[Federal Register: October 13, 2005 (Volume 70, Number 197)]
[Rules and Regulations]
[Page 59847-59889]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr13oc05-26]
-----------------------------------------------------------------------
Part III
Environmental Protection Agency
-----------------------------------------------------------------------
40 CFR Parts 3, 9, 51 et al.
Cross-Media Electronic Reporting; Final Rule
-----------------------------------------------------------------------
ENVIRONMENTAL PROTECTION AGENCY
40 CFR Parts 3, 9, 51, 60, 63, 69, 70, 71, 123, 142, 145, 162, 233,
257, 258, 271, 281, 403, 501, 745 and 763
[FRL-7977-1]
RIN 2025-AA07
Cross-Media Electronic Reporting
AGENCY: Environmental Protection Agency (EPA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: EPA is establishing the framework by which it will accept
electronic reports from regulated entities in satisfaction of certain
document submission requirements in EPA's regulations. EPA will provide
public notice when the Agency is ready to receive direct submissions of
certain documents from regulated entities in electronic form consistent
with this rulemaking via an EPA electronic document receiving system.
This rule does not mandate that regulated entities utilize electronic
methods to submit documents in lieu of paper-based submissions. In
addition, EPA is not taking final action on the electronic
recordkeeping requirements at this time.
States, tribes, and local governments will be able to seek EPA
approval to accept electronic documents to satisfy reporting
requirements under environmental programs that EPA has delegated,
authorized, or approved them to administer. This rule includes
performance standards against which a state's, tribe's, or local
government's electronic document receiving system will be evaluated
before EPA will approve changes to the delegated, authorized, or
approved program to provide electronic reporting, and establishes a
streamlined process that states, tribes, and local governments can use
to seek and obtain such approvals.
DATES: This rule shall become effective January 11, 2006.
ADDRESSES: The public record for this rulemaking has been established
under docket number OEI-2003-0001 and is located in the EPA Docket
Center, (EPA/DC) EPA West, Room B102, 1301 Constitution Ave., NW.,
Washington, DC. The EPA Docket Center Public Reading Room is open from
8:30 a.m. to 4:30 p.m., Monday through Friday, excluding legal
holidays. (See SUPPLEMENTARY INFORMATION below.)
FOR FURTHER INFORMATION CONTACT: For general information on this final
rule, contact the docket above. For more detailed information on
specific aspects of this rulemaking, contact David Schwarz (2823T),
Office of Environmental Information, U.S. Environmental Protection
Agency, 1200 Pennsylvania Avenue, NW., Washington, DC 20460,
(202) 566-1704, schwarz.david@epa.gov, or Evi Huffer (2823T), Office of
Environmental Information, U.S. Environmental Protection Agency, 1200
Pennsylvania Avenue, NW., Washington, DC 20460, (202) 566-1697,
huffer.evi@epa.gov.
SUPPLEMENTARY INFORMATION:
General Information
A. Affected Entities
This rule will potentially affect states, tribes, and local
governments that have been delegated, authorized, or approved, or which
seek delegation, authorization, or approval to administer a federal
environmental program under Title 40 of the Code of Federal Regulations
(CFR). For purposes of this rulemaking, the term ``state'' includes the
District of Columbia and the United States territories, as specified in
the applicable statutes. That is, the term ``state'' includes the
District of Columbia, the Commonwealth of Puerto Rico, the Virgin
Islands, Guam, American Samoa, the Commonwealth of Northern Mariana
Islands, and the Trust Territory of the Pacific Islands, depending on
the statute.
The rule will also potentially affect private parties subject to
any requirements in Title 40 of the CFR that require a document to be
submitted to EPA. Affected Entities include, but are not necessarily
limited to:
------------------------------------------------------------------------
                                            Examples of affected
Category                                    entities
------------------------------------------------------------------------
Local government..........................  Publicly owned treatment
                                            works, owners and operators
                                            of treatment works treating
                                            domestic sewage, local and
                                            regional air boards, local
                                            and regional waste
                                            management authorities, and
                                            municipal and other
                                            drinking water authorities.
Private...................................  Industry owners and
                                            operators, waste
                                            transporters, privately
                                            owned treatment works or
                                            other treatment works
                                            treating domestic sewage,
                                            privately owned water
                                            works, small businesses of
                                            various kinds, sponsors
                                            such as laboratories that
                                            submit or initiate/support
                                            studies, and testing
                                            facilities that both
                                            initiate and conduct
                                            studies.
Tribe and State governments...............  States, tribes or
                                            territories that administer
                                            any federal environmental
                                            programs delegated,
                                            authorized, or approved by
                                            EPA under Title 40 of the
                                            CFR.
Federal government........................  Federally owned treatment
                                            works and industrial
                                            dischargers, and federal
                                            facilities subject to
                                            hazardous waste regulation.
------------------------------------------------------------------------
This table is not intended to be exhaustive, but rather provides a
guide for readers regarding entities likely to be affected by this
action. This table lists the types of entities that EPA is now aware
can potentially be affected by this action. Other types of entities not
listed in the table can also be affected. If you have questions
regarding the applicability of this action to a particular entity,
consult the person listed in the preceding FOR FURTHER INFORMATION
CONTACT section.
B. How Can I Get Copies of This Document and Other Related Information?
1. Docket. EPA has established an official public docket for this
action under Docket ID No. OEI-2003-0001. The official public docket
consists of the documents specifically referenced in this action, any
public comments received, and other information related to this action.
Although a part of the official docket, the public docket does not
include Confidential Business Information (CBI) or other information
whose disclosure is restricted by statute. The official public docket
is the collection of materials that is available for public viewing at
the Cross-Media Electronic Reporting Rule (CROMERR) Docket in the EPA
Docket Center (EPA/DC), EPA West, Room B102, 1301 Constitution Ave.,
NW., Washington, DC. The EPA Docket Center Public Reading Room is open
from 8:30 a.m. to 4:30 p.m., Monday through Friday, excluding legal
holidays. The telephone number for the Public Reading Room is (202)
566-1744, and the telephone number for the Office of Environmental
Information Docket is (202) 566-1752. You may have to pay a reasonable
fee for copying.
