CSOS Compliance Audit - Final Report Cyclone Commerce Cyclone CSOS 5.3

Author: Joseph Rice

Prepared & Facilitated By: DRUMMOND GROUP INC. www.drummondgroup.com

Copyright © Drummond Group Inc. 2005

June 08, 2005

Cyclone Commerce CSOS 5.3 – CSOS Compliance Audit Final Report


Table of Contents

Cover Letter
Notice
Audited Party
Introduction
    Basis for Audit Criteria
    The Audit Process
        FIPS Validation Audit
        Physical testing
        Archive of Audit Artifacts
        Issuance of the Final Report and Audit Certificate
Audit Results Summary
    Required and Optional Features
Audit Details
    Signer FIPS Validation Audit
    Receiver FIPS Validation Audit
    Signer Positive Transmission
    Receiver Positive Validation
    Receiver Negative Security Validation
    Receiver DEA Registration Number Validation
    Signer Private Key Storage and Access
    Signer Order Archival
    Receiver Order Archival
About Drummond Group Inc.


Cover Letter

DRUMMOND GROUP Inc. is pleased to announce that Cyclone CSOS 5.3 has successfully passed the Audit requirements as established by the U.S. Drug Enforcement Administration (DEA) and as set forth below for a Drummond Certified™ Controlled Substances Ordering System. To fully understand what successfully completing the Audit means regarding the use of the product in production, please read this document carefully.

Sincerely,
Rik Drummond
CEO, Drummond Group Inc.


Notice

Drummond Group Inc. (DGI), acting as a neutral, independent 3rd party, conducts interoperability testing, conformance testing and auditing in a neutral test environment for various companies and organizations ("Participant"). Any publication of the participating company's name is not an endorsement of the Participant or its products or services. DGI makes no warranties, either express or implied, regarding any facet of the business conducted by the Participant.


Audited Party

Cyclone Commerce
http://www.cyclonecommerce.com
Product name: Cyclone CSOS 5.3


Introduction

The U.S. Drug Enforcement Administration (DEA) requires that products used to digitally sign and/or verify digital signatures of electronic controlled substance (CSOS) orders be audited by an independent third party.

Basis for Audit Criteria

The basis for the audit is two critical sections of the DEA final rule concerning electronic controlled substance orders, which are codified as the Code of Federal Regulations Title 21 Parts 1311.55.b and 1311.55.c. Please refer to the following link to access the DEA document which spells out the rules: http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/pdf/05-6504.pdf

The Audit Process

DGI conducts CSOS Audits by sending an Auditor to the Audited Party’s facilities and having the Audited Party execute the CSOS Audit Test Plan, which is designed to document the use of FIPS validated security methods and to physically demonstrate the Product’s compliance to DEA defined Required and Optional features. The Audited Party makes available proof of the use of a FIPS validated security module and proof that the module is being used in FIPS mode in accordance with DEA requirements and FIPS implementation guidance. The Audited Party provides two computer systems, with one system acting as the Buyer / Order Signer and the second system acting as the Supplier / Order Receiver. The Audited Party must use DEA provided CSOS digital certificates during all Audit processes.

The Audit process is composed of four key aspects:

• FIPS Validation Audit
  The audited product’s code is examined for proof that it is utilizing a FIPS 140-2 Level 1 validated security module, that the security module is being invoked in FIPS mode, and that FIPS approved cryptographic algorithms are actually being utilized.

• Physical testing
  In the presence of DGI CSOS third-party auditors, the audited product physically demonstrates digital signature, transmission and signature verification through a series of tests designed to prove that the Product can successfully sign, transmit, receive and verify Orders in compliance with DEA required and optional features.

• Archive of Audit Artifacts
  Artifacts from the physical tests are archived. Artifacts include product screen shots, auditor notes, copies of FIPS certifications, computer software code and build files.

• Issuance of the Final Report and Audit Certificate
  This report and an associated Audit Certificate are issued to the audited party for the product-name-with-version. The Audit Certificate is made publicly available.


Audit Results Summary

The Audit was executed onsite at the premises of the audited party during the week of May 9, 2005. DGI, acting as an independent third party, administered the Audit over the Cyclone Commerce product named Cyclone CSOS 5.3 to determine the product's compliance to requirements as defined by the United States Drug Enforcement Administration (DEA) for systems used to digitally sign, receive, verify and create linked records for electronic Controlled Substances Orders.

One additional Audit Case (Test Plan Audit Case 14.1) was executed by the Audited Party on May 25, 2005, as it required the use of a DEA issued test certificate that was not made available to the Audited Party until May 18, 2005.

The product successfully passed all Audit Cases, including all required features and several additional features that the DEA has stated are optional for a commercial CSOS Product.

Required and Optional Features

The DEA defined requirements are separated into absolute required features and optional features. The reason that some features are optional is to allow for scenarios where the feature may be implemented by systems designed and built by the end user, as opposed to a commercial software vendor. The product proved compliance to all DEA requirements as both a sender and a receiver of electronic controlled substance orders.

Required Features:
    Signer FIPS Validation Audit                    Passed
    Receiver FIPS Validation Audit                  Passed
    Signer Positive Transmission                    Passed
    Receiver Positive Validation                    Passed
    Receiver Negative Security Validation           Passed
    Receiver DEA Registration Number Validation     Passed

Optional Features:
    Signer Private Key Storage and Access           Passed
    Signer Order Archival                           Passed
    Receiver Order Archival                         Passed


Audit Details

Signer FIPS Validation Audit
Receiver FIPS Validation Audit

The product passed Audit for these DEA required features. DEA requires that the security module used to digitally sign and/or verify the digital signature of controlled substance orders must be FIPS 140-2 Level 1 validated.

The Audit confirmed that the Cyclone CSOS 5.3 product is in fact physically utilizing a FIPS validated security module product named Entrust Authority™ Security Toolkit for Java™ v7.0. This security module was issued a FIPS 140-2 Level 1 validation on Nov. 16, 2004. A copy of the FIPS validation certificate for this security module may be viewed at http://csrc.nist.gov/cryptval/140-1/140crt/140crt479.pdf.

Onsite auditors confirmed through observation of software code and physical demonstrations of the product that the audited product:

• Is utilizing a FIPS validated security module to digitally sign CSOS orders.
• Is utilizing FIPS approved signature and hash algorithms, RSA and SHA-1, when digitally signing CSOS Orders.
• Is encrypting the private key for storage using a FIPS approved encryption algorithm, 3DES.
• Is storing the private key on a FIPS validated cryptographic module per DEA requirements and FIPS implementation guidance.
• Is utilizing a FIPS validated security module when verifying the signature of digitally signed CSOS orders.
• Is utilizing FIPS approved signature and hash algorithms, RSA and SHA-1, when verifying the signature of digitally signed CSOS Orders.
• Is utilizing the security module in FIPS mode.

Archived artifacts for these features include:

• Screen shots of computer software code confirming the security module is being invoked in FIPS mode
• Screen shots of system logs confirming the security module is being invoked in FIPS mode
• Screen shots of computer software code confirming that security module functions are being physically invoked, including invocation of FIPS approved algorithms for digital signing and digital signature verification


Signer Positive Transmission
Receiver Positive Validation

The Product passed Audit for these DEA required features. DEA requires that a CSOS Product acting as a Buyer system be capable of signing and transmitting a CSOS Order and that a CSOS Product acting as a Supplier system be capable of receiving and verifying the digital signature applied to the Order. DEA requires that only DEA issued digital certificates be used to digitally sign CSOS Orders. When verifying the digital signature of an Order, the Supplier system must use the public key associated with the private key of the message signer. Verification of the digital signature confirms that the message was signed with a private key directly associated with the public key and that the contents of the message were not changed or corrupted after the signature was applied.

Onsite auditors observed physical demonstration of the process of creating the order, including a user signing into the system and signing the order. The digitally signed order was then transmitted from the Buyer system to the Supplier system, where the Order’s digital signature was successfully verified. During the Audit process, the Product repeatedly demonstrated successful signature, transmission, reception and signature verification of CSOS Orders in order to demonstrate particular Audit Cases.

The Audit confirmed that the Cyclone CSOS 5.3 product is in fact physically capable of digital signature and transmission of CSOS orders per DEA requirements and is capable of receiving and validating digitally signed CSOS Orders in compliance with DEA requirements.

Archived artifacts for these features include:

• Screen shots of the prepared CSOS Order on the Buyer side machine
• Screenshot of the received individual order in the list on the Supplier machine
• Digital copies of the physical inbound and outbound messages
• Digital copies of computer software code that implements digital signing on the Buyer side
• Digital copies of the system logs from the Buyer side verifying that the message is being signed with FIPS approved algorithms
• Digital copies of the system logs from the Supplier side verifying that the message signature is being verified via FIPS approved algorithms


Receiver Negative Security Validation

The Product passed Audit for this DEA required feature. DEA requires that a CSOS Product acting as a Supplier system:

• must determine that an order has not been altered during transmission,
• must invalidate any order that has been altered,
• must validate the digital signature using the signer’s public key,
• must invalidate any order in which the digital signature cannot be validated,
• must check the Certificate Revocation List automatically and invalidate any order with a certificate listed on the Certificate Revocation List, and
• must check the validity of the certificate and the Certification Authority certificate and invalidate any order that fails these validity checks.

Onsite auditors observed physical demonstration of negative tests designed to prove compliance to these requirements. The Product was successfully able to demonstrate that Orders that failed validity checks were correctly flagged and not made available for further processing. The Product demonstrated the ability to recognize and correctly act on Orders that failed content integrity checks, Orders that were signed by a digital certificate not issued by the DEA, Orders that had been revoked through DEA approved processes, Orders whose associated digital certificates had expired and Orders where the Certification Authority’s digital certificate had been revoked.

At the time of the onsite Audit, DEA had not made available test certificates that enable testing of an invalid Certification Authority. Test certificates issued by DEA on May 9, 2005 were made available and the Audited Party performed an additional test demonstrating the Product’s ability to recognize and correctly act upon an invalid Certificate Authority per DEA prescribed methods. Specifically, the Product successfully proved the ability to determine the presence of the CA Certificate in a DEA provided Authority Revocation List and to take correct action in failing the Order.

Archived artifacts for these features include:

• Screenshots of received orders in the summarized lists of orders on the Supplier side, showing failed status
• Screenshots of detailed received orders showing failed status
• Screenshots of failed Orders with correct error status
• Digital copies of the physical inbound messages


Receiver DEA Registration Number Validation

The Product passed Audit for this DEA required feature. DEA requires that a CSOS Product acting as a Supplier system must validate that the DEA registration number contained in the body of the order corresponds to the registration number associated with the specific certificate by separately generating the hash value of the registration number and certificate subject distinguished name serial number and comparing that hash value to the hash value contained in the certificate extension for the DEA registration number. If the hash values are not equal, the receiving system must invalidate the order.

Onsite auditors observed physical demonstration of both positive and negative tests designed to prove compliance to this requirement. The Product was successfully able to demonstrate that an Order with an incorrect DEA Registration number was flagged and correctly reported as failed.

Archived artifacts for these features include:

• Screen shots of the Supplier side user interface showing a failed Order with correct error status
• Digital copy of the physical inbound message
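
The hash comparison this requirement describes, as an added example that is not Cyclone's or DGI's code. The report does not state the digest or the input layout, so SHA-1, the registration-number-then-serial concatenation, ASCII encoding, the whitespace and case normalization, and the names `CertFields`, `compute_reg_hash`, `validate_order` and `issue_test_cert` are assumptions; all sample values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumptions, not taken from the report: SHA-1 as the digest, and the hash
# input laid out as registration number followed by subject serial number.
HASH_NAME = "sha1"


@dataclass(frozen=True)
class CertFields:
    """The two certificate fields the check needs, already parsed (hypothetical type)."""
    subject_serial_number: str         # serialNumber attribute of the subject DN
    reg_number_hash: Optional[bytes]   # value of the DEA registration number extension


def compute_reg_hash(reg_number: str, subject_serial_number: str) -> bytes:
    """Separately generate the hash the receiver compares with the extension."""
    # Normalizing case and whitespace is an assumption of this example.
    material = reg_number.strip().upper() + subject_serial_number.strip()
    return hashlib.new(HASH_NAME, material.encode("ascii")).digest()


def validate_order(order_reg_number: str, cert: CertFields) -> Tuple[bool, str]:
    """Return (valid, reason). Every failure path invalidates the order."""
    if not order_reg_number or not order_reg_number.strip():
        return False, "order carries no DEA registration number"
    if not cert.reg_number_hash:
        return False, "certificate has no registration number extension"
    try:
        expected = compute_reg_hash(order_reg_number, cert.subject_serial_number)
    except UnicodeEncodeError:
        return False, "non-ASCII characters in registration number or serial"
    # Constant-time comparison; a truncated extension value also fails here.
    if not hmac.compare_digest(expected, cert.reg_number_hash):
        return False, "registration number does not match certificate"
    return True, "ok"


def issue_test_cert(reg_number: str, serial: str) -> CertFields:
    """Build a constructed certificate record with a matching extension hash."""
    return CertFields(serial, compute_reg_hash(reg_number, serial))


if __name__ == "__main__":
    cert = issue_test_cert("XX0000001", "1001")          # constructed values
    copied = CertFields("1002", cert.reg_number_hash)    # same hash, other subject
    for label, number, c in [
        ("matching order", "XX0000001", cert),
        ("wrong number in order body", "XX0000002", cert),
        ("hash copied into another certificate", "XX0000001", copied),
        ("extension missing", "XX0000001", CertFields("1001", None)),
    ]:
        print(f"{label}: {validate_order(number, c)}")
```

Because the subject serial number is part of the hashed input, an extension value copied into a certificate with a different subject fails the check even when the order carries the original registration number.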


Signer Private Key Storage and Access

The Product passed Audit for this DEA optional feature. DEA requires that a CSOS Product acting as a Buyer system must use either a user identification and password combination or biometric authentication to access the private key. Activation data must not be displayed as they are entered. The system must set a 10-minute inactivity time period after which the certificate holder must re-authenticate the password to access the private key, and when the signing module is deactivated, the system must clear the plain text private key from the system memory to prevent unauthorized access to, or use of, the private key.

Onsite auditors observed physical demonstration of the creation of a new user, the new user being associated with a private key. Auditors confirmed that activation data is not displayed. Auditors then confirmed through observation of demonstration that after an administrative change to the user's password, the user was prevented from signing orders.

Onsite Auditors observed that the system employs a working timeout facility, and the Product was able to physically demonstrate a 10 minute access timeout as per DEA requirements. Also, the system requires the user to enter the password as each individual CSOS Order is signed; in effect, a 3rd party user, other than the authorized user who knows the password, could not take advantage of the fact that the authorized user was already signed in, even during the DEA mandated 10 minute period.

Onsite Auditors reviewed and obtained digital copies of computer software code that shows that within the Product the object that contains the private key is not referenceable after it is utilized for signature; in effect, the object goes out of scope and is available for garbage collection by the underlying Java environment. Auditors note that not only is the memory un-referenceable but that the Private Key data is not made available outside of the limited code that directly invokes the FIPS security module.

Archived artifacts for these features include:

• Screen shots of a new user being created
• Screenshots showing that activation data is not displayed
• Screenshots of the user being required to log in again after inactivity
• Digital copies of computer software code showing that memory used to temporarily hold Private Key data is un-referenceable outside of a limited scope directly related to invocation of the FIPS validated security module


Signer Order Archival

The Product passed Audit for this DEA optional feature. DEA requires that a CSOS Product acting as a Buyer must archive the digitally signed orders and any other records required in part 1305 of the regulations, including any linked data.

Onsite auditors reviewed the archival methods of the Product, finding that Orders are archived on the local file system and that metadata related to individual orders is archived in a database system.

Archived artifacts for these features include:

• Multiple screen shots of Order archives

Receiver Order Archival

The Product passed Audit for this DEA optional feature. DEA requires that a CSOS Product acting as a Supplier must archive the order and associate with it the digital certificate received with the order.

Onsite auditors reviewed the archival methods of the Product, finding that Orders are archived on the file system and metadata related to individual orders is archived in a database management system. In addition, the Product is capable of demonstrating archival, retrieval and viewing of the digital certificate associated with the Order.

Archived artifacts for this feature include:

• Multiple screen shots of Order archives
• Screen shots of the archived digital certificate associated with the Order


About Drummond Group Inc.

Drummond Group Inc. (DGI) is an independent, privately held company that works with software vendors, vertical industries and the standards community to drive adoption for standards by conducting interoperability and conformance testing, publishing related strategic research and developing vertical industry strategies. Founded in 1999, DGI represents best-of-breed in the industry on linking horizontal infrastructure technologies, standards and interoperability issues with the needs of vertical industries such as retail, grocery, health care, transportation, government and automotive. For more information, please visit www.drummondgroup.com or email: [email protected].
