[Federal Register Volume 64, Number 158 (Tuesday, August 17, 1999)]
[Notices]
[Pages 44760-44766]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 99-21242]
=======================================================================
-----------------------------------------------------------------------
POSTAL SERVICE
Postage Evidencing Product Submission Procedures
AGENCY: Postal Service.
ACTION: Proposed Procedure.
-----------------------------------------------------------------------
SUMMARY: The Federal Register, dated September 2, 1998, provided
proposed product submission procedures for all postage evidencing
products, including those in the Information Based Indicia Program
(IBIP). In response to the solicitation of public comments, only one
submission was received. The comments in this submission were
considered in making the changes incorporated in the current version.
The current proposed procedures revise, clarify, and expand the earlier
proposed procedures to include a new section on approval of product
changes and a new section addressing intellectual property issues. The
proposed procedures now indicate where steps in the product submission
process can be concurrent rather than sequential and discuss the Postal
Service response. Providers are asked to update documentation to
reflect the ``as approved'' product prior to final approval. The
current proposed procedures address all postage evidencing products,
including, but not limited to, traditional meter products and IBI
products. However, changes clarify which requirements apply only to
IBIP products and not to traditional meter products. A requirement was
added for a document describing how the Address Matching System (AMS)
CD-ROM will be integrated in an IBIP Open System product. A requirement
was added to the comprehensive test plan to include a test of the
physical security of the Provider's site and firewall where applicable,
and of the processes for administrative access and configuration
control. Requirements were also added with respect to the
responsibilities of the laboratories testing products with
cryptographic modules.
DATES: Comments must be received on or before October 18, 1999.
ADDRESSES: Written comments should be mailed or delivered to the
Manager, Metering Technology Management, Room 8430, 475 L'Enfant Plaza
SW, Washington DC 20260-2444. Copies of all written comments will be
available at the above address for inspection and photocopying between
9 a.m. and 4 p.m. Monday through Friday.
FOR FURTHER INFORMATION CONTACT: Nicholas S. Stankosky, (202) 268-5311.
SUPPLEMENTARY INFORMATION: With the expansion of postage application
methods and technologies, it is essential that product submission
procedures for all postage evidencing products be clearly stated and
defined. The Postal Service evaluation process can be effective and
efficient if these procedures are followed explicitly by all suppliers.
In this way, secure and convenient technology will be made available to
the mailing public with minimal delay and with the complete assurance
that all Postal Service technical, quality, and security requirements
have been met. These procedures apply to all proposed postage
evidencing products and systems, whether the Provider is new or is
currently authorized by the Postal Service.
39, Code of Federal Regulations (CFR) Section 501.9, Security
Testing, currently states, ``the Postal Service reserves the right to
require or conduct additional examination and testing at any time,
without cause, of any meter submitted to the Postal Service for
approval or approved by the Postal Service for manufacture and
distribution.'' For products meeting the performance criteria for
postage evidencing under the Information Based Indicia Program (IBIP),
including PC Postage products, the equivalent section is 39 CFR Section
502.10, Security Testing, published as a proposed rule in the Federal
Register, September 2, 1998. When the Postal Service elects to retest a
previously approved product, the Provider will be required to resubmit
the product for evaluation according to part or all of the proposed
procedures. Full or partial compliance with the procedures will be
determined by the Postal Service prior to resubmission by the Provider.
The proposed submission procedures will be referenced in 39 CFR
Parts 501 and 502 but will be published as a separate document as
Metering Technology Management, Postage Evidencing Product Submission
Procedures.
1. Product Submission Procedures
In submitting any postage evidencing product for Postal Service
evaluation, the proposed Provider must provide detailed documentation
and comply with requirements in the following areas:
Letter of Intent
Nondisclosure Agreements
Concept of Operations (CONOPS)
Software and Documentation Requirements
Provider Infrastructure Plan
USPS Address Matching System (AMS) CD-ROM Integration
Product Submission/Testing
Provider Infrastructure Testing
Field Test (Beta) Approval (Limited Distribution)
Provider/Product Approval (Full Distribution)
The Provider shall indicate the specific requirement(s) addressed
by each document submitted in compliance with these Postage Evidencing
Product Submission Procedures. The Postal Service requests that the
documentation includes a matrix showing where each specific requirement
is addressed. Documentation shall be in English and formatted for
standard letter size (8.5'' x 11'') paper, except for engineering
drawings, which shall be folded to the required size. Where
appropriate, documentation shall be marked as ``Confidential.'' The
steps in the Postage Evidencing Product Submission Procedures must be
completed in sequential order, except as detailed below.
