OFFICE OF ENVIRONMENTAL INFORMATION
February 2009

CROMERR
Effective Approaches: Application Challenges/Solutions

This document presents 17 common challenges identified in CROMERR applications received by
EPA through January 2009. For each challenge, it presents  the CROMERR issue or deficiency,
examples of effective approaches to resolving them, and the EPA-approved systems that use
these effective approaches. This document should be used  by state and local environmental
agency officials and system managers to help them in planning systems that are CROMERR
compliant, preparing CROMERR applications, and, for submitted applications, responding to
notices from EPA of issues and deficiencies.

The application challenges discussed include general application issues, such as missing
information from the CROMERR application cover sheet, and issues associated with specific
CROMERR checklist items, such as not documenting transmission errors under Item 8 of the
CROMERR checklist. General challenges are discussed first, followed by challenges specific to
CROMERR checklist items.

Approved CROMERR applications are available at EPA's CROMERR web site for approved
CROMERR applications. The CROMERR application cover sheet and checklist template are
available at EPA's CROMERR Tools web site.

The examples of effective approaches provided do not include all possible effective approaches.
In addition, the examples may include system-specific details that may not be shared by all
systems identified as using a similar approach.  Some of the language in the examples has been
summarized and edited for brevity and clarity. The examples provided are focused on the issues
and deficiencies identified. They do not necessarily represent a complete answer for the
CROMERR checklist items listed.

Common Application Challenges: General Application Issues
General Application Challenges/Solutions
 1.  Listing of Authorized Programs - 40 CFR § 3.1000
     Common Issues/Deficiencies: The application does not identify the authorized state
     program to be amended or revised to allow e-reporting.

     The state must identify the authorized program to be amended or revised. The authorized
     program must be identified in the Federal Register Notice announcing approval of the
     program revisions. If the applicable program is not accurately identified in the Federal
     Register Notice, then the revisions will not be approved for the correct program.

     Examples of Effective Approaches:

     Applicants should clearly identify the state program to be amended or revised, such as
     RCRA, CWA, CAA, or other program designation. This is most commonly done on the
     application cover sheet. For applications that cover multiple reports under different
     authorized programs, the state should be sure that the indicated applicable programs
     cover all of the reports. For example, the application cover sheet for the Oklahoma
     Department of Environmental Quality Electronic Document Receiving System ("OK DEQ
     EDRS") indicates the name of the state program as RCRA in the name of Report 1  for their
     system as follows: "Report 1: *Regulated Waste Activity Notification (RCRA)."
     Systems Using a Similar Approach:
        •   Delaware DNREC ORS
        •   Indiana IDEM eAuth
        •   North Dakota ERIS
        •   OK DEQ EDRS
        •   Texas NetDMR
        •   Texas STEERS
2. Identification of Each Report by CFR Citation - 40 CFR § 3.1000
     Common Issues/Deficiencies: The application does not identify the CFR citation for
     each report received by the system or it does not identify them correctly. The state must
     identify the correct CFR citation for each electronic report received by the system. For
     priority reports, the correct CFR citations are identified in 40 CFR § 3.2000 Appendix 1
     Part 3. The CFR citations will be listed in the Federal Register Notice announcing approval
     of the program revisions.  If the CFR citations are incorrect, the program revisions will not
     be approved.  Applications may also include planned future reports.  By including planned
     future reports, if they are approved, the submitter can avoid the need to amend their
     application or submit a new application when their systems begin accepting them.
     Examples of Effective Approaches: Applicants should clearly identify the correct
     CFR citation for each report received. This is most commonly done on the
     application cover sheet. For example, the cover sheet for the OK DEQ EDRS application
     indicates that the citation for their "Regulated Waste Activity Notification (RCRA)" report is
     40 CFR Part 261.
     Systems Using a Similar Approach:
        •   Delaware DNREC ORS
        •   Indiana IDEM eAuth
        •   North Dakota ERIS
        •   OK DEQ EDRS
        •   Texas NetDMR
        •   Texas STEERS

3. Attorney General Certification Statement - 40 CFR § 3.1000(b)(1)(i)
     Common Issues/Deficiencies: The application does not include a certification of
     sufficient legal authority to implement electronic reporting signed by the State Attorney
     General or a designee. The State Attorney General or a designee must certify that the
     state has sufficient legal authority to implement electronic reporting before the application
     can be approved.
     Examples of Effective Approaches: An example of a signed certification is available in
     the approved OK DEQ EDRS application. It can be found at:
     http://epa.gov/cromerr/Oklahoma%20Application%20Docs/Attach12%20Attorney%20Statement.doc
     Systems Using a Similar Approach:
        •   Delaware DNREC ORS
        •   Indiana IDEM eAuth
        •   North Dakota ERIS
        •   OK DEQ EDRS
        •   Texas NetDMR
        •   Texas STEERS

Common Application Challenges: Issues Associated with CROMERR Checklist Items
Common Checklist Challenges/Solutions
1. (Item 1: Identity-proofing of registrant) (e-signature cases only) - 40 CFR § 3.2000(b)(5)(vii)(C)
     Common Issues/Deficiencies: No description of business processes for storing paper
     signature agreements (subscriber agreements).

     Systems using the subscriber agreement alternative must store the agreements so they
     are protected from alteration and destruction for as long as there may be any
     enforcement interest in the signatures executed with the associated electronic signature
     device. Note that this item must be addressed only for reports that require an electronic
     signature, including priority reports, where the system requires a paper electronic
     signature agreement to be signed by users. This is most commonly used by systems
     using CROMERR checklist item 1.b.alt.
     Examples of Effective Approaches:

     Example approach used by the Indiana IDEM eAuth system (this information was
     provided under Item 2 and supporting documentation from the Indiana IDEM eAuth
     CROMERR Checklist):

     The eA-AppAdmin ensures the signature agreement, the Sponsor Letter, and identity-
     proofing procedure documentation (if appropriate) are stored in a paper-based filing
     system until such time as all documents are scanned and the images stored in  IDEM's
     Virtual File Cabinet (VFC) document management system. The  VFC will rely on the FileNet
     document management software to provide the foundation functionality for capture,
     storage, and access to the documents. The VFC capture application, web application, and
     web portal will access the FileNet repository through the use of FileNet user accounts
     which have been set up with the necessary access controls to ensure secure input and
     retrieval of documents within the VFC. The quality assurance process for capture of
     documentation by the VFC will be  accomplished through the implementation of thorough
     operational procedures implemented by IDEM staff. In addition, the VFC application
     contains several safeguards to allow for the assurance of  quality and accuracy during the
     capture process.  The signature agreement, Sponsor Letter, and identity-proofing
     procedure documentation shall be retained for a period of 5 years after being notified of
     the applicant's departure from his/her sponsoring organization by a company official.
     Systems Using a Similar Approach:
        •   Indiana IDEM eAuth
        •   OK DEQ EDRS

     Example 2 of Effective Approaches:

     Example approach used by the EPA NetDMR system (this information was provided under
     Item 1 and supporting documentation for the EPA NetDMR CROMERR Checklist):

     Paper copies of the NPDES permit with signature are received by the Regional Office
     responsible for permitting and will remain on file along with any delegation of authority as
     required by  40 CFR 122.22. EPA Regions with primacy for administering the NPDES
     program using NetDMR will also receive signed  subscriber agreements from individuals
     requesting the ability to sign DMRs electronically for particular permits. Upon receipt of
     the subscriber agreement, the Regional Office will verify the permit limits and the
     signatures on the subscriber agreement through direct contact with the facility. The
     Regional Office will verify that the "Cognizant Official" is in the ICIS-NPDES database for
     every facility the user includes in the subscriber agreement and that has been verified  by
     the Region. The Regional Office will retain a paper copy of the subscriber agreement on
     file according to item #1b-alt. Upon verification, the Regional Office will assign the
     appropriate level of access in NetDMR.
     Systems Using a Similar Approach:
        •   Delaware DNREC ORS
        •   Texas NetDMR
        •   EPA CDX
        •   EPA NetDMR
2. (Item 2: Determination of registrant's signing authority) (e-signature cases only) - 40 CFR § 3.2000(b)(5)(vii)
     Common Issues/Deficiencies: Incomplete description of processes for determining a
     registrant's signing authority. Missing detail often includes:
        •  how the signing authority of registrants was verified;
        •  where multiple verification methods are described, specification of which users are
           subject to verification and which methods of verification are used.

     There must be a specifiable process for verifying a registrant's signing authority. Note
     that this item must be addressed only for reports that require an electronic signature,
     including priority reports.

     Examples of Effective Approaches:

     Example approach used by the Texas NetDMR system:

     TCEQ staff will use due diligence when processing signed Subscriber Agreements. TCEQ
     will, to the best of its ability, validate the information provided to assure accuracy and
     that it is appropriate for the requestor to be granted signatory authority for the specified
     permits. If needed, they will contact the facility to address the matter or may compare
     the authority stated on the agreement with previously mailed hard-copy reports. Once
     this review is complete, the TCEQ will assign the user's account the appropriate NetDMR
     signatory permission. Furthermore, periodic inspections by TCEQ field staff may include
     validation of the authorized facility representative who signed the subscriber agreement
     to evaluate compliance with signatory authority requirements. If circumstances indicate a
     claimed authority may not be appropriate, this will trigger an administrative review.
     Systems Using a Similar Approach:
        •   Delaware DNREC ORS
        •   Indiana IDEM eAuth
        •   OK DEQ EDRS
        •   Texas NetDMR
        •   Texas STEERS
        •   EPA CDX
        •   EPA NetDMR
3. (Item 3: Issuance (or registration) of a signing credential in a way that protects it from compromise) (e-signature cases only) - 40 CFR § 3.2000(b)(5)(i)
     Common Issues/Deficiencies: Incomplete description of security for signature devices
     such as passwords stored on their systems. Missing detail often includes:
         •   where the devices are stored;
         •   who has access to them;
         •   how they are protected from being altered or deleted;
         •   whether they are encrypted (or hashed);
         •   if encrypted, what encryption techniques are used and how the encryption keys
            are protected.

     Signature devices must be stored on the system so that they are  protected from
     compromise, tampering, and deletion. Note that this item must be addressed only for
     reports that require an electronic signature, including priority reports.

Example 1 of Effective Approaches:

Example approach using a public key infrastructure (PKI) certificate used by the OK DEQ
EDRS system:
The private key generated by the DEQ Certificate Authority Server (Microsoft Certificate
Server) is required to utilize the certificate to sign a document. The private key is
encrypted by the certificate authority server when it is generated, using industry standard
PKCS methodology (128-bit RSA). When signatories wish to utilize the certificate to sign a
document, they will be  prompted for the password needed to decrypt the private key for
use.  Certificates issued by DEQ will not be usable with any software package that does
not support private key passwords, as  those packages will not be able to decrypt the key
for use. This provides an added layer of security for the digital signature certificate by
requiring both a valid private key and a password to decrypt that private key prior to use.

As an additional layer of protection, users must select and answer 5 knowledge-based
questions from a list of 20. Each question and answer pair will be combined into a  hash
and stored on the server. Without the appropriate question and answer combination, the
hash cannot be recreated, and authentication will fail. DEQ stores only the question
selected and a hash of  the question and answer combination. The SHA-256 algorithm will
be used to generate the stored hash.

To obtain a certificate,  users must submit a wet-ink signed Electronic Signature
Agreement (ESA)  form  to DEQ. If the ESA is approved, DEQ will notify the  applicant via
email that the request has been approved and that the certificate package  is available for
download. To obtain the certificate, the user must click the hyperlink to the SSL-secured
ERS  portal that is provided in  the email. Then, the user must  log onto the ERS portal
using the strong password provided at the time of request, and  correctly answer two
randomly selected (using the millisecond as the seed of the random function) out of the
five questions. Note that to obtain the  certificate, the  requestor must log in using the
hyperlink provided in the notification email, as this hyperlink contains a 32-character
unique identifier (System Generated GUID) download key used to obtain the certificate.
The hyperlink takes the user to the portal login page and provides the server with
redirection information  (download key) to be used to access the certificate. The certificate
package will then  be available for download. Once the certificate is obtained, users must
provide their private key password each time they wish to sign a document.
Systems Using a Similar Approach:
   •  OK DEQ EDRS
   •  EPA CDX

Example 2 of Effective Approaches:

Example approach using PIN/password used by the Indiana IDEM eAuth system:

The eAuth system supports e-signature credentials for use via the real-time input and
validation of a user's eAuth Enabled Application (eA-EApp) identity credential. User access
and information exchanged with the eAuth system and all eA-EApp's is performed over
Secure Socket Layer (SSL) connections. Negotiation of the version of SSL used for secure
sessions is controlled through server configuration files. At registration, users specify
their selection of an eAuth/eA-EApp user ID and password. The eAuth/eA-EApp user ID is
automatically entered on the signature agreement submitted by the user. Users must
select a password that will not be easily guessed (e.g., names, children's names,
birthdays), and passwords must be at least eight characters long and contain a mix of
numbers and upper/lower-case letters. Compliance with this guideline is automatically
enforced by the eAuth system. Users must adhere and must explicitly acknowledge
adherence to strict policies governing access to an eA-EApp, including policies for
password protection and reporting account compromise.  Users must also select and
answer 5 knowledge-based questions from a list of 20.

User IDs are stored  in the eA-EApp registration/security database, and passwords are
securely stored by applying a one-way hash  (SHA-256) to the password, and storing  the
resulting Hex value, as well as a creation date timestamp, in the registration/security
database. Upon subsequent logins, user authentication is accomplished through a
comparison of the one-way hash value of the session-specific user-supplied password
with the hash value  of the most recently  established password. To independently secure
each knowledge-based answer, the system concatenates the user ID, question number
and user-supplied answer, hashes (SHA-256) the concatenated value, and stores the Hex
value of the  resulting hash, as well as a creation date timestamp, in the
registration/security database. Use of the eAuth/eA-EApp User ID in the hash
computation ensures that the supplied answers are tied to a particular eAuth/eA-EApp
account.

Users must answer a secret question to access their account profile. All user changes to
an account profile for a facility immediately disable access to that facility. The eA-
AppAdmin is notified via system function(s) of the change. The account owner is also
notified, via email, of all account profile changes. Thus the original owner of the
registered email address will continue to  receive account profile modification notifications,
even in the event the account is compromised. The account owner must undergo another
round of identity-proofing before the eA-AppAdmin will reactivate the account. A change
to the user's registered email is handled as a special case. The new email address is not
used for notifications (i.e. the vetted email continues to be the email address utilized for
user notifications), until the eA-AppAdmin completes the new identity-proofing and re-
enables the user's account. At that time, the new email address becomes the email of
record.

     Systems Using a Similar Approach:
        •  Delaware DNREC ORS
        •  Indiana IDEM eAuth
        •  Texas NetDMR
        •  Texas STEERS
        •  EPA CDX
        •  EPA NetDMR
4. (Item 3: Issuance (or registration) of a signing credential in a way that protects it from compromise) (e-signature cases only) - 40 CFR § 3.2000(b)(5)(i)
     Common Issues/Deficiencies:  No description of requirements for password or PIN
     strength when this is being used as the signature device, or—if requirements are
     described—no description of how system enforces those requirements.

     The system must enforce requirements for PIN/password strength where this is being used as
     the signature device. Note that this item must be addressed only for reports that require
     an electronic signature, including priority reports, where the system requires a paper
     electronic signature agreement to be signed by users.
     Examples of Effective Approaches:

     Example approach used by the OK DEQ EDRS system:

     The password must be a strong password, at least 8 characters long and containing at
     least 3 of the following four types of characters: upper case, lower case, numbers, and
     punctuation. This password is created and validated for acceptability during the
     completion of the Electronic Signature Agreement Application online.
     Systems Using a Similar Approach:
        •  Delaware DNREC ORS
        •  Indiana IDEM eAuth
        •  OK DEQ EDRS
        •  Texas NetDMR
        •  Texas STEERS
        •  EPA CDX
        •  EPA NetDMR
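The Item 3 examples above describe how signature-device secrets are stored (the IDEM eAuth unsalted SHA-256 hex of the password, and a SHA-256 of user ID + question number + answer for the knowledge-based questions; the OK DEQ EDRS selection of two of five enrolled questions), and Item 4 states the OK DEQ EDRS password rule (at least 8 characters, 3 of 4 character classes). The following is an added Python example written for this page; it is not code from IDEM, OK DEQ or EPA. It implements the scheme as described and places a salted, iterated PBKDF2 form beside it so the two can be compared. The field separator, the answer normalisation, the iteration count, the use of the operating-system CSPRNG for challenge selection, and the sample user ID and answers are this example's own assumptions, not taken from either application.

```python
"""Signature-device credential storage in the style described for IDEM eAuth
and OK DEQ EDRS (added example, not the applications' own code)."""
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional

SEP = "\x1f"                 # assumption: unambiguous field separator for concatenation
PBKDF2_ITERATIONS = 600_000  # assumption: current OWASP guidance for PBKDF2-HMAC-SHA256


def password_meets_policy(password: str) -> bool:
    """OK DEQ EDRS rule: at least 8 characters and 3 of the 4 character classes."""
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= 8 and sum(bool(re.search(c, password)) for c in classes) >= 3


def hash_password_as_described(password: str) -> str:
    """Unsalted SHA-256 hex, as the eAuth description states. It is fast and
    unsalted, so equal passwords hash equally and precomputed tables apply;
    it is kept here only to show the weak form next to the hardened one."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'iterations$salt$hash' (all hex)."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def _normalise_answer(answer: str) -> str:
    # Assumption: answers are case- and whitespace-insensitive; neither application says.
    return " ".join(answer.split()).casefold()


def kbq_hash(user_id: str, question_number: int, answer: str) -> str:
    """SHA-256 of user ID + question number + answer, as eAuth describes.
    Including the user ID ties the hash to one account: the same answer
    enrolled by two users produces two different stored values."""
    material = SEP.join([user_id, str(question_number), _normalise_answer(answer)])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def enrol_kbq(user_id: str, answers: Dict[int, str]) -> Dict[int, str]:
    """Store only question numbers and hashes; plaintext answers never reach the database."""
    if len(answers) != 5:
        raise ValueError("exactly five questions must be enrolled")
    return {q: kbq_hash(user_id, q, a) for q, a in answers.items()}


def select_challenge(enrolled: Dict[int, str], k: int = 2) -> List[int]:
    """Pick k of the enrolled questions with the OS CSPRNG. Seeding a PRNG with the
    current millisecond, as the OK DEQ description mentions, lets anyone who knows
    the request time predict which questions will be asked."""
    return sorted(secrets.SystemRandom().sample(sorted(enrolled), k))


def verify_kbq(user_id: str, enrolled: Dict[int, str], responses: Dict[int, str]) -> bool:
    """Every challenged answer must match its stored hash (constant-time compare)."""
    return bool(responses) and all(
        q in enrolled and hmac.compare_digest(kbq_hash(user_id, q, a), enrolled[q])
        for q, a in responses.items()
    )
```

The unsalted form is what the page describes; the salted, iterated form is what a reviewer would expect today, because a leaked table of unsalted SHA-256 values can be attacked with precomputed tables and at billions of guesses per second. Knowledge-based answers have far less entropy than passwords, so hashing them limits exposure on disclosure but does not make offline guessing expensive; binding them to the user ID at least prevents one cracked table from being reused across accounts.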
5. (Item 5: Binding of signatures to document content) (e-signature cases only) - 40 CFR § 3.2000(b)(5)(ii)
     Common Issues/Deficiencies:  No identification of encryption algorithms, where
     encryption was used to bind electronic signatures to submissions.

     Electronic signatures must be bound to content of submissions, so that content cannot
     change without detection after the signature is executed. Note that this item must be
     addressed only for reports that require an electronic signature,  including priority reports.
     Examples of Effective Approaches:

     Example approach used by the OK DEQ EDRS system:

     The digital signatures are created by the Windows Certificate Services server using 1024-
     bit encryption and the RSA algorithm.

     Systems Using a Similar Approach:
        •  Delaware DNREC ORS
        •  Indiana IDEM eAuth
        •  OK DEQ EDRS
        •  Texas NetDMR
        •  Texas STEERS
        •  EPA CDX
        •  EPA NetDMR
6. (Item 8: Transmission error checking and documentation) - 40 CFR § 3.2000(b)(1)-(2)
     Common Issues/Deficiencies: No description of system functions or business practices
     for:
        •  documenting transmission errors;
        •  notifying users or system administrators if transmission errors occur.

     The system must document any transmission errors, and have a process to address the
     errors.
     Examples of Effective Approaches:

     Example approach used by the OK DEQ EDRS system:

     Oklahoma DEQ will rely on the standard TCP/IP over Ethernet technologies, which the
     internet currently uses as the transfer mode for all data. In the event of a transmission
     error on a digitally signed document, the document content would change, which in turn
     would change the hash value,  thereby invalidating the digital signature and the
     document. Further, all interaction with the ERS portal, from initial application for a
     certificate and upload account through submission and review of documents, is secured
     via SSL (v3.0). For any document submitted,  regardless of the presence of a digital
     signature, the SSL underlying  protocol stack would detect changes between the
     communication end points, perceive those changes as corruptions and invalidate the
     document (changes in the encrypted document will cause  decryption to fail). Any
     transmission errors will invalidate the signed document, and will  cause SSL protocol to
     fail, thereby causing the  receiving process to fail. ERS itself does not receive invalid
     transmissions, as these are prevented by the  underlying PKI infrastructure. Transmission
     errors and changes in transmissions are handled by the protocol  stack on the server, and
     invalid uploads and transmissions are therefore not received by the ERS portal. The
     protocol failure itself is logged in the web server logs  on the host server.

     Documents that were originally sent by DEQ but no longer have the DEQ signature are
     treated as invalid and changed, and therefore are rejected. In addition, documents
     without a valid signature from an accepted signatory are treated as invalid and rejected.
     Finally, if the signature on the document does not match the user currently logged onto
     the ERS portal, the document  is treated as invalid and rejected. An email detailing the
     reason for rejection is sent to both the submitter and  the ERS Administrator. A record of
     the invalid submission attempt is created  and stored in Edoctus.  In cases where an invalid
     document is received, that document is stored as part of the invalid submission record. A
     failure message will then be presented to the  submitter indicating they must resubmit.

     Systems Using a Similar Approach:
        •   Indiana IDEM eAuth
        •   North Dakota ERIS
        •   OK DEQ EDRS
        •   Texas NetDMR
        •   Texas STEERS
        •   EPA CDX
        •   EPA NetDMR
7. (Item 8: Transmission error checking and documentation) - 40 CFR § 3.2000(b)(1)-(2)
     Common Issues/Deficiencies: No description of system provisions for transmission
     error prevention and detection, such as Secure Socket Layer (SSL). The system must be
     able to detect transmission errors.
     Examples of Effective Approaches:

     Example approach used by the EPA CDX system:

     CDX uses only SSL-secured HTTP sessions (HTTPS) for conducting business transactions.
     CDX supports SSL v3.0, 128 bits and TLS v1.0 256 bits. These protocols provide for
     encrypted application messages to be exchanged between client and server. As every
     data record must be successfully decrypted on the server using the negotiated key in
     order for the connection to remain viable, the integrity of the received data record is
     ensured. If data is found to be corrupted during transmission (i.e., the server decryption
     fails) the protocol automatically retransmits.
     Systems Using a Similar Approach:
        •  Delaware DNREC ORS
        •  Indiana IDEM eAuth
        •  North Dakota ERIS
        •  OK DEQ EDRS
        •  Texas NetDMR
        •  Texas STEERS
        •  EPA CDX
        •  EPA NetDMR
        •  EPA SDWIS
8. (Items 10 and 11: Procedures to address submitter/signatory repudiation of a copy of record (COR) and procedures to flag accidental submissions) - 40 CFR § 3.2000(b)(1)-(3)
     Common Issues/Deficiencies:  Incomplete description of how system handles
     submitter/signer repudiation, including cases where submittal is claimed to be accidental.
     Missing detail often includes:
        •  how users can repudiate a COR or report an accidental submission;
        •  how system administrators determine whether to designate a report as repudiated
           or accidental;
        •  how users can update their submission or submit a revised report.

     Where submission corrections or complete resubmissions are allowed, the  system must
     ensure that the original COR is saved or that an adequate log is kept of any changes
     made.

     Examples of Effective Approaches:

     Example approach used by the OK DEQ EDRS system:

     For documents requiring electronic signature, the signatory or another verified
     representative of the regulated entity may request repudiation after sending the signed
     submission. Users can request the repudiation online by selecting it from the list of
     submitted documents and clicking a "request repudiation" button or by contacting the
     ERS Administrator via phone or email. The ERS Administrator will notify the appropriate
     person in the division concerned for approval. If the division approves repudiation of the
     document, the ERS Administrator  will mark the document as "Cancelled." Once a
     document has been marked as repudiated, the original submitter will receive an
     automated confirmation email from ERS. The submitter can then resubmit the document.
     Systems Using a Similar Approach:
        •  Delaware DNREC ORS
        •  Indiana IDEM eAuth
        •  North Dakota ERIS
        •  OK DEQ EDRS
        •  Texas NetDMR
        •  Texas STEERS
        •  EPA CDX
        •  EPA NetDMR
9. (Item 12: Automatic acknowledgment of submission) (e-signature cases only) - 40 CFR § 3.2000(b)(5)(vi)
     Common Issues/Deficiencies: No description of procedures to prevent fraudulent
     changes to the e-mail address for automatic acknowledgments of submission. Missing
     detail often includes:
         •  how the e-mail addresses are established and changed;
         •  whether an e-mail address could be changed in the same user session in which
            data was submitted.

     The system must have procedures to ensure that the e-mail address actually belongs to
     the registrant who is supposed to be receiving the acknowledgments. Allowing a user to
     change his/her email address in the same session in which data is submitted may allow
     fraudulent address changes.

     Note that this item must be addressed only for reports that require an electronic
     signature, including priority reports.

Example 1 of Effective Approaches:

Example approach used by the OK DEQ EDRS system (this information was provided
under Items 1 and 9 of the OK DEQ EDRS CROMERR Checklist, and not under Item 12):

Registrants will be directed to DEQ's CROMERR registration web site, ERS, where they will
supply valid e-mail addresses for both the submitter and company official, as well as
other demographic information required by DEQ's Electronic Signature Agreement. For
documents requiring electronic signature, the email address associated with the ESA will
be used to provide notification of document submission and availability for review. In the
event that a notification e-mail message is undeliverable, the email server will register
this event. The ERS Administrator will regularly check the ERS mailbox and respond to
undelivered messages by attempting to obtain a valid email address by contacting the
signatory or the company official authorizing  the signatory over the phone. If the email
address has changed  since the certificate was issued, the submitter has to go through the
process of registration. This procedure is also used when the submitter requests a change
of email address.
Systems Using a Similar Approach:
   •  OK DEQ EDRS
   •  EPA CDX
Example 2 of Effective Approaches:

Example approach used by the Indiana IDEM eAuth system (this information was
provided under Items 1 and 3 of the Indiana IDEM eAuth CROMERR Checklist, and not
under Item 12):

The applicant will complete portions of the signature agreement in an online eAuth
Enabled Application (eA-EApp) registration form specifically tied to each eA-EApp. This
form requires an email address entry, among other information. All user changes to an
account profile for a facility immediately disable access to that facility. The eA-AppAdmin
is notified via system function(s) of the change. The account owner is also notified, via
email, of all account profile changes. Thus, the original owner of the registered email
address will continue to receive account profile modification notifications, even in the
event the account is compromised. The account owner must undergo another round of
identity-proofing before the eA-AppAdmin will reactivate the account. A change to a
user's registered email is handled as a special case. The new email address is not used
for notifications (i.e., the vetted email continues to be the email address utilized for user
notifications), until the eA-AppAdmin completes the new identity-proofing and re-enables
the user's account. At that time, the new email address becomes the email of record.
Systems Using This Approach:
   •  Indiana IDEM eAuth

10. (Item 12: Automatic acknowledgment of submission) (e-signature cases only) -
40 CFR § 3.2000(b)(5)(vi)
     Common Issues/Deficiencies: No description of how system maintains records of the
     automated e-mail acknowledgements of submission to demonstrate that the notifications
     have been sent. The system needs to maintain a record of the automated e-mail
     acknowledgements of submission. Note that this item must be addressed only for reports
     that require an electronic signature, including priority reports.
     Example 1 of Effective Approaches:

     Example approach used by the OK DEQ EDRS system:

     Edoctus captures and stores all emails (i.e., the date and time, address to which the
     email is sent, and the email contents). These emails are stored for the length of time
     required for retention of such records as set by the Oklahoma Department of Libraries, or
     the length of time required by rule, whichever is greater.
     Systems Using This Approach:

        •  OK DEQ EDRS
     Example 2 of Effective Approaches:

     Example approach used by the Indiana IDEM eAuth system:

     All email notifications are logged in eAuth system components. At a minimum, the
     following information is logged:
        1.  eA-EApp system
        2.  Submission document type
        3.  User ID
        4.  Timestamp
        5.  Document ID
        6.  Sender email address
        7.  Recipient email  address
        8.  Email body text content
     Systems Using a Similar Approach:
        •  Delaware DNREC ORS
        •  Indiana IDEM eAuth
        •  Texas NetDMR
        •  Texas STEERS
        •  EPA NetDMR

11. (Item 15: Procedures to flag spurious credential use) (e-signature cases only) -
40 CFR § 3.2000(b)(5)(i)
     Common Issues/Deficiencies: Incomplete description of processes for detecting and
     investigating signs of spurious credential use. Where applicants stated that they would
     review records or logs, missing detail often includes:
        •  what they would review;
        •  how often;
        •  what signs they would look for;
        •  the procedures to be used if suspicious activity is identified.

     The system must provide a process for detecting spurious credential use. Note that this
     item must be addressed only for reports that require an electronic signature, including
     priority reports.
      Example 1 of Effective Approaches:

      Example approach used by the EPA CDX system:

       Three successive login failures will result in an account lock-out condition, which will
       automatically result in an out-of-band e-mail being sent to the registered email address
       for that User ID and a message will be placed into that user's MyCDX in-box. The
       message indicates that the locked-out user must contact the CDX Help Desk and provide
       identity-proofing information in order for the CDX Help Desk to re-enable the user
       account. For CDX PKI Enabled Applications, if the associated CDX User ID does not
       match the CDX User ID associated with the X.509 certificate, CDX will reject the user's
       attempt to use the certificate in the signing process. This condition is also noted in the
       CDX audit logs. The CDX security engineers perform a weekly review of all security-
       related log files on the system (audit logs, CAM logs, etc.) and follow a documented
       security incident response procedure when any suspicious activities are noted, such as
       multiple failed login attempts, certificate validation failures, etc. This response procedure
       ensures that both CDX and Program Office authorities are notified in the event of a
       security issue.
     Systems Using This Approach:

        •  EPA CDX

     Example 2 of Effective Approaches:

     Example approach used by the EPA NetDMR system:

     NetDMR includes functions that allow NetDMR Administrators to detect compromises. For
     example, each time a user logs in, the IP and date/time of the login is stored.
     Inconsistencies in the logins, such as different IP addresses, may indicate a compromised
     password. Additionally, NetDMR will only allow a user to maintain a single concurrent
     NetDMR session. If the user is already logged in, the previous login will be invalidated.
     Frequent, overlapping login attempts may indicate a compromised password. NetDMR will
     include fraud analysis functionality, in which the logs are periodically analyzed for
     irregularities. Irregularities will be flagged for NetDMR Administrators to investigate and
     take further action, if appropriate. The irregularities NetDMR will flag include
     inconsistencies in the logins, such as use of multiple IP addresses, frequent overlapping
     login attempts from different IP addresses, and irregular submission patterns (e.g., a
     user who has submitted a single DMR every month for the past 6 months, but then
     submits 50 in one month). If it is determined that a compromise has occurred, the
     affected account will be locked and the user will be contacted.

     NetDMR also includes functions that allow NetDMR users to detect compromises. After
     each DMR is submitted, the submitter is sent a confirmation email. Also, after logging in,
     a list of the user's previous logins is displayed, including the date/time of the login and
     whether a submission was made during that session. If it is determined that a
     compromise has occurred, the user is required to lock their account and notify the
     Regulatory Authority.
     Systems Using a Similar Approach:
        •  Delaware DNREC ORS
        •  Indiana IDEM eAuth
        •  OK DEQ EDRS
        •  Texas NetDMR
        •  Texas STEERS
        •  EPA NetDMR
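As an added illustration (not code from CDX, NetDMR, or any other system listed in this document), the following Python script replays a constructed audit log and applies the detection rules described in Examples 1 and 2 above: the CDX lock-out after three successive failed logins, and the NetDMR checks for use of multiple IP addresses, overlapping logins from different addresses, and an irregular submission pattern such as one DMR a month followed by 50 in one month. The log format, the 30-minute session window, and the factor of five used for the submission spike check are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def sample_log():
    """Constructed audit log (not a real NetDMR or CDX format): (user, kind, ip, when)."""
    log = []
    # plant_a: one DMR a month for six months, then 50 in one month from a new address
    for m in range(1, 7):
        log.append(("plant_a", "login_ok", "203.0.113.5", datetime(2008, m, 15, 9)))
        log.append(("plant_a", "submit", "203.0.113.5", datetime(2008, m, 15, 9, 5)))
    log.append(("plant_a", "login_ok", "198.51.100.9", datetime(2008, 7, 2, 3)))
    log += [("plant_a", "submit", "198.51.100.9", datetime(2008, 7, 2, 3, i)) for i in range(50)]
    # plant_b: a second login from another address two minutes into a live session
    log.append(("plant_b", "login_ok", "203.0.113.7", datetime(2008, 7, 1, 10)))
    log.append(("plant_b", "login_ok", "198.51.100.2", datetime(2008, 7, 1, 10, 2)))
    # plant_c: three successive failed logins, the CDX lock-out threshold
    log += [("plant_c", "login_fail", "203.0.113.8", datetime(2008, 7, 1, 11, i)) for i in range(3)]
    return log


def analyze(log, session=timedelta(minutes=30), spike=5.0):
    """Replay the log in time order and return the flags raised for each user ID.
    session: how long a login is treated as live; spike: multiple of the prior
    monthly average above which a month's submissions count as irregular."""
    flags = defaultdict(set)
    fails, last, ips = defaultdict(int), {}, defaultdict(set)
    months = defaultdict(lambda: defaultdict(int))  # user -> "YYYY-MM" -> submissions
    for user, kind, ip, when in sorted(log, key=lambda e: e[3]):
        if kind == "login_fail":
            fails[user] += 1
            if fails[user] >= 3:
                flags[user].add("locked_out")  # CDX: lock the account, notify out of band
        elif kind == "login_ok":
            fails[user] = 0
            prev_ip, prev_at = last.get(user, (None, None))
            if prev_ip and prev_ip != ip and when - prev_at < session:
                flags[user].add("overlapping_logins")  # NetDMR: prior session invalidated
            ips[user].add(ip)
            if len(ips[user]) > 1:
                flags[user].add("multiple_ips")
            last[user] = (ip, when)
        elif kind == "submit":
            months[user][when.strftime("%Y-%m")] += 1
    for user, per_month in months.items():
        counts = [per_month[m] for m in sorted(per_month)]
        # latest month against the average of at least three earlier months
        if len(counts) >= 4 and counts[-1] > spike * sum(counts[:-1]) / len(counts[:-1]):
            flags[user].add("submission_spike")
    return {user: sorted(f) for user, f in flags.items()}
```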
12. (Item 19: Timely availability of copy of record (COR) as needed) - 40 CFR § 3.2000(b)(1)-(2)
     Common Issues/Deficiencies: No description of how long it takes to retrieve a copy of
     record for program or enforcement staff. Some applications provided this information for
     the period when the COR was in short-term storage, but did not provide it for the period
     after it was moved to long-term storage.

     Agency staff must be able to access CORs quickly enough to meet program and
     enforcement needs.

     Examples of Effective Approaches:

     Example approach used by the EPA NetDMR system:

     NetDMR generates the COR during the submission process. The COR is available for
     review using NetDMR by registrants with the authority to view CORs for the specified
     permit. Internal staff are also able to view CORs. NetDMR will allow users to search for
     CORs on various data fields (e.g., Submitter, Permit ID, Date Range). Further, users will
     be able to view the COR online and download the COR for offline review. The CORs will be
     searchable and viewable using NetDMR for the entire length of time for which they are
     maintained in NetDMR (the retention schedule is described in the NetDMR application
     under CROMERR Checklist Item 20).
     Systems Using a Similar Approach:
        •  Delaware DNREC ORS
        •  Indiana IDEM eAuth
        •  OK DEQ EDRS
        •  Texas NetDMR
        •  Texas STEERS
        •  EPA CDX
        •  EPA NetDMR
13. (Item 20: Maintenance of copy of record (COR)) - 40 CFR § 3.2000(b)(1)-(2)
     Common Issues/Deficiencies: No description of how the system prevents the
     alteration or deletion of CORs. Missing detail often includes:
        •   the electronic and physical security measures of the system to prevent
           unauthorized access to the system from outside, such as firewall, virus detection,
           intrusion detection, and access restrictions for the physical space where system
           components such as servers are housed;
        •   safeguards against alterations of CORs by system administrators.

     The system must be able to prevent CORs from being altered or deleted by external
     intruders or by system administrators. In addition to describing such measures in the
     checklist, including attachments such as a security plan, description of safeguards, rules
     of behavior for system administrator, and other information can often help to satisfy the
     requirements of Item 20.
     Example 1 of Effective Approaches:

     Example approach to electronic measures to prevent unauthorized access used by the
     Texas STEERS system (this information was provided in supporting documentation for the
     Texas STEERS CROMERR checklist):

     The WWW6 ColdFusion servers exist between two firewalls. This area is referred to as the
     'DMZ.' The 'external' firewall intercepts all requests from the internet and redirects them
     to the appropriate server. The 'internal' firewall accepts requests through the default
     Oracle identification port (1521) from the ColdFusion IP addresses.

Systems Using a Similar Approach:
   •  Indiana IDEM eAuth
   •  Texas STEERS
Example 2 of Effective Approaches:

Example approach to physical security from an attachment to the EPA NetDMR
application:

Physical and environmental controls for the CDX Production environment are provided,
reviewed, and maintained by the NCC located in RTP, NC in accordance with Agency
Network Security Policy; OTOP 200.05; NCC Access Security Procedure; Computer
Operations Security Data Center Sign-in Procedure; NCC Physical Security Plan;
OARM/RTP Card Access Authorization and Usage Records; and the Draft EPA Qualitative
Physical Security Risk Assessment for RTP Campus Draft March 2002. The controls include
physical access authorization and control, monitoring physical access, visitor control, and
access logs. For specific procedures see referenced documents.
Systems Using a Similar Approach:
   •  Delaware DNREC ORS
   •  Texas NetDMR
   •  Indiana IDEM eAuth
   •  EPA NetDMR
   •  North Dakota ERIS
Example 3 of Effective Approaches:

Example approach to safeguards against alterations by system administrators used by the
EPA CDX system:

In order to prevent unauthorized access to the system or its data by operating personnel,
CDX is operated according to the policies defined in the CDX Separation of Duties Guide.
This document identifies the access controls, authorized actions, and minimal personnel
security checks required for each defined operations role. All CDX personnel with access
privileges to the production environment are required to have at least a Minimum
Background Investigation (MBI) clearance check.

After a COR is created, CDX computes a SHA-1 hash value of all COR components. This
hash value is then signed using a CDX server private certificate, and the signature value
(and information regarding it) is saved within the database and written to the CDX audit
logs. Once per day the CDX system copies these log files to a separate server and applies
a separate signature to prevent/identify tampering with log file content. This process
provides an additional independent means of validating the integrity of COR content as
maintained on the database servers. CDX also makes use of standard database vendor
audit tracking functions for all COR database tables, thereby recording any access to (or
modification of) this information by an authorized or unauthorized user.
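As an added illustration (not CDX code), the following Python script works through the integrity chain described above: a digest over all COR components computed in a canonical, length-prefixed order, an integrity record sealed under the database server's key and written to the audit log, and a daily copy of the log sealed separately under the log server's key, so that a change to a COR component or to a log line is detected on verification. Because the standard library offers no asymmetric signing, a keyed HMAC stands in for the server-certificate signature; the keys, component names, and sample COR are constructed for the example, and the hash algorithm is a parameter, with the document's SHA-1 as the default and SHA-256 as the choice current practice would make.

```python
import hashlib
import hmac

# Constructed COR components (not CDX data): component name -> stored bytes.
SAMPLE_COR = {
    "document": b"<DMR permit='PLACEHOLDER-PERMIT' period='2008-06'>3.2 mg/L</DMR>",
    "submitter_signature": b"constructed-submitter-signature-bytes",
    "metadata": b'{"submitter": "plant_a", "received": "2008-07-02T03:00"}',
}
# Constructed keys; a keyed HMAC stands in for the CDX server-certificate signature.
# The log server's key is deliberately separate from the database server's key.
SERVER_KEY = b"constructed-cor-sealing-key"
LOG_KEY = b"constructed-log-server-key"

def cor_digest(components, algo="sha1"):
    """Hash every COR component in canonical (sorted, length-prefixed) order.
    The document specifies SHA-1 (2009); pass algo="sha256" for current practice."""
    h = hashlib.new(algo)
    for name in sorted(components):
        data = components[name]
        h.update(f"{name}:{len(data)}:".encode())  # prefix fixes component boundaries
        h.update(data)
    return h.hexdigest()

def seal(message, key):
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def record_cor(cor_id, components, algo="sha1"):
    """Integrity record saved in the database and written to the audit log."""
    digest = cor_digest(components, algo)
    return {"cor_id": cor_id, "algo": algo, "digest": digest,
            "seal": seal(f"{cor_id}|{algo}|{digest}".encode(), SERVER_KEY)}

def verify_cor(components, record):
    """Check the seal, then recompute the digest from the stored components."""
    expected = seal(f"{record['cor_id']}|{record['algo']}|{record['digest']}".encode(), SERVER_KEY)
    return (hmac.compare_digest(expected, record["seal"])
            and cor_digest(components, record["algo"]) == record["digest"])

def audit_line(record):
    return "|".join(record[k] for k in ("cor_id", "algo", "digest", "seal"))

def seal_daily_log(lines):
    """The daily copy of the audit log gets its own seal under the log server's key."""
    return seal("\n".join(lines).encode(), LOG_KEY)

def verify_daily_log(lines, log_seal):
    return hmac.compare_digest(seal_daily_log(lines), log_seal)
```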

     Systems Using a Similar Approach:
        •  Delaware DNREC ORS
        •  Indiana IDEM eAuth
        •  North Dakota ERIS
        •  OK DEQ EDRS
        •  Texas NetDMR
        •  Texas STEERS
        •  EPA CDX
        •  EPA NetDMR
        •  EPA SDWIS
14. (Item 20: Maintenance of copy of record (COR)) - 40 CFR § 3.2000(b)(1)-(2)
     Common Issues/Deficiencies: Incomplete description of how CORs were protected
     through file backups. Missing detail often includes:
        •  how frequently files are backed up;
        •  what files are backed up;
        •  whether backups are stored on-site or off-site;
        •  provisions for disaster recovery.

     Systems must have procedures to back up COR files and ensure that backups are safely
     maintained and can restore CORs in case of a system disaster. In addition to
     describing such measures in the checklist, including attachments such as a backup plan,
     document retention schedule, disaster recovery plan, continuity of operations plan, and
     other information can often help to satisfy the requirements of Item 20.
     Examples of Effective Approaches:

     Example approach used by the OK DEQ EDRS system:

     Submitted documents will be stored in human-readable format along with the digital
     signature(s) as copies of record in Edoctus. These documents will be protected from edits
     and preserved in exactly the form in which they were submitted. Read-only access to the
     documents will be available to authorized agency personnel and to the submitter for
     review. Documents will be preserved indefinitely in the document management system.

     All data at DEQ, including the data stored within Edoctus, are backed up on a nightly
     basis. These backups are also stored off-site, and DEQ will soon implement an advanced
     off-site SAN-to-SAN backup solution. DEQ is required to file an annual disaster recovery
     plan, which includes substantial provisions for recovery of data and resumption of
     operations in the event of a disaster.
     Systems Using a Similar Approach:
        •  Indiana IDEM eAuth
        •  OK DEQ EDRS
        •  EPA CDX
