OFFICE OF
ENVIRONMENTAL
INFORMATION
February 2009
CROMERR
Effective Approaches: Application Challenges/Solutions
This document presents 17 common challenges identified in CROMERR applications received by
EPA through January 2009. For each challenge, it presents the CROMERR issue or deficiency,
examples of effective approaches to resolving them, and the EPA-approved systems that use
these effective approaches. This document should be used by state and local environmental
agency officials and system managers to help them in planning systems that are CROMERR
compliant, preparing CROMERR applications, and, for submitted applications, responding to
notices from EPA of issues and deficiencies.
The application challenges discussed include general application issues, such as missing
information from the CROMERR application cover sheet, and issues associated with specific
CROMERR checklist items, such as not documenting transmission errors under Item 8 of the
CROMERR checklist. General challenges are discussed first, followed by challenges specific to
CROMERR checklist items.
Approved CROMERR applications are available at EPA's CROMERR web site for approved
CROMERR applications. The CROMERR application cover sheet and checklist template are
available at EPA's CROMERR Tools web site.
The examples of effective approaches provided do not include all possible effective approaches.
In addition, the examples may include system-specific details that may not be shared by all
systems identified as using a similar approach. Some of the language in the examples has been
summarized and edited for brevity and clarity. The examples provided are focused on the issues
and deficiencies identified. They do not necessarily represent a complete answer for the
CROMERR checklist items listed.
Common Application Challenges: General Application Issues
General Application Challenges/Solutions
1. Listing of Authorized Programs - 40 CFR § 3.1000
Common Issues/Deficiencies: The application does not identify the authorized state
program to be amended or revised to allow e-reporting.
The state must identify the authorized program to be amended or revised. The authorized
program must be identified in the Federal Register Notice announcing approval of the
program revisions. If the applicable program is not accurately identified in the Federal
Register Notice, then the revisions will not be approved for the correct program.
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
Example of Effective Approaches:
Applicants should clearly identify the state program to be amended or revised, such as
RCRA, CWA, CAA, or other program designation. This is most commonly done on the
application cover sheet. For applications that cover multiple reports under different
authorized programs, the state should be sure that the indicated applicable programs
cover all of the reports. For example, the application cover sheet for the Oklahoma
Department of Environmental Quality Electronic Document Receiving System ("OK DEQ
EDRS") indicates the name of the state program as RCRA in the name of Report 1 for their
system as follows: "Report 1: *Regulated Waste Activity Notification (RCRA)."
Systems Using a Similar Approach:
Delaware DNREC
ORS
Indiana IDEM eAuth
North Dakota ERIS
OK DEQ EDRS
Texas NetDMR
Texas STEERS
2. Identification of Each Report by CFR Citation - 40 CFR § 3.1000
Common Issues/Deficiencies: The application does not identify the CFR citation for
each report received by the system or it does not identify them correctly. The state must
identify the correct CFR citation for each electronic report received by the system. For
priority reports, the correct CFR citations are identified in 40 CFR § 3.2000 Appendix 1
Part 3. The CFR citations will be listed in the Federal Register Notice announcing approval
of the program revisions. If the CFR citations are incorrect, the program revisions will not
be approved. Applications may also include planned future reports. By including planned
future reports, if they are approved, the submitter can avoid the need to amend their
application or submit a new application when their systems begin accepting them.
Examples of Effective Approaches: Applicants should clearly identify the correct
Federal Register citation for each report received. This is most commonly done on the
application cover sheet. For example, the cover sheet for the OK DEQ EDRS application
indicates that the citation for their "Regulated Waste Activity Notification (RCRA)" report is
40 CFR Part 261.
Systems Using a Similar Approach:
Delaware DNREC OK DEQ EDRS
ORS Texas NetDMR
Indiana IDEM eAuth Texas STEERS
North Dakota ERIS
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
3. Attorney General Certification Statement - 40 CFR § 3.1000(b)(l)(i)
Common Issues/Deficiencies: The application does not include a certification of
sufficient legal authority to implement electronic reporting signed by the State Attorney
General or a designee. The State Attorney General or a designee must certify that the
state has sufficient legal authority to implement electronic reporting before the application
can be approved.
