WSR 98-16-031
PERMANENT RULES
SECRETARY OF STATE
[Filed July 29, 1998, 1:45 p.m.]
Date of Adoption: July 24, 1998.
Purpose: Changes and clarifications to the Washington Electronic Authentication Act, chapter 19.34 RCW.
Citation of Existing Rules Affected by this Order: Repealing WAC 434-180-235; and amending WAC 434-180-130, 434-180-200, 434-180-215, 434-180-240, and 434-180-245.
Statutory Authority for Adoption: Chapter 19.34 RCW, including RCW 19.34.030, 19.34.040, 19.34.100, 19.34.400, 19.34.500 and chapter 33, Laws of 1998.
Adopted under notice filed as WSR 98-13-100 on June 17, 1998.
Number of Sections Adopted in Order to Comply with Federal Statute: New 0, amended 0, repealed 0; Federal Rules or Standards: New 0, amended 0, repealed 0; or Recently Enacted State Statutes: New 1, amended 1, repealed 1.
Number of Sections Adopted at Request of a Nongovernmental Entity: New 0, amended 0, repealed 0.
Number of Sections Adopted on the Agency's Own Initiative: New 1, amended 5, repealed 1.
Number of Sections Adopted in Order to Clarify, Streamline, or Reform Agency Procedures: New 0, amended 4, repealed 0.
Number of Sections Adopted Using Negotiated Rule Making: New 0, amended 0, repealed 0; Pilot Rule Making: New 0, amended 0, repealed 0; or Other Alternative Rule Making: New 0, amended 0, repealed 0.
Effective Date of Rule: Thirty-one days after filing.
July 24, 1998
Tracy Guerin
Deputy Secretary of State
OTS-2269.1
AMENDATORY SECTION (Amending WSR 97-24-053, filed 11/26/97, effective 12/27/97)
WAC 434-180-130 Fees. Fees for services performed by the secretary of state are established in the following amounts:
(1) For application for a license as a certification authority:
(a) For the applicant's first year doing business as a licensed certification authority in this state: One thousand four hundred dollars;
(b) For the applicant's second year doing business as a licensed certification authority in this state: One thousand eight hundred dollars; and
(c) For the applicant's third or subsequent year doing business as a licensed certification authority in this state: Two thousand eight hundred dollars.
(2) For recognition as a repository, in addition to the license issuance or renewal fee paid pursuant to this section:
(a) For the applicant's first year doing business as a recognized repository in this state: One thousand four hundred dollars;
(b) For the applicant's second year doing business as a recognized repository in this state: One thousand eight hundred dollars; and
(c) For the applicant's third or subsequent year doing business as a recognized repository in this state: Two thousand eight hundred dollars.
(3) For recognition of a foreign license((, either:
(a) Two thousand eight hundred dollars; or
(b) Upon certification by the issuer of the foreign license that the applicant has been licensed as a certification authority in that jurisdiction for less than three years, the fee that would be due under subsection (1) of this section for a Washington license under the same circumstances. No applicant may file under this subsection (b) more than two times)): One-half of the otherwise applicable fee as set forth under subsection (1) or (2) of this section.
(4) For qualification of operative personnel:
(a) For administering and scoring the examination required by WAC 434-180-215(3), fifty dollars per individual; and
(b) For qualifying operative personnel pursuant to WAC 434-180-215 and 434-180-220, other than (or in addition to) administering and scoring the examination, twenty-five dollars per individual.
[Statutory Authority: RCW 19.34.030, 19.34.040, 19.34.100, 19.34.111 and 19.34.400. 97-24-053, § 434-180-130, filed 11/26/97, effective 12/27/97.]
AMENDATORY SECTION (Amending WSR 97-24-053, filed 11/26/97, effective 12/27/97)
WAC 434-180-200 Application for license as a certification authority. Any person desiring to be licensed as a certification authority must file an application pursuant to this chapter demonstrating compliance with the requirements of RCW 19.34.100. To apply for a license, an applicant must submit all of the following:
(1) A completed application form as prescribed by WAC 434-180-210;
(2) The fee or fees provided by WAC 434-180-130;
(3) A certificate that shows the applicant as subscriber and is published in a recognized repository;
(4) A suitable guaranty, described by WAC 434-180-225, unless the applicant is a self-insured city, a self-insured county, or the department of information services of the state of Washington;
(5) ((Demonstration of sufficient working capital, pursuant to WAC 434-180-235;
(6))) Documentation, in the form of an information systems audit report, establishing that the applicant has the use of a trustworthy system as defined by WAC 434-180-360. The audit required by this subsection shall be performed pursuant to WAC 434-180-240, except that it is not required to establish anything more than that the applicant has the use of a trustworthy system;
(((7))) (6) Materials establishing, to the satisfaction of the secretary that each person listed as operative personnel has qualified to act as operative personnel pursuant to WAC 434-180-215; and
(((8))) (7) A written certification practice statement as described in WAC 434-180-330.
