CSOS Frequently Asked Questions
1) What is Drummond Group Inc. (DGI)?
Drummond Group Inc. (DGI) is an independent, privately held company that works with software vendors, vertical industries and the standards community to drive adoption of standards by facilitating vertical industry pilots, interoperability conformance testing and building competitive supply chain strategies. Founded in 1999, DGI is a recognized leader in linking horizontal infrastructure technologies, standards and interoperability issues with the needs of vertical industries such as retail, grocery, health care, transportation, government and automotive. For more information, please visit www.drummondgroup.com or email: info2@drummondgroup.com.
DGI's expertise in interoperability testing services and ebusiness standards is reflected in a series of research reports (http://www.drummondgroup.com/html-v2/research.html) designed to provide education and valuable insight into current technology issues and guidance to enterprises seeking the best solutions for their supply chains.
2) What is CSOS?
The Controlled Substances Ordering System (CSOS) is an electronic commerce initiative overseen by the U.S. Drug Enforcement Administration (DEA) which provides an automated alternative to the current paper-intensive process required for the purchase and distribution of Schedule I and II controlled substances.
In the current paper-based process, paper forms must be created or updated at every registered shipping location when controlled drugs are transferred. With CSOS, the DEA is defining a system based on digital signatures which allows the paper forms, known as DEA Form 222, to be replaced by digital messages often referred to as e222 or electronic 222 forms. Purchasers and suppliers may now use either method, paper-based or electronic forms, to fulfill the DEA requirements that prevent illegal diversion of controlled drugs.
The DEA proposed rule for CSOS includes technical and business requirements for products used to digitally sign, transmit or receive e222 forms. Software companies that provide these products must participate in an initial audit of the product and additional audits when changes are made to the core digital signing technology. End user companies that build in-house CSOS systems for digital signing, transmission or receipt of e222 forms also must be audited.
3) What is DGI's role with CSOS?
As an independent, neutral third party, DGI provides CSOS Auditing services certifying software products-with-version for compliance with the DEA rules in sections 1311.55(b) and 1311.55(c). CSOS Auditing Certification is proof that a software offering can enable purchasers and suppliers to interchange e222 forms in a predictable and secure manner compliant with DEA requirements.
In addition, DGI will continue to promote long-term interoperability of CSOS and related systems by working with the software vendor community and end-user corporations to combine DEA requirements with recommendations from industry consortia such as the Healthcare Distribution Management Association (HDMA) to promote implementation of CSOS-compliant production systems.
4) What is being audited?
The CSOS Audit is conducted on pre-installed, off-the-shelf commercial software or, in some cases, on systems built in-house by the end user.
5) Who needs to be audited?
The proposed rule requires that system developers and vendors be audited. If you are developing an in-house system that digitally signs, transmits or receives e222 forms, your system must also be audited. If you are purchasing a product that digitally signs, transmits or receives e222 forms, the software vendor that provides the system must be audited and must provide you with proof of certification for that product-with-version.
For both system developers and vendors, an additional audit is required whenever signing or verifying functionality is changed.
NOTE: All organizations handling Schedule I and II controlled substances remain ultimately responsible for ensuring that they fully comply with DEA regulations regarding the handling of Schedule I and II substances. Using software which has received CSOS certification does not, in and of itself, exempt an organization from this responsibility.
6) What is the importance of CSOS auditing?
The DEA requires that any application used to digitally sign, transmit and/or receive CSOS orders be audited by an independent third party. See Question 7 for more information.
7) What do I look for in a certifying organization?
The certifying organization should have experience in testing and auditing security related software standards, in particular the use of digital signature technology.
To remove the likelihood or appearance of biased auditing, certifying organizations should be verifiably neutral companies that do not themselves produce or market CSOS products and do not have business partnerships with companies that produce or market CSOS products.
The proposed rule requires the use of an independent third party in section 1311.55(d): "For systems used to process CSOS orders, the system developer or vendor must have an initial independent third-party audit of the system and an additional independent third-party audit whenever the signing or verifying functionality is changed to determine whether it correctly performs the functions listed under paragraphs (b) and (c) of this section."
8) What are the long-term strategies to enable CSOS interoperability?
The DEA has not specified, and likely will not specify in the future, exact message formats, exact transport methods or exact business process models for the exchange of e222 forms.
As the pharmaceutical industry begins to utilize CSOS, the need for interoperability will grow. These needs can be addressed through participation in the creation of common practices through industry consortia and through ongoing interoperability testing of common technologies as they are identified.
9) What are the steps to testing the DEA Audit requirements?
The security modules of a CSOS product-with-version must be FIPS 140-2 validated to at least Security Level 1 and must use FIPS-approved digital signature and secure hash algorithm implementations.
The auditing process verifies compliance with CSOS through a series of positive tests (operations that must succeed) and negative tests (operations that must be rejected) executed against the product-with-version. Please contact DGI to register for CSOS Auditing.
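To make the positive/negative testing idea concrete, the following is an added example written for this page; it is not DGI's audit procedure, DEA code, or any CSOS product's code. It signs a constructed order record with SHA-256 and ECDSA P-256 (chosen here only as examples of FIPS-approved hash and signature algorithms; the page does not name the algorithms CSOS products use), then runs one positive case and three negative cases of the kind an audit of signing and verifying functionality would exercise. The Order fields, the DEA-number-style strings and the in-process key generation are all assumptions for illustration, not the actual e222 record layout or a signer's actual CSOS credential.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Order is a constructed stand-in for the fields an electronic 222 order might
// carry. The real e222 record layout is not specified on this page (assumption).
type Order struct {
	PurchaserDEA string
	SupplierDEA  string
	NDC          string
	Quantity     int
}

// canonical produces the exact byte string that gets signed. Any change to a
// field changes these bytes, which is what lets Verify detect tampering.
func canonical(o Order) []byte {
	return []byte(fmt.Sprintf("purchaser=%s|supplier=%s|ndc=%s|qty=%d",
		o.PurchaserDEA, o.SupplierDEA, o.NDC, o.Quantity))
}

// Sign hashes the canonical order with SHA-256 and signs the digest with
// ECDSA over P-256, producing an ASN.1 DER encoded signature.
func Sign(priv *ecdsa.PrivateKey, o Order) ([]byte, error) {
	digest := sha256.Sum256(canonical(o))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest from the order as received and checks the
// signature against the claimed signer's public key.
func Verify(pub *ecdsa.PublicKey, o Order, sig []byte) bool {
	digest := sha256.Sum256(canonical(o))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// AuditResult records one test case: what the audit expects Verify to return
// and what it actually returned.
type AuditResult struct {
	Name   string
	Expect bool
	Got    bool
}

// Passed is true when the product behaved as the audit case requires.
func (r AuditResult) Passed() bool { return r.Expect == r.Got }

// RunAudit exercises signing and verifying with a positive case (a genuine
// signature must verify) and negative cases (a modified order, a signature
// from a different key, and a corrupted signature must all be rejected).
func RunAudit() ([]AuditResult, error) {
	purchaser, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// A second, unrelated key stands in for an impostor signer.
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}

	// Constructed sample order; the identifiers are placeholders, not real DEA numbers.
	order := Order{PurchaserDEA: "AB1234563", SupplierDEA: "CD7654321", NDC: "00000-0000-00", Quantity: 10}
	sig, err := Sign(purchaser, order)
	if err != nil {
		return nil, err
	}

	// Negative case inputs: a changed quantity and a signature with one bit flipped.
	tampered := order
	tampered.Quantity = 100
	corrupt := append([]byte(nil), sig...)
	corrupt[len(corrupt)-1] ^= 0x01

	results := []AuditResult{
		{"genuine signature verifies", true, Verify(&purchaser.PublicKey, order, sig)},
		{"tampered quantity is rejected", false, Verify(&purchaser.PublicKey, tampered, sig)},
		{"signature from wrong key is rejected", false, Verify(&other.PublicKey, order, sig)},
		{"corrupted signature is rejected", false, Verify(&purchaser.PublicKey, order, corrupt)},
	}
	return results, nil
}

// AllPassed reports whether every audit case behaved as expected.
func AllPassed(results []AuditResult) bool {
	for _, r := range results {
		if !r.Passed() {
			return false
		}
	}
	return true
}

func main() {
	results, err := RunAudit()
	if err != nil {
		panic(err)
	}
	for _, r := range results {
		fmt.Printf("%-40s expect=%-5v got=%-5v pass=%v\n", r.Name, r.Expect, r.Got, r.Passed())
	}
}
```

The negative cases are the ones that matter most in an audit: a product that verifies everything it is handed would pass the positive case and still be useless, so each expected rejection is checked explicitly rather than assuming that a successful signing round-trip implies correct verification.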
10) Where can I get more information about CSOS?
For more information about CSOS, please visit the DEA website:
http://www.deadiversion.usdoj.gov/ecomm/index.html
For more information about DGI testing, please visit: http://www.drummondgroup.com/html-v2/faq-retail-as2.html