1.1. Letter of Intent
The Provider must submit a Letter of Intent to the Manager,
Metering Technology Management, United States Postal Service, 475
L'Enfant Plaza SW, Room 8430, Washington DC 20260-2444.
A. The Letter of Intent must include:
(1) Date of correspondence.
(2) Name and address of all parties involved in the proposal. In
addition to the Provider, the parties listed shall
[[Page 44761]]
include those responsible for assembly, distribution, management of the
product/device,\1\ hardware/firmware/software development, testing, and
other organizations involved (or expected to be involved) with the
product, including suppliers of significant product components.
---------------------------------------------------------------------------
\1\ When speaking generically about processes, etc., the term
``product'' is used. However, the term ``product'' includes
``product/device.''
---------------------------------------------------------------------------
(3) Name and phone number of official point of contact for each
company identified.
(4) Provider's business qualifications (i.e., proof of financial
viability, certifications and representations, proof of ability to be
responsive and responsible).
(5) Product/device concept narrative.
(6) Provider infrastructure concept narrative.
(7) Narrative that identifies the internal resources knowledgeable
of current Postal Service policies, procedures, performance criteria,
and technical specifications to be used to develop security, audit, and
control features of the proposed product.
(8) The target Postal Service market segment the proposed product
is envisioned to serve.
B. The Provider must submit with the Letter of Intent a proposed
product development plan of actions and milestones (POA&M) with a start
date coinciding with the date of the Letter of Intent. Reasonable
progress must be shown against these stated milestones.
C. The Manager, Metering Technology Management, will acknowledge in
writing the receipt of the Provider's Letter of Intent and will
designate a Postal Service point-of-contact. Upon receipt of this
acknowledgment, the Provider may continue with the sequential
requirements of the product submission process.
1.2. Nondisclosure Agreements
These agreements are intended to ensure confidentiality and
fairness in business. The Postal Service is not obligated to provide
product submission status to any parties not identified in the Letter
of Intent. After obtaining signed nondisclosure agreements, the
Provider may continue with the sequential requirements of the product
submission process.
1.3. Concept of Operations
A. The Provider must submit a Concept of Operations (CONOPS) that
discusses at a moderate level of detail the features and usage
conditions for the proposed product. The Provider should submit 10
serialized hard copies and one electronic copy on a PC-formatted 3.5''
floppy disk. Additionally, the Provider must also submit a detailed
process model supporting each CONOPS section.
Note: The Postal Service will not be obligated to provide
consulting guidance on any current Postal Service policy, procedure,
performance criteria, or specification beyond publicly available
publications.
