| (a) The department shall maintain an "Approved List
of PKI Service Providers" authorized to issue certificates for digitally
signed communications sent to institutions of higher education or
otherwise provide services in connection with the issuance of certificates.
The list may include, but shall not necessarily be limited to, Certification
Authorities, Certificate Manufacturers, Registrars, and/or other PKI
Service Providers accepted and approved for use in connection with
electronic messages transmitted to other state or federal governmental
entities. A copy of such list may be obtained directly from the department,
or may be obtained electronically via the department's website.
(b) Institutions of higher education shall only procure,
or otherwise implement, certificates from PKI Service Providers that
appear on the "Approved List of PKI Service Providers."
(c) The department shall determine whether to place
a PKI Service Provider on the "Approved List of PKI Service Providers"
after the PKI Service Provider provides the department with a copy
of its current certification practice statement, if any, and a copy
of an examination report performed in accordance with standards set
in the American Institute of Certified Public Accountants (AICPA)
Statement on Standards for Attestation Engagement No. 16 (SSAE 16)
(or a successor AICPA standard) to ensure that the PKI Service Provider's
practices and policies are consistent with the requirements of the
PKI Service Provider's certification practice statement, if any, and
the requirements of this section.
(d) In order to be placed on the "Approved List of
PKI Service Providers" a PKI Service Provider that has been in operation
for one year or less shall undertake a SSAE 16 Service Organization
Control (SOC) 2 Type 1 examination (or a successor AICPA standard)
and the results of the examination must be deemed satisfactory by
the department.
(e) In order to be placed on the "Approved List of
PKI Service Providers" a PKI Service Provider that has been in operation
for longer than one year shall undertake a SSAE 16 Service Organization
Control (SOC) 2 Type 2 examination (or a successor AICPA standard)
and the results of the examination must be deemed satisfactory by
the department.
(f) In lieu of the examination requirements of subsections
(d) and (e) of this section, a PKI Service Provider may be placed
on the "Approved List of PKI Service Providers" upon providing the
department with documentation issued by a person independent of the
PKI Service Provider that is indicative of the security policies and
procedures actually employed by the PKI Service Provider and that
is acceptable to the department in its sole discretion. The department
may request additional documentation relating to policies and practices
employed by the PKI Service Provider indicating the trustworthiness
of the technology employed and compliance with applicable department
guidelines.
(g) To remain on the "Approved List of PKI Service
Providers" a Certification Authority must provide proof of compliance
with the examination requirements or other acceptable documentation
to the department every two years after initially being placed on
the list. In addition, a Certification Authority must provide a copy
of any changes to its certification practice statement to the department
promptly following the adoption by the Certification Authority of
such changes.
(h) If the department is informed that a PKI Service
Provider is no longer in full compliance following a required examination
and the non-compliance is deemed to be material by the department,
or if the department obtains credible information that the technology
employed by the PKI Service Provider can no longer reasonably be relied
upon, the PKI Service Provider may be removed from the "Approved List
of PKI Service Providers" by the department. The effect of the removal
of a PKI Service Provider from the "Approved List of PKI Service Providers"
shall be to prohibit institutions of higher education from thereafter
accepting digital signatures for which the PKI Service Provider issued
a certificate or provided services in connection with such issuance
for so long as the PKI Service Provider is removed from the list.
The removal of a PKI Service Provider from the "Approved List of PKI
Service Providers" shall not, in and of itself, invalidate a digital
signature for which a PKI Service Provider issued the certificate
prior to its removal from the list.
|
| Source Note: The provisions of this §203.45 adopted to be effective November 28, 2004, 29 TexReg 10710; amended to be effective September 20, 2011, 36 TexReg 6143; amended to be effective March 4, 2013, 38 TexReg 1353 |
