Electronic Orders for Controlled Substances, 16902-16919 [05-6504]

Agencies

• Drug Enforcement Administration
• Department of Justice

[Federal Register Volume 70, Number 62 (Friday, April 1, 2005)]
[Rules and Regulations]
[Pages 16902-16919]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 05-6504]



[[Page 16901]]

-----------------------------------------------------------------------

Part II





Department of Justice





-----------------------------------------------------------------------



Drug Enforcement Administration



-----------------------------------------------------------------------



21 CFR Parts 1305 and 1311



Electronic Orders for Controlled Substances and Notice of Meeting; 
Final Rule and Notice

Federal Register / Vol. 70, No. 62 / Friday, April 1, 2005 / Rules 
and Regulations

[[Page 16902]]


-----------------------------------------------------------------------

DEPARTMENT OF JUSTICE

Drug Enforcement Administration

21 CFR Parts 1305 and 1311

[Docket No. DEA-217F]
RIN 1117-AA60


Electronic Orders for Controlled Substances

AGENCY: Drug Enforcement Administration (DEA), Justice.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: DEA is revising its regulations to provide an electronic 
equivalent to the DEA official order form, which is legally required 
for all distributions involving Schedule I and II controlled 
substances. These regulations will allow, but not require, registrants 
to order Schedule I and II substances electronically and maintain the 
records of these orders electronically. The regulations will reduce 
paperwork and transaction times for DEA registrants who handle, sell, 
or buy these controlled substances. This rule has no effect on 
patients' ability to receive prescriptions for controlled substances 
from practitioners, nor on their ability to have those prescriptions 
filled at pharmacies.

DATES: Effective Date: This rule is effective on May 31, 2005. The 
incorporation by reference of certain publications listed in the rule 
is approved by the Director of the Federal Register as of May 31, 2005.

FOR FURTHER INFORMATION CONTACT: Patricia M. Good, Chief, Liaison and 
Policy Section, Office of Diversion Control, Drug Enforcement 
Administration, Washington, DC 20537, Telephone (202) 307-7297.

SUPPLEMENTARY INFORMATION:

I. Background

DEA's Legal Authority for These Regulations

    DEA enforces the Controlled Substances Act (CSA) (21 U.S.C. 801 et 
seq.), as amended. DEA regulations implementing this statute are 
published in Title 21 of the Code of Federal Regulations (CFR), Part 
1300 to 1399. These regulations are designed to establish a framework 
for the legal distribution of controlled substances to deter their 
diversion to illegal purposes and to ensure that there is a sufficient 
supply of these drugs for legitimate medical purposes.

Requirements for Distributing Schedule I and II Controlled Substances

    The CSA prohibits distribution of Schedule I and II controlled 
substances except in response to a written order from the purchaser on 
a form DEA issues (21 U.S.C. 828(a)). DEA issues Form 222 to 
registrants for this purpose, preprinting on each form the registrant's 
name, registered location, DEA registration number, schedules, and 
business activity. DEA serially numbers the forms and requires 
registrants to maintain and account for all forms issued. Executed and 
unexecuted Forms 222 must be available for DEA inspection. The CSA 
requires that executed Forms 222 be maintained for two years (21 U.S.C. 
828(c)).
    When ordering a Schedule I or II substance, the purchaser must 
provide two copies of the Form 222 to the supplier and retain one copy. 
Upon filling the order, the supplier must annotate both copies of the 
form with details of the controlled substances distributed, retain one 
copy as the official record of the distribution, and send the second 
copy of the annotated Form 222 to DEA. Upon receipt of the order, the 
purchasers must also annotate their copy, noting the quantity of 
controlled substances received and date of receipt.

Regulatory History

    Although the paper-based regulatory structure limits diversion, it 
does not address or provide for the use of modern computer 
technologies. DEA issued more than six million individual order forms 
in fiscal year 2003. Because both the purchaser and supplier must 
maintain copies of the form for two years, the order system requires 
the maintenance of more than 24 million forms. Many, if not most, of 
the registrants using Form 222 place all their orders for Schedules 
III-V controlled substances electronically. Many suppliers receive 
electronic notice from their purchasers of their intention to place 
Schedule I and II orders, but the orders cannot be filled until the 
supplier receives the DEA-issued Form 222 from the purchaser. The 
processing of the Form 222 takes one to three days from the time the 
form is completed to the time the order is delivered; electronic orders 
can be processed and filled immediately.

DEA Pilot Project

    Industry asked DEA to provide an electronic means to satisfy the 
legal requirements for order forms. DEA began discussions with the 
regulated industry regarding CSOS standards in 1999. On January 11, 
2002, DEA published a notice in the Federal Register expressing its 
intent to conduct a pilot project to conduct performance verification 
testing of public key infrastructure enabled controlled substances 
orders. This pilot project was conducted in partnership with two 
industry associations--the Health Care Distribution Management 
Association and the National Association of Chain Drug Stores. A total 
of 22 DEA registrants were listed as initial pilot participants. 
Initial pilot objectives were to ascertain the level of compatibility 
and usability of CSOS standards for electronic controlled substances 
ordering applications and to test industry's ability to deploy these 
systems. All technical test objectives were successfully realized in 
early phases of the pilot with registrants demonstrating the ability to 
retrieve and manage their CSOS digital certificates. Where participants 
expressed difficulty or reported undue burden with processes (e.g., 
with initial notarization requirements for enrollment) proposed 
technical standards were reviewed and modified, where possible, without 
compromising necessary nonrepudiation and security services objectives.
    In August 2002, pilot participants began using CSOS certificates in 
simulated environments with DEA providing access to a test suite of 
CSOS certificates. Pilot participants demonstrated the ability to send, 
receive and validate digitally signed controlled substances orders in a 
test environment, and also demonstrated the ability to accurately 
reject orders, as appropriate. Pilot outcomes allowed DEA to identify 
and resolve potential challenges before the controlled substances 
ordering system was proposed. DEA continues to provide test resources 
to industry through the use of its pilot system, allowing continued 
refinement of CSOS applications.

Summary of Proposed Rule

    On June 27, 2003, DEA issued a Notice of Proposed Rulemaking (NPRM) 
in which DEA proposed revisions to its regulations to allow electronic 
orders if those orders were signed using an electronic signature that 
met three criteria--authentication, non-repudiation, and record 
integrity (68 FR 38558). Because only digital signatures based on 
certificates issued by a Certification Authority as part of a public 
key infrastructure (PKI) meet all three criteria, DEA proposed 
requirements that apply to obtaining and using digital certificates.

