W. Va. Code R. § 153-30-7

Current through Register Vol. XLI, No. 36, September 6, 2024
Section 153-30-7 - Selection of Existing Federal Certificate Authority Program as State Authority and Repository; Purchase of Certificates; Fees; Revocation of Authorization
7.1. The Secretary of State may designate and authorize as the official state certificate authority and repository an existing federal certificate authority and repository program, providing:
7.1.1. The program permits the acquisition and use of electronic signature certificates by state and local government agencies for their employees and by individuals for transactions with those agencies at or below the rate established for the federal program;
7.1.2. The program has published a certificate policy or certificate practice statement that establishes comprehensive requirements for the security of all aspects of the system, including the physical and technical security of the software and hardware and the security requirements for authorized personnel.
7.1.3. The program uses a comprehensive requirements evaluation process for selection of qualifying certificate authorities.
7.1.4. The program authorizes one or more entities or vendors to provide the services of certificate authority, repository and registration authority;
7.1.5. Each authorized certificate authority manages the application, issuance and revocation of a certificate that complies with the certificate policy of the program.
7.1.6. Each authorized certificate authority offers subscriptions for certificates through the federal program that meet, at a minimum, the security requirements of the Office of Technology, as may be amended from time to time.
7.1.7. The program requires an audit of each authorized certificate authority.
7.1.8. The Secretary of State may ask or enter into an agreement with the Office of Technology to validate that the program meets the standards outlined in subsections 7.1.1 through 7.1.7 of this section and to report the validation to the Secretary of State via a form prescribed by the Secretary of State.
7.2. Designation and authorization of the federal certificate authority and repository program as the state certificate authority shall substitute the requirements of the federal certificate authority and repository program for the requirements of the state certificate authority, repository and other requirements stated in sections nine through twenty-one of this rule. The certificate policy or certificate practice statement of the federal program shall control the form, application, issuance, expiration, suspension, and revocation of certificates and shall control the record keeping, record retention and audit requirements of the certificate authority and repository.
7.3. The Secretary of State may initiate a procurement process to establish a statewide contract with any or all of the certificate authorities authorized under the federal certificate authority and repository program, and only those authorized entities may be qualified to bid. The Secretary of State may defer to the Office of Technology his or her authority to initiate the procurement process.
7.3.1. The contract may establish the purchase price of one or more types of electronic signature certificates for a subscription of a specified term, and that price shall be inclusive of the services performed as the registration authority, certificate authority and repository for the term of the subscription.
7.3.2. The contract may include pricing for individual certificates and for business certificates if offered by the authorized certificate authorities.
7.3.3. The contract may include pricing for single certificates and bundles of certificates at preferred rates.
7.3.4. The contract shall allow an agency to purchase certificates for use by agency employees and agency customers at an established contract rate; and an agency may require payment or reimbursement for certificates issued to customers.
7.4. The Secretary of State may ask or enter into an agreement with the Office of Technology, through its chief technology officer or his or her designee, to submit to him or her on April 1, 2022, and annually thereafter, a report that outlines the following:
7.4.1. Affirmation that the requirements of the state's official certificate authority and repository are still valid or any changes to the requirements;
7.4.2. A listing of state agencies and their subdivisions currently using electronic signature certificates; and
7.4.3. Any future uses, changes or updates relating to the development, implementation, or use of electronic signatures that the state should take into consideration for its benefit.
7.5. The Secretary of State may revoke any agency approval or program authorization designated under this section if the approval or program fails to continue operation or fails to meet the requirements of the Secretary of State or the Office of Technology.
7.5.1. The Secretary of State may ask or enter into an agreement with the Office of Technology to inform him or her of any information that could contribute to the revocation of an agency approval or authorized program.
7.5.2. The Secretary of State shall publish a notice in the State Register of the intent to revoke the authority of the program to act as state certificate authority and repository at least ninety days before the revocation takes effect and shall additionally send notice to each state agency or state agency subdivision currently using electronic signature certificates.
7.5.3. Upon revocation of the designation of a state certificate authority and repository, an agency that accepts electronic signatures issued by that entity may determine whether to continue to accept those electronic signatures or establish a date after which those signatures will no longer be accepted, and shall give notice in conjunction with the electronic filing information of the agency's intent.
