Updated for Version 4.15
Submission Certification Overview
...
Below is a list of features in nFORM that are often included as necessary functionality in a CROMERR compliant system:
Requirement | Category | Subcategory |
Allow users to create/register a new user account. This includes information such as name, phone number, physical address and unique login in the form of an email address. | User Management | Profile |
The user login must be unique. | User Management | Login |
The user login cannot be reused. | User Management | Login |
The system must enforce a password strength with the following minimum parameters: | User Management | Password |
The system must provide the ability to automatically expire passwords. | User Management | Password |
The system must maintain a history of all passwords used by the unique user account login in the database, including the date/time the password was created and expired. | User Management | Password |
The system can only allow one active password for a unique user account login, at a given time. | User Management | Password |
All user passwords must be stored in the database as a one-way, salted hash (not as reversible encryption), using the SHA-512 algorithm. If needed, the Bcrypt or SHA-3 algorithm can be selected instead via configuration setting. | User Management | Password |
After a user changes their password, the system will require that the user sign into the system utilizing the new password. | User Management | Password |
To overcome forgotten passwords, allow a user to enter their email address to request a change of their password. In order to initiate the password change process, one of their entered challenge questions will be randomly selected and will be presented. The user must answer the challenge question correctly to initiate the password change. If a challenge question is correctly answered, a new password is randomly generated by the system and emailed to the user's email address. | User Management | Password |
After a user attempts to change their password, the system will send a Password Reset confirmation email to the user. | User Management | Password |
The system must allow an Administrator or Organization Manager to reset a user's password, as required. When an Administrator or Organization Manager initiates the password reset, a new password is randomly generated by the system and emailed to the user's email address. | User Management | Password |
The system must allow a user to change their password, if logged in. When attempting to change the password, the user will be required to enter their current password as well as their new compliant password. | User Management | Password |
Upon registration of a new user, the system must send an email to the user with a hyperlink used to confirm their email address. | User Management | Confirmation |
Allow a user to be assigned to the Electronic Signature role. | User Management | Role Assignment |
Following a successful login to the system, if the user has Electronic Signature rights, the user must be prompted to define their challenge questions and answers. The user is not forced to perform this step immediately; however, the system will not allow the user to certify and submit a form (which requires an electronic signature) until this step is performed. | User Management | Challenge Questions |
Once challenge questions are provided, the user will not have the ability to change the answers through their profile, unless their challenge questions have expired. | User Management | Challenge Questions |
Allow electronic signatory users to establish challenge questions, if not established. | User Management | Challenge Questions |
The system must enforce that challenge questions meet the following parameters: | User Management | Challenge Questions |
The system will allow users to select from a list of 22 challenge questions. | User Management | Challenge Questions |
The date/time a challenge question answer was provided must be tracked. | User Management | Challenge Questions |
A history of challenge questions and answers must be maintained in the database, including question, answer, effective dates, and expiration date. | User Management | Challenge Questions |
Challenge questions asked and the respective answers should be encrypted, per EPA recommendation. | User Management | Challenge Questions |
The system must allow an administrator to expire a user’s challenge questions. | User Management | Challenge Questions |
Challenge question answers must be stored in the database as a one-way, salted hash (not as reversible encryption), using the SHA-512 algorithm. If needed, the Bcrypt or SHA-3 algorithm can be selected instead via configuration setting. | User Management | Challenge Questions |
The system will automatically lock an account if the user attempts to change their password and incorrectly answers the challenge question on five (configurable) consecutive attempts. | User Management | Challenge Questions |
All user session communication must be protected through TLS (SSL). | General | Communication |
The Signing page consists of agency-defined electronic signature agreement criteria that each submitter must agree to before they can proceed with the form submission process. The user must individually acknowledge each agreement on the screen before they are allowed to continue. | Submission | Certification |
Each agency must have the ability to customize their electronic signature agreement criteria to meet their requirements. | Submission | Certification |
If all conditions (agreements) are accepted, the user must have the ability to electronically sign the submission by answering one randomly selected question from their five answered challenge questions and entering their account password. If the user does not answer the selected challenge question correctly, the system selects the next challenge question, and the user must answer the question presented and re-enter their password. | Submission | Certification |
The system must provide an automatic lockout mechanism based on a configurable maximum number of electronic signature (challenge question + password) attempts, with 5 being the minimum setting. | Submission | Certification |
At a minimum, the system must present the following agreements to the user signing the submission: | Submission | Certification |
The system must allow a custom certification statement to be presented to the user for CROMERR certifications. | Submission | Certification |
The system must support a digital signature process utilizing X.509-compatible certificates. At a minimum, it must support the PKCS#12 (.pfx/.p12) container type. | Submission | Signature |
The system must support TLS (SSL) communication for the electronic signature process (i.e., strong 256-bit symmetric encryption under a certificate chain with a 2048-bit root key). Note that the electronic signature certificate is different from the certificate the solution uses to secure its communication (the TLS/SSL server certificate). | Submission | Signature |
During the form submission process, the system will generate a read-only representation of the form submission and present it on the screen so that the Submitter can view the form submission before signing. The read-only representation of the form submission includes all data contained within the form submission as well as the ability to download and/or open any related attachments that the Submitter included in their submission. The Submitter must acknowledge that they have reviewed the form submission prior to completing the form submission process. | Submission | Submission |
The certification statement presented to the signer, including warning of penalties for false certification, must be incorporated into the copy of record for the signed submission. | Submission | Submission |
The system must protect the integrity of the form submission by not allowing alterations of the form submission content during transmission or after it is received. | Submission | Submission |
The system must protect the integrity of the form submission by using TLS (SSL) for the entire form submission process, protecting the system and submission against man-in-the-middle attacks. | Submission | Submission |
The system must further support the integrity of the form submission by sending an email notification after each form submission, so that the Submitter can detect a submission they did not make. This email contains a unique submission number as well as a link to the submission record where the electronically signed CoR can be downloaded. | Submission | Submission |
The information used to populate the read-only representation of the form submission, reviewed by the Submitter during a form submission, must be the exact information used to complete the form submission. No updates to that data previewed can be made after the submission process begins. | Submission | Submission |
The CoR must contain the exact data used to populate the read-only view of the form submission, reviewed by the Submitter during a form submission. | Submission | Submission |
The system must allow the unique user account login, password, challenge question and challenge question response to be used as the electronic signature device. The application must use its private certificate key to digitally sign the hash of the signature device and the CoR to bind the electronic signature to the submitted form. | Submission | Signature |
The electronically signed CoR file created for each submitted form must contain the reported data, header page, related attachments (if applicable), and bound electronic signature. The electronically signed CoR file created for each submitted form will be in the form of a ZIP or PDF file, depending on whether attachments are included in the submission. If no attachments are included in the submission, the submitted form will include one PDF file representing the reported data. This PDF file will include the certificate. If attachments are included in the submission, the submitted form will include one ZIP file which will include one PDF file representing the reported data and all attachments included in the submission. This ZIP file will include the certificate. | Submission | Submission |
The CoR must contain a header page with meta-data from the submission process, including date and time of submission, submission number and submitter name. A watermark indicating the certificate authority used and fingerprint (a unique certificate number) for the electronic signature is also displayed. No passwords, challenge questions/answers, or any other sensitive information is displayed on this header page. The header page is included in the CoR strictly as a clear way of visibly indicating to any viewer of the CoR that the CoR has been successfully electronically signed. The meta-data recorded on the header page is retrieved from the database, so it's not the sole source of this information. | Submission | Submission |
Upon submission of an electronic signature level form, a copy of record of the submission at submission time must be retained. | Submission | Submission |
Following the submission/signature, the system must present the submitter with a confirmation page including a unique Submission Number. | Submission | Submission |
The system must send an acknowledgement email to the email address of the Submitter after every submission. The email will contain the Submitter's name, date and time of submission, subject of email, as well as a unique Submission Number so that the Submitter can further identify the form submission in question. This email contains the unique confirmation number and a description of where to download the CoR within the system, if desired. | Submission | Submission |
Following the submission/signature, the system must provide the ability for the Submitters to view or download the electronically signed copy of the CoR at any time for any form submission (where they are assigned as a contributor to the form submission) from the Submission View page of the nFORM system. | Submission | Submission |
The electronically signed version of the CoR must also be able to be used for verification of signature authenticity, and that no modification to the CoR has been made since initial creation. The system must provide the ability to Verify Authenticity of a CoR. | Submission | Submission |
The system must compute and store a one-way hash of the CoR (i.e., PDF and associated attachments) using the SHA-2 512-bit algorithm. If needed, the SHA-3 algorithm can be selected instead via configuration setting. Any alteration of a stored CoR is detectable by recomputing its hash and comparing it to the stored value; the hash detects tampering but does not by itself prevent deletion, which must be enforced by the no-delete rule below. | Submission | Submission |
The unique user account login, password, challenge question and challenge question response are used as the electronic signature device. The forms application will use its private certificate key to digitally sign the hash of the signature device and the CoR to bind the electronic signature to the submitted form. The electronic signature device hash for each signer must be added to the Signature Page Properties. | Submission | Submission |
When providing the human-readable CoR to a user for download and access, the CoR must first be decrypted using the decryption key. The decryption key must be stored in the application configuration file, which must therefore be protected with access controls at least as strict as those on the CoR store itself. | Submission | Submission |
The system must provide the ability to "Rescind" a submission. | Submission | Submission |
The system must provide no function to modify or delete a CoR. CoRs must be retained indefinitely. | Submission | Submission Management |
The system must provide the ability to view all submissions and their status, including any form submissions that were rescinded. | Submission | Submission Management |
The system must provide the ability to lock a user account. | User Management | Locking |
The system must provide notification to a user, if their account status is changed (e.g., locked and unlocked). | User Management | Locking |
The system must provide the ability to print the CoR. | Submission | Submission |
The CoR must be stored in the database in the Binary Large Objects (BLOB) format or on a relevant file system in an encrypted format. | Submission | Submission |
The system must assign each CoR a unique document identifier that is related to the submission. | Submission | Submission |
The system must provide the ability to log items in a database audit table as well as the application event logs. The individual entries in these two logs must be identical in information and format to allow comparison. | User Management | Audit Logging |
The system must log password change attempt to the audit logs, with a pass/fail indicator. | User Management | Audit Logging |
The system must log challenge question change attempt to the audit logs, with a pass/fail indicator. | User Management | Audit Logging |
The system must log electronic signature attempts to the audit logs, including success or fail indicator, and source of issue (challenge question response attempt) if failed attempt. This log will include the challenge question selected as well as the acknowledgements agreed upon. | User Management | Audit Logging |
The system must log submission status changed (rescinded, revised, issued, etc.) to the audit logs. | Submission | Audit Logging |
The system must log email notifications that are sent to the applicant to the audit logs. | Submission | Audit Logging |
The system must log submission processing step status changed to the audit logs. | Submission | Audit Logging |
The system must log when a submission is created to the audit logs. | Submission | Audit Logging |
The system must log when a user changes their login name to the audit logs. | Submission | Audit Logging |
The system must log when a user changes their first/last name to the audit logs. | Submission | Audit Logging |
The system must log when a user changes their phone number to the audit logs. | Submission | Audit Logging |
The system must log when each step of the submission wizard is visited to the audit logs. | Submission | Audit Logging |
The system must log when a user account is locked, and the reason for the lock, to the audit logs. | Submission | Audit Logging |
The system must log when a user account is unlocked to the audit logs. | Submission | Audit Logging |
The system must log when a user account status is changed to the audit logs. | Submission | Audit Logging |
The system must log when a CoR is downloaded to the audit logs. | Submission | Audit Logging |
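The hashing, binding and verification requirements in the table (salted one-way hashes for passwords and challenge answers; the application's private key signing the hash of the signature device together with the CoR; the Verify Authenticity check) are shown below as one worked example. This is an added illustration written for this page, not nFORM's own code. The field layout of the signature device, the 16-byte salt, the length-prefixing of fields, RSA-PSS as the signature scheme, the sample CoR bytes, and the in-memory RSA key standing in for the PKCS#12 certificate key are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// SaltedHash stores a password or challenge answer as a one-way, salted
// SHA-512 digest. The 16-byte salt size is an assumption; the page gives none.
func SaltedHash(secret string) (salt, digest []byte, err error) {
	salt = make([]byte, 16)
	if _, err = rand.Read(salt); err != nil {
		return nil, nil, err
	}
	h := sha512.New()
	h.Write(salt)
	h.Write([]byte(secret))
	return salt, h.Sum(nil), nil
}

// VerifySecret recomputes the salted digest and compares it in constant time.
func VerifySecret(secret string, salt, digest []byte) bool {
	h := sha512.New()
	h.Write(salt)
	h.Write([]byte(secret))
	return subtle.ConstantTimeCompare(h.Sum(nil), digest) == 1
}

// SignatureDevice is the page's electronic signature device; only stored hashes enter it.
type SignatureDevice struct {
	Login, Question          string
	PasswordHash, AnswerHash []byte
}

// DeviceHash reduces the device to one SHA-512 value; the length prefix (assumed) keeps fields unambiguous.
func DeviceHash(d SignatureDevice) []byte {
	h := sha512.New()
	for _, f := range [][]byte{[]byte(d.Login), []byte(d.Question), d.PasswordHash, d.AnswerHash} {
		h.Write([]byte{byte(len(f) >> 8), byte(len(f))}) // fields are well under 64 KiB
		h.Write(f)
	}
	return h.Sum(nil)
}

// SignaturePage models the "Signature Page Properties" recorded with the CoR.
type SignaturePage struct {
	CoRHash    string // hex SHA-512 of the CoR bytes (PDF or ZIP)
	DeviceHash string // hex SHA-512 of the signature device
	Signature  []byte // RSA-PSS signature over SHA-512(CoR hash || device hash)
}

func bound(corHash, deviceHash []byte) []byte {
	sum := sha512.Sum512(append(append([]byte{}, corHash...), deviceHash...))
	return sum[:]
}

// BindSignature hashes the CoR, joins it with the device hash and signs the result.
func BindSignature(key *rsa.PrivateKey, cor []byte, dev SignatureDevice) (SignaturePage, error) {
	corSum := sha512.Sum512(cor)
	devSum := DeviceHash(dev)
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA512, bound(corSum[:], devSum), nil)
	if err != nil {
		return SignaturePage{}, err
	}
	return SignaturePage{hex.EncodeToString(corSum[:]), hex.EncodeToString(devSum), sig}, nil
}

// VerifyCoR is the "Verify Authenticity" check. The recorded hash detects alteration
// of the stored CoR; the signature additionally proves which key bound it.
func VerifyCoR(pub *rsa.PublicKey, cor []byte, page SignaturePage) error {
	corSum := sha512.Sum512(cor)
	devSum, err := hex.DecodeString(page.DeviceHash)
	if err != nil || hex.EncodeToString(corSum[:]) != page.CoRHash {
		return errors.New("CoR content differs from the hash recorded at signing")
	}
	if rsa.VerifyPSS(pub, crypto.SHA512, bound(corSum[:], devSum), page.Signature, nil) != nil {
		return errors.New("signature does not verify: CoR or signature page was altered")
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the PKCS#12 certificate key
	_, pwHash, _ := SaltedHash("correct horse battery staple")
	_, ansHash, _ := SaltedHash("Springfield")
	dev := SignatureDevice{"reporter@example.org", "City of birth?", pwHash, ansHash}
	cor := []byte("%PDF-1.7 constructed copy of record for submission 12345") // constructed sample
	page, _ := BindSignature(key, cor, dev) // errors ignored only in this demo
	fmt.Println("original verifies:", VerifyCoR(&key.PublicKey, cor, page))
	tampered := append([]byte{}, cor...)
	tampered[len(tampered)-1] ^= 1 // one byte altered after signing
	fmt.Println("tampered verifies:", VerifyCoR(&key.PublicKey, tampered, page))
}
```

Two design points carry over to the requirements above. Only the stored hashes of the password and challenge answer go into the device hash, so the Signature Page Properties never contain a secret, which matches the rule that no passwords or challenge answers appear on the header page. And the stored CoR hash on its own only detects alteration; a deleted CoR leaves nothing to hash, so retention depends on the no-modify/no-delete rule and the access controls around the CoR store, not on the hash.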