An electronic version of the public docket is available through
EPA's
electronic public docket and comment system, EDOCKET. You may use
EDOCKET at http://www.epa.gov/edocket/ to view public comments, access
the index listing of the contents of the official public docket, and to
access those documents in the public docket that are available
electronically. Although not all docket materials may be available
electronically, you may still access any of the publicly available
docket materials. After selecting the ``Using EDOCKET'' icon, select
``quick search,'' then key in the appropriate docket identification
number. Double click on the document identification number to bring up
the docket contents.
2. Electronic Access. You may access this Federal Register document
electronically through the EPA Internet under the ``Federal Register''
listings at http://www.epa.gov/fedrgstr/.
Organization of This Document
Information in this Preamble is organized as follows:
I. Overview
A. Why does the Agency seek to provide electronic alternatives
to paper-based reporting and recordkeeping?
B. What does the electronic reporting rule do?
C. What is the status of the proposed electronic recordkeeping
provisions?
D. How were stakeholders consulted during the development of
today's final rule?
E. What alternatives to today's final rule did EPA consider?
II. Background
A. What has been EPA's electronic reporting policy?
B. How does today's final rule change EPA's electronic reporting
policy?
III. Scope of the Electronic Reporting Rule
A. Who may submit electronic documents?
B. Which documents can be filed electronically?
C. How does this final rule implement electronic reporting?
IV. Major Changes from Proposed Electronic Reporting Provisions
A. How does the rule streamline the approval of electronic
reporting under authorized state, tribe, and local government
programs?
1. Review of the proposal
2. Comments on the proposal
3. Revisions in the final rule
B. How has EPA revised the requirements that state, tribe, and
local government electronic reporting programs must satisfy?
1. Review of the proposal
2. Comments on the proposed criteria for electronic document
receiving systems
3. Revisions to the criteria in the final rule
C. How has EPA accommodated electronic submissions with follow-on
paper certifications?
D. How has EPA changed proposed definitions of terms?
1. Definition of ``acknowledgment''
2. Definition of ``electronic document''
3. Definition of ``electronic signature''
4. Definition of ``electronic signature device''
5. Definition of ``transmit''
6. Definition of ``valid electronic signature''
V. Requirements for Direct Electronic Reporting to EPA
A. What are the requirements for electronic reporting to EPA?
B. What is the status of existing electronic reporting to EPA?
C. What is EPA's Central Data Exchange?
1. Overview of general goals
2. Comments on the proposal
3. The aspects of CDX that have not changed since proposal
4. The major changes that EPA has made to CDX since proposal
D. How will EPA provide notice of changes to CDX?
VI. Requirements for Electronic Reporting under EPA-Authorized
Programs
A. What is the general regulatory approach?
B. When must authorized state, tribe, or local government
programs revise or modify their programs to allow electronic
reporting?
1. The general requirement
2. Deferred compliance for existing systems
C. What alternative procedures does EPA provide for revising or
modifying authorized state, tribe, or local government programs for
electronic reporting?
1. The application
2. Review for completeness
3. EPA actions on applications
4. Revisions or modifications associated with existing systems
5. Public hearings for Part 142 revisions or modifications
6. Re-submissions and amendments
D. What general requirements must state, tribe, and local
government electronic reporting programs satisfy?
E. What standards must state, tribe, and local government
electronic document receiving systems satisfy?
1. Timeliness of data generation
2. Copy of record
3. Integrity of the electronic document
4. Submission knowingly
5. Opportunity to review and repudiate copy of record
6. Validity of the electronic signature
7. Binding the signature to the document
8. Opportunity to review
9. Understanding the act of signing
10. The electronic signature or subscriber agreement
11. Acknowledgment of receipt
12. Determining the identity of the individual uniquely entitled
to use a signature device
VII. What are the Costs of Today's Rule?
A. Summary of proposal analysis
B. Final rule costs
C. General changes to methodology and assumptions
VIII. Statutory and Executive Order Reviews
A. Executive Order 12866
B. Executive Order 13132
C. Paperwork Reduction Act
D. Regulatory Flexibility Act
E. Unfunded Mandates Reform Act
F. National Technology Transfer and Advancement Act
G. Executive Order 13045
H. Executive Order 13175
I. Executive Order 13211 (Energy Effects)
J. Congressional Review Act
I. Overview
A. Why does the Agency seek to provide electronic alternatives to
paper-based reporting and recordkeeping?
In the Federal Register of August 31, 2001 (66 FR 46162), EPA
published a notice of proposed rulemaking, announcing the goal of
making electronic reporting and electronic recordkeeping available
under EPA regulatory programs. The Agency believes that the submission
and storage of electronic documents in lieu of paper documents can:
- Reduce the cost and burden of data transfer and maintenance for all
  parties to the data exchanges;
- Improve the data and the various business processes associated with
  its use in ways that may not be reflected directly in cost-reduction,
  e.g., through improvements in data quality, and the speed and
  convenience with which data may be transferred and used; and
- Maintain the level of corporate and individual responsibility and
  accountability for electronic reports and records that currently
  exists in the paper environment.
Recent federal policy and law are also strong drivers of electronic
alternatives to traditional reporting and recordkeeping. The Government
Paperwork Elimination Act (GPEA) of 1998, Title XVII of Public Law
105-277, requires the Director of the Office of Management and Budget (OMB)
to ensure that executive agencies provide for the option of the
electronic maintenance, submission, or disclosure of information as a
substitute for paper when practicable, and for the use and acceptance
of electronic signatures, when practicable. See GPEA section 1704.
Given the enormous strides in data transfer and management
technologies, particularly in connection with the Internet, replacing
paper with electronic data transfer now promises increased productivity
across almost all facets of business and government.