[[Page 16903]]

    DEA proposed allowing regulated entities who are eligible to order 
Schedule I and II controlled substances to issue and process electronic 
orders if those orders are signed using a digital certificate issued by 
a Certification Authority run by DEA; the approach is called the 
Controlled Substance Ordering System or CSOS. Use of electronic orders 
is optional; registrants may continue to issue orders on Form 222.
    DEA proposed minor organizational revisions to the existing 
requirements in Part 1305 to create subparts. Subpart A includes those 
requirements that apply to all orders. Subpart B covers the 
requirements for handling Form 222 orders. Other than minor editorial 
changes to make the regulations easier to read, the existing 
requirements for paper orders are unchanged. A new subpart C was 
proposed to cover the requirements for issuing and filling electronic 
orders. These requirements parallel those for Form 222 orders, but 
include some differences based on the different constraints on the two 
systems. For example, the regulation specifies the data elements 
required on an electronic order; because these elements are part of the 
Form 222, they are not specified for paper orders. Orders submitted on 
paper must be filled by a single registered location because the 
original order form must be maintained at the distribution location in 
support of the distribution; electronic orders may be divided and 
filled from separate registered locations owned by the same company, 
since the order can be retrieved directly in verifiable form at each 
distributing location.
    In addition to its revision of Part 1305, DEA proposed a new Part 
1311 that includes the requirements for obtaining, storing, using, and 
renewing digital certificates. Registrants and people granted power of 
attorney by registrants to sign orders will be eligible to obtain 
digital certificates. A registrant must appoint a CSOS coordinator who 
will serve as that registrant's recognized agent regarding issues 
pertaining to issuance of, revocation of, and changes to digital 
certificates issued under that registrant's DEA registration. These 
individuals serve as knowledgeable liaisons between one or more DEA 
registered locations and the CSOS Certification Authority (CA). The 
coordinators will collect applications, ensure that they include all of 
the required information, and send them to the CA. Part 1311 also 
specifies the requirements that the digital signature software will 
have to meet to ensure that it is capable of creating and validating 
digitally signed orders.

Procedures for Obtaining a Digital Certificate

    Procedures for enrolling to obtain a digital certificate are 
available on the DEA Diversion Control Program Web site, https://
www.deadiversion.usdoj.gov, and on the DEA E-Commerce Web site at 
https://www.deaecom.gov. Applicants can download the Diversion PKI CSOS 
Enrollment document and the CSOS Subscriber's Manual for guidance on 
enrollment procedures. DEA will begin accepting applications to obtain 
digital certificates May 31, 2005. Upon receiving a completed 
application DEA estimates that it will take the Certification Authority 
10 business days to process the application. DEA's Certification 
Authority will maintain a support line to assist applicants and 
subscribers with issues pertaining to certificate enrollment, issuance, 
revocation, and renewal.

PKI and Digital Certificates

    A public key infrastructure is comprised of a Certification 
Authority, which must verify the identity of applicants before issuing 
digital certificates, and public-private key pairs. PKI systems are 
based on asymmetric cryptography: the holder of the digital certificate 
has a private key, which only the certificate holder can access, and a 
public key, which is available to anyone. What one key encrypts, only 
the other key can decrypt. It is computationally infeasible for the two 
keys to be derived from each other. Only one public key will validate 
signatures made using its corresponding private key. Because the 
private key is held by only one person, it is that person's 
responsibility to ensure that it is not divulged or compromised.
    The DEA Certification Authority (CA) will issue digital 
certificates, which will serve as an electronic equivalent of the Form 
222. DEA must serve as the CA because a digital certificate is the 
functional equivalent of a Form 222 that the CSA requires DEA to issue. 
In the same manner as DEA pre-prints the registration information on 
the paper order forms that are issued to registrants, DEA will enter 
the registration information in extensions within the certificates that 
are issued to registrants and those granted power of attorney by 
registrants.
    As DEA explained in the NPRM, the process of digitally signing an 
order is technically complicated (the software uses several complex 
algorithms to create an encrypted digest of the text), but the user 
needs only to activate the key and then enter one or two key strokes to 
sign an order or validate it. Existing electronic order systems will 
have to be PKI-enabled, which can be done with commercially available 
toolkits. DEA has been working with industry to develop systems and 
procedures that allow PKI-enabling existing systems to reduce the cost 
of implementation.

CSOS Certificates

    All of the information currently preprinted on the Form 222 will be 
part of the extension data of the CSOS digital certificate, which will 
be included with each order that is digitally signed. Attaching the 
digital certificate, with the registration information in the extension 
data, to an electronic order signed with the digital signature is the 
functional equivalent to DEA pre-printing the registrant information on 
the paper forms, thus creating an electronic equivalent of the Form 
222.
    A CSOS certificate will be valid until the DEA registration under 
which it is issued expires or until the CSOS CA is notified that the 
certificate should be revoked. Certificates will be revoked if the 
certificate holder is no longer authorized to sign Schedule I and II 
orders for the registrant, if the information on which the certificate 
is based changes, or if access to the private key has been compromised 
or lost.

II. Discussion of Comments on the NPRM

    DEA received 11 comments on its proposed rule. Commenters included 
the major trade associations representing pharmacies and distributors 
as well as individual companies and one vendor. This section summarizes 
the comments and provides DEA's response.
    Listed schedules. Several commenters were concerned with proposed 
rule language that implied that the digital certificate would include 
extension data that indicated the schedules the certificate holder 
rather than the registrant was authorized to order. The commenters 
stated that it would be an additional burden on suppliers if they had 
to verify the eligibility of the signer, as well as the registrant, to 
order specific schedules.
    DEA has revised the rule language to clarify that only the 
registrant's authorized schedules will be included in the extension 
data. If a registrant limits an individual's signing authority, it is 
incumbent on the registrant to ensure that the individual does not sign 
orders for schedules he/she is not authorized to order. The supplier is 
not required to verify information on schedules beyond confirming that 
the

