FAQ: Are your PDF DRM solutions CFR compliant?

The CFR Part 11 being referred to concerns the criteria under which electronic records and electronic signatures are considered trustworthy, reliable and equivalent to paper records.

The matter of electronic signatures seems problematic, since there is no immediate definition of how these are to be achieved and regulated.  The real intent of a digital signature is ‘proof of origin’: demonstrating who the external creator actually is.  To the extent that such things are possible, documents controlled by Locklizard are inalienably linked to the publisher’s identity, which has been verified through payment banking details (and there is little more certain than that).  So their origin is reasonably certain.  Where a covered entity (one that has to comply with the regulation) purchases a system to meet the access control to documents requirement (not specified in detail in the reference), Locklizard provide a comprehensive series of controls to limit and monitor access and use, and to actively prevent document misuse by unauthorized parties.

The CFR Part 11 appears to be in a state of flux, so no supplier is in a position to state compliance: where the compliance document itself is not stable, evaluation against it is not possible.

As regards ‘predicate rules’, these lie outside the scope of Locklizard services because they apply to the linkage between hard copy and electronic copy for keeping required records.  The Command Line could be used to produce a transactional log (sometimes referred to as an audit trail) mapping original documents to protected documents.  That would suffice for the link from the created PDF through to the created PDC.  But it could not authenticate the original PDF; that would be a matter of consideration for the publisher concerned.  Presumably the use of a Document Management System linking all the paper actions through to the electronic versions would be considered adequate for the purpose of demonstrating compliance.

To summarize: Locklizard itself does not use (X.509-type) digital signatures to sign PDC files, but instead controls the encryption and allocation of controlled files, achieving the intended requirement of CFR by a different process.  Since the status of Part 11 is not yet fixed, it is not possible for anyone to claim compliance, and it is not clear who would be the certification authority for the process or who would bear the cost of certification.  Locklizard believe that the controls they provide, taken together with the necessary background document management controls, are adequate to confirm the origin and authenticity of PDC files as being from a given origin and unaltered from source to presentation to the authorized user.