In seeking to make electronic alternatives available that were not
contemplated when most existing EPA regulations were written, EPA was
mindful of the need to maintain our ability to carry out our statutory
environmental and health protection mission, in part through ensuring
the integrity of environmental compliance documents. Accordingly, the
intended
effect of the proposed regulation was to permit and encourage the use
of electronic technologies in a manner that is consistent with EPA's
overall mission and that preserves the integrity of the Agency's
compliance and enforcement activities.
The Agency believes that it is essential to ensure that electronic
reports can play the same role as their paper counterparts in providing
evidence of what was reported and to what identified individuals
certified with respect to the report. Otherwise, electronic reporting
places at risk the continuing viability of self-monitoring and
self-reporting that provides the framework for compliance under most of our
environmental programs. The purpose of today's final rule is therefore
twofold. Today's rule is intended to provide regulated industry, EPA,
and state, tribe, and local governments with electronic reporting
alternatives that improve the efficiency, the speed, and the quality of
regulatory reporting. At the same time, the rule is intended to ensure
the legal dependability of electronic documents submitted under
environmental programs. This includes, among other things, ensuring
that individuals will be held as responsible and accountable for the
electronic signatures they execute, and for the documents to which
such signatures attest, as they currently are in cases of documents
where they execute handwritten signatures.
B. What does the electronic reporting rule do?
EPA is announcing today the final regulatory provisions in a new
part 3 of Title 40 of the CFR for electronic reporting to EPA and under
authorized state, tribe, and local government programs. ``Authorized
program'' is shorthand for a federal program that EPA has delegated,
authorized, or approved a state, tribe or local government to
administer under other provisions of title 40 of the CFR, where the
delegation, authorization, or approval has not been withdrawn or
expired. Section 3.3 of the rule codifies this usage in the regulatory
text. This use of ``authorized'' does not mean that EPA is precluded
from an enforcement action by a prior enforcement action being taken by
a state, tribe, or local government under its authorized program. The
final rule incorporates changes made after publication of the proposed
rule that are discussed in detail in section IV of this Preamble. This
rule establishes electronic reporting as an acceptable regulatory
alternative across a broad spectrum of EPA programs, and establishes
requirements to assure that electronic documents are as legally
dependable as their paper counterparts.
The requirements in Subpart B of the rule apply to entities that
choose to submit electronic documents for direct reporting to EPA,
including state, tribe, and local government facilities that choose to
submit electronic documents to EPA to satisfy requirements that apply
to them under other provisions of title 40 of the CFR. However, the
scope of this final rule excludes any data transfers between EPA and
states, tribes, or local governments as a part of their authorized
programs or as a part of administrative arrangements between states,
tribes, or local governments and EPA to share data. The requirements in
Subpart D of the rule provide for electronic reporting under authorized
state, tribe, and local government programs and apply to the
governmental entities administering the authorized programs. Under the
final rule, states, tribes, and local governments have the choice of
using electronic submission rather than paper for reporting under their
authorized programs. Comments on the proposed rule indicated that some
states and local governments are now requiring electronic reporting
under those programs. Existing electronic document receiving systems
must receive EPA approval in accordance with Subpart D in order to meet
the requirements of part 3.
This rule does not require that any document be submitted
electronically, and it does not require any state, tribe, or local
authorized program to receive electronic documents. Public access to
environmental compliance information is not affected by today's action.
Additionally, the scope of the final rule specifically excludes the
submission of any electronic document via magnetic or optical media--
for example via diskette, compact disk (CD), digital video disc (DVD),
or tape--as well as the transmission of documents via hard copy
facsimile or ``fax.'' The exclusion of magnetic or optical media
submissions from the scope of this rule in no way indicates EPA's
rejection of these technologies as a valid approach to paperless
reporting. Magnetic and optical media submissions fulfill the goal of
providing alternatives to submission on paper. EPA has already
successfully implemented a paperless reporting alternative that
utilizes magnetic and optical media submissions to fulfill many
regulatory reporting requirements. Such instances include reporting
related to the hazardous waste, Toxic Release Inventory, and pesticide
registration programs. EPA expects these magnetic and optical media
approaches to paperless reporting to continue, and nothing in today's
rule should be interpreted to proscribe or discourage them.
For entities that report to EPA directly and do so by submitting
electronic documents, today's action requires that these documents be
submitted either to the Agency's centralized electronic document
receiving system, called the ``Central Data Exchange'' (CDX), or to
alternative systems designated by the Administrator as described herein
and in a separate Federal Register notice. Entities that submit
electronic documents directly to EPA will satisfy the requirements in
today's rule by successfully submitting their reports to one of these
systems. While we do not intend to codify any of the details of how CDX
operates or how it is constructed, the characteristics of the CDX and
the submission scenarios are described later in this Preamble. In
addition, the CDX design specifications are included as a part of this
rulemaking docket.
Many facilities submit documents directly to states, tribes, or
local governments under authorized programs. For currently authorized
programs that receive or wish to begin receiving electronic documents
in lieu of paper, this rule requires EPA approval of program revisions
or modifications that address their electronic reporting
implementations. For programs initially seeking authorization, this
rule requires EPA approval of any electronic reporting components of
the programs. In both cases, EPA approval will be based largely on an
assessment of the program's ``electronic document receiving system''
that is or will be used to implement electronic reporting. For this
purpose, this rule includes performance-based standards that EPA will
use to determine that an electronic document receiving system is
acceptable. To implement electronic reporting under currently
authorized programs, EPA is creating a streamlined procedure that
states, tribes, and local governments may use to revise or modify their
authorized programs to incorporate electronic reporting. Today's
rulemaking also includes special provisions for authorized programs'
electronic document receiving systems that exist at the time of
publication of this final rule.
It is worth noting that EPA can approve changes to authorized
state, tribe, or local programs that involve the use of CDX to receive
data submissions from their reporting communities, and EPA is exploring
opportunities to
leverage CDX resources for use by states, tribes, and local
governments. As currently implemented, CDX provides the major systems
infrastructure components necessary to achieve electronic reporting
consistent with the standards in this rule for assessing state, tribe,
or local government electronic document receiving systems.