[[Page 16904]]

registrant is authorized to order the schedules.
    Attaching the digital certificate. One commenter expressed concern 
about the statements in the preamble that a digital certificate be 
attached to each order.
    Because the digital certificate serves as the equivalent of the 
CSA-mandated form, the certificate, with its extension data, must be 
attached to each order. Including the certificate with each order 
ensures that, just as with the paper forms, an accurate copy of the DEA 
registration information for the customer is with the order. It should 
be noted that the requirement that the digital certificate be attached 
to the order applies to when the order is transmitted by the purchaser 
to the supplier. Once orders have been archived, each order does not 
have to have the specific digital certificate attached, as long as the 
certificate is associated with the order. Thus, an archive may have one 
copy of a specific certificate that is associated with a number of 
orders that have been archived, provided that retrieval of an order 
includes a copy of the certificate.
    FIPS 140-1. Commenters noted that the proposed rule referenced FIPS 
140-2, but did not mention FIPS 140-1, causing concern that systems 
validated and approved under 140-1 might not be allowed under the new 
standard. They were further concerned because the rule did not specify 
the security level required. Commenters stated that requiring a 
standard beyond security level 1 would cause difficulties for 
participants.
    FIPS 140-2 grandfathers FIPS 140-1; any system validated and 
approved under FIPS 140-1 is considered to be approved and validated 
under FIPS 140-2. Therefore, the regulatory provision that 
implementations be certified under FIPS 140-2 incorporates, by 
reference, any implementations previously certified under FIPS 140-1. 
With respect to the security level required, DEA agrees with comments 
that Security Level 1 is appropriate and has included it in the final 
rule.
    Commenters objected to the requirement that the private keys be 
stored on a FIPS-approved module. As DEA explained in the NPRM, 
government agencies must adopt FIPS requirements for any federal 
system, such as CSOS. DEA, therefore, must require that storage of keys 
be on FIPS-approved systems. While DEA encourages the use of 
smartcards, biometrics, or other secure hardware devices for private 
key storage within the CSOS architecture, use of such devices is 
voluntary. The regulations only require that the private key be stored 
on a FIPS-approved cryptographic module.
    Power of Attorney. A number of commenters raised issues related to 
the power of attorney (POA) provisions. Several suggested that the 
existing requirement that the POA letter be signed by the person who 
signed the most recent registration application is impractical for 
companies that have national or regional distribution operations. Other 
commenters suggested that the application for a digital certificate, 
handled through the CSOS coordinator, could replace the POA letter and 
process.
    The intent of this rulemaking is to establish an electronic means 
of satisfying the order form requirements--not to change the existing 
order form requirements. DEA did not propose to change the POA 
requirement or process, which was established to ensure that all 
activities by a registrant with respect to order forms be under the 
ultimate control of one responsible individual within the registrant. 
Any concerns regarding existing requirements with respect to POA will 
have to be considered in a separate action; they are beyond the scope 
of this CSOS rulemaking.
    With respect to the suggestion that application for a digital 
certificate serve as a substitute for granting power of attorney, DEA 
wishes to note that the granting of power of attorney is an explicit 
legal act of assignment of authority from an authorized individual to 
another; accepting the application for a digital certificate as a 
substitution would make the assignment implicit, which would not be 
acceptable to DEA. Any assignment of the authority to obtain and 
execute order forms on behalf of a registrant must be an explicit legal 
act.
    One commenter noted that the language in Sec.  1305.12(d) that 
states that orders must be signed by a person authorized to sign an 
application for registration was wrong and should state that orders 
must be signed either by a person who is authorized to sign a 
registration application or a person granted POA to sign orders. DEA 
agrees and has changed the rule.
    Tracking number. Several commenters stated that the format of the 
unique tracking number that a registrant assigns to an order was 
incorrect, that the last two digits of the year should come first. DEA 
agrees and has corrected the rule.
    Order contents. Commenters suggested several changes to the 
requirements for order contents. DEA agrees that the complete address 
of the supplier could be provided by either the purchaser or the 
supplier and has changed the rule. Similarly, DEA agrees that the order 
could include either the National Drug Code (NDC) number or the drug 
name. DEA emphasizes that the system used to view the orders must 
provide the drug description if the NDC code is used in the order.
    Linked records. Commenters objected to the use of the phrase 
``electronically linked'' records because they think that links could 
be electronic or manual. In technical discussions with DEA, industry 
clarified that their concern was that DEA might interpret 
``electronically linked'' to require active rather than passive links, 
where all order data are linked automatically. Passive links would 
allow the data to be stored in separate databases linked by one or more 
data elements common to all records.
    DEA emphasizes that it is not requiring any specific type of link; 
DEA's only concern is that if it requests copies of orders (e.g., for a 
particular customer or substance), the registrant must be able to 
produce the requested records (i.e., both the electronic orders and the 
linked distribution records) upon request in a format that an agent can 
read and understand. DEA has revised the rule to clarify that 
``readable format'' means that a person, not a computer, can easily 
read the documents.
    Corrections. Several commenters identified changes needed to 
correct regulatory language. In Sec.  1305.22(c)(1), DEA proposed that 
suppliers should verify the signature and order by ``having'' software 
that complies with Part 1311. The commenter recommended ``using'' 
instead of ``having.'' DEA agrees and has made the change.
    Commenters stated that the proposed language in Sec.  1305.25(b) 
and (c) that requires the supplier to provide a reason for not filling 
the order was inconsistent with the existing rule. DEA agrees and has 
changed the language to clarify that a supplier must notify a purchaser 
that an order will not be filled, however, the supplier does not need 
to provide a reason for refusing to fill an order.
    Commenters asked DEA to make the definition of digital certificate 
specific to CSOS. DEA disagrees. The definition is intended to be 
general and will cover more than CSOS certificates. In the regulatory 
text, however, DEA has added ``CSOS'' before digital certificate 
wherever the certificate is limited to the CSOS certificate.
    One commenter asked whether ``a registrant's recognized agent'' was 
different from a CSOS coordinator. The two are the same; DEA has 
revised the

