The FDA’s Electronic Submissions Gateway (ESG) was released in 2006 to streamline electronic regulatory submissions to the FDA, including adverse event reports, new drug applications, license applications and many more. The FDA publishes a list of all supported document types and their associated centers.
Bringing this process online allows the FDA to “process regulatory information automatically, functioning as a single point of entry for receiving and processing all electronic submissions in a highly secure environment.” This saves time for both the submitter and the recipient, while ensuring the right documents get to the right people in a timely, secure manner.
There are two methods for submitting to the ESG:
- WebTrader portal – a web interface for lower volume submitters, where users can log in and submit documents.
- AS2 (Applicability Statement 2) – a system-to-system or gateway-to-gateway option for batch or higher volume submissions. This option requires gateway software implementation on the submitter’s end.
Both methods can be used within the same organization. The FDA publishes considerations to help you choose which method to use, including whether you have the internal resources available to install and configure the AS2 Gateway.
How Are FDA ESG Submissions Secured?
The FDA ESG leverages PKI and digital certificates to secure these communications – encrypting transmissions, ensuring only intended recipients can read the message, authenticating the sender, supporting non-repudiation, and creating a tamper-evident seal on the contents. Before you can submit using either the WebTrader or AS2 methods, you need to obtain the appropriate type of digital certificate.
Digital Certificates for End Users
Every user who intends to submit documents via the ESG WebTrader portal or via the AS2 gateway-to-gateway option needs to obtain a personal digital certificate. As per the FDA, ESG WebTrader accounts cannot be shared and individuals are limited to one account. The certificate binds the user’s email (and optionally name and company name) to a pair of cryptographic keys that are used to encrypt and digitally sign the submission. This functionality is what enables the security benefits mentioned above:
- only the FDA (the intended recipient) can actually read your submission;
- they can verify that it was actually you who sent the submission (by seeing your third-party-verified email/name in the certificate); and
- a warning message will be shown if any changes have been made to the submission since it was digitally signed.
SSL Certificates for AS2 Servers
If you decide to use the AS2 method for submitting, where you set up your own gateway software and server rather than using the WebTrader online interface, the FDA requires you to use SSL to secure that server. Installing an SSL Certificate on your server identifies it and encrypts the data transmitted between it and the FDA’s systems.
How to Use your Personal Certificate to Submit to the ESG
The FDA has fairly comprehensive documentation for setting up your ESG accounts and we highly recommend you consult their materials throughout the process:
- FDA ESG User Guide.
- Setting up a WebTrader Account Checklist: follow these steps from the FDA if you plan to use the WebTrader portal for submissions.
- Setting up an AS2 Account Checklist: follow these steps from the FDA if you want to set up an AS2 Gateway for submissions.
- Tutorials from the FDA: learn how to send a test submission and register for a test account, both of which are required steps in the checklists mentioned above.
However, they do not go into much detail when it comes to certificates. For example, to set up your test account, they specify you’ll need to know the file location of your digital certificate. What does that mean?
We get a lot of questions from ESG users, many of whom are using certificates for the first time. To supplement the materials from the FDA, we’ve put together the following certificate-centric articles to help:
- Download and install your certificate: follow these steps after your certificate has been issued. The first few steps are specific to GlobalSign, but after that, they apply to any certificate using the Certificate Import Wizard (native to Windows).
- Export your public key: follow these steps to export the public key of your certificate, which you will need to provide to the FDA. This is actually what they are asking for in that question above – the file location of your digital certificate.
- Update your public key: follow these steps if you had to reissue or renew your certificate (i.e. get a new certificate after your current one expires). These instructions are for users that already have FDA ESG accounts.
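As an added illustration (not GlobalSign or FDA code), the sketch below checks that an exported file is a bare public certificate, and not a PFX bundle or private key, before it is shared. It reads only the leading DER fields and does not validate signatures or expiry; the function names and the sample byte stubs are constructed for this example.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_header(buf, pos):
    """Decode one DER tag/length header: (tag, value_start, value_length)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, length

def classify_der(der):
    """Classify a DER blob by its first fields only (no signature checks)."""
    try:
        tag, pos, _ = read_header(der, 0)
        if tag != 0x30:  # every format handled here is an outer SEQUENCE
            return "unknown"
        tag, pos, length = read_header(der, pos)
        if tag == 0x02:  # leading INTEGER is a version number, not a certificate
            version = der[pos:pos + length]
            if version == b"\x03":
                return "pkcs12"  # PFX version 3: bundles the private key
            return "private-key" if version in (b"\x00", b"\x01") else "unknown"
        if tag == 0x30 and read_header(der, pos)[0] == 0xA0:
            return "certificate"  # tbsCertificate opening with [0] version (X.509 v3)
    except IndexError:
        pass  # truncated input
    return "unknown"

def safe_to_share(data):
    """Return (ok, reason); ok is True only for a bare X.509 v3 certificate."""
    blocks = PEM_BLOCK.findall(data.decode("latin-1"))
    if not blocks:  # no PEM armour: treat the file as binary DER
        kind = classify_der(data)
        return kind == "certificate", kind
    if any("PRIVATE KEY" in label for label, _ in blocks):
        return False, "private-key"
    kinds = {classify_der(base64.b64decode(body)) for label, body in blocks
             if label == "CERTIFICATE"}
    ok = kinds == {"certificate"}
    return ok, "certificate" if ok else "unknown"

# Constructed stubs: only the leading bytes of each format, not real credentials.
CERT_STUB = bytes.fromhex("300a3008a003020102020101")
PFX_STUB = bytes.fromhex("3003020103")
KEY_STUB = bytes.fromhex("3003020100")
```

On a real export, pass the file's bytes to `safe_to_share`; anything other than `(True, "certificate")` means the file should not leave your machine as-is.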
Using certificates doesn’t have to be complicated, but I understand there can be a bit of a learning curve if you’ve never encountered them before. I hope this article helps clear things up for those of you working with the FDA ESG for the first time – or for the veterans that could use a refresher. If you have any other questions, please don’t hesitate to contact us.