The top questions to ask your government eSignature provider in the digital world

In the last few years, eSignatures, among other digitized solutions, slowly slipped into everyday processes. They are present when onboarding, renting an apartment, drafting a contract– you name it. That being said, eSignatures have never been common at the government level.

Up until recently, the government didn’t operate the same way banks or hospitals do. In fact, they have been a little slower than commercial entities to adopt new technologies; however, budget pressure is changing that.

When you think about any type of government process – storing important records, rural development, food services, public services, etc. – they all, at one point or another, used to require paper documents and some form of handwritten signatures. The adoption of digitized workflows accelerated when in-person work halted due to the COVID-19 pandemic.

During this time, most traditional, paper-based signing processes were replaced with modernized eSignatures. Today, the government goes as far as turning to digital identity verification (ID) and remote online notarization (RON) to optimize higher-risk digital processes in the context of remote operations.

For example, in March 2020, the Michigan Department of Technology, Management, and Budget’s (DTMB) Records Management Services deployed OneSpan Sign’s eSignature solution as an interdepartmental shared service to route documents for signature. To date, over 1,000 users have been trained to use OneSpan Sign, with roughly 90 percent of basic use cases taking less than 30 minutes of training.

With this shift to digitized processes and increased use of eSignatures between agencies, security, and compliance must be top of mind. The government is set apart from other industries– their processes have a lot more oversight from numerous regulatory bodies. Government agencies also deal with the most sensitive and significant types of transactions, so it’s important that they remain secure throughout their entire lifecycle.

To find the best eSignature solution in regard to security and identity assurance capabilities, here are the top questions government organizations should ask potential vendors.

Top questions to ask your government eSignature provider

Are you FedRAMP certified?

The first requirement any government agency should look for in an eSignature vendor is whether or not they are FedRAMP certified. FedRAMP basically tells you that if the vendor has this certification, they have addressed their broad-stroke security concerns. In short, they have, at the most basic level, a competent security framework approved on a standardized baseline.

eSignature vendors who operate at this level are obliged to procure solutions that are up to the FedRAMP standard. In order to become certified, the FedRAMP program requires vendors to comply with extensive security requirements that cover many diverse areas of information security, including access control, authentication, cryptography, physical security, and many more.

Vendors have to undergo a security assessment by designated third-party organizations initially upon certification and again afterward on a regular basis to maintain compliance.

Do you support CAC/PIV?

Personal Identity Verification (PIV) credential cards are used government-wide. They’re utilized to access both Federally Controlled Facilities and information systems at the applicable security level. Additionally, Common Access Cards (CAC) are a specific subset of PIV cards used by the U.S. Department of Defense. It would only make sense that government agencies should seek an eSignature vendor that supports CACs/PIVs and other software/hardware authenticators, as they are used often in this line of work.

That said, if a vendor does not support these forms of authentication, it may disrupt government organizations’ workflows, making the process more difficult. Since eSignatures are at the heart of most business transactions, government agencies should be most concerned with how each vendor accommodates the user experience. If the vendor does support these methods, you must also consider whether the implementation is secure.

Do you integrate with SharePoint, Salesforce, and other systems we use?

Most government agencies are not focused heavily on the eSignature tool’s specific functionality, though they want to make sure the tool works in their technology stack. An eSignature vendor’s solution should be compatible with productivity tools that the organization is already using to streamline its workflow.

Seamless integrations of eSignature solutions with applications such as Salesforce and SharePoint are essential because they help to create an optimal, and intuitive user experience.

The integrations ensure signing happens smoothly, with minimum impact on the user flow or experience.

Is it secure?

When it comes to security, government organizations need to look at the broad-stroke security measures of a solution– it’s not enough to be FedRAMP certified. The goal here is to find vendors that provide easy methods that are also secure. For example, intelligent adaptive authentication is a type of security that only adds pressure or friction when it detects it is needed in real-time. This type of security helps to preserve an optimal user experience.

There are two main indicators government agencies should be on the lookout for when choosing a secure eSignature solution: (1) control at the front end and (2) control at the back end. Control at the front end refers to authentication – this ensures only the genuine application or end-user can initiate signing requests. Control at the back end pertains to storing evidence, i.e. encrypting all data exchanged with the application. This guarantees documents cannot be tampered with, and adversaries cannot eavesdrop on sensitive content.

If an eSignature solution has these capabilities, government agencies can take it a step further by looking into other features. These features include, but are not limited to:

• Flexibility: Often, organizations will deploy an eSignature tool to one department but will eventually expand their use across the organization.
• Custom branding: Does the eSignature solution enable your organization to maintain its brand throughout the eSignature process?
• Ease of use: Is the eSignature solution simple to use for all users? Is it accessible?
• Automation and process efficiency: Does the eSignature solution integrate with your organization’s upstream and downstream systems to enable straight-through processing? Are you able to enforce business rules throughout the signing workflow? Is the solution robust enough to allow for optional processing steps such as flexible data capture, document insertion, and multiple signature options?
• Identity assurance: Does the eSignature solution offer various authentication methods to validate known and unknown end-users?
• End-to-end audit trail: Does your eSignature solution make it easy to access details about the transaction to prove compliance?
• Document integrity: Does it create a digital signature for each eSignature?

Conclusion

Looking ahead, as many government organizations and constituents are becoming more accustomed to digital interactions, choosing a vendor that secures the entire agreement process, from identity verification and authentication to signature, is of the utmost importance. These eSignature solutions must have a strong foundation of security and identity assurance capabilities to operate at this level.

When the right eSignature solution is implemented – one that is secure, compliant, and FedRAMP certified – government organizations can secure and automate the workflows that matter most to their agency, ultimately creating better interactions between government and citizens.

This article by Sameer Hajarnis was first published on Solutions Review on November 29, 2023.