skip to content
Site Navigation
Home
About CSOS
Policies
Enroll in CSOS
Certificate Mangement
Reporting
Developer Utilities
Contact Support

Quick Links

External Links

Q & A's

About CSOS Certificates

Applying for CSOS Certificate

Retrieving CSOS Certificates

Usage of CSOS Certificates

Maintaining your CSOS Certificates

Security and Privacy Concerns

CSOS Reporting

CSOS Software Auditing

DEA E-Commerce Support


About CSOS Certificates


What is a CSOS Certificate?

A CSOS Certificate is a digital identity issued by the DEA's CSOS Certification Authority (CSOS CA) that allows for electronic ordering for Schedule I and II (as well as III-V) controlled substances. A CSOS Certificate is the digital equivalent of the identification information contained on a DEA Form-222.

CSOS Certificates are issued to individuals and are required for electronic ordering of Schedule I and II controlled substances.

Why do I need a CSOS Certificate?

A CSOS Certificate enables DEA Registrants and Power of Attorneys to conduct electronic ordering of controlled substances by providing identification, authentication, and non-repudiation through the use of digital signature technology. While the paper DEA Form-222 ordering process is still allowed, CSOS is the only method for ordering Schedule I and II controlled substances electronically. The benefits of CSOS for end users include:

  • The allowance for electronic ordering of Schedule I and II controlled substances
  • Timely and accurately validation of a purchaser's (CSOS Subscriber's) DEA credentials
  • Reduced number of ordering errors
  • No line item limit on a single order
  • Reduced amount of paper in the ordering process
  • Faster transaction times
  • Lower cost per transaction

Back to Top

Is there a fee for acquiring a CSOS Certificate?

There is no charge by DEA for CSOS Certificates or for participating in any aspect of the CSOS program. However, DEA does not create or supply CSOS enabled ordering software. Suppliers are at liberty to charge for use of the ordering software which they have created or licensed. All questions about ordering software, except with regards to DEA's regulations regarding software, should be directed to your vendor.

Who issues CSOS Certificates?

The CSOS Certification Authority (CSOS CA) is operated by DEA and issues CSOS Certificates to approved DEA Registrants and Power of Attorneys.

Back to Top

What does the term "CSOS Applicant" mean?

A CSOS Applicant is an individual who has submitted a request to obtain, but does not yet hold, a CSOS Certificate.

Back to Top

What does the term "CSOS Subscriber" mean?

A CSOS Subscriber is an individual who has either obtained approval or has already acquired a CSOS Certificate.

Back to Top

Are there different types of CSOS Certificates?

There are two types of CSOS Certificates:

  • CSOS Administrative Certificates are used to digitally sign communications with DEA as well as with other participants in the CSOS community. Administrative Certificates are issued only to CSOS Coordinators and are not valid for electronic ordering.
  • CSOS Signing Certificates are used for digitally signing controlled substance orders. Signing certificates are issued to approved Registrant and Power of Attorney applicants. Approved Coordinator applicants will only be issued a Signing certificate if he/she holds valid Power of Attorney for controlled substance ordering and has requested a Signing certificate on his/her CSOS Certificate Application.

Each CSOS Certificate (both Administrative and Signing) are issued to individual subscribers. Certificates must never be used by anyone other than the individual subscriber (a person, not a location) the certificate was issued to.

Back to Top

Do I need multiple CSOS Certificates?

A separate CSOS Signing Certificate is required for each DEA Registrant number. In cases where a person represents multiple Registrants or DEA Registrant numbers, then multiple Certificates will be issued.

Example 1: An individual representing multiple locations will list each DEA Registration for which he/she would like to be associated on his/her CSOS Certificate Application. For applicants approved for purchasing controlled substances, a separate CSOS Signing Certificate will be issued to that individual for each location. Each CSOS Coordinator will be approved by DEA to fulfill the role of Coordinator for each location, but will be issued only one CSOS Administrative Certificate.

Example 2: A company with multiple locations (DEA Registrations) may order their controlled substances from a central distribution warehouse. In this case, Power of Attorneys would represent multiple Registrants to consolidate the ordering process and each purchaser would need a separate CSOS Certificate for each DEA Registrant.

Back to Top

Who do I contact for CSOS questions and problems?

If you have any questions or wish to report a problem, please contact DEA Diversion E-Commerce Support. E-Commerce Support is available to assist your organization with its CSOS Enrollment.

Back to Top


Applying for CSOS Certificate


Who may apply for a CSOS Certificate?

