The following persons are eligible to obtain a CSOS digital certificate from the DEA Certification Authority to sign electronic orders for controlled substances.
(a) The person who signed the most recent DEA registration application or renewal application and a person authorized to sign a registration application.
(b) A person granted power of attorney by a DEA registrant to sign orders for one or more schedules of controlled substances.
(a) A CSOS digital certificate issued by the DEA Certification Authority will authorize the certificate holder to sign orders for only those schedules of controlled substances covered by the registration under which the certificate is issued.
(b) When a registrant, in a power of attorney letter, limits a certificate applicant to a subset of the registrant's authorized schedules, the registrant is responsible for ensuring that the certificate holder signs orders only for that subset of schedules.
(a) Each registrant, regardless of number of digital certificates issued, must designate one or more responsible persons to serve as that registrant's CSOS coordinator regarding issues pertaining to issuance of, revocation of, and changes to digital certificates issued under that registrant's DEA registration. While the coordinator will be the main point of contact between one or more DEA registered locations and the CSOS Certification Authority, all digital certificate activities are the responsibility of the registrant with whom the digital certificate is associated. Even when an individual registrant, i.e., an individual practitioner, is applying for a digital certificate to order controlled substances a CSOS Coordinator must be designated; though in such a case, the individual practitioner may also serve as the coordinator.
(b) Once designated, coordinators must identify themselves, on a one-time basis, to the Certification Authority. If a designated coordinator changes, the Certification Authority must be notified of the change and the new responsibilities assumed by each of the registrant's coordinators, if applicable. Coordinators must complete the application that the DEA Certification Authority provides and submit the following:
(1) Two copies of identification, one of which must be a government-issued photographic identification.
(2) A copy of each current DEA Certificate of Registration (DEA form 223) for each registered location for which the coordinator will be responsible or, if the applicant (or their employer) has not been issued a DEA registration, a copy of each application for registration of the applicant or the applicant's employer.
(3) The applicant must have the completed application notarized and forward the completed application and accompanying documentation to the DEA Certification Authority.
(c) Coordinators will communicate with the Certification Authority regarding digital certificate applications, renewals and revocations. For applicants applying for a digital certificate from the DEA Certification Authority, and for applicants applying for a power of attorney digital certificate for a DEA registrant, the registrant's Coordinator must verify the applicant's identity, review the application package, and submit the completed package to the Certification Authority.
(a) To obtain a certificate to use for signing electronic orders for controlled substances, a registrant or person with power of attorney for a registrant must complete the application that the DEA Certification Authority provides and submit the following:
(1) Two copies of identification, one of which must be a government-issued photographic identification.
(2) A current listing of DEA registrations for which the individual has authority to sign controlled substances orders.
(3) A copy of the power of attorney from the registrant, if applicable.
(4) An acknowledgment that the applicant has read and understands the Subscriber Agreement and agrees to the statement of subscriber obligations that DEA provides.
(b) The applicant must provide the completed application to the registrant's coordinator for CSOS digital certificate holders who will review the application and submit the completed application and accompanying documentation to the DEA Certification Authority.
(c) When the Certification Authority approves the application, it will send the applicant a one-time use reference number and access code, via separate channels, and information on how to use them. Using this information, the applicant must then electronically submit a request for certification of the public digital signature key. After the request is approved, the Certification Authority will provide the applicant with the signed public key certificate.
(d) Once the applicant has generated the key pair, the Certification Authority must prove that the user has possession of the key. For public keys, the corresponding private key must be used to sign the certificate request. Verification of the signature using the public key in the request will serve as proof of possession of the private key.
(a) Only the certificate holder may access or use his or her digital certificate and private key.
(b) The certificate holder must provide FIPS-approved secure storage for the private key, as discussed by FIPS 140-2, 180-2, 186-2, and accompanying change notices and annexes, as incorporated by reference in § 1311.08.
(c) A certificate holder must ensure that no one else uses the private key. While the private key is activated, the certificate holder must prevent unauthorized use of that private key.
(d) A certificate holder must not make back-up copies of the private key.
(e) The certificate holder must report the loss, theft, or compromise of the private key or the password, via a revocation request, to the Certification Authority within 24 hours of substantiation of the loss, theft, or compromise. Upon receipt and verification of a signed revocation request, the Certification Authority will revoke the certificate. The certificate holder must apply for a new certificate under the requirements of § 1311.25.
A purchaser of Schedule I and II controlled substances must obtain a separate CSOS certificate for each registered location for which the purchaser will order these controlled substances.
(a) A CSOS certificate holder must generate a new key pair and obtain a new CSOS digital certificate when the registrant's DEA registration expires or whenever the information on which the certificate is based changes. This information includes the registered name and address, the subscriber's name, and the schedules the registrant is authorized to handle. A CSOS certificate will expire on the date on which the DEA registration on which the certificate is based expires.
(b) The Certification Authority will notify each CSOS certificate holder 45 days in advance of the expiration of the certificate holder's CSOS digital certificate.