Additionally, EPA has set the goal of making CDX operations fully
consistent with the requirements in today's rule within two years.
While today's rule establishes electronic reporting as a regulatory
alternative, EPA will make the electronic submission alternative
available for specific reports or other documents only as EPA announces
its readiness to receive them through CDX or another designated system.
EPA will publish announcements in the Federal Register as CDX and other
systems become available for particular environmental reports. These
elements are discussed in more detail in section V of this Preamble.
In a notice published concurrently with today's rule, EPA clarifies
the status of electronic reporting directly to EPA systems that exist
as of the rule's publication date. In accordance with 40 CFR 3.10, EPA
is designating for the receipt of electronic submissions, all EPA
electronic document receiving systems currently existing and receiving
electronic reports as of the date of the notice. This designation is
valid for a period of up to two years from the date of publication of
the notice. During this two-year period, entities that report directly
to EPA may continue to satisfy EPA reporting requirements by reporting
to the same systems as they did prior to CROMERR's publication unless
EPA publishes a notice that announces changes to, or migration from,
that system. Any existing system continuing to receive electronic
reports at the expiration of this two-year period must receive
redesignation by the Administrator under Sec. 3.10. Notice of such
redesignation will be published in the Federal Register.
C. What is the status of the proposed electronic recordkeeping
provisions?
At this time, EPA is only finalizing the provisions for electronic
reporting to EPA and under authorized programs. The August 31, 2001,
proposal, however, also addressed records that EPA or authorized
programs require entities to maintain under any of the environmental
programs governed by Title 40 of the CFR or related state, tribe, and
local laws and regulations. For such records, EPA proposed specific
provisions for administering the maintenance of electronic records
under these environmental regulations. EPA proposed criteria under
which the Agency would consider electronic records to be trustworthy,
reliable, and generally equivalent to paper records in satisfying
regulatory requirements. For entities that choose to keep records
electronically, the proposal would have required the adoption of best
practices for electronic records management. For facilities maintaining
records to satisfy the requirements of authorized programs, the
proposal would have allowed for EPA approval of changes to the
authorized programs to provide for electronic recordkeeping. Under the
proposal, approval would have been based on a determination that the
authorized program would require best practices for electronic records
management, corresponding to EPA's provisions for electronic records
maintained to satisfy EPA recordkeeping requirements.
Further, EPA proposed that once the rule took effect, any records
subject to the rule that were maintained to satisfy the requirements of
EPA programs could only be maintained electronically after EPA
announced in the Federal Register that EPA was ready to allow
electronic records maintenance to satisfy the specified recordkeeping
requirements. Also under the proposal, records maintained under an
authorized state, tribe, or local government program could only be
maintained electronically once EPA had approved the necessary changes
to the authorized program.
Based on the comments received on the proposed electronic
recordkeeping provisions, EPA reconsidered its approach to electronic
recordkeeping and is not issuing final recordkeeping rules at this
time. The Agency is conducting additional analysis and intends to
publish a supplemental notice or re-proposal to solicit additional
comments before a final rule on electronic recordkeeping is issued. We
will be reviewing provisions related to the methods used to ensure
accuracy, accessibility and the ability to detect alterations of
records stored electronically, as well as other possible controls for
electronic recordkeeping. The Agency intends to utilize this review to
engage states, tribes, local governments, and industry in meaningful
consultation to ensure that the EPA has the best available information
on which to base its decisions. In conjunction with these
consultations--and before issuing any notice or re-proposal--EPA will
conduct additional analysis on the costs and benefits of alternative
approaches, and the technical feasibility of various options, with a
focus on impacts to small businesses. Today's rule does not authorize
the conversion of existing paper documents retained to comply with
existing recordkeeping requirements under other provisions of Title 40
of the CFR to an electronic format for record-retention purposes.
D. How were stakeholders consulted during the development of today's
final rule?
This final rule reflects more than ten years of interaction with
stakeholders that included states, tribes, and local governments,
industry groups, environmental non-government organizations, national
standard setting committees, and other federal agencies. As detailed in
the proposal, many of our most significant interactions involved
electronic reporting pilot projects conducted with state agency
partners, including the States of Pennsylvania, New York, Arizona, and
several others. In May, 1997, work began with approximately 35 states
on the State Electronic Commerce/Electronic Data Interchange Steering
Committee (SEES) convened by the National Governors' Association (NGA)
Center for Best Practices (CBP). Also, EPA sponsored a series of
conferences and meetings, beginning in June, 1999, with the explicit
purpose of seeking stakeholder advice before drafting the proposal.
Reports of these conferences and meetings are available in the docket
for this rulemaking, along with the product of the SEES effort, a
document entitled, ``A State Guide for Electronic Reporting of
Environmental Data,'' and reports on some of the more recent state/EPA
electronic reporting pilots.
For the proposal, EPA provided a 6-month public comment period,
which closed on February 27, 2002. During that time, we received 184
sets of written comments on the proposed rule. The commenters
represented a broad spectrum of interested parties: States, local
governments, specific businesses, trade associations, and other federal
agencies. Substantive changes to the electronic reporting provisions
based on public comments are discussed in detail in section IV of this
Preamble. In addition, EPA received comments at four public meetings
held around the country and at two meetings with states held in
Washington, DC. The comments and meeting summaries can be found in the
docket to this rulemaking. Today's final rule reflects many of the
comments and concerns raised by commenters on the proposal. (A complete
discussion of the options considered by EPA and other background
information on the Agency's policy on electronic reporting
can be found in the proposed rule.) The majority of comments focused on
the costs and burden of the proposed Subpart D electronic recordkeeping
provisions. EPA's response to public comments to the proposal can be
found in the rulemaking docket, in the Response to Comments document.