The DEA Registrant, authorized CSOS Coordinator(s), and Power of Attorneys granted ordering authority by the DEA Registrant may apply for CSOS Certificates. A CSOS Coordinator is required for each organization as the main point of contact for CSOS. The CSOS Coordinator must be enrolled in CSOS before any Power of Attorney application is processed, however, the Coordinator and POA applications may be submitted at the same time.

DEA Registrants

A DEA Registrant is the individual who signed, or is authorized to sign, the most recent application for DEA Registration renewal. Often, this is the same person who grants Power of Attorney to allow other individuals to. Enrollment in CSOS by the Registrant is optional, and should be limited to only those Registrants who sign controlled substance orders or wish to be Coordinator for his/her organization.

The DEA Registrant must name a CSOS Coordinator on his/her CSOS application. The Registrant may serve the role of Coordinator, or may delegate the role of Coordinator to another individual who must enroll in the CSOS program. If the Registrant wishes to be the Coordinator, he/she should only submit a Registrant application (Form DEA-251) and not a Coordinator application (Form DEA-252).

If serving the role of Coordinator, the Registrant will be issued one CSOS Administrative Certificate for communication purposes. All Registrants will be issued one CSOS Signing Certificate for each DEA Registration number applied for.

CSOS Coordinators

A CSOS Coordinator is required for each DEA Registration number enrolled in the CSOS program. The role of Coordinator may be served by the Registrant, as mentioned above. If the Registrant does not server the role of Coordinator, then the CSOS Coordinator may be any individual in the DEA Registrant's organization and must have his/her CSOS Application signed by the Registrant. Only one Principal Coordinator and one Alternate Coordinator may be enrolled in CSOS for any one DEA Registration number.

Each CSOS Coordinator is issued one CSOS Administrative Certificate for communication purposes. If requested and approved, each Coordinator is issued one CSOS Signing Certificate for each DEA Registration number applied for.

CSOS Power of Attorneys

A CSOS Power of Attorney is any individual with the authority to sign controlled substance orders for a DEA Registrant. The CSOS POA applicant must have his/her application authorized and submitted by the CSOS Coordinator for the DEA Registration number(s) being applied for. An organization may enroll an unlimited number of Power of Attorneys in the CSOS Program.

Each Power of Attorney is issued one CSOS Signing Certificate for each DEA Registration number applied for.

What subscriber role should I apply as?

Role descriptions are provided in the previous question, in the CSOS Subscriber Manual, and are also explained during the CSOS Enrollment process on this Web site. If you have futher questions about enrolling, DEA E-Commerce Support is available to answer your questions and assist in formulating an enrollment strategy for your organization. Please contact DEA rather than your supplier about CSOS Enrollment.

Back to Top

How can I get a CSOS Certificate?

You may apply for a CSOS Certificate through this Web site's Enrollment Process.

Back to Top

How do I apply for more than one CSOS Certificate?

Each CSOS Application has only one field to enter a DEA Registration Number. However, you may attach up to five (5) CSOS Certificate Application Registrant List Addendums to your application. Each addendum (Form DEA-254) allows an applicant to list ten (10) DEA Registration numbers.

Bulk enrollment is required if more than 50 DEA Registration numbers are to be associated with a single applicant. Please contact DEA Diversion E-Commerce Support for assistance with Bulk Enrollment.

Back to Top

What information is needed to request a CSOS Certificate?

Prior to Certificate issuance, an Applicant must submit a properly completed CSOS Certificate application. Steps for requesting a CSOS Certificate can be found on this Web site's Enrollment Process. Please read the instructions carefully and review the checklist found with the applications before submitting an application package. Please note that the requirements for a complete application package vary by applicant type (Registrant, Coordinator, or POA).

Back to Top

Do I need an E-mail address in order to apply for a CSOS Certificate?

Each CSOS applicant must provide an individual E-mail address with his/her Certificate application. This E-mail address will be used for official communications from DEA regarding the subscriber's CSOS Certificate(s).

Shared or group E-mail accounts are not permitted for CSOS Subscribers since important, private information is provided to CSOS Subscribers via E-mail by DEA.

If you do not have a personal E-mail account, you may acquire a free account from an on-line E-mail service provider.

Back to Top

How do I verify that my Web browser version is compliant with CSOS?

DEA strongly recommends using the latest supported version of Internet Explorer (version 9) or Firefox (version 13). Internet Explorer (version 7.0 and above) and Firefox (version 2.0 and above) are the only Web browsers supported by CSOS. CSOS does NOT support Google Chrome. To verify your Web browser's version:

  • Internet Explorer
    • 1. Open Internet Explorer.
    • 2. In the top menu bar, select Help -> About Internet Explorer.
    • 3. Locate the Version number and verify that it is 7 or higher
    • 4. Click OK to close the About Internet Explorer screen.
  • Firefox
    • 1. Open Firefox Browser.
    • 2. In the top menu bar, select Help -> About Firefox.
    • 3. Locate the version number and verify that it is 2 or higher.
    • 4. Click the X to close the About Firefox Browser screen.