(c) If a CSOS certificate holder applies for a renewal before the certificate expires, the certificate holder may renew electronically twice. For every third renewal, the CSOS certificate holder must submit a new application and documentation, as provided in § 1311.25.
(d) If a CSOS certificate expires before the holder applies for a renewal, the certificate holder must submit a new application and documentation, as provided in § 1311.25.
(a) A registrant that grants power of attorney must report to the DEA Certification Authority within 6 hours of either of the following (advance notice may be provided, where applicable):
(1) The person with power of attorney has left the employ of the institution.
(2) The person with power of attorney has had his or her privileges revoked.
(b) A registrant must maintain a record that lists each person granted power of attorney to sign controlled substances orders.
(a) The recipient of a digitally signed order must do the following before filling the order:
(1) Verify the integrity of the signature and the order by having the system validate the order.
(2) Verify that the certificate holder's CSOS digital certificate has not expired by checking the expiration date against the date the order was signed.
(3) Check the validity of the certificate holder's certificate by checking the Certificate Revocation List.
(4) Check the certificate extension data to determine whether the sender has the authority to order the controlled substance.
(b) A recipient may cache Certificate Revocation Lists for use until they expire.
(a) A CSOS certificate holder and recipient of an electronic order may use any system to write, track, or maintain orders provided that the system has been enabled to process digitally signed documents and that it meets the requirements of paragraph (b) or (c) of this section.
(b) A system used to digitally sign Schedule I or II orders must meet the following requirements:
(1) The cryptographic module must be FIPS 140-2, Level 1 validated, as incorporated by reference in § 1311.08.
(2) The digital signature system and hash function must be compliant with FIPS 186-2 and FIPS 180-2, as incorporated by reference in § 1311.08.
(3) The private key must be stored on a FIPS 140-2 Level 1 validated cryptographic module using a FIPS-approved encryption algorithm, as incorporated by reference in § 1311.08.
(4) The system must use either a user identification and password combination or biometric authentication to access the private key. Activation data must not be displayed as they are entered.
(5) The system must set a 10-minute inactivity time period after which the certificate holder must reauthenticate the password to access the private key.
(6) For software implementations, when the signing module is deactivated, the system must clear the plain text private key from the system memory to prevent the unauthorized access to, or use of, the private key.
(7) The system must be able to digitally sign and transmit an order.
(8) The system must have a time system that is within five minutes of the official National Institute of Standards and Technology time source.
(9) The system must archive the digitally signed orders and any other records required in part 1305 of this chapter, including any linked data.
(10) The system must create an order that includes all data fields listed under § 1305.21(b) of this chapter.
(c) A system used to receive, verify, and create linked records for orders signed with a CSOS digital certificate must meet the following requirements:
(1) The cryptographic module must be FIPS 140-2, Level 1 validated, as incorporated by reference in § 1311.08.
(2) The digital signature system and hash function must be compliant with FIPS 186-2 and FIPS 180-2, as incorporated by reference in § 1311.08.
(3) The system must determine that an order has not been altered during transmission. The system must invalidate any order that has been altered.
(4) The system must validate the digital signature using the signer's public key. The system must invalidate any order in which the digital signature cannot be validated.
(5) The system must validate that the DEA registration number contained in the body of the order corresponds to the registration number associated with the specific certificate by separately generating the hash value of the registration number and certificate subject distinguished name serial number and comparing that hash value to the hash value contained in the certificate extension for the DEA registration number. If the hash values are not equal the system must invalidate the order.
(6) The system must check the Certificate Revocation List automatically and invalidate any order with a certificate listed on the Certificate Revocation List.
(7) The system must check the validity of the certificate and the Certification Authority certificate and invalidate any order that fails these validity checks.
(8) The system must have a time system that is within five minutes of the official National Institute of Standards and Technology time source.
(9) The system must check the substances ordered against the schedules that the registrant is allowed to order and invalidate any order that includes substances the registrant is not allowed to order.
(10) The system must ensure that an invalid finding cannot be bypassed or ignored and the order filled.
(11) The system must archive the order and associate with it the digital certificate received with the order.
(12) If a registrant sends reports on orders to DEA, the system must create a report in the format DEA specifies, as provided in § 1305.29 of this chapter.
(d) For systems used to process CSOS orders, the system developer or vendor must have an initial independent third-party audit of the system and an additional independent third-party audit whenever the signing or verifying functionality is changed to determine whether it correctly performs the functions listed under paragraphs (b) and (c) of this section. The system developer must retain the most recent audit results and retain the results of any other audits of the software completed within the previous two years.
(a) A supplier and purchaser must maintain records of CSOS electronic orders and any linked records for two years. Records may be maintained electronically. Records regarding controlled substances that are maintained electronically must be readily retrievable from all other records.
(b) Electronic records must be easily readable or easily rendered into a format that a person can read. They must be made available to the Administration upon request.
(c) CSOS certificate holders must maintain a copy of the subscriber agreement that the Certification Authority provides for the life of the certificate.