B. At a minimum, the CONOPS should cover the following areas:
(1) System Overview
(a) Concept overview/business model
(b) Concept of production/maintenance administration
(c) For Information Based Indicia (IBI) PC Postage products, the
system design overview, including:
(i) Postal Security Device (PSD) implementation (stand-alone, LAN,
WAN, hybrid)
(ii) Features
(iii) Components, including the digital signature algorithm
(d) Product lifecycle overview
(e) Adherence to industry standards, such as Federal Information
Processing Standard (FIPS) 140-1, as required by the Postal Service
(2) For proposed IBI PC Postage products, the system design details,
including:
(a) PSD features and functions
(b) Host system features and functions
(c) Other components required for normal use conditions
(3) Product Lifecycle
(a) Manufacturer
(b) Postal Service certification of product/device
(c) Production
(d) Distribution
(e) Product/device licensing and registration
(f) Initialization
(g) Product authorization and installation
(h) Postage Value Download (PVD) process
(i) Product and support system audits
(j) Inspections
(k) Product withdrawal/replacement
(i) Overall process
(ii) Product failure/malfunction procedures
(l) Scrapped product process
(4) Finance Overview
(a) Customer account management
(i) Payment methods
(ii) Statement of account
(iii) Refund
(b) Individual product finance account management
(i) PVD
(ii) Refund
(c) Daily account reconciliation
(i) Provider reconciliation
(ii) Postal Service detailed transaction reporting
(d) Periodic summaries
(i) Monthly reconciliation
(ii) Other reporting, as required by the Postal Service
(5) Interfaces
(a) Communications and message interfaces with Postal Service
infrastructure, including but not limited to:
(i) PVDs
(ii) Refunds
(iii) Inspections
(iv) Product audits
(v) Lost or stolen product procedures
(b) Communications and message interfaces with applicable Postal
Service financial functions, including but not limited to:
(i) Postage settings, including those done remotely
(ii) Daily account reconciliation
(iii) Refunds
(c) Communication and message interfaces with Customer
Infrastructure, including but not limited to:
(i) Cryptographic key management
(ii) Product audits (device and host system)
(iii) Inspections
(d) Message error detection and handling
(6) Technical Support and Customer Service
(a) User training and support
(b) Software Configuration Management (CM) and update procedures
(c) Hardware/firmware CM and update procedures
(7) Other
(a) Change control procedures
(b) Postal rate change procedures
(c) Address Management System ZIP+4 CD-ROM updates, if applicable
(d) Physical security
(e) Personnel/site security
C. Supplementary requirements, CONOPS.
(1) The CONOPS must be accompanied by substantiated market analysis
supporting the target Postal Service market segment the proposed
product is envisioned to serve, as identified in the Letter of Intent.
(2) The CONOPS must include a list and a detailed explanation of
any proposed deviations from Postal Service performance criteria or
specifications. Any proposed deviation to audit and control functions
required by current Postal Service policy, procedure, performance
criteria, or specification must be accompanied by an independent
assessment by a nationally recognized, independent, certified
[[Page 44762]]
public accounting firm attesting to the proposed auditing method. The
report of this information is to be signed by an officer of the
accounting firm.
D. Postal Service response.
(1) The Postal Service will respond in a timely manner.
(2) For each submission, the Postal Service will appoint a Product
Review Control Officer. All communications between the Provider and the
Postal Service are to be coordinated through the Product Review Control
Officer.
(3) The Postal Service will acknowledge, in writing, receipt of the
CONOPS and perform an initial review. The Postal Service will provide
the Provider with a written summary of the CONOPS review. In the
written review, the Postal Service will provide authorization to
continue with the product submission process, or a listing of CONOPS
requirements that are not met.
(4) If, in the sole opinion of the Postal Service, it is determined
that significant CONOPS deficiencies do exist, the Postal Service, at
the discretion of the Manager, Metering Technology Management, may
return the CONOPS to the Provider without further review. It will then
be incumbent on the Provider to resubmit a corrected CONOPS.
(5) The Provider may continue with the product submission process
upon receipt of authorization to proceed from the Postal Service.
1.4. Software and Documentation Requirements
A. The Provider must submit to the Postal Service five copies of
executable code and one copy of full and source code for all software
included in the product.
B. The Provider must submit a detailed design document of the
product. For IBI products, this shall include the proposed IBIP indicia
design, which must be approved by the Manager, Metering Technology
Management.
C. Additionally, depending on the product, the Postal Service
requires design documentation that includes, but is not limited to, the
following:
(1) Operations manuals for product usage
(2) Interface description documents for all proposed communications
interfaces
(3) Maintenance manuals
(4) Schematics
(5) Product initialization procedures
(6) Finite state machine models/diagrams
(7) Block diagrams
(8) Security features descriptions
(9) Cryptographic operations descriptions
Detailed references for much of this documentation are listed in
FIPS 140-1, Appendix A. The Postal Service will determine the number of
copies needed of the aforementioned documentation based on the CONOPS
review. The Postal Service will notify the Provider of the required
number of copies. The required number of copies are to be uniquely
numbered for control purposes.
