DAOD 6002-8, Electronic Authentication and Authorization
Date of Issue: 2013-08-15
Application: This DAOD is a directive that applies to employees of the Department of National Defence (DND employees) and an order that applies to officers and non-commissioned members of the Canadian Armed Forces (CAF members).
Approval Authority:
- Assistant Deputy Minister (Finance and Corporate Services) (ADM(Fin CS))
- Assistant Deputy Minister (Information Management) (ADM(IM)) / Chief Information Officer (CIO)
Enquiries:
- Director Financial Policy (DFP) for the interpretation of policy requirements for financial transactions using electronic authentication and authorization (EAA); and
- Director Defence Information Management Planning (DDIMP) for EAA system requirements.
Definitions
audit trail (piste de vérification)
Refers to all the elements and evidence involved in tracking a complete process including authentication or authorization. Elements and evidence include delegation of authority matrices, user profiles and any data and files required to reconstruct the sequence of events and transactions processed. (Directive on Electronic Authentication and Authorization of Financial Transactions, Treasury Board)
electronic authentication (authentification électronique)
Is the process by which an individual (a person, an organization or device) is verified as a unique and legitimate user. (Directive on Electronic Authentication and Authorization of Financial Transactions, Treasury Board)
electronic authorization (autorisation électronique)
Is the process by which an authenticated user is granted the capability to render electronic approvals and discharge those authorities in electronic financial transactions. (Directive on Electronic Authentication and Authorization of Financial Transactions, Treasury Board)
electronic signature (signature électronique)
Means a signature that consists of one or more letters, characters, numbers or other symbols in digital form incorporated in, attached to or associated with an electronic document. (Subsection 31(1) of the Personal Information Protection and Electronic Documents Act)
financial transaction (opération financière)
Is any event, request, action or commitment that has a monetary implication such as the acquisition, disposition or use of assets or resources; the increase or reduction in a liability; or the receipt, payment and disbursement of funds. (Directive on Electronic Authentication and Authorization of Financial Transactions, Treasury Board)
identity management (gestion de l'identité)
The set of principles, practices, policies, processes and procedures used to realize an organization's mandate and its objectives related to identity. (Directive on Identity Management, Treasury Board)
integrity of electronic financial transactions (intégrité des opérations financières électroniques)
Means transactions that are appropriately safeguarded against unauthorized access, authority or disclosure, destruction, removal, modification, repudiation, incompleteness and inaccuracy. (Directive on Electronic Authentication and Authorization of Financial Transactions, Treasury Board)
secure electronic signature (signature électronique sécurisée)
Means an electronic signature that results from the application of a technology or process prescribed by regulations made under subsection 48(1) of the Personal Information Protection and Electronic Documents Act. (Subsection 31(1) of the Personal Information Protection and Electronic Documents Act)
user authentication information (information d'authentification de l'utilisateur)
Includes information to support electronic authentication of a user such as passwords, identifiers, biometrics, shared secrets, usage patterns, etc. (Directive on Electronic Authentication and Authorization of Financial Transactions, Treasury Board)
Overview
3.1 With the continuing advancement of technology and the importance of making operations as effective and efficient as possible, the need to determine the identity of individuals, systems and institutions is crucial in establishing trust in electronic interactions within government and with external partners and allies. EAA is the electronic process that:
- affixes proof of authorization to financial and non-financial transactions;
- contributes to the protection of data integrity; and
- ensures that the authorizer can be identified.
3.2 The validity of EAA is based on sound identity management practices that are aligned with the Treasury Board Directive on Identity Management.
3.3 Part 2 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Secure Electronic Signature Regulations (SESR) provide legal authority for the definition, use and application of electronic signatures (ESs) and secure electronic signatures (SESs) as acceptable alternatives to handwritten signatures within the Government of Canada (GC).
3.4 Treasury Board has established direction on EAA in the Directive on Electronic Authentication and Authorization of Financial Transactions.
3.5 In compliance with the Treasury Board Policy on Financial Management Governance, ADM(Fin CS) has been appointed by the Deputy Minister as the Chief Financial Officer (CFO) for the DND and the CAF.
3.6 Application of EAA for the purpose of financial transactions is subject to ADM(Fin CS) directives, standards and guidance.
3.7 This DAOD is part of the DND and CF IM and IT Policy Framework and should be read in conjunction with other relevant ADM(IM) policies, instructions, directives, standards and guidance.
3.8 The objectives of this DAOD are to:
- ensure DND and CAF EAA practices conform with applicable GC requirements;
- establish the common business functions to which ESs and SESs may be applied; and
- ensure the integrity of electronic financial transactions.
3.9 The expected results of this DAOD are the:
- mitigation of risks associated with the implementation of EAA;
- improved efficiencies in the processing of financial transactions using EAA in support of federal environmental sustainability efforts; and
- increased implementation of EAA in DND and CAF business and operational processes.
