CSOS (Controlled Substances Ordering System) Q&A
About CSOS Certificates
Answer: A CSOS Certificate is a digital identity issued by the DEA's CSOS Certification Authority (CSOS CA) that allows for electronic ordering for Schedule I and II (as well as III-V) controlled substances. A CSOS Certificate is the digital equivalent of the identification information contained on a DEA Form-222.
CSOS Certificates are issued to individuals, and are required for electronic ordering of Schedule I and II controlled substances. They must never be used by anyone other than the individual subscriber (a person, not a location) the certificate was issued to.
They are used for digitally signing controlled substance orders. Certificates are issued to approved Registrant and Power of Attorney applicants. An approved Coordinator applicant will only be issued a certificate if he/she holds a valid Power of Attorney for controlled substance ordering and has requested a certificate.
Answer: A CSOS Certificate enables DEA Registrants and Power of Attorneys to conduct electronic ordering of controlled substances by providing identification, authentication, and non-repudiation through the use of digital signature technology. While the paper DEA Form-222 ordering process is still allowed, CSOS is the only method for ordering Schedule I and II controlled substances electronically. The benefits of CSOS for end users include:
- The allowance for electronic ordering of Schedule I and II controlled substances
- Timely and accurate validation of a purchaser's (CSOS Subscriber's) DEA credentials
- Reduced number of ordering errors
- No line item limit on a single order
- Reduced amount of paper in the ordering process
- Faster transaction times
- Lower cost per transaction
Answer: There is no charge by DEA for CSOS Certificates or for participating in any aspect of the CSOS program. However, DEA does not create or supply CSOS enabled ordering software. Suppliers are at liberty to charge for use of the ordering software which they have created or licensed. All questions about ordering software, except with regards to DEA's regulations regarding software, should be directed to your vendor.
Answer: The CSOS Certification Authority (CSOS CA) is operated by DEA and issues CSOS Certificates to approved DEA Registrants and Power of Attorneys.
Answer: A CSOS Applicant is an individual who has submitted a request to obtain, but does not yet hold, a CSOS Certificate.
Answer: A CSOS Subscriber is an individual who has either obtained approval or has already acquired a CSOS Certificate.
Answer: A separate CSOS Certificate is required for each DEA Registration number. In cases where a person represents multiple Registrants or DEA Registration numbers, then multiple Certificates will be issued.
Example 1: An individual representing multiple locations will list each DEA Registration with which he/she would like to be associated on his/her CSOS Certificate Enrollment. CSOS Certificates may be issued to a registrant for each location for which that registrant is responsible. Only the First Registrant must be approved by the DEA. All subsequent registrants are approved by the First Registrant.
Example 2: A company with multiple locations (DEA Registrations) may order their controlled substances from a central distribution warehouse. In this case, Power of Attorneys would represent multiple Registrants to consolidate the ordering process and each purchaser would need a separate CSOS Certificate for each DEA Registrant.
Answer: If you have any questions or wish to report a problem, please contact DEA Diversion E-Commerce Support. E-Commerce Support is available to assist your organization with its CSOS Enrollment.
Identity Verification
Answer: For problems with your Login.gov account or the identity verification process, please review the help section at https://www.login.gov/help/ or contact Login.gov at https://www.login.gov/contact
Answer:
- Go to https://deaecom.gov/csos2 and click on "Sign Up."
- You will be redirected to Login.gov.
- Log in with your existing Login.gov account.
- If your account meets the CSOS Identity Verification requirements, you will be automatically redirected back to CSOS.
- You will then be able to create your CSOS online profile.
Applying for CSOS Certificate
Answer: The DEA Registrant is required to enroll and authorize CSOS Coordinators and Power of Attorneys to enroll, renew, or revoke their CSOS Certificates. The CSOS Coordinator and Power of Attorneys cannot enroll until the Registrant is enrolled.
DEA Registrants
A DEA Registrant is the individual who signed, or is authorized to sign, the most recent application for DEA registration renewal. Registrants are required to approve requests for CSOS certificates for their subordinates (Coordinators and Power of Attorneys).
CSOS Coordinators
A CSOS Coordinator may be any individual in the DEA Registrant's organization and must have their CSOS request approved by the Registrant. Only one Principal Coordinator and one Alternate Coordinator may be enrolled in CSOS for any one DEA Registration number.
Coordinators can approve Power of Attorney requests for enrollment, renewal, or revocation. If Coordinators are not enrolled, the Power of Attorney requests will be assigned to the Registrant.
There are four Coordinator roles: Principal Coordinator, Alternate Coordinator, Administrator Principal Coordinator, and Administrator Alternate Coordinator.
Principal Coordinators and Alternate Coordinators will receive a signing certificate to order medications. Administrator Principal Coordinators and Administrator Alternate Coordinators will not receive a certificate.
CSOS Power of Attorneys
A CSOS Power of Attorney (POA) is any individual with the authority to sign controlled substance orders for a DEA Registrant. The CSOS POA applicant must have their request approved by the CSOS Coordinator for the DEA Registration number(s) being applied for. An organization may enroll an unlimited number of Power of Attorneys in the CSOS Program.
Each Power of Attorney is issued one CSOS Signing Certificate for each DEA Registration number applied for.
Answer: Role descriptions are provided in the previous question, in the CSOS Subscriber Manual, and are also explained during the CSOS Enrollment process on this Web site. If you have further questions about enrolling, DEA E-Commerce Support is available to answer your questions and assist in formulating an enrollment strategy for your organization. Please contact DEA rather than your supplier about CSOS Enrollment.
Answer: To obtain a CSOS Certificate, you need to sign up at https://deaecom.gov/csos2. You will be required to complete online identity verification via Login.gov. After successful identity verification, you will need to create your CSOS online profile. Once your profile is created, you can request a CSOS certificate. Your request will be assigned to the DEA registration authority, your organization's Registrant, or Coordinator. You will be notified via email when your request has been approved or rejected. You can also check the status of your request on the CSOS portal.
Answer: After successful identity verification via Login.gov and CSOS online profile creation, you can easily add, load from a text file, or select more than one DEA registration from the list on the Create Request page.
Answer: You will need a valid state-issued identification, such as a driver's license, social security number, phone number, and email address to complete identity verification. For more information, check the Login.gov documentation at https://www.login.gov/help/verify-your-identity/overview. Additionally, you will need approval from the DEA Registration Authority, your organization's Registrant, or Coordinator.
Answer: For the enrollment, renewal, or revocation process, the modernized CSOS system (https://deaecom.gov/csos2) is compatible with all browsers. For the certificate retrieval process, DEA strongly recommends using Internet Explorer (versions 8-11). On Windows 8 and 10, Internet Explorer 11 is only supported in Desktop Mode. CSOS also supports Firefox (versions 15-57, 60-68). Google Chrome has not been thoroughly tested, so it is not fully supported. To verify your Web browser's version:
- Internet Explorer
  1. Open Internet Explorer.
  2. In the top menu bar, select Help | About Internet Explorer.
  3. Locate the Version number and verify that it is 8 or higher.
  4. Click OK to close the About Internet Explorer screen.
- Firefox
  1. Open Firefox Browser.
  2. In the top menu bar, select Help | About Firefox.
  3. Locate the version number and verify that it is 15 through 57. Versions 58 and 59 are not supported.
  4. Click the X to close the About Firefox Browser screen.
Answer: A required trust relationship is established using the CA Certificates. The DEA E-Commerce Certification Authority issues the CSOS Sub Certification Authority Certificate. The CSOS Sub CA issues CSOS Subscriber Certificates. For a subscriber's CSOS Certificate to be recognized as valid, both CA certificates must be installed on the ordering or order validating computer.
Answer: CSOS Certificate activation notices can be expected approximately 3-4 business days from the final approval date. Check the CSOS user portal for the latest request status.
Answer: A request can be rejected for various reasons, such as your affiliation with the requested organization or your role within the organization. Depending on the role you apply for, your request will be assigned to the DEA Registration Authority, the organization's Registrant, or the organization's Coordinator for approval.
Retrieving CSOS Certificates
Answer: Once your CSOS Certificate is ready to be retrieved (downloaded), you will receive an E-mail activation notice. One notice will be sent for each Certificate that you have been issued. This notice will contain an Access Code, which you will need to retrieve your Certificate.
An accompanying postal mail activation notice will be sent on the same day as your E-mail(s). One postal mail activation notice will be sent for each Certificate issued. For cases where multiple activation notices have been received, each postal mailed document must be matched with its associated E-mail activation notice. The E-mail and postal mailed activation notices may be matched using either the DEA Registration number or Certificate Serial Number.
Use the information in your postal mail activation notice along with the Access Code from the accompanying E-mail to retrieve your Certificate from the DEA E-Commerce Web site.
Answer: You will download your Certificate(s) from the Web page listed on your postal mail activation notice. The following resources are available to assist you with Certificate retrieval.
Digital signing resources are listed for the following Microsoft products:
- Microsoft Windows Server 2003
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
- Microsoft Windows XP
- Microsoft Windows 7
- Microsoft Windows 8.0
- Microsoft Windows 8.1
- Microsoft Windows 10
Answer: Multiple activation notices indicate that multiple Certificates have been issued. Reasons for multiple Certificates being issued include the following scenarios:
- Registrant, coordinators, and POAs are issued one CSOS Certificate for each DEA Number.
Answer: Locate your E-mail address in the mailed document and verify that it is correct.
- If the E-mail address is incorrect, please contact the Support Desk.
- If the E-mail address is correct, the activation E-mail may have been sent to your E-mail client's junk mail folder. Please look for an E-mail from regauth@deaecom.gov. If you are unable to locate the activation E-mail, please contact the DEA E-Commerce Support Team and request that the E-mail be re-sent.
Answer: Please verify that you are entering the Web Site Username and Web Site Password as indicated on the postal mail activation notice for your Certificate. The Web Site Password is case sensitive, so it must be typed exactly as it appears on your postal mail activation notice.
An error stating 'You are unauthorized to access this page' will be received after entering an incorrect Website Username or Website Password multiple times. If this error is received:
- Close your Web browser
- Re-Open the browser and access the DEA E-Commerce Certificate Retrieval Web site.
- Click the Retrieve a CSOS Certificate button
- Re-enter your Web site Username and Website Password
Answer: The Web site Username and Web site Password are indicated on the postal mail activation notice. The Username and Password are case sensitive.
Answer: When a Subscriber's CSOS Certificate is ready to be activated/retrieved, the subscriber will receive activation notices via E-mail and postal mail. The E-mailed activation notice will contain the Certificate's Access Code. The postal mail activation notice contains the Certificate's Access Code Password. The Access Code and Access Code Password are unique for each Certificate.
Answer: Each Certificate has a unique Access Code and a unique Access Code Password. If you have received multiple activation E-mails, please inspect each Access Code number carefully, because it does differ from the other Certificate's Access Codes.
Answer: This error can be caused by a number of issues:
- The activation information has expired
  - Verify that it has not been 60 days from the date printed on the top right corner of the postal mailed activation notice.
  - Call Diversion E-Commerce Support if your activation information has expired.
- The certificate has already been activated
  - Each Certificate may only be activated once (since activation generates the private key associated with the Certificate).
  - Please call Diversion E-Commerce Support for assistance with verifying whether your Certificate has already been activated.
- The Access Code and Password have been entered incorrectly
  - Typically, an incorrect access code or password will result in error 3274 or 3290. However, we have seen (-1666) be the result of an incorrect access code and/or password.
Answer: The above error number indicates one of the following issues:
- An incorrect Access Code or Access Code Password was entered
- The Access Code and Access Code Password do not match. If you received multiple activation notices (for multiple certificates), the notices you are using must contain matching DEA Registration numbers or Admin Cert ID Numbers.
Click the Back button on your Web browser and verify the Access Code and Access Code Password.
Answer:
- "An Error has occurred:
  (-3290) Incorrect or invalid authentication token."
This error indicates that an incorrect Access Code and/or Access Code Password has been entered. Please re-enter your Access Code (from E-mail) and Access Code Password (from postal mail). If you received multiple activation notices, please verify that the E-mail and postal mail activation notices (from which you are taking your Access Code and Access Code Password) have matching DEA Registration numbers and Certificate Serial Numbers.
Answer: Certificates, by default, are placed in the Certificate Store of the browser used to activate them.
To view Certificates that were activated using Internet Explorer:
- In the Internet Explorer menu bar, select Tools -> Internet Options
- Switch to the Content tab
- Click the Certificates button
- Successfully retrieved CSOS Certificates will be in the Personal tab and are issued by "CSOS CA"
To view Certificates that were activated using Firefox:
- Firefox downloads the certificate to a .p12 file in the user's Downloads folder.
- To load the certificate into the Microsoft Certificate store, double-click the .p12 file and follow the Certificate Import Wizard.
- To view the certificate after importing, open Internet Explorer, go to Tools/Internet Options/Content tab, and click Certificates.
Answer: CSOS Certificates must be exported if they are to be installed on another computer. To export Certificates that were activated using Internet Explorer:
To export Certificates that were activated using Firefox:
Answer: CSOS uses digital certificates, which never need to be printed. The Certificate is a file stored on the computer that will be used to digitally sign electronic orders of controlled substances.
Answer: Once your Certificate has been retrieved, you will need to set up your ordering software. Typically, most subscribers will need to contact a wholesaler or distributor in order to set up software.
Answer: Yes, you may set a password for a Certificate that does not have one. You may also use the following steps to re-set an existing password. These instructions are intended for Certificates not already installed in wholesaler software. Please contact Diversion E-Commerce Support for assistance if your Certificate is already installed in wholesaler software.
- Step 1: Export the Certificate from the Internet browser.
- Step 2: Import the Certificate back into the browser's Certificate store and set the password
- Step 3: Delete the certificate file that had been exported. Do not delete the certificate that is in the browser's certificate store.
Answer: Your CSOS Signing Certificate must be installed on any computer used to place electronic orders for controlled substances. Certificates may be installed on multiple computers. In order to copy a Certificate from the computer used to activate it onto another computer, you must do the following:
- Step 1: Export the Certificate from the computer used to activate it onto USB stick
- Step 2: Contact your wholesaler for directions on how to install your certificate into their software
Answer:
- Step 1: Export the Certificate from the computer used to activate it onto USB stick
- Step 2: Contact your wholesaler for directions on how to install your certificate into their software
Answer: Paper 222 forms are not used when placing electronic orders for controlled substances. Registrants are strongly encouraged to maintain a backup supply of 222 forms. Instances where one might need to fall back on paper ordering include:
- CSOS Certificate expiration or revocation - the certificate is no longer valid for electronic ordering.
- Computer failure - the ordering computer crashes, has software malfunctions, no longer has an internet connection, or is stolen.
Answer: For Certificates activated using Internet Explorer:
- In the Internet Explorer menu bar, select Tools -> Internet Options
- Switch to the Content tab
- Click the Certificates button
- Double-click on your CSOS Certificate found under the Personal tab
- In the Certificate window, select the Details tab
- Scroll down to the Public Key field and refer to the entry under the Value column (i.e. RSA (2048 bits) will be displayed for a certificate with an encryption level of 2048).
For Certificates activated using Firefox:
- In the menu bar, select Tools -> Options
- Verify that the Advanced icon is selected on the top of the screen
- Select the Encryption tab
- Click on the View Certificates button
- Double-click on your certificate under the U.S. Government category (click the + to expand if necessary)
- From the Certificate Viewer window, select the Details tab
- Under the Certificate Fields table, scroll to and select the Certificate Signature Value field
- In the Field Value table, the top line of the entry will provide the encryption level of your CSOS certificate (i.e. Size: 128 Bytes/2048 Bits will be displayed for a certificate with an encryption level of 2048).
For more information, please refer to the 1024 Revocation Background document.
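The manual checks above (key size here, and the CA trust chain described in the earlier answer about CA Certificates) can be scripted for certificates held in the Windows certificate store. This is an added example, not DEA or wholesaler code; the function and parameter names are hypothetical, and the "CSOS CA" issuer match, 2048-bit threshold and 45-day window are assumptions taken from this page's wording.

```powershell
# Added example: inventory CSOS certificates in the Windows certificate store.
# Assumptions (not DEA code): function/parameter names, thresholds, issuer text.
function Get-CsosCertificateReport {
    param(
        [string]$StorePath   = 'Cert:\CurrentUser\My',  # the "Personal" tab
        [string]$IssuerMatch = 'CSOS CA',               # issuer text per this page
        [int]$MinKeyBits     = 2048,                    # size used in the page's example
        [int]$WarnDays       = 45                       # CSOS expiry notice lead time
    )

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
        ForEach-Object {
            $cert     = $_
            $findings = @()

            # Public key size: the value shown under Details > Public Key.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            $keyBits = if ($rsa) { $rsa.KeySize } else { $null }
            if ($null -eq $keyBits) {
                $findings += 'public key is not RSA'
            } elseif ($keyBits -lt $MinKeyBits) {
                $findings += "key size $keyBits bits is below $MinKeyBits"
            }

            # Expiry: the certificate expires with the DEA Registration.
            $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            if ($daysLeft -lt 0) {
                $findings += 'certificate has expired'
            } elseif ($daysLeft -le $WarnDays) {
                $findings += "expires in $daysLeft days"
            }

            # Signing requires the private key to be present on this computer.
            if (-not $cert.HasPrivateKey) {
                $findings += 'no private key in this store'
            }

            # Trust chain: subscriber -> CSOS Sub CA -> DEA E-Commerce CA.
            # Revocation lookups are skipped so the check runs offline; this
            # confirms only that the CA certificates are installed and trusted.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $trusted = $chain.Build($cert)
            if (-not $trusted) {
                $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
                $findings += "chain does not validate ($status); check that both CA certificates are installed"
            }

            [pscustomobject]@{
                Subject       = $cert.Subject
                SerialNumber  = $cert.SerialNumber
                FriendlyName  = $cert.FriendlyName
                NotAfter      = $cert.NotAfter
                DaysLeft      = $daysLeft
                KeyBits       = $keyBits
                HasPrivateKey = $cert.HasPrivateKey
                ChainTrusted  = $trusted
                ChainLength   = $chain.ChainElements.Count
                Findings      = $findings -join '; '
            }
        }
}

# Review every CSOS certificate for the logged-on user.
Get-CsosCertificateReport | Format-List
```

An empty Findings value means the certificate passed all four checks; the serial number in the output can be matched against the Certificate Serial Number on the activation notices.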
Usage of CSOS Certificate
Answer: CSOS Certificates may only be used by the owner of the certificate. CSOS Certificates are loaded into a CSOS enabled ordering software system and are used for digitally signing controlled substance orders.
Answer: DEA may not recommend vendors for CSOS enabled ordering software. Pharmacies may contact their distributors. Trade associations such as the HDMA provide guidance on software vendors. You may also use a search engine to look up "Controlled Substance Ordering System software."
Answer: Each CSOS certificate is issued to only one individual person. This person, called a CSOS Subscriber, is an individual who enrolled in the CSOS program with DEA and whose name appears in the digital certificate. A digital signature using a CSOS certificate is required when submitting an electronic order for controlled substances. Only the individual subscriber whose name appears in the certificate is authorized to perform this digital signature.
Other individuals are free to request their own CSOS digital certificates for signing controlled substance orders, but may never use someone else's certificate.
This aspect of the CSOS program is a strict requirement by DEA and is governed by the Code of Federal Regulations.
DEA E-Commerce support is available to assist with all questions regarding this matter:
- Phone: 1-877-DEA-ECOM (1-877-332-3266) toll free
- E-mail: Click here for Web form
Maintaining your CSOS Certificate
Answer: You should report a lost, stolen, or damaged CSOS Certificate to DEA Diversion E-Commerce Support immediately to formally request revocation of your lost, stolen or damaged CSOS Certificate. The Support Desk will help you to enroll for a new CSOS Certificate. For assistance contact DEA Diversion E-Commerce Support at:
- Phone: 1-877-DEA-ECOM (1-877-332-3266) toll free
- E-mail: Click here for Web form
Answer: CSOS Certificates expire when the DEA Registration to which they are associated expires. CSOS will send an email notifying the Subscriber and Coordinator 45 days prior to the expiration date of the Subscriber’s CSOS certificate.
Answer: Yes and no. Once the CSOS Certificate is issued, the information within that Certificate may not be changed. Should any of the CSOS Subscriber's information change, a new CSOS Certificate with the current Subscriber information must be issued. You are required to request a new Certificate using the updated information and then request that the original Certificate be revoked. For assistance please contact DEA Diversion E-Commerce Support.
Answer: Federal Regulations do not allow for CSOS Certificates to be backed up. Certificates may be copied and installed into ordering software on multiple computers, but should never be backed up.
Answer: Once your CSOS Certificate has been deleted, damaged or overwritten, there is no way to reactivate your CSOS Certificate. You will need to revoke your CSOS Certificate, and then request a new one. If you need support, please contact DEA Diversion E-Commerce Support for assistance.
Answer: Certificates may be given a "friendly name" after being retrieved/activated.
- From Internet Explorer, open the Tools menus and select Internet Options.
- In Internet Options, select the Content tab and click the Certificates button.
- Locate and double-click the certificate that is to be named. The certificate can typically be identified based on the expiration date (this date will match the date that the associated DEA Registration expires).
- With the certificate open, select the Details tab and click Edit Properties.
- Name the certificate in the Friendly name field. Optionally, enter a description in the Description field.
- Click the OK button twice to close two screens. Back at the certificates screen, the named certificate will now show a friendly name that assists with identification.
Security and Privacy Concerns
Answer: No. A CSOS Certificate may only be used by the original Certificate applicant, whose name appears in the CSOS Certificate. Any unauthorized access to your CSOS Certificate must be reported immediately to DEA Diversion E-Commerce Support at:
- Phone: 1-877-DEA-ECOM (1-877-332-3266) toll free
- E-mail: Click here for Web form
Answer: You must report any suspected or actual unauthorized access to your CSOS Certificate to DEA Diversion E-Commerce Support immediately. The CSOS Certificate will be revoked. You may then enroll for a new CSOS Certificate. You may contact the Support Desk at:
- Phone: 1-877-DEA-ECOM (1-877-332-3266) toll free
- E-mail: Click here for Web form
Answer: Refer to the Privacy Policy.
Answer: Please refer to the Privacy Policy for concerns regarding the protection of your personal information. You may also consult the DEA Diversion E-Commerce Certificate Policy for more detailed information on the policy governing the protection of your personal information.
Answer: The Access Code and Access Code Password are used by an approved CSOS Certificate applicant to retrieve his/her CSOS Certificate. The Access Code and Password are therefore two key pieces of information supplied to a Subscriber by the CSOS Certification Authority in order to ensure that only the CSOS applicant has the ability to retrieve his/her CSOS Certificates. The applicant must not share his/her Access Code (received via E-mail) with anyone and must not share the information contained in the mailed document from the CSOS Certification Authority with anyone outside of the CSOS Coordinator.
Answer: You should immediately have your CSOS Certificate(s) stored on that computer revoked. Report the incident to the CSOS Support Desk at:
- Phone: 1-877-DEA-ECOM (1-877-332-3266) toll free
- E-mail: Click here for Web form
The Support Desk will provide you with instructions for enrolling for a new CSOS Certificate.
CSOS Reporting
Answer: There is a new CSOS EDI record format for suppliers submitting transaction records electronically to DEA. Each reporter must enroll for CSOS reporting, after which they will be issued a user name and password. The user name and password may then be used to access a secure CSOS Reporting Web site in order to submit CSOS reports. All suppliers must report CSOS transactions using CSOS Reporting. Please reference our Reporting page for more details.
Answer: All CSOS transactions must be reported by the supplier using CSOS Reporting. Any individual within the supplying organization may enroll the organization in CSOS Reporting. The user name and password issued will be for the organization and will not be specific to the individual. It is up to the Registrant to determine the individual to enroll the organization in CSOS Reporting. The enrolling individual will become the main point of contact for the DEA Registrant with regards to CSOS Reporting.
Answer: All current ARCOS reporters must submit CSOS formatted reports in addition to ARCOS reports for the time being.
Answer: CSOS transactions must be submitted within two (2) business days from when the order was filled. You do not need to submit a CSOS Report if no transactions occurred.
Answer: Please contact DEA Diversion E-Commerce Support as soon as possible.
Answer: The reporting format is documented in the following document:
Answer: If an erroneous CSOS transaction has been reported, you may resubmit the correct transaction. The new, correct CSOS transaction report will take the place of the old, erroneous report.
Answer: When an order is partially filled one day, with the rest of the order filled later, each line item of the order should be reported according to the day it was filled.
Answer: CSOS transaction records require an NDC number. As with the paper Form-222 system, controlled substance orders may be made using a generic description rather than NDC number. The supplier may use the NDC number for the controlled substance supplied. The ARCOS Registrant Handbook contains NDC numbers by drug category. These numbers may be used when the supplied controlled substance does not have an NDC number.
Answer: A central reporter number is given when a company has multiple facilities, each of which sends its reports to the central office. The central office then sends the reports to DEA.
For example: Company ABC has 1,000 locations, but 6 central facilities. If these facilities are responsible for reporting, then Company ABC would have 1,000 DEA numbers and 6 central reporter numbers. Therefore, CSOS knows which facility has submitted their reports and who the point of contact for each central facility is.
Answer: Only after enrollment and approval for CSOS Reporting may an existing ARCOS EDI account be used for CSOS Reporting. Optionally, a new account can be issued exclusively for CSOS.
Answer: Your CSOS reporting username and password DO NOT expire. They will be valid as long as you are participating in the CSOS program.
Answer: Please contact DEA Diversion E-Commerce Support.
Question: How is the ARCOS transaction record format different from the CSOS transaction record format?
Answer: Characters 1-80 of both record formats are the product information for the actual product shipped. CSOS Records include an additional set of characters, characters 81-105, which refer to the actual product ordered. The additional fields in the CSOS Record format take into account order substitution and packaging changes.
Examples:
- Based on a prior agreement, if a supplier does not have the ordered controlled substance in stock, they may replace the ordered substance with another comparable substance. In this case, the CSOS transaction record would contain the supplied substance, but also the requested drug information in the additional character fields (characters 81-105).
- If one (1) 500 count package of a controlled substance is ordered, the supplier may fill the order with five (5) 100 count packages if the supplier and requestor have an agreement to make such a replacement. In this case the ordered substance would be recorded in the character 81-105 fields, while the supplied substance would be recorded in the character 1-80 fields.
Answer: Please contact DEA Diversion E-Commerce Support.
Answer: Reverse distribution transactions require a paper form DEA-222 or digitally signed electronic order (using CSOS). The supplier is required to report each transaction. Since only ARCOS participating DEA Registrants are eligible to report CSOS transactions, reverse distribution is not permitted when the supplier is a non-ARCOS participant.
For example, a pharmacy or hospital may only accept a paper 222 order from a reverse distributor or wholesaler when returning controlled substances because the pharmacy/hospital is not able to report this transaction electronically. If the controlled substance supplier in the reverse distribution transaction IS a DEA ARCOS participant, then reverse distribution using an electronic CSOS order is permitted. One scenario where reverse distribution is permitted would be with a DEA ARCOS registered wholesaler fulfilling an order from a reverse distributor.
CSOS Software Auditing
Answer: Improperly developed software applications, or the use of digital-signing cryptographic modules that are not federally approved, can result in unacceptably high levels of risk, creating the opportunity for the diversion of controlled substances. Just as with other heavily regulated environments (such as with the FDA), DEA requires that a CSOS application audit be performed by an independent auditor to ensure that this risk is mitigated by validating that the software is compliant with the DEA Regulations described in CFR 21.
Answer: CSOS applications must be audited:
- 1) prior to the application being placed into production to ensure that the cryptographic modules and software are in compliance with the regulations
- 2) when changes are made to any portion of the software covered by DEA regulations (see Question How frequently must I have my CSOS application re-audited? below)
Answer: An independent third-party auditor must perform the audit. Ideally, the auditor should have a background with controlled substance ordering systems and DEA regulations (many auditing firms retain legal counsel to interpret the regulations; others will rely on your regulatory department for guidance).
Answer: Auditors must validate that the cryptographic modules are FIPS 140-2 certified (FIPS 140-2 “grandfathers in” FIPS 140-1 certified modules). Auditors must also validate all aspects of the software that are addressed in the regulations.
Answer: You are not required to have the CSOS application re-audited unless there have been modifications to the software or cryptographic modules that would necessitate an additional audit to validate their compliance. If any changes are made to the CSOS application that are covered under the DEA regulations, the auditor must audit those changes to ensure that the regulations are still being met.
Answer: The proof of compliance rests on the shoulders of the company using the CSOS application. CSOS participants purchasing out-of-the-box (ready-made) solutions should ensure that the vendor has had the application properly audited and should request a copy of the auditor’s results as proof. Application purchasers “inherit” the compliance audit results from the vendor. If the application is significantly modified after purchase and installation, it may need to be re-audited to ensure that DEA regulations are still being met.
Answer: No. You are required to maintain your audit results and provide them to a DEA Diversion Investigator upon request; however, you are not required to submit the audit results to DEA in advance of production. DEA’s expectation is that a company will retain the audit test plan, results and auditor’s opinion or attestation letter demonstrating the system complies with the DEA Rule.
Answer: No. DEA recognizes that each system platform is different, so no universal test plan can be developed that is suitable for use with all systems. Each company or auditing firm will have drafted its own test plan and scripts specific to its platform and application, using the DEA regulations as a basis for any test plan.
DEA E-Commerce Web site
Answer: There are several reasons documents will not open. If you receive the error message "File does not begin with '%PDF-'", you may be running a version older than Adobe Reader version 6. Rather than attempting to open the form by clicking the link:
- Right click on the link or form icon
- Select 'Save Target As'
- Save the file to your Desktop
- Once the file is done downloading, open it from your desktop
This workaround avoids the issues caused by opening an Adobe form in Internet Explorer.
Answer: Some links on this site open in a new window and require that your Web browser has JavaScript enabled. JavaScript is typically enabled by default. To enable JavaScript in Internet Explorer:
- In Internet Explorer, click the Tools menu and select Internet Options
- Select the Security tab
- Click the Custom Level button
- Near the bottom of the list in the Scripting section is a setting for Active scripting
- The Enable option should be selected
- Click OK to close the Security Settings window
- Click OK to close the Internet Options window
- Close and reopen Internet Explorer
Answer: This Web site, including content, images, and PDF documents, is Section 508 compliant. Section 508 requires that Federal agencies' electronic and information technology is accessible to people with disabilities. For more information on Section 508 compliance, please visit https://www.section508.gov
Disclaimer: Guidance documents, like this document, are not binding and lack the force and effect of law, unless expressly authorized by statute or expressly incorporated into a contract, grant, or cooperative agreement. Consistent with Executive Order 13891 and the Office of Management and Budget implementing memoranda, the Department will not cite, use, or rely on any guidance document that is not accessible through the Department's guidance portal, or similar guidance portals for other Executive Branch departments and agencies, except to establish historical facts. To the extent any guidance document sets out voluntary standards (e.g., recommended practices), compliance with those standards is voluntary, and noncompliance will not result in enforcement action. Guidance documents may be rescinded or modified in the Department's complete discretion, consistent with applicable laws.