For state agencies: All state agencies must consult with the Chief Information Officer before contracting with an approved digital signature vendor. User education is a critical component for ensuring the viability of digital signatures, and the integrity of digital signatures rests upon the confidentiality of authentication credentials.
For digital signature vendors: For a vendor to be approved, its product must meet the following criteria:
- It must be based upon the X.509 Public Key Infrastructure;
- It must provide seamless integration with the PDF document format;
- It must provide seamless integration with Microsoft Active Directory;
- The interface to the Signer must be either web-based or a free download;
- The data center must be certified as either "SSAE 16 Type II (American Institute of Certified Public Accountants)" or "FedRAMP compliant Cloud Service Provider (Federal General Services Administration)";
- All transmission between the Signer's device and the data center must be encrypted to the AES-256 (National Institute of Standards and Technology) strength; and
- The Verification and Tamper-Resistance elements must be embedded within the document, as well as stored in the data center.
Any vendor seeking approval must complete and submit the Request for Product Acceptance (PDF).
- Digital Signature Rule (Word)
- Approved Products: Adobe Sign, DocuSign, PandaDoc, and RightSignature
- For the Executive Branch, the CIO has limited the Digital Signature portfolio to Adobe Sign and DocuSign.