[Federal Register Volume 68, Number 124 (Friday, June 27, 2003)]
[Proposed Rules]
[Pages 38558-38581]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 03-16082]



[[Page 38557]]

-----------------------------------------------------------------------

Part VI

Department of Justice

-----------------------------------------------------------------------

Drug Enforcement Administration

-----------------------------------------------------------------------

21 CFR Parts 1305 and 1311

Electronic Orders for Controlled Substances; Proposed Rule and Notice


[[Page 38558]]


-----------------------------------------------------------------------

DEPARTMENT OF JUSTICE

Drug Enforcement Administration

21 CFR Parts 1305 and 1311

[Docket No. DEA-217P]
RIN 1117-AA60


Electronic Orders for Controlled Substances

AGENCY: Drug Enforcement Administration (DEA), Justice.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: DEA is proposing to revise its regulations to provide an 
electronic equivalent to the DEA official order form, which is legally 
required for all distributions involving Schedule I and II controlled 
substances. These proposed regulations will allow registrants to order 
Schedule I and II substances electronically and maintain the records of 
these orders electronically. The proposed regulations would reduce 
paperwork and transaction times for DEA registrants who handle, sell, 
or buy these controlled substances. This proposed rule has no effect on 
patients' ability to receive prescriptions for controlled substances 
from practitioners, nor on their ability to have those prescriptions 
filled at pharmacies. In fact, this rule will help to ensure the 
appropriate supply of controlled substances throughout the distribution 
system.

DATES: Written comments must be postmarked on or before September 25, 
2003.

ADDRESSES: Comments should be submitted to the Deputy Assistant 
Administrator, Office of Diversion Control, Drug Enforcement 
Administration, Washington, DC 20537, Attention: DEA Federal Register 
Representative/CCR.

FOR FURTHER INFORMATION CONTACT: Patricia M. Good, Chief, Liaison and 
Policy Section, Office of Diversion Control, Drug Enforcement 
Administration, Washington, DC 20537, Telephone (202) 307-7297.

SUPPLEMENTARY INFORMATION:

I. Background
    What is DEA's Legal Authority for these Regulations?
    What are the current requirements for distributing Schedule I 
and II controlled substances?
    Why is this level of control necessary?
    If the current system works to limit diversion, why is a change 
needed?
    What is the Electronic Signatures in Global and National 
Commerce Act?
II. Proposed Approach
    What is DEA's objective with this proposed rule?
    How did DEA develop its approach?
    What approach has DEA selected?
    Why are authentication, nonrepudiation, and message integrity 
requirements necessary?
    What existing technologies meet these proposed criteria?
    Why do other electronic signature systems not meet the 
performance standards?
    Why is a digital signature approach necessary?
    How is a digital certificate an electronic equivalent of a Form 
222?
    In simple terms, how does a digital signature work?
    In simple terms, how would this system work for the user?
    What is a Certification Authority and why is it needed?
    What would the Certification Authority do?
    Who would serve as the Certification Authority?
III. Discussion of the proposed rule on electronic orders
    A. Digital Certificates
    How are digital certificates obtained?
    Who are CSOS Coordinators and what is their role in the digital 
certificate enrollment process?
    How would a person obtain a digital certificate?
    Why does the application need to be notarized?
    How many certificates will be required?
    What is the renewal period for digital certificates?
    What are the requirements for companies that grant power of 
attorney to authorize use of their DEA registrations?
    What systems are required to use a digital signature?
    What systems are required to be able to process a digital 
signature?
    What are the FIPS Standards and why are they needed?
    How is it possible to determine whether a specific system meets 
these criteria?
    What are the requirements for safeguarding private keys?
    What are the conditions that would lead DEA to revoke a 
certificate?
    B. Orders
    What is DEA proposing for electronic orders?
    What are the differences between DEA Form 222 and electronic 
orders?
    What data must be included in an electronic order?
    How can electronic orders be annotated?
    Can an order be endorsed to another supplier?
    Can a centralized processing facility be used?
    What information is a supplier required to report to DEA?
    Why does the reporting period change for electronic orders?
    Can a digital certificate be used to sign orders for Schedule 
III through V controlled substances?
IV. Section by Section Discussion of the Proposed Rule
    How is the proposed rule structured?
    Incorporation by Reference
V. Required Analyses
    Executive Order 12866
    Regulatory Flexibility Act
    Small Business Regulatory Enforcement Fairness Act of 1996
    Paperwork Reduction Act
    Executive Order 12988
    Executive Order 13132
    Unfunded Mandates Reform Act of 1995

I. Background

What Is DEA's Legal Authority for These Regulations?

    DEA enforces the Controlled Substances Act (CSA) (21 U.S.C. 801 et 
seq.), as amended. DEA regulations implementing this statute are 
published in title 21 of the Code of Federal Regulations (CFR), part 
1300 to 1399. These regulations are designed to establish a framework 
for the legal distribution of controlled substances to deter their 
diversion to illegal purposes and to ensure that there is a sufficient 
supply of these drugs for legitimate medical purposes.

What Are the Current Requirements for Distributing Schedule I and II 
Controlled Substances?

    The CSA prohibits distribution of Schedule I and II controlled 
substances except in response to a written order from the purchaser on 
a form DEA issues (21 U.S.C. 828(a)). DEA issues Form 222 to 
registrants for this purpose, preprinting on each form the registrant's 
name, registered location, DEA registration number, schedules, and 
business activity. DEA serially numbers the forms and requires 
registrants to maintain and account for all forms issued. Executed and 
unexecuted Forms 222 must be available for DEA inspection. The CSA 
requires that executed Forms 222 be maintained for two years (21 U.S.C. 
828(c)).
    When ordering a Schedule I or II substance, the purchaser must 
provide two copies of the Form 222 to the supplier and retain one copy. 
Upon filling the order, the supplier must annotate both copies of the 
form with details of the controlled substances distributed, retain one 
copy as the official record of the distribution, and send the second 
copy of the annotated Form 222 to DEA. Upon receipt of the order, the 
purchasers must also annotate their copy, noting the quantity of 
controlled substances received and date of receipt.

Why Is This Level of Control Necessary?

    The purpose of DEA's regulations is to establish a framework for 
the legal distribution of controlled substances and to prevent their 
diversion to the illegal markets. Controlled substances are those 
substances listed in the schedules of the CSA and 21 CFR 1308.11-1308.15, 
and generally include 
narcotics, stimulants, depressants, hallucinogens, and anabolic 
steroids that have a high potential for abuse and dependency. DEA's 
regulations require that people involved in the manufacture, 
distribution, research, dispensing, import, and export of controlled 
substances register with DEA, keep track of all stocks of controlled 
substances, and maintain records to account for all stocks received, 
distributed, or otherwise disposed of. For Schedule I and II controlled 
substances, which have the highest potential for abuse and dependency, 
the CSA mandates that distribution can only occur in response to an 
order signed by the purchaser on a form issued to the purchaser by DEA. 
For other schedules, the law requires recordkeeping by both DEA-
registered parties.

If the Current System Works to Limit Diversion, Why Is a Change Needed?

    Although the current regulatory structure limits diversion, it does 
not address or provide for the use of modern computer technologies. DEA 
issued more than five million individual order forms in fiscal year 
2001. Using 2001 as an average year, because both the purchaser and 
supplier must maintain copies of the form for two years, the order 
system requires the maintenance of almost twenty million forms.
    Many, if not most, of the registrants using Form 222 place all of 
their other orders electronically. Many suppliers receive electronic 
notice from their purchasers of their intention to place Schedule I and 
II orders, but the orders cannot be filled until the supplier receives 
the DEA-issued Form 222 from the purchaser. The processing of the Form 
222 takes one to three days from the time the form is completed to the 
time the order is delivered; electronic orders can be processed and 
filled immediately. Industry has asked DEA to provide an electronic 
means to satisfy the legal requirements for order forms. This proposed 
rule is in response to that request and will not only satisfy the 
requirements for Schedule I and II transactions, but may also be used 
for Schedule III through V transactions. Use of this system for all 
controlled substances transactions will facilitate the verification and 
authentication of the registration status of customers.
    In addition, two recent laws, the Government Paperwork Elimination 
Act of 1998 (GPEA) and the Electronic Signatures in Global and National 
Commerce Act of 2000 (E-Sign) require Federal agencies to allow 
electronic recordkeeping and reporting and recognize electronic 
signatures.

What Is the Electronic Signatures in Global and National Commerce Act?

    The Electronic Signatures in Global and National Commerce Act of 
2000, commonly known as E-Sign, was signed into law on June 30, 2000. 
It establishes the basic rules for using electronic signatures and 
records in commerce. E-Sign was enacted to encourage electronic 
commerce by giving legal effect to electronic signatures and records 
and to protect consumers. E-Sign prohibits government agencies from 
denying the legal effect of electronic signatures and records of 
electronic commerce based solely on their electronic nature, but allows 
Federal, state, and local agencies to set performance standards where 
necessary to ensure record integrity and accessibility of records.
    Section 104(a) of E-Sign provides that, subject to the requirements 
of the Government Paperwork Elimination Act of 1998 (GPEA), ``* * * 
nothing in this title limits or supersedes any requirement by a Federal 
regulatory agency, self-regulatory organization, or State regulatory 
agency that records be filed with such agency or organization in 
accordance with specified standards or formats.'' The CSA and 
regulations require that distributions involving Schedule I or II 
controlled substances may be accomplished only when the orders are made 
on forms that DEA issued in triplicate to the purchaser and upon which 
DEA has imprinted the name of the purchaser (21 U.S.C. 828(d)(1) and 21 
CFR 1305.05(a)). The law further provides that ``* * * it shall be 
unlawful for any other person (A) to use such form for the purpose of 
obtaining controlled substances or (B) to furnish such form to any 
person with intent thereby to procure the distribution of such 
substances.'' (21 U.S.C. 828(d)(1)). Of the three copies of the form 
issued, the purchaser and the supplier must each maintain a copy, and 
the supplier must provide a copy to DEA following completion of the 
transaction (21 CFR 1305.13). The CSA and implementing regulations 
clearly establish a specified standard and format that must be adhered 
to in filing records of distributions of Schedule I and II controlled 
substances with DEA, which are not superseded by E-Sign. It should be 
noted that the filing requirement is subject to the requirements of 
GPEA, which requires, in part, that for certain governmental filings, 
an electronic means to satisfy the requirement must be established, to 
the extent practicable, by October, 2003. DEA does anticipate that the 
electronic means to satisfy the order form requirement that is being 
proposed in this rule will be in place by the GPEA deadline.

II. Proposed Approach

What Is DEA's Objective With This Proposed Rule?

    DEA's objective is to develop an approach for electronic orders 
that takes advantage of computer technology without compromising the 
effectiveness of the existing system to limit diversion of controlled 
substances.

How Did DEA Develop Its Approach?

    Before selecting an approach, DEA developed a set of basic 
performance standards that any electronic signature system would have 
to meet to serve as an electronic equivalent of the DEA Form 222 and 
reviewed all of the existing electronic signature technologies. DEA 
also met with representatives from a mix of manufacturers, 
distributors, pharmacies, and other interested parties to identify 
issues with the DEA Form 222 and to identify the information 
technologies (IT) registrants currently use in their ordering process. 
If the proposed rule is to provide the benefits that DEA and industry 
seek, the system should be compatible with existing information 
technology architectures and configurations. The results of DEA's 
meetings are summarized in two documents: Public Key Infrastructure 
Certificate Policy Requirements Analysis and Public Key Infrastructure 
Existing Network Infrastructure Analysis, which are available at 
http://www.deadiversion.usdoj.gov. Throughout the project, DEA has continued 
to meet with industry to discuss the requirements and to obtain more 
detailed technical input on how the proposed approach could be 
integrated with existing IT systems.

What Approach Has DEA Selected?

    DEA is proposing to include in the rule three performance standards 
that are necessary to ensure that the electronic system is 
substantially equivalent to the DEA Form 222: message/record integrity, 
authentication, and nonrepudiation. DEA has determined that of the 
existing electronic signature technologies, only digital signatures 
using certificates issued through a public key infrastructure (PKI) 
system, operated by DEA, provide for record integrity and can serve as 
the functional equivalent of the form that the CSA mandates DEA to 
provide. If other technologies are

[[Page 38560]]

identified that meet all of the performance standards, DEA will 
consider them and determine whether they could satisfy the CSA mandates 
with respect to order forms.
    The proposed rule would not mandate the use of an electronic 
system, but would provide registrants with an alternative to DEA Form 
222. A DEA-issued digital certificate would contain the information 
that DEA preprints on a Form 222. Each registrant who wants to order 
Schedule I or II controlled substances electronically would need to 
apply to the DEA Certification Authority (CA) for a digital 
certificate.

Why Are Authentication, Nonrepudiation, and Message Integrity 
Requirements Necessary?

    The CSA requires that Schedule I or II controlled substances be 
distributed only in response to signed orders submitted by purchasers 
on a form issued to them by DEA. The paper Form 222 offers a level of 
authentication because DEA issues the form only to a valid registrant 
who is authorized to place the order. Further the order form is bound 
to a specific registrant and location preprinted by DEA on the form. 
The registrant's manual signature on the form provides the element of 
nonrepudiation. The existence of multiple copies held by separate 
parties ensures the integrity of the document.
    With electronic transmission, the importance of authentication, 
nonrepudiation, and message integrity, criteria the current system 
meets, is magnified. It is not difficult to send electronic messages in 
other people's names or intercept, duplicate, or alter messages. Image 
files and read-only files are now relatively easy to copy, alter, and 
replace. If purchasers and suppliers are to be able to use computer 
technology for controlled substance orders, it is critical that they be 
able to trust the system. Suppliers and purchasers must trust that an 
order has not been altered during transmission. Suppliers must trust 
that the purchaser who signed the order is who he or she claimed to be. 
They (and DEA) must be certain that an order they sign or receive has 
not been altered and that no one other than an authorized, DEA-
registered purchaser could have sent it.
    None of the three characteristics is sufficient by itself. If a 
technology provided nonrepudiation and authentication of the signature, 
but the message could be altered, the nonrepudiation and authentication 
would be questionable. For example, if the identity of a purchaser was 
verified and a purchaser used a biometric to electronically sign an 
order, but the document could be altered either during transmission or 
after receipt by the supplier, the purchaser could repudiate the 
document even though it could be proved that a specific registrant had 
signed it. If the message could not be altered, but the identity of the 
signature holder had never been verified or the password or signing key 
could be used by anyone, the integrity of the message would also be 
questionable. In this case, you could prove that a specific order had 
been sent, but not who had actually sent it. To retain the integrity of 
the diversion control system, it is necessary to establish specific 
performance criteria with minimum acceptable standards for any 
technology that is to be used for signing Schedule I and II controlled 
substance orders.

What Existing Technologies Meet These Proposed Criteria?

    At present, only a digital signature based on a public key 
infrastructure (PKI) would provide the authentication, nonrepudiation, 
and message integrity that are necessary to protect these 
communications and prevent alteration of the documents. In a June 2000 
report, ``The Evolving Federal Public Key Infrastructure,'' the Federal 
Public Key Infrastructure Steering Committee described the benefits PKI 
provides as follows:

    Public key technology provides a mechanism to authenticate users 
strongly over closed or open networks, ensure integrity of data 
transmitted over those networks, achieve technical nonrepudiation 
for transactions, and allow strong encryption of information for 
privacy/confidentiality or security purposes. Strongly 
authenticating users is a critical element in securing any 
infrastructure; if you cannot be certain with whom you are dealing, 
there is substantial potential for mischief. Ensuring data integrity 
of data from end-user to end-user makes it more difficult for data 
substitution attacks aimed at servers or hosts to succeed. Technical 
nonrepudiation binds a user to a transaction in a fashion that 
provides important forensic evidence in the event of a later 
problem. Encryption protects private information from being divulged 
even over open networks.

    PKI systems are based on asymmetric cryptography: the holder of the 
digital certificate has a private key, which only the certificate 
holder can access, and a public key, which is available to anyone. What 
one key encrypts, only the other key can decrypt. The public key is 
derived from the private key, but it is computationally infeasible to 
recover the private key from the public key. Only one public key will 
validate signatures made using its corresponding private key. Because 
the private key is held by only one person, it is that person's 
responsibility to ensure that it is not divulged or compromised. The 
method in which PKI systems ensure the integrity of the message is 
explained in detail in the section entitled ``In simple terms, how does 
a digital signature work?''
    A PKI system is more than cryptographic keys. The infrastructure 
component (the ``I'' in PKI) is critical to meeting the criteria for 
authentication, integrity and nonrepudiation. PKI systems are operated 
by a Certification Authority (CA), which is responsible for verifying 
the identity of any applicant for a digital certificate, maintaining 
security, establishing the responsibilities of certificate holders, and 
maintaining a public directory of public keys and an up-to-date 
certificate revocation list. The Certification Authority is a trusted 
third party. Suppliers and purchasers need only trust the CA, in this 
case DEA, to be able to trust each other.

Why Do Other Electronic Signature Systems Not Meet the Performance 
Standards?

    Other technologies create signatures that are generically referred 
to as electronic signatures. DEA investigated other electronic 
signature technologies, but determined that none of them met all three 
performance criteria. Common electronic signature systems include 
symmetric cryptography technologies and non-cryptographic methods. Any 
of the systems may provide for authentication if the controlling 
authority takes steps to verify the identity of the person using a 
cryptographic key or password, but this verification is not usually a 
key element of systems based on electronic signature technologies. 
Electronic signature systems that rely on symmetric cryptography, where 
both parties to the transaction use the same key, do not meet the 
standard of nonrepudiation. The Federal Public Key Infrastructure 
Steering Committee also noted that symmetric cryptography technology is 
not suitable for systems that have more than a few users.
    None of these electronic signature technologies, by themselves, 
including biometrics, provide for record integrity. With any of the 
existing electronic signature technologies, there would be no assurance 
that the record had not been altered during or after transmission.

Why Is a Digital Signature Approach Necessary?

    After reviewing options, DEA determined that a digital certificate 
issued by DEA is the only ``electronic signature'' technology that meets 
the dual requirements:
    • The digital certificate provides the message/record 
integrity, authentication, and nonrepudiation that DEA has determined 
are necessary to tie these communications to a specific person and 
prevent alteration of the documents. These standards are substantially 
related to achieving diversion control.
    • The digital certificate would be the functional equivalent 
of the paper order form, which the CSA requires DEA to issue.
    The digital certificate system DEA is proposing would establish an 
electronic alternative to Form 222 for Schedule I and II controlled 
substances that will allow registrants to retain their current ordering 
systems. Instead of an electronic form, the DEA Certification Authority 
will issue digital certificates, which will serve as an electronic 
equivalent of the Form 222.

How Is a Digital Certificate an Electronic Equivalent of a Form 222?

    The key elements of a Form 222 are that DEA issues them only to 
registrants authorized to order Schedule I and II controlled substances 
and preprints the forms with information that ties the form to a 
specific registrant and location. Only digital certificates issued by 
DEA under the same circumstances as the Form 222 will be allowed for 
signing electronic orders for Schedule I and II controlled substances. 
All of the information currently preprinted on the Form 222 will be 
part of the digital certificate extension data, which will be included 
on each order that is digitally signed. The digital certificate 
attached to an electronic order with the digital signature will create 
the equivalent of the Form 222. To accept an order, the supplier's 
software must perform the validation functions, thus confirming that 
the purchaser is authorized by DEA to order the specified schedules of 
controlled substances.
    This approach will allow registrants to use their current 
electronic order systems provided the systems can be enabled to accept 
and validate the DEA-issued digital certificate/signature information 
and the orders include the information currently required on a Form 
222. DEA has been working with industry to develop code to enable 
existing systems to reduce the cost of implementation.
    DEA will not limit digital certificates to those registrants 
authorized to order Schedule I and II controlled substances. Any DEA 
registrant eligible to order controlled substances will be able to 
obtain a DEA-issued digital certificate; the certificate extension data 
will inform the supplier which schedules a purchaser is authorized to 
order. Although the digital certificates would be required for signing 
and transmitting electronic orders for Schedule I or II controlled 
substances, DEA will encourage registrants to use the certificates to 
sign all electronic orders for controlled substances. Using the DEA-
issued certificates will reduce the burden on suppliers, who must 
verify the purchaser's DEA status; the certificate extension data and 
the validity of the certificate will provide this information.

In Simple Terms, How Does a Digital Signature Work?

    This section provides a simplified description of how a digital 
signature system works. Each certificate holder would have a public 
key, available to anyone, and a private key, which the certificate 
holder must keep secure. The two keys are used by an asymmetric 
encryption algorithm; what one key encrypts, only the other key can 
decrypt. The two keys are different, and the private key cannot 
practically be derived from the public key.
    When the certificate holder digitally signs an order, the PKI-
enabled software runs the text of the order through a complex algorithm 
that creates a fixed length digest of the document (called a hash). The 
hash is a compact representative image of the document that is often 
referred to as a document ``fingerprint.'' The software then uses the 
private key to encrypt the hash; the encrypted hash is the digital 
signature.
    The purchaser's software transmits a plain text order with the 
encrypted hash and the sender's digital certificate to the supplier. 
When the supplier receives the document, the supplier's software would 
use the sender's public key, which is part of the certificate, to 
decrypt the digital signature and recover the hash the purchaser 
signed. The supplier's software would then use the same hashing 
algorithm the purchaser used to create a second digest (hash) of the 
plain text document received and compare the two values. They match 
only if the signature was produced with the private key that 
corresponds to the public key in the certificate and the document is 
exactly the text that was signed. If the signature was made with any 
other key, or if even a single space or letter in the document has 
been changed, the hashes would not match and the document must be 
considered invalid.
    The power of the digital signature approach is that it provides for 
authentication, nonrepudiation, and message/record integrity. The 
supplier can be certain that only a specific certificate holder could 
have signed the document (because the Certification Authority verified 
the identity before issuing the certificate and because the public key 
decrypted the signature) and that the document has not been altered in 
transmission (because the hashes match). In addition, the other 
information included in the digital certificate attached to the order 
(name, address, DEA registration number, business activity, schedules, 
and expiration date) provides the supplier an instant source of 
information to verify the sender's right to issue and sign the order. 
The system also would automatically check the certificate revocation 
list to be sure that the certificate is still valid.
    For a more complete discussion of the technical details of digital 
signatures, and a complete list of approved algorithms, see the Federal 
Information Processing Standard (FIPS) 186-2. The description above of 
``encrypting'' the hash with the private key is literally true only for 
RSA; with the DSA and ECDSA algorithms that FIPS 186-2 also approves, 
the private key produces a signature value that the public key verifies 
against the hash rather than decrypts. The check the supplier performs 
is the same in every case: the signature must correspond to the hash of 
exactly the text received.

In Simple Terms, How Would This System Work for the User?

    Practical implementations of PKI technology are typically simple 
and transparent for the user, despite the complex technologies 
involved. The complex parts of the system are automatically handled by 
the software system.
    The steps a user would take are as follows:
    • To obtain a digital certificate, a DEA registrant or a 
person granted power of attorney authority to obtain and sign Schedule 
I and II orders for a registrant would submit proof of identification 
and proof of a current DEA registration to the Certification Authority 
(CA). The applicants would also have to install software to PKI-enable 
their computers or ensure that their network browsers are PKI-enabled. 
Most recent versions of Internet browsers are PKI-enabled.
    • Once the CA verifies the identification, the CA would send 
the applicant a one-time use access code and password via separate 
channels. The applicant would use the PKI software to generate a key 
pair (public and private keys) and access the Certification Authority 
electronically using the access code and password to request a 
certificate. These keys would be stored in the applicant's computer or 
on a FIPS 140-2 approved secure hardware device. Once the keys are 
generated, the applicant must prove to the Certification Authority that 
he or she possesses the private key. For signature public keys, the 
corresponding private key must sign the certificate request; 
verification of that signature using the public key in the request 
serves as proof of possession of the private key. The user would not 
need to learn the keys. The user would employ an authentication 
mechanism to access the private key. The authentication mechanism could 
be a user name and password. Although DEA is not requiring use of 
biometrics, DEA recognizes the advantages of biometric passwords to 
ensure that a private key cannot be shared and suggests that 
registrants consider their use.
    • When the users want to digitally sign an order, they would 
authenticate themselves to access the private key to sign the document. 
Specific procedures may vary depending on the exact nature of the 
system employed, but basically, once the certificate holder has 
accessed the private key, a single key stroke would ``sign'' the 
document. At the keystroke, the software would perform the hashing 
functions and encryption, attach the encrypted hash and digital 
certificate to the plain text order, and transmit.
    At the supplier end, the steps are equally simple:
    • The supplier would receive the order electronically. The 
digital certificate attached to the order would contain the information 
necessary for the supplier to determine whether the person is eligible 
to write the order received.
    • The supplier would validate the order.
    • The supplier's software would automatically check the 
certificate revocation list to verify that the user's certificate had 
not been revoked. It would also verify that the certificate was signed 
by the DEA CA, that is, that the DEA CA's public key validates the 
signature on the certificate.
    • The software would use the sender's public key to decrypt 
the signature, obtain the hash, and automatically compare it with the 
hash of the plain text message generated by the supplier's software to 
determine if the file had been altered.
    • The software system would check the expiration date on the 
certificate to ensure that the certificate had not expired when the 
order was signed.
    • The software would compare the controlled substances 
ordered with the schedules listed in the certificate to verify that the 
certificate holder is authorized to order the schedule.
    • Only if all the checks indicate a valid order would the 
system indicate that the order was valid.
    The supplier's system would have to require that all authentication 
and validation steps be carried out before allowing the order to be 
processed.

What Is a Certification Authority and Why Is It Needed?

    In the Form 222 system, DEA issues the forms to registrants, 
providing assurance to suppliers that the orders they receive are from 
registrants authorized to order Schedule I and II controlled 
substances. In a PKI system, a Certification Authority (CA) acts as a 
credible and neutral trusted third party and is central to the 
operation of the digital certificates. Each party (the certificate 
holder and recipient of a digitally signed document) relies on the CA. 
If they trust the CA, they can trust the certificates the Certification 
Authority issues. Without a trusted third party, each recipient would 
have to determine whether each sender could be trusted. A Certification 
Authority makes it possible for a recipient to receive orders from 
persons who have never before placed orders with them and quickly 
determine whether the person has a right to order the substance. This 
process is similar to the Form 222 issued by DEA, which contains 
preprinted registrant information, including the registrant's name, 
address, DEA registration number, and schedules.

What Would the Certification Authority Do?

    The Certification Authority would enroll certificate holders and 
verify the identity of an applicant and the applicant's DEA status 
before issuing a certificate. The Certification Authority would 
maintain a public directory of certificate holders' public keys and a 
Certificate Revocation List (CRL), both of which recipients of 
digitally signed documents must check to verify the validity of a 
certificate. The Certification Authority would operate under a publicly 
available Certificate Policy, a set of rules that covers subjects such 
as obligations of the Certification Authority, the certificate holders, 
and those relying on the Certification Authority for validation; 
enrollment and renewal procedures; operational requirements; security 
procedures; and administration.

Who Would Serve As the Certification Authority?

    Because a digital certificate is the functional equivalent of a 
Form 222 that DEA is required to issue, only DEA can serve as the 
Certification Authority for issuing digital certificates for signing 
electronic orders for Schedule I and II controlled substances. 
Registrants and their designated power of attorney holders (POA) who 
are eligible to sign Forms 222 would apply to the DEA Certification 
Authority and obtain a digital certificate from it. DEA proposes to act 
in this capacity either directly or through a contractor.

III. Discussion of the Proposed Rule on Electronic Orders

A. Digital Certificates

How Are Digital Certificates Obtained?

    Anyone eligible to sign orders for controlled substances would be 
able to apply to the DEA Certification Authority for a digital 
certificate. Under the current rules, DEA requires only orders for 
Schedule I and II substances to be signed. That requirement will not 
change. DEA recognizes, however, that registrants who order or fill 
orders for Schedule III-V substances may want the ability to digitally 
sign these orders. The digital certificate attached to a digitally 
signed order would provide the supplier with instant verification of 
DEA status, which suppliers are required to make a good faith effort to 
determine. Consequently, DEA intends to make digital certificates 
available to registrants who are eligible to order only Schedule III 
through V substances and to employees at Schedule II through V 
registrants who are authorized to issue only Schedule III through V 
orders. The requirements for applying for a digital certificate would 
be the same for any applicant.

Who Are CSOS Coordinators and What Is Their Role in the Digital 
Certificate Enrollment Process?

    CSOS Coordinators are one or more responsible persons designated by 
a DEA registrant to serve as that registrant's recognized agent 
regarding issues pertaining to issuance of, revocation of, and changes 
to digital certificates issued under that registrant's DEA 
registration. These individuals serve as knowledgeable liaisons between 
one or more DEA registered locations and the CSOS Certification 
Authority. While the CSOS Coordinator is the main point of contact 
between the DEA Certification Authority and the DEA registrant, all 
digital certificate activities are the responsibility of the registrant 
with whom the digital certificate is associated. To that end, the CSOS 
Certification Authority will communicate with the CSOS Coordinator 
regarding digital certificate applications, renewals, revocations, and 
other matters. Even when an individual registrant, i.e., an individual 
practitioner, is applying for a digital certificate to order controlled 
substances, a CSOS Coordinator must be designated. It is acceptable to 
have the person applying for the registrant digital certificate also 
be designated as the CSOS Coordinator. Once 
designated, the registrant's CSOS Coordinator must identify him or 
herself to the Certification Authority through an application process. 
If a change occurs regarding persons designated as CSOS Coordinators, 
or if a change occurs regarding the registered locations for which a 
CSOS Coordinator is responsible, the Certification Authority must be 
notified. For applicants applying for a CSOS digital certificate, and 
for applicants applying for CSOS power of attorney for a DEA 
registrant, the CSOS Coordinator must verify the applicant's identity, 
review and approve the application package, and submit the completed 
package to the Certification Authority.

How Would a Person Obtain a Digital Certificate?

    An applicant for CSOS Coordinator, an applicant for a digital 
certificate for signing controlled substance orders, or an applicant 
for power of attorney would have to submit the following documentation:
    [sbull] A completed application form (form provided by the 
Certification Authority).
    [sbull] A copy of a government-issued photographic identification 
and of a second identification.
    [sbull] For CSOS Coordinators, a copy of each current DEA 
Certificate of Registration for which the Coordinator will be 
responsible (DEA form 223), if available, or, if the applicant (or 
their employer) has not been issued a DEA registration, the application 
for DEA registration of the applicant or the applicant's employer.
    [sbull] For individuals with power of attorney (POA) to sign 
controlled substances orders, a copy of the power of attorney 
indicating which schedules the person is authorized to order.

    For persons applying as CSOS Coordinators, the completed package 
must be notarized. For persons applying for digital certificates as DEA 
registrants and for persons applying for digital certificates as powers 
of attorney for DEA registrants, the completed package must be provided 
to the registrant's designated CSOS Coordinator who will review and 
approve the application and send it to the Certification Authority. 
Because the application includes signed letters and statements, as well 
as notarization (for CSOS Coordinators only), the application would 
have to be submitted on paper.
    If the Certification Authority approves an application, the 
applicant would receive an access code and password. The access code 
and password would be sent in two segments, each sent by a different 
method. For example, the access code may be mailed while the password 
is e-mailed. The access code and password would be used to submit an 
electronic request for a digital certificate. Prior to submitting the 
request, the applicant would have to obtain software that PKI-enables 
its system and that can generate the public and private key; most 
Internet browsers have this capability. The software would generate a 
public and private key pair. The public key is transmitted to the 
Certification Authority. The Certification Authority would then issue a 
signed digital certificate associated with the applicant's public key 
and a copy of the Certification Authority's public key certificate.
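The proof-of-possession step described in Part II (the private key signs the certificate request, and the Certification Authority verifies that signature with the public key carried in the request) is the security core of the enrollment flow just described: the applicant's software generates the key pair locally, and only the public half and the signed request reach the CA. The following Go program is an added example written for this page, not the DEA Certification Authority's software. It models the "electronic request for a digital certificate" as a PKCS#10 certificate request, uses a constructed applicant name, and includes a deliberately altered copy of the request to show what the CA sees when the request and its signature no longer agree. The access code and password exchange is not modelled.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// NewEnrollmentRequest is the applicant's side: the key pair is generated locally and only the
// PKCS#10 request, signed with the private key, is sent on to the Certification Authority.
func NewEnrollmentRequest(commonName string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// ProofOfPossession is the CA's side: parse the request and verify its signature with the public
// key it carries. Success shows the applicant controls the matching private key without the key
// ever being disclosed; failure means the request must not be turned into a certificate.
func ProofOfPossession(csrDER []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("request does not parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr, nil
}

// TamperedCopy is constructed for the demonstration only: it changes one letter of the subject
// name inside the DER so the request still parses but no longer matches its signature.
func TamperedCopy(csrDER []byte, commonName string) []byte {
	out := append([]byte(nil), csrDER...)
	if i := bytes.Index(out, []byte(commonName)); i >= 0 {
		out[i] ^= 0x02 // maps a lowercase letter to a neighbouring letter, so it stays printable
	}
	return out
}

func main() {
	_, der, err := NewEnrollmentRequest("constructed-applicant")
	if err != nil {
		panic(err)
	}
	_, okErr := ProofOfPossession(der)
	_, badErr := ProofOfPossession(TamperedCopy(der, "constructed-applicant"))
	fmt.Println("intact request accepted:", okErr == nil, "| altered request rejected:", badErr != nil)
}
```

The point for the CA is that the check is on the request as received, not on anything the applicant asserts: if the subject data or the public key in the request differ from what the private key signed, CheckSignature fails and no certificate is issued.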

Why Does the Application Need To Be Notarized?

    DEA is proposing that the application for registrant CSOS 
Coordinators be notarized to ensure that the person presenting the 
photo ID is in fact the person signing the application and to legally 
tie the person signing the application to it. CSOS Coordinators serve 
as their registrant's recognized agent regarding issues pertaining to 
issuance of, revocation of, and changes to digital certificates issued 
under that registrant's DEA registration. While all digital certificate 
activities are the responsibility of the registrant with whom the 
digital certificate is associated, within the Controlled Substances 
Order System DEA is placing a high level of trust in the CSOS 
Coordinators associated with each DEA registrant. DEA and its 
Certification Authority must trust the information CSOS Coordinators 
provide to DEA and must trust the actions requested by CSOS 
Coordinators of DEA and its Certification Authority. DEA recognizes 
that notaries may not be able to determine whether the photo ID is 
real. Some state driver's licenses can be obtained in other names with 
relative ease. The package, however, includes not just the photo ID, 
but also copies of each of the registrant's Certificates of 
Registration (DEA form 223) for which the CSOS Coordinator will be 
responsible. These requirements will make it harder for someone to 
present fraudulent information to pose as a CSOS Coordinator with its 
attendant rights and responsibilities.

How Many Certificates Will Be Required?

    The CSA requires that each location where controlled substances are 
manufactured, distributed, or dispensed have a separate registration. 
Forms 222 are issued to specific registrants at specific locations. The 
CSA also requires that where independent controlled substances 
activities occur at the same location (e.g., manufacturing and 
importation), separate registrations for each activity be maintained at 
the location. To be the equivalent of a Form 222, a digital certificate 
must also be registrant and location specific. Consequently, separate 
digital certificates are required for each DEA registration and for 
each individual authorized to sign orders for each location.
    DEA is aware that some large distributors and chain pharmacies have 
central inventory control and process all orders from a single 
location. At present, these central locations maintain the supplies of 
Form 222 for each of their pharmacies or warehouses and place the 
orders on the appropriate preprinted form. These registrants have asked 
whether it would be possible to have a single digital certificate 
associated with multiple registered locations to ease the burden of 
maintaining multiple certificates. Because a digital certificate is 
linked to one DEA registration number the certificate must be bound to 
the location associated with the registration. It will be possible to 
have multiple certificates linked to a single registration (e.g., 
multiple people with POA for a registrant), but a certificate cannot be 
linked to multiple registered locations. To serve as the electronic 
equivalent of a Form 222, the digital certificate must be as location-
specific as the Form 222.
    DEA recognizes that in cases of central ordering systems, a single 
POA may have to obtain more than a thousand separate certificates. DEA 
is proposing two steps that will reduce the burden on these POAs. 
First, POAs applying for multiple certificates would be able to submit 
a single application with a list of the DEA registration numbers for 
which they are applying for certificates. This process would be similar 
to batch renewals of registrations.
    A second step would reduce the burden of obtaining the 
certificates. Normally, each certificate has to be generated 
separately. The POA would have to obtain separate access codes from the 
CA, generate the keys, and access the CA for each certificate. This 
process takes about five minutes per certificate. To reduce the burden 
for POAs applying for large numbers of certificates, DEA is proposing 
to provide software that would include the access codes and functions 
for key generation. The registrant could then install the software and 
allow it to contact the CA and generate all of the certificates 
automatically without the applicant having to enter codes individually. 
DEA believes that these steps will facilitate the application and 
certificate generation process while retaining the basic integrity of 
the Form 222 system that links every order to a specific registered 
location.

What Is the Renewal Period for Digital Certificates?

    Digital certificates must be renewed when the DEA registration 
expires. DEA considered requiring annual renewal of digital 
certificates, which is the current industry practice. DEA determined, 
however, that this frequency was not necessary to maintain the security 
of the system and is proposing that certificates be valid for the life 
of the registrant's DEA registration. Certificates cannot be valid 
beyond the life of a DEA registration because the certificate's 
validity is based on having an active DEA registration. Practically, 
therefore, manufacturers, distributors, exporters, researchers, 
chemical analysts, and narcotic treatment programs would have to renew 
annually because their DEA registrations are valid for one year. 
Pharmacies, institutional practitioners, teaching institutions, and 
individual practitioners would have to renew every three years.
    The Certification Authority would notify certificate holders of the 
need to renew the certificate. DEA would permit the digital certificate 
to be renewed online twice after the original application process, so 
long as the certificate holder applies for renewal before the DEA 
registration and digital certificate expire. Upon the third renewal 
request, the digital certificate holders must re-establish their 
identity using the initial application process. Although this process 
is considered a renewal because a new application is not needed, at 
each renewal a new key pair would be generated and a new 
certificate issued. The Certification Authority would arrange a simple 
online process to renew a certificate. When a certificate holder files 
a renewal request before the DEA registration expires, DEA would not 
issue the new certificate until the Certification Authority has 
determined that the DEA registration on which the certificate is based 
has been renewed.
    If the certificate holder fails to apply for a new certificate 
before the date on which the DEA registration expires, the certificate 
holder would have to submit a new application for a certificate, 
including all of the documents required for an initial application. The 
same is true if the certificate holder's digital certificate is revoked 
for any reason.

What Are the Requirements for Companies That Grant Power of Attorney to 
Authorize Use of Their DEA Registrations?

    As noted above, all registrants must designate a CSOS Coordinator 
to serve as the registrant's recognized agent regarding issues 
pertaining to issuance of, revocation of, and changes to digital 
certificates issued under that registrant's DEA registration. One of 
the responsibilities of the CSOS Coordinator is to oversee the 
application process for persons applying for a digital certificate as 
powers of attorney for a registrant. The CSOS Coordinator(s) will be 
responsible for ensuring that those persons applying for power of 
attorney authority are permitted by the registrant to possess such 
authority. DEA believes that the designation of CSOS Coordinators will 
streamline the power of attorney application process and will provide a 
safeguard to ensure that only personnel authorized by the registrant 
are granted power of attorney digital certificates.
    Registrants who grant power of attorney status to certain employees 
to sign orders would be required to do the following:
    [sbull] Provide a letter granting power of attorney to be submitted 
with the person's application for a digital certificate.
    [sbull] Read the statement of registrant obligations regarding 
power of attorney contained in the subscriber agreement provided by the 
Certification Authority and sign a statement agreeing to meet the 
obligations.
    [sbull] Ensure that powers of attorney use their digital 
certificates appropriately.
    [sbull] Notify the Certification Authority, through the CSOS 
Coordinator responsible for the registered location at which the power 
of attorney works, within 6 hours of revocation of the power of 
attorney.
    [sbull] Notify the Certification Authority, through the CSOS 
Coordinator responsible for the registered location at which the power 
of attorney worked, within 6 hours of the time the person leaves the 
registrant's employ.
    The obligations in the statement of registrant obligations are 
basically to oversee the use of certificates to ensure that they are 
used only by the certificate holder and to notify the Certification 
Authority if a certificate holder is no longer authorized to use the 
registrant's DEA number to order controlled substances.

What Systems Are Required To Use a Digital Signature?

    Any system enabled to handle digital signatures may be used 
provided it meets the following requirements:
    1. The cryptographic module must be FIPS 140-2 validated.
    2. The digital signature system must be FIPS 186-2 validated and 
use the RSA algorithm.
    3. The hash function must be FIPS 180-1 validated.
    4. The system must control the activation of the private key with 
an authentication mechanism.
    5. The system must employ a ten-minute inactivity time period after 
which the certificate holder must re-authenticate to access the private 
key.
    6. For software implementations, when the signing module is 
deactivated, the system must clear the plain text private key from the 
system memory to prevent the unauthorized access to, or use of, the 
private key.
    7. The system must digitally sign and transmit the electronic 
order.
    8. The system must communicate with the Certification Authority 
directory.
    9. The system must have a time system that is within five minutes 
of the official National Institute of Standards and Technology (NIST) 
time source.
    10. The system must archive digitally signed files.
    11. The system must create an order that includes the data fields 
listed in proposed Sec. 1305.21(b)--these fields are the same fields 
that exist on the Form 222 that purchasers complete except for the line 
numbers, total number of lines and purchaser information, i.e., name, 
address, DEA registration number, authorized schedules, and business 
activity, all of which are included in the digital certificate which 
must accompany the order.
    The three FIPS standards (discussed in more detail below) are 
needed to ensure the integrity of the key and hash generating systems. 
The fourth item requires that the system control access to the private 
key through a method of authenticating the user. As discussed below, 
DEA is proposing that certificate holders use at least a password and 
user ID combination. If a certificate holder elects to use a biometric 
authentication method, the single biometric (other than voice 
recognition) would be sufficient.
    Item five is needed to ensure that the digital signing capability 
cannot be accessed by someone other than the certificate holder. DEA is 
concerned that a certificate holder could authenticate himself or 
herself to the system, open the signing software, and begin signing 
orders. If the certificate holder left the computer while the signing 
system was open, another person could sign orders because the signing 
software generally does not require reauthentication of the user for 
each order once the private key has been accessed. The automatic 
closure of the system if unused for 10 minutes will lessen this threat.
    Item six would ensure that the private key cannot be retrieved from 
the certificate holder's computer memory following its use. Software 
systems may not automatically clear items from memory when the 
application is shut down. Therefore, it is necessary to specify that 
the software clear the private key from the system's memory whenever 
the signing application is closed to ensure that someone cannot recover 
the key.
    Items seven and eight are the basic requirements for a digital 
signature system, the ability to sign a document digitally and 
communicate with the CA.
    Item nine requires the system to have a time system within five 
minutes of the official National Institute of Standards and Technology 
time source. It is important that all users of the CSOS system be 
synchronized to a single, consistent time source.
    Items 10 and 11 are necessary for the system to function as a 
substitute for a Form 222. Item 11 requires the creation of an order 
that includes all of the Form 222 information. Item 10 ensures that the 
system automatically stores and retains the orders.

What Systems Are Required To Be Able To Process a Digital Signature?

    Any system may be used to process an electronic order provided it 
has been enabled to handle digital signatures and that it meets the 
following requirements:
    1. The digital signature system must be FIPS 186-2 validated and 
use the RSA algorithm.
    2. The hash function must be FIPS 180-1 validated.
    3. The system must check the purchaser certificate extension data 
to determine that the controlled substances ordered are on schedules 
the purchaser is eligible to order and that the certificate had not 
expired at the time the order was signed.
    4. The system must decrypt the digital signature using the 
purchaser's public key and determine that an order has not been altered 
in transmission.
    5. The system must check the certificate revocation list and the 
CA's directory automatically and invalidate any order signed with a 
certificate listed on the CRL or not included in the CA directory.
    6. The system must have a time system that is within five minutes 
of the official National Institute of Standards and Technology time 
source.
    7. The system must archive the order and include the digital 
certificate linked to the order in the record of each order.
    8. The system must require that all authentication and validation 
steps are carried out prior to allowing the processing of the order to 
be completed. Further, the system will not allow orders that have 
failed to pass any authentication or validation step to be processed.
    9. If the supplier intends to file a summary report of orders 
rather than copies of the actual orders, the system must create a 
report that includes, for each Schedule I and II order, all data fields 
listed in proposed Sec. 1305.28(a) in a format that DEA specifies. 
This provision would allow for compliance with the current paper 
requirement that suppliers forward copy 2 of the DEA Form 222 to the 
nearest DEA office on a monthly basis.
    Items 1 and 2, the three FIPS standards (discussed in more detail 
below), are needed to ensure the integrity of the key and hash 
generating systems. Items 3, 4, 5, and 6 are needed to ensure that the 
system can and does validate each order by checking that the order was 
signed by the certificate holder, that the order has not been altered, 
that the registrant is eligible to order the substances, and that the 
certificate has not expired or been revoked. Item 7 ensures that the 
system automatically stores and retains the orders. Item 9 requires the 
creation of a report that includes all of the Form 222 information.
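The supplier-side sequence in Part II (check the CA signature on the certificate, check the CRL, check that the certificate had not expired when the order was signed, check the authorized schedules, recompute the hash and compare it with the signature) and items 3 through 5 and 8 above amount to one validation routine, and the page's rule is that a single failed step blocks the order. The Go program below is an added example written for this page, not CSOS or DEA software, and it simplifies freely: a constructed self-signed CA stands in for the DEA Certification Authority; the authorized schedules are carried in a certificate extension under a placeholder private-arc OID, because the page names the extension data but not its identifier; the CRL is modelled as a set of revoked serial numbers; the order is reduced to a few fields with a placeholder supplier DEA number; and the hash is SHA-256 rather than the FIPS 180-1 function the 2003 text names. In Validate, cert is the purchaser certificate that arrived with the order, caCert is the trusted issuing certificate, and the returned list holds every failed check.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Placeholder private-arc OID for the "authorized schedules" extension; the page does not give the real one.
var oidSchedules = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
var notBefore = time.Date(2003, 1, 1, 0, 0, 0, 0, time.UTC) // constructed validity start; the purchaser cert covers 2003

// Order holds the fields the purchaser fills in (simplified); identity travels in the certificate, and the
// signing time is part of the signed text so it cannot be changed independently of the signature.
type Order struct {
	SignedAt          time.Time
	SupplierDEA, Item string
	Qty, Schedule     int
}

// text is the canonical plain text that is hashed and signed.
func (o Order) text() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d|%d", o.SignedAt.Format(time.RFC3339), o.SupplierDEA, o.Item, o.Qty, o.Schedule))
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewKey generates an RSA key pair; the private half never leaves the holder's system.
func NewKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// NewCA builds a self-signed issuing CA, a constructed stand-in for the DEA Certification Authority.
func NewCA() (*x509.Certificate, *rsa.PrivateKey) {
	key := NewKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed CA"},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(11, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))), key
}

// IssueCert issues a purchaser certificate whose extension lists the schedules the holder may order, e.g. "2,3,4,5".
func IssueCert(caCert *x509.Certificate, caKey *rsa.PrivateKey, pub *rsa.PublicKey, serial int64, schedules string) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "constructed purchaser"},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: oidSchedules, Value: must(asn1.Marshal(schedules))}},
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey))))
}

// Sign is the purchaser's keystroke: hash the plain text and sign the hash; the certificate travels with the order.
func Sign(o Order, key *rsa.PrivateKey) []byte {
	h := sha256.Sum256(o.text())
	return must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:]))
}

// Validate runs every supplier-side check and returns the failures; the order is processed only if the list is empty.
func Validate(o Order, sig []byte, cert, caCert *x509.Certificate, crl map[string]bool) []string {
	var fails []string
	check := func(bad bool, msg string) {
		if bad {
			fails = append(fails, msg)
		}
	}
	var schedules string // contents of the schedules extension; stays empty if absent or malformed
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidSchedules) {
			asn1.Unmarshal(e.Value, &schedules)
		}
	}
	check(cert.CheckSignatureFrom(caCert) != nil, "certificate not signed by the trusted CA")
	check(crl[cert.SerialNumber.String()], "certificate is on the CRL")
	check(o.SignedAt.Before(cert.NotBefore) || o.SignedAt.After(cert.NotAfter), "certificate not valid at signing time")
	check(!strings.Contains(","+schedules+",", fmt.Sprintf(",%d,", o.Schedule)), "schedule not authorized by certificate")
	h := sha256.Sum256(o.text())
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	check(!ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil, "signature does not match order text")
	return fails
}

func main() {
	caCert, caKey := NewCA()
	key := NewKey()
	order := Order{notBefore.AddDate(0, 5, 26), "SUPPLIER-DEA-NUMBER-PLACEHOLDER", "constructed item", 10, 2}
	fmt.Println("failures:", Validate(order, Sign(order, key), IssueCert(caCert, caKey, &key.PublicKey, 42, "2,3,4,5"), caCert, nil))
}
```

Two design points are worth noting. The signing time is included in the signed text because item 3 compares the certificate's validity against the moment of signing, and a timestamp outside the signature could not be trusted for that comparison. The checks are collected rather than short-circuited, so the archived record of a rejected order (item 7) shows every reason it failed, not only the first.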

What Are the FIPS Standards and Why Are They Needed?

    FIPS means Federal Information Processing Standard. FIPS 140-2 is a 
standard entitled ``Security Requirements for Cryptographic Modules.'' 
The standard is produced by the National Institute of Standards and 
Technology (NIST) to lay out general requirements for cryptographic 
modules for computer and telecommunications systems. FIPS 186-2 
specifies algorithms for applications used to generate digital 
signatures. FIPS 180-1 is the Secure Hash Standard. The standards have 
been adopted by the U.S. government and are required for all 
cryptographic-based security systems and digital signature systems that 
are used by or approved by Federal agencies to protect unclassified 
information. DEA, therefore, must require that the software modules 
used for digital signatures comply with these standards. A list of 
vendors whose cryptographic modules have been validated as FIPS 140-2 
compliant may be obtained from the NIST web site at http://csrc.nist.gov/cryptval/140-2/1402vend.htm. Information on FIPS 186-2 
and FIPS 180-1 can be obtained from http://csrc.nist.gov.
    The modules that have been validated as compliant with these 
standards can be used to enable software to handle digital signatures. 
As long as the code in the compliant module is not altered, adding it 
to the software would not alter its validation.

How Is It Possible To Determine Whether a Specific System Meets These 
Criteria?

    Before implementing an electronic system for Schedule I and II 
controlled substances orders, the software system must be certified by 
means of a third-party audit that determines the system performs the 
required functions. Registrants must ensure that any software/system 
that they use for electronic Schedule I and II orders has been 
certified. Certification from the software developer/vendor that the 
product being acquired has received the required audit is sufficient.
    After the initial audit, the developer or vendor would be required 
to have third-party audits whenever the signing or verifying 
functionality is changed to ensure that the software continues to 
function as required. Registrants who implement order systems developed 
by third-party vendors would obtain a certification from the vendor. In 
instances where suppliers provide their customers with ordering 
software for use in this system, it would be the supplier's 
responsibility to ensure this auditing requirement has been satisfied. 
Individual customers of that supplier would not be required to maintain 
a copy of the audit report.
    DEA recognizes that software systems are modified frequently, as 
vendors add services and improve functions. Modifications would need to 
be audited when the modification affects the digital signature or 
validation part of the system. If the modifications relate to other 
functions and do not change the digital signature functions or 
validation functions, modifications would not trigger a need for a 
third-party audit.

What Are the Requirements for Safeguarding Private Keys?

    DEA regulations require that each registrant provide effective 
controls and procedures to guard against theft and diversion of 
controlled substances. This requirement applies to both physical and 
procedural safeguards; a registrant must take steps to secure the 
controlled substances and the 
authorization to obtain and distribute or dispense the controlled 
substances. In this regard, it is important that the private key be 
properly secured, since it is the functional equivalent of both the 
paper DEA Form 222 and the registrant's valid signature on that form.
    All certificate holders must provide secure storage for the private 
key. The private key may be stored on any electronic medium, with 
access controlled by at least a user ID and password. As noted before, 
DEA encourages certificate holders and registrants to use biometric 
passwords instead of user IDs and passwords. Although not a 
requirement, biometric passwords provide a higher level of assurance 
that a private key cannot be used by anyone except the certificate 
holder.
    Although DEA is proposing that certificate holders could store 
private keys on any electronic medium, including a hard drive or a 
disk, DEA encourages registrants to use smart cards or other secure 
hardware devices whose cryptographic modules are FIPS 140-2 validated 
for storing private keys.
    Only the individual to whom a digital certificate is issued may use 
it. The certificate holder must report any loss or compromise of the 
private key or password to the Certification Authority within 6 hours 
of the loss or theft. In addition, the certificate holder is 
responsible for ensuring that others do not have access to the private 
key. The certificate holder must not give any other person the password 
or user ID and must ensure that once the private key has been accessed 
and the system is activated, no one else uses the computer or work 
station until the system is deactivated.

What Are the Conditions That Would Lead DEA To Revoke a Certificate?

    A number of circumstances would require the revocation of a digital 
certificate. The Certification Authority would automatically revoke a 
certificate upon notice that the smart card or other hardware storage 
device has been lost, stolen, or compromised in any fashion, the 
password has been forgotten, or the private key can no longer be 
accessed. The certificate would also be revoked if the CA is notified 
that any of the information in the certificate changed (e.g., name or 
address, or new schedules added). In addition, a registrant must notify 
the Certification Authority whenever a specific individual's power of 
attorney has been revoked, so that the certificate issued in connection 
with the power of attorney can be revoked.
    If a DEA registration is revoked or terminated for any reason, all 
digital certificates linked to that registration would be revoked 
because the validity of the certificate is linked to the validity of 
the DEA registration.
    Any disagreement regarding a certificate revocation may be appealed 
to the Certification Authority in writing. Revocation of a digital 
certificate in and of itself does not affect a registrant's authority 
to handle controlled substances; it only affects the ability to engage 
in electronic transactions that require a digital signature.

B. Orders

    This section discusses the specific requirements that relate to 
electronic orders and how these requirements differ from the current 
rules for Forms 222.

What Is DEA Proposing for Electronic Orders?

    In general, DEA is proposing that purchasers be able to digitally 
sign and transmit electronic orders for Schedule I and II controlled 
substances if they use a digital certificate issued by the DEA 
Certification Authority and comply with the other requirements of 
proposed part 1311 on software and safeguarding of private keys. 
Suppliers would be able to validate and fill electronic orders for 
Schedule I and II controlled substances if they comply with the 
requirements in proposed part 1311 on software.
    Most of the current part 1305 requirements would not change. Orders 
for Schedule I and II substances must be issued only on Form 222 or an 
electronic order signed with a valid digital certificate that the DEA 
Certification Authority issues. The same registrants would be eligible 
to sign and fill orders. Each party to the transaction would retain a 
copy and suppliers would send a copy or a data extract to DEA. DEA Form 
222 will still be available for use. DEA expects that over time most, 
if not all, parties placing and filling orders will choose to use 
electronic orders, but this is not mandatory. Current regulations with 
respect to DEA Form 222 are not changed by this proposed rule.
What Are the Differences Between DEA Form 222 and Electronic Orders?
    There are a number of differences with electronic orders.
    • Electronic order systems would need to include the data on 
the DEA Form 222, except the line numbers, total number of lines, and 
purchaser information, i.e., name, address, DEA registration number, 
authorized schedules, and business activity, all of which are included 
in the digital certificate which must accompany the order. (A 
discussion of the contents of an electronic order is provided in the 
next section.)
    • Unlike the paper form, which is limited to purchases of 
Schedule I and II substances, the digitally signed order system may 
also be used for Schedule III through V substances and non-controlled 
prescription drugs.
    • The DEA Form 222 limits the number of line items ordered to 
10; the number of line items on electronic orders is unlimited.
    • As discussed later, copies of the electronic orders or a 
report on the orders must be filed with DEA every other business day 
rather than every month.
    • Electronic records for Schedule I and II controlled 
substances must, by regulation, be maintained separately from other 
records. However, DEA considers electronic records of Schedule I and II 
controlled substances to be maintained separately so long as these 
records are readily retrievable by schedule and controlled substance.
    Each of these differences is discussed in greater detail in 
subsequent sections.
What Data Must Be Included in an Electronic Order?
    The proposed electronic orders would be required to include the 
following data fields:
    (1) A unique number generated by the purchaser to track the order. 
The number must be in the following 9-character format: the last two 
digits of the year, the character ``x'', and six numbers of the 
purchaser's choice.
    (2) The name of the supplier.
    (3) The complete address of the supplier.
    (4) The supplier's DEA registration number (may be completed by 
either the purchaser or the supplier).
    (5) The date the order is signed.
    (6) The name (including strength where appropriate) of the 
controlled substance product.
    (7) The National Drug Code (NDC) number (may be completed by the 
supplier or the purchaser).
    (8) The quantity in a single package or container.
    (9) The number of packages or containers of each item ordered.

    The digital certificate attached to the order provides the 
purchaser's name, registered location, DEA registration number, 
business activity, and schedules.
How Can Electronic Orders Be Annotated?
    Because the original order has been digitally signed, it cannot be 
altered. The supplier and purchaser, both of whom are required to 
``annotate'' 
the file with information on the substances shipped and received, would 
have to create a separate record with the needed information and 
electronically link the record of the required information to the 
original order. The supplier's linked file would have to contain 
packages shipped and date shipped and any other item on the order that 
the supplier completes. The purchaser's linked file would have to 
contain the number of packages received and the date received. The 
software must archive both the original and the linked record. The 
original and linked records constitute the complete order form, the 
equivalent of a Form 222 that has been annotated. The same process 
would apply to partially filled orders, endorsed orders, or canceled 
orders; the records of these actions must be linked to the original 
order and maintained as a record of the transaction. Both the purchaser 
and the supplier must keep the original digitally signed order and the 
linked files for a period of two years.
Can An Order Be Endorsed to Another Supplier?
    DEA allows suppliers to endorse a DEA Form 222 to another supplier 
if the first supplier cannot fill the order. This requires the initial 
supplier to record on the back of each copy of the DEA Form 222 the 
name and address of the second supplier, and the signature of a person 
authorized by that initial supplier to obtain and execute order forms. 
Paper orders must be endorsed in their entirety; a supplier cannot fill 
part of the order and endorse the rest to a second supplier because the 
paper 222 must accompany the order.
    Electronically, both complete and partial endorsement would be 
possible. To endorse the whole order to a second supplier, the initial 
supplier would make a copy of the incoming order, link the copy to a 
record of the name and address of the secondary supplier, then 
digitally sign the copy of the order and the linked file using his or 
her DEA issued digital certificate. The initial supplier may then 
transmit the original order and linked endorsement record to the 
secondary supplier. As an alternative, the initial supplier could fill 
part of the order, create a linked record indicating what had been 
filled, then endorse the remainder of the order to a second supplier, 
adding a second linked record with the second supplier's name and 
address, and digitally signing the order and linked records. The 
secondary supplier would have to validate both the purchaser's and the 
initial supplier's digital certificates before filling the order.
    Because the customer can easily generate a new electronic order, 
the supplier may simply choose to notify the purchaser that the order 
cannot be filled, or cannot be filled in its entirety, allowing the 
purchaser to place the order electronically with another supplier 
directly. The supplier would then create a linked record voiding all or 
part of the order.
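The order record, the hash-linked annotation records, and the check a secondary supplier performs on an endorsed order, as an added example that is not part of the proposed rule or of any DEA or registrant software. ECDSA P-256 over SHA-256 stands in for the FIPS 186-2 signature, a bare public key stands in for the DEA-issued certificate (no CA or revocation check is modelled), and every field value is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
)

// Order carries the nine data fields the proposal lists for an electronic
// order. Purchaser identity is absent on purpose: it comes from the certificate.
type Order struct {
	TrackingNo   string `json:"tracking_no"`   // YYx###### (see IsValidTrackingNo)
	Supplier     string `json:"supplier"`
	SupplierAddr string `json:"supplier_addr"`
	SupplierDEA  string `json:"supplier_dea"`  // may be completed by either party
	DateSigned   string `json:"date_signed"`
	Product      string `json:"product"`       // name, including strength
	NDC          string `json:"ndc"`
	PkgQuantity  string `json:"pkg_quantity"`  // quantity in a single package
	Packages     int    `json:"packages"`      // number of packages ordered
}

// Tracking number: last two digits of the year, the character "x", six digits.
var trackingRe = regexp.MustCompile(`^[0-9]{2}x[0-9]{6}$`)

func IsValidTrackingNo(s string) bool { return trackingRe.MatchString(s) }

// Signed is an immutable record with an ECDSA signature over its SHA-256 hash.
// Nothing is edited in place; later actions are separate Linked records.
type Signed struct {
	Record []byte
	Sig    []byte
	Signer *ecdsa.PublicKey // stand-in for the DEA-issued certificate (assumption)
}

func hashOf(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

func (s Signed) Hash() string { return hex.EncodeToString(hashOf(s.Record)) }

func Sign(record []byte, key *ecdsa.PrivateKey) (Signed, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, hashOf(record))
	if err != nil {
		return Signed{}, err
	}
	return Signed{Record: record, Sig: sig, Signer: &key.PublicKey}, nil
}

func (s Signed) Verify() bool { return ecdsa.VerifyASN1(s.Signer, hashOf(s.Record), s.Sig) }

// Linked is the proposal's "annotation": a separate record (shipped, received,
// endorsed, voided) bound to the original order by hash and signed by its author.
type Linked struct {
	OrderHash string            `json:"order_hash"`
	Action    string            `json:"action"`
	Detail    map[string]string `json:"detail"`
}

func Annotate(orig Signed, action string, detail map[string]string, key *ecdsa.PrivateKey) (Signed, error) {
	b, err := json.Marshal(Linked{OrderHash: orig.Hash(), Action: action, Detail: detail})
	if err != nil {
		return Signed{}, err
	}
	return Sign(b, key)
}

// VerifyChain is what a supplier checks before filling: the purchaser's
// signature on the original, each linked record's signature, and that every
// linked record names this original, so an endorsement or shipment record
// cannot be re-attached to a different order.
func VerifyChain(orig Signed, linked []Signed) bool {
	if !orig.Verify() {
		return false
	}
	for _, l := range linked {
		var rec Linked
		if !l.Verify() || json.Unmarshal(l.Record, &rec) != nil || rec.OrderHash != orig.Hash() {
			return false
		}
	}
	return true
}

func main() {
	purchaser, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	supplier, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed sample order; every value is a placeholder, not real data.
	o := Order{TrackingNo: "03x000001", Supplier: "Example Distributor", SupplierAddr: "1 Sample St",
		SupplierDEA: "PLACEHOLDER", DateSigned: "2003-06-27", Product: "Sample product 10 mg",
		NDC: "00000-0000-00", PkgQuantity: "100", Packages: 5}
	if !IsValidTrackingNo(o.TrackingNo) {
		panic("bad tracking number")
	}
	b, _ := json.Marshal(o)
	orig, _ := Sign(b, purchaser)
	endorse, _ := Annotate(orig, "endorsed", map[string]string{"supplier": "Second Distributor"}, supplier)
	fmt.Println("chain valid:", VerifyChain(orig, []Signed{endorse}))
}
```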
Can a Centralized Processing Facility Be Used?
    DEA has determined that with electronic orders, it is possible for 
a distributor to process an order centrally and have separate 
registered locations belonging to the same distributor fill parts of 
the order. DEA is, therefore, proposing to allow purchasers to transmit 
orders to a specific supplier. The supplier may initially process the 
orders (e.g., entry of the order into the computer system, billing 
functions, inventory identification, etc.) centrally at any location, 
regardless of its registration with DEA. Following centralized 
processing, the order is distributed to one or more registered 
locations maintained by the supplier for filling. The registrant must 
maintain control of the processing of the order at all times. This 
proposed approach to decentralized filling of orders applies only to 
registered locations that belong to the same company. This approach 
would allow distributors to maximize the efficiency of their 
distribution system without compromising the system of control of 
Schedule I and II substances.
What Information Is a Supplier Required To Report To DEA?
    Under the current regulations, suppliers must send DEA copies of 
filled DEA Forms 222 on a monthly basis. With electronic orders, DEA is 
proposing that suppliers submit copies of the electronic orders and 
linked records to DEA every other business day based on when the order 
is filled; these orders may include information on substances other 
than Schedule I and II substances. In lieu of submitting copies of 
orders, suppliers may submit a daily report that contains the following 
information on Schedule I and II controlled substances from each 
electronic order:
    (1) The supplier's name.
    (2) The supplier's complete address.
    (3) The supplier's DEA registration number.
    (4) The purchaser's name.
    (5) The purchaser's complete address.
    (6) The purchaser's DEA registration number.
    (7) The schedules the purchaser is authorized to receive.
    (8) The purchaser's business activity.
    (9) The unique tracking number the purchaser assigned to the order.
    (10) The date the order was signed.
    (11) The name of the controlled substance product.
    (12) The National Drug Code (NDC) number of the controlled 
substance.
    (13) The quantity in a single package or container.
    (14) The number of packages or containers of each item ordered.
    (15) The number of packages or containers shipped.
    (16) The date shipped.
    Because any orders or reports sent to DEA must be readable by DEA 
offices, DEA intends to specify, before the rule is final, the formats 
in which the information may be submitted. DEA requests comments on 
which software platforms and systems registrants would be likely to use 
to submit either the electronic orders or reports.
Why Does the Reporting Period Change for Electronic Orders?
    In the paper system, DEA serially numbers all order forms. DEA 
requires that copy 2 of these order forms be submitted to the 
Administration on a monthly basis. DEA's requirements under the paper 
system are such that all order forms issued to any registrant must be 
accounted for. All forms issued by DEA are traceable to the specific 
registrant to whom they were issued. In addition, currently mandated 
supplier reports to DEA contain the order form number involved in all 
transactions completed. This ensures that Schedule I and II controlled 
substances will not be distributed without DEA's knowledge. Due to the 
significant volume of paper involved in the current process, DEA 
requires copy 2 of the Form 222 to be forwarded to DEA once monthly to 
limit the paper handling. This monthly reporting has little effect on 
DEA's ability to monitor and track all orders by serial number.
    The electronic system does not involve the use of serially 
numbered, DEA-issued forms. Consequently, DEA's ability to track and 
account for orders must rely on timely reports by the suppliers. DEA 
determined that the 30-day reporting period is too long for electronic 
orders. Because all order reporting would be handled electronically, 
the daily transmission of reports should represent a minimal burden on 
suppliers.

[[Page 38568]]

Can a Digital Certificate Be Used to Sign Orders for Schedule III 
Through V Controlled Substances?
    A digital certificate may be used to sign orders for other 
substances including Schedule III through V controlled substances. DEA 
encourages the use of the DEA digital certificate to sign all 
controlled substances orders. Using a DEA issued digital certificate to 
order Schedule III through V substances provides the supplier with 
confirmation of the customer's registration status in compliance with 
21 CFR 1301.74(a).

IV. Section by Section Discussion of the Proposed Rule

How Is the Proposed Rule Structured?

    DEA is proposing to revise part 1305 and add a new part for digital 
certificates, new Part 1311, as follows:
    • DEA is proposing to revise the entire part 1305 to 
incorporate requirements for the use of electronic orders. Part 1305 
requirements would be grouped into three subparts: Subpart A would 
include general requirements that apply to both Form 222 and electronic 
orders. Subpart B would include requirements for DEA Form 222 
transactions. Subpart C would include requirements for electronic 
orders.
    • Part 1311--DEA is proposing to add a new part that would 
provide the requirements for the following:
        • Performance standards for electronic signatures and 
electronic transmission.
        • Applications for digital certificates.
        • Number of certificates required.
        • Renewal of certificates.
        • Safeguarding of certificates.
        • Use of digital signatures.
        • Software requirements for handling digital signatures.
    In part 1305, Sections 1305.01 and 1305.02 remain unchanged.
    Section 1305.03 is proposed to be revised to explain that either 
Form 222 or an electronic order that complies with part 1311 could be 
used.
    Section 1305.04 is proposed to be revised to include the power of 
attorney requirements currently found in 21 CFR 1305.07.
    Section 1305.05 is redesignated as 1305.11, and includes specific 
references to DEA Form 222.
    Section 1305.06 is redesignated as 1305.12, and includes specific 
references to DEA Form 222.
    Section 1305.07 is removed.
    Section 1305.08 is redesignated as Section 1305.05, and includes 
specific references to DEA Form 222.
    Sections 1305.09-1305.15 are redesignated as Sections 1305.13-
1305.19, and include specific references to DEA Form 222.
    Section 1305.16 is redesignated as Section 1305.06.
    To accommodate the new electronic order requirements, Sections 
1305.21-1305.28 are proposed to be added as follows:
    Section 1305.21 discusses requirements for electronic orders.
    Section 1305.22 discusses procedures for filling electronic orders.
    Section 1305.23 discusses endorsing electronic orders.
    Section 1305.24 discusses central processing of orders.
    Section 1305.25 discusses unaccepted and defective electronic 
orders.
    Section 1305.26 discusses lost electronic orders.
    Section 1305.27 discusses preservation of electronic orders.
    Section 1305.28 discusses canceling and voiding electronic orders.
    Section 1305.29 discusses reporting electronic orders to DEA.

                                          Part 1305 Distribution Table
----------------------------------------------------------------------------------------------------------------
         Old section                                              New section
----------------------------------------------------------------------------------------------------------------
1305.01--Scope of part 1305..  1305.01--Scope of part 1305.
1305.02--Definitions.........  1305.02--Definitions.
1305.03--Distributions         1305.03--Distributions requiring order forms.
 requiring order forms.
1305.04--Persons entitled to   1305.04--Persons entitled to obtain and execute order forms.
 obtain and execute order
 forms.
1305.05--Procedure for         1305.11--Procedure for obtaining DEA Forms 222.
 obtaining order forms.
1305.06--Procedure for         1305.12--Procedure for executing DEA Forms 222.
 executing order forms.
1305.07--Power of attorney...  1305.04(c)--Power of attorney.
1305.08--Persons entitled to   1305.05--Persons entitled to fill DEA Forms 222.
 fill order forms.
1305.09--Procedure for         1305.13--Procedure for filling DEA Forms 222.
 filling order forms.
1305.10--Procedure for         1305.14--Procedure for endorsing DEA Forms 222.
 endorsing order forms.
1305.11--Unaccepted and        1305.15--Unaccepted and defective DEA Forms 222.
 defective order forms.
1305.12--Lost and stolen       1305.16--Lost and stolen DEA Forms 222.
 order forms.
1305.13--Preservation of       1305.17--Preservation of DEA Forms 222.
 order forms.
1305.14--Return of unused      1305.18--Return of unused DEA Forms 222.
 order forms.
1305.15--Cancellation and      1305.19--Cancellation and voiding of DEA Forms 222.
 voiding of order forms.
1305.16--Special procedure     1305.06--Special procedure for filling certain DEA Forms 222.
 for filling certain order
 forms.


------------------------------------------------------------------------
                          New sections (added)
-------------------------------------------------------------------------
1305.21--Requirements for electronic orders.
1305.22--Procedure for filling electronic orders.
1305.23--Endorsing electronic orders.
1305.24--Central processing of orders.
1305.25--Unaccepted and defective electronic orders.
1305.26--Lost electronic orders.
1305.27--Preservation of electronic orders.
1305.28--Cancelling and voiding electronic orders.
1305.29--Reporting to DEA.
------------------------------------------------------------------------

    Part 1311 is proposed to be added to provide requirements for 
obtaining, handling, and using digital certificates. Note that DEA is 
proposing, in a separate notice, rules for obtaining, handling, and 
using digital certificates to sign controlled substance prescriptions. 
Because the requirements are the same in some instances, some of the 
proposed sections cover both orders and prescriptions.
    Section 1311.01 discusses the scope of the new part.
    Section 1311.02 is proposed to add definitions of the following:
    • Biometric authentication.
    • Cache.
    • Certification Authority.
    • Certificate policy.
    • Certificate revocation list.
    • Digital certificate.
    • Digital signature.
    • Electronic signature.
    • FIPS.
    • Key pair.
    • NIST.
    • Private key.
    • Public key.
    The definitions are taken from other government documents that 
define these terms.
    Section 1311.05 proposes to specify the performance standards 
required for electronic signatures and transmission.
    Section 1311.08 proposes to incorporate by reference FIPS 140-2, 
FIPS 180-1, and FIPS 186-2.

[[Page 38569]]

    Section 1311.20 proposes to specify the application requirements 
for obtaining a digital certificate.
    Section 1311.30 proposes to provide the requirements for using and 
storing a digital certificate.
    Section 1311.40 proposes to specify the number of certificates 
needed.
    Section 1311.45 proposes to specify when a new certificate must be 
obtained.
    Section 1311.50 proposes to provide requirements for registrants 
that grant power of attorney authority.
    Section 1311.55 proposes to specify requirements for recipients 
handling electronic orders prior to filling them.
    Section 1311.60 proposes to specify software requirements for 
handling electronic orders.
    Section 1311.65 proposes recordkeeping requirements.
Incorporation by Reference
    The following standards are proposed to be incorporated by 
reference:
    • FIPS 140-2, Security Requirements for Cryptographic 
Modules.
    • FIPS 180-1, Secure Hash Standard.
    • FIPS 186-2, Digital Signature Standard.
    These standards are available from the National Institute of 
Standards and Technology, Computer Security Division, Information 
Technology Laboratory, National Institute of Standards and Technology, 
100 Bureau Drive, Gaithersburg, MD 20899-8930 and are available at 
http://csrc.nist.gov/.

V. Required Analyses

Executive Order 12866

    Under Executive Order 12866 (58 FR 51735, October 4, 1993), DEA 
must determine whether a regulatory action is ``significant'' and, 
therefore, subject to OMB review and the requirements of the Executive 
Order. The Order defines ``significant regulatory action'' as one that 
is likely to result in a rule that may:
    (1) Have an annual effect on the economy of $100 million or more or 
adversely affect in a material way the economy, a sector of the 
economy, productivity, competition, jobs, the environment, public 
health or safety, or state, local, or tribal government or communities.
    (2) Create a serious inconsistency or otherwise interfere with an 
action taken or planned by another agency.
    (3) Materially alter the budgetary impact of entitlements, grants, 
user fees, or loan programs or the rights and obligations of recipients 
thereof.
    (4) Raise novel legal or policy issues arising out of legal 
mandates, the President's priorities, or the principles set forth in 
the Executive Order.
    Since the proposed rule would not impose costs of $100 million a 
year and will in fact reduce the burden on DEA registrants, DEA does 
not consider this rule to be an economically significant regulatory 
action as defined. However, this rule has been reviewed by the Office 
of Management and Budget.
    DEA did, in the course of developing the proposed rules, consider 
the costs and benefits of the proposed rule.
    DEA registration figures indicate that approximately 101,000 
registrants are likely to issue or fill orders. Those issuing orders 
include pharmacies, hospitals and clinics, practitioners, teaching 
institutions, exporters, researchers, chemical analysts, narcotic 
treatment programs, distributors, and manufacturers. Distributors, 
manufacturers, and importers fill most orders for Schedule I and II 
controlled substances. The universe of digital certificate holders is 
larger than the universe of registrants because everyone with power of 
attorney authority will need to obtain a digital certificate. For 
purposes of this analysis, DEA assumed that manufacturers and 
distributors would have an average of six certificate holders per 
registered location; pharmacies, hospitals, clinics, teaching 
institutions, and exporters, an average of two. The four chain 
pharmacies that process orders centrally for their 9,900 pharmacies are 
assumed to have six certificate holders each. All other registrants are 
assumed to have a single person associated with a registration seeking 
a digital certificate. Overall, DEA estimates that approximately 
160,000 digital certificates will be requested.
    The primary costs in the current system are completing the Form 222 
and mailing it to the supplier, requisitioning Forms 222, entering the 
data from the form, annotating the forms, logging and tracking forms, 
archiving the annotated forms, and sending them to DEA. Table 1 shows 
the unit time estimates and costs for mailing orders and requisitions 
(Operations and Maintenance (O&M) costs). Table 2 presents the 
estimated total annual cost of the Form 222 system.

       Table 1.--Unit Time and Fixed Cost Assumptions for Form 222
------------------------------------------------------------------------
                    Activity                         Hours     O&M cost
------------------------------------------------------------------------
Purchaser:
    Requisition forms...........................       0.05        $0.37
    Complete and express ship orders............       0.25        11.25
    Complete and mail orders....................       0.25         0.37
    Annotate file...............................       0.05
    Log and file forms..........................       0.033
Supplier:
    Annotate forms..............................       0.083
    Enter and file forms........................       0.25
    Log and track forms, prepare for mailing to        9           17.25
     DEA........................................
------------------------------------------------------------------------


                         Table 2.--Total Annual Hours and Costs for the Form 222 System
----------------------------------------------------------------------------------------------------------------
                                                                            Total capital and
              Activity                   Total hours      Total labor cost       O&M cost            Total
----------------------------------------------------------------------------------------------------------------
Completing and mailing orders.......          1,334,648       $100,232,000         $5,853,000       $106,085,000
Requisitioning Form 222s............              3,467            260,000             26,000            286,000
Annotating and filing...............          2,224,413         99,364,000            405,000         99,768,000
Sending orders to DEA...............             85,428          3,008,000            164,000          3,172,000
                                     --------------------
    Total...........................          3,647,956        202,864,000          6,447,000        209,311,000
----------------------------------------------------------------------------------------------------------------

    The proposed system of digital certificates would impose initial 
implementation costs and on-going costs. People seeking a digital 
certificate would have to complete the application, generate keys, 
learn how to use the digital certificate, and implement the software 
systems to handle 
electronic orders. Based on a pilot project (67 FR 1507, January 11, 
2002), DEA assumes that completing the application, which is primarily 
collecting paperwork, and generating keys and learning to use the 
system would take about 1.5 hours per applicant. DEA further assumes 
that a limited number of registrants (estimated at 256) would develop 
or purchase their software systems. These registrants are likely to be 
manufacturers, chain drug stores, and distributors. DEA assumes that 
they would provide the software to other registrants. The ongoing costs 
include the time required to digitally sign and validate the order and 
the time to annotate the order. Tables 3 and 4 provide the unit time 
estimates for initial and annual compliance of the electronic system. 
Tables 5 and 6 present total costs for initial and annual compliance.

            Table 3.--Unit Time and Fixed Cost Assumptions for Electronic Orders--Initial Compliance
----------------------------------------------------------------------------------------------------------------
                  Task                              Entity                   Hours/person           Fixed cost
----------------------------------------------------------------------------------------------------------------
Complete application....................  Supplier..................  0.72/1.24 *...............  ..............
                                          Purchaser.................
Generate keys...........................  Supplier..................  0.10......................  ..............
                                          Purchaser.................
Learn to use system.....................  Purchaser.................  0.417.....................  ..............
                                          Supplier..................
Implementing software...................  Supplier..................  40/firm...................  ..............
                                          Purchaser.................  8.00/firm.................  ..............
                                          Practitioner..............  0.50......................  ..............
Notarize and mail application...........  ..........................  ..........................          $2.37
----------------------------------------------------------------------------------------------------------------
* Higher value is for the CSOS coordinator.


                          Table 4.--Unit Costs for Electronic Orders--Annual Compliance
----------------------------------------------------------------------------------------------------------------
                Activity                             Entity                            Unit hours
----------------------------------------------------------------------------------------------------------------
Signing orders..........................  Purchaser..................  0.006/order.
Validating orders.......................  Supplier...................  0.004/order.
                                          Purchaser..................  0.025/order.
Annotating orders.......................  Supplier...................  0.042/order.
Sending orders to DEA...................  Supplier...................  0.05/every 2nd day.
Renewing certificate....................  Purchaser..................  0.083/person.
                                          Supplier...................
Renewing certificate (every third         Purchaser..................  0.36 hour/person.
 renewal).                                Supplier...................
----------------------------------------------------------------------------------------------------------------


               Table 5.--Total Initial Compliance Hours and Costs for the Electronic Order System
----------------------------------------------------------------------------------------------------------------
                                                                    Total labor    Total capital
                                                    Total hours        cost        and O&M cost     Total cost
----------------------------------------------------------------------------------------------------------------
Supplier:
    Complete Application........................           3,649        $224,000          $2,400        $226,000
    Implement software..........................             304         758,000  ..............         758,000
    Generate keys...............................             452          28,000  ..............          28,000
    Learn to use system.........................           1,884         119,000  ..............         119,000
Purchaser:
    Complete Application........................         150,424      11,312,000         252,000      11,564,000
    Implement software..........................         400,307      15,113,000  ..............      15,113,000
    Generate keys...............................          15,561       1,169,000  ..............       1,169,000
    Learn to use system.........................          32,870       2,469,000  ..............       2,469,000
Software Developers.............................         512,000      39,250,000  ..............      39,250,000
                                                 -----------------
        Total...................................       1,127,000      70,440,000         254,000      70,694,000
----------------------------------------------------------------------------------------------------------------


                Table 6.--Total Annual Compliance Hours and Costs for the Electronic Order System
----------------------------------------------------------------------------------------------------------------
                                                                    Total labor    Total capital
                                                    Total hours        cost        and O&M cost     Total cost
----------------------------------------------------------------------------------------------------------------
Supplier/Purchaser:
    Sign orders.................................          29,659      $2,227,000  ..............      $2,227,000
Supplier:
    Validate orders.............................          22,244       1,401,000  ..............       1,401,000
    Collect and send to DEA.....................           5,960         375,000  ..............         375,000
    Annotate....................................         222,411      14,007,131  ..............      14,007,131
    Renew certificate...........................             377          24,000  ..............          24,000
Purchaser:
    Annotate....................................         133,465      10,023,000  ..............      10,023,000
    Renew certificate...........................           4,833         363,000  ..............         363,000
Software Developer..............................         157,012       3,060,000         353,000       3,414,000
                                                 -----------------
        Total...................................         575,992      31,481,000         353,000      31,834,000
----------------------------------------------------------------------------------------------------------------

    To estimate costs over the first ten years, DEA assumed that 
implementation would be phased in over the first five years (i.e., it 
would be five years before all registrants were using the electronic 
order system). DEA also assumed that the number of orders would 
increase six percent annually. The six percent increase is based on the 
average annual increase in orders over the last six years. The total 
cost of both systems was estimated using a seven percent and a three 
percent discount rate. Table 7 presents the ten-year total cost of the 
Form 222 system, the electronic system, and the combined systems as the 
electronic system is phased in over the first five years as well as the 
annualized cost of the three systems over ten years.

                               Table 7.--Total Cost Over Ten Years (Present Value)
----------------------------------------------------------------------------------------------------------------
                                                                                  Combined phase-   Electronic
                                                                   Paper system         in            system
----------------------------------------------------------------------------------------------------------------
Total (7%).....................................................    2,002,634,000    $628,668,000    $316,786,000
Annualized (7%)................................................      285,131,000      89,508,000      45,103,000
Total (3%).....................................................    2,383,841,000     696,134,000     375,314,000
Annualized (3%)................................................      279,450,000      81,608,000      43,998,000
----------------------------------------------------------------------------------------------------------------

    Over the full ten-year period, the electronic system (phased in 
over five years) will reduce costs to registrants by about $1.4 
billion. The primary reason for the savings is that ordering and 
filling controlled substances orders takes substantially less time when 
the orders are electronic.
    Another way to look at this cost savings is to consider the costs 
of filling out a Form 222 versus creating the order electronically and 
digitally signing it. Although purchasers need to complete an order as 
a part of doing business, DEA has estimated that it takes a purchaser 
15 minutes to complete the Form 222, in triplicate, by hand or with a 
typewriter. The Form 222 may contain only Schedule I and II controlled 
substances. Consequently, purchasers must complete it separately from 
other orders being sent to the same supplier. Some purchasers report 
that they now routinely transmit all of their orders electronically, 
including their orders for Schedule I and II controlled substances, and 
complete the Form 222 to document the order for DEA. In comparison, 
applying a digital signature to an order, which may contain 
non-controlled substances, is estimated to take 20 seconds. Leaving aside 
all other costs, purchasers will be saving more than 14 minutes per 
order. In addition, suppliers must enter the orders into their systems. 
Both suppliers and purchasers must annotate and file the orders. Over 
ten years, the time saved in completing, validating, annotating, and 
filing orders is estimated to be approximately 42 million hours, an 89 
percent reduction. The electronic system will have time associated with 
initial compliance that will offset some of the hours savings, but DEA 
registrants should benefit from a far more efficient ordering system.
    Electronic orders will also provide a number of other benefits that 
cannot be quantified. Purchasers will be able to create single unified 
controlled substance orders to their suppliers. With Forms 222, 
purchasers must create the separate Form 222 for the Schedule I and II 
controlled substances and complete other orders for all other 
controlled substance purchases from a particular supplier. If a 
purchaser needs more than 10 Schedule I or II substances, multiple 
Forms 222 must be completed because the form is limited to ten items. 
With the electronic orders, they will be able to submit a single order 
covering all controlled substances and other prescription drugs being 
purchased from the supplier. The combined orders should reduce the 
orders that need to be logged, tracked, and handled by both purchasers 
and suppliers.
    Electronic orders should also bring faster receipt of controlled 
substances. Under the present system, the purchaser has the choice of 
sending the order by overnight service at considerable cost, mailing it 
and waiting several days, or sending the order back with the delivery 
truck, which may not be returning directly to the distributor. In most 
cases, the purchaser is likely to have to wait at least two days and 
possibly four or five days when the order is mailed or is shipped back 
by truck. If the distributor that receives the order cannot fill it, 
the distributor may endorse it to another distributor and ship it on to 
another distribution point, further delaying the final shipment. 
Electronic orders will be received almost instantly and can be shipped 
the same day. This speed may allow purchasers to order only when they 
need an item and limit the quantity of controlled substances that they 
stock. Limiting the quantity of Schedule I and II controlled substances 
in stock reduces the possibility of diversion and the cost of security.
    With the Form 222, if a supplier cannot fill all of an order, the 
supplier may endorse the entire order over to another supplier. The 
order cannot be divided and filled in part by one supplier and in part 
by a second, even if both suppliers belong to the same company. Because 
each location holds a separate registration, a distributor with 
multiple locations must maintain stocks of all Schedule I and II 
controlled substances at each location to be able to fill orders for 
these substances from that location. With electronic orders, DEA will 
allow a distributor with a central distribution system to divide an 
order and ship parts of the order from different distribution points. 
New orders will not need to be generated because the central computer 
system can track each item in the order and ensure that it is shipped 
to the appropriate registrant only once. DEA and the supplier will have 
the records necessary to maintain the closed system of control while 
allowing the supplier to take advantage of its own system of 
distribution.

[[Page 38572]]

    A copy of the economic analysis for this proposed rule can be 
obtained by contacting the Liaison and Policy Section, Office of 
Diversion Control, Drug Enforcement Administration, Washington, DC 
20537, Telephone (202) 307-7297 or on the Diversion Control Program web 
site, http://www.deadiversion.usdoj.gov. DEA solicits comments on the 
economic analysis and the reasonableness of the assumptions.

Regulatory Flexibility Act

    Under the Regulatory Flexibility Act of 1980, Federal agencies must 
evaluate the impact of rules on small entities and consider less 
burdensome alternatives. As discussed in the previous section, DEA has 
conducted a preliminary cost benefit analysis on this proposal. As part 
of that analysis, DEA evaluated the impact on small entities. DEA has 
determined that this rule would affect a substantial number of small 
entities. DEA estimates that about one third of the manufacturers and 
hospitals, and 40 percent of clinics and pharmacies, would meet the 
Small Business Administration definition of ``small business.'' 
Practitioners and narcotic treatment programs are all assumed to be 
small.
    The proposed rule, however, would reduce the burden for registrants 
over time. DEA, in developing its approach, considered the impact on 
small businesses and has tried to design an approach that will impose 
the least costs on businesses consistent with meeting the mandate of 
the CSA. DEA considered developing an electronic Form 222, which would 
have been the most direct way to meet the mandate of the CSA for a form 
issued by DEA. DEA worked extensively with the regulated community 
throughout the development of this proposal, and realized that 
requiring the use of a specific form would force businesses to alter 
their established electronic ordering systems to accommodate a form 
that might not be consistent with their software platforms. DEA decided 
that such changes would be unnecessarily costly. Instead, DEA has 
proposed a system for digital signatures that can be added to any 
software platform and, therefore, would require limited reprogramming.
    DEA, as part of its economic analysis, considered the costs of the 
existing system and the proposed approach for small entities. The 
annualized costs of the Form 222 system for the smallest entities 
(clinics with less than $100,000 in revenues) are less than 1.45 
percent of annual revenues; for these clinics, the annual costs of the 
proposed rule are about 0.15 percent of annual revenues. For most small 
entities affected by the rule, the cost of the electronic system will 
be less than 0.1 percent of revenues or sales. Consequently, the Acting 
Administrator hereby certifies that this rulemaking has been drafted in 
accordance with the Regulatory Flexibility Act (5 U.S.C. 605(b)), has 
reviewed this regulation, and by approving it certifies that this 
regulation will not have a significant economic impact on a substantial 
number of small entities.
    A copy of the small business analysis for this proposed rule, which 
is section 7 of the economic analysis, can be obtained from the 
Diversion Control Program web site or by contacting the Liaison and 
Policy Section, Office of Diversion Control, Drug Enforcement 
Administration, Washington, DC 20537, Telephone (202) 307-7297.

Small Business Regulatory Enforcement Fairness Act of 1996

    This rule is not a major rule as defined by Section 804 of the 
Small Business Regulatory Enforcement Fairness Act of 1996. This rule 
will not result in an annual effect on the economy of $100,000,000 or 
more; a major increase in costs or prices; or significant adverse 
effects on competition, employment, investment, productivity, 
innovation, or on the ability of United States-based companies to 
compete with foreign-based companies in domestic and export markets.

Paperwork Reduction Act

    The Department of Justice (DOJ), Drug Enforcement Administration 
(DEA) has submitted the following information collection requests to 
the Office of Management and Budget (OMB) for review and approval in 
accordance with the Paperwork Reduction Act of 1995. Under the 
Paperwork Reduction Act, DEA is required to estimate the burden hours 
and other costs of any requirement for recordkeeping and reporting over 
a three-year period. Therefore, DEA is proposing the revision of an 
existing collection of information, U.S. Official Order Forms for 
Schedules I and II Controlled Substances (Accountable Forms), Order 
Form Requisition, and the creation of a new collection of information, 
Reporting and Recordkeeping for Digital Certificates, under the 
Paperwork Reduction Act of 1995. This process is conducted in 
accordance with 5 CFR 1320.11. The Information Collection Request has 
been submitted to the Office of Management and Budget for review under 
section 307 of the Paperwork Reduction Act. Comments should be 
submitted to the Office of Information and Regulatory Affairs of OMB, 
Attention: Desk Officer for the Department of Justice.
    Written comments and suggestions are requested from the public and 
affected agencies concerning the proposed collections of information.
    Comments should address one or more of the following four points:
    1. Evaluate whether the proposed collection of information is 
necessary for the proper performance of the functions of the agency, 
including whether the information will have practical utility;
    2. Evaluate the accuracy of the agency's estimate of the burden of 
the proposed collection of information, including the validity of the 
methodology and assumptions used;
    3. Enhance the quality, utility, and clarity of the information to 
be collected; and
    4. Minimize the burden of the collection of information on those 
who are to respond, including through the use of appropriate automated, 
electronic, mechanical, or other technological collection techniques or 
other forms of information technology, e.g., permitting electronic 
submission of responses.
    If you have comments, especially on the estimated public burden or 
associated response time, suggestions, or need a copy of the proposed 
information collection instrument with instructions, if applicable, or 
additional information, please contact Patricia M. Good, Chief, Liaison 
and Policy Section, Office of Diversion Control, Drug Enforcement 
Administration, Washington, DC 20537, Telephone (202) 307-7297.

Overview of U.S. Official Order Forms for Schedules I and II Controlled 
Substances (Accountable Forms), Order Form Requisition Information 
Collection

    (1) Type of information collection: Revision of existing 
collection.
    (2) The title of the form/collection: U.S. Official Order Forms for 
Schedule I and II Controlled Substances (Accountable Forms), Order Form 
Requisition.
    (3) The agency form number, if any, and the applicable component of 
the Department sponsoring the collection:
    Form No.: DEA Form 222, U.S. Official Order Forms for Schedule I 
and II Controlled Substances (Accountable Forms).

[[Page 38573]]

    DEA-222a: Order Form Requisition.
    Applicable component of the Department sponsoring the collection: 
Office of Diversion Control, Drug Enforcement Administration, U.S. 
Department of Justice.
    (4) Affected public who will be asked or required to respond, as 
well as a brief abstract:
    Primary: Business or other for-profit.
    Other: Non-profit, state and local governments.
    Abstract: DEA-222 is used to transfer or purchase Schedule I and II 
controlled substances and data is needed to provide an audit of 
transfer and purchase. DEA-222a Requisition Form is used to obtain the 
DEA-222 Order Form. Persons may also digitally sign and transmit orders 
for controlled substances electronically, using a digital certificate. 
Orders for Schedule I and II controlled substances are archived and 
transmitted to DEA. Respondents are DEA registrants eligible to handle 
these controlled substances.
    (5) An estimate of the total number of respondents and the amount 
of time estimated for an average respondent to respond/reply: DEA 
estimates that the proposed rule would affect 100,000 registrants. The 
average time for requisitioning Form 222 is 0.05 hours. The average 
time for completing, annotating and filing paper orders for both 
purchasers and suppliers is 0.333 hours. Suppliers spend, on average, 9 
hours a month logging and tracking order forms and preparing the 
mailing to DEA. The average time for signing and annotating electronic 
orders is estimated to be 0.031 hours per order for purchasers; the 
average time for validating and annotating electronic orders is 
estimated to be 0.046 hours per order for suppliers, who also spend 
0.05 hours every other business day sending orders to DEA.
    (6) An estimate of the total public burden (in hours) associated 
with the collection: As registrants adopt the proposed electronic 
ordering, the annual burden hours would average 1.9 million hours a 
year. During this period, DEA assumes that 20 percent of orders would 
be electronic in year 1, 60 percent in year 2, and 80 percent in year 
3, based on a 6% growth rate for orders per year.

Overview of Reporting and Recordkeeping for Digital Certificates 
Information Collection

    (1) Type of information collection: New collection.
    (2) The title of the form/collection: Reporting and Recordkeeping 
for Digital Certificates.
    (3) The agency form number, if any, and the applicable component of 
the Department sponsoring the collection:
    Form No.: (numbers not yet assigned).
    New CSOS DEA Registrant Certificate Application.
    New CSOS Principal Coordinator/Alternate Coordinator Certificate 
Application.
    New CSOS Power of Attorney Certificate Application.
    Applicable component of the Department sponsoring the collection: 
Office of Diversion Control, Drug Enforcement Administration, U.S. 
Department of Justice.
    (4) Affected public who will be asked or required to respond, as 
well as a brief abstract:
    Primary: Business or other for-profit.
    Other: Non-profit, state and local governments.
    Abstract: Persons use these forms to apply for DEA-issued digital 
certificates to order Schedule I and II controlled substances. 
Certificates must be renewed upon renewal of the DEA registration to 
which the certificate is linked. Certificates may be revoked at the 
discretion of the registrant.
    (5) An estimate of the total number of respondents and the amount 
of time estimated for an average respondent to respond/reply: DEA 
estimates that the proposed rule would affect 100,000 registrants and 
160,000 certificate holders. The average time for completing the 
application for a digital certificate to order controlled substances is 
estimated to be from 0.72 hours to 1.24 hours. Certificate renewal is 
estimated to take 0.083 hours.
    (6) An estimate of the total public burden (in hours) associated 
with the collection: As registrants adopt the proposed electronic 
ordering, the annual burden hours would average 167,000 hours a year. 
During this period, DEA assumes that 80 percent of the potential 
certificate holders will apply for a digital certificate.
    If additional information is required regarding these collections 
of information, contact: Robert B. Briggs, Department Clearance 
Officer, Information Management and Security Staff, Justice Management 
Division, United States Department of Justice, Patrick Henry Building, 
Suite 1600, 601 D Street, NW., Washington, DC 20530.

Executive Order 12988

    This regulation meets the applicable standards set forth in 
Sections 3(a) and 3(b)(2) of Executive Order 12988 Civil Justice 
Reform.

Executive Order 13132

    This rulemaking does not preempt or modify any provision of state 
law; nor does it impose enforcement responsibilities on any state; nor 
does it diminish the power of any state to enforce its own laws. 
Accordingly, this rulemaking does not have federalism implications 
warranting the application of Executive Order 13132.

Unfunded Mandates Reform Act of 1995

    This rule will not result in the expenditure by State, local, and 
tribal governments, in the aggregate, or by the private sector, of 
$100,000,000 or more in any one year, and will not significantly or 
uniquely affect small governments. Therefore, no actions were deemed 
necessary under the provisions of the Unfunded Mandates Reform Act of 
1995.

List of Subjects

21 CFR 1305

    Drug traffic control, Reporting and recordkeeping requirements.

21 CFR 1311

    Administrative practice and procedure, Certification authorities, 
Controlled substances, Digital certificates, Drug traffic control, 
Electronic signatures, Prescription drugs, Reporting and recordkeeping 
requirements.



    For the reasons set out above, 21 CFR part 1305 is proposed to be 
revised, and part 1311 is proposed to be added as follows:



    1. Part 1305 is revised to read as follows:

PART 1305--ORDERS FOR SCHEDULE I AND II CONTROLLED SUBSTANCES

Subpart A--General Requirements
1305.01 Scope of part 1305.
1305.02 Definitions.
1305.03 Distributions requiring a Form 222 or digitally signed 
electronic order.
1305.04 Persons entitled to order Schedule I and II controlled 
substances.
1305.05 Persons entitled to fill orders for Schedule I and II 
controlled substances.
1305.06 Special procedure for filling certain orders.
Subpart B--DEA Form 222
1305.11 Procedure for obtaining DEA Forms 222.
1305.12 Procedure for executing DEA Forms 222.
1305.13 Procedure for filling DEA Forms 222.
1305.14 Procedure for endorsing DEA Forms 222.
1305.15 Unaccepted and defective DEA Forms 222.
1305.16 Lost and stolen DEA Forms 222.

[[Page 38574]]

1305.17 Preservation of DEA Forms 222.
1305.18 Return of unused DEA Forms 222.
1305.19 Cancellation and voiding of DEA Forms 222.
Subpart C--Electronic Orders
1305.21 Requirements for electronic orders.
1305.22 Procedure for filling electronic orders.
1305.23 Endorsing electronic orders.
1305.24 Central processing of orders.
1305.25 Unaccepted and defective electronic orders.
1305.26 Lost electronic orders.
1305.27 Preservation of electronic orders.
1305.28 Canceling and voiding electronic orders.
1305.29 Reporting to DEA.

    Authority: 21 U.S.C. 821, 828, 871(b), unless otherwise noted.

Subpart A--General Requirements


Sec.  1305.01  Scope of part 1305.

    This part sets forth procedures governing the issuance, use, and 
preservation of orders for Schedule I and II controlled substances.


Sec.  1305.02  Definitions.

    Any term contained in this part shall have the definition set forth 
in the Act or part 1300 of this chapter.


Sec.  1305.03  Distributions requiring a Form 222 or a digitally signed 
electronic order.

    Either a DEA Form 222 or its electronic equivalent as set forth in 
subpart C of this part and Part 1311 of this chapter is required for 
each distribution of a Schedule I or II controlled substance except for 
the following:
    (a) Distributions to persons exempted from registration under Part 
1301 of this chapter.
    (b) Exports from the United States which conform with the 
requirements of the Act.
    (c) Deliveries to a registered analytical laboratory or its agent 
approved by DEA.
    (d) Delivery from a central fill pharmacy, as defined in Sec.  
1300.01(b)(43), to a retail pharmacy.


Sec.  1305.04  Persons entitled to order Schedule I and II controlled 
substances.

    (a) Only persons who are registered with DEA to handle controlled 
substances listed in Schedules I or II, and persons who are registered 
with DEA to export these substances may obtain and use DEA Form 222 
(order forms) or issue electronic orders for these substances. Persons 
not registered to handle controlled substances listed in Schedule I or 
II and persons registered only to import controlled substances are not 
entitled to obtain Form 222 or issue electronic orders for these 
substances.
    (b) An order for Schedule I or II controlled substances may be 
executed only on behalf of the registrant named on the order and only 
if his or her registration for the substances being purchased has not 
expired or been revoked or suspended.
    (c) A registrant may authorize one or more individuals, whether or 
not located at his or her registered location, to issue orders for 
Schedule I and II controlled substances on the registrant's behalf by 
executing a power of attorney for each such individual, provided that:
    (1) The power of attorney is retained in the files, with executed 
Forms 222 where applicable, for the same period as any order bearing 
the signature of the attorney. The power of attorney must be available 
for inspection together with other order records.
    (2) A registrant may revoke any power of attorney at any time by 
executing a notice of revocation.
    (3) The power of attorney and notice of revocation must be similar 
to the following format:
    Power of Attorney for DEA Forms 222 and electronic orders

------(Name of registrant)

------(Address of registrant)

------(DEA registration number)
    I,------(name of person granting power), the undersigned, who am 
authorized to sign the current application for registration of the 
above-named registrant under the Controlled Substances Act or 
Controlled Substances Import and Export Act, have made, constituted, 
and appointed, and by these presents, do make, constitute, and 
appoint------(name of attorney-in-fact), my true and lawful attorney 
for me in my name, place, and stead, to execute applications for Forms 
222 and to sign orders for Schedule I and II controlled substances, in 
accordance with section 308 of the Controlled Substances Act (21 U.S.C. 
828) and part 1305 of Title 21 of the Code of Federal Regulations. I 
hereby ratify and confirm all that said attorney must lawfully do or 
cause to be done by virtue hereof.
-----------------------------------------------------------------------
(Signature of person granting power)

I,--------(name of attorney-in-fact), hereby affirm that I am the 
person named herein as attorney-in-fact and that the signature affixed 
hereto is my signature.

(signature of attorney-in-fact)

Witnesses:
1.--------------------

2.--------------------
    Signed and dated on the -------- day of --------, (year), at --------.
    Notice of Revocation.
    The foregoing power of attorney is hereby revoked by the 
undersigned, who is authorized to sign the current application for 
registration of the above-named registrant under the Controlled 
Substances Act or the Controlled Substances Import and Export Act. 
Written notice of this revocation has been given to the 
attorney-in-fact -------- this same day.
-----------------------------------------------------------------------
(Signature of person revoking power)

Witnesses:
1.--------------------
2.--------------------
    Signed and dated on the -------- day of --------, (year), at --------.
    (4) A power of attorney must be executed by the following persons:
    (i) When on paper, the person who signed the most recent 
application for DEA registration or reregistration; the person to whom 
the power of attorney is being granted; and two witnesses.
    (ii) [Reserved.]
    (5) A power of attorney must be revoked by the following persons:
    (i) When on paper, the person who signed the most recent 
application for DEA registration or reregistration, and two witnesses.
    (ii) [Reserved.]


Sec.  1305.05  Persons entitled to fill orders for Schedule I and II 
controlled substances.

    An order for Schedule I and II controlled substances, whether on a 
DEA Form 222 or an electronic order, may be filled only by a person 
registered with DEA as a manufacturer or distributor of controlled 
substances listed in Schedule I or II or as an importer of such 
substances, except for the following:
    (a) A person registered with DEA to dispense such substances, or to 
export such substances, if he/she is discontinuing business or if 
his/her registration is expiring without reregistration, may dispose of 
any controlled substances listed in Schedule I or II in his/her 
possession with a DEA Form 222 or an electronic order in accordance 
with Sec.  1301.52 of this chapter.
    (b) A purchaser who has obtained any controlled substance in 
Schedule I or II by either a DEA Form 222 or an electronic order may 
return the substance to the supplier of the substance with either a DEA 
Form 222 or an electronic order from the supplier.
    (c) A person registered to dispense Schedule II substances may 
distribute the substances to another dispenser with either a DEA Form 
222 or an electronic order only in the circumstances described in Sec.  
1307.11 of this chapter.
    (d) A person registered or authorized to conduct chemical analysis 
or research with controlled substances may distribute a controlled 
substance listed in Schedule I or II to another person registered or 
authorized to conduct chemical analysis, instructional activities, or 
research with such substances with either a DEA Form 222 or an 
electronic order, if the distribution is for the purpose of furthering 
the chemical analysis, instructional activities, or research.

[[Page 38575]]

    (e) A person registered as a compounder of narcotic substances for 
use at off-site locations in conjunction with a narcotic treatment 
program at the compounding location, who is authorized to handle 
Schedule II narcotics, is authorized to fill either a DEA Form 222 or 
an electronic order for distribution of narcotic drugs to off-site 
narcotic treatment programs only.


Sec.  1305.06  Special procedure for filling certain orders.

    A supplier of carfentanil, etorphine hydrochloride, or 
diprenorphine, if he or she determines that the purchaser is a 
veterinarian engaged in zoo and exotic animal practice, wildlife 
management programs, or research, and is authorized by the 
Administrator to handle these substances, may fill the order in 
accordance with the procedures set forth in Sec.  1305.17 except that:
    (a) A DEA Form 222 or an electronic order for carfentanil, 
etorphine hydrochloride, and diprenorphine must contain only these 
substances in reasonable quantities, and
    (b) The substances must be shipped, under secure conditions using 
substantial packaging material with no markings on the outside that 
would indicate the content, only to the purchaser's registered 
location.

Subpart B--DEA Form 222


Sec.  1305.11  Procedure for obtaining DEA Forms 222.

    (a) DEA Forms 222 are issued in mailing envelopes containing either 
seven or fourteen forms, each form containing an original, duplicate, 
and triplicate copy (respectively, Copy 1, Copy 2, and Copy 3). A 
limit, based on the business activity of the registrant, will be 
imposed on the number of DEA Forms 222 furnished on any requisition, 
unless additional forms are specifically requested and a reasonable 
need for such additional forms is shown.
    (b) Any person applying for a registration that would entitle him 
or her to obtain a DEA Form 222 may requisition such forms by so 
indicating on the application form; a DEA Form 222 will be supplied 
upon the registration of the applicant. Any person holding a 
registration entitling him or her to obtain a DEA Form 222 may 
requisition such forms for the first time by contacting any Division 
Office or the Registration Unit of the Administration. Any person 
already holding a DEA Form 222 may requisition additional forms on DEA 
Form 222a, which is mailed to a registrant approximately 30 days after 
each shipment of DEA Forms 222 to that registrant, or by contacting any 
Division Office or the Registration Unit of the Administration. All 
requisition forms (DEA Form 222a) must be submitted to the DEA 
Registration Unit.
    (c) Each requisition must show the name, address, and registration 
number of the registrant and the number of books of DEA Forms 222 
desired. Each requisition must be signed and dated by the same person 
who signed the most recent application for registration or for 
reregistration, or by any person authorized to obtain and execute DEA 
Forms 222 by a power of attorney under Sec.  1305.04(c).
    (d) DEA Forms 222 will be serially numbered and issued with the 
name, address, and registration number of the registrant, the 
authorized activity, and schedules of the registrant. This information 
cannot be altered or changed by the registrant; any errors must be 
corrected by the Registration Unit of the Administration by returning 
the forms with notification of the error.


Sec.  1305.12  Procedure for executing DEA Forms 222.

    (a) A purchaser must prepare and execute a DEA Form 222 
simultaneously in triplicate by means of interleaved carbon sheets that 
are part of the DEA Form 222. DEA Form 222 must be prepared by use of a 
typewriter, pen, or indelible pencil.
    (b) Only one item may be entered on each numbered line. An item 
must consist of one or more commercial or bulk containers of the same 
finished or bulk form and quantity of the same substance. The number of 
lines completed must be noted on that form at the bottom of the form, 
in the space provided. DEA Forms 222 for carfentanil, etorphine 
hydrochloride, and diprenorphine must contain only these substances.
    (c) The name and address of the supplier from whom the controlled 
substances are being ordered must be entered on the form. Only one 
supplier may be listed on any form.
    (d) Each DEA Form 222 must be signed and dated by a person 
authorized to sign an application for registration. The name of the 
purchaser, if different from the individual signing the DEA Form 222, 
must also be inserted in the signature space.
    (e) Unexecuted DEA Forms 222 may be kept and may be executed at a 
location other than the registered location printed on the form, 
provided that all unexecuted forms are delivered promptly to the 
registered location upon an inspection of such location by any officer 
authorized to make inspections, or to enforce, any Federal, State, or 
local law regarding controlled substances.


Sec.  1305.13  Procedure for filling DEA Forms 222.

    (a) A purchaser must submit Copy 1 and Copy 2 of the DEA Form 222 
to the supplier and retain Copy 3 in the purchaser's files.
    (b) A supplier may fill the order, if possible and if the supplier 
desires to do so, and must record on Copies 1 and 2 the number of 
commercial or bulk containers furnished on each item and the date on 
which the containers are shipped to the purchaser. If an order cannot 
be filled in its entirety, it may be filled in part and the balance 
supplied by additional shipments within 60 days following the date of 
the DEA Form 222. No DEA Form 222 is valid more than 60 days after its 
execution by the purchaser, except as specified in paragraph (f) of 
this section.
    (c) The controlled substances must be shipped only to the purchaser 
and the location printed by the Administration on the DEA Form 222, 
except as specified in paragraph (f) of this section.
    (d) The supplier must retain Copy 1 of the DEA Form 222 for his or 
her files and forward Copy 2 to the Special Agent in Charge of the Drug 
Enforcement Administration in the area in which the supplier is 
located. Copy 2 must be forwarded at the close of the month during 
which the order is filled. If an order is filled by partial shipments, 
Copy 2 must be forwarded at the close of the month during which the 
final shipment is made or the 60-day validity period expires.
    (e) The purchaser must record on Copy 3 of the DEA Form 222 the 
number of commercial or bulk containers furnished on each item and the 
dates on which the containers are received by the purchaser.
    (f) DEA Forms 222 submitted by registered procurement officers of 
the Defense Supply Center of the Defense Logistics Agency for delivery 
to armed services establishments within the United States may be 
shipped to locations other than the location printed on the DEA Form 
222, and in partial shipments at different times not to exceed six 
months from the date of the

[[Page 38576]]

order, as designated by the procurement officer when submitting the 
order.


Sec.  1305.14  Procedure for endorsing DEA Forms 222.

    (a) A DEA Form 222, made out to any supplier who cannot fill all or 
a part of the order within the time limitation set forth in Sec.  
1305.13, may be endorsed to another supplier for filling. The 
endorsement must be made only by the supplier to whom the DEA Form 222 
was first made, must state (in the spaces provided on the reverse sides 
of Copies 1 and 2 of the DEA Form 222) the name and address of the 
second supplier, and must be signed by a person authorized to obtain 
and execute DEA Forms 222 on behalf of the first supplier. The first 
supplier may not fill any part of an order on an endorsed form. The 
second supplier may fill the order, if possible and if the supplier 
desires to do so, in accordance with Sec.  1305.13 (b), (c), and (d), 
including shipping all substances directly to the purchaser.
    (b) Distributions made on endorsed DEA Forms 222 must be reported 
by the second supplier in the same manner as all other distributions 
except that where the name of the supplier is requested on the 
reporting form, the second supplier must record the name, address, and 
registration number of the first supplier.


Sec.  1305.15  Unaccepted and defective DEA Forms 222.

    (a) A DEA Form 222 must not be filled if either of the following 
applies:
    (1) The order is not complete, legible, or properly prepared, 
executed, or endorsed.
    (2) The order shows any alteration, erasure, or change of any 
description.
    (b) If a DEA Form 222 cannot be filled for any reason under this 
section, the supplier must return Copies 1 and 2 to the purchaser with 
a statement as to the reason (e.g., illegible or altered).
    (c) A supplier may for any reason refuse to accept any order and if 
a supplier refuses to accept the order, a statement that the order is 
not accepted is sufficient for purposes of this paragraph.
    (d) When a purchaser receives an unaccepted order, Copies 1 and 2 
of the DEA Form 222 and the statement must be attached to Copy 3 and 
retained in the files of the purchaser in accordance with Sec.  
1305.17. A defective DEA Form 222 may not be corrected; it must be 
replaced by a new DEA Form 222 for the order to be filled.


Sec.  1305.16  Lost and stolen DEA Forms 222.

    (a) If a purchaser ascertains that an unfilled DEA Form 222 has 
been lost, he or she must execute another in triplicate and attach a 
statement containing the serial number and date of the lost form, and 
stating that the goods covered by the first DEA Form 222 were not 
received through loss of that DEA Form 222. Copy 3 of the second form 
and a copy of the statement must be retained with Copy 3 of the DEA 
Form 222 first executed. A copy of the statement must be attached to 
Copies 1 and 2 of the second DEA Form 222 sent to the supplier. If the 
first DEA Form 222 is subsequently received by the supplier to whom it 
was directed, the supplier must mark upon the face ``Not accepted'' and 
return Copies 1 and 2 to the purchaser, who must attach it to Copy 3 
and the statement.
    (b) Whenever any used or unused DEA Forms 222 are stolen or lost 
(otherwise than in the course of transmission) by any purchaser or 
supplier, the purchaser or supplier must immediately upon discovery of 
the theft or loss, report the theft or loss to the Special Agent in 
Charge of the Drug Enforcement Administration in the Divisional Office 
responsible for the area in which the registrant is located, stating 
the serial number of each form stolen or lost.
    (c) If the theft or loss includes any original DEA Forms 222 
received from purchasers and the supplier is unable to state the serial 
numbers of such DEA Forms 222, the supplier must report the date or 
approximate date of receipt and the names and addresses of the 
purchasers.
    (d) If an entire book of DEA Forms 222 is lost or stolen, and the 
purchaser is unable to state the serial numbers of the DEA Forms 222 in 
the book, the purchaser must report, in lieu of the numbers of the 
forms contained in such book, the date or approximate date of issuance.
    (e) If any unused DEA Form 222 reported stolen or lost is 
subsequently recovered or found, the Special Agent in Charge of the 
Drug Enforcement Administration in the Divisional Office responsible 
for the area in which the registrant is located must immediately be 
notified.


Sec.  1305.17  Preservation of DEA Forms 222.

    (a) The purchaser must retain Copy 3 of each executed DEA Form 222 
and all copies of unaccepted or defective forms with each statement 
attached.
    (b) The supplier must retain Copy 1 of each DEA Form 222 that it 
has filled.
    (c) DEA Forms 222 must be maintained separately from all other 
records of the registrant. DEA Forms 222 are required to be kept 
available for inspection for a period of two years. If a purchaser has 
several registered locations, the purchaser must retain Copy 3 of the 
executed DEA Form 222 and any attached statements or other related 
documents (not including unexecuted DEA Forms 222, which may be kept 
elsewhere under Sec.  1305.12(d)), at the registered location printed 
on the DEA Form 222.
    (d) The supplier of carfentanil, etorphine hydrochloride, and 
diprenorphine must maintain DEA Forms 222 for these substances 
separately from all other DEA Forms 222 and records required to be 
maintained by the registrant.


Sec.  1305.18  Return of unused DEA Forms 222.

    If the registration of any purchaser terminates (because the 
purchaser ceases legal existence, discontinues business or professional 
practice, or changes the name or address as shown on the purchaser's 
registration) or is suspended or revoked under Sec.  1301.36 of this 
chapter for all controlled substances listed in Schedules I and II for 
which the purchaser is registered, the purchaser must return all unused 
DEA Forms 222 for such substances to the nearest office of the 
Administration.


Sec.  1305.19  Cancellation and voiding of DEA Forms 222.

    (a) A purchaser may cancel part or all of an order on a DEA Form 
222 by notifying the supplier in writing of such cancellation. The 
supplier must indicate the cancellation on Copies 1 and 2 of the DEA 
Form 222 by drawing a line through the canceled items and printing 
``canceled'' in the space provided for number of items shipped.
    (b) A supplier may void part or all of an order on a DEA Form 222 
by notifying the purchaser in writing of such voiding. The supplier 
must indicate the voiding in the manner prescribed for cancellation in 
paragraph (a) of this section.

Subpart C--Electronic Orders


Sec.  1305.21  Requirements for electronic orders.

    (a) To be valid, an electronic order for a Schedule I or II 
controlled substance must be signed by the purchaser with a digital 
signature issued to the purchaser, or the purchaser's agent, by DEA as 
provided in part 1311 of this chapter.
    (b) The following data fields must be included on an electronic 
order for Schedule I and II controlled substances:
    (1) A unique number the purchaser assigns to track the order. The 
number must be in the following 9-character format: X, the last two 
digits of the year, and six characters as selected by the purchaser.

[[Page 38577]]

    (2) The name of the supplier.
    (3) The complete address of the supplier.
    (4) The supplier's DEA registration number (may be completed by 
either the purchaser or the supplier).
    (5) The date the order is signed.
    (6) The name (including strength where appropriate) of the 
controlled substance product.
    (7) The National Drug Code (NDC) number (may be completed by either 
the purchaser or the supplier).
    (8) The quantity in a single package or container.
    (9) The number of packages or containers of each item ordered.
    (c) An electronic order may include controlled substances that are 
not in Schedules I and II and non-controlled substances.


Sec.  1305.22  Procedure for filling electronic orders.

    (a) A purchaser must submit the order to a specific supplier. The 
supplier may initially process the order (e.g., entry of the order into 
the computer system, billing functions, inventory identification, etc.) 
centrally at any location, regardless of its registration with DEA. 
Following centralized processing, the order is distributed to one or 
more registered locations maintained by the supplier for filling. The 
registrant must maintain control of the processing of the order at all 
times.
    (b) A supplier may fill the order for a Schedule I or II controlled 
substance, if possible and if the supplier desires to do so and is 
authorized to do so under Sec.  1305.04.
    (c) A supplier must do the following before filling the order:
    (1) Verify the integrity of the signature and the order by having 
software that complies with part 1311 of this chapter validate the 
order.
    (2) Verify that the digital certificate has not expired.
    (3) Check the validity of the certificate holder's certificate by 
checking the Certificate Revocation List. The supplier may cache the 
Certificate Revocation List until it expires.
    (4) Verify the certificate holder's eligibility to order the 
controlled substances by checking the certificate extension data.
    (d) The supplier must retain an electronic record of every order, 
and, linked to each order, a record of the number of commercial or bulk 
containers furnished on each item and the date on which the supplier 
shipped the containers to the purchaser. The linked record must also 
include any data on the original order that the supplier completes. 
Software used to handle digitally signed orders must comply with part 
1311 of this chapter.
    (e) If an order cannot be filled in its entirety, a supplier may 
fill it in part and supply the balance by additional shipments within 
60 days following the date of the order. No order is valid more than 60 
days after its execution by the purchaser, except as specified in 
paragraph (h) of this section.
    (f) A supplier must ship the controlled substances to the 
registered location of the purchaser, except as specified in paragraph 
(h) of this section.
    (g) When a purchaser receives a shipment, the purchaser must create 
a record of the quantity of each item received and the date received. 
The record must be electronically linked to the original order and 
archived.
    (h) Registered procurement officers of the Defense Supply Center of 
the Defense Logistics Agency may order controlled substances for 
delivery to armed services establishments within the United States. 
These orders may be shipped to locations other than the registered 
location, and in partial shipments at different times not to exceed six 
months from the date of the order, as designated by the procurement 
officer when submitting the order.


Sec.  1305.23  Endorsing electronic orders.

    (a) If a supplier cannot fill all or a part of an electronic order 
within 60 days of the date of the order, the supplier may endorse the 
order to a supplier owned by another registrant for filling. Only the 
supplier to whom the order was first made may endorse the order to 
another supplier. To endorse the order the first supplier must do the 
following:
    (1) Make an electronic copy of the original order.
    (2) Create a linked record to the copy with the name, address, and 
DEA registration number of the second supplier.
    (3) Digitally sign the linked record and copy using a DEA-issued 
digital certificate that meets the requirements in part 1311 of this 
chapter.
    (b) The first supplier may endorse a partial order or an order in 
its entirety. The first supplier must transmit both the original order 
and the signed copy and linked record of the order to the second 
supplier indicating, where necessary, the partial filling of the 
original order. The second supplier must fill the order, if possible 
and if he/she desires to do so, in accordance with the requirements of 
this part concerning electronic orders.
    (c) Distributions made on endorsed orders must be reported by the 
second supplier in the same manner as all other distributions except 
that where the name of the supplier is requested in the report, the 
second supplier must record the name, address, and registration number 
of the first supplier.


Sec.  1305.24  Central processing of orders.

    (a) A supplier that has one or more registered locations and 
maintains a central processing computer system in which orders are 
stored may have one or more of the supplier's registered locations fill 
an electronic order if the supplier does the following:
    (1) Assigns each item on the order to a specific registered 
location for filling.
    (2) Has each location filling part of the order create a record 
linked to the central file noting both which items the location filled 
and the location identity.
    (3) Ensures that no item is filled by more than one location.
    (4) Maintains the original order with all linked records on the 
central computer system.
    (b) A company that has central processing of orders must assign 
responsibility for filling parts of orders only to registered locations 
that the company owns and operates.


Sec.  1305.25  Unaccepted and defective electronic orders.

    (a) No electronic order may be filled if:
    (1) The required data fields have not been completed.
    (2) The order is not signed using a digital certificate issued by 
DEA.
    (3) The digital certificate being used was expired or had been 
revoked prior to signature.
    (4) The purchaser's public key will not decrypt the digital 
signature.
    (5) The validation of the order shows that the order is invalid for 
any reason.
    (b) If an order cannot be filled for any reason under this section, 
the supplier must notify the purchaser and provide a statement as to 
the reason (e.g., improperly prepared or altered). A supplier may, for 
any reason, refuse to accept any order, and if a supplier refuses to 
accept the order, a statement that the order is not accepted is 
sufficient for purposes of this paragraph.
    (c) When a purchaser receives a rejected electronic order from the 
supplier, the purchaser must electronically link the statement of 
reasons for rejection to the original. The original and the statement 
must be retained in accordance with Sec.  1305.26 of this part.
    (d) Neither a purchaser nor a supplier may correct a defective 
order; the purchaser must issue a new order for the order to be filled.
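The supplier-side checks of Sec. 1305.22(c) and the rejection grounds of Sec. 1305.25(a), as an added worked example in Go; this is not part of the proposed rule or of any DEA or vendor software. It assumes an ECDSA P-256 signature over SHA-256 of the order bytes (one of the FIPS 186-2 algorithms), a constructed placeholder OID for the schedule-authorization extension (the rule names none), and a CA, holder certificate and CRL built in-process as a test fixture.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Placeholder OID (constructed) for the extension listing a holder's authorized schedules.
var oidSchedules = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

func must[T any](v T, err error) T { // panics on a fixture-construction error
	if err != nil {
		panic(err)
	}
	return v
}

// PKI is the constructed test environment: a DEA-style CA, one holder, one CRL.
type PKI struct {
	CA, Holder *x509.Certificate
	HolderKey  *ecdsa.PrivateKey
	CRL        *x509.RevocationList
}

// NewPKI builds the CA, a holder certificate authorizing Schedules II and III, and a
// six-hour CRL that revokes the holder at *revokedAt when revokedAt is non-nil.
func NewPKI(now time.Time, revokedAt *time.Time) *PKI {
	caKey, holderKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CSOS CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	schedules := must(asn1.Marshal([]string{"II", "III"})) // SEQUENCE OF PrintableString
	hTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Certificate Holder"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidSchedules, Value: schedules}}}
	holder := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, hTmpl, ca, &holderKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(6 * time.Hour)}
	if revokedAt != nil {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: holder.SerialNumber, RevocationTime: *revokedAt}}
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	return &PKI{CA: ca, Holder: holder, HolderKey: holderKey, CRL: crl}
}

// SignOrder is the purchaser side: an ASN.1 ECDSA signature over SHA-256(payload).
func SignOrder(key *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// ValidateOrder runs the Sec. 1305.22(c) checks in order; any error means the order
// must not be filled (Sec. 1305.25(a)).
func ValidateOrder(p *PKI, payload, sig []byte, signedOn time.Time, schedule string, now time.Time) error {
	// (c)(1) integrity: CA-issued certificate whose key verifies exactly the bytes received.
	if err := p.Holder.CheckSignatureFrom(p.CA); err != nil {
		return fmt.Errorf("certificate not issued by the CA: %w", err)
	}
	if err := p.Holder.CheckSignature(x509.ECDSAWithSHA256, payload, sig); err != nil {
		return fmt.Errorf("signature does not verify against the order: %w", err)
	}
	// (c)(2) expiry: valid now and valid when the order was signed (1305.25(a)(3)).
	if now.After(p.Holder.NotAfter) || signedOn.Before(p.Holder.NotBefore) || signedOn.After(p.Holder.NotAfter) {
		return fmt.Errorf("certificate outside its operational period")
	}
	// (c)(3) revocation: a cached CRL is usable only if CA-signed and not past NextUpdate.
	if err := p.CRL.CheckSignatureFrom(p.CA); err != nil || now.After(p.CRL.NextUpdate) {
		return fmt.Errorf("CRL unusable, fetch a fresh one (signature: %v, NextUpdate: %s)", err, p.CRL.NextUpdate)
	}
	for _, rc := range p.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.Holder.SerialNumber) == 0 && !rc.RevocationTime.After(signedOn) {
			return fmt.Errorf("certificate revoked at %s, before the order was signed", rc.RevocationTime)
		}
	}
	// (c)(4) eligibility: the ordered schedule must be listed in the extension.
	var allowed []string
	for _, ext := range p.Holder.Extensions {
		if ext.Id.Equal(oidSchedules) {
			if _, err := asn1.Unmarshal(ext.Value, &allowed); err != nil {
				return fmt.Errorf("malformed schedule extension: %w", err)
			}
		}
	}
	for _, s := range allowed {
		if s == schedule {
			return nil
		}
	}
	return fmt.Errorf("certificate does not authorize Schedule %s (allowed: %v)", schedule, allowed)
}
```

The revocation check follows the rule's wording in Sec. 1305.25(a)(3), rejecting only a certificate revoked on or before the signing date; a supplier that wants to refuse any revoked certificate regardless of timing drops the time comparison.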

[[Page 38578]]

Sec.  1305.26  Lost electronic orders.

    (a) If a purchaser determines that an unfilled electronic order has 
been lost before or after receipt, the purchaser must provide, to the 
supplier, a signed statement containing the unique tracking number and 
date of the lost order and stating that the goods covered by the first 
order were not received through loss of that order.
    (b) If the purchaser executes an order to replace the lost order, 
the purchaser must electronically link an electronic record of the 
second order and a copy of the statement with the record of the first 
order and retain them.
    (c) If the supplier to whom the order was directed subsequently 
receives the first order, the supplier must make an electronic record, 
indicate that it is ``Not Accepted,'' and return it to the purchaser. 
The purchaser must link the returned order to the record of that order 
and the statement.


Sec.  1305.27  Preservation of electronic orders.

    (a) A purchaser must, for each order filled, retain the original 
signed order and all linked records for that order for two years. The 
purchaser must also retain all copies of each unaccepted or defective 
order and each linked statement.
    (b) A supplier must retain each original order filled and the 
linked records for two years.
    (c) If electronic order records are maintained on a central server, 
the records must be readily retrievable at the registered location.


Sec.  1305.28  Canceling and voiding electronic orders.

    A supplier may void all or part of an electronic order by notifying 
the purchaser of the voiding. If the entire order is voided, the 
supplier must make an electronic copy of the order, indicate on the 
copy ``Void,'' and return it to the purchaser. The purchaser must 
retain an electronic copy of the voided order. To partially void an 
order, the supplier must indicate on the annotated copy that nothing 
was shipped for each item voided.


Sec.  1305.29  Reporting to DEA.

    A supplier must, for each electronic order filled, forward either a 
copy of the electronic order or an electronic report of the order in 
such format as DEA may specify to DEA every other business day. For 
suppliers who choose to submit a report rather than copies, the report 
must include the following data fields for each order filled:
    (a) The supplier's name.
    (b) The supplier's complete address.
    (c) The supplier's DEA registration number.
    (d) The purchaser's name.
    (e) The purchaser's complete address.
    (f) The purchaser's DEA registration number.
    (g) The schedules the purchaser is authorized to receive.
    (h) The purchaser's business activity.
    (i) The unique tracking number the purchaser assigned to the order.
    (j) The date the order was signed.
    (k) The name of the controlled substance product.
    (l) The National Drug Code (NDC) number of the controlled 
substance.
    (m) The quantity in a single package or container.
    (n) The number of packages or containers of each item ordered.
    (o) The number of packages or containers shipped.
    (p) The date shipped.
    2. Part 1311 is added to read as follows:

PART 1311--DIGITAL CERTIFICATES

Subpart A--General
1311.01 Scope.
1311.02 Definitions.
1311.05 Standards for technologies for electronic transmission of 
orders.
1311.08 Incorporation by reference.
Subpart B--Obtaining and Using Digital Certificates
1311.10 Eligibility to obtain a digital certificate.
1311.15 Limitations on digital certificates.
1311.16 Coordinators for controlled substances order system digital 
certificate holders.
1311.20 Requirements for obtaining a digital certificate for signing 
orders.
1311.30 Requirements for storing and using a private key for 
digitally signing orders.
1311.40 Number of certificates needed.
1311.45 Renewal of certificates.
1311.50 Requirements for registrants that allow powers of attorney 
to obtain digital certificates under their DEA registration.
1311.55 Requirements for recipients of digitally signed orders.
1311.60 Requirements for systems used to process digitally signed 
orders.
1311.65 Recordkeeping.

    Authority: 21 U.S.C. 821, 828, 829, 871(b), 958(e), 965, unless 
otherwise noted.

Subpart A--General


Sec.  1311.01  Scope.

    This part sets forth the rules governing the use of digital 
signatures and the protection of private keys by registrants.


Sec.  1311.02  Definitions.

    For the purposes of this chapter:
    Biometric authentication means authentication based on measurement 
of the individual's physical features or repeatable actions where those 
features or actions are both unique to the individual and measurable.
    Cache means to download and store information on a local server or 
hard drive.
    Certification Authority (CA) means an organization that is 
responsible for verifying the identity of applicants, authorizing and 
issuing a digital certificate, maintaining a directory of public keys, 
and maintaining a Certificate Revocation List.
    Certificate Policy means a named set of rules that sets forth the 
applicability of the specific digital certificate to a particular 
community or class of application with common security requirements.
    Certificate Revocation List (CRL) means a list of revoked, but 
unexpired certificates issued by a Certification Authority.
    Digital certificate means a data record that, at a minimum, (1) 
identifies the certification authority issuing it; (2) names or 
otherwise identifies the certificate holder; (3) contains a public key 
that corresponds to a private key under the sole control of the 
certificate holder; (4) identifies the operational period; and (5) 
contains a serial number and is digitally signed by the Certification 
Authority issuing it.
    Digital signature means a record created when a file is 
algorithmically transformed into a fixed length digest that is then 
encrypted using an asymmetric cryptographic private key associated with 
a digital certificate. The combination of the encryption and algorithm 
transformation ensures that the signer's identity and the integrity of 
the file can be confirmed.
    Electronic signature means a method of signing an electronic 
message that identifies a particular person as the source of the 
message and indicates the person's approval of the information 
contained in the message.
    FIPS means Federal Information Processing Standards. These Federal 
standards prescribe specific performance requirements, practices, 
formats, communications protocols, etc., for hardware, software, data, 
etc.
    FIPS 140-2 means a Federal standard for security requirements for 
cryptographic modules.
    FIPS 180-1 means a Federal secure hash standard.
    FIPS 186-2 means a Federal standard for applications used to 
generate and rely upon digital signatures.
    Key pair means two mathematically related keys having the 
properties that (1) one key can be used to encrypt a message that can 
only be decrypted

[[Page 38579]]

using the other key and (2) even knowing one key, it is computationally 
infeasible to discover the other key.
    NIST means the National Institute of Standards and Technology.
    Private key means the key of a key pair that is used to create a 
digital signature.
    Public key means the key of a key pair that is used to verify a 
digital signature. The public key is made available to anyone who will 
receive digitally signed messages from the holder of the key pair.
    Public Key Infrastructure means a structure under which a 
Certification Authority verifies the identity of applicants, issues, 
renews, and revokes digital certificates, maintains a registry of 
public keys, maintains an up-to-date certificate revocation list, and 
validates digital certificates.
    PKI means public key infrastructure.


Sec.  1311.05  Standards for technologies for electronic transmission 
of orders.

    (a) A registrant or a person with power of attorney to sign orders 
for Schedule I and II controlled substances may use any technology to 
sign and electronically transmit orders if the technology provides all 
of the following:
    (1) Authentication: The system must enable a recipient to 
positively verify the signer without direct communication with the 
signer and subsequently demonstrate to a third party, if needed, that 
the sender's identity was properly verified.
    (2) Non-repudiation: The system must ensure that strong and 
substantial evidence is available to the recipient of the sender's 
identity, sufficient to prevent the sender from successfully denying 
having sent the data. This criterion includes the ability of a third 
party to verify the origin of the document.
    (3) Message integrity: The system must ensure that the recipient, 
or a third party, can determine whether the contents of the document 
have been altered during transmission or after receipt.
    (b) DEA has identified the following means of electronically 
signing and transmitting order forms as meeting all of the standards 
set forth in paragraph (a) of this section.
    (1) Digital signatures using Public Key Infrastructure (PKI) 
technology.
    (2) [Reserved]


Sec.  1311.08  Incorporation by reference.

    (a) The following standards are incorporated by reference:
    (1) FIPS 140-2, Security Requirements for Cryptographic Modules.
    (2) FIPS 180-1, Secure Hash Standard.
    (3) FIPS 186-2, Digital Signature Standard. These standards are 
available from the National Institute of Standards and Technology, 
Computer Security Division, Information Technology Laboratory, National 
Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, 
MD 20899-8930 and are available at http://csrc.nist.gov/.
    (b) These incorporations by reference will be submitted to the 
Director of the Federal Register in accordance with 5 U.S.C. 552(s) and 
1 CFR part 51. Copies may be inspected at the Drug Enforcement 
Administration, 600 Army Navy Drive, Arlington, VA 22202 or at the 
Office of the Federal Register, 800 North Capitol Street, NW., Suite 
700, Washington, DC 20408-0001.

Subpart B--Obtaining and Using Digital Certificates


Sec.  1311.10  Eligibility to obtain a digital certificate.

    (a) The following persons are eligible to obtain a digital 
certificate from the DEA Certification Authority to sign electronic 
orders for controlled substances.
    (1) The person who signed the most recent DEA registration 
application or renewal application.
    (2) A person granted power of attorney by a DEA registrant to sign 
orders for one or more schedules of controlled substances.
    (b) [Reserved]


Sec.  1311.15  Limitations on digital certificates.

    (a) A digital certificate issued by the DEA Certification Authority 
will authorize the certificate holder to sign orders for only those 
schedules of controlled substances covered by the registration under 
which the certificate is issued.
    (b) When a registrant, in a power of attorney letter, limits a 
certificate applicant to a subset of the registrant's authorized 
schedules, the digital certificate will allow the certificate holder to 
sign orders only for that subset of schedules.


Sec.  1311.16  Coordinators for controlled substances order system 
digital certificate holders.

    (a) Each registrant, regardless of number of digital certificates 
issued, must designate one or more responsible persons to serve as that 
registrant's recognized agent regarding issues pertaining to issuance 
of, revocation of, and changes to digital certificates issued under 
that registrant's DEA registration. While the coordinator will be the 
main point of contact between one or more DEA registered locations and 
the CSOS Certification Authority, all digital certificate activities 
are the responsibility of the registrant with whom the digital 
certificate is associated. Even when an individual registrant, i.e., an 
individual practitioner, is applying for a digital certificate to order 
controlled substances, a CSOS Coordinator must be designated.
    (b) Once designated, coordinators must identify themselves, on a 
one-time basis, to the Certification Authority. If a designated 
coordinator changes, the Certification Authority must be notified of 
the change and the new responsibilities assumed by each of the 
registrant's coordinators, if applicable. Coordinators must complete 
the application that the DEA Certification Authority provides and 
submit the following:
    (1) Two copies of identification, one of which must be a 
government-issued photographic identification.
    (2) A copy of each current DEA Certificate of Registration (DEA 
form 223) for each registered location for which the coordinator will 
be responsible, if available, or if the applicant (or their employer) 
has not been issued a DEA registration, a copy of each application for 
registration of the applicant or the applicant's employer.
    (3) The applicant must have the completed application notarized and 
forward the completed application and accompanying documentation to the 
DEA Certification Authority.
    (c) Coordinators will communicate with the Certification Authority 
regarding digital certificate applications, renewals and revocations. 
For applicants applying for a digital certificate from the DEA 
Certification Authority, and for applicants applying for a power of 
attorney digital certificate for a DEA registrant, the registrant's 
Coordinator must verify the applicant's identity, review the 
application package, and submit the completed package to the 
Certification Authority.


Sec.  1311.20  Requirements for obtaining a certificate for a digital 
signature for orders.

    (a) To obtain a certificate to use for signing electronic orders 
for controlled substances, a registrant or person with power of 
attorney for a registrant must complete the application that the DEA 
Certification Authority provides and submit the following:
    (1) Two copies of identification, one of which must be a 
government-issued photographic identification.

[[Page 38580]]

    (2) A current listing of DEA registrations for which the individual 
has authority to sign controlled substances orders.
    (3) A copy of the power of attorney from the registrant, if 
applicable. If the registrant does not authorize the applicant to order 
all schedules allowed under the registrant's registration, the power of 
attorney form or letter must indicate which schedules of controlled 
substances the applicant is authorized to order.
    (4) A signed Subscriber Agreement stating the applicant has read 
and understands the agreement and agrees to the statement of subscriber 
obligations that DEA provides.
    (b) The applicant must provide the completed application to the 
registrant's coordinator for controlled substances order system digital 
certificate holders who will review the application and submit the 
completed application and accompanying documentation to the DEA 
Certification Authority.
    (c) When the Certification Authority approves the application, it 
will send the applicant a one-time use access code and password, via 
separate channels, and information on how to use them. Using this 
information, the applicant must then electronically submit a request 
for certification of the public digital signature key. After the 
request is approved, the Certification Authority will provide the 
applicant with the signed public key certificate and the Certification 
Authority's public key certificate.
    (d) Once the applicant has generated the key pair, the 
Certification Authority must verify that the applicant possesses the 
private key corresponding to the public key submitted for 
certification. The applicant must use the private key to sign the 
certificate request. Verification of that signature using the public 
key contained in the request serves as proof of possession of the 
private key.
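The exchange in paragraph (d), as an added example that is not part of the proposed rule or of any DEA system: the applicant generates the key pair locally and signs a PKCS#10 certificate request with the new private key; the Certification Authority parses the request and checks that self-signature against the public key the request carries. The code uses the Go standard library's crypto/x509 package; ECDSA P-256 stands in for the FIPS 186-2 algorithms the rule names, and the subject name is a placeholder. The tampering helper shows the failure mode: a request altered after signing still parses, but the proof of possession fails and the CA must not issue.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// applicantRequest is the subscriber's side: the key pair is generated locally and a
// PKCS#10 request carrying the public key is signed with the new private key, which
// never leaves the applicant's module. The returned key stands in for that module.
func applicantRequest(commonName string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}, key)
	return key, csr, err
}

// caCheckPossession is the Certification Authority's side: parse the request and verify
// its signature with the public key inside it. Only the holder of the matching private
// key can have produced that signature, so success is the proof of possession; the CA
// signs no certificate for a key that fails this check.
func caCheckPossession(csrDER []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, fmt.Errorf("malformed request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr, nil
}

// tamperSubject flips one bit of the subject name inside an encoded request, simulating
// an alteration of the request after it was signed. The DER still parses, but the
// signature no longer covers it.
func tamperSubject(csrDER []byte, commonName string) []byte {
	out := append([]byte(nil), csrDER...)
	if i := bytes.Index(out, []byte(commonName)); i >= 0 {
		out[i] ^= 0x01
	}
	return out
}

func main() {
	const cn = "Jane Roe, Registrant (hypothetical)"
	_, csr, err := applicantRequest(cn)
	if err != nil {
		panic(err)
	}
	if req, err := caCheckPossession(csr); err == nil {
		fmt.Println("accepted request for", req.Subject.CommonName)
	}
	if _, err := caCheckPossession(tamperSubject(csr, cn)); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Running it prints one accepted line for the genuine request and one rejection for the altered copy. The check proves only that the requester held the private key at the time of the request; identity binding is the coordinator's and the CA's job, and key storage is covered by Sec. 1311.30.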


Sec.  1311.30  Requirements for storing and using a private key for 
digitally signing orders.

    (a) Only the certificate holder may access or use his or her 
digital certificate and private key.
    (b) The certificate holder must provide FIPS-approved secure 
storage for the private key.
    (c) A certificate holder must ensure that no one else uses the 
private key. While the private key is activated, the certificate holder 
must prevent unauthorized use of that private key.
    (d) A certificate holder must not make back-up copies of the 
private key.
    (e) The certificate holder must report the loss, theft, or 
compromise of the private key or the password, via a revocation 
request, to the Certification Authority within 24 hours of discovery of 
the loss, theft, or compromise. Upon receipt and verification of a 
signed revocation request, the Certification Authority will revoke the 
certificate. The certificate holder must apply for a new certificate 
under the requirements of Sec.  1311.20.


Sec.  1311.40  Number of digital certificates needed.

    (a) A purchaser of Schedule I and II controlled substances must 
obtain a separate certificate for each registered location for which 
the purchaser will order these controlled substances.
    (b) [Reserved]


Sec.  1311.45  Renewal of digital certificates.

    (a) A certificate holder must generate a new key pair and obtain a 
new digital certificate when the registrant's DEA registration expires 
or whenever the information on which the certificate is based changes. 
This information includes the registered name and address and the 
schedules the certificate holder is authorized to handle. A certificate 
will expire on the date on which the DEA registration on which the 
certificate is based expires.
    (b) The Certification Authority will notify each certificate holder 
45 days in advance of the expiration of the certificate holder's 
digital certificate.
    (c) If a certificate holder applies for a renewal before the 
certificate expires, the certificate holder may renew electronically 
twice. For every third renewal, the certificate holder must submit a 
new application and documentation, as provided in Sec.  1311.20.
    (d) If a certificate expires before the holder applies for a 
renewal, the certificate holder must submit a new application and 
documentation, as provided in Sec.  1311.20.


Sec.  1311.50  Requirements for registrants that allow individuals 
with power of attorney to obtain digital certificates under their DEA 
registration.

    (a) A registrant that grants power of attorney must report to the 
DEA Certification Authority within 6 hours of either of the following:
    (1) The person with power of attorney has left the employ of the 
institution.
    (2) The person with power of attorney has had his or her privileges 
revoked.
    (b) A registrant must maintain a record that lists each person 
granted power of attorney to sign controlled substance orders.


Sec.  1311.55  Requirements for recipients of digitally signed orders.

    (a) The recipient of a digitally signed order must do the following 
before filling the order:
    (1) Verify the integrity of the signature and the order by having 
the software validate the order.
    (2) Verify that the certificate holder's digital certificate has 
not expired by checking the expiration date against the date the order 
was signed.
    (3) Check the validity of the certificate holder's certificate by 
checking the Certificate Revocation List.
    (4) Check the extension data to determine whether the sender has 
the authority to order the controlled substance.
    (b) A recipient may cache Certificate Revocation Lists for use 
until they expire.


Sec.  1311.60  Requirements for systems used to process digitally 
signed orders.

    (a) A certificate holder and recipient of an electronic order may 
use any system to write, track, or maintain orders provided that the 
system has been enabled to process digitally signed documents and that 
it meets the requirements of paragraph (b) or (c) of this section.
    (b) A system used to digitally sign orders must meet the following 
requirements:
    (1) The cryptographic module must be FIPS 140-2 validated.
    (2) The digital signature system and hash function must be 
compliant with FIPS 186-2 and FIPS 180-1.
    (3) The private key must be stored encrypted on a FIPS 140-2 
validated cryptographic module using a FIPS-approved encryption 
algorithm.
    (4) The system must use either a user ID and password combination 
or biometric authentication to access the private key. Activation data 
must not be displayed as they are entered.
    (5) The system must set a 10-minute inactivity time period after 
which the certificate holder must reauthenticate before the private 
key can be accessed again.
    (6) For software implementations, when the signing module is 
deactivated, the system must clear the plain text private key from the 
system memory to prevent the unauthorized access to, or use, of the 
private key.
    (7) The system must be able to digitally sign and transmit an 
order.
    (8) The system must have a time system that is within five minutes 
of the official National Institute of Standards and Technology time 
source.
    (9) For orders, the system must archive the digitally signed orders 
and any other records required in Part 1305 of this chapter, including 
any linked data.

[[Page 38581]]

    (10) For orders, the system must create an order that includes all 
data fields listed under Sec.  1305.21(b) of this chapter.
    (c) A system used to receive, verify, and create linked records for 
orders signed with a digital certificate must meet the following 
requirements:
    (1) The cryptographic module must be FIPS 140-2 validated.
    (2) The digital signature system and hash function must be 
compliant with FIPS 186-2 and FIPS 180-1.
    (3) The system must determine that an order has not been altered 
during transmission. The system must invalidate any order that has been 
altered.
    (4) The system must verify the digital signature using the 
sender's public key. The system must invalidate any order whose 
signature cannot be verified.
    (5) The system must check the certificate revocation list 
automatically and invalidate any order with a certificate listed on the 
certificate revocation list.
    (6) The system must check the validity of the certificate and the 
Certification Authority certificate and invalidate any order that fails 
these validity checks.
    (7) The system must have a time system that is within five minutes 
of the official National Institute of Standards and Technology time 
source.
    (8) The system must check the substances ordered against the 
schedules that the signer is allowed to order and invalidate any order 
that includes substances the signer is not allowed to order.
    (9) The system must ensure that an invalid finding cannot be 
bypassed or ignored and the order filled.
    (10) The system must archive the order and include the digital 
certificate attached to the order in the record of each order.
    (11) If a registrant sends daily reports on orders to DEA, the 
system must create a report that includes, for each order, all the data 
fields listed under Sec.  1305.28(a) of this chapter.
    (d) For systems used to process orders, the system developer or 
vendor must have an initial independent third-party audit of the system 
and an additional independent third-party audit whenever the signing or 
verifying functionality is changed to determine whether it correctly 
performs the functions listed under paragraphs (b) and (c) of this 
section. The system developer must retain the most recent audit results 
and retain the results of any other audits of the software completed 
within the previous two years.
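The recipient-side checks of Sec. 1311.55(a) and Sec. 1311.60(c), as an added example that is not the rule's text nor any vendor's audited system: a stand-in Certification Authority issues a signer certificate that carries the authorized schedules in an extension, the purchaser signs an order, and the supplier's verifier chains the certificate to the CA at the time of signing, verifies the signature, consults a CA-signed CRL that is still within its NextUpdate, and checks every line item against the certificate's schedule extension. The code uses only the Go standard library; ECDSA P-256 with SHA-256 stands in for the FIPS 186-2 and FIPS 180-1 algorithms the rule names, and the extension OID 1.3.6.1.4.1.99999.1, the JSON order layout and all names are assumptions, not the CSOS formats. The verifier returns the parsed order only on success, so an invalid finding cannot be bypassed, as paragraph (c)(9) requires.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hypothetical private-arc OID for the extension listing the schedules a holder may order.
var oidSchedules = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

type Item struct {
	NDC, Schedule string
	Qty           int
}

type Order struct {
	PurchaserDEA string
	Items        []Item
}

// SignedOrder is the message that travels from purchaser to supplier.
type SignedOrder struct {
	OrderJSON, Signature, CertDER []byte    // signed bytes, ECDSA/SHA-256 signature, signer cert
	SignedAt                      time.Time // time the signer claims to have signed
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue stands in for the DEA Certification Authority: parent == nil mints the self-signed
// CA, otherwise a signer certificate carrying the (non-critical) schedule extension.
func issue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64,
	notAfter time.Time, schedules string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial),
		Subject:   pkix.Name{CommonName: fmt.Sprintf("hypothetical subject %d", serial)},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage:  x509.KeyUsageDigitalSignature}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSchedules, Value: must(asn1.Marshal(schedules))}}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// makeCRL issues a CA-signed CRL; NextUpdate bounds how long a recipient may cache it (1311.55(b)).
func makeCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...int64) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
}

func signOrder(o Order, cert *x509.Certificate, key *ecdsa.PrivateKey, at time.Time) SignedOrder {
	b := must(json.Marshal(o))
	h := sha256.Sum256(b)
	return SignedOrder{b, must(ecdsa.SignASN1(rand.Reader, key, h[:])), cert.Raw, at}
}

// verifyOrder runs the recipient checks of Sec. 1311.55(a) and 1311.60(c). It returns the
// parsed order only when every check passes; any failure yields nil and an error, so no
// code path lets an invalid finding be bypassed ((c)(9)).
func verifyOrder(so SignedOrder, ca *x509.Certificate, crlDER []byte, now time.Time) (*Order, error) {
	cert, err := x509.ParseCertificate(so.CertDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool() // (c)(6), (a)(2): chain to the CA, validity judged at signing time
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: so.SignedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate not valid at signing time: %w", err)
	}
	h := sha256.Sum256(so.OrderJSON) // (c)(3), (c)(4): verify with the sender's public key
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], so.Signature) {
		return nil, fmt.Errorf("signature does not verify: order altered or wrong key")
	}
	crl, err := x509.ParseRevocationList(crlDER) // (c)(5): CRL must be CA-signed and current
	if err != nil {
		return nil, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil || now.After(crl.NextUpdate) {
		return nil, fmt.Errorf("CRL untrusted or stale; fetch a fresh one")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return nil, fmt.Errorf("signer certificate %v is revoked", cert.SerialNumber)
		}
	}
	var allowed string // (a)(4), (c)(8): authorized schedules come from the certificate extension
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidSchedules) {
			if _, err := asn1.Unmarshal(e.Value, &allowed); err != nil {
				return nil, err
			}
		}
	}
	var o Order
	if err := json.Unmarshal(so.OrderJSON, &o); err != nil || allowed == "" {
		return nil, fmt.Errorf("order unparsable or certificate carries no schedule authorization")
	}
	for _, it := range o.Items {
		if !strings.Contains(","+allowed+",", ","+it.Schedule+",") {
			return nil, fmt.Errorf("signer not authorized to order schedule %s", it.Schedule)
		}
	}
	return &o, nil
}
```

Two design points carry over to any real implementation: the certificate is verified at `SignedAt` rather than at receipt, which is what paragraph (a)(2) calls for, and the CRL's own signature and NextUpdate are checked before its contents are trusted, so a cached list is honoured only until it expires (paragraph (b)). The signed bytes are verified exactly as received and only then parsed, which removes any gap between what was signed and what is filled.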


Sec.  1311.65  Recordkeeping.

    (a) A supplier or purchaser must maintain records of electronic 
orders and any linked records for two years. Records may be maintained 
electronically. Records regarding controlled substances that are 
maintained electronically must be readily retrievable from all other 
records by Schedule and controlled substance name.
    (b) Electronic records must be easily readable or easily rendered 
in a readable format. They must be made available to the Administration 
upon request.
    (c) Certificate holders must maintain a copy of the subscriber 
agreement that the Certification Authority provides for the life of the 
certificate.

    Dated: June 19, 2003.
William B. Simpkins,
Acting Administrator.
[FR Doc. 03-16082 Filed 6-26-03; 8:45 am]
BILLING CODE 4410-09-P