E. What alternatives to today's final rule did EPA consider?
EPA considered both a more stringent and a less stringent
alternative to the regulatory approach taken in this rule. The more
stringent alternative is reflected in the electronic provisions
published August 31, 2001, in the Notice of Proposed Rulemaking for
CROMERR. The proposed version of CROMERR was more stringent by virtue
of setting much more prescriptive, detailed requirements that
electronic document receiving systems would have to satisfy. For
example:
- Proposed Sec. 3.2000(d) contained very specific requirements for
  submitter identity management that a system would have to satisfy,
  including detailed requirements for renewal of registration and
  revocation of registration under specified circumstances;
- Proposed Sec. 3.2000(e) contained very detailed requirements for the
  signature/certification scenario that a system would have to provide
  for, specifying the exact sequence of steps to be followed in
  electronically signing a submission, and requiring such features as
  on-screen, scroll-through presentation of the data to be submitted
  for review of the signatory prior to signing.
EPA received significant public comment on this approach, both from
states and from regulated companies, and there were at least three
closely related themes. The first was that such prescriptive
requirements would greatly limit the flexibility of states to implement
electronic reporting in a cost-effective way. The second theme was that
many of the requirements--especially those specifying the
signature/certification scenario--were not appropriate to many cases where
electronic reporting would occur. Third and finally, many of these
commenters expressed skepticism that these very detailed requirements
represented the only possible approach to ensuring the legal
dependability of electronic submissions and signatures. These themes
are discussed in detail in section IV.B of this Preamble.
EPA also considered a less stringent alternative that would have
refrained from specifying requirements to establish the identity of an
individual to whom a signature device or credential (e.g., a PIN,
password, or PKI certificate) is issued. This less stringent
alternative would have omitted the provision for identity-proofing in
the final Sec. 3.2000(b)(5)(vii). In terms of regulatory impact, this
would be a significant reduction in stringency. Most of the burden on
regulated entities imposed by today's rule is associated with the
registration process involved in obtaining a signature device or
credential, and any requirement to establish the registrant's identity
raises the aggregate burden substantially.
EPA rejected this less stringent alternative, because we believe
that it would seriously undermine the rule's ability to assure the
legal dependability of electronic submissions. It is a basic principle
of electronic authentication (E-authentication) that individuals being
authenticated are who they say they are. E-authentication depends
critically on the degree of trust we can place in the credential the
individual presents, and such trust depends heavily on the process of
establishing the individual's identity (or ``identity-proofing'') when
he or she first registers for the credential. If the identity-proofing
process is not sufficiently stringent and credible, then it may be
uncertain who is using the credential in a specific instance where it
is presented. Where the credential is used to create an electronic
signature, inadequate identity-proofing may create uncertainty as to
who the signatory is; as a result, the signature may be rendered
undependable for any legal purpose. Accordingly, EPA believes that,
notwithstanding the cost, it is necessary to specify that identity-
proofing be conducted. The Sec. 3.2000(b)(5)(vii) identity-proofing
requirement is explained in detail in section VI.E.12 of this Preamble.
II. Background
A. What has been EPA's electronic reporting policy?
On September 4, 1996, EPA published a document entitled ``Notice of
Agency's General Policy for Accepting Filing of Environmental Reports
via Electronic Data Interchange (EDI)'' (61 FR 46684) (hereinafter
referred to as `the 1996 Policy'), where ``EDI'' generally refers to
the transmission, in a standard syntax, of unambiguous information
between computers of organizations that may be completely external to
each other. This notice announced EPA's basic policy for accepting
electronically submitted environmental reports, and its scope was
intended to include any regulatory, compliance, or informational
(voluntary) reporting to EPA via EDI.
For purposes of the 1996 policy, the standard transmission formats
used by EPA were to be based on the EDI standards developed and
maintained by the American National Standards Institute (ANSI)
Accredited Standards Committee (ASC) X12. By linking our approach to
the ANSI X12 standards, we hoped to take advantage of the robust ANSI-
based EDI infrastructure already in place for commercial transactions,
including a wide array of commercial off-the-shelf (COTS) software
packages and communications network services, and a growing industry
community of EDI experts available both to EPA and to the regulated
community. At the time EPA was writing this policy, ANSI-based EDI was
arguably the dominant mode of electronic commerce across almost all
business sectors, from aerospace to wood products, at least in the
United States. (A complete discussion of EPA's 1996 policy can be found
in the preamble to the proposed rule.)
With this final rule, EPA is making changes to the 1996 policy for
three primary reasons. First, and most important, the technology
environment has changed substantially since the 1996 policy was
written. Web-based electronic commerce and public key infrastructure
(PKI) are two examples. While both were available and in use for some
purposes in 1996, they had not yet achieved the level of acceptance and
use that they enjoy today. We could not have anticipated in 1996 that
this evolution would occur as rapidly as it has. Clearly, these
developments require that we extend our approach to electronic
reporting beyond EDI and Personal Identification Numbers (PINs). In
addition, they teach us that it is generally unwise to base regulatory
requirements on the existing information technology environment or on
assumptions about the speed and direction of technological evolution.
Second, we believe that technology-specific provisions would be
very complex and unwieldy. The resulting regulation would likely place
unacceptable burdens on regulated entities trying to understand and
comply.
Third, and finally, an electronic reporting architecture that makes
a centralized EPA or state system the platform for such functions as
electronic signature/certification is now quite viable--and quite
consistent with the standard practices of Web-based electronic
commerce. Given the state of technology six years ago, we could not
have considered this approach in the 1996 policy.
B. How does today's final rule change EPA's electronic reporting
policy?
For practical purposes, the most important change that today's rule
makes is in our technical approach to electronic reporting. In contrast
to the 1996 policy, today's rule does not generally specify or limit
the range of allowable electronic submission technologies and formats.
Under today's rule, compliant electronic reporting approaches can
include user-friendly `smart' electronic forms to be completed on-line
or downloaded for completion off-line at the user's personal computer,
as well as data transfers via the Internet or secure email in a variety
of standard and common off-the-shelf, application-based formats.