Back to Top

Why do I need to accept the CA Certificates?

A required trust relationship is established using the CA Certificates. The DEA E-Commerce Certification Authority issues the CSOS Sub Certification Authority Certificate. The CSOS Sub CA issues CSOS Subscriber Certificates. For a subscriber's CSOS Certificate to be recognized as valid, both CA certificates must be installed on the ordering or order validating computer.

Back to Top

What is a CSA Power of Attorney Letter and where can I find a sample?

The Code of Federal Regulations permits a Registrant to allow an individual to order Schedule I and II Controlled Substances on his/her behalf by granting Power of Attorney to the individual. All Coordinator and Power of Attorney CSOS applicants are required to submit a photocopy of his/her Power of Attorney letter. A sample letter may be obtained on this Web site:

Back to Top

How long after I apply for a CSOS Certificate will I receive it?

CSOS Certificate activation notices can be expected approximately six weeks from the date the application package is sent to DEA. Incomplete, inaccurate, or invalid application packages will take longer to process and may be denied and returned by DEA.

  • Complete application packages typically take 7-10 business days to be processed
  • Activation notices are sent to the applicant
    • Postal mail activation notice: Sent to the Coordinator for the DEA Registration. Please allow up 7-10 business days for this notice to arrive.
    • E-mail activation notice: Sent to the subscriber upon Certificate approval.

Back to Top

Why was my application rejected?

An application can be rejected based on the following reasons:

  • Missing application information
  • Information provided is not consistent with the DEA's Controlled Substance Act (CSA) Database

DEA's CSOS Registration Authority communicates application deficiencies with the applicant. Please contact DEA Diversion E-Commerce Support with any questions.

Back to Top

It's been two (2) weeks since I've submitted my application and have not received a notification letter, what do I do?

A CSOS Application is typically processed within one month of the date it was submitted to DEA.

Back to Top


Retrieving CSOS Certificates


How will I receive my CSOS Certificate?

Once your CSOS Certificate is ready to be retrieved (downloaded), you will receive an E-mail activation notice. One notice will be sent for each Certificate that you have been issued. This notice will contain an Access Code, which you will need to retrieve your Certificate.

An accompanying postal mail activation notice will be sent on the same day as your E-mail(s). One postal mail activation notice will be sent for each Certificate issued. For cases where multiple activation notices have been received, each postal mailed document must be matched with its associated E-mail activation notice. The E-mail and postal mailed activation notices may be matched using either the DEA Registration number or Certificate Serial Number.

Use the information in your postal mail activation notice along with the Access Code from the accompanying E-mail to retrieve your Certificate from the DEA E-Commerce Web site.

Back to Top

How do I download and install my CSOS Certificate?

You will download your Certificate(s) from the Web page listed on your postal mail activation notice. The following resources are available to assist you with Certificate retrieval.

Back to Top

Why have I received multiple activation notices?

Multiple activation notices indicate that multiple Certificates have been issued. It is possible for multiple Certificates to be issued even though you submitted only one enrollment application. Reasons for multiple Certificates being issued include the following scenarios:

  • Registrant subscribers are issued one CSOS Signing Certificate for each DEA Registration number indicated on his/her application, and one CSOS Administrative Certificate if the Registrant is fulfilling the role of Coordinator.
  • Coordinator subscribers with signing authority, who are issued one CSOS Signing Certificate for each DEA Registration number indicated on his/her application, and one CSOS Administrative Certificate.
  • Any subscriber who enrolled with more than one DEA Registration number.

Back to Top

I have received a postal mailed activation notice. Why haven't I received an E-mail?

Locate your E-mail address in the mailed document and verify that it is correct.

  • If the E-mail address is incorrect, please contact the Support Desk.
  • If the E-mail address is correct, the activation E-mail my have been sent to your E-mail client's junk mail folder. Please look for an E-mail from regauth@deaecom.gov. If you are unable to locate the activation E-mail, please contact the DEA E-Commerce Support Team and request that the E-mail be re-sent.

Back to Top

Why can't I log in to the Web site?

or

Why did I receive the error "You are unauthorized to access this page"?

Please verify that you are entering the Web Site Username and Web Site Password as indicated on the postal mail activation notice for your Certificate. The Web Site Password is case sensitive, so it must be typed exactly as it appears on your postal mail activation notice.