[[Page 16905]]

rule to replace registrant's recognized agent with CSOS coordinator.
    Central Ordering. A commenter asked whether the Sec.  1305.22(f) 
requirement to ship to the registered location of the purchaser allowed 
for shipment to a different registered location if the order was issued 
by a central ordering facility. A number of firms issue orders for all 
their registered locations from a central location which may not, 
itself, be registered. Each order, however, can be for only one 
specific registered location and the supplier must ship to that 
location. If the registered location identified within the order 
deviates from that identified within the digital certificate, the 
supplier cannot fill the order; a new order must be requested from the 
purchaser.
    Commenters also recommended that for central processing of orders 
that DEA allow either the central location or the location filling part 
of the order to create the record. DEA agrees that either location may 
create the record and has revised the rule. DEA's concern is not with 
the creation of the record, but with its maintenance. The registrant 
that distributes a controlled substance must maintain a full record of 
the order and make it available for DEA on request.
    One commenter raised the issue of linking a single certificate to 
multiple locations. As DEA explained in the NPRM, DEA understands the 
concern and has taken steps to reduce the burden for individuals who 
hold keys for many locations, but to serve as an equivalent of a Form 
222, each digital certificate must be specific to a single registered 
location.
    Endorsed, lost, and canceled orders. Commenters questioned whether 
the proposed rule for endorsing electronic orders could be implemented, 
noting that the requirements were confusing and cumbersome. DEA has 
reviewed this issue and agrees with the commenters that endorsing 
electronic orders in a manner that provides adequate safeguards may be 
technically too complicated. Consequently, DEA has decided to not allow 
endorsement of electronic orders. Because orders are rarely endorsed 
and the almost instantaneous communication of electronic orders and 
confirmations mean that a purchaser will learn that the supplier cannot 
fill all or part of an order shortly after the order is submitted, DEA 
does not expect this to pose any significant problem for registrants. 
The purchaser can quickly issue a new electronic order to another 
supplier for any items the first supplier cannot fill. Finally, if the 
order is originally submitted to a firm that processes orders 
centrally, the central processing supplier can fill the order from 
multiple locations without endorsement.
    Commenters also stated that the meaning of Sec.  1305.26 on lost 
orders was confusing and requested that only the purchaser maintain 
records of lost orders. DEA agrees and has revised the rule to specify 
that a supplier need maintain only those orders that the supplier 
fills.
    Commenters stated that suppliers should not be required to maintain 
records of orders that are canceled. DEA agrees. Suppliers are only 
required to maintain records of orders that they fill. Suppliers need 
not return the electronic order to the purchaser, however, the supplier 
must notify the purchaser of the cancellation of the order. Commenters 
also said that purchasers should be able to use any method to notify 
the supplier that an order was canceled. DEA disagrees. Notification of 
an order cancellation must be written so that the purchaser can 
maintain a verifiable record. Written notification includes paper, 
facsimile, or electronically transmitted notifications such as e-mail; 
notification by telephone is not allowed.
    Validity of a signature. Commenters asked whether it was feasible 
to determine whether a signature was valid at the time of signing. 
Commenters were particularly concerned that, if there was a delay in 
processing an order, they should be able to reject an order if the 
signature was no longer valid at the time of shipping.
    The purpose of the requirement for consistent time systems is to 
allow suppliers to determine whether a signature was valid at the time 
of signing. If a digital signature was valid on Friday when the order 
was signed, but expired on Monday, DEA considers that the order is 
valid. Unless DEA or the purchaser has notified a supplier that orders 
issued by a specific person should not be filled, an order signed with 
a digital certificate that was valid at the time of signing is a valid 
order. A registrant may choose not to fill the order for any reason; if 
registrants want to require that the signature still be valid at the 
time of filling, they may do so. Suppliers have the option of imposing 
more stringent standards. As a secondary note, DEA wishes to stress 
that once a supplier has validated a signature on an order, it is not 
necessary to re-validate the signature prior to actually shipping the 
order to the purchaser.
    Time period for reporting key compromise or loss of privilege. 
Commenters objected to the requirement that they report loss, theft, or 
compromise of the key within 24 hours of such loss, theft, or 
compromise, and that they report a certificate holder's loss of signing 
privilege within six hours. They also stated that they wanted to be 
able to report loss of signing privilege in advance (e.g., when they 
learn an employee will be leaving the firm on a certain date). They 
stated that the 24-hour and 6-hour time frames were unrealistic and 
could result in notifications filed outside of business hours.
    Registrants may notify the CA in advance of revocations. DEA agrees 
that the 24-hour period should be within 24 hours of substantiation of 
key compromise, etc., and has changed the rule. On the 6-hour 
notification, DEA disagrees with the commenters. DEA believes it is 
important that the CA be notified as soon as someone's signing 
privileges are revoked. The digital certificate is the equivalent of a 
Form 222--a former employee still in possession of their digital 
certificate and keys would have all they needed to generate orders that 
would be otherwise indistinguishable from legitimate orders. In the 
paper world, this concern does not exist since a former employee would 
no longer have access to the order forms and, thus, could not engage in 
any mischief. DEA notes that the CA will be staffed 24/7 so there is no 
need to wait until the next business day. An e-mail to the CA that is 
digitally signed by the coordinator or registrant will be sufficient 
notification.
    Certification Authority. Commenters raised concerns about the DEA 
CA being run by a contractor and asked about the safety of information. 
DEA emphasizes that although a contractor may be used to carry out the 
day-to-day operations of the CA, the contractor will operate under 
direct DEA supervision and control. All Federal contractors are subject 
to the same legal requirements as government employees in regard to 
protection of information. DEA may use information submitted in its 
investigations, but the information would not be released for other 
purposes.
    Reports to DEA. Commenters objected to the requirement that 
suppliers file reports on orders with DEA every other business day. 
They stated that this frequency of filing would not provide them with 
an opportunity to review and correct minor discrepancies. With paper 
orders, DEA knows which registrants have executed Form 222, which 
provides a control on the system. DEA needs frequent reports on 
electronic orders because it has no other means of determining who is 
ordering and in what volume. DEA recognizes that some

[[Page 16906]]