Similarly, in terms of electronic signature technology, the rule allows
for a range of approaches, including various implementations of PINs
and passwords, the use of private or personal information, digital
signatures based on PKI certificates, and other signature technologies
as they become viable for our applications. As EPA or authorized
programs implement electronic submission for specific reports, the rule
allows them to select one or more of the available submission and
signature approaches according to their circumstances and the program-
specific requirements.
EPA's goals are to make this electronic reporting alternative as
simple, attractive and cost-effective as possible for reporting
entities, while ensuring that electronically submitted documents are as
legally dependable as their paper counterparts. We believe that today's
rule achieves these goals, but--unlike the 1996 policy--without
requiring specific technologies or setting detailed procedural steps
for the submission of electronic documents. Our strategy--as initially
set out in the August 31, 2001, notice of proposed rulemaking, and as
finalized today--is to impose as few specific requirements as possible
on reporting entities, and to generally keep requirements neutral with
respect to technology. As a consequence, today's rule enables EPA, the
states, tribes, and local governments to offer regulated companies
diverse approaches to electronic reporting that can be tailored to
their technical capabilities and to the level of automation they wish
to achieve. In addition, the strategy gives EPA, the states, tribes,
and local governments the flexibility to adapt electronic reporting
systems to evolving technologies without requiring that regulations be
amended with each technological innovation.
However, this regulatory strategy does not mean abandoning any
control over how electronic documents are submitted. In place of
specific technologies or detailed procedural steps, today's rule
requires that electronic submissions be made to CDX or other designated
EPA systems, or to state, tribe, or local government systems that are
determined to satisfy a certain specified set of technology-neutral
performance standards. As a practical matter, the use of these systems
(e.g., CDX or others that meet the specified performance standards)
will involve submission procedures that we believe are sufficient to
ensure the legal dependability of electronic reports so that they meet
the needs of our compliance and enforcement programs. In addition,
while the specified performance standards may be technology-neutral,
agency electronic reporting systems that implement the standards will
incorporate suites of very specific technologies that will further
determine the process for actual electronic submission. Sections V.B
and V.C of this Preamble describe these requirements and the associated
technologies in some detail for the case of reporting directly to EPA
via CDX.
III. Scope of the Electronic Reporting Rule
EPA is today promulgating a new Part 3 in Title 40 of the CFR. The
new Part applies to all persons who submit reports or other documents
to EPA under Title 40, and to state, tribe, and local programs that
administer or seek to administer authorized programs under Title 40.
The new part 3 does not address contracts, grants or financial
management regulations contained in Title 48 of the CFR.
A. Who may submit electronic documents?
Any entity that submits documents addressed in this rule (see
section III.B., below) directly to EPA can submit them electronically
as soon as EPA announces that CDX or a designated alternative system is
ready to receive these reports. (See section V of this Preamble for a
discussion on requirements for electronic reporting to EPA, and section
V.B for a discussion of the status of electronic reporting directly to
EPA systems that exist as of the rule's publication date.) Under this
rule, the affected entities may elect to utilize the electronic
reporting alternative. These entities are not required by this final
rule to report electronically; however, they may be required to report
electronically under other Title 40 regulations, and nothing in today's
rule limits EPA's ability to require electronic reporting under other
parts of Title 40.
In general, entities may submit documents electronically as
provided for under authorized state, tribe, or local government
programs. Nothing in this rule prohibits state, tribe, or local
governments from requiring electronic reporting under applicable state,
tribe, or local law.
B. Which documents can be filed electronically?
This rule addresses document submissions required by or permitted
under any EPA or authorized state, tribe, or local program governed by
EPA's regulations in Title 40 of the CFR. Nonetheless, EPA will need
time to develop the hardware and software components required for each
individual type of document. Similarly, states, tribes, and local
governments will need time to evaluate their electronic document
receiving systems to ensure that they meet the standards promulgated in
today's final rule. Accordingly, once this rule takes effect, specific
documents submitted directly to EPA that are not already being
submitted electronically to existing EPA systems can only be submitted
electronically after EPA announces in the Federal Register that CDX or
an alternative system is ready to receive those specific documents.
(See section V.B of this Preamble for a discussion of the status of
electronic reporting directly to EPA systems that exist as of the
rule's publication date.) Documents may be submitted electronically
under the provisions of an authorized state, tribe, or local program.
C. How does this final rule implement electronic reporting?
The new 40 CFR part 3 consists of four (4) Subparts. Subpart A
provides that any requirement in Title 40 to submit a report directly
to EPA can be satisfied with an electronic submission that meets
certain conditions (specified in Subpart B) once the Agency publishes a
notice that electronic document submission is available for that
requirement. Subpart A also provides that electronic reporting can be
made available under EPA-authorized state, tribe, or local
environmental programs. In addition, Subpart A makes clear: (1) that
electronic document submission, while permissible under the terms of
this rule, is not required by any provision of this rule; and (2) that
this rule confers no right or privilege to submit data electronically
and does not obligate EPA or states, tribes, or local
agencies to accept electronic data. Subpart A also contains key
definitions and discusses compliance and enforcement.
Subpart B sets forth the general requirements for acceptable
electronic documents submitted to EPA. It provides that electronic
documents must be submitted either to CDX or to other EPA designated
systems. It also includes general requirements for electronic
signatures. The requirements in Subpart B apply to entities that submit
electronic documents for direct reporting to EPA, including states,
tribes, and local governments that submit electronic documents to EPA
to satisfy requirements that apply to them under Title 40 of the CFR.
Subpart B does not apply to any data transfers between EPA and states,
tribes, or local governments as a part of their authorized programs or
as a part of administrative arrangements between states, tribes, or
local governments and EPA to share data. Additionally, Subpart B does
not apply to the submission of any electronic document via magnetic or
optical media--for example via diskette, compact disk, or tape--or to
the transmission of documents via hard copy facsimile or ``fax.''
