CFR - Section 1311 Digital Certificates

DEA Diversion Control Program Logo and Banner

DIVERSION PROGRAMS

APPLICATIONS & ON-LINE FORMS

ARCOS

CHEMICALS

CONTROLLED SUBSTANCE SCHEDULES

REPORTS REQUIRED BY 21 CFR

RESOURCES

CAREER OPPORTUNITIES

DEA MAILING ADDRESSES

DRUGS/CHEMICALS OF CONCERN

e-COMMERCE INITIATIVES

FEDERAL REGISTER NOTICES

MEETINGS & EVENTS

OFFICES & DIRECTORIES

PROGRAM DESCRIPTION

PUBLICATIONS

QUESTIONS & ANSWERS

REGULATIONS & CODIFIED CSA

SIGNIFICANT GUIDANCE DOCUMENTS

LINKS

FEDERAL AGENCIES & RELATED

INDUSTRY RELATED

PUBLIC INTEREST

To view PDF documents

External links included in this website should not be construed as an official endorsement of the views contained therein.

Regulations & Codified CSA > CFR > Section 1311 Digital Certificates

Code of Federal Regulations

PART 1311 DIGITAL CERTIFICATES

Subpart A General

1311.01 Scope.
1311.02 Definitions.
1311.05 Standards for technologies for electronic transmission of orders.
1311.08 Incorporation by reference.

Sec. 1311.01 Scope.

This part sets forth the rules governing the use of digital signatures and the protection of private keys by registrants.

Sec. 1311.02 Definitions.

For the purposes of this chapter:

Biometric authentication means authentication based on measurement of the individual's physical features or repeatable actions where those features or actions are both unique to the individual and measurable.

Cache means to download and store information on a local server or hard drive.

Certificate Policy means a named set of rules that sets forth the applicability of the specific digital certificate to a particular community or class of application with common security requirements.

Certificate Revocation List (CRL) means a list of revoked, but unexpired certificates issued by a Certification Authority.

Certification Authority (CA) means an organization that is responsible for verifying the identity of applicants, authorizing and issuing a digital certificate, maintaining a directory of public keys, and maintaining a Certificate Revocation List.

CSOS means controlled substance ordering system. Digital certificate means a data record that, at a minimum:

(1) Identifies the certification authority issuing it;
(2) Names or otherwise identifies the certificate holder;
(3) Contains a public key that corresponds to a private key under the sole control of the certificate holder;
(4) Identifies the operational period; and
(5) Contains a serial number and is digitally signed by the Certification Authority issuing it.

Digital signature means a record created when a file is algorithmically transformed into a fixed length digest that is then encrypted using an asymmetric cryptographic private key associated with a digital certificate. The combination of the encryption and algorithm transformation ensure that the signer's identity and the integrity of the file can be confirmed.

Electronic signature means a method of signing an electronic message that identifies a particular person as the source of the message and indicates the person's approval of the information contained in the message.

FIPS means Federal Information Processing Standards. These Federal standards, as incorporated by reference in Sec. 1311.08, prescribe specific performance requirements, practices, formats, communications protocols, etc., for hardware, software, data, etc.

FIPS 140-2, as incorporated by reference in Sec. 1311.08, means a Federal standard for security requirements for cryptographic modules.

FIPS 180-2, as incorporated by reference in Sec. 1311.08, means a Federal secure hash standard.

FIPS 186-2, as incorporated by reference in Sec. 1311.08, means a Federal standard for applications used to generate and rely upon digital signatures.

Key pair means two mathematically related keys having the properties that:

(1) One key can be used to encrypt a message that can only be decrypted using the other key; and
(2) Even knowing one key, it is computationally infeasible to discover the other key.

NIST means the National Institute of Standards and Technology.

Private key means the key of a key pair that is used to create a digital signature.

Public key means the key of a key pair that is used to verify a digital signature. The public key is made available to anyone who will receive digitally signed messages from the holder of the key pair.

Public Key Infrastructure (PKI) means a structure under which a Certification Authority verifies the identity of applicants, issues, renews, and revokes digital certificates, maintains a registry of public keys, and maintains an up-to-date Certificate Revocation List.

Sec. 1311.05 Standards for technologies for electronic transmission of orders.

(a) A registrant or a person with power of attorney to sign orders for Schedule I and II controlled substances may use any technology to sign and electronically transmit orders if the technology provides all of the following:

(1) Authentication: The system must enable a recipient to positively verify the signer without direct communication with the signer and subsequently demonstrate to a third party, if needed, that the sender's identity was properly verified.

(2) Nonrepudiation: The system must ensure that strong and substantial evidence is available to the recipient of the sender's identity, sufficient to prevent the sender from successfully denying having sent the data. This criterion includes the ability of a third party to verify the origin of the document.

(3) Message integrity: The system must ensure that the recipient, or a third party, can determine whether the contents of the document have been altered during transmission or after receipt.

(b) DEA has identified the following means of electronically signing and transmitting order forms as meeting all of the standards set forth in paragraph (a) of this section.

(1) Digital signatures using Public Key Infrastructure (PKI) technology.

(2) [Reserved]

Sec. 1311.08 Incorporation by reference.

(a) The following standards are incorporated by reference:

(1) FIPS 140-2, Security Requirements for Cryptographic Modules, May 25, 2001, as amended by Change Notices 2 through 4, December 3, 2002.

(i) Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, September 23, 2004.

(ii) Annex B: Approved Protection Profiles for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, November 4, 2004.

(iii) Annex C: Approved Random Number Generators for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, January 31, 2005.

(iv) Annex D: Approved Key Establishment Techniques for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, February 23, 2004.

(2) FIPS 180-2, Secure Hash Standard, August 1, 2002, as amended by change notice 1, February 25, 2004.

(3) FIPS 186-2, Digital Signature Standard, January 27, 2000, as amended by Change Notice 1, October 5, 2001.

(b) These standards are available from the National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, MD 20899-8930 and are available at http://csrc.nist.gov/.

(c) These incorporations by reference were approved by the Director of the Federal Register in accordance with 5 U.S.C. 552(a) and 1 CFR part 51. Copies may be inspected at the Drug Enforcement Administration, 600 Army Navy Drive, Arlington, VA 22202 or at the National Archives and Records Administration (NARA). For information on the availability of this material at NARA, call (202) 741-6030, or go to: http:// www.archives.gov/federal--register/code--of--federal--regulations/ibr-- locations.html.

HOME