The Controlled Substances Ordering System (CSOS) is cross-certified with the Federal Bridge Certification Authority (FBCA). The FBCA sets guidelines that CSOS must follow in order to maintain its cross-certification. Recently, the FBCA has updated its policies to align key-length requirements with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-57, Recommendations for Key Management.
NIST SP 800-57 offers authoritative recommendations for encryption algorithms implemented on federal government information systems. For systems utilizing the RSA encryption algorithm for digital signatures, NIST SP 800-57 recommends a key-length of 2048-bits. Prior to October 2008, CSOS certificates were issued with the RSA encryption algorithm for digital signatures, using a key-length of 1024-bits. Commencing in October 2008, certificates utilizing the stronger 2048-bit key-length were distributed to new and renewing CSOS participants.
The FBCA has set a deadline of December 31, 2010 by which all certificates of cross-certified systems, including CSOS, must meet NIST SP 800-57 recommendations. As certificates have a 3-year lifetime, certificates issued between January 1, 2008 and September 30, 2008 do not comply with the recommended key-length.
All certificates in use that have been signed and generated with 1024-bit keys must be revoked prior to January 1, 2011.