TITLE 14: COMMERCE
SUBTITLE A: REGULATION OF BUSINESS
CHAPTER I: DEPARTMENT OF CENTRAL MANAGEMENT SERVICES
PART 105 ELECTRONIC COMMERCE SECURITY ACT
SECTION 105.20 ROLES OF THE DEPARTMENT, THE STATE POLICY AUTHORITY, THE LOCAL REGISTRATION AUTHORITY AND OTHER STATE AGENCIES
a) Department of Central Management Services
1) State Certification Authority/Certification Authority
A) Under Section 25-105 of the Act, the Department has the exclusive authority to specify the policies and procedures for certifying the security of digital records and signatures used by State agencies and persons conducting business with State agencies. CMS performs two essential functions:
i) authenticating the identity of the person who will be named on a certificate (i.e., the subscriber) and verifying that the subscriber possesses the private key that corresponds to the public key to be listed on the certificate; and
ii) issuing and digitally signing the subscriber's certificate.
B) The Department issues a Certificate Policy (CP) and a Certification Practices Statement (CPS) that describe various policies and procedures relating to the issuance of certificates and the use of digital signatures.
2) State Operational Authority
The Director of CMS, as chief administrative officer of the State OA, has delegated the responsibility of overseeing day-to-day operations to the State Operational Authority.
In determining the security of electronic record and signature procedures, the Department relies on the Federal Information Processing Standards (FIPS) established by the Information Technology Laboratory of the National Institute of Standards and Technology (NIST), U.S. Department of Commerce, 100 Bureau Drive, Stop 1070, Gaithersburg MD 20899-1070, http://www.itl.nist.gov/fipspubs/ (2007, no later amendments or editions included).
b) State Policy Authority
1) The PA will advise the Department on developing and maintaining the CP and CPS. The PA will include representatives of such State entities as the Comptroller's Office, State universities and agencies under the Governor and representatives of local government.
2) The PA may review technologies and submit them for CMS consideration as a qualified security procedure to be certified by CMS.
c) Local Registration Authority
1) CMS, as RA, is responsible for authenticating the identity of a subscriber before a certificate is issued. Under the CP and CPS, CMS may delegate RA functions and some CA functions to a Local Registration Authority (LRA). For purposes of the CP and CPS, an LRA is responsible for authenticating the identification of subscribers for a CA. For example, a State university may authenticate the identity of faculty, staff and students who have applied for a certificate.
2) Qualification of LRAs
A) Initial Qualification. Each participating State agency, and other entities as determined by CMS, with the advice of the PA, may nominate one or more individuals to serve as LRAs for that entity. Prospective LRAs must return a completed LRA application form and a signed LRA agreement (wet signature or digitally signed) to CMS. Applicant individuals must submit to a Department of State Police criminal history background check. If the background check reveals that the applicant has been convicted of a criminal offense, the applicant is subject to disqualification at the discretion of CMS, with the advice of the PA.
B) Ongoing Qualification. If a qualified LRA is formally accused of a criminal offense, the applicant must, within 3 days after being charged, notify CMS, which will notify the PA. CMS will periodically conduct random criminal history background checks of LRAs to assure compliance with the ongoing reporting requirements of this subsection (c)(2)(B).
C) Disqualification. LRA privileges may be denied, suspended or revoked at the discretion of CMS, with the advice of the PA. Reasonable notice and opportunity for hearing under Section 105.60 shall be provided. Grounds for denial, suspension or revocation of LRA privileges include, but are not limited to:
i) Conviction of a criminal offense.
ii) Failure to cooperate fully in any investigation by CMS.
iii) Failure to comply with the Act, this Part, the CP and the CPS.
iv) Separation from, or reassignment within, the sponsoring entity.
v) Refusal or inability to diligently complete the obligations of an LRA.
d) Other State Agencies
Under the Act, other State agencies may act as a CA provided that their certification program is conducted in accordance with all the rules, procedures and policies specified by CMS. A State agency that assumes the role of CA can do so only with respect to its own employees and persons conducting business with that agency.