An error stating 'You are unauthorized to access this page' will be received after entering an incorrect Website Username or Website Password multiple times. If this error is received:

  • Close your Web browser
  • Re-Open the browser and access the DEA E-Commerce Certificate Retrieval Web site.
  • Click the Retrieve a CSOS Certificate button
  • Re-enter your Web site Username and Website Password

Back to Top

Where can I find my Web site Username and Password?

The Web site Username and Web site Password are indicated on the postal mail activation notice. The Username and Password are case sensitive.

Back to Top

Where can I find my Access Code and Access Code password?

When a Subscriber's CSOS Certificate is ready to be activated/retrieved, the subscriber will receive activation notices via E-mail and postal mail. The E-mailed activation notice will contain the Certificate's Access Code. The postal mail activation notice contains the Certificate's Access Code Password. The Access Code and Access Code Password are unique for each Certificate.

Back to Top

Why does my activation notice have a four digit DEA Registration number?

Activation notices (both postal mail and E-mail) may have a four digit number rather than the subscriber's DEA Number. This four digit number indicates that the Certificate is a CSOS Administrative Certificate, which may be used for digitally signing E-mail communications with the CSOS CA, but may not be used for electronic ordering of controlled substances.

Back to Top

Do my certificates have the same Access Code?

Each Certificate has a unique Access Code and a unique Access Code Password. If you have received multiple activation E-mails, please inspect each Access Code number carefully, because it does differ from the other Certificate's Access Codes.

Back to Top

What is a CSP for?

A cryptographic service provider, among many other things, creates the private key associated with the CSOS Certificate being retrieved from the DEA E-Commerce Web site

Back to Top

I do not see any CSP’s listed in the drop down list during retrieval, what do I do?

If you do not see anything displayed in the CSP drop down list, click in the blank area of the field and you will notice an information toolbar displayed at the top of your screen. It says, “This website is attempting to run the following add-on…” Click on the information toolbar and allow the Active X control to run. This will populate the CSP drop down list and you will be able to select ‘Microsoft Enhanced Cryptographic Provider v1.0’. Please note that the page will refresh and you will need to re-enter the e-mailed access code and access code password you received by postal mail. Contact the Support Desk if this does not populate the drop down list.

Back to Top

I receive a Smart Card Service Error, what does it mean?

  • "No smart card readers are currently available. A smart card cannot be selected at this time."
This error may be followed by:

  • "The error '8010002E' occurred. Your certificate request could not be generated."
  • or
  • "The error '8010001D' occurred. Your certificate request could not be generated."
This error will occur if "Microsoft Enhanced Cryptographic Provider v1.0" was not selected as the CSP (Cryptographic Service Provider) when retrieving a CSOS Certificate.

Back to Top

I receive an error '801002E' or '801001D' when retrieving my Certificate. What does this mean?

If you receive the error shown below, an incorrect CSP may have been selected when attempting to retrieve the Certificate. After entering the Certificate's Access Code and Access Code Password, set the CSP drop-down menu to "Microsoft Enhanced Cryptographic Provider v1.0".

"An Error has occurred:

No keypair has been created. Please make sure that you are using Internet Explorer 3.0+, and that the required .DLL is properly installed on the server machine. See your administrator for details. "

Back to Top

I receive an error 'Internal Error (-1666)' when retrieving my Certificate. What does this mean?

This error can be caused by a number of issues:

  • The activation information has expired
    • Verify that it has not been 30 days from the date printed on the top right corner of the postal mailed activation notice
    • Call Diversion E-commerce Support if your activation information has expired.
  • The certificate has already been activated
    • Each Certificate may only be activated once (since activation generates the private key associated with the Certificate).
    • Please call Diversion E-Commerce Support for assistance with verify whether your Certificate has been activated already.
  • The Access Code and Password have been entered incorrectly
    • Typically, an incorrect access code or password will result in error 3274 or 3290. However, we have seen (-1666) be the result of an incorrect access code and/or password.

Back to Top

I receive an error '-3274' after the "Creating a new RSA exchange key" screen. What does this mean?

The above error number indicates one of the following issues:

  • An incorrect Access Code or Access Code Password was entered
  • The Access Code and Access Code Password do not match. If you received multiple activation notices (for multiple certificates), the notices you are using must contain matching DEA Registration numbers or Admin Cert ID Numbers.
Click the Back button on your Web browser and verify the Access Code and Access Code Password.

Back to Top

I receive an error '-3290' after the "Creating a new RSA exchange key" screen. What does this mean?

  • "An Error has occurred:
    (-3290) Incorrect or invalid authentication token."

