Lesson 6: Registration
Checklist items 1 through 4 are grouped under the Registration Process, where users establish their accounts in the system. This process typically requires users to provide information about themselves. The system administrator then reviews this information and provides the users with system privileges and signing credentials. Checklist items 1 through 4 represent the CROMERR requirements that this registration process must satisfy.
Explore the contents of each section.
1. Identity-Proofing of Registrant
For users who will sign electronic reports, CROMERR requires that the system determine the individual's identity, usually as a part of the registration process. This identity-proofing is the one CROMERR requirement that is more stringent for users who will sign Priority Reports.
For users who will sign Priority Reports, CROMERR requires that the system establish their identity before accepting reports with their electronic signatures. There are two ways to do this. One is to establish identity through verification by, and attestation of, a disinterested party, based on identifiers—at least one of which is government-issued. The other way is to include the registrant's handwritten signature as part of the electronic signature agreement (ESA) process. Where the ESA is executed on paper with a handwritten signature, it is called a "subscriber agreement."
For users who sign only Non-Priority Reports, CROMERR does not specify when or how the identity proofing must be done, although either method specified for Priority Reports will satisfy the requirement in the non-priority case.
2. Determination of Registrant’s Signing Authority
CROMERR requires the system to determine that users who will sign reports are actually authorized to do so on behalf of the specified regulated entities. This determination is usually based on some combination of the program's existing knowledge of the regulated entities, information submitted by the users or officials of the regulated entities, and some follow-up verification such as phone calls or as a part of routine inspections.
3. Issuance (or Registration) of a Signing Credential in a Way that Protects it from Compromise
CROMERR requires the system to provide users who will sign electronic reports with electronic signature devices (or credentials) to execute their electronic signatures. These devices could be passwords, PINs, PKI certificates associated with private-public key pairs, physical tokens such as a USB device, or devices incorporating biometrics (e.g., fingerprints). Whatever device is issued (or registered), there are two basic requirements that need to be met. The first is to ensure that a device intended for a specific, identified user is issued only to that individual. The second is to ensure that the process of issuing that device—and maintaining a record of it on the system—protects the device from compromise.
4. Electronic Signature Agreement
CROMERR requires that users sign an Electronic Signature Agreement, and this is normally part of the registration process. This agreement must include language that obligates the registrant to protect the credential from compromise, and to immediately report any evidence of compromise to the system administrator. The agreement must also include a statement that the registrant understands that any electronic signature executed with the electronic signature device is as legally binding as a handwritten signature.
- Review the Regulation Language: § 3.2000(b)(5)(v)
- Definition of Electronic Signature Agreement
- Definition of Subscriber Agreement