of the data may be imprecise due to changes in orders, but DEA needs 
frequent submissions of reports to account for all orders generated by 
a given purchasing registrant and as a means to identify and account 
for all outstanding orders for a given registrant.
    Commenters also recommended changes to the information provided in 
the daily reports to make the data elements consistent with ARCOS data 
elements and to add four elements on the substances ordered. DEA agrees 
with the commenters. DEA will specify a format for the report that is 
consistent with the ARCOS reports plus the data fields on what was 
ordered. DEA notes that ARCOS is preparing to allow electronic filing 
of reports; when this occurs, DEA plans to develop a process by which 
the summary reports can be accepted as a substitute for ARCOS reporting 
for Schedule I and II substances, with the usual ARCOS provisions for 
filing corrections.
    Adoption of new technologies. Commenters stated that it was unclear 
how DEA would evaluate new technologies and recommended that DEA 
develop a rapid means for evaluating and approving new technologies. 
DEA understands the commenters' concern, but approval of any new 
technology would be subject to the Administrative Procedure Act 
requirements for public notice and comment prior to adoption. Beyond 
the statutory mandates, DEA thinks it is vital that the regulated 
community have an opportunity to consider and discuss new methods to 
ensure that any new rules can be accommodated by existing systems. 
Although the development of this rule took several years, DEA believes 
that the time was well spent because discussions that DEA and industry 
held made it possible for all parties to identify potential problems 
and find solutions prior to publishing a regulation. DEA does not 
anticipate that review and recognition of suitable alternative 
technologies should take that long.
    Audits. Comments expressed concern about the scope of the third-
party audits and DEA audits. They specifically stated that the reports 
to DEA should not be included in the third-party audits.
    DEA agrees with the commenters that the reports to DEA would not be 
part of third-party audits. The independent third-party audit is 
intended to ensure that the digital signature system functions properly 
for both the supplier and purchaser.
    Reverse Distributors. Several commenters asked how the electronic 
order system will work for reverse distributors. DEA recognizes that 
the ordering system has different characteristics in reverse 
distribution and intends to address issues related to those 
distributions in a separate rulemaking.
    Other Issues. Commenters objected to the mention of biometrics and 
smart cards. DEA notes that certificate holders may want to consider 
using biometric passwords or smart cards, but DEA is not requiring them 
to do so. Keys may be stored on any secure system provided that the 
storage module is approved under FIPS 140-2.
    Commenters questioned the use of ``system.'' DEA agrees with 
commenters that systems for creating and processing digitally signed 
orders may be one or more software systems. As noted above, DEA's 
concern is the integrity and availability of the records of orders, not 
the technologies and software used to create and store the information.
    Commenters asked that DEA include a definition or description of 
the subscriber agreement. DEA does not believe that it is necessary to 
define the subscriber agreement. The DEA CA will provide the agreement, 
appropriately titled, to each certificate holder.
    Commenters objected to the statement in the NPRM that the practical 
implementation of PKI systems is simple. DEA understands and explained 
in the NPRM that the technologies involved in PKI systems are complex, 
but from the user's standpoint, digital signatures are simple because 
so much of the work is actually done by machine. After authenticating 
themselves to the system and activating the key, the signer generally 
digitally ``signs'' the document with a single key stroke.
    One commenter raised issues related to digital certificates for 
pharmacists for use in the electronic prescription system. This issue 
is beyond the scope of this notice; DEA will address the issue when it 
proposes its rule for electronic prescriptions.
    A commenter noted that the five-year transition period used in the 
economic analysis may be optimistic. DEA recognizes that the electronic 
orders may phase in at a different rate; some registrants may continue 
to use Forms 222 indefinitely, as the rule allows. The five-year period 
was simply used to estimate costs to avoid understating those costs.
    One commenter supported the proposed rule, but expressed the hope 
that pharmacies would not bear the cost of implementation. DEA notes 
that use of electronic orders is voluntary. DEA believes that the 
system will provide cost savings to both purchasers and suppliers, but 
no registrant is required to adopt electronic orders.
    One vendor recommended that DEA adopt an approach more consistent 
with the vendor's technology. DEA is not dictating a particular 
technology or PKI implementation. Any approved system that meets the 
criteria for authentication, non-repudiation, and record integrity may 
be used.

Special Note Regarding Certificate Extension Data

    Finally, following publication of the proposed rule, DEA modified 
the specification for the certificate extensions. Certain registrants 
had expressed concerns regarding using the certificates for other 
health care purposes because their DEA registration number appeared in 
plain text in the certificate, thus making it easily accessible to the 
recipient. To address this concern, DEA has modified the certificate 
profile to allow that, in lieu of listing the plain text DEA number, 
the DEA number extension will contain a hash value generated from the 
DEA number and the specific certificate subject distinguished name 
serial number using the SHA-1 hashing algorithm. Because the DEA number 
will no longer be available in plain text in the certificate, DEA is 
modifying the order format requirement in Section 1305.21 to require 
that the purchaser include their DEA registration number in the body of 
the order. Further, Section 1311.55 is being amended to require that a 
supplier must verify that the DEA number listed in the body of the 
order is the same as the DEA number associated with the certificate. 
The verification is necessary to avoid circumstances where a person who 
has been granted POA for multiple registered locations does not 
inadvertently sign an order with the wrong certificate/private key.

III. Discussion of the Final Rule

    Except for the changes discussed above, DEA is adopting the rule as 
proposed. Part 1305 has been reorganized to place requirements that 
apply to all Schedule I and II orders in subpart A; these include old 
Sec. Sec.  1305.01, 1305.02, 1305.03, 1305.04, which retain their 
numbers, old Sec.  1305.07 (power of attorney), which is redesignated 
as Sec.  1305.05, old Sec.  1305.08 (persons entitled to fill orders), 
which is redesignated as Sec.  1305.06, and old Sec.  1305.16 (special 
procedures for filling certain orders), which is redesignated as Sec.  
1305.07. The remainder of old Part 1305 is subpart B, which covers the 
requirements for obtaining, executing, and filling orders on Form 222. 
Subpart B includes old Sec. Sec.  1305.05 and 1305.06 (procedures for 
obtaining and executing

[[Page 16907]]