The following error indicates that an incorrect Access Code and/or Access Code Password have been entered. Please re-enter your Access Code (from E-mail) and Access Code Password (from postal mail). If you received multiple activation notices, please verify that the E-mail and postal mail activation notices (which you are taking your Access Code and Access Code Password from) have matching DEA Registration numbers and Certificate Serial Numbers.

Back to Top

Where is my CSOS Certificate stored?

Certificates, by default, are placed in the Certificate Store of the browser used to activate them.

To view Certificates that were activated using Internet Explorer:

  • In the Internet Explorer menu bar, select Tools -> Internet Options
  • Switch to the Content tab
  • Click the Certificates button
  • Successfully retrieved CSOS Certificates will be in the Personal tab and are issued by "CSOS CA"

To view Certificates that were activated using Firefox:

  • In the menu bar, select Tools -> Options
  • Verify that Advanced is selected on the left side of the screen
  • Select the Encryption tab and click View Certificates.
  • Click the Authorities tab.
  • Any CSOS Certificates will appear in the U.S. Government category (click the + to expand if necessary).

Back to Top

How do I export my Certificate(s)?

CSOS Certificates must be exported if they are to be installed on another computer. To export Certificates that were activated using Internet Explorer:

To export Certificates that were activated using Firefox:

Back to Top

Do I need to print my Certificate(s)?

CSOS uses digital certificates, which never need to be printed. The Certificate is a file stored on the computer that will be used to digitally sign electronic orders of controlled substances.

Back to Top

After retrieving, what do I do with my Certificate(s)?

Once your Certificate has been retrieved, you will need to set up your ordering software. Typically, most subscribers will need to contact a wholesaler or distributor in order to set up software.

Back to Top

I did not set a password for my Certificate, can I still set one?

Yes, you may set a password for a Certificate that does not have one. You may also use the following steps to re-set an existing password. These instructions are intended for Certificates not already installed in wholesaler software. Please contact Diversion E-Commerce Support for assistance if your Certificate is already installed in wholesaler software.

Back to Top

What computer(s) should my Certificate(s) be installed on?

Your CSOS Signing Certificate must be installed on any computer used to place electronic orders for controlled substances. Certificates may be installed on multipled computers. In order to copy a Certificate from the computer used to activate it onto another computer, you must do the following:

Back to Top

How do I move my Certificate to a different computer?

Back to Top

Do I still need paper 222 forms?

Paper 222 forms are not used when placing electronic orders for controlled substances. Registrants are strongly encouraged to maintain a backup supply of 222 forms. Instances where one might need to fall back on paper ordering include:

  • CSOS Certificate expiration or revocation - the certificate is no longer valid for electronic ordering.
  • Computer failure - the ordering computer crashes, has software malfunctions, no longer has an internet connection, or is stolen.

Back to Top

How do I determine the encryption level of my CSOS Certificate?

For Certificates activated using Internet Explorer:

  • In the Internet Explorer menu bar, select Tools -> Internet Options
  • Switch to the Content tab
  • Click the Certificates button
  • Double-click on your CSOS Certificate found under the Personal tab
  • In the Certificate window, select the Details tab
  • Scroll down to the Public Key field and refer to the entry under the Value column (i.e. RSA (2048 bits) will be displayed for a certificate with an encryption level of 2048).

For Certificates activated using Firefox Version 2.0-13:

  • In the menu bar, select Tools -> Options
  • Verify that the Advanced icon is selected on the top of the screen
  • Select the Encryption tab
  • Click on the View Certificates button
  • Double-click on your certificate under the U.S. Government category (click the + to expand if necessary)
  • From the Certificate Viewer window, select the Details tab
  • Under the Certificate Fields table, scroll to and select the Certificate Signature Value field
  • In the Field Value table, the top line of the entry will provide the encryption level of your CSOS certificate (i.e. Size: 128 Bytes/2048 Bits will be displayed for a certificate with an encryption level of 2048).

Back to Top


Usage of CSOS Certificate


How is a CSOS Certificate used?

CSOS Certificates may only be used by the owner of the certificate. CSOS Signing Certificates are loaded into a CSOS enabled ordering software system and are used for digitally signing controlled substance orders. CSOS Signing Certificates may also be used to digitally sign communications (typically E-mails) with the CSOS Registration Authority or other CSOS Subscribers.

Back to Top

What CSOS software should I use?

DEA may not recommend vendors for CSOS enabled ordering software. Pharmacies may contact their distributors. Trade associations such as the HDMA provide guidance on software vendors. You may also use a search engine to look up "Controlled Substance Ordering System software."

Back to Top

Who is authorized to place controlled substance orders using a CSOS Certificate?