D. The Provider must submit a comprehensive test plan that will
validate that the product meets all Postal Service requirements and,
where appropriate, the requirements of FIPS 140-1. With respect to the
Provider's internet server, the test plan shall indicate how the
Provider will test to ensure the physical security of the Provider's
server and administrative site and the firewall, and to ensure the
security of the processes for remote administrative access and
configuration control. With respect to the process for initializing
customer accounts, the test plan shall describe the tests for ensuring
secure distribution or transmission of software and cryptographic keys.
The test plan must list the parameters to be tested, test equipment,
procedures, test sample sizes, and test data formats. Also, the plan
must include detailed descriptions, specifications, design drawings,
schematic diagrams, and explanations of the purposes for all special
test equipment and nonstandard or noncommercial instrumentation.
Finally, this test plan must include a proposed schedule of major test
milestones.
E. The Provider must submit a benchmark assessment plan. Postal
Service Engineering will provide reference standards, performance
criteria, specifications, etc., to be used as a basis for the Provider
to produce this plan.
F. Postal Service Response:
(1) The Postal Service will provide its response in a timely
manner.
(2) The Postal Service will acknowledge, in writing, receipt of the
Provider's design and test plans and will perform an initial review.
The Postal Service will furnish the Provider with a written summary of
the design plan and test plan reviews. In the written review, the
Postal Service will provide authorization to continue with the product
submission process, or will provide a listing of design plan
requirements or test plan requirements that are not met, and perhaps
other deficiencies.
(3) If, in the sole opinion of the Postal Service, it is determined
that significant design plan or test plan deficiencies do exist, the
Postal Service, at the discretion of the Manager, Metering Technology
Management, may return the plans to the Provider without further
review. It will then be incumbent on the Provider to resubmit revised
plans that address the identified deficiencies.
(4) The Provider may continue with the product submission process
upon receipt of authorization to proceed from the Postal Service.
1.5. Provider Infrastructure Plan
A. The Provider Infrastructure Plan may be submitted concurrently
with the design and test plans described in paragraph 1.4, Software and
Documentation Requirements. At this point in the product submission
process, the Postal Service will provide additional performance
criteria and specifications for the IBIP public key infrastructure, if
required for the product/device, for use as a basis for the applicable
elements of the Provider's Infrastructure Plan.
B. The Provider must submit a Provider Infrastructure Plan that
describes how the processes and procedures described in the CONOPS will
be met or enforced. This includes, but is not limited to, a detailed
description of all Provider-related and Postal Service-related
operations, computer systems, and interfaces with both customers and
the Postal Service that the Provider shall use in manufacturing,
producing, distribution, customer support, product/device lifecycle,
inventory control, print readability quality assurance, and reporting.
C. Postal Service Response
(1) The Postal Service will respond in a timely manner.
(2) The Postal Service will acknowledge in writing the receipt of
the Provider's Infrastructure Plan and will perform an initial review.
The Postal Service will provide the Provider with a written summary of
the Infrastructure Plan review. In the written review, the Postal
Service will provide authorization to continue with the product
submission process, or a listing of the Infrastructure Plan
requirements that are not met, and perhaps other deficiencies.
(3) If, in the sole opinion of the Postal Service, it is determined
that significant Provider Infrastructure Plan deficiencies do exist,
the Postal Service, at the discretion of the Manager, Metering
Technology Management, may return the Infrastructure Plan to the
Provider without further review. It will then be incumbent on the
Provider to resubmit
[[Page 44763]]
a revised Infrastructure Plan to address the identified deficiencies.
(4) The Provider may continue with the product submission process
upon receipt of authorization to proceed from the Postal Service.
1.6. USPS Address Matching System (AMS) CD-ROM Integration
A. The USPS AMS CD-ROM is a required component of IBIP open
systems. For such systems, the Provider shall initiate an agreement
with the USPS National Customer Support Center (NCSC). This signed
agreement shall describe responsibilities of the AMS CD-ROM supply
chain processes, including roles of the Provider. The only
functionality of the AMS CD-ROM available through an IBIP system shall
be address matching and ZIP+4 coding of input addresses.
