Current through 2024-51, December 18, 2024
Section 250-950-8 - DIGITAL SIGNATURE PRODUCT APPROVAL

A. A Digital Signature product must be approved by the Chief Information Officer of the State of Maine in order to be accepted for transactions involving a State Agency.

B. The list of approved Digital Signature products for transactions involving a State Agency will be maintained at the Office of Information Technology (OIT) Internet site, and will be updated periodically by the Chief Information Officer.

C. Digital Signature product vendors may apply to the Chief Information Officer through the OIT Internet site at any time to request acceptance of their products for transactions involving a State Agency.

D. In order to be accepted for transactions involving a State Agency, a Digital Signature product must satisfy the requirements of this Rule, including all of the following criteria:

   1. It must be based upon the X.509 Public Key Infrastructure;
   2. It must provide seamless integration with the PDF document format;
   3. It must provide seamless integration with Microsoft Active Directory;
   4. The interface to the Signer must be either web-based or a free download;
   5. The data center must be certified as either "SSAE 16 SOC 2 Type II (American Institute of Certified Public Accounts)" or "FedRAMP compliant Cloud Service Provider (Federal General Services Administration)",
   6. All transmission between the Signer's device and the data center must be encrypted to either AES-256 or 3DES (National Institute of Standards and Technology) strength; and
   7. The Verification and Tamper-Resistance elements must be embedded within the document, as well as stored in the data center.

E. Prior to implementing Digital Signatures, a State Agency must consult with the Chief Information Officer.

29-250 C.M.R. ch. 950, § 8