Forms 222), which are redesignated as Sec. Sec.  1305.11 and 1305.12, 
and old Sec. Sec.  1305.09-1305.15, which are redesignated as 
Sec. Sec.  1305.13-1305.19. These sections include specific references 
to orders on Form 222.
    Subpart C covers the requirements for electronic orders.
    Section 1305.21 specifies that an electronic order must be signed 
with a CSOS digital certificate and that the order may include 
substances other than Schedule I and II controlled substances. The 
section specifies the data fields that must be included in electronic 
orders.
    Section 1305.22 specifies procedures for filling electronic orders.
    Section 1305.23 covers endorsing electronic orders. As discussed 
above, endorsement of electronic orders will not be allowed.
    Section 1305.24 covers central processing of orders. These 
requirements are also different for electronic orders because with 
electronic orders, the supplier may have multiple registered locations 
fill parts of an order provided that the supplying company owns and 
operates all of the locations filling an order.
    Sections 1305.25 and 1305.26 specify the requirements for handling 
unaccepted and defective electronic orders and lost orders.
    Section 1305.27 covers preservation of electronic orders.
    Section 1305.28 covers canceling and voiding electronic orders.
    Section 1305.29 specifies the requirements for reporting electronic 
orders to DEA. Suppliers may submit either a copy of the order and its 
linked records or a report in a format DEA specifies. DEA intends that 
the report will be identical to the ARCOS report in format with four 
additional data elements: the NDC number, quantity, unit, and strength 
ordered.
    New Part 1311 covers the requirements for digital certificates. 
Subpart A includes the scope, definitions, standards for electronic 
orders, and incorporations by reference. Subpart B covers the 
requirements for obtaining and using CSOS digital certificates.
    Section 1311.10 specifies who is eligible to obtain a CSOS 
certificate; Sec.  1311.15 covers the limitation of certificates to the 
schedules authorized for the DEA registration under which the 
certificate is issued. The revised section states that the registrant 
is responsible for ensuring that any person whose signing authority the 
registrant limits abides by those limits.
    Section 1311.20 specifies the requirements for CSOS coordinators.
    Section 1311.25 specifies the requirements for obtaining a CSOS 
certificate.
    Section 1311.30 provides the requirements for using and storing a 
digital certificate.
    Section 1311.35 specifies the number of certificates needed.
    Section 1311.40 specifies when a new certificate must be obtained.
    Section 1311.45 specifies requirements for registrants that grant 
power of attorney authority.
    Section 1311.50 specifies requirements for recipients handling 
electronic orders prior to filling them.
    Section 1311.55 specifies software requirements for handling 
electronic orders.
    Section 1311.60 specifies recordkeeping requirements.

                     Part 1305.--Distribution Table
------------------------------------------------------------------------
              Old section                          New section
------------------------------------------------------------------------
1305.01--Scope of part 1305............  1305.01--Scope of part 1305.
1305.02--Definitions...................  1305.02--Definitions.
1305.03--Distributions requiring order   1305.03--Distributions
 forms.                                   requiring order forms.
1305.04--Persons entitled to obtain and  1305.04--Persons entitled to
 execute order forms.                     obtain and execute order
                                          forms.
1305.05--Procedure for obtaining order   1305.11--Procedure for
 forms.                                   obtaining DEA Forms 222.
1305.06--Procedure for executing order   1305.12--Procedure for
 forms.                                   executing DEA Forms 222.
1305.07--Power of attorney.............  1305.05--Power of attorney.
1305.08--Persons entitled to fill order  1305.06--Persons entitled to
 forms.                                   fill DEA Forms 222.
1305.09--Procedure for filling order     1305.13--Procedure for filling
 forms.                                   DEA Forms 222.
1305.10--Procedure for endorsing order   1305.14--Procedure for
 forms.                                   endorsing DEA Forms 222.
1305.11--Unaccepted and defective order  1305.15--Unaccepted and
 forms.                                   defective DEA Forms 222.
1305.12--Lost and stolen order forms...  1305.16--Lost and stolen DEA
                                          Forms 222.
1305.13--Preservation of order forms...  1305.17--Preservation of DEA
                                          Forms 222.
1305.14--Return of unused order forms..  1305.18--Return of unused DEA
                                          Forms 222.
1305.15--Cancellation and voiding of     1305.19--Cancellation and
 order forms.                             voiding of DEA Forms 222.
1305.16--Special procedure for filling   1305.07--Special procedure for
 certain order forms.                     filling certain DEA Forms 222.
------------------------------------------------------------------------

Incorporation by Reference

    The following standards are incorporated by reference:
     FIPS 140-2, Security Requirements for Cryptographic 
Modules.
     FIPS 180-2, Secure Hash Standard.
     FIPS 186-2, Digital Signature Standard.
    These standards are available from the National Institute of 
Standards and Technology, Computer Security Division, Information 
Technology Laboratory, National Institute of Standards and Technology, 
100 Bureau Drive, Gaithersburg, MD 20899-8930 and are available at 
https://csrc.nist.gov/.

V. Required Analyses

Executive Order 12866

    This regulation has been drafted and reviewed in accordance with 
Executive Order 12866, ``Regulatory Planning and Review'', Section 
1(b), Principles of Regulation. It has been determined that this is a 
``significant regulatory action'' under Executive Order 12866, Section 
3(f), Regulatory Planning and Review, and accordingly this rule has 
been reviewed by the Office of Management and Budget.
    DEA has conducted a cost-benefit analysis of the rule, which the 
Office of Management and Budget has reviewed. The Economic Impact 
Analysis for the proposed rule was posted on the Diversion Control 
Program Web site. That analysis has been updated to account for the 
number of orders expected in 2004 (6,561,000), the first year of 
implementation, and to adjust registrant estimates based on data from 
DEA's ARCOS reporting system. DEA estimates that about 98,000 
registrants order Schedule I and II controlled substances and will 
apply for about 145,000 digital certificates. Over ten years, DEA 
estimates that electronic orders will reduce the annualized cost of 
Schedule I and II orders by $284 million; the annualized costs of 
digital

[[Page 16908]]

certificates are estimated to be $20 million. The annualized net 
benefit of the rule, therefore, is $264 million.
    As discussed in the NPRM, DEA developed estimates of the time 
required for each step in the process of issuing and processing an 
order and used weighted wage rates based on the number of orders 
registrant groups are estimated to issue. DEA estimates that issuing 
and processing a Form 222 order costs purchasers about $26 and 
suppliers about $13. In contrast, issuing and processing a digitally 
signed order will cost about $2.60 for purchasers and $3.00 for 
suppliers. (These costs do not include the cost of obtaining a digital 
certificate or installing software, most of which are one-time costs.) 
The costs for a single registrant vary depending on the number of 
orders issued and filled. DEA estimates that annual costs for Form 222 
orders range from $26 for a registrant who issues a single order to 
more than $184,000 for distributors who both issue and fill orders. The 
annual costs for electronic orders range from $2.60 to about $40,000. 
The initial registrant costs of obtaining a digital certificate range 
from $156 to about $600, varying with the number of applicants a 
registrant has.
    Table 1 presents the total annual hours and costs for the Form 222 
system for 2004 orders. Tables 2-4 present the total annual hours and 
costs for obtaining digital certificates, issuing electronic orders, 
and developing and installing software, if these activities occurred in 
a single year.

