FAQs on CSOS Auditing

Frequently Asked Questions

  1. What is Drummond Group, Inc. (DGI)?
  2. What is CSOS?
  3. Which CSOS services does DGI offer?
  4. What does an audit consist of?
  5. Who needs to be audited?
  6. What is the importance of CSOS auditing?
  7. What do I look for in a certifying organization?
  8. What are the steps to testing the DEA Audit requirements?
  9. Where can I get more information about CSOS?


1) What is Drummond Group Inc. (DGI)?

Drummond Group Inc. is the trusted interoperability test lab offering global testing services throughout the product life cycle. In addition to interoperability testing services, Drummond Group offers test lab services including CSOS auditing, QA, conformance, and test consulting. Founded in 1999, DGI represents best-of-breed on linking technologies, standards and interoperability issues with the needs of vertical industries such as automotive, consumer product goods, healthcare, financial services, government, petroleum, pharmaceutical and retail.

2) What is CSOS?

The Controlled Substances Ordering System (CSOS) is an electronic commerce initiative overseen by the U.S. Drug Enforcement Administration (DEA) which provides an automated alternative to the current paper-intensive process required for the purchase and distribution of Level I and II controlled substances.

In the current paper-based process, paper forms must be created or updated at every registered shipping location when controlled drugs are transferred. With CSOS, the DEA is defining a system based on digital signatures which allows for the paper forms, known as Form 222, to be replaced by digital messages often referred to as e222 or electronic 222 forms. Purchasers and suppliers may now use either of these methods, paper-based or electronic forms, to fulfill DEA requirements that prevent illegal diversion of controlled drugs.

The DEA proposed rule for CSOS includes technical and business requirements for products used to digitally sign, transmit or receive e222 forms. Software companies that provide these products must participate in an initial audit of the product and additional audits when changes are made to the core digital signing technology. End user companies that build in-house CSOS systems for digital signing, transmission or receipt of e222 forms also must be audited.

3) Which CSOS services does DGI offer?

As an independent, neutral third party, DGI offers two types of CSOS Services.

  1. DGI offers CSOS Auditing services certifying software products-with-version for compliance with DEA rules for sections 1311.55(b) and 1311.55(c). CSOS Auditing Certification is proof that software offerings can enable purchasers and suppliers to interchange e222 forms in a predictable and secure manner compliant with DEA requirements.
  2. In addition to CSOS Audits conducted with the highest level of assurance, Drummond Group also offers pre-audit consulting (conducted with minimal assurance) to work with companies that are developing CSOS implementations to ensure they are working towards CSOS compliance in the Audit.

4) What does an audit consist of?

The CSOS Audit is conducted on pre-installed, off-the-shelf commercial software or, in some cases, on systems built in-house by the end user. It consists of:

  • Confirmation that products-with-version have been issued seals of compliance to FIPS (Federal Information Processing Standards). FIPS sets best practices and prescribes specific computer software algorithms approved by the federal government to ensure data security.
  • The ability to digitally sign, transmit and receive e222 forms in a FIPS-enabled mode. Auditing will confirm that the products can perform digital signature functions while using only FIPS-required methods.
  • The ability of products to execute fundamental digital signature processing, including applying a digital signature, validating a business partner's digital signature using that business partner's public key, and validating message integrity.
  • The products' ability to recognize and act on invalid digital signatures and invalid digital certificates that have expired or have been revoked by the DEA.


5) Who needs to be audited?

The proposed rule requires that systems developers or vendors must be audited. If you are developing an in-house system that digitally signs, transmits or receives e222 forms, your system must also be audited. If you are purchasing a product that digitally signs, transmits or receives e222 forms, the software vendor that provides the system must be audited and provide you with proof of certification for that product-with-version.

For both systems developers and vendors, an additional audit is required whenever signing or verifying functionality is changed.

NOTE: All organizations handling Level I and II controlled substances are ultimately responsible for ensuring that they fully comply with DEA regulations regarding handling of Level I and II substances. Using software which has received CSOS certification in and by itself does not exempt organizations handling Level I and II controlled substances of this responsibility.

6) What is the importance of CSOS auditing?

The DEA requires that any applications used to digitally sign, transmit and/or receive CSOS orders must be audited by an independent third party. See question 7 for more information.

7) What do I look for in a certifying organization?

The certifying organization should have experience in testing and auditing security related software standards, in particular the use of digital signature technology. Drummond Group has audited the majority of the current CSOS software used in the Pharmaceutical Distribution Industry today!

To remove the likelihood or appearance of biased auditing, certifying organizations should be verifiably neutral companies that do not themselves produce or market CSOS products and do not have business partnerships with companies that produce or market CSOS products.

The proposed rule requires the use of an independent third party in section 1311.55(d): "For systems used to process CSOS orders, the system developer or vendor must have an initial independent third-party audit of the system and an additional independent third-party audit whenever the signing or verifying functionality is changed to determine whether it correctly performs the functions listed under paragraphs (b) and (c) of this section."

8) What are the steps to testing the DEA Audit requirements?

The security modules of a CSOS product-with-version must be FIPS 140-2 certified to at least Level I and must include FIPS Certified digital signature and secure hash algorithm implementations.

The auditing process will verify compliance to CSOS through a series of positive and negative physical tests of the product-with-version. Please contact DGI by email or by phone at 512-826-2938.

9) Where can I get more information about CSOS?

For more information about CSOS, please visit the DEA website: http://www.deadiversion.usdoj.gov/ecomm/index.html



Copyright © 2012 Drummond Group Inc.