New Mexico Administrative Code
Title 1 - GENERAL GOVERNMENT ADMINISTRATION
Chapter 12 - INFORMATION TECHNOLOGY
Part 7 - DIGITAL / ELECTRONIC SIGNATURE
Section 1.12.7.15 - ELECTRONIC FORM OF SIGNATURE

(1) For low risk transactions, any form of signature is acceptable. This includes clicking an on screen button, checking an on-screen box, typing ones name, using a PIN number, or any other reasonable method, so long as it is clear to the signer that such act constitutes a signature, and is not being done for any other purpose.

(2) Evidence of intent to sign may be included either in the record being signed or in the on screen signing process. Shorter or more cursory indicators of intent may be used as necessary to facilitate the signing experience, so long as it is reasonably clear to the signer that they are signing the record, not doing something else.

(3) Any method may be used to associate the signature to the records being signed. This can include establishing a process that could not be completed unless a person has signed; using a process that appends the signature date to the record signed; or establishing a database-type link between the signature date and the records signed.

(4) Any approach to identification and authentication of the signer is acceptable. This includes self-assertion of identity by the signer. Successful authentication at this level requires that the signer prove through a secure authentication protocol that they possess and control the token. However, this level does not require cryptographic methods that block offline attacks. Refer to NIST Special Publication 800-63-2 for additional information related to electronic authentication guidelines.

(5)The system or application must be reasonably trusted to invalidate signature upon modification of the record and provide a secure method to transfer and store the signed record.

(1) For moderate risk transactions, any electronic form of signature is acceptable. This includes clicking an on-screen box, typing ones name, using a PIN number, or any other reasonable method, so long as it is clear to the signer that such act constitutes a signature, and is not being done for any other purpose.

(2) Evidence of intent to sign may be included either in the records being signed or in the on-screen signing process. Clear evidence of intent to sign must be unmistakably provided. Shorter or more cursory indicators of intent should be avoided in favor of clear evidence of intent to facilitate the signing experience, so that it is very clear to the signer that they are signing the record.

(3) Any reasonable method may be used to associate the signature data to the records signed, or establishing a database-type link between the signature data and the records signed. The signing data can then be either attached or appended to the records signed, or a database-type link can be established between the signature data and the record signed.

(4) A single factor remote network authentication is acceptable for medium level risk transactions. There are a wide range of available authentication technologies that can be employed. For example, memorized secret tokens, pre-registered knowledge tokens, look-up secret tokens, out of band tokens and single factor onetime password devises are acceptable. This level requires cryptographic techniques and successful authentication requires that the signer prove through a secure authentication protocol that they control the token. Refer to NIST Special Publication 800-63-2 for additional information related to electronic authentication guidelines.

(5) The system or application must be reasonably trusted to invalidate signature upon modification of the record and provide a secure method to transfer and store the signed record.

(1) For high risk transactions, the only acceptable electronic form of signature is a cryptographically based digital signature created with a private cryptographic key that corresponds to the public key specified in a digital credential list.

(2) Evidence of intent to sign must be included both in the record being signed and in the on-screen signing process. Such evidence of intent to sign must be clearly provided in both places and make it unmistakable to the signer that they are signing the record and the reason that they are signing.

(3) A cryptographic signing process whereby a hash of the content of the record being signed is incorporated into the signature data must be used so there is an intrinsic relationship between the signature data and the record signed. The signing data can then be either attached or appended to the record signed, or a database-type link can be established between the signature data and the record signed.

(4) The signer must be identified and authenticated by reference to a digital certificate that provides at least two authentication factors or is based on proof of possession of a key through a cryptographic protocol.

(5) The system or application must be digitally signed using the identification and authentication specified in 1.12.7.15(4) NMAC that will invalidate signature upon modification of the record and provide a secure method to transfer and store the signed record.