Each CSOS certificate is issued to only one individual person. This person, called a CSOS Subscriber, is an individual who enrolled in the CSOS program with DEA and whose name appears in the digital certificate. A digital signature using a CSOS certificate is required when submitting an electronic order for controlled substances. Only the individual subscriber whose name appears in the certificate is authorized to perform this digital signature.

Other individuals are free to request their own CSOS digital certificates for signing controlled substance orders, but may never use someone else's certificate.

This aspect of the CSOS program is a strict requirement by DEA and is governed by the Code of Federal Regulations.

DEA E-Commerce support is available to assist with all questions regarding this matter:

Back to Top


Maintaining your CSOS Certificate


What if my DEA CSOS Certificate is lost, stolen, or damaged?

You should report a lost, stolen, or damaged CSOS Certificate to DEA Diversion E-Commerce Support immediately to formally request revocation of your lost, stolen or damaged CSOS Certificate. The Support Desk will help you to enroll for a new CSOS Certificate. For assistance contact DEA Diversion E-Commerce Support at:

Back to Top

Will my CSOS Certificate ever expire?

CSOS Certificates expire when the DEA Registration to which they are associated expires. The CSOS RA will send an email notifying the Subscriber’s CSOS Coordinator 45 days prior to the expiration date of the Subscriber’s CSOS certificate and will provide instructions on how to process digital certificate renewals.

Back to Top

Can the information in my CSOS Certificate be changed?

Yes and no. Once the CSOS Certificate is issued, the information within that Certificate may not be changed. Should any of the CSOS Subscriber's information change, a new CSOS Certificate with the current Subscriber information must be issued. You are required to request a new Certificate using the updated information and then request that the original Certificate be revoked. For assistance please contact DEA Diversion E-Commerce Support.

Back to Top

Should I save a backup copy of my CSOS Certificate?

Important Federal Regulations do not allow for CSOS Certificates to be backed up. Certificates may be copied and installed into ordering software on multiple computers, but should never be backed up.

Back to Top

I accidentally deleted my CSOS Certificate from my hard drive.

Once your CSOS Certificate has been deleted, damaged or overwritten, there is no way to reactivate your CSOS Certificate. You will need to request a revocation of your CSOS Certificate, and then enroll for a new one. Please contact DEA Diversion E-Commerce Support for assistance.

Back to Top

I have multiple CSOS certificates. How do I differentiate between them?

Certificates may be given a "friendly name" after being retrieved/activated.

  • From Internet Explorer, open the Tools menus and select Internet Options.
  • In Internet Options, select the Content tab and click the Certificates button.
  • Locate and double-click the certificate that is to be named. The certificate can typically be identified based on the expiration date (this date will match the date that the associated DEA Registration expires).
  • With the certificate open, select the Details tab and click Edit Properties.
  • Name the certificate in the Friendly name field. Optionally, enter a description in the Description field.
  • Click the OK button twice to close two screens. Back at the certificates screen, the named certificate will now show a friendly name that assists with identification.

Back to Top


Security and Privacy Concerns

Can someone else use my CSOS Certificate?

No. A CSOS Certificate may only used by the original Certificate applicant, whose name appears in the CSOS Certificate. Any unauthorized access to your CSOS Certificate must be reported immediately to DEA Diversion E-Commerce Support at:

Back to Top

What do I do if someone else has used my CSOS Certificate?

You must report any suspected or actual unauthorized access to your CSOS Certificate to DEA Diversion E-Commerce Support immediately. The CSOS Certificate will be revoked and the Support Desk will assist you in enrolling for a new CSOS Certificate. You may contact the Support Desk at:

Back to Top

Should I have any privacy concerns about the information I have submitted?

Refer to the Privacy Policy.

Back to Top

How will DEA protect my personal information?

Please refer to the Privacy Policy for concerns regarding the protection of your personal information. You may also consult the DEA Diversion E-Commerce Certificate Policy for more detailed information on the policy governing the protection of your personal information.

Back to Top

What purpose does the Access Code and Password serve?

The Access Code and Access Code Password will be used by approved CSOS Certificate applicants to retrieve his/her CSOS Certificate. Therefore, the Access Code and Password are two very key pieces of information supplied to a Subscriber from the CSOS Certification Authority in order to ensure that only the CSOS applicant has the ability to retrieve his/her CSOS Certificates. The applicant must not share his/her Access Code (received via E-mail) with anyone and must not share the information contained in the mailed document from the CSOS Certification Authority with anyone outside of the CSOS Coordinator.

Back to Top

My computer was stolen, what should I do to protect my CSOS Certificate?