Operating Principles
Information Resources of Business Value
4.1 All electronic transactions that require EAA, either by ES or SES, are considered information resources of business value, and are therefore subject to DAOD 6001-0, Information Management, and applicable recordkeeping standards and guidance.
4.2 An ES that is not an SES, e.g. an ES used on an email sent on the defence intranet or any networked device, may be used in accordance with the direction of DND and CAF system operational authorities if the enhanced level of assurance provided by SES is not required.
4.3 Subject to the delegated authority of the individual signing the email or otherwise authorizing a request, possible ES uses include:
- financial system adjustments in the Defence Resource Management Information System (DRMIS);
- expenditure initiation amount changes to electronic procurement requests when a total is higher than the estimate in the original electronic procurement request;
- proof of expenditure initiation, e.g. for certain acquisition card transactions or local purchase orders;
- commitment and decommitment requests in accordance with Financial Administration Manual (FAM), Chapter 1016-2, Expenditure Planning and Initiation – FAA Section 32;
- budget transfers; and
- leave, travel and operational expenditures within the area of responsibility of the individual.
4.4 An SES must meet the requirements set out in the PIPEDA and SESR. An SES is:
- considered equivalent to a handwritten signature for any authorization related to requirements under the provision of a federal law;
- admissible in evidence; and
- recognizable and can be accepted by third parties outside of the DND and the CAF.
Electronic Financial Transactions
4.5 DND employees and CAF members who complete financial transactions using EAA, or use electronic financial systems making use of EAA, must comply with:
- sections 76 to 81 of the Financial Administration Act (FAA);
- the Treasury Board Directive on Losses of Money or Property; and
- applicable financial policies issued by the ADM(Fin CS).
Other EAA Uses
4.6 A level one (L1) advisor establishing the use of EAA for a non-financial business function in their assigned functional area or for CAF operations:
- must respect the assigned functional areas of other L1 advisors; and
- should seek legal advice before applying any ES or SES for that use.
Consequences of Non-Compliance
5.1 Non-compliance with this DAOD may have consequences for both the DND and the CAF as institutions, and for DND employees and CAF members as individuals. Suspected non-compliance will be investigated. The nature and severity of the consequences resulting from actual non-compliance will be commensurate with the circumstances of the non-compliance. Consequences of non-compliance may include one or more of the following:
- the ordering of the completion of appropriate learning, training or professional development;
- the entering of observations in individual performance evaluations;
- increased reporting and performance monitoring;
- the withdrawal of any authority provided under this DAOD to a DND employee or CAF member;
- the reporting of suspected offences to responsible law enforcement agencies;
- the liability of Her Majesty in right of Canada;
- the application of specific consequences as set out in applicable laws, codes of conduct, and DND and CAF policies and instructions; and
- other administrative or disciplinary action or both.
Note – In respect of the compliance of DND employees, see the Treasury Board Framework for the Management of Compliance for additional information.
5.2 Wilful failure by a DND employee or CAF member to comply with the FAA may result in charges being laid under that Act or sections 121, 122, 322 and 380 of the Criminal Code.
5.3 A loss of public money or property resulting from the misuse of an EAA by a person may result in the person being liable to pay for the loss.
5.4 Failure by a DND or CAF organization to comply with this DAOD may result in limitations or removal of the organization's authorization to manage public money or property.
Responsibilities
6.1 The following table identifies the responsibilities associated with this DAOD:
| The … | is or are responsible for … |
| DFP and DGIMTSP | |
| DND employees and CAF members | |
References
Acts, Regulations, Central Agency Policies and Policy DAOD
- Access to Information Act
- Criminal Code
- Financial Administration Act
- Library and Archives of Canada Act
- Personal Information Protection and Electronic Documents Act
- Electronic Alternatives Regulations for the Purposes of the Federal Real Property and Federal Immovables Act
- Secure Electronic Signature Regulations
- Policy on Evaluation, Treasury Board
- Policy on Financial Management Governance, Treasury Board
- Policy on Government Security, Treasury Board
- Policy on Information Management, Treasury Board
- Policy on Internal Audit, Treasury Board
- Policy on Internal Control, Treasury Board
- Policy on Management of Information Technology, Treasury Board
- Policy on the Duty to Accommodate Persons with Disabilities in the Federal Public Service, Treasury Board
- Directive on Electronic Authentication and Authorization of Financial Transactions, Treasury Board
- Directive on Identity Management, Treasury Board
- Directive on Losses of Money or Property, Treasury Board
- Secure Electronic Signatures and Recognized Certification Authorities, Treasury Board
- Values and Ethics Code for the Public Service, Treasury Board
- DAOD 6002-0, Information Technology
Other References
- DAOD 5005-2, Delegation of Authorities for Civilian Human Resources Management
- DAOD 6000-0, Information Management and Information Technology
- DAOD 6001-0, Information Management
- DAOD 6002-2, Acceptable Use of the Internet, Defence Intranet, Computers and Other Information Systems
- DAOD 6003-0, Information Technology Security
- FAM Chapter 1016-2, Expenditure Planning and Initiation – FAA Section 32