[Statutory Authority: RCW 19.34.030, 19.34.040, 19.34.100, 19.34.111 and 19.34.400. 97-24-053, § 434-180-200, filed 11/26/97, effective 12/27/97.]
NEW SECTION
WAC 434-180-203 Designation of confidential information. Any certification authority, recognized repository, or applicant for licensure or recognition who believes that any information submitted to the secretary is legally exempt from public disclosure, inspection, or copying pursuant to law may designate such records upon submission to the secretary. Such designation does not conclusively establish the application of any exemption, but will assist the secretary in correctly responding to requests for public records. Any designation shall specify the precise information the party regards as subject to an exemption, and precise statute establishing the exemption.
[]
AMENDATORY SECTION (Amending WSR 97-24-053, filed 11/26/97, effective 12/27/97)
WAC 434-180-215 Certification of operative personnel. The secretary shall not issue or renew a license as a certification authority unless the licensee documents that every individual employed or acting as operative personnel qualifies to act as operative personnel. This documentation shall include:
(1) Receipt of a completed form, signed by the individual under penalty of perjury, stating:
(a) The name (including all other names used in the past), date of birth, and business address of the individual;
(b) That the individual has not been convicted within the past ((fifteen)) seven years of a felony and has never been convicted of a crime involving fraud, false statement, or deception in any jurisdiction; and
(c) If the individual has resided in any nation other than the United States during the previous five years, the name of that nation and the period of residency.
(2) A criminal background check supporting the declaration required by subsection (1) of this section. This requirement is excused as to any individual for whom documentation satisfying this paragraph was submitted within the previous two years, even if the individual has changed employment. This check must include both of the following:
(a) A criminal background check compiled by a private sector provider, documenting a background check reasonably sufficient to disclose any criminal convictions within the previous seven years in any state or federal jurisdiction in the United States, its territories, or possessions, and any other jurisdiction specified pursuant to subsection (1)(c) of this section. This background check must contain information that is current to within thirty days of its date of submission; and
(b) The certified results of a criminal background check performed by the Washington state patrol or law enforcement agency where the operative personnel reside and are employed for the previous ((fifteen)) seven years, dated not more than thirty days prior to submission or such other jurisdictions as the secretary may reasonably request. Such check shall be performed using the individual's fingerprints.
(3) Satisfactory completion by the individual of a written examination demonstrating knowledge and proficiency in following the requirements of the Washington Electronic Authentication Act and these rules. The secretary shall develop an open book written test covering the subject matter of the act, and provide it upon request, which may include electronic access. The secretary may update or modify the test from time to time. The secretary shall indicate at the top of the test the percentage or number of questions that must be answered correctly in order to constitute satisfactory completion. No individual may take the examination more than once within a period of thirty days. A certification by the secretary that an individual has successfully completed this examination shall be valid for two years, and shall continue to satisfy the requirements of this subsection even if the individual changes employment.
(4) A licensed certification authority must remove a person from performing the functions of operative personnel immediately upon learning that the person has been convicted within the past fifteen years of a felony or has ever been convicted of a crime involving fraud, false statement, or deception, and must notify the secretary of this action within three business days.
[Statutory Authority: RCW 19.34.030, 19.34.040, 19.34.100, 19.34.111 and 19.34.400. 97-24-053, § 434-180-215, filed 11/26/97, effective 12/27/97.]
AMENDATORY SECTION (Amending WSR 97-24-053, filed 11/26/97, effective 12/27/97)
WAC 434-180-240 Compliance audits. (1) A licensed certification authority shall obtain a compliance audit at least once every year. The auditor shall issue an opinion evaluating the degree to which the certification authority conforms to the requirements of this chapter and of chapter 19.34 RCW. If the certification authority is also a recognized repository, the audit must include the repository.
