22.1.1 A mechanism shall be built into the cGaming System to verify the integrity of the Critical Game Software stored at SSM that is deployed to production, including before changes are implemented, as well as on an ongoing basis to ensure the approved software is being used, and to ensure no unauthorized changes are made to the approved software.
At a minimum, the cGaming System must be successfully authenticated:
- Immediately prior to startup;
- Automatically at regular intervals during operation; and,
- On demand by the Operator, or AGCO.
Note: The authentication method will be evaluated on a case-by-case basis and approved by the Registrar based on good industry practices, e.g. calculation of software SHA-1 values which are compared against a protected master list of signatures (i.e. encrypted SHA-1 values).
22.1.2 If the self-authentication fails per 22.1.1 a) and b), the software that fails authentication must enter an error condition, safely stop operation and notify the Operator.
22.1.3 The results of each authentication must be recorded in an unalterable report which is available to the AGCO. This report must include a pass/fail condition with details on which software did not pass the authentication.