B. The Provider shall submit a detailed description of how the USPS
AMS CD-ROM will be integrated in the product, including a description
of the process by which an address is ZIP+4 coded, including all
possible optional and required parameters. The Provider can submit this
information concurrent with submission of the Software and
Documentation Requirements and/or Provider Infrastructure Plan
described above.
C. Any CONOPS or products proposed for which the Provider requests
a variance to the AMS CD-ROM requirements must be approved by the
Manager, Metering Technology Management, prior to proceeding with the
next step in the submission process.
1.7. Product Submission/Testing
A. The product/device Provider must be prepared to submit up to
five complete production systems of each product/device for which
Postal Service evaluation is requested. The required number of
submitted systems will be determined by the Postal Service. The
Provider must provide any equipment required in order to use the
submitted product/device in the manner contemplated by the CONOPS.
Thorough Provider testing of the product prior to submission of the
product to the Postal Service will avoid unnecessary delays in the
review and evaluation process. If, in the opinion of the Postal
Service, it is determined that significant product deficiencies exist,
the Postal Service, at the discretion of the Manager, Metering
Technology Management, may return the product to the Provider without
further review. The Provider would have the option to resubmit a
corrected product.
B. If the product contains a cryptographic module, the Provider
must submit the proposed product to a laboratory accredited under the
National Voluntary Laboratory Accreditation Program (NVLAP) for FIPS
140-1 certification, or equivalent, as authorized by the Postal
Service. Upon completion of the FIPS 140-1 certification, or
equivalent, the Postal Service requires the following to be forwarded
directly from the accredited laboratory to the Manager, Metering
Technology Management for review:
(1) A copy of all information given to the laboratory by the
Provider, including a summary of all information transmitted orally.
(2) A copy of all instructions from the Provider with respect to
what is or is not to be tested for.
(3) A copy of the letter of recommendation for the product as
submitted by the laboratory to the National Institute of Standards and
Technology (NIST) of the United States of America.
(4) Copies of all proprietary and nonproprietary reports and
recommendations generated during the test process.
(5) A copy of the certificate, if any, issued by NIST for the
product.
(6) Written full disclosure identifying any contribution of the
NVLAP laboratory to the design, development, or ongoing maintenance of
the product/device.
C. If the product is submitted to an accredited test laboratory to
meet the requirements of paragraph B, above, the laboratory must meet
all the requirements specified by NIST in the Implementation Guidance
for FIPS PUB 140-1 and the Cryptographic Module Validation Program;
NIST document 150-17, Cryptographic Module Testing; and other documents
issued by NIST to govern the conduct of accredited laboratories.
D. All products submitted to an accredited laboratory for testing
under paragraph B above shall be retained by the laboratory for three
years from date of product approval by the Postal Service.
E. The Provider may submit the product to the Postal Service for
test and evaluation prior to completion of any required FIPS 140-1
testing, provided a letter is submitted from the NVLAP laboratory to
the Postal Service indicating:
(1) That the product is being tested under FIPS 140-1 for the
required security levels, in accordance with the current, relevant
performance criteria.
(2) That the product has a reasonable chance of meeting the FIPS
140-1/USPS security levels.
(3) The timeline for FIPS 140-1 test completion.
F. The Postal Service reserves the right to require or conduct
additional examination and testing at any time, without cause, of any
product submitted to the Postal Service for approval or approved by the
Postal Service for manufacture and distribution.
G. Upon satisfactory completion of the Postal Service testing and
NVLAP laboratory testing (where required), the Postal Service will
provide authorization to continue the product submission process. The
Provider may continue with the product submission process upon receipt
of authorization to proceed from the Postal Service.
1.8. Product Infrastructure Testing
A. Prior to approval for distribution of any product/device, the
Provider must achieve test and approval of all reporting requirements,
including, but not limited to, Postal Service/customer licensing
support, product status activity reporting, total product population
inventory, irregularity reporting, lost and stolen reporting, financial
transaction reporting, account reconciliation, digital certificate
acquisition, product initialization, cryptographic key changes, rate
table changes, print quality assurance, device authorization, device
audit, product audit, and remote inspections.