Subpart C is reserved for future EPA electronic recordkeeping
requirements.
Finally, Subpart D sets forth the process and standards for EPA
approval of changes to authorized state, tribe, and local environmental
programs to allow electronic reporting to satisfy requirements under
these programs. Again, for purposes of Subpart D, ``electronic
reporting'' entails submission via telecommunications, and Subpart D
requirements do not apply in cases of submission via magnetic or
optical media or hard copy ``fax.'' With respect to electronic
reporting, Subpart D includes simplified performance-based standards
for acceptable state, tribe, or local agency electronic document
receiving systems against which EPA will assess authorized program
electronic reporting elements. It also provides a streamlined process
for approving applications for revisions to authorized programs for
electronic reporting.
Given the provisions of Subpart A, a regulated entity wishing to
determine whether electronic reporting directly to EPA was available
under some specific regulation will have to verify that EPA has
published a Federal Register notice announcing their availability and
will have to locate any additional provisions or instructions governing
the electronic alternative for the particular reporting requirement. To
facilitate this determination, EPA intends to maintain an easily
accessed list of EPA reports for which electronic reporting has been
implemented--cross-referencing the applicable Federal Register
notices--on the Exchange Network and Grants webpage at
http://www.epa.gov/exchangenetwork.
IV. Major Changes From Proposed Electronic Reporting Provisions
A. How does the rule streamline the approval of electronic reporting
under authorized state, tribe, and local government programs?
1. Review of the proposal. EPA proposed that states, tribes, and
local governmental entities would use the procedures for program
revision or modification provided in existing program-specific
regulations governing state, tribe, or local authorized programs.
In the Preamble to the proposed rule, we noted that our approach
raised certain administrative concerns, especially in cases where a
governmental entity wished to use a single system to accept electronic
submissions across a number of authorized programs, corresponding to
EPA's use of CDX to receive reports across EPA programs. To receive EPA
approval for such implementations, the governmental entity would have
to apply for revision or modification under each authorized program
affected, using procedures that might vary substantially from program
to program. While these procedures might vary, each substantive review
would still refer to the same proposed part 3 criteria, and--in the
case of a single system implementation--would apply these criteria to
the same system. EPA intended this approach to facilitate an
administrative streamlining of the approval process, by allowing a
single EPA review of all cross-program applications associated with a
particular electronic document receiving system, which would enable EPA
to make a single decision to approve or disapprove all the associated
applications. While this approach would not eliminate multiple
applications, it would at least simplify the interactions between the
applicant and EPA during substantive review, and would speed EPA action
on the applications themselves.
EPA also considered more radical streamlining alternatives,
including a centralized approval process provided for by regulation,
and the proposal requested comment on whether any of these alternatives
would be preferable to the administrative approach to streamlining.
2. Comments on the proposal. In comments on the provisions for
electronic reporting under authorized programs, a recurring theme was
the complexity of the proposed requirements for EPA approval of program
revisions or modifications to allow electronic reporting. The comments
in many cases seemed directed equally to the approval process and to
the proposed criteria for approval. Comments on the criteria are
discussed in more detail in section IV.B.2 of this Preamble.
As for the comments that clearly addressed the process, there were
two major concerns. The first was that the process, due to the various
current program authorization regulations, is inherently complicated,
time-consuming and resource-intensive. In a few cases, commenters noted
the particular worry that having to seek EPA approval for each program
implementing electronic reporting would be especially burdensome, and
that EPA's proposed approach of streamlining the internal review
component of the program revision process would be of little help.
The second concern was the impact of the rule on electronic
reporting that was already underway. Commenters noted that many
authorized programs are already accepting electronic submissions, or
would be by the time the final rule is published, and they worried
about the timing of the requirement that the electronic document
receiving systems they use for this purpose be approved by EPA under
associated program revision or modification procedures. Under the
proposed provisions, such systems would have to be EPA-approved as soon
as the rule became effective, which was not practicable. Given the need
to address the criteria for approval, such applications could only be
initiated once the rule was finalized, and they might take months to
complete and get approved, or substantially longer in cases where the
revision or modification required state legislative or regulatory
changes. During the months or years that the revision or modification
was in process, the authorized program would either have to shut down
their electronic document receiving systems or, of necessity, operate
them out of compliance with the rule. Commenters were particularly
concerned with the disruptive impacts of having to shut these systems
down. They pointed out that reversion to paper-based submissions in
such cases may be difficult and expensive, both for the agencies and
for the submitting entities that are affected, and that resuming
system operation after a long hiatus may require resources more
typically associated with system start-up. Additional comments on
program revision or modification and EPA's responses can be found in
the rulemaking docket, in the Response to Comments document.
3. Revisions in the final rule. To address the concern that the
proposed program revision or modification to accommodate electronic
reporting was too complicated and burdensome, the final rule provides
streamlined procedures for adding electronic reporting to existing
authorized programs. These are optional procedures that a state, tribe,
or local government may use if it chooses, in place of the applicable
program-specific procedures, to seek EPA approval for revisions or
modifications that provide for electronic reporting. EPA believes that
in most cases these optional procedures will be substantially simpler
and quicker than their program-specific alternatives. These new
procedures are discussed in detail in section VI.C of this Preamble.
To address the concern that the required program revisions or
modifications may disrupt authorized programs that already have
electronic reporting underway, the final rule provides for a two-year
delayed compliance date--in effect, a two-year ``grace period''--before
such programs have to submit their applications for revision or
modification. Programs will be allowed this grace period where they
have systems that fit the definition of ``existing electronic document
receiving system,'' explained in section VI.B.2 of this Preamble. In
addition, these provisions allow the grace period to be extended, on a
case-by-case basis, where an authorized program may need to wait for
legislative or regulatory changes before a complete application can be
submitted.
B. How has EPA revised the requirements that state, tribe, and local
government electronic reporting programs must satisfy?
