CSOS is an electronic commerce initiative overseen by the U.S. Drug Enforcement Administration (DEA) to provide an automated alternative to the current paper-intensive process required for purchasing and distributing Level I and II controlled substances.
CSOS Auditing certification is proof that software offerings can enable purchasers and suppliers to interchange e222 forms in a predictable and secure manner compliant with DEA requirements.
As a neutral third party, Drummond Group provides CSOS Auditing services such as delivering certification for software products-with-version in compliance with DEA rules.
Frequently Asked Questions on CSOS Auditing
Drummond Group is the trusted interoperability test lab offering global testing services throughout the product life cycle. In addition to interoperability testing services, Drummond Group offers test lab services including CSOS auditing, QA, conformance, and test consulting. Founded in 1999, Drummond Group represents best-of-breed on linking technologies, standards and interoperability issues with the needs of vertical industries such as automotive, consumer product goods, healthcare, financial services, government, petroleum, pharmaceutical and retail.
The Controlled Substances Ordering System (CSOS) is an electronic commerce initiative overseen by the U.S. Drug Enforcement Administration (DEA) that provides an automated alternative to the current paper-intensive process required for the purchase and distribution of Level I and II controlled substances.
In the current paper-based process, paper forms must be created or updated at every registered shipping location when controlled drugs are transferred. With CSOS, the DEA is defining a system based on digital signatures which allows for the paper forms, known as Form 222, to be replaced by digital messages often referred to as e222 or electronic 222 forms. Purchasers and suppliers may now use either of these methods, paper-based or electronic forms, to fulfill DEA requirements that prevent illegal diversion of controlled drugs.
The DEA proposed rule for CSOS includes technical and business requirements for products used to digitally sign, transmit or receive e222 forms. Software companies that provide these products must participate in an initial audit of the product and additional audits when changes are made to the core digital signing technology. End user companies that build in-house CSOS systems for digital signing, transmission or receipt of e222 forms also must be audited.
As an independent, neutral third party, Drummond Group offers two types of CSOS Services.
- Drummond Group offers CSOS Auditing services certifying software products-with-version for compliance with DEA rules for sections 1311.55b and 1311.55c. CSOS Auditing Certification is proof that software offerings can enable purchasers and suppliers to interchange e222 forms in a predictable and secure manner compliant with DEA requirements.
- In addition to CSOS Audits conducted with the highest level of assurance, Drummond Group also offers pre-audit consulting (conducted with minimal assurance) to work with companies who are developing CSOS implementations to ensure they are working towards the CSOS compliance in the Audit
The CSOS Audit is conducted on pre-installed, off-the-shelf commercial software or, in some cases, on systems built in-house by the end user. It covers:
- Confirmation that products-with-version have been issued seals of compliance to FIPS (Federal Information Processing Standards). FIPS sets best practices and prescribes specific computer software algorithms approved by the federal government to ensure data security.
- The ability to digitally sign, transmit and receive e222 forms in a FIPS enabled mode. Auditing will confirm that the products can perform digital signature functions while using only FIPS required methods.
- The ability of products to execute fundamental digital signature processing, including applying a digital signature, validating a business partner’s digital signature using that business partner’s public key, and validating message integrity.
- The products’ ability to recognize and act on invalid digital signatures and invalid digital certificates that have expired or have been revoked by the DEA.
The proposed rule requires that systems developers or vendors must be audited. If you are developing an in-house system that digitally signs, transmits or receives e222 forms, your system must also be audited. If you are purchasing a product that digitally signs, transmits or receives e222 forms, the software vendor that provides the system must be audited and provide you with proof of certification for that product-with-version.
For both systems developers and vendors, an additional audit is required whenever signing or verifying functionality is changed.
NOTE: All organizations handling Level I and II controlled substances are ultimately responsible for ensuring that they fully comply with DEA regulations regarding handling of Level I and II substances. Using software that has received CSOS certification does not, in and of itself, exempt organizations handling Level I and II controlled substances from this responsibility.
The DEA requires that any applications used to digitally sign, transmit and/or receive CSOS orders must be audited by an independent third party. See QA 7 for more info.
The certifying organization should have experience in testing and auditing security-related software standards, in particular the use of digital signature technology. Drummond Group has audited the majority of the current CSOS software used in the Pharmaceutical Distribution Industry today!
To remove the likelihood or appearance of biased auditing, certifying organizations should be verifiably neutral companies that do not themselves produce or market CSOS products and do not have business partnerships with companies that produce or market CSOS products.
The proposed rule requires the use of an independent third party in section 1311.55(d): “For systems used to process CSOS orders, the system developer or vendor must have an initial independent third-party audit of the system and an additional independent third-party audit whenever the signing or verifying functionality is changed to determine whether it correctly performs the functions listed under paragraphs (b) and (c) of this section.”
The security modules of a CSOS product-with-version must be FIPS 140-2 certified to at least Level I and must include FIPS Certified digital signature and secure hash algorithm implementations.
The auditing process will verify compliance to CSOS through a series of positive and negative physical tests of the product-with-version. Please contact Drummond Group by email at Info2@drummondgroup.com.