B. Testing of these activities and functions includes computer-
based testing of all interfaces with the Postal Service, including but
not limited to the following:
(1) Product manufacture and lifecycle (including leased, unleased, new
product/device stock, installation, withdrawal, replacement, key
management, lost, stolen, and irregularity reporting)
(2) Product distribution and initialization (including product
authorization, product initialization, customer authorization, and
product maintenance)
(3) Licensing (including license application, license update, and
license revocation)
(4) Finance (including cash management, individual product financial
accounting, refund management, daily summary reports, daily transaction
reporting, and monthly summary reports)
(5) Audits and inspections, including site audits
C. The Provider must complete a ``Product-Provider Infrastructure-
Financial Institution-USPS Infrastructure'' (Alpha) test involving all
entities in the proposed architecture. At
[[Page 44764]]
a minimum this includes the proposed product, Provider Infrastructure,
financial institution and Postal Service Infrastructure systems and
interfaces. Alpha testing is intended to demonstrate the proposed
product utility, and its functionality and compatibility with other
systems. Alpha testing may be conducted in a laboratory environment.
D. Provider Infrastructure Testing (Alpha) test note: The Postal
Service reserves the right to require or conduct additional examination
and testing at any time, without cause, of any Provider Infrastructure
system supporting a postage evidencing product/device approved by the
Postal Service for manufacture and distribution. Initial Provider
Infrastructure testing and (Alpha) testing schedules will be supported
at the convenience of the Postal Service.
E. Demonstrable evidence of successful completion for each test is
required prior to proceeding.
F. The Provider may continue with the product submission process
upon receipt of authorization to proceed from the Postal Service.
1.9. Field Test (Beta) Approval (Limited Distribution)
A. The Provider will submit a proposed Field (Beta) Test Plan
identifying test parameters, product quantities, geographic location,
test participants, test duration, test milestones, and product recall
plan. The Beta Test Plan will be in accordance with the Beta Test
Strategy in effect for the given product type. The Postal Service will
supply the appropriate Beta Test Strategy to the Provider upon request.
The purpose of the Beta test is to demonstrate the proposed product's
utility, security, audit and control, functionality, and compatibility
with other systems, including mail entry, acceptance and processing, in
a real-world environment. The Beta test will employ available
communications and will interface with current operational systems to
conduct all product functions. The Manager, Metering Technology
Management, will determine acceptance of Provider-proposed Beta Test
Plans based on, but not limited to, assessed risk of the product,
product impact on Postal Service operations, and requirements for
Postal Service resources. Proposed candidates for Beta test
participation must be approved by the Postal Service. Beta test
approval consideration will be based in whole or in part on the
location, mail volume, mail characteristics, and mail origination and
destination patterns.
B. The Provider has a duty to report security weaknesses to the
Postal Service to ensure that each product/device model and every
product/device in service protects the Postal Service against loss of
revenue at all times. Beta participants must agree to a nondisclosure
confidentiality agreement when reporting product security, audit, and
control issues, deficiencies, or failures to the Provider and the
Postal Service. A grant of Field Test Approval (FTA) does not
constitute an irrevocable determination that the Postal Service is
satisfied with the revenue-protection capabilities of the product/
device. After approval is granted to manufacture and distribute a
product/device, no change affecting the basic features or safeguards of
a product/device may be made except as authorized or ordered by the
Postal Service in writing from the Manager, Metering Technology
Management.
C. The Provider may continue with the product submission process
upon receipt of authorization to proceed from the Postal Service.
1.10. Provider/Product Approval (Full Distribution)
A. Upon receipt of the final certificate of evaluation from the
national laboratory, where required, and after obtaining positive
results of internal testing of the product/device, successful
completion of Provider infrastructure testing, Alpha testing,
demonstration of limited distribution activities (Beta testing), and
audits of Provider site security, the Postal Service will
administratively review the submitted product, the Provider
infrastructure, and the Provider/manufacturer qualification
requirements for final approval of full distribution. In preparation
for the administrative review, the Provider shall update any product
submission documentation submitted in compliance with the requirements
of the Postage Evidencing Product Submission Procedure that is no
longer accurate with respect to the product in review.
