Section



[Code of Federal Regulations]
[Title 21, Volume 1]
[Revised as of April 1, 2005]
From the U.S. Government Printing Office via GPO Access
[CITE: 21CFR1311.55]

[Page 146-147]
 
                         TITLE 21-FOOD AND DRUGS
 
   CHAPTER II--DRUG ENFORCEMENT ADMINISTRATION, DEPARTMENT OF JUSTICE
 
PART 1311_DIGITAL CERTIFICATES--Table of Contents
 
Subpart B_Obtaining and Using Digital Certificates for Electronic Orders
 
Sec. 1311.55  Requirements for systems used to process digitally signed orders.

    (a) A CSOS certificate holder and recipient of an electronic order 
may use any system to write, track, or maintain orders provided that the 
system has been enabled to process digitally signed documents and that 
it meets the requirements of paragraph (b) or (c) of this section.
    (b) A system used to digitally sign Schedule I or II orders must 
meet the following requirements:
    (1) The cryptographic module must be FIPS 140-2, Level 1 validated, 
as incorporated by reference in Sec. 1311.08.
    (2) The digital signature system and hash function must be compliant 
with FIPS 186-2 and FIPS 180-2, as incorporated by reference in Sec. 
1311.08.
    (3) The private key must be stored on a FIPS 140-2 Level 1 validated 
cryptographic module using a FIPS-approved encryption algorithm, as 
incorporated by reference in Sec. 1311.08.
    (4) The system must use either a user identification and password 
combination or biometric authentication to access the private key. 
Activation data must not be displayed as they are entered.
    (5) The system must set a 10-minute inactivity time period after 
which the certificate holder must reauthenticate the password to access 
the private key.
    (6) For software implementations, when the signing module is 
deactivated, the system must clear the plain text private key from the 
system memory to prevent the unauthorized access to, or use of, the 
private key.
    (7) The system must be able to digitally sign and transmit an order.
    (8) The system must have a time system that is within five minutes 
of the official National Institute of Standards and Technology time 
source.
    (9) The system must archive the digitally signed orders and any 
other records required in part 1305 of this chapter, including any 
linked data.
    (10) The system must create an order that includes all data fields 
listed under Sec. 1305.21(b) of this chapter.
    (c) A system used to receive, verify, and create linked records for 
orders signed with a CSOS digital certificate must meet the following 
requirements:
    (1) The cryptographic module must be FIPS 140-2, Level 1 validated, 
as incorporated by reference in Sec. 1311.08.
    (2) The digital signature system and hash function must be compliant 
with FIPS 186-2 and FIPS 180-2, as incorporated by reference in Sec. 
1311.08.
    (3) The system must determine that an order has not been altered 
during transmission. The system must invalidate any order that has been 
altered.
    (4) The system must validate the digital signature using the 
signer's public key. The system must invalidate any order in which the 
digital signature cannot be validated.
    (5) The system must validate that the DEA registration number 
contained in the body of the order corresponds to the registration 
number associated with the specific certificate by separately generating 
the hash value of the registration number and certificate subject 
distinguished name serial number and comparing that hash value to the 
hash value contained in the certificate extension for the DEA 
registration number. If the hash values are not

[[Page 147]]

equal the system must invalidate the order.
    (6) The system must check the Certificate Revocation List 
automatically and invalidate any order with a certificate listed on the 
Certificate Revocation List.
    (7) The system must check the validity of the certificate and the 
Certification Authority certificate and invalidate any order that fails 
these validity checks.
    (8) The system must have a time system that is within five minutes 
of the official National Institute of Standards and Technology time 
source.
    (9) The system must check the substances ordered against the 
schedules that the registrant is allowed to order and invalidate any 
order that includes substances the registrant is not allowed to order.
    (10) The system must ensure that an invalid finding cannot be 
bypassed or ignored and the order filled.
    (11) The system must archive the order and associate with it the 
digital certificate received with the order.
    (12) If a registrant sends reports on orders to DEA, the system must 
create a report in the format DEA specifies, as provided in Sec. 
1305.29 of this chapter.
    (d) For systems used to process CSOS orders, the system developer or 
vendor must have an initial independent third-party audit of the system 
and an additional independent third-party audit whenever the signing or 
verifying functionality is changed to determine whether it correctly 
performs the functions listed under paragraphs (b) and (c) of this 
section. The system developer must retain the most recent audit results 
and retain the results of any other audits of the software completed 
within the previous two years.