OFFICE OF ENVIRONMENTAL INFORMATION
February 2009

CROMERR Frequently Asked Questions - State, Tribe, and Local Government

I. SCOPE

Q1. What is CROMERR?

A1. CROMERR stands for the Cross-Media Electronic Reporting Regulation. It provides the legal framework for electronic reporting under Title 40 of the Code of Federal Regulations to EPA and to the state, tribe, and local governments (hereafter referred to simply as "authorized programs") that are authorized to administer federal programs. The regulation authorizes and facilitates electronic reporting for environmental programs while maintaining the level of corporate and individual responsibility and accountability that exists for paper submissions.

Q2. Does CROMERR require electronic reporting?

A2. No. CROMERR does not mandate that authorized programs institute electronic reporting or accept documents electronically. It also does not require that regulated entities use electronic reporting for reporting directly to EPA. However, CROMERR does not prohibit authorized programs from requiring electronic reporting if they otherwise possess the authority to mandate it.

Q3. Does CROMERR apply to all reporting that uses electronic media or related technology?

A3. No. CROMERR does not affect the submission of any electronic document via magnetic or optical media (e.g., diskette, compact disk, or tape) or via fax.

Q4. What regulatory programs are affected by CROMERR?

A4. CROMERR affects all regulatory programs that EPA implements under Title 40 of the Code of Federal Regulations (CFR), and all state, tribe, and local government programs authorized by EPA under Title 40 of the CFR.

Q5. How does CROMERR affect authorized programs?

A5. CROMERR affects authorized programs in a number of ways.
• It requires authorized programs to seek EPA approval of program modifications or revisions if they implement or wish to implement electronic reporting under their authorized programs.
• CROMERR sets requirements for electronic reporting under authorized programs, including standards for the systems that authorized programs use to receive electronic reports.
• It establishes a special, streamlined approval process for revisions or modifications to authorized programs related to electronic reporting.

Q6. Does CROMERR affect all data transfers from authorized programs to EPA?

A6. No. CROMERR does not apply to data transfers between EPA and authorized programs as a part of their authorized programs or as a part of administrative arrangements between authorized programs and EPA to share data.

Q7. Does the rule cover electronic record-keeping?

A7. No, with the exception of the requirement to maintain a "copy of record" for those reports filed electronically. Although the proposed rule included provisions for electronic record-keeping, EPA is not issuing final record-keeping rules at this time.

Q8. What else does CROMERR not do?

A8. CROMERR does not:
• Change any substantive regulatory requirements that appear in Title 40 of the Code of Federal Regulations.
• Change any substantive regulatory requirements under authorized state programs.
• Confer any right or privilege to submit data electronically.
• Require any state program to accept electronic documents.
• Require signatures on electronic documents if Title 40 does not require signatures on the corresponding paper documents.

II. CROMERR REQUIREMENTS

Q1. What are the CROMERR requirements for electronic reporting systems?

A1. Authorized programs seeking to meet the requirements should consult the actual language of section VI.E of the Preamble and §3.2000(b) of the rule for more detail. The subject areas addressed by the requirements include:
• Timeliness of data generation.
• Copy of record.
• Integrity of the electronic document.
• Submission knowingly.
• Opportunity to review and repudiate copy of record.
• Validity of the electronic signature.
• Binding signature to the document.
• Opportunity to review.
• Understanding the act of signing.
• Electronic signature or subscriber agreement.
• Acknowledgement of receipt.
• Determining the identity of the individual uniquely entitled to use a signature device.

Q2. How is an application for an electronic reporting system submitted to EPA for review?

A2. Authorized programs can submit an application for program modification or revision using the special 40 CFR Part 3 approval process or by using applicable program approval or revision processes under other Parts of Title 40.

Q3. What is the approval process created by CROMERR?

A3. The CROMERR approval process allows authorized programs to submit a consolidated application to seek approval of multiple program revisions or modifications related to electronic reporting. CROMERR provides a single, straightforward EPA review process for consolidated applications, with deadlines for EPA action written into the rule.

Q4. How will EPA assess authorized program electronic reporting systems as part of the CROMERR approval process?

A4. Approval will be based on conformance with the CROMERR performance-based requirements for electronic reporting systems, provided in §3.2000(b) of the rule. These requirements reflect the need to assure the authenticity and integrity of electronic documents so that they will meet the Agency's legal and business needs to the same extent as their paper counterparts.

Q5. In consolidated applications with multiple program revisions or modifications, does CROMERR require that EPA take the same action on each program in the consolidated application?

A5. No. For example, EPA can approve some of the program revisions or modifications in the consolidated application and disapprove others.

Q6. When do new authorized program electronic reporting systems need to have EPA approval?

A6. For new electronic reporting systems, authorized programs must obtain EPA approval of the associated program modifications or revisions before electronic reports can be received.

Q7. When do existing authorized program electronic reporting systems need to have EPA approval?

A7. Authorized programs must submit applications for program revisions or modifications related to existing electronic reporting systems no later than January 13, 2010. This deadline can be extended on a case-by-case basis and at the request of the authorized program, where legislative or regulatory changes are necessary before a complete application can be submitted.

Q8. What happens if an application is not submitted by the January 13, 2010 deadline for an existing authorized program electronic reporting system?

A8. Authorized programs that fail to meet the CROMERR deadline and continue to operate their existing electronic reporting systems without EPA approval may jeopardize the enforceability of affected programs.

Q9. Can the application deadline for an existing authorized program electronic reporting system be extended?

A9. CROMERR does allow the EPA Administrator to extend the January 13, 2010, deadline on a case-by-case basis, if an authorized program can demonstrate that it needs additional time to make legislative or regulatory changes required for CROMERR compliance.

Q10. When do authorized program electronic reporting systems that are under development need EPA approval?

A10. Authorized programs must submit applications for program revisions or modifications related to electronic reporting systems that are "substantially developed" no later than January 13, 2010 (see §3.1000(a)(3) of the regulation). In the context of CROMERR, "substantially developed" means that system services or specifications are already established by existing contracts or other binding agreements. This would include cases where a state agency has already made legally binding agreements to procure the services and/or components that will constitute the system. Systems under development, but not "substantially developed," need EPA approval before they are used to receive electronic reports. (See §3.3 of the regulation for the definition of an existing electronic document receiving system.)

Q11. Once approved electronic reporting systems are operational, what happens if the system needs to be changed?

A11. Once authorized programs begin operating approved electronic reporting systems, they must notify EPA of system changes that have the potential to affect compliance with CROMERR. If there are substantial changes to approved systems, EPA may ask, based on a determination by the Administrator, that the authorized program submit a new application for EPA approval. (See §3.1000(a)(4) of the regulation.)

III. AUTHORIZED PROGRAM APPLICATIONS

Q1. What do CROMERR applications need to contain?

A1. Look to the Regulation for specific requirements (see §3.1000). However, applications generally must contain:
1. A signed certification that state, tribe, or local laws and/or regulations provide sufficient legal authority to implement electronic reporting and to enforce the affected authorized programs using electronic documents collected under those programs, together with copies of the relevant laws and/or regulations.
2. A listing of the electronic document receiving systems that do or will receive electronic submissions addressed by the program revisions or modifications being requested, together with a description of each system that specifies in detail how it will satisfy the requirements of CROMERR. The application should indicate, for each system, which electronic submissions the system will be used to receive, and, for each such submission, whether the submission involves electronic signatures.
3. For each system, a schedule of upgrades that may affect future CROMERR compliance, to the extent that such upgrades can be anticipated.
4. Other information necessary to demonstrate compliance with CROMERR.

Q2. How should electronic reporting systems be described in the CROMERR application?

A2. For each electronic reporting system, the application should explain the approach, both system functions and business processes, to addressing the applicable CROMERR requirements as detailed in section VI.E of the Preamble and §3.2000(b) of the rule. (Note that many of these requirements may not apply to electronic document receiving systems that do not receive submissions with electronic signatures.) The description should provide enough detail for EPA to understand what functions the system will perform to address each requirement and the technologies that will be used to achieve this functionality.

Q3. Who needs to sign the certification of legal authority to implement electronic reporting under CROMERR?

A3. For states, the certification must be signed by the Attorney General or his or her designee. For tribes and local governments, the certification must be signed by the chief administrative official or officer or his or her designee. (See §3.1000(b)(1)(i) of the regulation.)

IV. APPLICATION REVIEW PROCESS

Q1. How does EPA review CROMERR applications?

A1. Within 75 days of receipt of the application, EPA typically notifies an applicant whether an application is complete. EPA then determines whether to approve or disapprove the revisions or modifications addressed by the application. In most cases, the agency has 180 days from notification of completeness to act on the application, unless the authorized program requests that the deadline be extended; in certain circumstances the deadline is 360 days.
If EPA does not meet the applicable deadline, then the revisions or modifications in the application are automatically approved (see §3.1000(c)(4) of the regulation).

Q2. Who reviews the CROMERR applications?

A2. EPA convened the CROMERR Technical Review Committee (TRC) to review applications submitted under CROMERR for authorized programs. The TRC reflects an Agency-wide perspective, with representatives from each of the EPA Regions and Program Offices. The TRC reviews applications from authorized programs that are submitted under the new CROMERR Part 3 process, which sets relatively tight deadlines for EPA action. The TRC also can be called upon to work with Program and Regional Offices that review CROMERR-required applications submitted under other Title 40 processes for program revision or modification.

Q3. Is the review any different in cases of existing systems?

A3. The review is the same, but in certain cases the timing of that review may vary. Under CROMERR, authorized programs with existing systems have until January 13, 2010 to submit their applications. For applications for existing systems that are received after July 30, 2007, EPA has up to 360 days (rather than 180 days) to act on any modification or revision requested in the application.

Q4. Can applications be amended once they have been deemed complete by EPA?

A4. Yes. An authorized program may amend its application after EPA has determined the application package to be complete. However, the application will be considered to have been withdrawn and resubmitted as a new package, and a new 75-day completeness determination process will begin. (See §3.1000(e) of the regulation.)

Q5. Can the review period be extended?

A5. The 180-day or 360-day review period may be extended, but only at the request of the authorized program submitting the application (see §3.1000(c)(4) of the regulation).

Q6. When does the approval become effective?

A6. The approval becomes effective as soon as EPA publishes a notice of the approval in the Federal Register.

Q7. What happens if EPA determines that an application is incomplete?

A7. For applications that EPA deems incomplete, the agency will provide notice to the applicant along with information about the application's deficiencies. Authorized programs can then either withdraw their application and re-submit a new application, or they may submit an amended application. EPA has 75 calendar days to respond to the resubmitted new application with a completeness determination and 30 calendar days to respond to an amended application with a completeness determination.

Q8. What happens if EPA denies a requested modification or revision covered by an application?

A8. If EPA denies a requested modification or revision, the Agency will explain the reasons for the action and advise the applicant of the steps that can be taken to remedy the application's deficiencies. EPA will work with the applicant to identify the issues that have posed an obstacle to approval. Authorized programs may then re-submit applications for reconsideration.

Q9. Are there special provisions for public water system programs?

A9. Yes. Where authorized programs apply for approval of an electronic reporting system for a public water system program (under 40 CFR Part 142), the application approach is the same as for any other system except that EPA's approval or denial of the request is considered a "preliminary determination" and is followed by a public hearing process. Following this approach, EPA publishes a notice of the preliminary determination in the Federal Register and informs members of the public that they can request a public hearing. If no public hearing is requested (or determined necessary by EPA), then the preliminary determination becomes effective 30 days after the initial Federal Register publication.
If there is a hearing, EPA reviews the hearing record and, by order, either affirms or rescinds the preliminary determination; EPA then publishes a notice of its decision in the Federal Register. If the order is to approve the revision or modification, the approval will be effective upon publication of the order in the Federal Register.

V. CHALLENGE-QUESTION "SECOND FACTOR" APPROACH

Q1. Does CROMERR require that systems use a challenge-question second-factor approach for e-signatures?

A1. No, but CROMERR does require an approach that demonstrates that e-signatures are valid as defined by the rule. Among other things, a valid PIN/password-based e-signature needs to demonstrate that the PIN (or password) has not been compromised. The CROMERR Preamble suggests that where an e-signature is executed with a PIN (or password), preventing device compromise requires a second "factor" that is not easy to share by accident, or one the owner is likely not to wish to share.

Q2. Is the challenge-question approach the only "second factor" available to strengthen a PIN/password-based e-signature?

A2. No. Candidate second factors include private knowledge (such as a challenge-question), biometrics, and hardware devices (e.g., smart cards, USBs, PIN/password generators, RSA tokens, cell phones). EPA recommends that PIN-based e-signatures use a challenge-question as a "second factor" because, compared with the alternatives, the challenge-question approach provides significant added protection against signature repudiation at a relatively low cost: the approach is low-tech, relatively cheap and easy to implement, and is widely used for commercial applications such as banking. States are welcome to propose other options that demonstrate that the PIN/password has not been compromised.

Q3. When a system uses a challenge-question as a "second factor" to strengthen a PIN/password-based e-signature (by helping to ensure that the PIN/password has not been compromised), how many challenge-questions need to be presented to users each time they enter their PIN or password to execute a signature?

A3. A single challenge-question is usually sufficient. It should be randomly selected from the set of questions for which the user has provided pre-arranged answers, so that the user cannot predict which question will be presented in any particular case.

Q4. To set up a challenge-question "second factor" approach, how many questions does the user need to provide with pre-arranged answers?

A4. Five pre-arranged question-answer pairs are usually sufficient to allow the system to present a single question in a truly unpredictable way to a user who is executing an e-signature. Fewer than five pre-arranged question-answer pairs are too few to allow meaningful unpredictability.

Q5. When asking users to select questions to provide with pre-arranged answers, how long should the list of candidate questions be from which users get to choose?

A5. The answer depends in part on how many pre-arranged question-answer pairs there will be, and in part on the nature of the questions. Where there will be five pre-arranged question-answer pairs, a list of ten candidate questions may be sufficient, although EPA recommends twenty candidate questions, to give users the best chance of finding five questions they can answer with certainty from memory based on private knowledge. If there will be more than five question-answer pairs, then a longer list may be needed. In any event, the list of candidate questions needs to be significantly longer than the number of questions to be given pre-arranged answers, because questions that address the private knowledge of some users may not relate to the private knowledge of others. For example, "What is the name of your favorite pet?" wouldn't work for someone who doesn't have a pet at all or who has pets but no clear favorite. It is possible that questions could be identified that really do relate to the private knowledge of almost any user; "What is your mother's maiden name?" may be an example of this. A relatively short list of candidates that consists entirely of such generally applicable questions may meet the requirements of a challenge-question implementation as well as or better than a much longer list of questions that do not have such universal applicability.

Q6. What are the numbers of questions asked, pre-arranged question-answer pairs, and candidate questions associated with challenge-question implementations of CROMERR-approved systems?

A6. Here's a matrix of the numbers for the currently approved systems. We'll update this matrix as we approve additional systems.

System    Questions asked at signature    Question-answer pairs pre-arranged by user    Candidate questions available for user to choose from at registration
CDX       1                               5                                             20
Net DMR   1                               5                                             10 - 20
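The mechanics described in Section V, Q3 through Q5 (one question drawn unpredictably at signature time from at least five pre-arranged pairs, which the user picked from a candidate list of about twenty) can be illustrated in code. The following Python sketch is an added example; it is not EPA's code and not the code of CDX, NetDMR or any other CROMERR-approved system. The candidate questions, the sample user and the sample answers are constructed. Storing answers only as salted PBKDF2 hashes, normalizing answers before hashing, and binding each presented question to a single-use challenge id are design choices assumed by this example, not requirements stated in the FAQ.

```python
# Added example: challenge-question "second factor" for a PIN/password e-signature.
# Illustrative code only, not EPA's or any CROMERR-approved system's code.
# Assumed design (not from the FAQ): answers are stored only as salted PBKDF2
# hashes, and each presented question is bound to a single-use challenge id.
import hashlib
import hmac
import secrets

MIN_PAIRS = 5          # FAQ Q4: fewer than five pre-arranged pairs is too few
PBKDF2_ROUNDS = 100_000

# Constructed candidate list of twenty questions (FAQ Q5 recommends twenty).
CANDIDATE_QUESTIONS = [
    "What is your mother's maiden name?",
    "What was the name of your first school?",
    "In what city were you born?",
    "What was your first employer's name?",
    "What was the make of your first car?",
    "What is the name of your oldest cousin?",
    "What street did you grow up on?",
    "What was your childhood nickname?",
    "What is the name of your favorite teacher?",
    "What was the name of your first pet?",
    "What is your favorite book?",
    "What is the middle name of your oldest sibling?",
    "Where did you go on your first vacation?",
    "What was your first job title?",
    "What is your father's middle name?",
    "What was the name of your best friend in high school?",
    "What is the name of the hospital where you were born?",
    "What was your first phone number?",
    "What is the name of your favorite sports team?",
    "What is your grandmother's first name?",
]

def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive so 'Smith ' matches 'smith'."""
    return " ".join(answer.strip().lower().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)

class ChallengeQuestionStore:
    def __init__(self, candidates=CANDIDATE_QUESTIONS, min_pairs=MIN_PAIRS):
        self.candidates = set(candidates)
        self.min_pairs = min_pairs
        self._records = {}    # user_id -> {question: (salt, digest)}
        self._pending = {}    # challenge_id -> (user_id, question)

    def register(self, user_id: str, pairs: dict) -> None:
        """Registration step: validate and store the pre-arranged pairs."""
        if len(pairs) < self.min_pairs:
            raise ValueError(f"need at least {self.min_pairs} question-answer pairs")
        unknown = set(pairs) - self.candidates
        if unknown:
            raise ValueError(f"questions not on the candidate list: {sorted(unknown)}")
        if any(not normalize(a) for a in pairs.values()):
            raise ValueError("every question needs a non-empty answer")
        record = {}
        for question, answer in pairs.items():
            salt = secrets.token_bytes(16)           # per-answer salt
            record[question] = (salt, hash_answer(answer, salt))
        self._records[user_id] = record

    def issue_challenge(self, user_id: str):
        """Signature time: pick ONE question with a CSPRNG (FAQ Q3) and bind it."""
        question = secrets.choice(list(self._records[user_id]))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (user_id, question)
        return challenge_id, question

    def answer_challenge(self, challenge_id: str, answer: str) -> bool:
        """Single use: the pending entry is consumed whether or not the answer is right."""
        pending = self._pending.pop(challenge_id, None)
        if pending is None:
            return False
        user_id, question = pending
        salt, digest = self._records[user_id][question]
        return hmac.compare_digest(hash_answer(answer, salt), digest)

def demo() -> bool:
    """Register a constructed user with five pairs, then run one challenge."""
    store = ChallengeQuestionStore()
    pairs = {  # constructed sample registration data
        CANDIDATE_QUESTIONS[0]: "Smith",
        CANDIDATE_QUESTIONS[2]: "Denver",
        CANDIDATE_QUESTIONS[6]: "Elm Street",
        CANDIDATE_QUESTIONS[9]: "Rex",
        CANDIDATE_QUESTIONS[14]: "James",
    }
    store.register("user-001", pairs)
    challenge_id, question = store.issue_challenge("user-001")
    # Simulate the user typing the answer with different case and trailing spaces.
    return store.answer_challenge(challenge_id, pairs[question].upper() + "  ")
```

Two points the sketch makes that the FAQ leaves implicit: the question is chosen with `secrets` rather than `random`, since a predictable generator would let a user anticipate which answer the signing session will ask for, defeating the unpredictability Q3 and Q4 call for; and the answer is checked against the question the server recorded under the challenge id, never against a question name sent back by the client, so a user cannot substitute an easier question for the one actually presented. The challenge-question check runs in addition to, not instead of, the PIN/password check that it strengthens.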