Note: Copies of Draft 39 CFR Part 502 containing IBIP Provider/
Manufacturer qualification requirements as published in the Federal
Register on September 2, 1998, are available by contacting USPS,
Metering Technology Management, 475 L'Enfant Plaza SW, Room 8430,
Washington DC 20260-2444. Copies of CFR Part 501 pertaining to
postage meters are available also at the above address.
B. The Postal Service may require, at any time, that models/
versions of approved products, and the design and user manuals and
specifications applicable to such product, and any revisions thereof,
be deposited with the Postal Service.
2. Change Control Procedure
2.1. Overview
A. After approval is granted to manufacture and distribute a
product/device, no change affecting the basic features or safeguards of
a product/device may be made except as authorized or ordered by the
Postal Service in writing from the Manager, Metering Technology
Management. The submission of a change proposal and the subsequent test
and acceptance of a product change are designed to ensure not only that
the changed product meets all requirements and performance criteria but
also that the stated changes made to a product do not introduce any
unintended, unidentified, unexpected, or undesirable changes to the
form, fit, function, or security of the product.
B. Once a postage evidencing product/device has received final
approval from the Postal Service, the Provider is required to submit
any change(s) to that product for Postal Service approval. Changes
covered by this process include, but are not limited to, the following:
(1) Changes to the form, fit, function, or security of the product/
device
(2) Changes resulting from new Postal Service regulations, such as an
updated postal rate table
(3) Changes to the software or firmware
(4) Changes to the PSD, for products using such a device
(5) Changes to the physical configuration of the product
(6) Changes to product documentation or packaging
(7) Changes to product distribution methods
(8) Changes to third-party providers of significant product components
C. For an IBI product, the changed product shall be in compliance
with the IBI performance criteria and all other Postal Service
regulations in effect at the time the change is implemented. All
changes to previously approved products must be approved by the Postal
Service before implementation. The Postal Service must also approve the
timetable and procedures for implementing changes.
D. Providers are encouraged to consolidate multiple changes in a
single change proposal to enable the Postal Service to expedite their
review of the changes.
E. The Provider shall fully document all changes, in accordance
with the requirements described in the following sections.
2.2. Provider Responsibilities
A. The Provider shall be responsible for notifying the Postal
Service of any
[[Page 44765]]
proposed changes made as described in Section 2.1. The Provider shall
be responsible for having a Postal Service-approved process for
configuration management of the versions of each approved product. The
Provider's process shall ensure that no changes can be made without
proper tracing of design changes, records of authorization, and
notification to the Postal Service. The Provider is responsible for
submitting a change proposal in accordance with the requirements of
this procedure and for achieving Postal Service approval before
implementing any change.
B. Detailed Provider Actions:
(1) Letter of Intent to Change. The first step in the submission of
a change proposal is to submit a Letter of Intent to Change, similar to
the Letter of Intent described under Product Submission Procedures,
above. The Letter of Intent to Change shall be submitted to the
Manager, Metering Technology Management, United States Postal Service,
475 L'Enfant Plaza SW, Room 8430, Washington DC 20260-2444. The letter
must include:
(a) Date of correspondence.
(b) Name and address of all parties involved in the change
proposal, including those responsible for assembly, distribution,
management of the product/device, hardware/firmware/software
development or testing, and other organizations involved (or expected
to be involved) with the changed product.
(c) Name and phone number of official point of contact for each
party identified above.
(d) Change concept narrative. A description of the proposed change,
identifying any changes to the form, fit, function, or security of the
product.
(e) Discussion of the reasons for the change.
(f) Discussion of the implications of the change for product
security, product identification, and Provider procedures such as
distribution, operations, or financial transactions, as well as any
cost impact and impact on product customers. The document shall also
discuss the impact of the change on Postal procedures such as mail
entry, mail acceptance, and mail processing, as well as the impact on
the interfaces between the Provider and the Postal Service and/or
customers.