You should immediately have your CSOS Certificate(s) stored on that computer revoked. Report the incident to the CSOS Support Desk at:

The Support Desk will provide you with instructions for enrolling for a new CSOS Certificate.

Back to Top


CSOS Reporting


How will I report my CSOS transactions?

There is a new CSOS EDI record format for suppliers submitting transaction records electronically to DEA. Each reporter must enroll for CSOS reporting, after which they will be issued a user name and password. The user name and password may then be used to access a secure CSOS Reporting Web site in order to submit CSOS reports. All suppliers must report CSOS transactions using CSOS Reporting. Please reference our Reporting page for more details.

Back to Top

Who should enroll in CSOS Reporting?

All CSOS transactions must be reported by the supplier using CSOS Reporting. Any individual within the supplying organization may enroll the organization in CSOS Reporting. The user name and password issued will be for the organization and will not be specific to the individual. It is up to the Registrant to determine the individual to enroll in the organization in CSOS Reporting. The enrolling individual will become the main point of contact for the DEA Registrant with regards to CSOS Reporting.

Back to Top

I currently submit ARCOS reports, what should I do now?

All current ACROS reporters must submit CSOS formatted reports in addition to ARCOS reports for the time being.

Back to Top

How often must I submit CSOS Reports?

CSOS transactions must be submitted within two (2) business days from when the order was filled. You do not need to submit a CSOS Report if no transactions occurred.

Back to Top

What should I do if a system error prevents us from submitting a CSOS Report?

Please contact DEA Diversion E-Commerce Support as soon as possible.

Back to Top

Where can I find the CSOS Records Transaction format?

The reporting format is documented in the following document:

Back to Top

How should I report errors in CSOS transaction?

If an erroneous CSOS transaction has been reported, you may resubmit the correct transaction. The new, correct CSOS transaction report will take the place of the old, erroneous report.

Back to Top

How should I report transactions that are filled over multiple days?

When an order is partially filled one day, with the rest of the order filled later, each line item of the order should be reported according to the day it was filled.

Back to Top

What NDC number should be used when a controlled substance is ordered using a generic description?

CSOS transaction records require an NDC number. As with the paper Form-222 system, controlled substance orders may be made using a generic description rather than NDC number. The supplier may use the NDC number for the controlled substance supplied. The ARCOS Registrant Handbook contains NDC numbers by drug category. These numbers may be used when the supplied controlled substance does not have an NDC number.

Back to Top

What is a Central Reporter Number?

A central reporter number is given when a company has multiple facilities, each of which sends their reports to the central office. The central office then sends the reports it to DEA.

For example: Company ABC has 1,000 locations, but 6 central facilities. If these facilities are responsible for reporting, then Company ABC would have 1,000 DEA numbers and 6 central reporter numbers. Therefore, CSOS knows which facility has submitted their reports and who the point of contact for each central facility is.

Back to Top

Can I use my ARCOS reporting username and password for CSOS reporting?

Only after enrollment and approval for CSOS Reporting may an existing ARCOS EDI account be used for CSOS Reporting. Optionally, a new account can be issued exclusively for CSOS.

Back to Top



How long will my CSOS reporting username and password be valid?

Your CSOS reporting username and password DO NOT expire. They will be valid as long as you are participating in the CSOS program.

Back to Top



What if I lose my CSOS reporting username and password?

Please contact DEA Diversion E-Commerce Support.

Back to Top



How is the ARCOS transaction record format different from CSOS transaction records format?

Characters 1-80 of both record formats are the product information for the actual product shipped. CSOS Records include an additional set of characters, characters 81-105, which refer to the actual product ordered. The additional fields in the CSOS Record format take into account order substitution and packaging changes.

Examples:

  • Based on a prior agreement, if a supplier does not have the ordered controlled substance in stock, they may replace the ordered substance with another comparable substance. In this case, the CSOS transaction record would contain the supplied substance, but also the requested drug information in the additional character fields (characters 81-105).
  • If one (1) 500 count package of a controlled substance is ordered, the supplier may fill the order with five (5) 100 count packages if the supplier and requestor have an agreement to make such a replacement. In this case the ordered substance would be recorded in the character 81-105 fields, while the supplied substance would be recorded in the character 1-80 fields.

Back to Top



Who do I contact for CSOS Reporting questions and problems?

Please contact DEA Diversion E-Commerce Support.

Back to Top

Does CSOS permit reverse distribution?

Reverse distribution transactions require a paper form DEA-222 or digitally signed electronic order (using CSOS). The supplier is required to report each transaction. Since only ARCOS participating DEA Registrants are eligible to report CSOS transactions, reverse distribution is not permitted when the supplier is a non-ARCOS participant.