Examples of Effective Approaches: An example of a signed certification is available in
the approved OK DEQ EDRS application. It can be found at:
http://epa.QOv/cromerr/Oklahoma%20Application%20Docs/Attachl2%20Attornev%20
Statement.doc
Systems Using a Similar Approach:
Delaware DNREC
ORS
Indiana IDEM eAuth
North Dakota ERIS
OK DEQ EDRS
Texas NetDMR
Texas STEERS
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
Common Application Challenges: Issues Associated with CROMERR Checklist Items
Common Checklist Challenges/Solutions
1. (Item 1: Identity-proofing of registrant) (e-signature cases only) - 40 CFR §
3.2000(b)(5)(vii)(C)
Common Issues/Deficiencies: No description of business processes for storing paper
signature agreements (subscriber agreements).
Systems using the subscriber agreement alternative must store the agreements so they
are protected from alteration and destruction for as long as there may be any
enforcement interest in the signatures executed with the associated electronic signature
device. Note that this item must be addressed only for reports that require an electronic
signature, including priority reports, where the system requires a paper electronic
signature agreement to be signed by users. This is most commonly used by systems
using CROMERR checklist item l.b.alt.
Examples of Effective Approaches:
Example approach used by the Indiana IDEM eAuth system (this information was
provided under Item 2 and supporting documentation from the Indiana IDEM eAuth
CROMERR Checklist):
The eA-AppAdmin ensures the signature agreement, the Sponsor Letter, and identity-
proofing procedure documentation (if appropriate) are stored in a paper-based filing
system until such time as all documents are scanned and the images stored in IDEM's
Virtual File Cabinet (VFC) document management system. The VFC will rely on the FileNet
document management software to provide the foundation functionality for capture,
storage, and access to the documents. The VFC capture application, web application, and
web portal will access the FileNet repository through the use of FileNet user accounts
which have been set up with the necessary access controls to ensure secure input and
retrieval of documents within the VFC. The quality assurance process for capture of
documentation by the VFC will be accomplished through the implementation of thorough
operational procedures implemented by IDEM staff. In addition, the VFC application
contains several safeguards to allow for the assurance of quality and accuracy during the
capture process. The signature agreement, Sponsor Letter, and identity-proofing
procedure documentation shall be retained for a period of 5 years after being notified of
the applicant's departure from his/her sponsoring organization by a company official.
Systems Using a Similar Approach:
Indiana IDEM eAuth
OK DEQ EDRS
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
Example 2 of Effective Approaches:
Example approach used by the EPA NetDMR system (this information was provided under
Item 1 and supporting documentation for the EPA NetDMR CROMERR Checklist):
Paper copies of the NPDES permit with signature are received by the Regional Office
responsible for permitting and will remain on file along with any delegation of authority as
required by 40 CFR 122.22. EPA Regions with primacy for administering the NPDES
program using NetDMR will also receive signed subscriber agreements from individuals
requesting the ability to sign DMRs electronically for particular permits. Upon receipt of
the subscriber agreement, the Regional Office will verify the permit limits and the
signatures on the subscriber agreement through direct contact with the facility. The
Regional Office will verify that the "Cognizant Official" is in the ICIS-NPDES database for
every facility the user includes in the subscriber agreement and that has been verified by
the Region. The Regional Office will retain a paper copy of the subscriber agreement on
file according to item #lb-alt. Upon verification, the Regional Office will assign the
appropriate level of access in NetDMR.
Systems Using a Similar Approach:
Delaware DNREC
ORS
Texas NetDMR
EPA CDX
EPA NetDMR
2. (Item 2: Determination of registrant's signing authority) (e-signature cases only)
- 40 CFR § 3.2000(b)(5)(vii)
Common Issues/Deficiencies: Incomplete description of processes for determining a
registrant's signing authority. Missing detail often includes:
how the signing authority of registrants was verified;
where multiple verification methods are described, specification of which users are
subject to verification and which methods of verification are used.
There must be a specifiable process for verifying a registrant's signing authority. Note
that this item must be addressed only for reports that require an electronic signature,
including priority reports.
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
Examples of Effective Approaches:
Example approach used by the Texas NetDMR system:
TCEQ staff will use due diligence when processing signed Subscriber Agreements. TCEQ
will, to the best of its ability, validate the information provided to assure accuracy and
that it is appropriate for the requestor to be granted signatory authority for the specified
permits. If needed, they will contact the facility to address the matter or may compare
the authority stated on the agreement with previously emailed hard-copy reports. Once
this review is complete, the TCEQ will assign the user's account the appropriate NetDMR
signatory permission. Furthermore, periodic inspections by TCEQ field staff may include
validation of the authorized facility representative who signed the subscriber agreement
to evaluate compliance with signatory authority requirements. If circumstances indicate a
claimed authority may not be appropriate, this will trigger an administrative review.
