United States Department of Justice
Drug Enforcement Administration
Controlled Substance Ordering System (CSOS)
SUBSCRIBERS MUST READ THIS SUBSCRIBER AGREEMENT BEFORE APPLYING FOR, ACCEPTING, OR USING A DEA DIGITAL CERTIFICATE. IF YOU DO NOT AGREE TO THE TERMS OF THIS SUBSCRIBER AGREEMENT, A CERTIFICATE WILL NOT BE ISSUED IN YOUR NAME.
THIS SUBSCRIBER AGREEMENT will become effective on the date you submit the certificate application to the designated DEA Registration Authority (RA). By submitting this Subscriber Agreement (and certificate application) you are requesting that the DEA RA issue a public key certificate (a digital signing certificate) to you and are expressing your agreement to the terms of this Subscriber Agreement.
You understand that your use and reliance on the CSOS certificate is subject to the terms and conditions set forth below. By CLICKING ON THE "ACCEPT" BUTTON BELOW, you (a) agree to be bound by the terms and conditions of this Agreement (Subscriber Agreement), the DEA Diversion Control E-Commerce System Certificate Policy (CP), and the DEA Regulations specified in Title 21, Code of Federal Regulations, Part 1300 to the end, and (b) represent and warrant to the DEA that the information you provided during the application process is accurate, current, complete and not misleading,
IF YOU CHOOSE NOT TO ACCEPT THIS AGREEMENT, WHICH INCLUDES THE CERTIFICATE POLICY, THEN CLICK THE "DECLINE" BUTTON BELOW.
2. Subscriber Enrollment Procedures
You may download a certificate application from www.DEAecom.gov or request an application via mail from:
Drug Enforcement Administration
Washington, DC 20537
a) Return the completed application form to your CSOS Coordinator as specified in the DEA Diversion Control E-Commerce PKI CP. CSOS Coordinators shall submit completed application forms to the CSOS Registration Authority. Applications should be mailed to the address listed above.
b) You will be notified via mail or e-mail regarding the status of your application. If approved for a certificate, your CSOS Coordinator will be notified of your acceptance and will be mailed a one-time access code in a tamper-evident envelope that your CSOS Coordinator will distribute to you. This envelope must not have been opened prior to your receipt. You will receive a password that will be provided to you separately, via your email account that you provided on the application form. Do not share your access code or password with anyone.
c) Upon receipt of both the access code and password, you will find the instructions to obtain the CSOS CA certificate and your digital signing certificate online from www.DEAecom.gov.
3. Identification Information
a) You agree that any corrected or updated information you submit is true and complete.
b) If any information included in the Subscriber’s CSOS certificate changes, or if any circumstances would make the information in the Subscriber’s CSOS certificate inaccurate or misleading, you agree to update your information within 48 hours to your CSOS Coordinator, who shall then notify the CSOS RA via written communication at the address stated above.
4. Your Obligations
Submit Correct Information. You represent and warrant to the DEA that all of the information you have submitted to them is accurate, current, complete, and not misleading. You agree that you will immediately inform the DEA if any information submitted during the application process changes or becomes false or misleading.
Review Your Certificate (Certificate Acceptance). The contents of your certificate will be based on information you provided to the DEA. If you are uncertain whether the information you provided was accurate, you should verify that the information is correct with the CSOS RA.
The DEA will notify you and your CSOS Coordinator when your certificate is ready for retrieval. When you download or retrieve your certificate, you will once again be presented with the contents of your certificate, and you agree to review and verify the accuracy of the information contained in your certificate and to notify the DEA immediately of any inaccuracies. You acknowledge and agree that when you use your certificate or the key pair corresponding to your certificate, you (a) accept and agree to the responsibilities identified in this Agreement and the Certificate Policy, and (b) represent and warrant that (i) all information in your certificate is accurate, current, complete, and not misleading, and (ii) You are not aware of any fact material to the reliability of those representations that has not been previously communicated to the DEA.
