Center for Biologics Evaluation and Research SOPP 8119

SOPP 8119: Use of Email for Regulatory Communications
Version: 7
Effective Date: February 17, 2020

Table of Contents
I. Purpose
II. Scope
III. Background
IV. Definitions
V. Policy
VI. Responsibilities
VII. Procedures
VIII. Appendix
IX. References
X. History

I. Purpose

A. This Standard Operating Policy and Procedure (SOPP) serves as a guide for Center for Biologics Evaluation and Research (CBER) staff on the handling of regulatory electronic messages (emails). Regulatory emails may be either internal communications or messages received from or sent to sponsors/applicants or others external to FDA.

II. Scope

A. This SOPP applies to all regulatory communications.

III. Background

A. Increasing overall product review efficiency has been a significant component of the Prescription Drug User Fee Act (PDUFA) from its inception. Additional efforts to increase review efficiency include the Medical Device User Fee and Modernization Act of 2002 (MDUFMA), PDUFA and MDUFA reauthorizations, and development of electronic submission infrastructure such as the CBER Electronic Document Room (EDR) and the Agency Electronic Submission Gateway (ESG). All of these necessitate streamlining the review process.

B. This streamlining does not diminish the Food and Drug Administration's (FDA) responsibility for maintaining a complete, accurate, and organized administrative file to ensure that all regulatory actions/decisions are appropriately documented. As a Federal Agency, FDA is required to administer and maintain its electronic records in compliance with 36 CFR 1236, "Electronic Records Management." The Office of Chief Counsel (OCC), FDA has determined that emails are legal communications acceptable as regulatory submissions upon which regulatory decisions can be made and transmitted.

C. In December 2017, the FDA published a guidance document, "Best Practices for Communication Between IND Sponsors and FDA During Drug Development," that outlines email practices that must be followed by CBER staff. Although this guidance document is written to address communication between Investigational New Drug (IND) sponsors and FDA, the principles apply to all regulatory communication. Additional guidance published in April 2014, "Types of Communication During the Review of Medical Device Submissions", outlines appropriate use of email during the review of medical device submissions.

IV. Definitions

A. Administrative File - The file or files containing all documents pertaining to a particular administrative action, including internal working memoranda, and recommendations. (21 CFR 10.3)

B. Administrative Record - The documents in the administrative file of a particular administrative action on which the Commissioner relies to support the action. (21 CFR 10.3) Administrative records include sponsor/applicant submissions, CBER/FDA generated documents, and CBER/FDA database records.

C. Commercial Information - Privileged or confidential information that is valuable data or information which is used in business and is of a type customarily held in strict confidence or regarded as privileged and not disclosed to any member of the public by the person to whom it belongs. (21 CFR 20.61(b))

D. Email String - Includes an originating email and responses. The string could be several communications between two people or several people utilizing the "reply to all" function.

E. Record copy - The document that is kept on file as an original or official master record for the total retention period. According to FDA's Office of Chief Counsel, the outgoing correspondence record copy must be an exact duplication of what the sponsor/applicant receives. Record copies are sometimes referred to as the archival copy.

F. Regulatory communication - A communication that contains regulatory information, including correspondence generated by CBER. The inclusion of a submission's submission tracking number (STN) makes a communication regulatory in nature.

G. Regulatory Email - An electronic message that contains regulatory information. A regulatory email may be a stand-alone message or a message with an attached file. The inclusion of a submission's STN makes the email regulatory.

H. Regulatory Information - Information related to products regulated by FDA, including product, manufacturing, and facility or company information, adverse events, compliance actions, CBER-generated correspondence, etc. The submission's STN is considered regulatory information, particularly if the submission is pending FDA review and action.

I. Secure Email - An electronic message sent from a sponsor/applicant that has exchanged secure certificates with FDA. Secure certificates typically include the entire corporate or organization structure of a sponsor/applicant or a subset of users. Secure email makes use of encryption technology during transmission and decryption upon receipt using a public key within the certificate. Instructions on how an organization may obtain a secure email certificate are included in Appendix A.

J. Trade Secrets - Consists of any commercially valuable plan, formula, process, or device that is used for the making, preparing, compounding, or processing of trade commodities and that can be said to be the end-product of either innovation or substantial effort and has a direct relationship between the trade secret and the productive process. (21 CFR 20.61(a))

V. Policy

A. Secure Email Use

   1. CBER personnel are responsible for protecting company confidential, trade secret and proprietary information. Therefore, CBER-generated regulatory communications are only sent to recipients via secure email. If recipients do not have secure email, regulatory communications will be sent by U.S. postal service or commercial carrier with a follow-up facsimile allowed as a rapid means of transmitting the information.

      a. Exceptions - the following are exceptions, and communication for these purposes does not require email to be secure:
         i. Requests for Individual Patient INDs under Expanded Access, including for emergency use and for oncology products.
         ii. Compassionate Use IDEs.
         iii. Requests for Emergency Use Authorizations (EUAs) and Pre-EUAs.
         iv. Responses to requests for information that are general in nature, such as providing information in a guidance document, logistical information about how to attend a meeting at the White Oak campus or where to find information on the FDA website.
         v. Emergency alternative procedures or exemptions under 21 CFR 640.120.

      b. CBER staff will utilize available internal resources to validate whether anyone external to FDA has established secure email with the Agency (refer to JA 820.05: Secure Email Verification and Email Best Practices for Regulatory Communications for information).

      c. Requests to establish secure email with FDA should be sent to SecureEmail@fda.hhs.gov.

B. Incoming Regulatory Emails

   1. Submissions required to be in electronic format as described in FDA's guidance document "Providing Regulatory Submissions in Electronic Format – Submissions Under Section 745A(a) of the Federal Food, Drug, and Cosmetic Act" should be submitted electronically in eCTD format via the Electronic Secure Gateway (ESG). Submissions for blood and blood components (not required to be in eCTD format) should be submitted as directed on the FDA's eSubmitter website (https://www.fda.gov/ForIndustry/FDAeSubmitter/default.htm).

   2. Formal submissions (e.g., new INDs, original BLAs, etc.), information that is unsolicited, or that FDA did not agree to receive related to pending applications are not to be transmitted via email, unless a serious safety issue is involved.

      a. Any such emails will not be accepted or included in the administrative file. Regulatory actions/decisions will not be made based on these types of emails.
         i. The CBER recipient will respond (either by telecon or via secure email) to acknowledge receipt of the email and to let the sponsor/applicant know the appropriate means of submission, e.g., ESG, eSubmitter.
         ii. Emails received from the sponsor/applicant and not accepted as the official document are not tracked in CBER's regulatory databases.
         iii. Such emails will be deleted from Outlook mailboxes after contacting the sponsor/applicant to prevent inadvertent disclosure.
         iv. CBER personnel should discourage sponsors/applicants from providing emails without prior approval.

      b. Exception - CBER will accept formal IND submissions via email for Individual Patient Use under the Expanded Access provisions found at 21 CFR 312.310 [also referred to as single patient expanded access (SPIND)].
         i. For oncology product related submissions that are received from "Project Facilitate," CBER staff must follow the procedures below for incoming regulatory emails to ensure proper uploading into CBER's EDR in a timely manner.
         ii. SPINDs submitted by a sponsor/investigator may be emailed to CBERSPIND@fda.hhs.gov. All new submissions should be clearly identified in the subject line as a new request, e.g., Original Submission SPIND. Any subsequent IND amendments should include the assigned IND number in the subject line, e.g., Amendment to IND xxxxx.

   3. For MDUFA submissions, including BLA submissions for IVD devices, most of which are subject to the eCopy requirements for medical devices as required by Section 745A(b) of the Federal Food, Drug, and Cosmetic Act (FD&C Act), added by section 1136 of the Food and Drug Administration Safety and Innovation Act (FDASIA) (Pub. L. 112-144), incoming emails will be accepted and then managed according to DCC Procedure Guide 26: Use of Email for Regulatory Communications except that emails with many or large attachments should be submitted on electronic media through DCC. Note that for MDUFA submissions, prior agreement on the acceptance of incoming email is implicit based on the eCopy Program for Medical Device Submissions and other guidances pertaining to medical device communications.

C. Outgoing Regulatory Secure Emails

   1. CBER staff will send outgoing emails containing regulatory information (see definition above) only through secure email for all product types, including MDUFA/device submissions.

   2. Emails must be sent from official FDA email accounts only as they are secure.

   3. The email's subject line will clearly define the topic addressed in the communication and the related submission tracking number (STN), if assigned.

   4. CBER staff is discouraged from creating email strings when communicating information to outside organizations regarding regulatory information. If an email string must be used and it contains an attachment with information used in regulatory decision making, the attachment must be included in the final documentation.

   5. CBER generated regulatory letters that are signed and locked using the PIV badge may be issued to the sponsor/applicant by secure email (refer to SOPP 8116: Use of Electronic Signatures for Regulatory Documents and JA 820.01: Guide for CBER's Electronic Signature Process). Note: the email with the letter attached that is sent to the applicant or sponsor should not be uploaded to the EDR.

   6. Outgoing secure email may be used in place of telephone communication to relay regulatory issues and requests for information.

   7. Communications via secure email should include only information pertinent to the referenced application or a related precursor submission (e.g., pre-IND or Master File). Exceptions would include a trans-BLA or a bundled submission, i.e., multiple submissions "bundled" consistent with MDUFA provisions for bundling and the citing of predicates.

VI. Responsibilities

A. Document Control Center (DCC)
   1. Process any email submissions/amendments as appropriate for the submission type.
   2. Send load notifications when document loading is complete.

B. Regulatory Project Manager (RPM)
   1. Provide CBER's DCC with a full electronic version of emails accepted as regulatory submissions. Note: this only applies to submissions not required to be in electronic format as described in Policy Section B(2), above.
   2. Ensure all email communications are captured in the appropriate regulatory database and imported into CBER's EDR.
   3. Send regulatory communications via secure email only and ensure correct recipient is selected if auto-complete function of MS Outlook is used.

C. CBER recipients (of emails from sponsors/applicants) and authors of secure email
   1. Include the RPM on all outgoing secure emails pertaining to a regulatory submission.
   2. Ensure email is only sent to recipients that have secure email and that correct recipient is selected if auto-complete function of MS Outlook is used.
   3. Provide information about how to obtain secure email to those that need instructions (see Appendix A).
   4. Ensure incoming email submissions meet the acceptability requirements described in the Policy Section of this SOPP.
   5. Respond to the sponsor/applicant in the appropriate time frames as documented in the procedures section.
   6. Forward all emails that did not include the RPM of a regulatory submission as an addressee within one business day to the RPM and remind the sponsor/applicant to include the appropriate RPM on all future emails.
   7. Process internal emails that capture regulatory actions or decisions as part of the administrative file, i.e., log them into the appropriate regulatory database and the EDR.
   8. Document all emails appropriately as described in the procedures section.
   9. Set Out-of-Office replies with an available point of contact for time periods away from email one day or more.

VII. Procedures

A. Incoming Regulatory Emails
   1. Notify the sponsor/applicant by phone within one business day of receipt of an email if it is inadequate or cannot be read. CBER will reach a decision on whether the email should be resent, rejected, referred to DCC, or should be submitted in another format. [RPM, CBER recipient]
   2. Remind the sponsor/applicant that all emails should be submitted to the appropriate RPM. [CBER recipient]
      a. Forward the email within one business day to the RPM for processing. [CBER recipient]
   3. If CBER agreed to accept a submission as the official document, if it is a MDUFA product communication or if it is an oncology product Single Patient IND under expanded access, provide CBER's Document Control Center (DCC) with a full electronic version of the email per DCC Procedure Guide 26: Use of Email for Regulatory Communications. [RPM or designee]

B. Outgoing Regulatory Emails
   1. Always include the RPM as a courtesy copy (cc:) on secure emails sent to sponsors/applicants related to a regulatory submission and inform the sponsor/applicant in the secure email to include the RPM on any responses or future emails, if the RPM was not included in the original email. [CBER recipient, author]
   2. Determine the appropriate communication type for the email for data entry purposes. Emails will be entered as telecons only if the information would generally have been discussed in a telecon. Refer to SOPP 8104: Documentation of Telephone Contacts with Regulated Industry for additional information. [CBER recipient, author or RPM or designee]

VIII. Appendix

A. Appendix A: Secure Email Setup

IX. References

A. References below are CBER Internal:
   1. DCC Procedure Guide #22: Procedure for Processing, Routing, and Storing Electronic Submissions
   2. DCC Procedure Guide #26: Use of Email for Regulatory Communications
   3. JA 820.01: Guide for CBER's Electronic Signature Process
   4. JA 820.05: Secure Email Verification and Email Best Practices for Regulatory Communications

B. References below can be found on the Internet:
   1. 21 CFR 601.14
   2. Guidance for Industry and Review Staff: Best Practices for Communication Between IND Sponsors and FDA During Drug Development
   3. SOPP 8104: Documentation of Telephone Contacts with Regulated Industry
   4. Guidance for Industry and Food and Drug Administration Staff: Types of Communications During the Review of Medical Device Submissions
   5. Guidance for Industry and Food and Drug Administration Staff: eCopy Program for Medical Device Submissions
   6. SOPP 8116: Use of Electronic Signatures for Regulatory Documents

X. History

Written/Revised | Approved By | Approval Date | Version Number | Comment
Monser | Christopher Joneckis, PhD | February 17, 2020 | 7 | Revised to exempt all requests for individual patient expanded access INDs
Monser | Christopher Joneckis, PhD | August 26, 2019 | 6 | Revised to change email policy for all single patient INDs and corrected typographical errors.
Martin | Christopher Joneckis, PhD | June 4, 2019 | 5 | Revised to change email policy for oncology product Single Patient INDs
Monser | Christopher Joneckis, PhD | April 14, 2019 | 4 | Revised to be consistent with SOPP 8116
Rehkopf | Christopher Joneckis, PhD | September 27, 2018 | 3 | Revised to include use of secure email and update
BPWG/RMCC | Robert A. Yetter, PhD | February 11, 2009 | 2 | Revised to include additional information on secure email
Thomas | Robert A. Yetter, PhD | September 12, 2008 | 1 | First Issuance of this SOPP

Center for Biologics Evaluation and Research SOPP 8119 Appendix A

SOPP 8119 Appendix A: Secure Email Setup

For FDA to send regulatory information via email, the email must be sent to a Secure E-mail partner, to allow FDA to digitally sign and encrypt the message.
Requests to establish secure email with FDA should be sent to SecureEmail@fda.hhs.gov. Adequate time should be allotted for Secure Email set-up before expecting email responses from FDA.

To set up secure email with the FDA you must have a non-ISP email domain. Thus, @yahoo.com, @gmail.com, @hotmail.com, @earthlink.net, @verizon.net, etc., accounts cannot be secured.

If you have a non-ISP email domain:

There are two ways to securely send email to and from the FDA:

1. S/MIME Encryption

   a. S/MIME encryption is difficult to set up, use, and maintain as everything is done at the workstation level.
      - Typically, your certificate will need to be repurchased/renewed once a year. This will require the new certificate to be installed on your workstation and coordination with the FDA to attach it to your Secure Email profile. Thus, over a 5 year period, you will switch out your certificate 5 times.
      - If you change workstations or when you renew your digital certificate, your old certificates must be preserved, otherwise you will lose the ability to read old encrypted emails.
      - If you have a Blackberry (or other mobile device), you will not be able to read the encrypted emails unless you install the Blackberry (or similar) S/MIME application and copy your certificate over. Any new certificates will need to be copied over.
      - For each FDA user or mailbox you wish to securely communicate with, a one-time setup process is required to create an FDA Outlook contact and corresponding FDA proxy certificate.
      - S/MIME is set up on a per user basis. Thus, if you wish 10 of your users to send secure email to the FDA, then they each have to be configured individually.
      - Your email server may apply disclaimers or legal notices on all outbound emails. An exception will need to be applied to the email server's transport rule to avoid doing this when sending to the FDA. The reason is that disclaimers affect how S/MIME protected email is repackaged. These alterations cannot be processed correctly by the FDA S/MIME Email Firewall. Therefore, add the disclaimers via your email client (i.e. make it part of your default signature). If your organization requires these disclaimers to be appended by your email server, then you cannot use S/MIME and must use TLS.

   b. S/MIME does have the following advantages:
      - Technically adept users can set this up themselves and not involve their email administrators.
      - "End-to-end" encryption can be achieved. Thus, from your email client to an FDA internal S/MIME Email Firewall, the message is encrypted. This encryption is typically preserved regardless of the intermediate infrastructure.
      - Email sent to and received from the FDA will remain encrypted in your Inbox. Thus, even if your emails are stolen, they will remain encrypted.
      - A one year digital ID (email certificate) for one person is around $60.
      - After the certificate is purchased and installed, typical setup with a knowledgeable IT staff is a couple hours.
      - After the first user in your organization is set up, the FDA S/MIME instructions can be shared and users can set up themselves; no intervention by the FDA Email Team is required.

2. Secure SMTP over TLS encryption

   a. Secure SMTP over TLS encryption (RFC 3207) is far simpler to set up from the user perspective.
      - The configuration is done at the email server level and only involves your email administrator.
      - It will be your email administrator's responsibility to ensure all the intermediate links between your infrastructure and the FDA (and vice-versa) are TLS encrypted.
      - Everyone at your organization will be able to send email securely to the FDA.
      - A one year DigiCert SSL certificate is $175. A three year certificate is $420.
      - If your organization's email system is all internal, then total setup time is:
         - Certificate purchase and receipt is typically one to two days as the provider may need to perform verification.
         - Certificate installation and TLS setup with a knowledgeable email administrator is a couple of hours and a few emails.
      - If parts of your organization's email system are outsourced, then setup time may be considerably longer as coordination with a third party and multiple links are involved.

S/MIME Instructions

Listed below is an overview of the steps of setting up S/MIME encryption with the FDA.

1. The FDA proxy S/MIME server has been tested with the following clients:

   Windows 10 with Outlook 2016
   These instructions have been tested with Windows 10 and Outlook 2016. Previous versions of Windows and Outlook have worked. Therefore, you need to adapt these instructions to your particular combination of Windows and Outlook. For assistance, please contact your local IT Help Desk resources.

   Mac OS X 10.12.3 (Sierra) with Outlook 2016
   These instructions have been tested with Mac Sierra and Outlook 2016. It is unlikely previous versions of Outlook will work correctly. It is unknown if previous versions of Mac will work. For assistance, please contact your local IT Help Desk resources.

2. Obtain and install a digital ID from a Certificate Authority that has a good reputation (i.e. GlobalSign, DigiCert, etc.). (If you already have a digital ID on another computer, you should use that certificate and its private key, otherwise you will not be able to read older, encrypted emails.)
   https://www.globalsign.com/secure-email/

   SHA256 certificates are the current standard. If you have an older SHA1 certificate that has not yet expired, you may continue to use that.

   If you are the first in your email domain (i.e. @yourcompany.com) to request S/MIME Secure Email, please proceed to step #3, otherwise proceed to step #4. If you are unsure if you are the first in your company, you can proceed with step #3.

3. Send a digitally signed only (no encryption) message to:
   To: SecureEmail@fda.hhs.gov
   Subject: S/MIME request
   Specify that you would like to be configured to use S/MIME with the FDA

   Windows 10 + Outlook 2016 client
   Press the Options tab, and then press the Sign button

   Mac 10.12.3 (Sierra) + Outlook 2016 clients
   Press the Options tab, then press Security and then select Digitally Sign Message

   The FDA Email Team will then configure internal email routing to allow your email domain to send/receive email from the FDA proxy S/MIME system. When you receive confirmation from the FDA Email Team that this has been done, please proceed with the next step…

4. Send a digitally signed only (no encryption) message to:
   To: cert-query@fda.hhs.gov
   Subject: {the email address of the FDA recipient you wish to securely communicate with}

   Windows 10 + Outlook 2016 client
   Press the Options tab, and then press the Sign button

   Mac 10.12.3 (Sierra) + Outlook 2016 clients
   Press the Options tab, then press Security and then select Digitally Sign Message

   Within 5 minutes you will receive an email back with a proxy FDA certificate…

5. From that email:

   Windows 10 + Outlook 2016 client

   If you see a yellow triangle with an exclamation mark on the right side:
   a. Click on the yellow triangle, a Digital Signature Invalid dialog box will open.
   b. In the Trusting the Certificate Authority, click Trust
   c. In the Security Warning dialog box, read the warning and if you agree, click Yes
   d. Restart Outlook.

   If you decided earlier in the Trusting the Certificate Authority not to Trust the FDA Certificate Authority, complete the following steps for every FDA contact:
   a. A new contact will open, press Save then in View Source click on Outlook (Contacts)
   b. A large contact box will open that has many options. In the ribbon, locate the Certificates button.
   c. For the fda.hhs.gov (proxy)(Default) certificate, click Properties, then the Trust tab.
   d. In Edit Trust, select Explicitly Trust this Certificate then OK

   If you see a red ribbon on the right side:
   a. Open the email and locate the from field and right-click on the FDA person's name and select Add to Outlook Contacts

   Mac 10.12.3 (Sierra) + Outlook 2016 clients
   (https://technet.microsoft.com/en-us/library/jj984223(v=office.16).aspx)

   If you see a yellow triangle with an exclamation mark on the left side with the message "The signing certificate for this message is not valid or trusted"
   a. Click on the Details button and select View Signing Certificate
   b. In the View Certificate dialog box, in the top pane, click on the fda.hhs.gov certificate, then in the bottom pane, drag the root CA certificate to your desktop
   c. Open the Mac Keychain Access applet.
   d. In the top left side, select Keychains/login and in the bottom left side, select Category/Certificates
   e. Drag and drop the fda.hhs.gov.cer root Certificate into the right pane
   f. Locate the newly copied certificate and in the Trust section, select When using this certificate: Always Trust
   g. You may be prompted for your username and password to authorize the change. Enter this and press Update Settings
   h. Close and restart Outlook.
   i. The email that was received earlier should no longer display the yellow triangle with the exclamation mark and instead should have a padlock and notation "This message was digitally signed by…"

   If you see a yellow triangle with an exclamation mark on the left side with the message "The signing certificate for this message is not valid or trusted"
   j. Click the Details button and select Add Encryption Certificate to Contacts
   k. Press OK

6. You are now configured to use S/MIME secured email with your FDA contact.

IMPORTANT: It is your responsibility to keep your S/MIME certificate up-to-date. If your certificate expires, it is possible that future emails you receive from the FDA will no longer be encrypted.

SMTP over TLS Instructions:

Food and Drug Administration (FDA) Instructions for Using Secure SMTP over TLS

To get Secure SMTP over TLS (Enforced TLS / TLS Require) working between your organization and the Food and Drug Administration (FDA), please follow the instructions below:

Requirements

1. Your organization's connection must support Secure SMTP over TLS (Enforced TLS / TLS Require) - The Food and Drug Administration (FDA) only supports Secure Simple Mail Transfer Protocol (SMTP) over Transport Layer Security (TLS) (Enforced TLS / TLS Require) for secure connections between your organization and the FDA. Most modern MTAs use "Opportunistic TLS" or "TLS Preferred" when sending email. Other TLS configurations such as Opportunistic TLS or TLS Preferred are not considered secure email for two reasons:
   a. Opportunistic TLS opens the possibility of man-in-the-middle attacks - Refer to RFC 3207, Section 6 (http://www.ietf.org/rfc/rfc3207.txt)
   b. If Message Transfer Agents (MTAs) are too busy or exceed their global TLS connection limit, MTAs can drop TLS and send or receive the message in clear text, which is not secure.
   Therefore, the FDA will only support Secure SMTP over TLS (Enforced TLS / TLS Require) for secure connections.

2. Your organization's certificate keys must be of sufficient length to meet the FIPS 140-2 requirements and your MTA must have cipher suites that are compatible with FIPS 140-2. Refer to http://csrc.nist.gov/publications/PubsFIPS.html.

Please note the following:
- By default, Office 365 will use opportunistic TLS; the FDA does not consider this connection to be secure, and instead mandates the use of TLS required. Please see below: you should be able to request that your host set up the necessary TLS required connectors to the various FDA domains/sub-domains.
- As of 12/13/2012, Kerio Connect does not appear to support "TLS Require" connection; organizations using this email server will need to use S/MIME encryption instead.

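
The difference between "TLS Preferred" and "TLS Require" in requirement 1, shown as an added Python example (not FDA or vendor code). The send() helper, the FakeSession stand-in and both addresses are constructed for illustration; send() uses only methods that smtplib.SMTP provides, so the same policy logic applies to a real session.

```python
import smtplib
import ssl

# Added illustration: send(), FakeSession and the addresses are constructed.
SENDER = "regulatory@pharma.com"   # constructed sender in the page's example domain
RCPT = "reviewer@fda.hhs.gov"      # constructed recipient in an FDA namespace


class TLSRequiredError(Exception):
    """The message was held back because it would have left unencrypted."""


def strict_context():
    """Verify chain and host name, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send(session, sender, rcpt, body, require_tls):
    """Send one message over an smtplib.SMTP-compatible session.

    require_tls=False models "TLS Preferred": encrypt when offered, else send anyway.
    require_tls=True models "TLS Require": no TLS, no delivery.
    Returns "tls" or "cleartext" to report how the message left.
    """
    session.ehlo()
    encrypted = False
    if session.has_extn("starttls"):
        try:
            session.starttls(context=strict_context())
            session.ehlo()  # RFC 3207: greet again once the channel is encrypted
            encrypted = True
        except smtplib.SMTPResponseException as exc:
            # e.g. 454 from an MTA that is too busy to negotiate TLS (reason b)
            if require_tls:
                raise TLSRequiredError(f"STARTTLS refused: {exc.smtp_code}") from exc
    elif require_tls:
        # STARTTLS absent from the EHLO reply: never offered, or removed in
        # transit (reason a, RFC 3207 section 6)
        raise TLSRequiredError("peer did not offer STARTTLS")
    session.sendmail(sender, [rcpt], body)
    return "tls" if encrypted else "cleartext"


class FakeSession:
    """Constructed stand-in for smtplib.SMTP that records what would be sent."""

    def __init__(self, offers_starttls=True, starttls_reply=220):
        self.offers_starttls = offers_starttls
        self.starttls_reply = starttls_reply
        self.encrypted = False
        self.sent = []  # (was_encrypted, recipients) per delivered message

    def ehlo(self):
        return (250, b"ok")

    def has_extn(self, name):
        return name.lower() == "starttls" and self.offers_starttls and not self.encrypted

    def starttls(self, context=None):
        if self.starttls_reply != 220:
            raise smtplib.SMTPResponseException(self.starttls_reply, b"TLS not available")
        self.encrypted = True
        return (220, b"ready")

    def sendmail(self, sender, rcpts, body):
        self.sent.append((self.encrypted, tuple(rcpts)))
        return {}


def run_cases():
    """Run both policies against three constructed peers.

    Returns {(peer, policy): (outcome, messages_delivered)}.
    """
    peers = {
        "tls_offered": {},
        "starttls_missing": {"offers_starttls": False},
        "starttls_454": {"starttls_reply": 454},
    }
    results = {}
    for peer, kwargs in peers.items():
        for policy, require in (("preferred", False), ("require", True)):
            session = FakeSession(**kwargs)
            try:
                outcome = send(session, SENDER, RCPT, "Subject: test\r\n\r\nbody", require)
            except TLSRequiredError:
                outcome = "held"
            results[(peer, policy)] = (outcome, len(session.sent))
    return results


if __name__ == "__main__":
    for key, value in run_cases().items():
        print(key, value)
```

With "preferred", the two degraded peers still receive the message, in clear text; with "require", the message is held and nothing leaves.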
Instructions

Please read the following instructions carefully and follow them to ensure a secure end-to-end connection between your company and the FDA.

1. For in-house email servers: On your email server or mail appliance obtain and install a commercial grade certificate such as Verisign or Thawte. Digicert is a lower cost alternative that is trusted by our MTA. Do not use a self-signed certificate or a private CA signed certificate.

   In the future, the FDA will be enabling FIPS 140-2 on the Internet-facing MTA's. Therefore, you must ensure that your certificate keys are generated with sufficient length. If using RSA as the asymmetric algorithm, you must use at least a 2048-bit key size when generating the public/private keys. On your MTA, you must ensure that you have cipher suites that are compatible with FIPS 140-2. http://csrc.nist.gov/publications/PubsFIPS.html

   When installing the certificate it is important to install any intermediate/issuing CA's (the root cert is optional). Failure to install the intermediate/issuing CA's may result in a certificate verification/validation failure: "unable to get local issuer certificate". Note: If you use a Barracuda MTA, you may need to combine your leaf and intermediate/issuing CA certificates into a single .pem file, install it, and then reboot the appliance.

   Your certificate should have the names specified in your external DNS. Thus, if your external DNS name is smtp.pharma.com, that should be the Common Name and, if you use them, one of the Subject Alternative Names. Or, if you are using multiple email servers, you can use a wildcard certificate by specifying *.pharma.com for your Common Name.

   The FDA will use the MTA(s) specified in your organization's MX records and will not create special routes to "TLS only" MTA(s).

   Part of the verification process is to do a reverse DNS lookup on your mail server/appliance specified by your organization's MX records. Thus, if smtp.pharma.com is at 100.100.15.16, then a reverse lookup of 100.100.15.16 should return smtp.pharma.com. You can only have one PTR record per IP address.

   You may want to verify your TLS configuration with http://www.checktls.com/perl/TestReceiver.pl. Put your email address in and for "Level of Output" select "CertDetail". Address any issues that are highlighted in yellow. One problem this website tool has is that it does not verify wildcard certificates. However, the FDA's MTA will accept wildcard certificates. Therefore, although this website's TLS verification methods differ slightly from the FDA's methods, it is useful in identifying the majority of TLS problems.

   It may be helpful to examine how TLS is set up (MX records, Public-Key key length, etc.) on the FDA's boundary MTAs. To examine this, go to http://www.checktls.com/perl/TestReceiver.pl, type in: SecureEmail@fda.hhs.gov and for "Level of Output", select "CertDetail".

   The FDA MTA's use DigiCert certificates. This should be trusted by most MTA's. However, if you need to install the root certificate, you can download it here: https://www.digicert.com/CACerts/DigiCertGlobalRootCA.crt

2. Certificates: Configure your organization's MTA to use "TLS require" when sending to the FDA. The following are the FDA namespaces that may need to be configured on a custom TLS "send" or "SMTP" connector (if using Exchange):

   fda.hhs.gov
   fda.gov
   cber.fda.gov
   cder.fda.gov
   cdrh.fda.gov
   cfsan.fda.gov
   cvm.fda.gov
   nctr.fda.gov
   oc.fda.gov
   oci.fda.gov
   ora.fda.gov

   At this time do not configure MTLS with the FDA. This is not currently supported.

   If you use Exchange as your internet-edge MTA, you may find the following helpful:

   TLS with Exchange 2003: http://support.microsoft.com/kb/829721

   TLS with Exchange 2007/2010: If you configure a custom "TLS Require" send connector, then you will need to run this PowerShell command:

      Set-SendConnector -Identity "name of connector" -RequireTLS:$true

   Following the recommendations in IETF RFC 7525:
   - MTAs must not negotiate SSLv3 (due to POODLE risk).
   - TLS 1.0 and 1.1 do not support some of the strong ciphers and should be used only when TLS 1.2 or higher version is not available.
   - Implementations should not use symmetric cipher suites with key length less than 256 bits. In case of RSA, the minimum is 2048 bits.

3. Outsourced Services: Is any part of your email flow (sending or receiving) outsourced? Is your email hosted by a 3rd party? If so then you may need to contact your provider for assistance. They will also need to ensure that any links that connect through the Internet from the FDA to you are encrypted. For example:

   Sending to the FDA
   a. Do you use a "smart host" on your in-house email server? If so, you should ensure that the connection between your email server and the smart host is "TLS Require" (not "TLS Preferred") encrypted. Also, the hop between your "smart host" and the FDA should also be "TLS Require" encrypted (not "TLS Preferred"). Any links that your "smart host" provider exposes to the Internet when routing your email should also be encrypted.
   b. If your email servers are hosted, does your email client have an encrypted connection to the hosted email server? Also, you will need to contact your email vendor to ensure that any email sent to the FDA domains (listed above) is sent only "TLS Require".

   Receiving from the FDA
   The FDA can only guarantee that the first link between the FDA and the servers specified in your public MX records is "TLS Require" encrypted; beyond that it is your responsibility to ensure the remaining links are encrypted. Thus:
   a. Where do your DNS MX records point? If they point to outsourced servers, you will need to contact the vendor to ensure that when they route your email over the Internet the path is over "TLS Require" links. The same would apply if your MX records point to outsourced anti-virus/anti-spam servers. When they deliver the email to you, it should be done over "TLS Require" links.

   If you use Google G Suite, please note the following: https://support.google.com/a/answer/2520500?hl=en

   Whenever you switch email and/or anti-malware providers, make sure that the above precautions are adhered to. This will ensure that any Internet links are encrypted.

   If your provider requires any information on how the FDA is configured (Certificate Authority used, certificate key size, IP addresses, etc.), then go to http://www.checktls.com/perl/TestReceiver.pl, type in: SecureEmail@fda.hhs.gov and for "Level of Output" select "CertDetail".

4. Test Message to FDA: Send me an email indicating the "TLS Require" has been set up outgoing to FDA. Check your message tracking logs. If the message fails to get delivered to the FDA, recheck your configuration.

5. Test Message from FDA: When I receive that email, and after your configuration is verified, I will correspondingly switch the FDA's outgoing connection to your organization to "TLS Require" and send you an email. If there are any issues, I will drop the connection back to "TLS Preferred" and contact you.

6. S/MIME Usage: If TLS is working and you are currently using proxy S/MIME with the FDA:
   a. Your S/MIME secure email configuration will be removed from the FDA servers.
   b. You will need to remove the FDA proxy certificate from your users' Outlook FDA contacts (if these exist) and instruct your users not to press "encrypt" when sending to the FDA as encryption will be handled automatically from the server-side.

Certificate Renewal Reminder: As a suggestion, you may want to create a calendar reminder one month before your TLS certificate is due to expire. This time frame would be sufficient time to renew and install your new certificate.
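
A pre-flight check for the certificate and DNS conditions in step 1 of the TLS instructions and for the renewal reminder above, as an added Python example (not FDA code). Function names and sample certificates are constructed; the host name and address are the page's own smtp.pharma.com / 100.100.15.16 example, and the DNS lookups are passed in as callables so the check runs offline.

```python
import ssl

# Added illustration: names and sample records below are constructed.
MIN_RSA_BITS = 2048        # minimum RSA key size stated in step 1
RENEWAL_WINDOW_DAYS = 30   # "one month before" from the renewal reminder


def name_matches(pattern, host):
    """True if a certificate name covers host; '*' stands for one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """Collect SAN DNS entries and Common Names from a getpeercert()-style dict."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [value for key, value in rdn if key == "commonName"]
    return names


def check_mx_host(host, cert, rsa_bits, resolve, reverse, now):
    """Return findings for one MX host; an empty list means every check passed.

    cert     dict shaped like ssl.SSLSocket.getpeercert() output
    rsa_bits public key size, supplied separately (getpeercert() omits it)
    resolve  callable host -> IP string; reverse: callable IP -> PTR name
    now      current time in seconds since the epoch
    A private CA cannot be recognised from these fields; normal chain
    validation against the public trust store covers that case.
    """
    findings = []
    if not any(name_matches(n, host) for n in cert_names(cert)):
        findings.append("certificate names do not cover " + host)
    if cert.get("issuer") == cert.get("subject"):
        findings.append("certificate is self-signed")
    if rsa_bits < MIN_RSA_BITS:
        findings.append(f"RSA key is {rsa_bits} bits, below {MIN_RSA_BITS}")
    ip = resolve(host)
    ptr = reverse(ip).rstrip(".")
    if ptr.lower() != host.lower().rstrip("."):
        findings.append(f"PTR for {ip} is {ptr}, not {host}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        findings.append("certificate has expired")
    elif days_left < RENEWAL_WINDOW_DAYS:
        findings.append(f"certificate expires in {int(days_left)} days, renew now")
    return findings


def _name(cn):
    return ((("commonName", cn),),)


# Constructed sample certificates in getpeercert() layout.
GOOD_CERT = {
    "subject": _name("*.pharma.com"),
    "issuer": _name("Example Public CA"),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}
BAD_CERT = {
    "subject": _name("mail.pharma.com"),
    "issuer": _name("mail.pharma.com"),
    "subjectAltName": (("DNS", "mail.pharma.com"),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}


def demo():
    """Check one well-configured and one misconfigured constructed host."""
    host = "smtp.pharma.com"
    resolve = lambda h: "100.100.15.16"
    early = ssl.cert_time_to_seconds("Jan  1 00:00:00 2030 GMT")
    late = ssl.cert_time_to_seconds("May 20 12:00:00 2030 GMT")
    good = check_mx_host(host, GOOD_CERT, 2048, resolve,
                         lambda ip: "smtp.pharma.com.", early)
    bad = check_mx_host(host, BAD_CERT, 1024, resolve,
                        lambda ip: "host16.isp.example", late)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("good:", good)
    print("bad:", *bad, sep="\n  ")
```

For a live check, pass socket.gethostbyname as resolve and a wrapper around socket.gethostbyaddr as reverse, and take cert from a verified TLS connection to the MX host.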