Systems Using a Similar Approach:
Delaware DNREC
ORS
Indiana IDEM eAuth
OK DEQ EDRS
Texas NetDMR
Texas STEERS
EPA CDX
EPA NetDMR
3. (Item 3: Issuance (or registration) of a signing credential in a way that protects it
from compromise) (e-signature cases only) - 40 CFR § 3.2000(b)(5)(i)
Common Issues/Deficiencies: Incomplete description of security for signature devices
such as passwords stored on their systems. Missing detail often includes:
where the devices are stored;
who has access to them;
how they are protected from being altered or deleted;
whether they are encrypted (or hashed);
if encrypted, what encryption techniques are used and how the encryption keys
are protected.
Signature devices must be stored on the system so that they are protected from
compromise, tampering, and deletion. Note that this item must be addressed only for
reports that require an electronic signature, including priority reports.
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
Example 1 of Effective Approaches:
Example approach using a public key infrastructure (PKI) certificate used by the OK DEQ
EDRS system:
The private key generated by the DEQ Certificate Authority Server (Microsoft Certificate
Server) is required to utilize the certificate to sign a document. The private key is
encrypted by the certificate authority server when it is generated, using industry standard
PKCS methodology (128-bit RSA). When signatories wish to utilize the certificate to sign a
document, they will be prompted for the password needed to decrypt the private key for
use. Certificates issued by DEQ will not be usable with any software package that does
not support private key passwords, as those packages will not be able to decrypt the key
for use. This provides an added layer of security for the digital signature certificate by
requiring both a valid private key and a password to decrypt that private key prior to use.
As an additional layer of protection, users must select and answer 5 knowledge-based
questions from a list of 20. Each question and answer pair will be combined into a hash
and stored on the server. Without the appropriate question and answer combination, the
hash cannot be recreated, and authentication will fail. DEQ stores only the question
selected and a hash of the question and answer combination. The SHA-256 algorithm will
be used to generate the stored hash.
To obtain a certificate, users must submit a wet-ink signed Electronic Signature
Agreement (ESA) form to DEQ. If the ESA is approved, DEQ will notify the applicant via
email that the request has been approved and that the certificate package is available for
download. To obtain the certificate, the user must click the hyperlink to the SSL-secured
ERS portal that is provided in the email. Then, the user must log onto the ERS portal
using the strong password provided at the time of request, and correctly answer two
randomly selected (using the millisecond as the seed of the random function) out of the
five questions. Note that to obtain the certificate, the requestor must log in using the
hyperlink provided in the notification email, as this hyperlink contains a 32-character
unique identifier (System Generated GUID) download key used to obtain the certificate.
The hyperlink takes the user to the portal login page and provides the server with
redirection information (download key) to be used to access the certificate. The certificate
package will then be available for download. Once the certificate is obtained, users must
provide their private key password each time they wish to sign a document.
Systems Using a Similar Approach:
» OK DEQ EDRS
EPA CDX
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
Example 2 of Effective Approaches:
Example approach using PIN/'password used by the Indiana IDEM eAuth system:
The eAuth system supports e-signature credentials for use via the real-time input and
validation of a user's eAuth Enabled Application (eA-EApp) identity credential. User access
and information exchanged with the eAuth system and all eA-EApp's is performed over
Secure Socket Layer (SSL) connections. Negotiation of the version of SSL used for secure
sessions is controlled through server configuration files. At registration, users specify
their selection of an eAuth/eA-EApp user ID and password. The eAuth/eA-EApp user ID is
automatically entered on the signature agreement submitted by the user. Users must
select a password that will not be easily guessed (e.g., names, children's names,
birthdays), and passwords must be at least eight characters long and contain a mix of
numbers and upper/lower-case letters. Compliance with this guideline is automatically
enforced by the eAuth system. Users must adhere and must explicitly acknowledge
adherence to strict policies governing access to an eA-EApp, including policies for
password protection and reporting account compromise. Users must also select and
answer 5 knowledge-based questions from a list of 20.