For example, a pharmacy or hospital may only accept a paper 222 order from a reverse distributor or wholesaler when returning controlled substances because the pharmacy/hospital is not able to report this transaction electronically. If the controlled substance supplier in the reverse distribution transaction IS a DEA ARCOS participant, then reverse distribution using an electronic CSOS order is permitted. One scenario where reverse distribution is permitted would be with a DEA ARCOS registered wholesaler fulfilling an order from a reverse distributor.

Back to Top


CSOS Software Auditing


Why is DEA requiring an audit of my CSOS software application?

Improperly developed software applications, or the use of digital-signing cryptographic modules that are not federally approved, can result in unacceptably high levels of risk, creating the opportunity for the diversion of controlled substances. Just as with other heavily regulated environments (such as with the FDA), DEA requires that a CSOS application audit be performed by an independent auditor to ensure that this risk is mitigated by validating that the software is compliant with the DEA Regulations described in CFR 21.

Back to Top



When am I required to have my CSOS application audited?

CSOS applications must be audited:

  • 1) prior to the application being placed into production to ensure that the cryptographic modules and software is in compliance with the regulations
  • 2) when changes are made to any portion of the software covered by DEA regulations (see Question How frequently must I have my CSOS application re-audited? below)

Back to Top



Who should audit the application?

An independent third-party auditor must perform the audit. Ideally, the auditor should have a background with controlled substance ordering systems and DEA regulations (many auditing firms retain legal counsel to interpret the regulations; others will rely on your regulatory department for guidance).

Back to Top



What parts of the CSOS application must be audited?

Auditors must validate that the cryptographic modules are FIPS 140-2 certified (FIPS 140-2 “grandfathers in” FIPS 1401-1 certified modules). Auditors must also validate all aspects of the software that are addressed in the regulations.

Back to Top



How frequently must I have my CSOS application re-audited?

You are not required to have the CSOS application re-audited unless there have been modifications to the software or cryptographic modules that would necessitate an additional audit to validate their compliance. If any changes are made to the CSOS application that are covered under the DEA regulations, the auditor must audit those changes to ensure that the regulations are still being met.

Back to Top



What if I purchase my CSOS application from a vendor?

The proof of compliance rests on the shoulders of the company using the CSOS application. CSOS participants purchasing out-of-the-box (ready-made) solutions should ensure that the vendor has had the application properly audited and should request a copy of the auditor’s results as proof. Application purchasers “inherit” the compliance audit results from the vendor. If the application is significantly modified after purchase and installation, it may need to be re-audited to ensure that DEA regulations are still being met.

Back to Top



Am I required to submit my audit results to DEA?

No, you are required to maintain your audit results and provide them to a DEA Diversion Investigator upon request, however you are not required to submit the audit results to DEA in advance of production. DEA’s expectation is that a company will retain the audit test plan, results and auditor’s opinion or attestation letter demonstrating the system complies with the DEA Rule.

Back to Top



Is there an auditing test plan available from DEA?

No, DEA recognizes that each system platform is different and so no universal test plan can be developed suitable for use with all systems. Each company or auditing firm will have drafted their own test plan and scripts specific to their platform and application, using the DEA regulations as a basis for any test plan.

Back to Top




DEA E-Commerce Web site


Why can't I open the Adobe PDF application forms?

There are several reasons the application forms will not open. If you receive the following error message "File does not begin with '%PDF-' ", you may be running Adobe Reader version 6. Rather than attempting to open the form by clicking the link:

  • Right click on the link or form icon
  • Select 'Save Target As'
  • Save the file to your Desktop
  • Once the file is done downloading, open it from your desktop
This workaround avoids the issues caused by opening an Adobe form in Internet Explorer.

Back to Top



Why don't some of the links on this site work?

Some links on this site open in a new window and require that your Web browser has JavaScript enabled. JavaScript is typically enabled by default. To enable JavaScript in Internet Explorer:

  • In Internet Explorer, click the Tools menu and select Internet Options
  • Select the Security tab
  • Click the Custom Level button
  • Near the bottom of the list in the Scripting section is a setting for Active scripting
  • The Enable option should be selected
  • Click OK to close the Security Settings window
  • Click OK to close the Internet Options window
  • Close and reopen Internet Explorer

Back to Top



Is this site accessible to the visually impaired?

This Web site, including content, images, and PDF documents, is Section 508 Compliant. Section 508 requires that Federal agencies' electronic and information technology is accessible to people with disabilities. For more information on Section 508 compliancy, please visit http://www.section508.gov

Back to Top



Return to previous screen