REPUBLIC OF THE PHILIPPINES
DEPARTMENT OF INFORMATION AND COMMUNICATIONS TECHNOLOGY
C.P. Garcia Avenue, Diliman, Quezon City 1103, Philippines | +632 8920-0101 | www.dict.gov.ph

DEPARTMENT ORDER No. 2 34 (stamp partly illegible), APR 2024

SUBJECT: GUIDELINES ON THE USE OF THE PHILIPPINE NATIONAL PUBLIC KEY INFRASTRUCTURE (PNPKI) DIGITAL SIGNATURES IN THE DEPARTMENT OF INFORMATION AND COMMUNICATIONS TECHNOLOGY

In the exigency of the service and pursuant to the provisions of Republic Act (RA) No. 8792, or the "Electronic Commerce Act of 2000", Executive Order (EO) No. 810, s. 2009,[1] RA No. 11032 or the "Ease of Doing Business and Efficient Government Service Delivery Act of 2018", Commission on Audit (COA) Circular No. 2021-006,[2] and Government Procurement Policy Board (GPPB) Resolution No. 16-2019,[3] this Order is issued to establish the guidelines on the use of the Philippine National Public Key Infrastructure (PNPKI) digital signatures on all official and internal documents, transactions, communications, and processes in the Department of Information and Communications Technology (DICT).

I. SCOPE AND APPLICATION

This policy applies to all internal electronic documents, automated documentation systems and/or processes, and other Departmental transactions such as, but not limited to, memoranda, correspondence, Department Circulars or Orders, Special/Office Orders, bidding and procurement documents, administrative, legal and finance actions, and other management information system processes. Internal system owners must adopt the requirements of this policy in any major upgrade or modernization of their systems, such as, but not limited to, the Program Management Information System and the Human Resource Management Information System.

All DICT officials and employees required and authorized to sign any official document (i.e., documents, forms, correspondence, and/or e-mails) for electronic government transactions pursuant to RA No. 11032, COA Circular No. 2021-006 or GPPB Resolution No. 16-2019 shall be governed by these guidelines.

II. DEFINITION OF TERMS

As used in this Order, the following terms shall be defined as follows:

1. Certificate Revocation List – refers to the list, published by the certificate authority, of digital certificates that have been revoked before the end of their validity period (for example, because the corresponding private key was compromised). A certificate on the list must be treated as invalid even though it has not yet expired; an expired certificate is invalid by virtue of its validity period whether or not it appears on the list.

2. Digital Certificate – a certificate issued by the DICT-PNPKI that binds the subscriber's identity to his/her public key, containing the user's personal information just like an ordinary ID, only in this case it is digital. It is delivered to the subscriber as a .p12 (PKCS #12) file, which bundles the certificate with its private key under a passphrase. It is used to encrypt, authenticate, or digitally sign e-mail and documents.

3. Digital Signature – refers to a secure type of electronic signature consisting of a transformation of an electronic document or an electronic data message using an asymmetric or public cryptosystem such that a person having the initial untransformed electronic document and the signer's public key can accurately determine:[4]
   a. Whether the transformation was created using the private key that corresponds to the signer's public key; and
   b. Whether the initial electronic document had been altered after the transformation was made.

4. Electronic Document – refers to information or the representation of information, data, figures, symbols, or other modes of written expression, described or however represented, by which a right is established or an obligation extinguished, or by which a fact may be proved and affirmed, which is received, recorded, transmitted, stored, processed, retrieved, or produced electronically.[5]

5. Electronic Signature – refers to any distinctive mark, characteristic, and/or sound in electronic form, representing the identity of a person and attached to or logically associated with the electronic data message or electronic document, or any methodology or procedure employed or adopted by a person and executed or adopted by such person with the intention of authenticating or approving an electronic data message or electronic document.[6] For purposes of this Order, an electronic signature is an electronic indication of a person's intent to agree to the content of a document or a set of data to which the signature relates. Like its handwritten counterpart in the offline world, an electronic signature is a legal concept capturing the signatory's intent to be bound by the terms of the signed document.[7]

6. Key Pair – refers to the two mathematically related keys, the public key and the private key. Data encrypted with the public key can be decrypted only with the corresponding private key; conversely, a signature created with the private key can be verified only with the corresponding public key. Public and private keys are paired for secure communication, such as e-mail.

7. Private Key – the secret half of the key pair, generated during asymmetric key generation and held only by the subscriber. It is used to decrypt messages encrypted with the matching public key, transforming them back into readable form, and to create digital signatures. A private key is also known as a secret key.

8. Public Key – the half of the key pair that may be disclosed. It is used to encrypt data for the key holder and to verify the key holder's digital signatures. The Certificate Authority binds it to the subscriber's identity in the digital certificate, and it is made available to everyone through a directory or by e-mail.

9. Public Key Infrastructure (PKI) – an infrastructure that secures communications among individuals and government entities. In this way, the government's delivery of services to citizens and businesses becomes safer, faster, and more efficient.

III. ROLES AND RESPONSIBILITIES

A. The Digital Certificate Division (DCD), under the Cybersecurity Bureau, shall be the lead unit to roll out, implement and facilitate the application, processing, and issuance of DICT's PNPKI digital certificates, in coordination with all designated PNPKI Registration Authority Officers (RAOs) and Registration Authority Assistants (RAAs) in the DICT Regional Offices. It shall:
   a. Develop and implement security measures, policies, and practices for the protection of digital certificates;
   b. Keep the Certificate Revocation List updated, and inform COA Auditors of the revocation, or expiration without renewal, of digital certificates; and
   c. Implement a security awareness program to train DICT officers and employees on the acceptable use of digital signatures on electronic documents.

B. Designated PNPKI RAOs, with the assistance of the RAAs in the DICT Regional Offices and in coordination with the DCD, shall process the application, approval, issuance, renewal, and revocation of digital signatures and certificates of personnel within their respective areas of responsibility.

C. The Chief of the DCD, under the supervision of the Director of the Cybersecurity Bureau, has overall responsibility for administering the implementation of the PNPKI security measures, policies, and practices, and shall be the focal person for all matters pertaining to digital signing implementation.

D. The designated PNPKI System Administrators are authorized to install, configure, maintain and update trustworthy systems, but with controlled access to security-related information.

E. The designated PNPKI RAOs are responsible for approving end-user/subscriber certificate generation, revocation, and renewal. The designated PNPKI RAAs shall provide support to the RAO in the assessment, documentation, and consolidation of received applications. The prescribed prerequisites and qualifications for designated PNPKI RAOs and RAAs are as follows:
   i. Employment under the purview of DICT, except that the RAO is required to hold a permanent position;
   ii. Successful completion of the PNPKI RA Training program and attainment of the corresponding certification; and
   iii. Passing the requisite psychometric examination.
   The designation of eligible PNPKI RAOs and RAAs shall be formalized through an office order issued by the overseeing Senior Executive Official.

F. The DICT Internal System Owners, namely the Bureau, Service, Regional, or Project Directors, shall evaluate their paper-based processes to identify those which are good business cases for migrating to digital processes, and shall issue office orders or formulate guidelines for the implementation of the migration, which shall be in line with the DICT's digital signature policy, procedures, and associated guidelines.

G. The DICT Records Custodians or designated staff of each Bureau, Service, Regional Office, or Project Management Team shall store and archive digitally signed documents emanating from their respective offices and, if necessary, print physical copies thereof, pursuant to the provisions of this Department Order.

IV. GUIDELINES FOR USING PNPKI DIGITAL CERTIFICATES AND DIGITAL SIGNATURES

1. Scope of Authority – DICT officials and employees are authorized to use their respective PNPKI digital certificates on official documents within their scope of responsibility and authority. Each shall be responsible for the custody and proper use thereof in a safe and secure manner.

2. Validity of Digitally Signed Documents – Holders of PNPKI certificates may affix their respective PNPKI digital signatures, in lieu of wet signatures, on the following documents:
   a. Internally issued office documents;
   b. Department Circulars or Orders;
   c. Special Office Orders;
   d. Financial documents;
   e. Administrative actions;
   f. Documents generated by the Internal Management Information Systems of the Department;
   g. Correspondence with DICT offices, including between and among the Central and Regional Offices;
   h. Electronic documents intended for external use;
   i. Procurement-related documents defined in GPPB Resolution No. 16-2019; and
   j. Government permits and licenses, provided that there is compliance with the requirements set forth in the Electronic Commerce Act of 2000.

3. Final Version of Digitally Signed Documents – Digitally signed documents shall be considered the final version once they are released or transmitted to their intended recipients. Digitally signed documents shall be transmitted through e-mail so that there is a trace.

4. Storage, Integrity, and Authenticity – Digitally signed documents shall be stored in a secured file format, such as Portable Document Format (PDF). Additionally, to ensure the integrity and authenticity of the contents, digitally signed documents must have the following attributes:
   a. All digital signatures must show as "valid", both with respect to the signer's identity and the PNPKI digital certificate used. This is checked by opening the document's signature panel in the viewing application (e.g., Adobe Reader, Foxit). A "valid" result means that the signed content has not been altered since signing and that the signing certificate chains to the PNPKI and was not revoked.
   b. All digital signatures must carry at least a label such as, but not limited to, "Digitally signed by: <common name of signatory>" or a similar label signifying that it is a digital signature.

5. Mixed Signing of Documents – Where mixed signing occurs in a single document, the signer is responsible for ensuring the authenticity of the document before he/she signs it in digital or wet form. Mixed signing occurs when a document was either:
   a. Initially wet-signed, thereafter scanned/photographed, and later digitally signed; or
   b. Digitally signed, thereafter printed out, and later wet-signed.

6. Printouts of Digitally Signed Documents – Physical printouts of digitally signed documents shall show markings or proof that the original copy of the document is digitally signed. To achieve this, a marking shall be attached to the back of each page of the printed document containing the statement "The original document exists in digital format and has been digitally signed." or equivalent wording that serves the same purpose. If feasible, a QR code that directs to the original digital copy may be included as a marking.

7. Security Measures – The subscriber of a PNPKI digital certificate shall be responsible for keeping the security and integrity of the duly issued .p12 file by keeping the file under his/her sole control and storing its passphrase in a safe location. The passphrase is what protects the private key inside the file; anyone who obtains both the file and the passphrase can sign in the subscriber's name.

8. Misuse or Abuse of Digital Signatures – Misuse or abuse of digital signatures, including but not limited to signing on behalf of another person, falsifying signatures, or using digital signatures on unauthorized documents, will be subject to the necessary administrative sanctions in accordance with applicable laws, rules, and regulations.

9. Renewal of Expired Digital Certificate – The subscriber will be notified via e-mail at least one month before the expiration of his/her digital certificate. The subscriber must then submit to the concerned (Regional or Central) PNPKI team an e-mail request for renewal, along with an updated application form, pursuant to Department Order No. 053, series of 2020.

10. Revocation of Digital Certificate – The subscriber must submit a duly accomplished revocation form to the respective (Regional or Central) PNPKI Team in the following instances:
   a. If the digital certificate is compromised (e.g., forgotten passphrase, lost certificate file);
   b. In case of a breach or security compromise of the device that stores the digital certificate; or
   c. If the subscriber is leaving as DICT personnel (whether plantilla, contractual, or job order) due to resignation, retirement, or service termination.
   Should the subscriber fail to submit the revocation form on the last day of his/her service as DICT personnel, the DICT Human Resource Management Division (HRMD) or its Regional counterpart, as the case may be, shall file the request for revocation on behalf of the subscriber.

11. Suspension/Blacklisting of Digital Certificates – The PNPKI shall suspend subscriber accounts and/or blacklist or revoke issued digital certificates should any of the following occur:
   a. The PNPKI obtains evidence that the certificate was misused or abused;
   b. The PNPKI confirms a material change in the information contained in the certificate;
   c. The PNPKI determines or confirms that any information appearing in the certificate is inaccurate;
   d. The PNPKI confirms that there is clear evidence that the specific method used to generate the private key was flawed; or
   e. The PNPKI confirms that the subscriber did not adhere to the "Subscriber Obligations" stated in the Subscriber's Agreement.

V. ISSUANCE OF MANAGEMENT REPRESENTATION / POLICY STATEMENT

In line with Item IV(B)(4) of COA Circular No. 2021-006, the DICT, through the Office of the Undersecretary for Support Services, shall inform the COA Auditor of these internal rules through the submission of a Management Representation/Policy Statement on the use of signatures on electronic documents in its operations.

VI. MISCELLANEOUS PROVISIONS

1. Repealing Clause – All other orders, departmental issuances, or parts thereof that are inconsistent with this policy are hereby amended, modified, repealed or superseded accordingly.

2. Effectivity – This policy shall take effect immediately upon its posting on the DICT's bulletin boards and other official internal communication mechanisms.

All DICT Offices and attached agencies (i.e., the National Telecommunications Commission, National Privacy Commission, and Cybercrime Investigation and Coordination Center) are hereby directed to adopt this Order to ensure standard and automated document signing and intact electronic records. All other departmental issuances inconsistent herewith are hereby revoked, superseded, amended, and/or modified accordingly. This Order takes effect immediately and shall remain in force until further orders.

Notes

[1] Executive Order No. 810, s. 2009, Institutionalizing the Certification Scheme for Digital Signatures and Directing the Application of Digital Signatures in E-Government Services.
[2] COA Circular No. 2021-006, Guidelines on the Use of Electronic Documents, Electronic Signatures, and Digital Signatures in Government Transactions.
[3] GPPB Resolution No. 16-2019, Approval of the Use of Digital Signature in Procurement Related Documents.
[4] Rule 2, § 1(e), Rules on Electronic Evidence, A.M. No. 01-7-01-SC, July 17, 2001.
[5] Section 5(f), RA 8792, Electronic Commerce Act of 2000.
[6] Section 5(e), Id.
[7] European Commission, What is an electronic signature? Available at https://ec.europa.eu/digital-building-blocks/wikis/display/DIGITAL/What+is+eSignature.
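The following is an added illustration and is not part of the Department Order or of any DICT-PNPKI software. It walks through the two properties in the Order's definition of a digital signature (Section II, item 3) and the passphrase-protected .p12 file that Section IV, item 7 asks the subscriber to guard, using the OpenSSL command-line tool, which is assumed to be installed. A self-signed certificate stands in for a PNPKI-issued one, and the memo text, signer names and passphrases are constructed for the example.

```shell
#!/bin/sh
# Added illustration, not part of the Department Order: the sign/verify
# round trip behind Section II's definition of a digital signature, and the
# passphrase-protected .p12 file that Section IV item 7 asks the subscriber
# to guard. Assumes the openssl CLI is installed. A self-signed certificate
# stands in for a PNPKI-issued one; memo text and passphrases are constructed.
set -eu

# Generate a signer's key pair, a certificate naming the signer, and a .p12
# (PKCS #12) bundle of certificate plus private key locked with a passphrase.
# Args: output file prefix, common name, passphrase.
make_signer_identity() {
  prefix=$1 cn=$2 pass=$3
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/C=PH/O=DICT/CN=$cn" \
    -keyout "$prefix.key.pem" -out "$prefix.cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$prefix.key.pem" -in "$prefix.cert.pem" \
    -out "$prefix.p12" -passout "pass:$pass"
}

# The "transformation": hash the document with SHA-256 and sign the digest
# with the private key. Args: private key, document, signature output file.
sign_document() {
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Verification needs only the certificate (public key), the document as
# received, and the signature. Exit 0 when the signature was made with the
# private key matching this certificate over exactly this content, else 1.
# Args: certificate, document, signature file.
verify_document() {
  cert=$1 doc=$2 sig=$3
  openssl x509 -in "$cert" -pubkey -noout > "$cert.pub.pem"
  openssl dgst -sha256 -verify "$cert.pub.pem" -signature "$sig" "$doc" \
    >/dev/null 2>&1
}

# Open a .p12 and extract the certificate. Fails (exit 1) on a wrong
# passphrase: without it the private key inside the file cannot be used,
# which is exactly what the subscriber's passphrase protects.
# Args: .p12 file, passphrase, output certificate file.
extract_cert_from_p12() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" -out "$3" \
    2>/dev/null
}

# Walk through the two properties in the definition, in a scratch directory.
demo() {
  work=$(mktemp -d)
  (
    cd "$work"
    make_signer_identity alice "Alice Signer" "alice-pass"   # constructed identity
    make_signer_identity bob   "Bob Signer"   "bob-pass"     # second, unrelated key pair

    printf 'Memorandum: approved amount PHP 1,000,000\n' > memo.txt  # constructed text
    sign_document alice.key.pem memo.txt memo.sig

    verify_document alice.cert.pem memo.txt memo.sig \
      && echo "unaltered memo, Alice's certificate: Verified OK"

    # (b) altering one digit after signing breaks verification
    printf 'Memorandum: approved amount PHP 9,000,000\n' > tampered.txt
    verify_document alice.cert.pem tampered.txt memo.sig \
      || echo "altered memo: Verification Failure"

    # (a) a different signer's certificate does not verify Alice's signature
    verify_document bob.cert.pem memo.txt memo.sig \
      || echo "Bob's certificate: Verification Failure"

    # the .p12 opens only with its passphrase
    extract_cert_from_p12 alice.p12 alice-pass alice.extracted.pem \
      && echo ".p12 opened with correct passphrase"
    extract_cert_from_p12 alice.p12 wrong-pass alice.fail.pem \
      || echo ".p12 refused wrong passphrase"
  )
  rm -rf "$work"
}

demo
```

This checks only the two properties named in the definition: that the signature was produced by the private key matching the certificate, and that the content is byte-for-byte what was signed. The "valid" status required by Section IV, item 4 additionally depends on the certificate itself chaining to the PNPKI and not appearing on the Certificate Revocation List; with OpenSSL that is a separate step (`openssl verify -crl_check -CAfile <pnpki-chain> -CRLfile <crl>` against the signer's certificate), which a PDF viewer's signature panel performs for you when it reports the signer's identity as valid.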