User IDs are stored in the eA-EApp registration/security database, and passwords are
securely stored by applying a one-way hash (SHA-256) to the password, and storing the
resulting Hex value, as well as a creation date timestamp, in the registration/security
database. Upon subsequent logins, user authentication is accomplished through a
comparison of the one-way hash value of the session-specific user-supplied password
with the hash value of the most recently established password. To independently secure
each knowledge-based answer, the system concatenates the user ID, question number
and user-supplied answer, hashes (SHA-256) the concatenated value, and stores the Hex
value of the resulting hash, as well as a creation date timestamp, in the
registration/security database. Use of the eAuth/eA-EApp User ID in the hash
computation ensures that the supplied answers are tied to a particular eAuth/eA-EApp
account.
Users must answer a secret question to access their account profile. All user changes to
an account profile for a facility immediately disable access to that facility. The eA-
AppAdmin is notified via system function(s) of the change. The account owner is also
notified, via email, of all account profile changes. Thus the original owner of the
registered email address will continue to receive account profile modification notifications,
even in the event the account is compromised. The account owner must undergo another
round of identity-proofing before the eA-AppAdmin will reactivate the account. A change
to the user's registered email is handled as a special case. The new email address is not
used for notifications (i.e. the vetted email continues to be the email address utilized for
user notifications), until the eA-AppAdmin completes the new identity-proofing and re-
enables the user's account. At that time, the new email address becomes the email of
record.
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
Systems Using a Similar Approach:
Delaware DNREC Texas STEERS
ORS
Indiana IDEM eAuth
Texas NetDMR
EPA CDX
EPA NetDMR
4. (Item 3: Issuance (or registration) of a signing credential in a way that protects it
from compromise) (e-signature cases only) - 40 CFR § 3.2000(b)(5)(i)
Common Issues/Deficiencies: No description of requirements for password or PIN
strength when this is being used as the signature device, orif requirements are
describedno description of how system enforces those requirements.
System must enforce requirements for PIN/password strength where this is being used as
the signature device. Note that this item must be addressed only for reports that require
an electronic signature, including priority reports, where the system requires a paper
electronic signature agreement to be signed by users.
Examples of Effective Approaches:
Example approach used by the OK DEQ EDRS system:
The password must be a strong password, at least 8 characters long and containing at
least 3 of the following four types of characters: upper case, lower case, numbers, and
punctuation. This password is created and validated for acceptability during the
completion of the Electronic Signature Agreement Application online.
Systems Using a Similar Approach:
Delaware DNREC
ORS
Indiana IDEM eAuth
» OK DEQ EDRS
Texas NetDMR
Texas STEERS
EPA CDX
EPA NetDMR
5. (Item 5: Binding of signatures to document content) (e-signature cases only) - 40
CFR§ 3.2000(b)(5)(ii)
Common Issues/Deficiencies: No identification of encryption algorithms, where
encryption was used to bind electronic signatures to submissions.
Electronic signatures must be bound to content of submissions, so that content cannot
change without detection after the signature is executed. Note that this item must be
addressed only for reports that require an electronic signature, including priority reports.
Examples of Effective Approaches:
Example approach used by the OK DEQ EDRS system:
The digital signatures are created by the Windows Certificate Services server using 1024-
bit encryption and the RSA algorithm.
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
Systems Using a Similar Approach:
Delaware DNREC Texas NetDMR EPA NetDMR
ORS Texas STEERS
Indiana IDEM eAuth EPA CDX
» OK DEQ EDRS
6. (Item 8: Transmission error checking and documentation) - 40 CFR §
3.2000(b)(l)-(2)
Common Issues/Deficiencies: No description of system functions or business practices
for:
documenting transmission errors;
notifying users or system administrators if transmission errors occur.
The system must document any transmission errors, and have a process to address the
errors.
Examples of Effective Approaches:
Example approach used by the OK DEQ EDRS system:
Oklahoma DEQ will rely on the standard TCP/IP over Ethernet technologies, which the
internet currently uses as the transfer mode for all data. In the event of a transmission
error on a digitally signed document, the document content would change, which in turn
would change the hash value, thereby invalidating the digital signature and the
document. Further, all interaction with the ERS portal, from initial application for a
certificate and upload account through submission and review of documents, is secured
via SSL (v3.0). For any document submitted, regardless of the presence of a digital
signature, the SSL underlying protocol stack would detect changes between the
communication end points, perceive those changes as corruptions and invalidate the
document (changes in the encrypted document will cause decryption to fail). Any
transmission errors will invalidate the signed document, and will cause SSL protocol to
fail, thereby causing the receiving process to fail. ERS itself does not receive invalid
transmissions, as these are prevented by the underlying PKI infrastructure. Transmission
errors and changes in transmissions are handled by the protocol stack on the server, and
invalid uploads and transmissions are therefore not received by the ERS portal. The
protocol failure itself is logged in the web server logs on the host server.
