(a) The department shall maintain an "Approved List of PKI Service Providers" authorized to issue certificates for digitally signed communications sent to state agencies or otherwise provide services in connection with the issuance of certificates. The list may include, but shall not necessarily be limited to, Certification Authorities, Certificate Manufacturers, Registrars, and/or other PKI Service Providers accepted and approved for use in connection with electronic messages transmitted to other state or federal governmental entities. A copy of such list may be obtained directly from the department, or may be obtained electronically via the department's website.
(b) State agencies shall only procure, or otherwise implement, certificates from PKI Service Providers that appear on the "Approved List of PKI Service Providers."
(c) The department shall determine whether to place a PKI Service Provider on the "Approved List of PKI Service Providers" after the PKI Service Provider provides the department with a copy of its current certification practice statement, if any, and a copy of an examination report performed in accordance with standards set in the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagement No. 16 (SSAE 16) (or a successor AICPA standard) to ensure that the PKI Service Provider's practices and policies are consistent with the requirements of the PKI Service Provider's certification practice statement, if any, and the requirements of this section.
(d) In order to be placed on the "Approved List of PKI Service Providers" a PKI Service Provider that has been in operation for one year or less shall undertake an SSAE 16 Service Organization Control (SOC) 2 Type 1 examination (or a successor AICPA standard) and the results of the examination must be deemed satisfactory by the department.
(e) In order to be placed on the "Approved List of PKI Service Providers" a PKI Service Provider that has been in operation for longer than one year shall undertake an SSAE 16 Service Organization Control (SOC) 2 Type 2 examination (or a successor AICPA standard) and the results of the examination must be deemed satisfactory by the department.
(f) In lieu of the examination requirements of subsections (d) and (e) of this section, a PKI Service Provider may be placed on the "Approved List of PKI Service Providers" upon providing the department with documentation issued by a person independent of the PKI Service Provider that is indicative of the security policies and procedures actually employed by the PKI Service Provider and that is acceptable to the department in its sole discretion. The department may request additional documentation relating to policies and practices employed by the PKI Service Provider indicating the trustworthiness of the technology employed and compliance with applicable department guidelines.
(g) To remain on the "Approved List of PKI Service Providers" a Certification Authority must provide proof of compliance with the examination requirements or other acceptable documentation to the department every two years after initially being placed on the list. In addition, a Certification Authority must provide a copy of any changes to its certification practice statement to the department promptly following the adoption by the Certification Authority of such changes.
(h) If the department is informed that a PKI Service Provider is no longer in full compliance following a required examination and the non-compliance is deemed to be material by the department, or if the department obtains credible information that the technology employed by the PKI Service Provider can no longer reasonably be relied upon, the PKI Service Provider may be removed from the "Approved List of PKI Service Providers" by the department. The effect of the removal of a PKI Service Provider from the "Approved List of PKI Service Providers" shall be to prohibit state agencies from thereafter accepting digital signatures for which the PKI Service Provider issued a certificate or provided services in connection with such issuance for so long as the PKI Service Provider is removed from the list. The removal of a PKI Service Provider from the "Approved List of PKI Service Providers" shall not, in and of itself, invalidate a digital signature for which a PKI Service Provider issued the certificate prior to its removal from the list.
Source Note: The provisions of this §203.25 adopted to be effective November 28, 2004, 29 TexReg 10710; amended to be effective September 20, 2011, 36 TexReg 6143; amended to be effective March 4, 2013, 38 TexReg 1353