PART 1311 DIGITAL CERTIFICATES
Obtaining and Using Digital Certificates for Electronic
Orders
Subpart B
Sec. 1311.10 Eligibility to obtain a CSOS
digital certificate.
The following persons are eligible to obtain a CSOS digital
certificate from the DEA Certification Authority to sign
electronic orders for controlled substances.
(a) The person who signed the most recent DEA registration
application or renewal application and a person authorized to
sign a registration application.
(b) A person granted power of attorney by a DEA registrant to
sign orders for one or more schedules of controlled substances.
Sec. 1311.15 Limitations on CSOS digital
certificates.
(a) A CSOS digital certificate issued by the DEA
Certification Authority will authorize the certificate holder to
sign orders for only those schedules of controlled substances
covered by the registration under which the certificate is
issued.
(b) When a registrant, in a power of attorney letter, limits
a certificate applicant to a subset of the registrant's
authorized schedules, the registrant is responsible for ensuring
that the certificate holder signs orders only for that subset of
schedules.
Sec. 1311.20 Coordinators for CSOS digital
certificate holders.
(a) Each registrant, regardless of number of digital
certificates issued, must designate one or more responsible
persons to serve as that registrant's CSOS coordinator regarding
issues pertaining to issuance of, revocation of, and changes to
digital certificates issued under that registrant's DEA
registration. While the coordinator will be the main point of
contact between one or more DEA registered locations and the
CSOS Certification Authority, all digital certificate activities
are the responsibility of the registrant with whom the digital
certificate is associated. Even when an individual registrant,
i.e., an individual practitioner, is applying for a digital
certificate to order controlled substances a CSOS Coordinator
must be designated; though in such a case, the individual
practitioner may also serve as the coordinator.
(b) Once designated, coordinators must identify themselves,
on a one-time basis, to the Certification Authority. If a
designated coordinator changes, the Certification Authority must
be notified of the change and the new responsibilities assumed
by each of the registrant's coordinators, if applicable.
Coordinators must complete the application that the DEA
Certification Authority provides and submit the following:
(1) Two copies of identification, one of which must be a
government- issued photographic identification.
(2) A copy of each current DEA Certificate of Registration
(DEA form 223) for each registered location for which the
coordinator will be responsible or, if the applicant (or their
employer) has not been issued a DEA registration, a copy of
each application for registration of the applicant or the
applicant's employer.
(3) The applicant must have the completed application
notarized and forward the completed application and
accompanying documentation to the DEA Certification Authority.
(c) Coordinators will communicate with the Certification
Authority regarding digital certificate applications, renewals
and revocations. For applicants applying for a digital
certificate from the DEA Certification Authority, and for
applicants applying for a power of attorney digital certificate
for a DEA registrant, the registrant's Coordinator must verify
the applicant's identity, review the application package, and
submit the completed package to the Certification Authority.
Sec. 1311.25 Requirements for obtaining a
CSOS digital certificate.
(a) To obtain a certificate to use for signing electronic
orders for controlled substances, a registrant or person with
power of attorney for a registrant must complete the application
that the DEA Certification Authority provides and submit the
following:
(1) Two copies of identification, one of which must be a
government- issued photographic identification.
(2) A current listing of DEA registrations for which the
individual has authority to sign controlled substances orders.
(3) A copy of the power of attorney from the registrant, if
applicable.
(4) An acknowledgment that the applicant has read and
understands the Subscriber Agreement and agrees to the
statement of subscriber obligations that DEA provides.
(b) The applicant must provide the completed application to
the registrant's coordinator for CSOS digital certificate
holders who will review the application and submit the completed
application and accompanying documentation to the DEA
Certification Authority.
(c) When the Certification Authority approves the
application, it will send the applicant a one-time use reference
number and access code, via separate channels, and information
on how to use them. Using this information, the applicant must
then electronically submit a request for certification of the
public digital signature key. After the request is approved, the
Certification Authority will provide the applicant with the
signed public key certificate.
(d) Once the applicant has generated the key pair, the
Certification Authority must prove that the user has possession
of the key. For public keys, the corresponding private key must
be used to sign the certificate request. Verification of the
signature using the public key in the request will serve as
proof of possession of the private key.
Sec. 1311.30 Requirements for storing and
using a private key for digitally signing orders.
(a) Only the certificate holder may access or use his or her
digital certificate and private key.
(b) The certificate holder must provide FIPS-approved secure
storage for the private key, as discussed by FIPS 140-2, 180-2,
186-2, and accompanying change notices and annexes, as
incorporated by reference in Sec.
1311.08.
(c) A certificate holder must ensure that no one else uses
the private key. While the private key is activated, the
certificate holder must prevent unauthorized use of that private
key.
(d) A certificate holder must not make back-up copies of the
private key.
(e) The certificate holder must report the loss, theft, or
compromise of the private key or the password, via a revocation
request, to the Certification Authority within 24 hours of
substantiation of the loss, theft, or compromise. Upon receipt
and verification of a signed revocation request, the
Certification Authority will revoke the certificate. The
certificate holder must apply for a new certificate under the
requirements of Sec. 1311.25.
Sec. 1311.35 Number of CSOS digital
certificates needed.
A purchaser of Schedule I and II controlled substances must
obtain a separate CSOS certificate for each registered location
for which the purchaser will order these controlled substances.
Sec. 1311.40 Renewal of CSOS digital
certificates.
(a) A CSOS certificate holder must generate a new key pair
and obtain a new CSOS digital certificate when the registrant's
DEA registration expires or whenever the information on which
the certificate is based changes. This information includes the
registered name and address, the subscriber's name, and the
schedules the registrant is authorized to handle. A CSOS
certificate will expire on the date on which the DEA
registration on which the certificate is based expires.