Documents that were originally sent by DEQ but no longer have the DEQ signature are
treated as invalid and changed, and therefore are rejected. In addition, documents
without a valid signature from an accepted signatory are treated as invalid and rejected.
Finally, if the signature on the document does not match the user currently logged onto
the ERS portal, the document is treated as invalid and rejected. An email detailing the
reason for rejection is sent to both the submitter and the ERS Administrator. A record of
the invalid submission attempt is created and stored in Edoctus. In cases where an invalid
document is received, that document is stored as part of the invalid submission record. A
failure message will then be presented to the submitter indicating they must resubmit.
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
Systems Using a Similar Approach:
Indiana IDEM eAuth Texas NetDMR
EPA NetDMR
North Dakota ERIS
OK DEQ EDRS
Texas STEERS
EPA CDX
7. (Item 8: Transmission error checking and documentation) - 40 CFR §
3.2000(b)(l)-(2)
Common Issues/Deficiencies: No description of system provisions for transmission
error prevention and detection, such as Secure Socket Layer (SSL). The system must be
able to detect transmission errors.
Examples of Effective Approaches:
Example approach used by the EPA CDX system:
CDX uses only SSL-secured HTTP sessions (HTTPS) for conducting business transactions.
CDX supports SSL v3.0, 128 bits and TLS vl.O 256 bits. These protocols provide for
encrypted application messages to be exchanged between client and server. As every
data record must be successfully decrypted on the server using the negotiated key in
order for the connection to remain viable, the integrity of the received data record is
ensured. If data is found to be corrupted during transmission (i.e., the server decryption
fails) the protocol automatically retransmits.
Systems Using a Similar Approach:
Delaware DNREC OK DEQ EDRS
ORS
Indiana IDEM eAuth
North Dakota ERIS
Texas NetDMR
Texas STEERS
EPA CDX
EPA NetDMR
EPA SDWIS
8. (Items 10 and 11: Procedures to address submitter/signatory repudiation of a
copy of record (COR) and procedures to flag accidental submissions) - 40 CFR §
3.2000(b)(l)-(3)
Common Issues/Deficiencies: Incomplete description of how system handles
submitter/signer repudiation, including cases where submittal is claimed to be accidental.
Missing detail often includes:
how users can repudiate a COR or report an accidental submission;
how system administrators determine whether to designate a report as repudiated
or accidental;
how users can update their submission or submit a revised report.
Where submission corrections or complete resubmissions are allowed, the system must
ensure that the original COR is saved or that an adequate log is kept of any changes
made.
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
Examples of Effective Approaches:
Example approach used by the OK DEQ EDRS system:
For documents requiring electronic signature, the signatory or another verified
representative of the regulated entity may request repudiation after sending the signed
submission. Users can request the repudiation online by selecting it from the list of
submitted documents and clicking a "request repudiation" button or by contacting the
ERS Administrator via phone or email. The ERS Administrator will notify the appropriate
person in the division concerned for approval. If the division approves repudiation of the
document, the ERS Administrator will mark the document as "Cancelled." Once a
document has been marked as repudiated, the original submitter will receive an
automated confirmation email from ERS. The submitter can then resubmit the document.
Systems Using a Similar Approach:
Delaware DNREC OK DEQ EDRS
ORS
Indiana IDEM eAuth
North Dakota ERIS
Texas NetDMR
Texas STEERS
EPA CDX
EPA NetDMR
9. (Item 12: Automatic acknowledgment of submission) (e-signature cases only) -
40 CFR § 3.2000(b)(5)(vi)
Common Issues/Deficiencies: No description of procedures to prevent fraudulent
changes to the e-mail address for automatic acknowledgments of submission. Missing
detail often includes:
how the e-mail addresses are established and changed;
whether an e-mail address could be changed in the same user session in which
data was submitted.