(g) An outline of the actions the Provider will take in support of
the change proposal, including a listing of the documentation the
Provider will submit in support of the change, and the testing that
will be performed to ensure the changes meet Postal Service
requirements.
(h) The timetable for submission, test, acceptance, and
implementation of the proposed change.
(i) The procedure for implementation of the proposed change.
(2) Additional documentation. Once the Letter of Intent to Change
is submitted, the Provider shall review the following documents and
submit any changes needed to ensure they are still current. Additional
documentation may be required at the discretion of the Postal Service.
(a) Nondisclosure Agreements
(b) Concept of Operations
(c) Software and Documentation
(d) Provider Infrastructure Plan
(e) USPS Address Matching System (AMS) CD-ROM Integration, if required
for the product.
(3) Testing. The Provider will test the product changes as
described in the Postage Evidencing Product Submission Procedures to
the extent required by the proposed change, in accordance with Postal
Service direction. The Provider shall document the tests performed on
product changes and shall submit this documentation along with
verification of successful completion of the testing.
2.3. Postal Service Responsibilities
A. The Postal Service will execute its responsibilities in a timely
manner.
B. The Postal Service will review the Letter of Intent to Change
and accept or reject each component of the Provider's proposed approach
for product change, documentation submittal and testing, and schedule
for release.
C. The Postal Service will complete testing of the changes as
required to ensure the changes meet Postal Service performance criteria
and provide written comments to the Provider. Approval of the change
will be granted in writing by the Postal Service by the Manager,
Metering Technology Management.
D. The Postal Service reserves the right to determine if a proposed
change is extensive enough to constitute a new product, rather than a
change to a previously approved product. If such a determination is
made, the Provider shall comply with all requirements of the Postage
Evidencing Product Submission Procedures, including field testing.
3. Intellectual Property and License Considerations
A Provider is responsible for determining if and how it can make
products that meet the Postal Service performance criteria or
specifications applicable to the given product/device, in view of
applicable technical, commercial, and legal constraints. Thus, it is
the Provider-not the Postal Service-who is responsible for determining
whether the production and use of a product/device requires the use of
patented technology. If so, the Provider is responsible for resolving
applicable intellectual property issues.
In accordance with this policy, the Postal Service generally will
not evaluate or arbitrate conflicting patent claims by Providers,
publicly assess the validity or scope of the patents that have been
cited with respect to any performance criteria, or offer any opinion as
to whether a license is required under such patents to meet performance
criteria.
Each Provider should seek its own legal counsel with respect to
these matters, and, if it determines that a patent license is required,
should procure one. Companies that are unwilling or unable to acquire
any necessary patent licenses to produce their proposed product should
assess the wisdom of remaining in the market or the possibility of
producing a different type of product.
To implement this policy, the Postal Service may enter into an
agreement (``Agreement'') with the Provider stating that the Provider
is solely responsible for determining, on an ongoing basis, whether its
approved products are subject to any third-party patents. If so, the
Provider must procure any required licenses to allow the Provider to
make, use, sell, or (if applicable) import its products, and to allow
the Provider's customers to use the products to create postage indicia,
apply the indicia to mail, and deposit the mail with the Postal
Service.
Providers would not be responsible under such an Agreement for
procuring any license rights with respect to mailing activities
conducted by the Postal Service. However, each Provider is required to
indemnify the Postal Service for any claims against the Postal Service
based on the Provider's failure to procure necessary patent or other
rights with respect to its product offering.
4. Request for Comment
It is emphasized that the proposed procedures for initial product
submission and changes to already approved products are being published
for comments and are subject to final definition.
Although exempt from the notice and comment requirements of the
Administrative Procedure Act (5 U.S.C. 553 (b), (c)) regarding proposed
rule making by 39 U.S.C. 410 (a), the Postal
[[Page 44766]]
Service invites public comments on the proposed procedures.
Stanley F. Mires,
Chief Counsel, Legislative.
[FR Doc. 99-21242 Filed 8-16-99; 8:45 am]
BILLING CODE 7710-12-P