                         Table 1.--Total Annual Hours and Costs for the Form 222 System
                                                  [2004 orders]
----------------------------------------------------------------------------------------------------------------
                                       Hours           Labor          Capital           O&M            Total
----------------------------------------------------------------------------------------------------------------
Purchaser:
    Complete and send order.....       1,640,250    $139,323,000  ..............      $7,355,000    $146,677,000
    Requisition order...........           3,124         265,000  ..............          23,000         288,000
    Annotate order..............         328,050      27,865,000  ..............  ..............      27,865,000
    File orders.................         109,350       3,087,000        $129,700       2,668,000       4,472,000
Supplier:
    Enter order.................       1,640,250      58,770,000  ..............  ..............      58,770,000
    Annotate order..............         328,050      21,212,000  ..............  ..............      21,212,000
    Compile and send to DEA.....          90,936       3,258,000  ..............         174,000       3,433,000
    File orders.................         109,350       3,918,000         129,700       2,668,000       5,303,000
                                 -----------------
          Total.................       4,249,360     257,698,000         259,000      12,887,000     270,844,000
----------------------------------------------------------------------------------------------------------------


                            Table 2.--Total Hours and Costs for Digital Certificates
----------------------------------------------------------------------------------------------------------------
                                                       Hours           Labor            O&M            Total
----------------------------------------------------------------------------------------------------------------
Purchaser:
    Complete application........................          58,950      $5,007,000  ..............      $5,007,000
    Complete application--coordinator...........          78,755       6,689,000        $638,000       7,328,000
    Generate keys...............................          12,116       1,029,000  ..............       1,029,000
    Learn to use signature......................          20,778       1,765,000  ..............       1,765,000
    Renewal--one year...........................           1,234         105,000  ..............         105,000
    Renewal--3 year-annual......................           3,627         308,000  ..............         308,000
Supplier:
    Complete application........................           3,311         214,000  ..............         214,000
    Complete application--coordinator...........             345          22,000           2,790          25,000
    Generate keys...............................             406          26,000  ..............          26,000
    Learn to use signature......................           2,032         131,000  ..............         131,000
    Renewal.....................................             406          26,000  ..............          26,000
                                                 -----------------
        Total...................................         181,960      15,324,000         641,000      15,965,000
----------------------------------------------------------------------------------------------------------------


                              Table 3.--Total Hours and Costs for Electronic Orders
----------------------------------------------------------------------------------------------------------------
                                                                       Hours        Activities      Total cost
----------------------------------------------------------------------------------------------------------------
Purchaser:
    Sign orders.................................................          36,450       6,561,000      $3,096,000
    Edit and archive............................................         164,025       6,561,000      13,932,000
Supplier:
    Validate orders.............................................          27,338       6,561,000       1,768,000
    Collect and send to DEA.....................................           5,473         109,460         354,000
    Edit and archive............................................         273,375       6,561,000      17,676,000
                                                                 -----------------
        Total...................................................         506,661  ..............      36,826,000
----------------------------------------------------------------------------------------------------------------


[[Page 16909]]


                        Table 4.--Total Hours and Costs for the Electronic Order Software
----------------------------------------------------------------------------------------------------------------
                                                       Hours           Labor            O&M            Total
----------------------------------------------------------------------------------------------------------------
Purchaser:
    Install--chains.............................           8,680        $666,000  ..............        $666,000
    Install software--other.....................         314,408      13,010,000  ..............      13,010,000
    Install--practitioner.......................          43,940       1,818,000  ..............       1,818,000
Supplier:
    Install software............................             280          11,600  ..............          11,600
Software Developer:
    Development.................................         103,600       9,700,000  ..............       9,700,000
    Maintenance.................................          89,000       3,683,000  ..............       3,683,000
    Upgrades....................................          17,800       1,367,000  ..............       1,367,000
    Audit.......................................           2,314          96,000        $593,000         689,000
                                                 -----------------
        Total...................................         580,022      30,352,000         593,000      30,945,000
----------------------------------------------------------------------------------------------------------------

    To estimate costs over the first ten years, DEA assumed that 
implementation would be phased in over the first five years (i.e., it 
would be five years before all registrants were using the electronic 
order system). Based on discussions with industry, the phase-in was 
estimated to occur at 20 percent in the first year, 40 percent in the 
second, 20 percent in the third, and 10 percent each in the fourth and 
fifth years. DEA made the conservative estimate that orders would phase 
in at the same rate as digital certificates. Because a few distributors 
and large chain drug stores supply and order a large proportion of the 
drugs, it is likely that orders will phase in more quickly than digital 
certificates will. A faster phase-in will increase the net benefits; a 
slower rate would lower the benefits.
    DEA also assumed that the number of orders would increase seven 
percent annually. The seven percent increase is based on the average 
annual increase in orders over the last seven years. The total cost of 
both systems was estimated using a seven percent and a three percent 
discount rate. Table 5 presents the ten-year total cost of orders under 
the Form 222 system, the electronic system, and the combined systems as 
the electronic system is phased in over the first five years as well as 
the annualized cost of the three systems over ten years. Table 6 
presents the costs of digital certificates and software needed to 
create digitally signed orders.

                                  Table 5.--Total Cost of Orders Over Ten Years
                                                 [Present value]
----------------------------------------------------------------------------------------------------------------
                                                                                                Combined  phase-
                                                            Paper system    Electronic system          in
----------------------------------------------------------------------------------------------------------------
Total (7%).............................................     $2,699,913,000       $298,086,000       $704,112,000
Annualized (7%)........................................        384,407,000         42,441,000        100,250,000
Total (3%).............................................      3,223,440,000        363,653,000        781,438,000
Annualized (3%)........................................        377,886,000         42,631,000         91,608,000
----------------------------------------------------------------------------------------------------------------


Table 6.--Total Costs of Digital Certificates and Software Over 10 Years
                             [Present value]
------------------------------------------------------------------------
                                                             New costs
------------------------------------------------------------------------
Total (7%)..............................................    $149,308,000
Annualized (7%).........................................      21,258,000
Total (3%)..............................................     172,093,000
Annualized (3%).........................................      20,275,000
------------------------------------------------------------------------

