- (a) The department shall maintain an "Approved List of PKI Service Providers" authorized to issue certificates for digitally signed communications sent to state agencies or otherwise provide services in connection with the issuance of certificates. The list may include, but shall not necessarily be limited to, Certification Authorities, Certificate Manufacturers, Registrars, and/or other PKI Service Providers accepted and approved for use in connection with electronic messages transmitted to other state or federal governmental entities. A copy of such list may be obtained directly from the department, or may be obtained electronically via the department's website.
- (b) State agencies shall only accept certificates from PKI Service Providers that appear on the "Approved List of PKI Service Providers."
- (c) The department shall place a PKI Service Provider on the "Approved List of PKI Service Providers" after the PKI Service Provider provides the department with a copy of its current certification practice statement, if any, and a copy of an unqualified performance audit performed in accordance with standards set in the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards No. 70 (SAS 70) to ensure that the PKI Service Provider's practices and policies are consistent with the requirements of the PKI Service Provider's certification practice statement, if any, and the requirements of this section.
- (d) In order to be placed on the "Approved List of PKI Service Providers" a PKI Service Provider that has been in operation for one year or less shall undergo a SAS 70 Type One audit--A Report of Policies and Procedures Placed in Operation, receiving an unqualified opinion.
- (e) In order to be placed on the "Approved List of PKI Service Providers" a PKI Service Provider that has been in operation for longer than one year shall undergo a SAS 70 Type Two audit--A Report of Policies and Procedures Placed in Operation and Test of Operating Effectiveness, receiving an unqualified opinion.
- (f) In lieu of the audit requirements of subsections (d) and (e) of this section, a PKI Service Provider may be placed on the "Approved List of PKI Service Providers" upon providing the department with documentation issued by a person independent of the PKI Service Provider that is indicative of the security policies and procedures actually employed by the PKI Service Provider and that is acceptable to the department in its sole discretion. The department may request additional documentation relating to policies and practices employed by the PKI Service Provider indicating the trustworthiness of the technology employed and compliance with applicable guidelines published by the department.
- (g) To remain on the "Approved List of PKI Service Providers" a Certification Authority must provide proof of compliance with the audit requirements or other acceptable documentation to the department every two years after initially being placed on the list. In addition, a Certification Authority must provide a copy of any changes to its certification practice statement to the department promptly following the adoption by the Certification Authority of such changes.
- (h) If the department is informed that a PKI Service Provider has received a qualified or otherwise unacceptable opinion following a required audit or if the department obtains credible information that the technology employed by the PKI Service Provider can no longer reasonably be relied upon, or if the PKI Service Provider's certification practice statement is substantially amended in a manner that causes the PKI Service Provider to be non-compliant with the audit requirements of this section, the PKI Service Provider may be removed from the "Approved List of PKI Service Providers" by the department. The effect of the removal of a PKI Service Provider from the "Approved List of PKI Service Providers" shall be to prohibit state agencies from thereafter accepting digital signatures for which the PKI Service Provider issued a certificate or provided services in connection with such issuance for so long as the PKI Service Provider is removed from the list. The removal of a PKI Service Provider from the "Approved List of PKI Service Providers" shall not, in and of itself, invalidate a digital signature for which a PKI Service Provider issued the certificate prior to its removal from the list.
Source Note:The provisions of this §203.25 adopted to be effective November 28, 2004, 29 TexReg 10710; amended to be effective September 20, 2011, 36 TexReg 6143.