The system must have procedures to ensure that the e-mail address actually belongs to
the registrant who is supposed to be receiving the acknowledgments. Allowing a user to
change his/her email address in the same session in which data is submitted may allow
fraudulent address changes.
Note that this item must be addressed only for reports that require an electronic
signature, including priority reports.
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
Example 1 of Effective Approaches:
Example approach used by the OK DEQ EDRS system (this information was provided
under Items 1 and 9 of the OK DEQ EDRS CROMERR Checklist, and not under Item 12):
Registrants will be directed to DEQ's CROMERR registration web site, ERS, where they will
supply valid e-mail addresses for both the submitter and company official, as well as
other demographic information required by DEQ's Electronic Signature Agreement. For
documents requiring electronic signature, the email address associated with the ESA will
be used to provide notification of document submission and availability for review. In the
event that a notification e-mail message is undeliverable, the email server will register
this event. The ERS Administrator will regularly check the ERS mailbox and respond to
undelivered messages by attempting to obtain a valid email address by contacting the
signatory or the company official authorizing the signatory over the phone. If the email
address has changed since the certificate was issued, the submitter has to go through the
process of registration. This procedure is also used when the submitter requests a change
of email address.
Systems Using a Similar Approach:
OK DEQ EDRS
EPA CDX
Example 2 of Effective Approaches:
Example approach used by the Indiana IDEM eAuth system (this information was
provided under Items 1 and 3 of the Indiana IDEM eAuth CROMERR Checklist, and not
under Item 12):
The applicant will complete portions of the signature agreement in an online eAuth
Enabled Application (eA-EApp) registration form specifically tied to each eA-EApp. This
form requires an email address entry, among other information. All user changes to an
account profile for a facility immediately disable access to that facility. The eA-AppAdmin
is notified via system function(s) of the change. The account owner is also notified, via
email, of all account profile changes. Thus, the original owner of the registered email
address will continue to receive account profile modification notifications, even in the
event the account is compromised. The account owner must undergo another round of
identity-proofing before the eA-AppAdmin will reactivate the account. A change to a
user's registered email is handled as a special case. The new email address is not used
for notifications (i.e., the vetted email continues to be the email address utilized for user
notifications), until the eA-AppAdmin completes the new identity-proofing and re-enables
the user's account. At that time, the new email address becomes the email of record.
Systems Using This Approach:
Indiana IDEM eAuth
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
10. (Item 12: Automatic acknowledgment of submission) (e-signature cases only) -
40 CFR § 3.2000(b)(5)(vi)
Common Issues/Deficiencies: No description of how system maintains records of the
automated e-mail acknowledgements of submission to demonstrate that the notifications
have been sent. The system needs to maintain a record of the automated e-mail
acknowledgements of submission. Note that this item must be addressed only for reports
that require an electronic signature, including priority reports.
Example 1 of Effective Approaches:
Example approach used by the OK DEQ EDRS system:
Edoctus captures and stores all emails (i.e., the date and time, address to which the
email is sent, and the email contents). These emails are stored for the length of time
required for retention of such records as set by the Oklahoma Department of Libraries, or
the length of time required by rule, whichever is greater.
Systems Using This Approach:
OK DEQ EDRS
Example 2 of Effective Approaches:
Example approach used by the Indiana IDEM eAuth system:
All email notifications are logged in eAuth system components. At a minimum, the
following information is logged:
1. eA-EApp system
2. Submission document type
3. User ID
4. Timestamp
5. Document ID
6. Sender email address
7. Recipient email address
8. Email body text content
Systems Using a Similar Approach:
Delaware DNREC
ORS
Indiana IDEM eAuth
Texas NetDMR
Texas STEERS
EPA NetDMR
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
11. (Item 15. Procedures to flag spurious credential use) (e-signature cases only) -
40 CFR § 3.2000(b)(5)(i)
Common Issues/Deficiencies: Incomplete description of processes for detecting and
investigating signs of spurious credential use. Where applicants stated that they would
review records or logs, missing detail often includes:
what they would review;
how often;
what signs they would look for;
the procedures to be used if suspicious activity is identified.
The system must provide a process for detecting spurious credential use. Note that this
item must be addressed only for reports that require an electronic signature, including
priority reports.
