DEA CSOS Pilot Conference Call, October 31, 2002



2 Agenda
- Pilot Review: Pilot Organization and Scope
- Phase III Review
- Phase III Status
  - Phase III: Accomplished Milestones
  - Phase III: Team Status/Project Plans
  - Phase III: Work in Progress/Current Issues
- Phase III: Test Planning
  - Phase III: Suggested Test Scenarios
  - Phase III: Sample Test Plan
- Phase III: Post Test Analysis
- Phase III: Schedule
- Phase III: Next Steps…
- Phase III: Questions…

3 Proposed Pilot Organization and Scope

Phase: Issues & Success Factors

1 – Online Registration (Use DEA-provided activation data to obtain a digital certificate w/ live data)
  - Technical interoperability
  - Certificate content review, field length analysis
  - Certificate portability
  - Documentation (Complete and easy to use)
2 – Application (Business completes and submits full CSOS enrollment application, DEA Adjudicates app.)
  - Application ease of use
  - Consistency with current processes
  - DEA Adjudication Processes
  - Organizational oversight of enrollment/termination process
3 – Order Processing (Business generation, transmission and processing of orders)
  - Standards for digitally signed transactions
  - Cost
  - Address Field / Record
  - Transaction integrity, certificate status, credential checks
4 – Reporting (Business generation of periodic CSOS reports)
  - Frequency
  - Format
5 – Auditing
  - Ensure that the business is storing order transactions in a DEA approved manner, and that they can be retrieved.

4 Phase III Review: Development Options
- Option One: Work with vendor/existing infrastructure
  - Advantages: Leverages existing infrastructure and tools – quicker time from test to implementation; ID gaps in current implementation
  - Disadvantages: Availability of vendor software?
- Option Two: Develop own code to generate or receive/validate 850.
  - Advantages: Some code available that can be “tweaked”
  - Disadvantages: Not working with existing infrastructure – may not get good idea of implementation costs
- Option Three: Hybrid

5 Phase III Review: Development Approach
- Form trading teams (purchaser/supplier and, possibly, vendors)
- Select process areas to work with partner
  - Team A: Purchaser:
    - Test Objective 1: Key Exchange Process
    - Test Objective 2: E-222 Generation Process
    - Test Objective 3: Transmission Process
    - Test Objective 6: Receiving Process
  - Team B: Supplier:
    - Test Objective 4: E-222 Receipt Process
    - Test Objective 5: Order Validation Process

6 Phase III Status: Accomplished Milestones
- Milestones:
  - 850 Transaction Sets Worksheets
  - 850 committee decision on signature approach (external to orders vs. wrapped around orders)
  - Future Process Flow Draft
  - HDMA Survey to determine platforms planned and presently in use
  - Pilot participants established trading partnerships/roles for Phase III testing, developed “project plan” with intended processes.
- Work in Progress:
  - Develop signed transaction to test digital certificate/processes

7 Phase III Status: Team Status/Project Plan

| Team | Platform/Tools | Processes |
|---|---|---|
| AmeriSource, McKesson, McQueary, Purdue and Anda purchasing from Mallinckrodt | B2B Servers, AS/400, WebMethods and RPG | 5.0 and 6.0 |
| Baxter purchasing from Mallinckrodt | B2B Servers, AS/400, WebMethods and RPG, Templar and Cyclone | 5.0 and 6.0 |
| Osborn and Grove Pharmacies purchasing from McQueary Bros. | PC-based | 2.0 and 4.0 |
| Dr. Jeffrey St. Cyr purchasing from So. Anesthesia and Surgical Supplier | Web-based | 5.0 |

8 Phase III Status: Team Status/Project Plan

| Team | Platform/Tools | Processes |
|---|---|---|
| McKesson purchasing from Endo | INTEL, Cyclone Boomi/SAP, EDI-INT FTP w/ data encryption | 2.0/4.0 and 5.0 |
| McKesson, McQueary and NC Mutual Drug purchasing from Abbott | Cyclone? Inovis TLE, Sun UNIX, Oracle, IBM Mainframe | 2.4, 4.0, 5.0 and 6.0 |
| Amerisource and McKesson purchasing from Purdue | TBD | |
| Mass. General Hosp. purchasing from Cardinal Health | TBD | |

9 Phase III Status: Work in Progress/Current Issues
- Work In Progress:
  - Development of application to test signed 850 transaction and selected processes.
- Issues:
  - Vendor software availability?
  - FIPS certification? Not necessary for pilot purposes.
  - Need time extension to complete development?
    - Development/Integration complete – 11/01
    - Industry Test Plan – 11/08
    - Testing complete – 12/13
  - Scale back on development plans to accommodate fewer processes?
  - Send to with estimated % of development complete and estimate of time extension

10 Phase III: Test Planning
- Testing should focus on technology, process flows, and Anticipated Standards.
- Each team will select and develop their own tests, based on their available resources.
- After development, teams will submit a test plan identifying the factors and scenarios that they were able to test – and their results. Sue from Abbott has made available a sample test plan that you can add to/subtract from.
- Results will be compiled into a “Gap Analysis” and be used to determine technological limitations and development costs in terms of effort and adoption expectations.

11 Phase III Test Planning: Suggested Test Scenarios (1/4)
- Processes 2.0/3.0 Key Exchange/Trading Partner Setup Scenarios:
  - Certificate (or Cert S/N) is received by trading partner (supplier)?
  - Certificate is correctly imported into PKI application?
  - Received certificate is properly validated by supplier?
  - Supplier is able to compare the extension data with the company’s back-end database and store the certificate?

12 Phase III Test Planning: Suggested Test Scenarios (2/4)
- Process 4.0 Ordering Initiation/Transmission Scenarios:
  - Do the orders contain the elements required by DEA?
  - Is each process step being satisfied successfully?
  - Is signing activation controlled exclusively by the purchaser?
  - Can the purchaser sign an 850?
  - Is the desktop set up to employ a 10-minute inactivity timeout?
  - Is the system clearing the private key from system memory on exit?
  - Are signed orders being saved for archival?
  - Can the purchaser successfully transmit a signed 850 to a supplier?
  - Is the signing system time within 5 minutes of a trusted time source?

13 Phase III Test Planning: Suggested Test Scenarios (3/4)
- Process 5.0 Order Authentication Scenarios:
  - Is extension information in the certificate being validated (shipping, registrant information)?
  - Is the order integrity being checked (not modified since signed)?
  - Is each order being checked against a current CRL?
  - Is the received order being archived after validation?
- Process 6.0 Order Fulfillment Scenarios:
  - Line items in order validated against schedules in certificate?
  - Order information has been archived for CSOS?

14 Phase III Test Planning: Suggested Test Scenarios (4/4)
- Error-handling (exception processing) Scenarios:
  - Did the certificate pass the integrity check on the hash?
  - Subsequent retransmission of order upon failure of hash?
  - Does the system properly validate the certificate/order?
  - Are expired certificates rejected?
  - Are revoked certificates rejected?
  - Are orders for a substance not authorized on the certificate rejected?
  - If an order has been signed by an invalid CA – is it properly detected?
  - If transmission is interrupted, is the order rolled back?
- Test certificates have been created and are on the CSOS Pilot Web site to execute error-handling test scenarios.
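The supplier-side rejection scenarios from slides 13 and 14, written as a runnable negative-test matrix. This is an added example, not part of the presentation or of any CSOS software. It assumes a simplified model: the certificate is a plain dictionary with hypothetical field names, and a SHA-256 digest comparison stands in for real signature verification.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample data; names and values are hypothetical, not a CSOS format.
TRUSTED_ISSUERS = {"Pilot Test CA"}
CRL_SERIALS = {"1003"}  # serial numbers listed on the current CRL


def digest(order_bytes):
    """SHA-256 digest of the order exactly as transmitted."""
    return hashlib.sha256(order_bytes).hexdigest()


def validate_order(order_bytes, signed_digest, cert, line_schedules, now):
    """Return every reason to reject the order; an empty list means accept."""
    reasons = []
    if cert["issuer"] not in TRUSTED_ISSUERS:
        reasons.append("untrusted CA")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        reasons.append("certificate expired or not yet valid")
    if cert["serial"] in CRL_SERIALS:
        reasons.append("certificate revoked")
    if digest(order_bytes) != signed_digest:
        reasons.append("order modified since signing")
    unauthorized = sorted(set(line_schedules) - set(cert["schedules"]))
    if unauthorized:
        reasons.append("schedule not authorized: " + ",".join(unauthorized))
    return reasons


def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


GOOD_CERT = {"serial": "1001", "issuer": "Pilot Test CA",
             "not_before": day(2002, 1, 1), "not_after": day(2003, 1, 1),
             "schedules": ["2", "3", "4"]}


def run_scenarios():
    """One good order plus one 'bad' variant per error-handling scenario."""
    order = b"PO 850 | line 1 | schedule 2"
    sig, now = digest(order), day(2002, 10, 31)
    cases = {
        "valid": (order, GOOD_CERT),
        "expired": (order, {**GOOD_CERT, "not_after": day(2002, 6, 1)}),
        "revoked": (order, {**GOOD_CERT, "serial": "1003"}),
        "invalid CA": (order, {**GOOD_CERT, "issuer": "Unknown CA"}),
        "tampered": (order + b" x", GOOD_CERT),
        "unauthorized": (order, {**GOOD_CERT, "schedules": ["3", "4"]}),
    }
    return {n: validate_order(o, sig, c, ["2"], now) for n, (o, c) in cases.items()}
```

Collecting all failure reasons, rather than stopping at the first, gives a test plan one row per scenario with the exact rejection cause recorded.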

15 Phase III: Sample Test Plan – 2.0 Key Exchange

16 Phase III: Post-Test Analysis
- Completed test plan data to be compiled:
  - Anticipated Standards – determine impact to anticipated standards
  - Interoperability (working across platforms) – Gap analysis – what vendors will be “ready” to play by next October? FIPS-certified?
  - Cost – How much effort/resources will it take to modify/develop systems to be ready by October?
  - Provide “lessons-learned” to industry hoping to engage in CSOS.

17 Phase III Schedule

18 Phase III: Next Steps…
- All “Purchasers” need certificates – contact Margaret Leary at (703) if you do not have one.
- Vendors may use sample certificate on CSOS Web site (can be e-mailed to them by a participant).
- “Bad” test certificates placed on CSOS Web site for testing purposes.
- Begin Phase IV – Reporting planning – coordinate with ARCOS

19 Questions?