Private Key Protection:
All Subscribers are obligated to:
a) Protect and not share the private signing key. A certificate holder must not make back-up copies of the private key.
b) Protect the user password. Passwords shall not be written down unless it is stored in a locked file to which only you have access to;
c) Notify your CSOS Coordinator of any suspected or actual compromise of the private key and request the revocation of such CSOS certificate within 24 hours, who shall then request a certificate revocation. Subscribers may also submit a digitally signed email notification of suspected key compromise directly to the CSOS RA.
The CSOS CA will not have a copy of your private key corresponding to the public key contained in the digital signing certificate. You understand that the password you establish in your client software is your responsibility and that the password is unknown to the CSOS CA. Furthermore; there is no mechanism for the CSOS RA or CA to find the password.
In the event of a lost password, as in the event of the loss of your private key(s), the CSOS CA can, at your request, revoke your certificate and issue a new access code and password in order to generate a new digital signing public/private key pair with which to create a new CSOS certificate.
CSOS Subscriber certificates shall only be issued to DEA Registrants and those to whom Power of Attorney (POA) has been executed on behalf of the Registrant who are engaged in the transfer of controlled substances between manufacturers, distributors, retail pharmacies, and other registrants.
CSOS Certificates must be used for the signing of electronic transaction orders, however the use of CSOS certificates is not restricted to this single application and may be used for other signing purposes at the Subscriber’s discretion.
You agree and understand that you are required to abide by all restrictions levied upon the use of your private key and certificate.
Revocation of Certificates:
The CSOS Policy Management Authority (PMA), the CSOS Coordinator, Subscriber, and Registrants (for certificates issued to POAs) may revoke the Subscriber’s certificate(s) at any time with notice if any of the following occur:
a) The certificate is superseded by a newer certificate;
b) There is a change of identifying information or affiliation components of any names in the certificate;
c) There is a compromise, or suspected compromise, of the Subscriber’s private key, private key storage media and/or password;
d) You have forgotten your password;
e) The Subscriber or other authorized party, as defined in the DEA Diversion Control E-Commerce System CP, requests that his/her certificate be revoked;
f) The Subscriber has failed to meet his or her obligations under the DEA Diversion Control E-Commerce System CP or Subscriber Agreement;
g) There is a cessation of CA operations.
5. Certificate Expiration
The CSOS certificate shall expire either 3-years from the time of certificate issuance (as displayed in the certificate profile) or upon the expiration of the DEA Registration Certificate, whichever occurs first. Subscribers must renew their CSOS certificate to continue to conduct CSOS business.
6. Terms of Agreement
This Agreement constitutes a renewable contract with a duration of 3-years or until the DEA Registration expires. The contract may be terminated (i) by you at anytime with proper notice to the CSOS RA or (ii) by the DEA at anytime with notice to the Subscriber.
You understand and agree that if any provision of this Agreement is declared by a court to be invalid, illegal, or unenforceable, all other provisions shall remain in full force and effect.
You understand that the CSOS CA will provide CA services 7 days a week, 24 hours per day in accordance with the policies and processes described in the CP with the stipulation that this is not a warranty of 100% availability. Availability may be affected by system maintenance, system repair, or by factors outside the control of the CA.
Requests for the certificate issuance or renewal shall be sent to the Registration Authority at:
Drug Enforcement Administration
Washington, DC 20537
Requests for certificate revocation shall be sent electronically via email to CSOSrevocation@DEAecom.gov or via phone to the Registration Authority at 1-877-DEA-ECOM (1-877-332-3266) toll free.
10. Dispute Resolution and Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the United States of America.
11. Extraordinary Events
The DEA will incur no liability, costs, damages or loss if circumstances beyond its control (such as, but not limited to, fire, flood, delay in the U.S. mail or interference from an outside force) prevent proper execution of any CSOS transactions and the DEA has taken reasonable precautions to avoid these circumstances.
12. Privacy Notification
See Notice and Disclosure of Drug Enforcement Administration (DEA) Office of Diversion Control (OD) – Controlled Substance Ordering System (CSOS) document.
13. Additional Resources
The following documents may be obtained by going to www.DEAdiversion.usdoj.gov:
Return to previous screen
- DEA Diversion Control E-Commerce PKI Certificate Policy (CP), and
- DEA Regulations - Title 21, Code of Federal Regulations, Part 1300