Example 1 of Effective Approaches:
Example approach used by the EPA CDX system:
Three successive login failures will result in an account lock-out condition, which will
automatically result in an out-of-band e-mail being sent to the registered email address
for that User ID and a message will be placed into that user's MyCDX in-box. The
message indicates that the locked-out user must contact the CDX Help Desk and provide
identity-proofing information in order for the CDX Help Desk to re-enable the user
account. For CDX PKI Enabled Applications, if the associated CDX User ID does not
match the CDX User ID associated with the X.509 certificate, CDX will reject the user's
attempt to use the certificate in the signing process. This condition is also noted in the
CDX audit logs. The CDX security engineers perform a weekly review of all security-
related log files on the system (audit logs, CAM logs, etc.) and follow a documented
security incident response procedure when any suspicious activities are noted, such as
multiple failed login attempts, certificate validation failures, etc. This response procedure
ensures that both CDX and Program Office authorities are notified in the event of a
security issue.
Systems Using This Approach:
EPA CDX
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
Example 2 of Effective Approaches:
Example approach used by the EPA NetDMR system:
NetDMR includes functions that allow NetDMR Administrators to detect compromises. For
example, each time a user logs in, the IP and date/time of the login is stored.
Inconsistencies in the logins, such as different IP addresses, may indicate a compromised
password. Additionally, NetDMR will only allow a user to maintain a single concurrent
NetDMR session. If the user is already logged in, the previous login will be invalidated.
Frequent, overlapping login attempts may indicate a compromised password. NetDMR will
include fraud analysis functionality, in which the logs are periodically analyzed for
irregularities. Irregularities will be flagged for NetDMR Administrators to investigate and
take further action, if appropriate. The irregularities NetDMR will flag include
inconsistencies in the logins, such as use of multiple IP addresses, frequent overlapping
login attempts from different IP addresses, and irregular submission patterns (e.g., a
user who has submitted a single DMR every month for the past 6 months, but then
submits 50 in one month). If it is determined that a compromise has occurred, the
affected account will be locked and the user will be contacted.
NetDMR also includes functions that allow NetDMR users to detect compromises. After
each DMR is submitted, the submitter is sent a confirmation email. Also, after logging in,
a list of the user's previous logins is displayed, including the date/time of the login and
whether a submission was made during that session. If it is determined that a
compromise has occurred, the user is required to lock their account and notify the
Regulatory Authority.
Systems Using a Similar Approach:
Delaware DNREC Texas NetDMR
ORS Texas STEERS
Indiana IDEM eAuth EPA NetDMR
» OK DEQ EDRS
12. (Item 19: Timely availability of copy of record (COR) as needed) - 40 CFR §
3.2000(b)(l)-(2)
Common Issues/Deficiencies: No description of how long it takes to retrieve a copy of
record for program or enforcement staff. Some applications provided this information for
the period when the COR was in short-term storage, but did not provide it for the period
after it was moved to long-term storage.
Agency staff must be able to access CORs quickly enough to meet program and
enforcement needs.
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
Examples of Effective Approaches:
Example approach used by the EPA NetDMR system:
NetDMR generates the COR during the submission process. The COR is available for
review using NetDMR by registrants with the authority to view CORs for the specified
permit. Internal staff are also able to view CORs. NetDMR will allow users to search for
CORs on various data fields (e.g., Submitter, Permit ID, Date Range). Further, users will
be able to view the COR online and download the COR for offline review. The CORs will be
searchable and viewable using NetDMR for the entire length of time for which they are
maintained in NetDMR (the retention schedule is described in the NetDMR application
under CROMERR Checklist Item 20).
Systems Using a Similar Approach:
Delaware DNREC Texas NetDMR
ORS Texas STEERS
Indiana IDEM eAuth
» OK DEQ EDRS
EPA CDX
EPA NetDMR
13. (Item 20: Maintenance of copy of record (COR)) - 40 CFR § 3.2000(b)(l)-(2)
Common Issues/Deficiencies: No description of how the system prevents the
alteration or deletion of CORs. Missing detail often includes:
the electronic and physical security measures of the system to prevent
unauthorized access to the system from outside, such as firewall, virus detection,
intrusion detection, and access restrictions for the physical space where system
components such as servers are housed;
safeguards against alterations of CORs by system administrators.
The system must be able to prevent CORs from being altered or deleted by external
intruders or by system administrators. In addition to describing such measures in the
checklist, including attachments such as a security plan, description of safeguards, rules
of behavior for system administrator, and other information can often help to satisfy the
requirements of Item 20.
