E-Signature Components & Controls — §11.200
Electronic Signature Components and Controls. Electronic signatures that are not based upon biometrics shall employ at least two distinct identification components, such as an identification code and password, in accordance with §11.200. The following controls shall be implemented based on the signing context:

(a) For electronic signatures executed during a single continuous period of controlled system access (a single signing session), the first signing shall require all identification components (e.g., both user ID and password); subsequent signings during the same session may use at least one component (e.g., password only) that is uniquely executable only by the individual, provided the session has not been interrupted or terminated.

(b) For electronic signatures executed during periods that are not part of a single continuous session, each signing instance shall require all identification components (e.g., both user ID and password).

(c) The system shall be configured to determine when a signing session has ended or been interrupted (e.g., through session timeout, user logout, or system lock), thereby requiring full re-authentication for subsequent signatures.

(d) Each identification component shall be distinct: the identification code shall uniquely identify the individual, and the password or other component shall be known only to the individual and the system.

(e) For biometric-based electronic signatures, the biometric shall be designed to ensure that it cannot be used by anyone other than the genuine owner.

(f) The configuration of electronic signature components, session management rules, and signing behavior shall be documented in the system design specifications and verified during validation.
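The session rules in (a) through (c) form a small state machine, shown here as an added Python example that is not part of the regulation or of any particular system; the 15-minute inactivity timeout, the PBKDF2 credential store and the user and record names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class SigningSession:
    user_id: str
    last_activity: float         # time of login or last signing, in seconds
    first_signing_done: bool = False
    ended: bool = False          # set by logout, system lock or timeout

class SignatureService:
    """11.200(a)-(c): all components on a session's first signing, password only after, full re-auth once ended."""
    def __init__(self, timeout_s: float = 900.0):   # assumed 15 min inactivity limit (c)
        self.timeout_s, self._creds, self._sessions = timeout_s, {}, {}
    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)                        # salted PBKDF2, never the plain password
        self._creds[user_id] = (salt, _hash_pw(password, salt))
    def _password_ok(self, user_id: str, password: str) -> bool:
        rec = self._creds.get(user_id)
        return rec is not None and hmac.compare_digest(_hash_pw(password, rec[0]), rec[1])
    def login(self, user_id: str, password: str, now: float):
        """Starts a continuous period of controlled access; returns a session id or None."""
        if not self._password_ok(user_id, password):
            return None
        sid = os.urandom(16).hex()
        self._sessions[sid] = SigningSession(user_id, now)
        return sid
    def end_session(self, sid: str) -> None:
        """Logout or system lock (c): any later signing needs a fresh login."""
        if sid in self._sessions:
            self._sessions[sid].ended = True
    def sign(self, sid: str, record: str, password: str, now: float, user_id=None):
        """Returns (signed, reason); user_id is mandatory only on the first signing."""
        s = self._sessions.get(sid)
        if s is None or s.ended:
            return False, "no active session: full re-authentication required"
        if now - s.last_activity > self.timeout_s:   # (c) inactivity ends the session
            s.ended = True
            return False, "session timed out: full re-authentication required"
        # (a) first signing needs the user ID; a supplied ID must always match the session owner
        if (user_id or not s.first_signing_done) and user_id != s.user_id:
            return False, "first signing in a session requires user ID and password"
        if not self._password_ok(s.user_id, password):   # (a)/(b) the password is always required
            return False, "password does not match"
        s.first_signing_done, s.last_activity = True, now
        return True, f"{record} signed by {s.user_id}"
```

A failed signing attempt deliberately does not refresh `last_activity`, so repeated bad passwords cannot keep an idle session alive.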