(b) The Certification Authority will notify each CSOS
certificate holder 45 days in advance of the expiration of the
certificate holder's CSOS digital certificate.
(c) If a CSOS certificate holder applies for a renewal before
the certificate expires, the certificate holder may renew
electronically twice. For every third renewal, the CSOS
certificate holder must submit a new application and
documentation, as provided in Sec.
1311.25.
(d) If a CSOS certificate expires before the holder applies
for a renewal, the certificate holder must submit a new
application and documentation, as provided in Sec. 1311.25.
Sec. 1311.45 Requirements for registrants
that allow powers of attorney to obtain CSOS digital
certificates under their DEA registration.
(a) A registrant that grants power of attorney must report to
the DEA Certification Authority within 6 hours of either of the
following (advance notice may be provided, where applicable):
(1) The person with power of attorney has left the employ
of the institution.
(2) The person with power of attorney has had his or her
privileges revoked.
(b) A registrant must maintain a record that lists each
person granted power of attorney to sign controlled substances
orders.
Sec. 1311.50 Requirements for recipients of
digitally signed orders.
(a) The recipient of a digitally signed order must do the
following before filling the order:
(1) Verify the integrity of the signature and the order by
having the system validate the order.
(2) Verify that the certificate holder's CSOS digital
certificate has not expired by checking the expiration date
against the date the order was signed.
(3) Check the validity of the certificate holder's
certificate by checking the Certificate Revocation List.
(4) Check the certificate extension data to determine
whether the sender has the authority to order the controlled
substance.
(b) A recipient may cache Certificate Revocation Lists for
use until they expire.
Sec. 1311.55 Requirements for systems used
to process digitally signed orders.
(a) A CSOS certificate holder and recipient of an electronic
order may use any system to write, track, or maintain orders
provided that the system has been enabled to process digitally
signed documents and that it meets the requirements of paragraph
(b) or (c) of this section.
(b) A system used to digitally sign Schedule I or II orders
must meet the following requirements:
(1) The cryptographic module must be FIPS 140-2, Level 1
validated, as incorporated by reference in Sec.
1311.08.
(2) The digital signature system and hash function must be
compliant with FIPS 186-2 and FIPS 180-2, as incorporated by
reference in Sec. 1311.08.
(3) The private key must be stored on a FIPS 140-2 Level 1
validated cryptographic module using a FIPS-approved
encryption algorithm, as incorporated by reference in Sec.
1311.08.
(4) The system must use either a user identification and
password combination or biometric authentication to access the
private key. Activation data must not be displayed as they are
entered.
(5) The system must set a 10-minute inactivity time period
after which the certificate holder must reauthenticate the
password to access the private key.
(6) For software implementations, when the signing module
is deactivated, the system must clear the plain text private
key from the system memory to prevent the unauthorized access
to, or use of, the private key.
(7) The system must be able to digitally sign and transmit
an order.
(8) The system must have a time system that is within five
minutes of the official National Institute of Standards and
Technology time source.
(9) The system must archive the digitally signed orders and
any other records required in part
1305 of this chapter, including any linked data.
(10) The system must create an order that includes all data
fields listed under Sec.
1305.21(b) of this chapter.
(c) A system used to receive, verify, and create linked
records for orders signed with a CSOS digital certificate must
meet the following requirements:
(1) The cryptographic module must be FIPS 140-2, Level 1
validated, as incorporated by reference in Sec.
1311.08.
(2) The digital signature system and hash function must be
compliant with FIPS 186-2 and FIPS 180-2, as incorporated by
reference in Sec. 1311.08.
(3) The system must determine that an order has not been
altered during transmission. The system must invalidate any
order that has been altered.
(4) The system must validate the digital signature using
the signer's public key. The system must invalidate any order
in which the digital signature cannot be validated.
(5) The system must validate that the DEA registration
number contained in the body of the order corresponds to the
registration number associated with the specific certificate
by separately generating the hash value of the registration
number and certificate subject distinguished name serial
number and comparing that hash value to the hash value
contained in the certificate extension for the DEA
registration number. If the hash values are not equal the
system must invalidate the order.
(6) The system must check the Certificate Revocation List
automatically and invalidate any order with a certificate
listed on the Certificate Revocation List.
(7) The system must check the validity of the certificate
and the Certification Authority certificate and invalidate any
order that fails these validity checks.
(8) The system must have a time system that is within five
minutes of the official National Institute of Standards and
Technology time source.
(9) The system must check the substances ordered against
the schedules that the registrant is allowed to order and
invalidate any order that includes substances the registrant
is not allowed to order.
(10) The system must ensure that an invalid finding cannot
be bypassed or ignored and the order filled.
(11) The system must archive the order and associate with
it the digital certificate received with the order.
(12) If a registrant sends reports on orders to DEA, the
system must create a report in the format DEA specifies, as
provided in Sec.
1305.29 of this chapter.
(d) For systems used to process CSOS orders, the system
developer or vendor must have an initial independent third-party
audit of the system and an additional independent third-party
audit whenever the signing or verifying functionality is changed
to determine whether it correctly performs the functions listed
under paragraphs (b) and (c) of this section. The system
developer must retain the most recent audit results and retain
the results of any other audits of the software completed within
the previous two years.
Sec. 1311.60 Recordkeeping.
(a) A supplier and purchaser must maintain records of CSOS
electronic orders and any linked records for two years. Records
may be maintained electronically. Records regarding controlled
substances that are maintained electronically must be readily
retrievable from all other records.
(b) Electronic records must be easily readable or easily
rendered into a format that a person can read. They must be made
available to the Administration upon request.
(c) CSOS certificate holders must maintain a copy of the
subscriber agreement that the Certification Authority provides
for the life of the certificate.