New Mexico Administrative Code
Title 1 - GENERAL GOVERNMENT ADMINISTRATION
Chapter 12 - INFORMATION TECHNOLOGY
Part 7 - DIGITAL / ELECTRONIC SIGNATURE
Section 1.12.7.15 - ELECTRONIC FORM OF SIGNATURE
Universal Citation: 1 NM Admin Code 1.12.7.15
Current through Register Vol. 35, No. 18, September 24, 2024
A. Low risk transactions.
(1) For low risk transactions, any form of signature is acceptable. This includes clicking an on-screen button, checking an on-screen box, typing one's name, using a PIN number, or any other reasonable method, so long as it is clear to the signer that such act constitutes a signature, and is not being done for any other purpose.
(2) Evidence of intent to sign may be included either in the record being signed or in the on-screen signing process. Shorter or more cursory indicators of intent may be used as necessary to facilitate the signing experience, so long as it is reasonably clear to the signer that they are signing the record, not doing something else.
(3) Any method may be used to associate the signature to the records being signed. This can include establishing a process that could not be completed unless a person has signed; using a process that appends the signature date to the record signed; or establishing a database-type link between the signature date and the records signed.
(4) Any approach to identification and authentication of the signer is acceptable. This includes self-assertion of identity by the signer. Successful authentication at this level requires that the signer prove through a secure authentication protocol that they possess and control the token. However, this level does not require cryptographic methods that block offline attacks. Refer to NIST Special Publication 800-63-2 for additional information related to electronic authentication guidelines.
(5) The system or application must be reasonably trusted to invalidate signature upon modification of the record and provide a secure method to transfer and store the signed record.
B. Moderate risk transactions.
(1) For moderate risk transactions, any electronic form of signature is acceptable. This includes clicking an on-screen box, typing one's name, using a PIN number, or any other reasonable method, so long as it is clear to the signer that such act constitutes a signature, and is not being done for any other purpose.
(2) Evidence of intent to sign may be included either in the records being signed or in the on-screen signing process. Clear evidence of intent to sign must be unmistakably provided. Shorter or more cursory indicators of intent should be avoided in favor of clear evidence of intent to facilitate the signing experience, so that it is very clear to the signer that they are signing the record.
(3) Any reasonable method may be used to associate the signature data to the records signed, or establishing a database-type link between the signature data and the records signed. The signing data can then be either attached or appended to the records signed, or a database-type link can be established between the signature data and the record signed.
(4) A single factor remote network authentication is acceptable for medium level risk transactions. There are a wide range of available authentication technologies that can be employed. For example, memorized secret tokens, pre-registered knowledge tokens, look-up secret tokens, out of band tokens and single factor one-time password devices are acceptable. This level requires cryptographic techniques and successful authentication requires that the signer prove through a secure authentication protocol that they control the token. Refer to NIST Special Publication 800-63-2 for additional information related to electronic authentication guidelines.
(5) The system or application must be reasonably trusted to invalidate signature upon modification of the record and provide a secure method to transfer and store the signed record.
C. High risk transactions.
(1) For high risk transactions, the only acceptable electronic form of signature is a cryptographically based digital signature created with a private cryptographic key that corresponds to the public key specified in a digital credential list.
(2) Evidence of intent to sign must be included both in the record being signed and in the on-screen signing process. Such evidence of intent to sign must be clearly provided in both places and make it unmistakable to the signer that they are signing the record and the reason that they are signing.
(3) A cryptographic signing process whereby a hash of the content of the record being signed is incorporated into the signature data must be used so there is an intrinsic relationship between the signature data and the record signed. The signing data can then be either attached or appended to the record signed, or a database-type link can be established between the signature data and the record signed.
(4) The signer must be identified and authenticated by reference to a digital certificate that provides at least two authentication factors or is based on proof of possession of a key through a cryptographic protocol.
(5) The system or application must be digitally signed using the identification and authentication specified in 1.12.7.15(4) NMAC that will invalidate signature upon modification of the record and provide a secure method to transfer and store the signed record.