CSOS Auditing Frequently Asked Questions (FAQs)
The Controlled Substances Ordering System (CSOS) is an electronic commerce initiative overseen by the U.S. Drug Enforcement Administration (DEA) that provides an automated alternative to the current paper-intensive process required for the purchase and distribution of Level I and II controlled substances.
In the current paper-based process, paper forms must be created or updated at every registered shipping location when controlled drugs are transferred. With CSOS, the DEA is defining a system based on digital signatures which allows for the paper forms, known as Form 222, to be replaced by digital messages often referred to as e222 or electronic 222 forms. Purchasers and suppliers may now use either of these methods, paper-based or electronic forms, to fulfill DEA requirements that prevent illegal diversion of controlled drugs.
The DEA proposed rule for CSOS includes technical and business requirements for products used to digitally sign, transmit or receive e222 forms. Software companies that provide these products must participate in an initial audit of the product and additional audits when changes are made to the core digital signing technology. End user companies that build in-house CSOS systems for digital signing, transmission or receipt of e222 forms also must be audited.
As an independent, neutral third party, Drummond offers two types of CSOS Services.
- Drummond offers CSOS Auditing services certifying software products-with-version for compliance with DEA rules for sections 1311.55b and 1311.55c. CSOS Auditing Certification is proof that software offerings can enable purchasers and suppliers to interchange e222 forms in a predictable and secure manner compliant with DEA requirements.
- In addition to CSOS Audits conducted with the highest level of assurance, Drummond also offers pre-audit consulting (conducted with minimal assurance) to work with companies who are developing CSOS implementations to ensure they are working towards the CSOS compliance in the Audit.
The CSOS Audit is conducted on pre-installed, off-the-shelf commercial software or in some cases, on in-house built systems by the end-user:
- Confirmation that products-with-version have been issued seals of compliance to FIPS (Federal Information Processing Standards). FIPS sets best practices and prescribes specific computer software algorithms approved by the federal government to ensure data security.
- The ability to digitally sign, transmit and receive e222 forms in a FIPS enabled mode. Auditing will confirm that the products can perform digital signature functions while using only FIPS required methods.
- The ability of products to execute fundamental digital signature processing including applications of digital signature, validating a business partner’s digital signature using that business partner’s public key and validation of message integrity.
- The products’ ability to recognize and act on invalid digital signatures and invalid digital certificates that have expired or have been revoked by the DEA.
The proposed rule requires that systems developers or vendors must be audited. If you are developing an in-house system that digitally signs, transmits or receives e222 forms, your system must also be audited. If you are purchasing a product that digitally signs, transmits or receives e222 forms, the software vendor that provides the system must be audited and provide you with proof of certification for that product-with-version.
For both systems developers and vendors, an additional audit is required whenever signing or verifying functionality is changed.
NOTE: All organizations handling Level I and II controlled substances are ultimately responsible for ensuring that they fully comply with DEA regulations regarding handling of Level I and II substances. Using software which has received CSOS certification in and by itself does not exempt organizations handling Level I and II controlled substances of this responsibility.
The certifying organization should have experience in testing and auditing security related software standards, in particular the use of digital signature technology. Drummond has audited the majority of the current CSOS software used in the Pharmaceutical Distribution Industry today!
To remove the likelihood or appearance of biased auditing, certifying organizations should be verifiably neutral companies that do not themselves produce or market CSOS products and do not have business partnerships with companies that produce or market CSOS products.
The proposed rule requires the use of an independent, third-party in section 1311.55(d): “For systems used to process CSOS orders, the system developer or vendor must have an initial independent third-party audit of the system and an additional independent third-party audit whenever the signing or verifying functionality is changed to determine whether it correctly performs the functions listed under paragraphs (b) and (c) of this section.”
The security modules of a CSOS product-with-version must be FIPS 140-2 certified to at least Level I and must include FIPS Certified digital signature and secure hash algorithm implementations.
The auditing process will verify compliance to CSOS through a series of positive and negative physical tests of the product-with-version. Please contact Drummond by email at firstname.lastname@example.org.