

[Federal Register: June 27, 2003 (Volume 68, Number 124)]
[Proposed Rules]
[Page 38557-38581]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr27jn03-38]


DEPARTMENT OF JUSTICE

Drug Enforcement Administration

21 CFR Parts 1305 and 1311

[Docket No. DEA-217P]
RIN 1117-AA60

Electronic Orders for Controlled Substances

AGENCY: Drug Enforcement Administration (DEA), Justice.

ACTION: Notice of proposed rulemaking.


SUMMARY: DEA is proposing to revise its regulations to provide an electronic equivalent to the DEA official order form, which is legally required for all distributions involving Schedule I and II controlled substances. These proposed regulations will allow registrants to order Schedule I and II substances electronically and maintain the records of  these orders electronically. The proposed regulations would reduce paperwork and transaction times for DEA registrants who handle, sell, or buy these controlled substances. This proposed rule has no effect on patients' ability to receive prescriptions for controlled substances from practitioners, nor on their ability to have those prescriptions filled at pharmacies. In fact, this rule will help to ensure the appropriate supply of controlled substances throughout the distribution system.

DATES: Written comments must be postmarked on or before September 25, 2003.

ADDRESSES: Comments should be submitted to the Deputy Assistant Administrator, Office of Diversion Control, Drug Enforcement Administration, Washington, DC 20537, Attention: DEA Federal Register Representative/CCR.

FOR FURTHER INFORMATION CONTACT: Patricia M. Good, Chief, Liaison and Policy Section, Office of Diversion Control, Drug Enforcement Administration, Washington, DC 20537, Telephone (202) 307-7297.

SUPPLEMENTARY INFORMATION:

I. Background

What is DEA's Legal Authority for these Regulations?
What are the current requirements for distributing Schedule I and II controlled substances?
Why is this level of control necessary? 
If the current system works to limit diversion, why is a change needed?
What is the Electronic Signatures in Global and National Commerce Act?

II. Proposed Approach

What is DEA's objective with this proposed rule?
How did DEA develop its approach?
What approach has DEA selected?
Why are authentication, nonrepudiation, and message integrity requirements necessary?
What existing technologies meet these proposed criteria?
Why do other electronic signature systems not meet the performance standards?
Why is a digital signature approach necessary?
How is a digital certificate an electronic equivalent of a Form 222?
In simple terms, how does a digital signature work?
In simple terms, how would this system work for the user?
What is a Certification Authority and why is it needed?
What would the Certification Authority do?
Who would serve as the Certification Authority?

III. Discussion of the proposed rule on electronic orders

A. Digital Certificates

How are digital certificates obtained?
Who are CSOS Coordinators and what is their role in the digital certificate enrollment process?
How would a person obtain a digital certificate?
Why does the application need to be notarized?
How many certificates will be required?
What is the renewal period for digital certificates?
What are the requirements for companies that grant power of attorney to authorize use of their DEA registrations?
What systems are required to use a digital signature?
What systems are required to be able to process a digital signature?
What are the FIPS Standards and why are they needed?
How is it possible to determine whether a specific system meets these criteria?
What are the requirements for safeguarding private keys?
What are the conditions that would lead DEA to revoke a certificate?

B. Orders

What is DEA proposing for electronic orders?
What are the differences between DEA Form 222 and electronic orders?
What data must be included in an electronic order?
How can electronic orders be annotated?
Can an order be endorsed to another supplier?
Can a centralized processing facility be used?
What information is a supplier required to report to DEA?
Why does the reporting period change for electronic orders?
Can a digital certificate be used to sign orders for Schedule III through V controlled substances?

IV. Section by Section Discussion of the Proposed Rule

How is the proposed rule structured?
Incorporation by Reference

V. Required Analyses

Executive Order 12866
Regulatory Flexibility Act
Small Business Regulatory Enforcement Fairness Act of 1996
Paperwork Reduction Act
Executive Order 12988
Executive Order 13132
Unfunded Mandates Reform Act of 1995

I. Background

What Is DEA's Legal Authority for These Regulations?

DEA enforces the Controlled Substances Act (CSA) (21 U.S.C. 801 et seq.), as amended. DEA regulations implementing this statute are published in title 21 of the Code of Federal Regulations (CFR), part 1300 to 1399. These regulations are designed to establish a framework for the legal distribution of controlled substances to deter their diversion to illegal purposes and to ensure that there is a sufficient supply of these drugs for legitimate medical purposes.

What Are the Current Requirements for Distributing Schedule I and II Controlled Substances?

The CSA prohibits distribution of Schedule I and II controlled substances except in response to a written order from the purchaser on a form DEA issues (21 U.S.C. 828(a)). DEA issues Form 222 to registrants for this purpose, preprinting on each form the registrant's name, registered location, DEA registration number, schedules, and business activity. DEA serially numbers the forms and requires registrants to maintain and account for all forms issued. Executed and unexecuted Forms 222 must be available for DEA inspection. The CSA requires that executed Forms 222 be maintained for two years (21 U.S.C. 828(c)).

When ordering a Schedule I or II substance, the purchaser must provide two copies of the Form 222 to the supplier and retain one copy. Upon filling the order, the supplier must annotate both copies of the form with details of the controlled substances distributed, retain one copy as the official record of the distribution, and send the second copy of the annotated Form 222 to DEA. Upon receipt of the order, the purchasers must also annotate their copy, noting the quantity of controlled substances received and date of receipt.

Why Is This Level of Control Necessary?

The purpose of DEA's regulations is to establish a framework for the legal distribution of controlled substances and to prevent their diversion to the illegal markets. Controlled substances are those substances listed in the schedules of the CSA and 21 CFR 1308.11-1308.15, and generally include narcotics, stimulants, depressants, hallucinogens, and anabolic steroids that have a high potential for abuse and dependency. DEA's regulations require that people involved in the manufacture, distribution, research, dispensing, import, and export of controlled substances register with DEA, keep track of all stocks of controlled substances, and maintain records to account for all stocks received, distributed, or otherwise disposed of. For Schedule I and II controlled substances, which have the highest potential for abuse and dependency, the CSA mandates that distribution can only occur in response to an order signed by the purchaser on a form issued to the purchaser by DEA. For other schedules, the law requires recordkeeping by both DEA-registered parties.

If the Current System Works to Limit Diversion, Why Is A Change Needed?

Although the current regulatory structure limits diversion, it does not address or provide for the use of modern computer technologies. DEA issued more than five million individual order forms in fiscal year 2001. Using 2001 as an average year, because both the purchaser and supplier must maintain copies of the form for two years, the order system requires the maintenance of almost twenty million forms. 

Many, if not most, of the registrants using Form 222 place all of their other orders electronically. Many suppliers receive electronic notice from their purchasers of their intention to place Schedule I and II orders, but the orders cannot be filled until the supplier receives the DEA-issued Form 222 from the purchaser. The processing of the Form 222 takes one to three days from the time the form is completed to the time the order is delivered; electronic orders can be processed and filled immediately. Industry has asked DEA to provide an electronic means to satisfy the legal requirements for order forms. This proposed rule is in response to that request and will not only satisfy the requirements for Schedule I and II transactions, but may also be used for Schedule III through V transactions. Use of this system for all controlled substances transactions will facilitate the verification and authentication of the registration status of customers. 

In addition, two recent laws, the Government Paperwork Elimination Act of 1998 (GPEA) and the Electronic Signatures in Global and National Commerce Act of 2000 (E-Sign) require Federal agencies to allow electronic recordkeeping and reporting and recognize electronic signatures.

What Is the Electronic Signatures in Global and National Commerce Act?

The Electronic Signatures in Global and National Commerce Act of 2000, commonly known as E-Sign, was signed into law on June 30, 2000. It establishes the basic rules for using electronic signatures and records in commerce. E-Sign was enacted to encourage electronic commerce by giving legal effect to electronic signatures and records and to protect consumers. E-Sign prohibits government agencies from denying the legal effect of electronic signatures and records of electronic commerce based solely on their electronic nature, but allows Federal, state, and local agencies to set performance standards where necessary to ensure record integrity and accessibility of records.

Section 104(a) of E-Sign provides that, subject to the requirements of the Government Paperwork Elimination Act of 1998 (GPEA), "* * * nothing in this title limits or supersedes any requirement by a Federal regulatory agency, self-regulatory organization, or State regulatory agency that records be filed with such agency or organization in accordance with specified standards or formats." The CSA and regulations require that distributions involving Schedule I or II controlled substances may be accomplished only when the orders are made on forms that DEA issued in triplicate to the purchaser and upon which DEA has imprinted the name of the purchaser (21 U.S.C. 828(d)(1) and 21 CFR 1305.05(a)). The law further provides that "* * * it shall be unlawful for any other person (A) to use such form for the purpose of obtaining controlled substances or (B) to furnish such form to any person with intent thereby to procure the distribution of such substances." (21 U.S.C. 828(d)(1)). Of the three copies of the form issued, the purchaser and the supplier must each maintain a copy, and the supplier must provide a copy to DEA following completion of the transaction (21 CFR 1305.13). The CSA and implementing regulations clearly establish a specified standard and format that must be adhered to in filing records of distributions of Schedule I and II controlled substances with DEA, which are not superseded by E-Sign. It should be noted that the filing requirement is subject to the requirements of GPEA, which requires, in part, that for certain governmental filings, an electronic means to satisfy the requirement must be established, to the extent practicable, by October 2003. DEA does anticipate that the electronic means to satisfy the order form requirement that is being proposed in this rule will be in place by the GPEA deadline.

II. Proposed Approach

What Is DEA's Objective With This Proposed Rule?

DEA's objective is to develop an approach for electronic orders that takes advantage of computer technology without compromising the effectiveness of the existing system to limit diversion of controlled substances.

How Did DEA Develop Its Approach?

Before selecting an approach, DEA developed a set of basic performance standards that any electronic signature system would have to meet to serve as an electronic equivalent of the DEA Form 222 and reviewed all of the existing electronic signature technologies. DEA also met with representatives from a mix of manufacturers, distributors, pharmacies, and other interested parties to identify issues with the DEA Form 222 and to identify the information technologies (IT) registrants currently use in their ordering process. If the proposed rule is to provide the benefits that DEA and industry seek, the system should be compatible with existing information technology architectures and configurations. The results of DEA's meetings are summarized in two documents: Public Key Infrastructure Certificate Policy Requirements Analysis and Public Key Infrastructure Existing Network Infrastructure Analysis, which are available at  http://www.deadiversion.usdoj.gov. Throughout the project, DEA has continued to meet with industry to discuss the requirements and to obtain more detailed technical input on how the proposed approach could be integrated with existing IT systems.

What Approach Has DEA Selected?

DEA is proposing to include in the rule three performance standards that are necessary to ensure that the electronic system is substantially equivalent to the DEA Form 222: message/record integrity, authentication, and nonrepudiation. DEA has determined that of the existing electronic signature technologies, only digital signatures using certificates issued through a public key infrastructure (PKI) system, operated by DEA, provide for record integrity and can serve as the functional equivalent of the form that the CSA mandates DEA to provide. If other technologies are identified that meet all of the performance standards, DEA will consider them and determine whether they could satisfy the CSA mandates with respect to order forms.

The proposed rule would not mandate the use of an electronic system, but would provide registrants with an alternative to DEA Form 222. A DEA-issued digital certificate would contain the information that DEA preprints on a Form 222. Each registrant who wants to order Schedule I or II controlled substances electronically would need to apply to the DEA Certification Authority (CA) for a digital certificate.

Why Are Authentication, Nonrepudiation, and Message Integrity Requirements Necessary?

The CSA requires that Schedule I or II controlled substances be distributed only in response to signed orders submitted by purchasers on a form issued to them by DEA. The paper Form 222 offers a level of authentication because DEA issues the form only to a valid registrant who is authorized to place the order. Further the order form is bound to a specific registrant and location preprinted by DEA on the form. The registrant's manual signature on the form provides the element of nonrepudiation. The existence of multiple copies held by separate parties ensures the integrity of the document.

With electronic transmission, the importance of authentication, nonrepudiation, and message integrity, criteria the current system meets, is magnified. It is not difficult to send electronic messages in other people's names or intercept, duplicate, or alter messages. Image files and read-only files are now relatively easy to copy, alter, and replace. If purchasers and suppliers are to be able to use computer technology for controlled substance orders, it is critical that they be able to trust the system. Suppliers and purchasers must trust that an order has not been altered during transmission. Suppliers must trust that the purchaser who signed the order is who he or she claimed to be. They (and DEA) must be certain that an order they sign or receive has not been altered and that no one other than an authorized, DEA-registered purchaser could have sent it.

None of the three characteristics is sufficient by itself. If a technology provided nonrepudiation and authentication of the signature, but the message could be altered, the nonrepudiation and authentication would be questionable. For example, if the identity of a purchaser was verified and a purchaser used a biometric to electronically sign an order, but the document could be altered either during transmission or after receipt by the supplier, the purchaser could repudiate the document even though it could be proved that a specific registrant had signed it. If the message could not be altered, but the identity of the signature holder had never been verified or the password or signing key could be used by anyone, the integrity of the message would also be questionable. In this case, you could prove that a specific order had been sent, but not who had actually sent it. To retain the integrity of the diversion control system, it is necessary to establish specific performance criteria with minimum acceptable standards for any technology that is to be used for signing Schedule I and II controlled substance orders.

What Existing Technologies Meet These Proposed Criteria?

At present, only a digital signature based on a public key infrastructure (PKI) would provide the authentication, nonrepudiation, and message integrity that are necessary to protect these communications and prevent alteration of the documents. In a June 2000 report, "The Evolving Federal Public Key Infrastructure," the Federal Public Key Infrastructure Steering Committee described the benefits PKI provides as follows:

Public key technology provides a mechanism to authenticate users strongly over closed or open networks, ensure integrity of data transmitted over those networks, achieve technical nonrepudiation for transactions, and allow strong encryption of information for privacy/confidentiality or security purposes. Strongly authenticating users is a critical element in securing any infrastructure; if you cannot be certain with whom you are dealing, there is substantial potential for mischief. Ensuring data integrity of data from end-user to end-user makes it more difficult for data substitution attacks aimed at servers or hosts to succeed. Technical nonrepudiation binds a user to a transaction in a fashion that provides important forensic evidence in the event of a later problem. Encryption protects private information from being divulged even over open networks.

PKI systems are based on asymmetric cryptography: the holder of the digital certificate has a private key, which only the certificate holder can access, and a public key, which is available to anyone. What one key encrypts, only the other key can decrypt. It is computationally infeasible for the two keys to be derived from each other. Only one public key will validate signatures made using its corresponding private key. Because the private key is held by only one person, it is that person's responsibility to ensure that it is not divulged or compromised. The method in which PKI systems ensure the integrity of the message is explained in detail in the section entitled "In simple terms, how does a digital signature work?"

A PKI system is more than cryptographic keys. The infrastructure component (the "I" in PKI) is critical to meeting the criteria for authentication, integrity and nonrepudiation. PKI systems are operated by a Certification Authority (CA), which is responsible for verifying the identity of any applicant for a digital certificate, maintaining security, establishing the responsibilities of certificate holders, and maintaining a public directory of public keys and an up-to-date certificate revocation list. The Certification Authority is a trusted third party. Suppliers and purchasers need only trust the CA, in this case DEA, to be able to trust each other.

Why Do Other Electronic Signature Systems Not Meet the Performance Standards?

Other technologies create signatures that are generically referred to as electronic signatures. DEA investigated other electronic signature technologies, but determined that none of them met all three performance criteria. Common electronic signature systems include symmetric cryptography technologies and non-cryptographic methods. Any of the systems may provide for authentication if the controlling authority takes steps to verify the identity of the person using a cryptographic key or password, but this verification is not usually a key element of systems based on electronic signature technologies. Electronic signature systems that rely on symmetric cryptography, where both parties to the transaction use the same key, do not meet the standard of nonrepudiation. The Federal Public Key Infrastructure Steering Committee also noted that symmetric cryptography technology is not suitable for systems that have more than a few users.

None of these electronic signature technologies, by themselves, including biometrics, provide for record integrity. With any of the existing electronic signature technologies, there would be no assurance that the record had not been altered during or after transmission.

Why Is a Digital Signature Approach Necessary?

After reviewing options, DEA determined that a digital certificate issued by DEA is the only "electronic signature" technology that meets the dual requirements:

  • The digital certificate provides the message/record integrity, authentication, and nonrepudiation that DEA has determined are necessary to tie these communications to a specific person and prevent alteration of the documents. These standards are substantially related to achieving diversion control.

  • The digital certificate would be the functional equivalent of the paper order form, which the CSA requires DEA to issue.

The digital certificate system DEA is proposing would establish an electronic alternative to Form 222 for Schedule I and II controlled substances that will allow registrants to retain their current ordering systems. Instead of an electronic form, the DEA Certification Authority will issue digital certificates, which will serve as an electronic equivalent of the Form 222.

How Is a Digital Certificate an Electronic Equivalent of a Form 222?

The key elements of a Form 222 are that DEA issues them only to registrants authorized to order Schedule I and II controlled substances and preprints the forms with information that ties the form to a specific registrant and location. Only digital certificates issued by DEA under the same circumstances as the Form 222 will be allowed for signing electronic orders for Schedule I and II controlled substances. All of the information currently preprinted on the Form 222 will be part of the digital certificate extension data, which will be included on each order that is digitally signed. The digital certificate attached to an electronic order with the digital signature will create the equivalent of the Form 222. To accept an order, the supplier's software must perform the validation functions, thus confirming that the purchaser is authorized by DEA to order the specified schedules of controlled substances.

This approach will allow registrants to use their current electronic order systems provided the systems can be enabled to accept and validate the DEA-issued digital certificate/signature information and the orders include the information currently required on a Form 222. DEA has been working with industry to develop code to enable existing systems to reduce the cost of implementation.

DEA will not limit digital certificates to those registrants authorized to order Schedule I and II controlled substances. Any DEA registrant eligible to order controlled substances will be able to obtain a DEA-issued digital certificate; the certificate extension data will inform the supplier which schedules a purchaser is authorized to order. Although the digital certificates would be required for signing and transmitting electronic orders for Schedule I or II controlled substances, DEA will encourage registrants to use the certificates to sign all electronic orders for controlled substances. Using the DEA-issued certificates will reduce the burden on suppliers, who must verify the purchaser's DEA status; the certificate extension data and the validity of the certificate will provide this information.

In Simple Terms, How Does a Digital Signature Work?

This section provides a simplified description of how a digital signature system works. Each certificate holder would have a public key, available to anyone, and a private key, which the certificate holder must keep secure. The two keys are used by an asymmetric encryption algorithm; what one key encrypts, only the other key can decrypt. The two keys are different and cannot be practically derived from each other.

When the certificate holder digitally signs an order, the PKI-enabled software runs the text of the order through a complex algorithm that creates a fixed length digest of the document (called a hash). The hash is a compact representative image of the document that is often referred to as a document "fingerprint." The software then uses the private key to encrypt the hash; the encrypted hash is the digital signature.

The purchaser's software transmits a plain text order with the encrypted hash and the sender's digital certificate to the supplier. When the supplier receives the document, the supplier's software would use the sender's public key, which is part of the certificate, to decrypt the digital signature. If the public key can decrypt the digital signature successfully, the supplier would know that only the holder of the private key could have sent the digitally signed order. The supplier's software would then use the same hashing algorithm the purchaser used to create a second digest (hash) of the plain text document received. If the new hash is identical to the hash the computer has decrypted, the document has not been altered in transmission. If even a single space or letter in the document has been changed, the hashes would not match and the document must be considered invalid.

The power of the digital signature approach is that it provides for authentication, nonrepudiation, and message/record integrity. The supplier can be certain that only a specific certificate holder could have signed the document (because the Certification Authority verified the identity before issuing the certificate and because the public key decrypted the signature) and that the document has not been altered in transmission (because the hashes match). In addition, the other information included in the digital certificate attached to the order (name, address, DEA registration number, business activity, schedules, and expiration date) provides the supplier an instant source of information to verify the sender's right to issue and sign the order. The system also would automatically check the certificate revocation list to be sure that the certificate is still valid.

For a more complete discussion of the technical details of digital signatures, and a complete list of approved algorithms, see the Federal Information Processing Standard (FIPS) 186-2.

In Simple Terms, How Would This System Work for the User?

Practical implementations of PKI technology are typically simple and transparent for the user, despite the complex technologies involved. The complex parts of the system are automatically handled by the software system.

The steps a user would take are as follows:

  • To obtain a digital certificate, a DEA registrant or a person granted power of attorney authority to obtain and sign Schedule I and II orders for a registrant would submit proof of identification and proof of a current DEA registration to the Certification Authority (CA). The applicants would also have to install software to PKI-enable their computers or ensure that their network browsers are PKI-enabled. Most recent versions of Internet browsers are PKI-enabled.

  • Once the CA verifies the identification, the CA would send the applicant a one-time use access code and password via separate channels. The applicant would use the PKI software to generate a key pair (public and private keys) and access the Certification Authority electronically using the access code and password to request a certificate. These keys would be stored in the applicant's computer or on a FIPS 140-2 approved secure hardware device. Once generated, the Certification Authority must prove that the user has possession of the key. For signature public keys, the corresponding private key must sign the certificate request. Verification of the signature using the public key in the request would serve as proof of possession of the private key. The user would not need to learn the keys. The user would employ an authentication mechanism to access the private key. The authentication mechanism could be a user name and password. Although DEA is not requiring use of biometrics, DEA recognizes the advantages of biometric passwords to ensure that a private key cannot be shared and suggests that registrants consider their use.

  • When the users want to digitally sign an order, they would authenticate themselves to access the private key to sign the document. Specific procedures may vary depending on the exact nature of the system employed, but basically, once the certificate holder has accessed the private key, a single key stroke would "sign" the document. At the keystroke, the software would perform the hashing functions and encryption, attach the encrypted hash and digital certificate to the plain text order, and transmit.

At the supplier end, the steps are equally simple:

  • The supplier would receive the order electronically. The digital certificate attached to the order would contain the information necessary for the supplier to determine whether the person is eligible to write the order received.
  • The supplier would validate the order.
  • The supplier's software would automatically check the certificate revocation list to verify that the user's certificate had not been revoked. It would also verify that the certificate was signed with the DEA CA certificate.
  • The software would use the sender's public key to decrypt the signature, obtain the hash, and automatically compare it with the hash of the plain text message generated by the supplier's software to determine if the file had been altered.
  • The software system would check the expiration date on the certificate to ensure that the certificate had not expired when the order was signed.
  • The software would compare the controlled substances ordered with the schedules listed in the certificate to verify that the certificate holder is authorized to order the schedule.
  • Only if all the checks indicate a valid order would the system indicate that the order was valid.

The supplier's system would have to require that all authentication and validation steps be carried out before allowing the order to be processed.
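The hash-then-sign step described above and the supplier-side checks just listed, carried through in code as an added example (not DEA's or any CSOS vendor's implementation) using only Go's standard library: a constructed CA issues a holder certificate whose extension lists the schedules the holder may order, the purchaser signs an order, and the supplier refuses it unless every check passes. The ECDSA P-256 keys, the extension OID and layout, the order format and the sample registrant are assumptions, since the page does not specify the CSOS certificate profile or message format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Hypothetical OID for an extension listing authorized schedules (the real CSOS extension layout is not given here).
var oidSchedules = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
type Order struct {
	Text      string    // the plain-text order exactly as transmitted
	SignedAt  time.Time // when the purchaser signed it (covered by the signature)
	Signature []byte    // ECDSA signature over the SHA-256 digest of signedBytes()
	CertDER   []byte    // the purchaser's DEA-issued certificate, sent with every order
}

// signedBytes binds the signing time to the order text so that neither can be changed unnoticed.
func (o Order) signedBytes() []byte { return []byte(o.SignedAt.UTC().Format(time.RFC3339) + "\n" + o.Text) }

// SignOrder hashes the order and signs the digest with the holder's private key (the "encrypted hash" above).
func SignOrder(priv *ecdsa.PrivateKey, certDER []byte, text string, at time.Time) (Order, error) {
	digest := sha256.Sum256(Order{Text: text, SignedAt: at}.signedBytes())
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Order{Text: text, SignedAt: at, Signature: sig, CertDER: certDER}, err
}

// ValidateOrder runs the supplier-side checks listed above and accepts the order only if every one passes.
func ValidateOrder(o Order, ca *x509.Certificate, crl *x509.RevocationList, ordered []string) error {
	cert, err := x509.ParseCertificate(o.CertDER)
	if err != nil {
		return err
	}
	if err := cert.CheckSignatureFrom(ca); err != nil { // was the certificate issued by the DEA CA?
		return fmt.Errorf("certificate not issued by CA: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // is the revocation list itself authentic?
		return fmt.Errorf("untrusted CRL: %w", err)
	}
	if slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool { return e.SerialNumber.Cmp(cert.SerialNumber) == 0 }) {
		return fmt.Errorf("certificate %v has been revoked", cert.SerialNumber)
	}
	if o.SignedAt.Before(cert.NotBefore) || o.SignedAt.After(cert.NotAfter) {
		return fmt.Errorf("certificate was not valid at signing time %v", o.SignedAt)
	}
	// Recompute the SHA-256 fingerprint of what was received and verify it with the public key in the certificate.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, o.signedBytes(), o.Signature); err != nil {
		return fmt.Errorf("order altered or not signed by the certificate holder: %w", err)
	}
	var schedules []string // stays empty, so every schedule is refused, if the extension is absent
	if i := slices.IndexFunc(cert.Extensions, func(e pkix.Extension) bool { return e.Id.Equal(oidSchedules) }); i >= 0 {
		if _, err := asn1.Unmarshal(cert.Extensions[i].Value, &schedules); err != nil {
			return err
		}
	}
	for _, s := range ordered { // every schedule on the order must appear in the certificate
		if !slices.Contains(schedules, s) {
			return fmt.Errorf("%s is not authorized to order schedule %s", cert.Subject.CommonName, s)
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewDemoPKI builds constructed test material: a CA, a holder certificate for schedules II-V, and a CRL.
func NewDemoPKI(revokeHolder bool) (*x509.Certificate, *x509.RevocationList, *ecdsa.PrivateKey, []byte) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey))))
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Demo Pharmacy"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:        x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment, // nonrepudiation bit
		ExtraExtensions: []pkix.Extension{{Id: oidSchedules, Value: must(asn1.Marshal([]string{"II", "III", "IV", "V"}))}}}
	certDER := must(x509.CreateCertificate(rand.Reader, tpl, ca, &key.PublicKey, caKey))
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	if revokeHolder { // publish the holder's serial number on the CRL
		crlTpl.RevokedCertificateEntries = []x509.RevocationListEntry{{SerialNumber: tpl.SerialNumber, RevocationTime: now}}
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTpl, ca, caKey))))
	return ca, crl, key, certDER
}
```

Exercise it from a Go test or a main of your own by calling NewDemoPKI, SignOrder and ValidateOrder; a revoked holder, an altered order text, an altered signing time, a signing time outside the certificate's validity, or a schedule missing from the certificate each produce a distinct error.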

What Is a Certification Authority and Why Is It Needed?

In the Form 222 system, DEA issues the forms to registrants, providing assurance to suppliers that the orders they receive are from registrants authorized to order Schedule I and II controlled substances. In a PKI system, a Certification Authority (CA) acts as a credible and neutral trusted third party and is central to the operation of the digital certificates. Each party (the certificate holder and recipient of a digitally signed document) relies on the CA. If they trust the CA, they can trust the certificates the Certification Authority issues. Without a trusted third party, each recipient would have to determine whether each sender could be trusted. A Certification Authority makes it possible for a recipient to receive orders from persons who have never before placed orders with them and quickly determine whether the person has a right to order the substance. This process is similar to the Form 222 issued by DEA, which contains preprinted registrant information, including the registrant's name, address, DEA registration number, and schedules.

What Would the Certification Authority Do?

The Certification Authority would enroll certificate holders and verify the identity of an applicant and the applicant's DEA status before issuing a certificate. The Certification Authority would maintain a public directory of certificate holders' public keys and a Certificate Revocation List (CRL), both of which recipients of digitally signed documents must check to verify the validity of a certificate. The Certification Authority would operate under a publicly available Certificate Policy, a set of rules that covers subjects such as obligations of the Certification Authority, the certificate holders, and those relying on the Certification Authority for validation; enrollment and renewal procedures; operational requirements; security procedures; and administration.

Who Would Serve As the Certification Authority?

Because a digital certificate is the functional equivalent of a Form 222 that DEA is required to issue, only DEA can serve as the Certification Authority for issuing digital certificates for signing electronic orders for Schedule I and II controlled substances. Registrants and their designated power of attorney holders (POA) who are eligible to sign Forms 222 would apply to the DEA Certification Authority and obtain a digital certificate from it. DEA proposes to act in this capacity either directly or through a contractor.

III. Discussion of the Proposed Rule on Electronic Orders

A. Digital Certificates

How Are Digital Certificates Obtained?

Anyone eligible to sign orders for controlled substances would be able to apply to the DEA Certification Authority for a digital certificate. Under the current rules, DEA requires only orders for Schedule I and II substances to be signed. That requirement will not change. DEA recognizes, however, that registrants who order or fill orders for Schedule III-V substances may want the ability to digitally sign these orders. The digital certificate attached to a digitally signed order would provide the supplier with instant verification of DEA status, which suppliers are required to make a good faith effort to determine. Consequently, DEA intends to make digital certificates available to registrants who are eligible to order only Schedule III through V substances and to employees at Schedule II through V registrants who are authorized to issue only Schedule III through V orders. The requirements for applying for a digital certificate would be the same for any applicant.

Who Are CSOS Coordinators and What Is Their Role in the Digital Certificate Enrollment Process?

CSOS Coordinators are one or more responsible persons designated by a DEA registrant to serve as that registrant's recognized agent regarding issues pertaining to issuance of, revocation of, and changes to digital certificates issued under that registrant's DEA registration. These individuals serve as knowledgeable liaisons between one or more DEA registered locations and the CSOS Certification Authority. While the CSOS Coordinator is the main point of contact between the DEA Certification Authority and the DEA registrant, all digital certificate activities are the responsibility of the registrant with whom the digital certificate is associated. To that end, the CSOS Certification Authority will communicate with the CSOS Coordinator regarding digital certificate applications, renewals, revocations, and other matters. Even when an individual registrant, i.e., an individual practitioner, is applying for a digital certificate to order controlled substances, a CSOS Coordinator must be designated. It is acceptable to have the person applying for the registrant digital

[[Page 38563]]

certificate also be designated as the CSOS Coordinator. Once designated, the registrant's CSOS Coordinator must identify him or herself to the Certification Authority through an application process. If a change occurs regarding persons designated as CSOS Coordinators, or if a change occurs regarding the registered locations for which a CSOS Coordinator is responsible, the Certification Authority must be notified. For applicants applying for a CSOS digital certificate, and for applicants applying for CSOS power of attorney for a DEA registrant, the CSOS Coordinator must verify the applicant's identity, review and approve the application package, and submit the completed package to the Certification Authority.

How Would a Person Obtain a Digital Certificate?

An applicant for CSOS Coordinator, an applicant for a digital certificate for signing controlled substance orders, or an applicant for power of attorney would have to submit the following documentation:

  • A completed application form (form provided by the Certification Authority).
  • A copy of a government-issued photographic identification and of a second identification.
  • For CSOS Coordinators, a copy of each current DEA Certificate of Registration for which the Coordinator will be responsible (DEA form 223), if available, or, if the applicant (or their employer) has not been issued a DEA registration, the application for DEA registration of the applicant or the applicant's employer.
  • For individuals with power of attorney (POA) to sign controlled substances orders, a copy of the power of attorney indicating which schedules the person is authorized to order.

For persons applying as CSOS Coordinators, the completed package must be notarized. For persons applying for digital certificates as DEA registrants and for persons applying for digital certificates as powers of attorney for DEA registrants, the completed package must be provided to the registrant's designated CSOS Coordinator who will review and approve the application and send it to the Certification Authority. Because the application includes signed letters and statements, as well as notarization (for CSOS Coordinators only), the application would have to be submitted on paper.

If the Certification Authority approves an application, the applicant would receive an access code and password. The access code and password would be sent in two segments, each sent by a different method. For example, the access code may be mailed while the password is e-mailed. The access code and password would be used to submit an electronic request for a digital certificate. Prior to submitting the request, the applicant would have to obtain software that PKI-enables its system and that can generate the public and private key; most Internet browsers have this capability. The software would generate a public and private key pair. The public key is transmitted to the Certification Authority. The Certification Authority would then issue a signed digital certificate associated with the applicant's public key and a copy of the Certification Authority's public key certificate.

Why Does the Application Need To Be Notarized?

DEA is proposing that the application for registrant CSOS Coordinators be notarized to ensure that the person presenting the photo ID is in fact the person signing the application and to legally tie the person signing the application to it. CSOS Coordinators serve as their registrant's recognized agent regarding issues pertaining to issuance of, revocation of, and changes to digital certificates issued under that registrant's DEA registration. While all digital certificate activities are the responsibility of the registrant with whom the digital certificate is associated, within the Controlled Substances Order System DEA is placing a high level of trust in the CSOS Coordinators associated with each DEA registrant. DEA and its Certification Authority must trust the information CSOS Coordinators provide to DEA and must trust the actions requested by CSOS Coordinators of DEA and its Certification Authority. DEA recognizes that notaries may not be able to determine whether the photo ID is real. Some state driver's licenses can be obtained in other names with relative ease. The package, however, includes not just the photo ID, but also copies of each of the registrant's Certificates of Registration (DEA form 223) for which the CSOS Coordinator will be responsible. These requirements will make it harder for someone to present fraudulent information to pose as a CSOS Coordinator with its attendant rights and responsibilities.

How Many Certificates Will Be Required?

The CSA requires that each location where controlled substances are manufactured, distributed, or dispensed have a separate registration. Forms 222 are issued to specific registrants at specific locations. The CSA also requires that where independent controlled substances activities occur at the same location (e.g., manufacturing and importation), separate registrations for each activity be maintained at the location. To be the equivalent of a Form 222, a digital certificate must also be registrant and location specific. Consequently, separate digital certificates are required for each DEA registration and for each individual authorized to sign orders for each location.

DEA is aware that some large distributors and chain pharmacies have central inventory control and process all orders from a single location. At present, these central locations maintain the supplies of Form 222 for each of their pharmacies or warehouses and place the orders on the appropriate preprinted form. These registrants have asked whether it would be possible to have a single digital certificate associated with multiple registered locations to ease the burden of maintaining multiple certificates. Because a digital certificate is linked to one DEA registration number, the certificate must be bound to the location associated with the registration. It will be possible to have multiple certificates linked to a single registration (e.g., multiple people with POA for a registrant), but a certificate cannot be linked to multiple registered locations. To serve as the electronic equivalent of a Form 222, the digital certificate must be location-specific, as the Form 222 is.

DEA recognizes that in cases of central ordering systems, a single POA may have to obtain more than a thousand separate certificates. DEA is proposing two steps that will reduce the burden on these POAs. First, POAs applying for multiple certificates would be able to submit a single application with a list of the DEA registration numbers for which they are applying for certificates. This process would be similar to batch renewals of registrations.

A second step would reduce the burden of obtaining the certificates. Normally, each certificate has to be generated separately. The POA would have to obtain separate access codes from the CA, generate the keys, and access the CA for each certificate. This process takes about five minutes per certificate. To reduce the burden for POAs applying for large numbers of certificates, DEA is proposing to provide software that would include the access codes and functions for key generation. The registrant could then install the software and allow it to contact the CA and generate all of the certificates

[[Page 38564]]

automatically without the applicant having to enter codes individually. DEA believes that these steps will facilitate the application and certificate generation process while retaining the basic integrity of the Form 222 system that links every order to a specific registered location.

What Is the Renewal Period for Digital Certificates?

Digital certificates must be renewed when the DEA registration expires. DEA considered requiring annual renewal of digital certificates, which is the current industry practice. DEA determined, however, that this frequency was not necessary to maintain the security of the system and is proposing that certificates be valid for the life of the registrant's DEA registration. Certificates cannot be valid beyond the life of a DEA registration because the certificate's validity is based on having an active DEA registration. Practically, therefore, manufacturers, distributors, exporters, researchers, chemical analysts, and narcotic treatment programs would have to renew annually because their DEA registrations are valid for one year. Pharmacies, institutional practitioners, teaching institutions, and individual practitioners would have to renew every three years.

The Certification Authority would notify certificate holders of the need to renew the certificate. DEA would permit the digital certificate to be renewed online twice after the original application process, so long as the certificate holder applies for renewal before the DEA registration and digital certificate expire. Upon the third renewal request, the digital certificate holders must re-establish their identity using the initial application process. Although this process is considered a renewal because a new application is not needed, at each renewal a new key pair would be generated and a new certificate issued. The Certification Authority would arrange a simple online process to renew a certificate. When a certificate holder files a renewal request before the DEA registration expires, DEA would not issue the new certificate until the Certification Authority has determined that the DEA registration on which the certificate is based has been renewed.

If the certificate holder fails to apply for a new certificate before the date on which the DEA registration expires, the certificate holder would have to submit a new application for a certificate, including all of the documents required for an initial application. The same is true if the certificate holder's digital certificate is revoked for any reason.

What Are the Requirements for Companies That Grant Power of Attorney to Authorize Use of Their DEA Registrations?

As noted above, all registrants must designate a CSOS Coordinator to serve as the registrant's recognized agent regarding issues pertaining to issuance of, revocation of, and changes to digital certificates issued under that registrant's DEA registration. One of the responsibilities of the CSOS Coordinator is to oversee the application process for persons applying for a digital certificate as powers of attorney for a registrant. The CSOS Coordinator(s) will be responsible for ensuring that those persons applying for power of attorney authority are permitted by the registrant to possess such authority. DEA believes that the designation of CSOS Coordinators will streamline the power of attorney application process and will provide a safeguard to ensure that only personnel authorized by the registrant are granted power of attorney digital certificates.

Registrants who grant power of attorney status to certain employees to sign orders would be required to do the following:

  • Provide a letter granting power of attorney to be submitted with the person's application for a digital certificate.
  • Read the statement of registrant obligations regarding power of attorney contained in the subscriber agreement provided by the Certification Authority and sign a statement agreeing to meet the obligations.
  • Ensure that powers of attorney use their digital certificates appropriately.
  • Notify the Certification Authority, through the CSOS Coordinator responsible for the registered location at which the power of attorney works, within 6 hours of revocation of the power of attorney.
  • Notify the Certification Authority, through the CSOS Coordinator responsible for the registered location at which the power of attorney worked, within 6 hours of the time the person leaves the registrant's employ.

The obligations in the statement of registrant obligations are basically to oversee the use of certificates to ensure that they are used only by the certificate holder and to notify the Certification Authority if a certificate holder is no longer authorized to use the registrant's DEA number to order controlled substances.

What Systems Are Required To Use a Digital Signature?

Any system enabled to handle digital signatures may be used provided it meets the following requirements:

1. The cryptographic module must be FIPS 140-2 validated.
2. The digital signature system must be FIPS 186-2 validated and use the RSA algorithm.
3. The hash function must be FIPS 180-1 validated.
4. The system must control the activation of the private key with an authentication mechanism.
5. The system must employ a ten-minute inactivity time period after which the certificate holder must re-authenticate to access the private key.
6. For software implementations, when the signing module is deactivated, the system must clear the plain text private key from the system memory to prevent the unauthorized access to, or use of, the private key.
7. The system must digitally sign and transmit the electronic order.
8. The system must communicate with the Certification Authority directory.
9. The system must have a time system that is within five minutes of the official National Institute of Standards and Technology (NIST) time source.
10. The system must archive digitally signed files.
11. The system must create an order that includes the data fields listed in proposed § 1305.21(b). These fields are the same fields that exist on the Form 222 that purchasers complete, except for the line numbers, total number of lines, and purchaser information, i.e., name, address, DEA registration number, authorized schedules, and business activity, all of which are included in the digital certificate which must accompany the order.

The three FIPS standards (discussed in more detail below) are needed to ensure the integrity of the key and hash generating systems. The fourth item requires that the system control access to the private key through a method of authenticating the user. As discussed below, DEA is proposing that certificate holders use at least a password and user ID combination. If a certificate holder elects to use a biometric authentication method, the single biometric (other than voice recognition) would be sufficient.

Item five is needed to ensure that the digital signing capability cannot be accessed by someone other than the certificate holder. DEA is concerned that a certificate holder might authenticate himself or herself to the system, open the signing software, and begin signing

[[Page 38565]]

orders. If the certificate holder left the computer while the signing system was open, another person could sign orders because the signing software generally does not require reauthentication of the user for each order once the private key has been accessed. The automatic closure of the system if unused for 10 minutes will lessen this threat. 

Item six would ensure that the private key cannot be retrieved from the certificate holder's computer memory following its use. Software systems may not automatically clear items from memory when the application is shut down. Therefore, it is necessary to specify that the software clear the private key from the system's memory whenever the signing application is closed to ensure that someone cannot recover the key.
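The following is an added illustration of items 4, 5 and 6 together, not code from this notice or from any CSOS vendor. It models a signing session that activates the private key only after a user ID and password check, forces re-authentication after ten minutes without use, and overwrites the plaintext key copy on deactivation. The class name, the placeholder key bytes, the injected clock (`now` in seconds) and the HMAC stand-in for the FIPS-validated signing call are all assumptions of the example; Python cannot guarantee that every copy of a secret leaves memory, so the `bytearray` overwrite shows the intent of item 6 rather than a complete zeroisation.

```python
import hashlib
import hmac
import secrets

INACTIVITY_LIMIT_SECONDS = 600  # item 5: ten-minute inactivity period


class SigningSession:
    """Hypothetical holder of a certificate holder's private key (placeholder bytes here).

    Item 4: the key is activated only after authentication.
    Item 5: a signing request after more than ten idle minutes requires re-authentication.
    Item 6: deactivation overwrites the plaintext key copy held in memory.
    """

    def __init__(self, key_bytes, user_id, password):
        self._salt = secrets.token_bytes(16)
        self._user_id = user_id
        self._pw_hash = self._derive(password)   # only a salted PBKDF2 hash is kept
        self._sealed_key = bytes(key_bytes)      # stands in for the key file on disk or a smart card
        self._active_key = None                  # plaintext copy, present only while activated
        self._last_use = None

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def activate(self, user_id, password, now):
        """Item 4: unlock the private key with a user ID and password."""
        if user_id != self._user_id or not hmac.compare_digest(self._derive(password), self._pw_hash):
            return False
        self._active_key = bytearray(self._sealed_key)  # mutable so it can be wiped later
        self._last_use = now
        return True

    def is_active(self, now):
        """Item 5: an idle session is closed, so the next use must re-authenticate."""
        if self._active_key is None:
            return False
        if now - self._last_use > INACTIVITY_LIMIT_SECONDS:
            self.deactivate()
            return False
        return True

    def sign(self, order_bytes, now):
        if not self.is_active(now):
            raise PermissionError("re-authentication required before signing")
        self._last_use = now
        # Stand-in for the FIPS 186-2 signing call: an HMAC keyed with the private key bytes.
        return hmac.new(bytes(self._active_key), order_bytes, "sha256").hexdigest()

    def deactivate(self):
        """Item 6: overwrite the plaintext key before dropping the reference."""
        if self._active_key is not None:
            for i in range(len(self._active_key)):
                self._active_key[i] = 0
            self._active_key = None
        self._last_use = None
```

Because the clock is passed in, the timeout path can be exercised without waiting ten minutes: a session activated at one time and idle for more than 600 seconds refuses to sign until `activate` succeeds again.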

Items seven and eight are the basic requirements for a digital signature system, the ability to sign a document digitally and communicate with the CA.

Item nine requires the system to have a time system within five minutes of the official National Institute of Standards and Technology time source. It is important that all users of the CSOS system be synchronized to a single, consistent time source.

Items 10 and 11 are necessary for the system to function as a substitute for a Form 222. Item 11 requires the creation of an order that includes all of the Form 222 information. Item 10 ensures that the system automatically stores and retains the orders.

What Systems Are Required To Be Able To Process a Digital Signature?

Any system may be used to process an electronic order provided it has been enabled to handle digital signatures and that it meets the following requirements:

1. The digital signature system must be FIPS 186-2 validated and use the RSA algorithm.
2. The hash function must be FIPS 180-1 validated.
3. The system must check the purchaser certificate extension data to determine that the controlled substances ordered are on schedules the purchaser is eligible to order and that the certificate had not expired at the time the order was signed.
4. The system must decrypt the digital signature using the purchaser's public key and determine that an order has not been altered in transmission.
5. The system must check the certificate revocation list and the CA's directory automatically and invalidate any order signed with a certificate listed on the CRL or not included in the CA directory.
6. The system must have a time system that is within five minutes of the official National Institute of Standards and Technology time source.
7. The system must archive the order and include the digital certificate linked to the order in the record of each order.
8. The system must require that all authentication and validation steps are carried out prior to allowing the processing of the order to be completed. Further, the system will not allow orders that have failed to pass any authentication or validation step to be processed.
9. If the supplier intends to file a summary report of orders rather than copies of the actual orders, the system must create a report that includes, for each Schedule I and II order, all data fields listed in proposed § 1305.28(a) in a format that DEA specifies. This provision would allow for compliance with the current paper requirement that suppliers forward copy 2 of the DEA Form 222 to the nearest DEA office on a monthly basis.

Items 1 and 2, the FIPS standards (discussed in more detail below), are needed to ensure the integrity of the key and hash generating systems. Items 3, 4, 5, and 6 are needed to ensure that the system can and does validate each order by checking that the order was signed by the certificate holder, that the order has not been altered, that the registrant is eligible to order the substances, and that the certificate has not expired or been revoked. Item 7 ensures that the system automatically stores and retains the orders. Item 9 requires the creation of a report that includes all of the Form 222 information.
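The supplier-side checklist above (and the same sequence described earlier under the validation bullets, together with the key-generation and certificate-issuance steps in the enrollment discussion) is shown here as an added, runnable example; it is not code from this notice or from the DEA Certification Authority. The example uses a toy textbook RSA over SHA-256 built from the standard library so that it runs offline, where a real CSOS system would call a FIPS 140-2 validated module with proper padding. The certificate layout, the `schedule` field on each line item, the serial-number directory and CRL as plain sets, and the placeholder DEA number are all assumptions of the example.

```python
import hashlib
import json
import secrets
from datetime import date

# Toy textbook RSA (no padding) so the example runs on the standard library alone;
# a real CSOS system would call a FIPS 140-2 validated module instead.

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keypair(bits=512):
    """Purchaser step: generate (public, private) as ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    n, d = private
    return pow(_digest(data), d, n)

def verify(public, data, sig):
    """Recover the hash from the signature and compare it with a fresh hash of the data."""
    n, e = public
    return pow(sig, e, n) == _digest(data)

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def issue_certificate(ca_private, serial, dea_number, schedules, not_after, holder_public):
    """CA step: bind the holder's public key, DEA number and schedules under the CA's signature."""
    body = {"serial": serial, "dea_number": dea_number, "schedules": sorted(schedules),
            "not_after": not_after.isoformat(), "public_key": list(holder_public)}
    return {"body": body, "ca_signature": sign(ca_private, canonical(body))}

def validate_order(order, signature, cert, ca_public, crl, directory, signed_on):
    """Supplier step: run every check and return (ok, reasons); ok only if all checks pass."""
    body, problems = cert["body"], []
    if not verify(ca_public, canonical(body), cert["ca_signature"]):
        problems.append("certificate not signed by the DEA CA")
    if body["serial"] in crl:
        problems.append("certificate is on the CRL")
    if body["serial"] not in directory:
        problems.append("certificate not in the CA directory")
    if signed_on > date.fromisoformat(body["not_after"]):
        problems.append("certificate had expired when the order was signed")
    if not verify(tuple(body["public_key"]), canonical(order), signature):
        problems.append("signature hash mismatch: order altered or signed with another key")
    for item in order["items"]:  # a 'schedule' per line item is an assumption of this example
        if item["schedule"] not in body["schedules"]:
            problems.append(f"certificate does not authorize schedule {item['schedule']}")
    return not problems, problems

def demo():
    """Constructed scenario: a good order, the same order altered in transit, and a revoked cert."""
    ca_public, ca_private = rsa_keypair()
    buyer_public, buyer_private = rsa_keypair()
    cert = issue_certificate(ca_private, "0001", "XX0000000", ["II", "III"],  # placeholder DEA number
                             date(2004, 6, 30), buyer_public)
    order = {"number": "03x000123", "supplier": "Example Wholesale",
             "items": [{"product": "Example Drug 10 mg", "schedule": "II", "packages": 2}]}
    sig = sign(buyer_private, canonical(order))
    when, directory = date(2003, 7, 1), {"0001"}
    good = validate_order(order, sig, cert, ca_public, set(), directory, when)
    altered = dict(order, items=[dict(order["items"][0], packages=20)])
    tampered = validate_order(altered, sig, cert, ca_public, set(), directory, when)
    revoked = validate_order(order, sig, cert, ca_public, {"0001"}, directory, when)
    return good, tampered, revoked
```

`validate_order` deliberately collects every failure instead of stopping at the first, which matches item 8: the order is released only when the full list of checks is empty, and a processor that logs all reasons gives the supplier a clearer audit record than one that reports only the first failure.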

What Are the FIPS Standards and Why Are They Needed?

FIPS means Federal Information Processing Standard. FIPS 140-2 is a standard entitled "Security Requirements for Cryptographic Modules." The standard is produced by the National Institute of Standards and Technology (NIST) to lay out general requirements for cryptographic modules for computer and telecommunications systems. FIPS 186-2 specifies algorithms for applications used to generate digital signatures. FIPS 180-1 is the Secure Hash Standard. The standards have been adopted by the U.S. government and are required for all cryptographic-based security systems and digital signature systems that are used by or approved by Federal agencies to protect unclassified information. DEA, therefore, must require that the software modules used for digital signatures comply with these standards. A list of vendors whose cryptographic modules have been validated as FIPS 140-2 compliant may be obtained from the NIST web site at http://csrc.nist.gov/cryptval/140-2/1402vend.htm. Information on FIPS 186-2 and FIPS 180-1 can be obtained from http://csrc.nist.gov.

The modules that have been validated as compliant with these standards can be used to enable software to handle digital signatures. As long as the code in the compliant module is not altered, adding it to the software would not alter its validation.

How Is It Possible To Determine Whether a Specific System Meets These Criteria?

Before implementing an electronic system for Schedule I and II controlled substances orders, the software system must be certified by means of a third-party audit that determines the system performs the required functions. Registrants must ensure that any software/system that they use for electronic Schedule I and II orders has been certified. Certification from the software developer/vendor that the product being acquired has received the required audit is sufficient.

After the initial audit, the developer or vendor would be required to have third-party audits whenever the signing or verifying functionality is changed to ensure that the software continues to function as required. Registrants who implement order systems developed by third-party vendors would obtain a certification from the vendor. In instances where suppliers provide their customers with ordering software for use in this system, it would be the supplier's responsibility to ensure this auditing requirement has been satisfied. Individual customers of that supplier would not be required to maintain a copy of the audit report.

DEA recognizes that software systems are modified frequently, as vendors add services and improve functions. Modifications would need to be audited when the modification affects the digital signature or validation part of the system. If the modifications relate to other functions and do not change the digital signature functions or validation functions, modifications would not trigger a need for a third-party audit.

What Are the Requirements for Safeguarding Private Keys?

DEA regulations require that each registrant provide effective controls and procedures to guard against theft and diversion of controlled substances. This requirement applies to both physical and procedural safeguards; a registrant

[[Page 38566]]

must take steps to secure the controlled substances and the authorization to obtain and distribute or dispense the controlled substances. In this regard, it is important that the private key be properly secured, since it is the functional equivalent of both the paper DEA Form 222 and the registrant's valid signature on that form. All certificate holders must provide secure storage for the private key. The private key may be stored on any electronic medium, with access controlled by at least a user ID and password. As noted before, DEA encourages certificate holders and registrants to use biometric passwords instead of user IDs and passwords. Although not a requirement, biometric passwords provide a higher level of assurance that a private key cannot be used by anyone except the certificate holder.

Although DEA is proposing that certificate holders could store private keys on any electronic medium, including a hard drive or a disk, DEA encourages registrants to use smart cards or other secure hardware devices whose cryptographic modules are FIPS 140-2 validated for storing private keys.

Only the individual to whom a digital certificate is issued may use it. The certificate holder must report any loss or compromise of the private key or password to the Certification Authority within 6 hours of the loss or theft. In addition, the certificate holder is responsible for ensuring that others do not have access to the private key. The certificate holder must not give any other person the password or user ID and must ensure that once the private key has been accessed and the system is activated, no one else uses the computer or work station until the system is deactivated.

What Are the Conditions That Would Lead DEA To Revoke a Certificate?

A number of circumstances would require the revocation of a digital certificate. The Certification Authority would automatically revoke a certificate upon notice that the smart card or other hardware storage device has been lost, stolen, or compromised in any fashion, the password has been forgotten, or the private key can no longer be accessed. The certificate would also be revoked if the CA is notified that any of the information in the certificate changed (e.g., name or address, or new schedules added). In addition, a registrant must notify the Certification Authority whenever a specific individual's power of attorney has been revoked, so that the certificate issued in connection with the power of attorney can be revoked.

If a DEA registration is revoked or terminated for any reason, all digital certificates linked to that registration would be revoked because the validity of the certificate is linked to the validity of the DEA registration.

Any disagreement regarding a certificate revocation may be appealed to the Certification Authority in writing. Revocation of a digital certificate in and of itself does not affect a registrant's authority to handle controlled substances; it only affects the ability to engage in electronic transactions that require a digital signature.

B. Orders

This section discusses the specific requirements that relate to electronic orders and how these requirements differ from the current rules for Forms 222.

What Is DEA Proposing for Electronic Orders?

In general, DEA is proposing that purchasers be able to digitally sign and transmit electronic orders for Schedule I and II controlled substances if they use a digital certificate issued by the DEA Certification Authority and comply with the other requirements of proposed part 1311 on software and safeguarding of private keys. Suppliers would be able to validate and fill electronic orders for Schedule I and II controlled substances if they comply with the requirements in proposed part 1311 on software.

Most of the current part 1305 requirements would not change. Orders for Schedule I and II substances must be issued only on Form 222 or an electronic order signed with a valid digital certificate that the DEA Certification Authority issues. The same registrants would be eligible to sign and fill orders. Each party to the transaction would retain a copy and suppliers would send a copy or a data extract to DEA. DEA Form 222 will still be available for use. DEA expects that over time most, if not all, parties placing and filling orders will choose to use electronic orders, but this is not mandatory. Current regulations with respect to DEA Form 222 are not changed by this proposed rule.

What Are the Differences Between DEA Form 222 and Electronic Orders?

There are a number of differences with electronic orders.

  • Electronic order systems would need to include the data on the DEA Form 222, except the line numbers, total number of lines, and purchaser information, i.e., name, address, DEA registration number, authorized schedules, and business activity, all of which are included in the digital certificate which must accompany the order. (A discussion of the contents of an electronic order is provided in the next section.)
  • Unlike the paper form, which is limited to purchases of Schedule I and II substances, the digitally signed order system may also be used for Schedule III through V substances and non-controlled prescription drugs.
  • The DEA Form 222 limits the number of line items ordered to 10; the number of line items on electronic orders is unlimited.
  • As discussed later, copies of the electronic orders or a report on the orders must be filed with DEA every other business day rather than every month.
  • Electronic records for Schedule I and II controlled substances must, by regulation, be maintained separately from other records. However, DEA considers electronic records of Schedule I and II controlled substances to be maintained separately so long as these records are readily retrievable by schedule and controlled substance.

Each of these differences is discussed in greater detail in subsequent sections.

What Data Must Be Included in an Electronic Order?

The proposed electronic orders would be required to include the following data fields:

(1) A unique number generated by the purchaser to track the order. The number must be in the following 9-character format: the last two digits of the year, the character "x", and six numbers of the purchaser's choice.
(2) The name of the supplier.
(3) The complete address of the supplier.
(4) The supplier's DEA registration number (may be completed by either the purchaser or the supplier).
(5) The date the order is signed.
(6) The name (including strength where appropriate) of the controlled substance product.
(7) The National Drug Code (NDC) number (may be completed by the supplier or the purchaser).
(8) The quantity in a single package or container.
(9) The number of packages or containers of each item ordered.

The digital certificate attached to the order provides the purchaser's name, registered location, DEA registration number, business activity, and schedules.

How Can Electronic Orders Be Annotated?

Because the original order has been digitally signed, it cannot be altered.

[[Page 38567]]

The supplier and purchaser, both of whom are required to "annotate" the file with information on the substances shipped and received, would have to create a separate record with the needed information and electronically link the record of the required information to the original order. The supplier's linked file would have to contain packages shipped and date shipped and any other item on the order that the supplier completes. The purchaser's linked file would have to contain the number of packages received and the date received. The software must archive both the original and the linked record. The original and linked records constitute the complete order form, the equivalent of a Form 222 that has been annotated. The same process would apply to partially filled orders, endorsed orders, or canceled orders; the records of these actions must be linked to the original order and maintained as a record of the transaction. Both the purchaser and the supplier must keep the original digitally signed order and the linked files for a period of two years.
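The following is an added example, not part of the notice, that models the two points above: the purchaser's 9-character tracking number format and the rule that the signed original order stays unaltered while shipping and receiving annotations live in separate linked records. It assumes an HMAC-SHA256 over a canonical JSON serialization as a stand-in for the purchaser's DEA-certificate signature, and all supplier, DEA-number and NDC values are constructed placeholders.

```python
import hashlib
import hmac
import json
import re

# Purchaser-generated tracking number: last two digits of year, "x", six digits.
TRACKING_RE = re.compile(r"\d{2}x\d{6}")


def valid_tracking_number(num: str) -> bool:
    return TRACKING_RE.fullmatch(num) is not None


def canonical(record: dict) -> bytes:
    # Deterministic serialization so identical content always signs identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign(record: dict, key: bytes) -> str:
    # Assumption: HMAC-SHA256 stands in for the purchaser's DEA-certificate signature.
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(record, key), signature)


def make_order(tracking: str, supplier: dict, date_signed: str, items: list) -> dict:
    """Build the order from the data fields the notice lists for an electronic order."""
    if not valid_tracking_number(tracking):
        raise ValueError(f"tracking number {tracking!r} must be in YYx###### format")
    return {"tracking": tracking, "supplier": supplier,
            "date_signed": date_signed, "items": items}


def link_record(order: dict, order_sig: str, kind: str, data: dict) -> dict:
    """Annotation kept as a separate record bound to the unaltered original."""
    return {"links_to": order_sig, "tracking": order["tracking"], "kind": kind, **data}


def complete_order_valid(order: dict, order_sig: str, links: list, key: bytes) -> bool:
    """Original still matches its signature and every linked record points at it."""
    if not verify(order, order_sig, key):
        return False
    return all(l["links_to"] == order_sig and l["tracking"] == order["tracking"]
               for l in links)


def demo() -> dict:
    key = b"constructed-demo-key"  # stand-in for the purchaser's private key
    supplier = {"name": "Example Distributor (constructed)",
                "address": "1 Sample St, Anytown, ST 00000",
                "dea_number": "DEA-NUMBER-PLACEHOLDER"}
    items = [{"product": "Example product 10 mg (constructed)",
              "ndc": "NDC-PLACEHOLDER", "qty_per_package": 100, "packages": 5}]
    order = make_order("03x000123", supplier, "2003-06-27", items)
    order_sig = sign(order, key)
    links = [
        link_record(order, order_sig, "shipped",
                    {"packages_shipped": 5, "date_shipped": "2003-06-30"}),
        link_record(order, order_sig, "received",
                    {"packages_received": 5, "date_received": "2003-07-02"}),
    ]
    intact = complete_order_valid(order, order_sig, links, key)
    # Editing the signed original (here, raising the quantity) must fail verification.
    tampered = json.loads(canonical(order))
    tampered["items"][0]["packages"] = 50
    altered = complete_order_valid(tampered, order_sig, links, key)
    return {"intact": intact, "altered_detected": not altered, "links": len(links)}
```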

Can An Order Be Endorsed to Another Supplier?

DEA allows suppliers to endorse a DEA Form 222 to another supplier if the first supplier cannot fill the order. This requires the initial supplier to record on the back of each copy of the DEA Form 222 the name and address of the second supplier, and the signature of a person authorized by that initial supplier to obtain and execute order forms. Paper orders must be endorsed in their entirety; a supplier cannot fill part of the order and endorse the rest to a second supplier because the paper 222 must accompany the order.

Electronically, both complete and partial endorsement would be possible. To endorse the whole order to a second supplier, the initial supplier would make a copy of the incoming order, link the copy to a record of the name and address of the secondary supplier, then digitally sign the copy of the order and the linked file using his or her DEA issued digital certificate. The initial supplier may then transmit the original order and linked endorsement record to the secondary supplier. As an alternative, the initial supplier could fill part of the order, create a linked record indicating what had been filled, then endorse the remainder of the order to a second supplier, adding a second linked record with the second supplier's name and address, and digitally signing the order and linked records. The secondary supplier would have to validate both the purchaser's and the initial supplier's digital certificates before filling the order.

Because the customer can easily generate a new electronic order, the supplier may simply choose to notify the purchaser that the order cannot be filled or filled in its entirety, allowing the purchaser to directly place the order electronically with another supplier. The supplier would then create a linked record voiding all or part of the order.

Can a Centralized Processing Facility Be Used?

DEA has determined that with electronic orders, it is possible for a distributor to process an order centrally and have separate registered locations belonging to the same distributor fill parts of the order. DEA is, therefore, proposing to allow purchasers to transmit orders to a specific supplier. The supplier may initially process the orders (e.g., entry of the order into the computer system, billing functions, inventory identification, etc.) centrally at any location, regardless of its registration with DEA. Following centralized processing, the order is distributed to one or more registered locations maintained by the supplier for filling. The registrant must maintain control of the processing of the order at all times. This proposed approach to decentralized filling of orders applies only to registered locations that belong to the same company. This approach would allow distributors to maximize the efficiency of their distribution system without compromising the system of control of Schedule I and II substances.

What Information Is a Supplier Required To Report To DEA?

Under the current regulations, suppliers must send DEA copies of filled DEA Forms 222 on a monthly basis. With electronic orders, DEA is proposing that suppliers submit copies of the electronic orders and linked records to DEA every other business day based on when the order is filled; these orders may include information on substances other than Schedule I and II substances. In lieu of submitting copies of orders, suppliers may submit a daily report that contains the following information on Schedule I and II controlled substances from each electronic order:

(1) The supplier's name.
(2) The supplier's complete address.
(3) The supplier's DEA registration number.
(4) The purchaser's name.
(5) The purchaser's complete address.
(6) The purchaser's DEA registration number.
(7) The schedules the purchaser is authorized to receive.
(8) The purchaser's business activity.
(9) The unique tracking number the purchaser assigned to the order.
(10) The date the order was signed.
(11) The name of the controlled substance product.
(12) The National Drug Code (NDC) number of the controlled substance.
(13) The quantity in a single package or container.
(14) The number of packages or containers of each item ordered.
(15) The number of packages or containers shipped.
(16) The date shipped.

Because any orders or reports sent to DEA must be readable by DEA offices, DEA intends to specify, before the rule is final, the formats in which the information may be submitted. DEA requests comments on which software platforms and systems registrants would be likely to use to submit either the electronic orders or reports.

Why Does the Reporting Period Change for Electronic Orders?

In the paper system, DEA serially numbers all order forms. DEA requires that copy 2 of these order forms be submitted to the Administration on a monthly basis. DEA's requirements under the paper system are such that all order forms issued to any registrant must be accounted for. All forms issued by DEA are traceable to the specific registrant to whom they were issued. In addition, currently mandated supplier reports to DEA contain the order form number involved in all transactions completed. This ensures that Schedule I and II controlled substances will not be distributed without DEA's knowledge. Due to the significant volume of paper involved in the current process, DEA requires copy 2 of the Form 222 to be forwarded to DEA once monthly to limit the paper handling. This monthly reporting has little effect on DEA's ability to monitor and track all orders by serial number.

The electronic system does not involve the use of serially numbered, DEA-issued forms. Consequently, DEA's ability to track and account for orders must rely on timely reports by the suppliers. DEA determined that the 30-day reporting period is too long for electronic orders. Because all order reporting would be handled electronically, the daily transmission of reports should represent a minimal burden on suppliers.

[[Page 38568]]

Can a Digital Certificate be Used to Sign Orders for Schedule III through V Controlled Substances?

A digital certificate may be used to sign orders for other substances including Schedule III through V controlled substances. DEA encourages the use of the DEA digital certificate to sign all controlled substances orders. Using a DEA issued digital certificate to order Schedule III through V substances provides the supplier with confirmation of the customer's registration status in compliance with 21 CFR 1301.74(a).

IV. Section by Section Discussion of the Proposed Rule

How Is the Proposed Rule Structured?

DEA is proposing to revise part 1305 and add a new part for digital certificates, new Part 1311, as follows:

  • DEA is proposing to revise the entire part 1305 to incorporate requirements for the use of electronic orders. Part 1305 requirements would be grouped into three subparts: Subpart A would include general requirements that apply to both Form 222 and electronic orders. Subpart B would include requirements for DEA Form 222 transactions. Subpart C would include requirements for electronic orders.
  • Part 1311--DEA is proposing to add a new part that would provide the requirements for the following:
    • Performance standards for electronic signatures and electronic transmission.
    • Applications for digital certificates.
    • Number of certificates required.
    • Renewal of certificates.
    • Safeguarding of certificates.
    • Use of digital signatures.
    • Software requirements for handling digital signatures.

In part 1305, Sections 1305.01 and 1305.02 remain unchanged.

Section 1305.03 is proposed to be revised to explain that either Form 222 or an electronic order that complies with part 1311 could be used.

Section 1305.04 is proposed to be revised to include the power of attorney requirements currently found in 21 CFR 1305.07.

Section 1305.05 is redesignated as 1305.11, and includes specific references to DEA Form 222.

Section 1305.06 is redesignated as 1305.12, and includes specific references to DEA Form 222.

Section 1305.07 is removed.

Section 1305.08 is redesignated as Section 1305.05, and includes specific references to DEA Form 222.

Sections 1305.09-1305.15 are redesignated as Sections 1305.13-1305.19, and include specific references to DEA Form 222.

Section 1305.16 is redesignated as Section 1305.06.

To accommodate the new electronic order requirements, Sections 1305.21-1305.28 are proposed to be added as follows:

Section 1305.21 discusses requirements for electronic orders.
Section 1305.22 discusses procedures for filling electronic orders.
Section 1305.23 discusses endorsing electronic orders.
Section 1305.24 discusses central processing of orders.
Section 1305.25 discusses unaccepted and defective electronic orders.
Section 1305.26 discusses lost electronic orders.
Section 1305.27 discusses preservation of electronic orders.
Section 1305.28 discusses canceling and voiding electronic orders.
Section 1305.29 discusses reporting electronic orders to DEA.

Part 1305 Distribution Table

Old section                                                   New section
1305.01--Scope of part 1305                                   1305.01--Scope of part 1305
1305.02--Definitions                                          1305.02--Definitions
1305.03--Distributions requiring order forms                  1305.03--Distributions requiring order forms
1305.04--Persons entitled to obtain order forms.              1305.04--Persons entitled to obtain and execute order forms.
1305.05--Procedure for obtaining order forms.                 1305.11--Procedure for obtaining DEA Forms 222
1305.06--Procedure for executing order forms.                 1305.12--Procedure for executing DEA Forms 222.
1305.07--Power of attorney                                    1305.04(c)--Power of attorney
1305.08--Persons entitled to fill order forms                 1305.05--Persons entitled to fill DEA Forms 222
1305.09--Procedure for filling order forms                    1305.13--Procedure for filling DEA Forms 222.
1305.10--Procedure for endorsing order forms.                 1305.14--Procedure for endorsing DEA Forms 222
1305.11--Unaccepted and defective order forms.                1305.15--Unaccepted and defective DEA Forms 222.
1305.12--Lost and stolen order forms.                         1305.16--Lost and stolen DEA Forms 222.
1305.13--Preservation of order forms.                         1305.17--Preservation of DEA Forms 222.
1305.14--Return of unused order forms.                        1305.18--Return of unused DEA Forms 222.
1305.15--Cancellation and voiding of order forms.             1305.19--Cancellation and voiding of DEA Forms 222.
1305.16--Special procedure for filling certain order forms.   1305.06--Special procedure for filling certain DEA Forms 222.

New sections (added)
1305.21--Requirements for electronic orders.
1305.22--Procedure for filling electronic orders.
1305.23--Endorsing electronic orders.
1305.24--Central processing of orders.
1305.25--Unaccepted and defective electronic orders.
1305.26--Lost electronic orders.
1305.27--Preservation of electronic orders.
1305.28--Cancelling and voiding electronic orders.
1305.29--Reporting to DEA

Part 1311 is proposed to be added to provide requirements for obtaining, handling, and using digital certificates. Note that DEA is proposing, in a separate notice, rules for obtaining, handling, and using digital certificates to sign controlled substance prescriptions. Because the requirements are the same in some instances, some of the proposed sections cover both orders and prescriptions.

Section 1311.01 discusses the scope of the new part.

Section 1311.02 is proposed to add definitions of the following:

  • Biometric authentication
  • Cache
  • Certification Authority
  • Certificate policy
  • Certificate revocation list
  • Digital certificate
  • Digital signature
  • Electronic signature
  • FIPS
  • Key pair
  • NIST
  • Private key
  • Public key

The definitions are taken from other government documents that define these terms.

Section 1311.05 proposes to specify the performance standards required for electronic signatures and transmission.

Section 1311.08 proposes to incorporate by reference FIPS 140-2, FIPS 180-1, and FIPS 186-2.

[[Page 38569]]

Section 1311.20 proposes to specify the application requirements for obtaining a digital certificate.

Section 1311.30 proposes to provide the requirements for using and storing a digital certificate.

Section 1311.40 proposes to specify the number of certificates needed.

Section 1311.45 proposes to specify when a new certificate must be obtained.

Section 1311.50 proposes to provide requirements for registrants that grant power of attorney authority.

Section 1311.55 proposes to specify requirements for recipients handling electronic orders prior to filling them.

Section 1311.60 proposes to specify software requirements for handling electronic orders.

Section 1311.65 proposes recordkeeping requirements.

Incorporation by Reference

The following standards are proposed to be incorporated by reference:

  • FIPS 140-2, Security Requirements for Cryptographic Modules.
  • FIPS 180-1, Secure Hash Standard.
  • FIPS 186-2, Digital Signature Standard.

These standards are available from the National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, MD 20899-8930 and are available at http://csrc.nist.gov/.

V. Required Analyses

Executive Order 12866

Under Executive Order 12866 (58 FR 51735, October 4, 1993), DEA must determine whether a regulatory action is "significant" and, therefore, subject to OMB review and the requirements of the Executive Order. The Order defines "significant regulatory action" as one that is likely to result in a rule that may:

(1) Have an annual effect on the economy of $100 million or more or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or state, local, or tribal government or communities.
(2) Create a serious inconsistency or otherwise interfere with an action taken or planned by another agency. 
(3) Materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof.
(4) Raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.

Since the proposed rule would not impose costs of $100 million a year and will in fact reduce the burden on DEA registrants, DEA does not consider this rule to be an economically significant regulatory action as defined. However, this rule has been reviewed by the Office of Management and Budget.

DEA did, in the course of developing the proposed rules, consider the costs and benefits of the proposed rule.

DEA registration figures indicate that approximately 101,000 registrants are likely to issue or fill orders. Those issuing orders include pharmacies, hospitals and clinics, practitioners, teaching institutions, exporters, researchers, chemical analysts, narcotic treatment programs, distributors, and manufacturers. Distributors, manufacturers, and importers fill most orders for Schedule I and II controlled substances. The universe of digital certificate holders is larger than the universe of registrants because everyone with power of attorney authority will need to obtain a digital certificate. For purposes of this analysis, DEA assumed that manufacturers and distributors would have an average of six certificate holders per registered location; pharmacies, hospitals, clinics, teaching institutions, and exporters, an average of two. The four chain pharmacies that process orders centrally for their 9,900 pharmacies are assumed to have six certificate holders each. All other registrants are assumed to have a single person associated with a registration seeking a digital certificate. Overall, DEA estimates that approximately 160,000 digital certificates will be requested.

The primary costs in the current system are completing the Form 222 and mailing it to the supplier, requisitioning Forms 222, entering the data from the form, annotating the forms, logging and tracking forms, archiving the annotated forms, and sending them to DEA. Table 1 shows the unit time estimates and costs for mailing orders and requisitions (Operations and Maintenance (O&M) costs). Table 2 presents the estimated total annual cost of the Form 222 system.

Table 1.--Unit Time and Fixed Cost Assumptions for Form 222

Activity                                             Hours    O&M cost
Purchaser:
  Requisition forms                                  0.05     $0.37
  Complete and express ship orders                   0.25     11.25
  Complete and mail orders                           0.25     0.37
  Annotate file                                      0.05
  Log and file forms                                 0.033
Supplier:
  Annotate forms                                     0.083
  Enter and file forms                               0.25
  Log and track forms, prepare for mailing to DEA    9        17.25

Table 2.--Total Annual Hours and Costs for the Form 222 System

Activity                        Total hours   Total labor cost   Total capital and O&M cost   Total
Completing and mailing orders     1,334,648       $100,232,000                   $5,853,000   $106,085,000
Requisitioning Form 222s              3,467            260,000                       26,000        286,000
Annotating and filing             2,224,413         99,364,000                      405,000     99,768,000
Sending orders to DEA                85,428          3,008,000                      164,000      3,172,000
Total                             3,647,956        202,864,000                    6,447,000    209,311,000

The proposed system of digital certificates would impose initial implementation costs and on-going costs. People seeking a digital certificate would have to complete the application, generate keys, learn how to use the

[[Page 38570]]

digital certificate, and implement the software systems to handle electronic orders. Based on a pilot project (67 FR 1507, January 11, 2002), DEA assumes that completing the application, which is primarily collecting paperwork, and generating keys and learning to use the system would take about 1.5 hours per applicant. DEA further assumes that a limited number of registrants (estimated at 256) would develop or purchase their software systems. These registrants are likely to be manufacturers, chain drug stores, and distributors. DEA assumes that they would provide the software to other registrants. The ongoing costs include the time required to digitally sign and validate the order and the time to annotate the order. Tables 3 and 4 provide the unit time estimates for initial and annual compliance of the electronic system. Tables 5 and 6 present total costs for initial and annual compliance.

Table 3.--Unit Time and Fixed Cost Assumptions for Electronic Orders--Initial Compliance

Task                            Entity         Hours/person   Fixed cost
Complete application            Supplier       0.72/1.24*
                                Purchaser
Generate keys                   Supplier       0.10
                                Purchaser
Learn to use system             Purchaser      0.417
                                Supplier
Implementing software           Supplier       40/firm
                                Purchaser      8.00/firm
                                Practitioner   0.50
Notarize and mail application                                 $2.37

* Higher value is for the CSOS coordinator.

Table 4.--Unit Costs for Electronic Orders--Annual Compliance

Activity                                     Entity        Unit hours
Signing orders                               Purchaser     0.006/order
Validating orders                            Supplier      0.004/order
                                             Purchaser     0.025/order
Annotating orders                            Supplier      0.042/order
Sending orders to DEA                        Supplier      0.05/every 2nd day
Renewing certificate                         Purchaser     0.083/person
                                             Supplier
Renewing certificate (every third renewal)   Purchaser     0.36 hour/person
                                             Supplier

Table 5.--Total Initial Compliance Hours and Costs for the Electronic Order System

Total hours   Total labor cost   Total capital and O&M cost   Total cost