    In addition to the cost savings, electronic orders will also 
provide a number of other benefits that cannot be quantified. 
Purchasers will be able to create and send single unified controlled 
substance orders to their suppliers. With Forms 222, purchasers must 
create the separate Form 222 for the Schedule I and II controlled 
substances and complete other orders for all other controlled substance 
purchases from a particular supplier. If a purchaser needs more than 10 
Schedule I or II substances, multiple Forms 222 must be completed 
because the form is limited to ten items. With the electronic orders, 
they will be able to submit a single order covering all controlled 
substance and other prescription drugs being purchased from the 
supplier. The combined orders should reduce the orders that need to be 
logged, tracked, and handled by both purchasers and suppliers.
    Electronic orders should also bring faster receipt of controlled 
substances. Under the present system, the purchaser has the choice of 
sending the order by overnight service at considerable cost, mailing it 
and waiting several days, or sending the order back with the delivery 
truck, which may not be returning directly to the distributor. In most 
cases, the purchaser is likely to have to wait at least two days and 
possibly four or five days when the order is mailed or is shipped back 
by truck. If the distributor that receives the order cannot fill it, 
the distributor may endorse it to another distributor and ship it on to 
another distribution point, further delaying the final shipment. 
Electronic orders will be received almost instantly and can be shipped 
the same day. This speed may allow purchasers to order only when they 
need an item and limit the quantity of controlled substances that they 
stock. Limiting the quantity of Schedule I and II controlled substances 
in stock reduces the possibility of diversion and the cost of security.
    With the Form 222, if a supplier cannot fill all of an order, the 
supplier may endorse the entire order over to another supplier. The 
order cannot be divided and filled in part by one supplier and in part 
by a second, even if both suppliers belong to the same company. Because 
each location holds a separate registration, a distributor with 
multiple locations must maintain stocks of all Schedule I and II 
controlled substances at each location to be able to fill orders for 
these substances from that location. Some distributors have created 
centralized systems where all orders are

[[Page 16910]]

processed through the central distribution office, which then transmits 
parts of the orders to the warehouses that hold specific items. The 
Form 222 system cannot take advantage of this arrangement because the 
paper must accompany the order. With electronic orders, DEA will allow 
a distributor with a central distribution system to divide an order and 
ship parts of the order from different distribution points. New orders 
will not need to be generated because the central computer system can 
track each item in the order and ensure that it is shipped to the 
appropriate registrant only once. DEA and the supplier will have the 
records necessary to maintain the closed system of control while 
allowing the supplier to take advantage of its own system of 
distribution.
    A copy of the Economic Impact Analysis of the Electronic Orders 
Rule is available on the Diversion Control Program's Web site.

Regulatory Flexibility Act

    The Regulatory Flexibility Act (5 U.S.C. 601-612) requires Federal 
agencies to determine whether regulations have a significant economic 
impact on a substantial number of small entities or have a 
disproportionate effect on small entities. DEA, as part of its economic 
analysis, considered the costs of the existing system and the 
electronic system on small entities. The annualized costs of the Form 
222 system for the smallest entities (Narcotic Treatment Programs with 
less than $100,000 in revenues), are 1.66 percent of annual revenues; 
for these registrants, the annual costs of the electronic orders are 
about 0.24 percent of annual revenues. For most small entities affected 
by the rule, the cost of the electronic system will be less than 0.1 
percent of revenues or sales. Consequently, the Deputy Administrator 
hereby certifies that this rulemaking has been drafted in accordance 
with the Regulatory Flexibility Act (5 U.S.C. 605(b)), has reviewed 
this regulation, and by approving it certifies that this regulation 
will not have a significant economic impact on a substantial number of 
small entities.
    A copy of the small business analysis for this proposed rule, which 
is section 7 of the economic analysis, can be obtained from the 
Diversion Control Program web site or by contacting the Liaison and 
Policy Section, Office of Diversion Control, Drug Enforcement 
Administration, Washington, DC 20537, Telephone (202) 307-7297.

Small Business Regulatory Enforcement Fairness Act of 1996

    This rule has been determined to be a major rule as defined by 
Section 804 of the Small Business Regulatory Enforcement Fairness Act 
of 1996. This rule will result in an annual effect on the economy of 
$100,000,000 or more, but will not impose a major increase in costs or 
prices; or significant adverse effects on competition, employment, 
investment, productivity, innovation, or on the ability of United 
States-based companies to compete with foreign-based companies in 
domestic and export markets. In fact, this rule will result in a 
significant reduction in the cost of ordering Schedule I and II 
controlled substances.

Paperwork Reduction Act

    The Department of Justice (DOJ), Drug Enforcement Administration 
(DEA) submitted the following information collection requests to the 
Office of Management and Budget (OMB) for review and approval in 
accordance with the Paperwork Reduction Act of 1995. Under the 
Paperwork Reduction Act, DEA is required to estimate the burden hours 
and other costs of any requirement for recordkeeping and reporting over 
a three-year period. Therefore, DEA proposed the revision of an 
existing collection of information U.S. Official Order Forms for 
Schedules I and II Controlled Substances (Accountable Forms), Order 
Form Requisition, (OMB Control # 1117-0010), and the creation of a new 
collection of information Reporting and Recordkeeping for Digital 
Certificates under the Paperwork Reduction Act of 1995. This process is 
conducted in accordance with 5 CFR 1320.11. The Information Collection 
Request was submitted to the Office of Management and Budget for review 
under section 307 of the Paperwork Reduction Act.

Overview of U.S. Official Order Forms for Schedules I and II Controlled 
Substances (Accountable Forms), Order Form Requisition Information 
Collection

    (1) Type of information collection: Revision of existing 
collection.
    (2) The title of the form/collection: U.S. Official Order Forms for 
Schedule I and II Controlled Substances (Accountable Forms), Order Form 
Requisition.
    (3) The agency form number, if any, and the applicable component of 
the Department sponsoring the collection:
    Form No.: DEA Form 222, U.S. Official Order Forms for Schedule I 
and II Controlled Substances (Accountable Forms)
    DEA Form 222a: Order Form Requisition
    Applicable component of the Department sponsoring the collection: 
Office of Diversion Control, Drug Enforcement Administration, U.S. 
Department of Justice
    (4) Affected public who will be asked or required to respond, as 
well as a brief abstract:
    Primary: Business or other for-profit.
    Other: Non-profit, state and local governments.
    Abstract: DEA-222 is used to transfer or purchase Schedule I and II 
controlled substances and data are needed to provide an audit of 
transfer and purchase. DEA-222a Requisition Form is used to obtain the 
DEA-222 Order Form. Persons may also digitally sign and transmit orders 
for controlled substances electronically, using a digital certificate. 
Orders for Schedule I and II controlled substances are archived and 
transmitted to DEA; both the supplier and purchaser must retain records 
for two years.
    (5) An estimate of the total number of respondents and the amount 
of time estimated for an average respondent to respond/reply: DEA 
estim