Example 1 of Effective Approaches:
Example approach to electronic measures to prevent unauthorized access used by the
Texas STEERS system (this information was provided in supporting documentation for the
Texas STEERS CROMERR checklist):
The WWW6 ColdFusion servers exist between two firewalls. This area is referred to as the
'DMZ.' The 'external' firewall intercepts all requests from the internet and redirects them
to the appropriate server. The 'internal' firewall accepts requests through the default
Oracle identification port (1521) from the ColdFusion IP addresses.
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
Systems Using a Similar Approach:
Indiana IDEM eAuth Texas STEERS
Example 2 of Effective Approaches:
Example approach to physical security from an attachment to the EPA NetDMR
application:
Physical and environmental controls for the CDX Production environment are provided,
reviewed, and maintained by the NCC located in RTP, NC in accordance with Agency
Network Security Policy; OTOP 200.05; NCC Access Security Procedure; Computer
Operations Security Data Center Sign-in Procedure; NCC Physical Security Plan;
OARM/RTP Card Access Authorization and Usage Records; and the Draft EPA Qualitative
Physical Security Risk Assessment for RTP Campus Draft March 2002. The controls include
physical access authorization and control, monitoring physical access, visitor control, and
access logs. For specific procedures see referenced documents.
Systems Using a Similar Approach:
Delaware DNREC Indiana IDEM eAuth
ORS EPA NetDMR
Texas NetDMR
North Dakota ERIS
Example 3 of Effective Approaches:
Example approach to safeguards against alterations by system administrators used by the
EPA CDX system:
In order to prevent unauthorized access to the system or its data by operating personnel,
CDX is operated according to the policies defined in the CDX Separation of Duties Guide.
This document identifies the access controls, authorized actions, and minimal personnel
security checks required for each defined operations role. All CDX personnel with access
privileges to the production environment are required to have at least a Minimum
Background Investigation (MBI) clearance check.
After a COR is created, CDX computes a SHA-1 hash value of all COR components. This
hash value is then signed using a CDX server private certificate, and the signature value
(and information regarding it) is saved within the database and written to the CDX audit
logs. Once per day the CDX system copies these log files to a separate server and applies
a separate signature to prevent/identify tampering with log file content. This process
provides an additional independent means of validating the integrity of COR content as
maintained on the database servers. CDX also makes use of standard database vendor
audit tracking functions for all COR database tables, thereby recording any access to (or
modification of) this information by an authorized or unauthorized user.
-------�
QFFiCEOF
ENVIRONMENTAL
INFORMATION
Systems Using a Similar Approach:
Delaware DNREC
ORS
Indiana IDEM eAuth
North Dakota ERIS
OK DEQ EDRS
Texas NetDMR
Texas STEERS
EPA CDX
EPA NetDMR
EPA SDWIS
14. (Item 20: Maintenance of copy of record (COR)) - 40 CFR § 3.2000(b)(l)-(2)
Common Issues/Deficiencies: Incomplete description of how CORs were protected
through file backups. Missing detail often includes:
how frequently files are backed up;
what files are backed up;
whether backups are stored on-site or off-site;
provisions for disaster recovery.
Systems must have procedures to back up COR files and ensure that backups are safely
maintained and can restore CORs in case there is system disaster. In addition to
describing such measures in the checklist, including attachments such as a backup plan,
document retention schedule, disaster recovery plan, continuity of operations plan, and
other information can often help to satisfy the requirements of Item 20.
Examples of Effective Approaches:
Example approach used by the OK DEQ EDRS system:
Submitted documents will be stored in human-readable format along with the digital
signature(s) as copies of record in Edoctus. These documents will be protected from edits
and preserved in exactly the form in which they were submitted. Read-only access to the
documents will be available to authorized agency personnel and to the submitter for
review. Documents will be preserved indefinitely in the document management system.
All data at DEQ, including the data stored within Edoctus, are backed up on a nightly
basis. These backups are also stored off-site, and DEQ will soon implement an advanced
off-site SAN-to-SAN backup solution. DEQ is required to file an annual disaster recovery
plan, which includes substantial provisions for recovery of data and resumption of
operations in the event of a disaster.
Systems Using a Similar Approach:
Indiana IDEM eAuth
» OK DEQ EDRS
EPA CDX
-------� |