(2) For purposes of the opinion required by this section, the auditor shall exercise reasonable professional judgment as to whether a condition that does not strictly comply with legal requirements is or is not material, taking into consideration the circumstances and context. Noncompliance as to any of the following shall be deemed material, in addition to any others the auditor may judge to be material:
(a) Any condition of noncompliance with statute or rule that relates to the validity of a certificate;
(b) Any employee performing the functions of operative personnel who has not qualified pursuant to WAC 434-180-215;
(c) Any material indication that the certification authority has used any system other than a trustworthy system.
(3) An audit may be performed by any licensed certified public accountant, or, in the case of a public agency, by the Washington state auditor. For purposes of this section, licensed certified public accountants include any person holding a certified public accountant certificate issued pursuant to chapter 18.04 RCW, or any licensee under any equivalent law of any other jurisdiction. Any auditor, or group of auditors, performing an audit pursuant to this section shall include at least one individual who has been issued a current and valid certificate as either a certified information systems auditor, by the information systems audit and control foundation, or as a certified information systems security professional, by the International Information Systems Security Certification Consortium. The names of all individuals possessing such certificates shall be disclosed in the audit report, or in a cover letter accompanying that report.
(4) The certification authority shall file a copy of the audit report with the secretary, prior to the date the certification authority must renew its license pursuant to WAC 434-180-205. At the certification authority's option, it shall be sufficient to file a portion of the report if that report summarizes all audit exceptions and conditions of noncompliance (including, but not limited to, those stated in subsection (2) of this section) stated in the full report, and bears the auditor's signature. The report may be filed electronically, if it is validly digitally signed by the auditor, using a licensed certification authority. The secretary shall publish the report, or summary, in the certification authority disclosure record it maintains for the certification authority.
[Statutory Authority: RCW 19.34.030, 19.34.040, 19.34.100, 19.34.111 and 19.34.400. 97-24-053, § 434-180-240, filed 11/26/97, effective 12/27/97.]
AMENDATORY SECTION (Amending WSR 97-24-053, filed 11/26/97, effective 12/27/97)
WAC 434-180-245 Recognition of foreign licenses. (1) A certification authority licensed as such by a governmental entity other than the state of Washington, may act as a licensed certification authority in Washington only if, in addition to meeting any other requirements established by law for the transaction of business, it either:
(a) Obtains a license as a certification authority from the secretary; or
(b) Provides to the secretary a certified copy of a license issued by a governmental entity whose licensing or authorization requirements the secretary has found to be substantially similar to those of Washington, together with the fee required by WAC 434-180-130. A license recognized under this subsection shall be valid in Washington only during the time it is valid in the issuing jurisdiction.
(2) The secretary may certify that the licensing or authorization requirements of another jurisdiction are substantially similar to those of Washington if, in order to obtain a license, the controlling law of the other jurisdiction requires that a licensed certification authority:
(a) Issue certificates based upon a system of public key cryptography using a trustworthy system. The law or administrative rule of another jurisdiction must establish standards determining what constitutes a trustworthy system. Those standards may differ from Washington's standards as set forth under WAC 434-180-360 as long as they are substantially similar in purpose and result;
(b) Provide a suitable guaranty in an amount of at least twenty-five thousand dollars;
(c) Employ as operative personnel only individuals who have demonstrated knowledge and proficiency in the requirements of the law regarding digital signatures, and who are free of felony criminal conviction for a minimum of seven years; and
(d) Be subject to a legally established system of enforcement of licensure requirements.
(3) If the requirements of another jurisdiction fail to be certified as substantially similar to those of Washington only because they do not satisfy subsection (2)(c) of this section, then the secretary shall recognize the license of a particular certification authority licensed by that jurisdiction if the certification authority complies with subsection (1)(b) of this section and, in addition, employs as operative personnel only individuals whom the secretary has certified pursuant to WAC 434-180-215.
(4) The secretary shall publish in the State Register, and make available upon request, a list of those jurisdictions which the secretary has certified pursuant to subsection (2) of this section. If a jurisdiction is not included in the list most recently published in the State Register, the secretary shall consider whether certification of such jurisdiction should be added, upon request of either the jurisdiction or a certification authority licensed by that jurisdiction and upon receipt of an English language copy of the applicable laws and regulations of that jurisdiction.
[Statutory Authority: RCW 19.34.030, 19.34.040, 19.34.100, 19.34.111 and 19.34.400. 97-24-053, § 434-180-245, filed 11/26/97, effective 12/27/97.]
REPEALER
The following section of the Washington Administrative Code is repealed:
WAC 434-180-235 Sufficient working capital.