
SPS Important Notices

To:  SPS User community and IT Personnel supporting the Secure Payment System (SPS)

Ref:  Windows XP and Java

Please be advised that in late summer 2014 the Fiscal Service’s Secure Payment System (SPS) will no longer support the Microsoft Windows XP client platform, due to Microsoft’s “End Of Life” support for Windows XP. See Support Microsoft Lifecycle.
  1. Microsoft is ending support for Windows XP on April 8, 2014. After this date, security updates for Windows XP will no longer be available (see: windows microsoft windows end-support-help.) Fiscal Service has no plans to support Windows XP after this date for SPS.
  2. Windows XP has technical limitations for being simultaneously compliant with: A) NIST guidance for digital signatures, and B) OMB mandates for NIST FIPS-201 (PIV).
    • NIST now requires that all digital signatures be created using "SHA2" message digest, which replaces the older "SHA1".
    • Driven by NIST FIPS-201 (PIV) and associated OMB guidance, SPS is in the process of migrating users from their iKey token credentials to using their agency "PIV badges" as credentials. This process will start in CY2014.
    • To support PIV badge interactions, the SPS client will soon be using Microsoft's "CAPI" interface to interact with PKI token credentials, including both iKeys and PIV badges.
    • Microsoft's CAPI interface provides better token support in Windows 7 than in Windows XP, and better support for SHA2. As a result, the SafeNet drivers used for iKey 2032 tokens do not support SHA2 digital signatures when used with CAPI under XP. There is no such limitation in Windows 7.
    • Starting in SPS releases for late summer 2014, iKey tokens used in Windows XP clients will fail to provide the required cryptographic functions, and access to SPS will fail from Windows XP workstations.

If your Agency uses the SPS Web version of SPS, we are recommending that you move to the SPS Self Contained (SC) version of SPS as soon as possible to alleviate the potential concern/issue stated above. Please note, the Web version of SPS will no longer be supported after the second quarter of 2014. After this date, the SC version will be the only option supported on Windows XP and Windows 7.

Some security experts are recommending the disabling of Java in the Web Browser, which makes it impossible to access SPS from a Web Browser. See http://www.us-cert.gov/ncas/alerts/TA13-064A.

If you have any questions, please contact the SPS Help Desk at (816) 414-2340.


To: IT Personnel Supporting the Secure Payment System (SPS)

Please be advised that there are impending actions related to the Browser/Java access method used with the SPS application. Taking the appropriate action now will help to ensure that your agency has the optimum flexibility and reliability in place to handle your payment certifications to Treasury.

Specifically, over the past three (3) months, there have been several instances where Oracle has had to release Java updates to prevent potential adverse impacts to Web based applications and services. For Oracle to push out releases is not unusual; but, when there are multiple releases within a short period of time it increases the likelihood that your agency could experience a disruption in your use of SPS. This is particularly true if your agency utilizes a Browser Java dependent version of SPS. To mitigate these disruptions, we are strongly recommending that agencies employing the Web version of SPS move to the Self Contained (SC) version of SPS as soon as practicable. It should be noted that the Web version of SPS will no longer be supported after the second quarter of 2014 (end date). After this date, the SC version will be the only option supported on Windows XP and Windows 7 operating systems.

[Note: Some security experts are recommending to simply disable Java in the Web Browser. This action, however, prevents access to SPS.]

If you have any questions, please contact the SPS Help Desk at (816) 414-2340. Following is a list of publications in regard to Java Security issues over the first three (3) months of calendar year 2013.

3/05/2013 - Oracle releases emergency fix for Java zero-day exploit

2/25/2013 - Java's latest security problems: New flaw identified, old one attacked

2/06/2013 - How can I restrict the Java plugin to run only on certain sites in Internet Explorer

2/06/2013 - Controlling Java in Internet Explorer

1/18/2013 - Latest Java update broken; two new sandbox bypass flaws


The August 26, 2012 deployment of SPS contains a feature which allows the creation of individual payments in Regular Check Sub-type Schedules exceeding $9,999,999.99. This feature should not have been made available or included in this release. We ask that you refrain from creating a Regular Check Sub-type payment that exceeds $9,999,999.99. If you have a need to create a check payment that exceeds $9,999,999.99 we ask that you use the "Manual Check" Sub-type Schedule that you used prior to the last release. Whenever possible, use ACH or FedWire, rather than check.

If you have any questions, please call the FMS Payment Management Call Center at 855-868-0151, press 2 for Federal Agency payment questions, then press 2 for SPS.


The SPS Application requires that all SPS Installations be periodically updated to satisfy the SPS security requirements. In particular, the following components of a SPS Installation are required to be “Up to date”: the SPS policy file, SPS Certificate Keystore, and the preferred Java Plug-in software. An “SPS Software Update Alert” screen is displayed during SPS Login when a SPS Installation is “Out of Date” with respect to any of the required components.

A new release of the SPS Application will be deployed over the weekend of August 25, 2012. Failure to update your installation before August 25, 2012 may prevent users from logging into the SPS Application. Please contact your SPS Helpdesk (email: KFC SPS Help Desk and phone: (816) 414-2340) if you need copies of the latest SPS install CD (dated Feb 2012).


TO FPA’s

On Tuesday, May 29, 2012, Fedwire payments will begin to be streamed through a new interface (OFAC screening) to your ending recipient banks. To be proactive and to help prevent your Fedwire payments from being rejected, please keep the following in mind: there is a new requirement for the Fedwire product code Bank Transfer (BTR), and we are re-emphasizing when to use a Type Code 10 (Domestic entity) versus a Type Code 15 (Foreign entity) with your Fedwire payments.

PRODUCT CODES RULES Change

BTR PRODUCT CODE (BTR) - BANK TO BANK TRANSFER. If an agency uses a BTR product code, the payment must have a “name” in the Beneficiary name field (BNF) or the payment will get rejected when the payment goes through OFAC screening. More information on this new change (being processed through OFAC) is on the SPS Web Page now.

NOTE: If the Agency uses the BTR product code, the agency “must” enter a beneficiary name in the Beneficiary Name field (BNF) when the payment is being created by a Data Entry Operator. If the Agency uses third party software to create payments, the same rules apply. More information on this change is also now on our SPS Web pages (see below).

http://fms.treas.gov/sps/index.html

http://fms.treas.gov/sps/notices.html

TYPE CODES RULES for Fedwire Payments
TYPE CODE 10 - Type code 10 is used to transfer funds to U.S. domestic banks.
TYPE CODE 15 - Type code 15 is used for sending wire payments to a foreign bank.

Note: Neither the KFC SPS Help Desk nor the KFC Customer Service help desk that supports Fedwire processing (among all your payment processing) will know whether the receiving bank of the Fedwire funds being sent is a foreign bank. Your accounting department will need to verify and confirm whether the receiving entity is indeed a foreign entity.

Thanks for your cooperation.


Starting Tuesday, May 29, SPS Same Day Payments will be processed by FMS through a new payment channel. This new channel improves the existing payment process by adding "OFAC Sanctions screening" (see http://www.treasury.gov/resource-center/sanctions/Pages/default.aspx). To correctly perform OFAC Sanctions screening, all SPS Same Day Payments are now required to provide the "Name of Customer or Bank recipient" in the Beneficiary Name (BNF) data field. If not, payments are subject to "rejection" and would need to be re-entered again with the missing information using a different schedule number. Please note this additional requirement as your Data Entry Operators enter payment information and before your Certifying Officer certifies the schedules to Treasury. The SPS data entry screen validations will be updated in the near future to automatically enforce this requirement.

Also effective on Tuesday, May 29, 2012, the Kansas City Financial Center will be the sole processing center for all U.S. Treasury Fedwire payments. Therefore, ABA numbers 0210-3003-3 TREAS PHIL FIN CTR and 0210-3004-6 TREAS SF FIN CTR will no longer send Funds transactions. Please contact the Kansas City Financial Center for Fedwire payment inquiries at (816) 414-2100. For instructions on returning wires, please contact the Philadelphia Financial Center (PFC) at (215) 516-8043.

If you have any questions, please contact your Servicing Regional Financial Center.




FedWire Payments Temporary Roll Back to the Philadelphia and San Francisco Financial Centers

The purpose of this notice is to inform you that effective opening of business on Thursday, March 29, 2012, FedWire payment processing, returned payments and accounting activity will revert back to the Regional Financial Center (RFC) that processed your same-day FedWire payments prior to Monday, March 26, 2012. You will not need to change how you are currently making FedWire payments. However, should you have questions regarding your FedWire payments or returns please contact your servicing RFC (i.e. Philadelphia or San Francisco).

We will send out a follow-up notice once we establish a new transition date. We appreciate your patience and apologize for any inconvenience this may have caused.


New Version of Java

A new version of Java (1.6.0_29) has recently been released by Oracle. Our initial testing has revealed issues using this new version to access some of the FMS PKI Applications (ITS, ASAP, etc.). Please note, our initial testing of this new Java version to access SPS and ITRA applications did not reveal any issues. If you use SPS and ITRA only, you will not be impacted by this new version of Java.

If your agency has users that access FMS PKI applications other than SPS or ITRA, we recommend that you do not upgrade to Java version 1.6.0_29 until further notice. We are actively pursuing a fix to this issue and we will notify you when the fix has been deployed.


Java Plug-in

The new Java Plug-in, version 1.6.0_23, is available for download at: http://www.oracle.com/technetwork/java/javase/downloads/index.html.

For "Web SPS" users, we recommend that you update to this latest version of the Java Plug-in. Uninstall the existing Java Plug-in, install Java Plug-in version 1.6.0_23, and then run the "SPS Updater" from our latest installation CD labeled "SPS Combo CD" (dated June 2010). Limited testing of the SPS Application revealed no issues with this new version of the Java Plug-in. Please contact your Regional Servicing RFC if you have any questions.


To SPS Users: All Roles Update
Subject: User inactivity
Importance: Very High

It is highly recommended that all SPS users log into SPS (at least once) every few months to keep their SPS installation up-to-date, their user profile active and to also assist them with remembering their password.

If a SPS user's account has not been accessed (a successful login) within a 13 month period, the SPS user's account can be terminated. If the user's SPS account has been terminated due to inactivity (no login within the 13 month period), the user must undergo the full SPS registration process again.

FMS has a current IT Security Standard that states:

If any user account has not been accessed in 13 months or more, the account will be removed from the system. This applies to FMS employees and contractors, intermittent employees, external users, citizen users, and consumers. (AC0229)

If an account is removed due to inactivity, the user must reapply for access. (AC0230)

To comply with this standard, a monthly listing is generated of all SPS users who have not logged into the SPS Application in 13 months or longer (as computed from the signing date of their most recent electronic Rules of Behavior (RoB) agreement).

The SPS users identified in this monthly listing will be put in "inactive" status or completely removed from SPS. Either of these actions will prevent the user from accessing SPS. Users who still need access to SPS will need to contact their Servicing RFC for more instructions.

If you have any questions, please contact your Servicing RFC.


A new "Business Critical Patch Update Advisory" for Java Plug-in was released by Sun/Oracle on October 12, 2010. See http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

The new Java Plug-in, version 1.6.0_22, is available for download at http://www.oracle.com/technetwork/java/javase/downloads/index.html.

For "Web SPS" users, we recommend that you update to this latest version of the Java Plug-in -- uninstall the existing Java Plug-in, install Java Plug-in version 1.6.0_22, and then run the "SPS Updater" from our latest installation CD labeled "SPS Combo CD" (dated June 2010). Limited testing of the SPS Application revealed no issues with this new version of the Java Plug-in. Please contact your Regional Servicing RFC if you have any questions.

This update should be performed on all machines (including desktop, laptop, dialup and COOP computers) running Web SPS.

For "Self-Contained SPS" users, this update is not required.


Please make sure that all machines used to access SPS (including this one) are updated, on or before Monday September 27, 2010, with the most current version of SPS using the latest "SPS Installation CD" dated June 2010. If you are receiving a "SPS Software Update Alert" popup when logging into SPS, your machine has not been updated yet. For more information contact your Servicing Regional Financial Center.


In May 2009, we provided the new "SPS Schedule Upload 440 File format" that provided the data formats for both "GWA Reporter ALCs" and "Non-GWA Reporter ALCs". We did this in an effort to be pro-active and to give your agency a head start on building to the new format for becoming a GWA Reporter ALC.

However, we were recently made aware of additional enhancements which need to be incorporated into this upload format. These enhancements include additional fields for capturing the "Garnishment Indicator" data element, IAT payment elements, data elements to support the Payment Repository Initiative, data elements to allow "Credit" adjustments from Payees, etc. Because these additions are still being finalized and, when implemented, would cause significant changes to the version we provided, we are withdrawing this version until an updated version can be finalized. We regret this inconvenience and we highly recommend that agencies stop any current development efforts to build towards the previously provided version of the 440 GWA version file format.

We will notify you all when we have an approved version of the updated 440 format. We are also working on an XML version of the updated 440 format to be made available at the same time.

If you have any questions, please contact your Servicing Regional Financial Center.


Java Security Alert

There is a security exploit in the Java plug-in versions 1.6.0_10 through 1.6.0_19 that will affect users of Web-SPS. For more information, see: http://www.kb.cert.org/vuls/id/886582 and http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html.

If you are accessing SPS using "SPS Self-Contained" method, this note does not apply to you.

We strongly recommend that all Web-SPS users follow one of the two options listed here:

Option One: (Preferred Option - use SPS Self-Contained)

Uninstall any and all Java JRE Plug-in versions on your desktop and install "SPS Self-Contained" version from our latest installation CD labeled "SPS Combo CD" (dated July 2009). Please see the instructions on the installation CD. Use the "SPS Self-Contained" icon on your desktop to launch SPS Application. If you need a Java JRE Plug-in on your desktop (for applications other than SPS), please install Java JRE 1.6.0_20 available at the following URL: http://java.sun.com/javase/downloads/index.jsp. If there are any compatibility issues with this new version of JRE, please consult your application provider(s).

Option Two: (For users who prefer to use Web-SPS)

Uninstall any and all Java JRE Plug-in versions on your desktop and install Java JRE 1.6.0_20 available at the following URL: http://java.sun.com/javase/downloads/index.jsp. Then install "SPS Updater" available from our latest installation CD labeled "SPS Combo CD" (dated July 2009). Please see the instructions on the installation CD. Log in to Web-SPS as before, but note that you will be prompted with a "SPS Software Update Alert" indicating that "Software Java Plug-In 1.6.0_11" is "Out of Date". Please click on the "Skip..." button to proceed with logging into SPS. This alert message will disappear after the next release of SPS scheduled for May 24, 2010. If there are any compatibility issues with this new version of JRE with any applications including SPS, please consult your application provider(s).

A new SPS Installation CD (dated May 2010) that uses Java JRE 1.6.0_20 for Web-SPS is being developed now and will be distributed to all SPS users shortly.

Please note that you have to update to Java JRE 1.6.0_20 just once, even if you are a user of multiple FMS Applications such as SPS, ASAP, ITS, TCIS, etc.
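A version check for the affected range stated in this notice (1.6.0_10 through 1.6.0_19), as an added example that is not part of the original notice or any FMS tooling. The host names and inventory format are assumptions; version components are compared numerically so that 1.6.0_9 is not mistaken for a release newer than 1.6.0_10.

```python
import re

# Range stated in the notice: plug-in versions 1.6.0_10 through 1.6.0_19 are
# affected; 1.6.0_20 is the release the notice tells users to install.
AFFECTED_LOW = (1, 6, 0, 10)
AFFECTED_HIGH = (1, 6, 0, 19)

# Legacy Java version strings: 1.6.0_19, 1.6.0_20-b02, jre1.6.0_11, 1.6.0
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Return (major, minor, micro, update) as integers, or None if no match."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    # A missing "_NN" suffix means the initial release, i.e. update 0.
    return tuple(int(g) if g is not None else 0 for g in match.groups())


def classify(text):
    """Classify one version string against the range given in the notice."""
    version = parse_java_version(text)
    if version is None:
        return "unknown"      # unparsed entries need a manual look
    if AFFECTED_LOW <= version <= AFFECTED_HIGH:
        return "affected"
    if version > AFFECTED_HIGH:
        return "newer"        # 1.6.0_20 and later
    return "older"            # below the stated range; the notice makes no claim here


def hosts_needing_update(inventory):
    """Return {host: [affected version strings]} for hosts with any affected JRE.

    The notice asks for every installed plug-in version to be removed, so one
    affected entry flags the host even if a newer JRE is installed beside it.
    """
    flagged = {}
    for host, versions in inventory.items():
        hits = [v for v in versions if classify(v) == "affected"]
        if hits:
            flagged[host] = hits
    return flagged


# Constructed sample inventory (hypothetical host names and version strings).
SAMPLE_INVENTORY = {
    "ws-001": ['java version "1.6.0_11"', "1.6.0_20"],
    "ws-002": ["1.6.0_20-b02"],
    "ws-003": ["jre1.6.0_9"],
    "ws-004": ["1.6.0_19", "unparsed entry"],
}

if __name__ == "__main__":
    for host, hits in sorted(hosts_needing_update(SAMPLE_INVENTORY).items()):
        print(host, "affected:", ", ".join(hits))
```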

If you have any questions, please contact your primary servicing RFC.


   Last Updated:  March 14, 2014