descriptions, and
  (j) Cryptographic operations descriptions.

Detailed references for much of this documentation are listed in FIPS 140-1 Appendix A. The Postal Service will determine the number of copies needed of the aforementioned documentation based on review of the CONOPS.

2. The vendor must submit a test plan that, if passed by a product/device, provides compliance by the product/device with all Postal Service requirements and FIPS 140-1 requirements, as applicable to IBIP. The test plan must list the parameters to be tested, test equipment, procedures, test sample sizes, and test data formats. Also, the plan must include detailed descriptions, specifications, design drawings, schematic diagrams, and explanations of the purposes for all special test equipment and non-standard or non-commercial instrumentation.
Finally, this test plan must include a proposed schedule of major test milestones.

E. Vendor Infrastructure Plan

The Vendor must submit a Vendor Infrastructure Plan which describes how you will meet or enforce the processes and procedures described in your concept of operations. This includes but is not limited to a detailed description of all Information Based Indicia Program and Postal Service related operations, computer systems, and interfaces with both customers and the Postal Service that the vendor shall use in manufacturing, producing, distribution, customer support, product/device life cycle, inventory control, print readability quality assurance, and reporting on IBIP product/devices.

F. Product Submission/Testing

1. The vendor must submit, of each product/device requested for approval, a minimum of five combinations of each product/device to the Postal Service for evaluation and review. The vendor must provide directly, or through lease or rental, any equipment required for use in conjunction with the proposed product/device needed to represent usage conditions as proposed in the CONOPS (see section C).

2. The vendor must supply the Postal Service with sample mailpieces that represent the range of impression styles possible (including Ad plates) and envelope (size) types, envelope (paper) types, envelope colors, and envelope styles acceptable to the IBIP product/device submitted for testing. Separate sample mailpieces from each printer driver supported by the IBIP product/device will be required. Quantities of sample mailpieces required for testing will be determined by the Postal Service based on product/device characteristics.

3. The vendor must submit simultaneously to IBIP product/device submission to the Postal Service the identical IBIP product/device to a laboratory accredited under the National Voluntary Laboratory Accreditation Program (NVLAP) for product/device FIPS 140-1 certification, as applicable.
Upon completion of this evaluation, the Postal Service requires the following be forwarded directly from the accredited laboratory to the Manager, Retail Systems & Equipment for review:
  (a) A copy of letter of recommendation to the National Institute of Standards and Technology (NIST) of the United States of America.
  (b) Copies of all proprietary and non-proprietary reports and recommendations generated.
  (c) A copy of NIST issued certificate.

Additional Security Testing Note: The Postal Service reserves the right to require or conduct additional examination and testing at any time, without cause, of any IBIP product/device submitted to the Postal Service for approval or approved by the Postal Service for manufacture and distribution.

G. Vendor Infrastructure Testing

1. Testing of all reporting requirements, including Postal Service/customer licensing support, IBIP product/device status activity reporting, total IBIP product/device population inventory, irregularity reporting, lost and stolen reporting, financial transaction reporting, account reconciliation, digital certificate acquisition, product initialization, cryptographic key changes, rate table changes, print quality assurance, device authorization, device audit, product audit, and remote inspections must be achieved by vendors prior to any product/device approval for distribution.

2. Testing of these activities and functions includes computer based testing of all interfaces with the Postal Service including but not limited to the following:
  a. Product Manufacture and Life Cycle (including leased, unleased, new meter stock, installation, withdrawal, replacement, key management, lost, stolen, and irregularity reporting)
  b. Product Distribution and Initialization (including device authorization, product initialization, customer authorization, and product maintenance)
  c. Licensing (including license application, license update and license revocation)
  d. Finance (including lock box account management, individual product financial accounting, refunds, daily summary reports, daily transaction reporting, and monthly summary reports)
  e. Audits and Inspections

3. The vendor must complete an IBIP Product/Device--Vendor Infrastructure--Financial Institution--USPS Infrastructure (ALPHA) Test involving all entities in the proposed architecture; at a minimum this includes the proposed IBIP product/device, Vendor Infrastructure, financial institution and USPS Infrastructure systems and interfaces. ALPHA testing is intended to demonstrate the proposed IBIP product/devices' utility, functionality and compatibility with other systems, and may be conducted in a laboratory environment.

Vendor Infrastructure Testing--(ALPHA) Test Note: The Postal Service reserves the right to require or conduct additional examination and testing at any time, without cause, of any Vendor Infrastructure system supporting an IBIP product/device approved by the Postal Service for manufacture and distribution.

Initial Vendor Infrastructure testing and (ALPHA) testing schedules will be supported at the convenience of the Postal Service. In addition, as all IBIP products/devices will have to conform to the Product/Infrastructure specs, vendors are also strongly encouraged to initiate dialogue regarding systems specifications with the Postal Service at the earliest possible date.

H. Field Test (BETA) Approval (Limited Distribution)

1. The vendor will submit a proposed Field Test (BETA) Test Plan identifying test parameters, product/device quantities, geographic location, test participants, test duration, test milestones, and product recall plan (if needed). The purpose of the BETA test is to demonstrate the proposed IBIP product/devices' utility, functionality and compatibility with other systems in a real-world environment. The BETA test will employ available communications and interface with current operational systems to conduct all IBIP functions.
The Manager, Retail Systems & Equipment will determine acceptance of vendor proposed BETA Test Plans based on, but not limited to, assessed risk of product/device, product/device impact on Postal Service operations, and requirements for Postal Service resources.

2. The vendor has a duty to report security weaknesses to the Postal Service to ensure that each product/device model and every product/device in service protects the Postal Service against loss of revenue at all times. A grant of Field Test Approval (FTA) does not constitute an irrevocable determination that the Postal Service is satisfied with the revenue-protection capabilities of the product/device. After approval is granted to manufacture and distribute a product/device, no change affecting the basic features or safeguards of a product/device may be made except as authorized or ordered by the Postal Service in writing from the Manager, Retail Systems & Equipment.

I. Vendor/Product Approval (Full Distribution)

1. Upon receipt of the final certificate of evaluation from the national laboratory, and after obtaining positive results of internal testing of the product/device, successful completion of vendor infrastructure testing, ALPHA testing, and demonstration of limited distribution activities (BETA testing), the submitted product/device, vendor infrastructure and vendor/manufacturer qualification requirements will be administratively reviewed for final approval.

Note: Copies of Draft 39 Code of Federal Regulation Part 502 containing IBIP Vendor/Manufacturer qualification requirements are available by contacting Terry Goss at (202) 268-3757.

2. The Postal Service may require at any time, that models/versions of approved products/devices, and the design and use manuals and specifications applicable to such product/devices and any revisions thereof be deposited with the Postal Service.

It is emphasized that this proposed procedure is being published for comments and is subject to final definition.
Although exempt from the notice and comment requirements of the Administrative Procedure Act (5 U.S.C. 553b(c)) regarding proposed rulemaking by 39 U.S.C. 410(a), the Postal Service invites public comments on the proposed procedures.

Stanley F. Mires,
Chief Counsel, Legislative.

[FR Doc. 97-256 Filed 1-6-97; 8:45 am]
BILLING CODE 7710-12-P