1. Review of the proposal. EPA proposed a detailed set of criteria
that would have to be met by any system that is used to receive
electronic documents submitted to satisfy document submission
requirements under any EPA-authorized state, tribe, or local
environmental program. The proposed criteria addressed the capabilities
that EPA believed a state, tribe, or local government's electronic
document receiving system must have regarding six function-specific
categories: (1) System security, (2) electronic signature method, (3)
submitter registration, (4) signature/certification scenario, (5)
transaction record, and (6) system archives.
These criteria were based upon EPA's consideration of the roles
that many electronically submitted documents will likely play in
environmental program management, including compliance monitoring and
enforcement, and the need to ensure that such roles were not
compromised by the transition from paper to electronic submission. In
many respects electronic submission enhances a document's utility for
environmental programs: it significantly reduces the resources and time
involved in making the content available to its users, and can greatly
facilitate data quality assurance and analysis. Nonetheless, electronic
submissions may also be open to challenge, primarily with respect to
their authenticity, and particularly where they are used to establish
the actions and intentions of the submitters. We normally consider such
uses in the case of environmental reporting, especially where
electronic submissions are made to report on an entity's compliance
status and where the submission includes a responsible individual's
certification to the truth of what is reported. For such cases, EPA
identified a programmatic need to be able to authenticate the
submission content and the certification--for example, to be able to
address issues of fraud or false reporting where they arise--and it is
primarily this need that was addressed by the six proposed criteria.
The point of the proposal's six function-specific categories was to
ensure the authenticity of electronic documents submitted in lieu of
paper reports, so that they will be able to play the same role as their
paper counterparts in providing evidence of what was reported and to
what an identified individual certified with respect to the report. For
example, in the case of paper submissions, the evidence surrounding a
handwritten signature is normally sufficient to demonstrate that the
signature is authentic and rebut any attempt by the signatory to
repudiate it, and EPA intends the standards in today's rule to provide
evidence for electronic signatures that has a corresponding level of
non-repudiation. Since these evidentiary issues typically arise in the
context of judicial or other legal proceedings, electronic documents
need the same ``legal dependability'' as their paper counterparts. The
over-arching standard in the concept of ``legal dependability'' is that
any electronic document that may be used as evidence to prosecute an
environmental crime or to enforce against a civil violation should have
no less evidentiary value than its paper equivalent. For example, where
there is a question of deliberate falsification of compliance data, it
must be possible to establish the signatory's identity beyond a
reasonable doubt no matter whether the submission was electronic or
paper.
A seventh, more general proposed criterion, entitled ``Validity of
Data,'' addressed the standard of legal dependability directly. The
idea, in general, was that a system used to receive electronic
documents must be capable of reliably generating evidence for use in
private litigation, in civil enforcement proceedings, and in criminal
proceedings in which the standard for conviction is proof beyond a
reasonable doubt that the electronic document was actually signed by
the individual identified as the signatory and that the data it
contains was not submitted in error. The six more detailed, function-
specific criteria represented the requirements for satisfying this more
general ``Validity of Data'' criterion. Taken together, the seven
proposed criteria were intended to ensure the legal dependability of
electronically submitted documents by providing:
Standards for valid electronic signatures and authentic
electronic documents to be admitted as evidence in a judicial
proceeding;
Assurance that electronic documents can be authenticated
to provide evidence of what an individual submitted and/or attested to;
and
Assurance that electronic signatures resist repudiation by
the signatory.
By providing for these and other facets of an electronic document's
legal dependability, proposed CROMERR was intended to preserve the
ability of EPA and its authorized programs to hold individuals
accountable when they certify, attest or agree to the content of
compliance reports under environmental laws and statutes. By the same
token, proposed CROMERR was also intended to ensure that EPA and its
authorized programs will have the documentary evidence they need to
bring actionable cases of false or fraudulent reporting into court.
2. Comments on the proposed criteria for electronic document
receiving systems. EPA received a substantial number of comments on the
proposed criteria for state, tribe, and local electronic document
receiving systems, both in written submissions and at meetings with the
public and with state and local government officials. While a
few of these comments questioned the ``Validity of Data'' criterion,
the great majority dealt with the detailed function-specific criteria.
There were at least three recurring and closely related themes. First,
the criteria were too prescriptive and inflexible, and would prevent
state, tribe, and local agencies from adapting their electronic
reporting approaches to their needs and changing circumstances, and
foreclose new and creative ways to achieve legal dependability. Second,
the criteria would make electronic reporting unnecessarily complex,
costly, and burdensome. Third, while the criteria might be appropriate
for some cases, the ``one size fits all'' approach was not workable for
all reports in all programs.
Commenters tended to associate these three themes with certain
misperceptions about the proposed requirements for signature method and
the signature/certification scenario. Concerning signature method, a
common concern was that the criteria would require states to implement
PKI-based digital signatures. Commenters generally appear to have
inferred this from proposed Sec. 3.2000(c) Electronic Signature
Method, together with EPA's own choice of PKI for some submissions to
CDX, as discussed in the Preamble. Whatever EPA's plans for CDX, state,
tribe, and local government systems do not have to conform to the CDX
model. Implementing a particular system of necessity requires the
choice of specific technologies. To make those choices does not imply
that these are the only possible choices that would satisfy whatever
requirements the rule places on electronic reporting systems.
Concerning Sec. 3.2000(c), commenters tended to focus on paragraph (5)
of this section, which stated that the signature method had to ensure
``that it is impossible to modify an electronic document without
detection once the electronic signature has been affixed.'' EPA did not
intend for this provision to establish PKI-digital signature as the
required signature method. Given current technology, approaches to
satisfying the Sec. 3.2000(c)(5) requirement frequently involve the
computation of a number--called a ``hash''--that has a unique relation
to the content of the electronic document such that any change to the
document content would change the computed hash. Given the hash, the
associated document can be confirmed as unmodified at any time by
calculating a new hash and showing that the new and original hashes are
identical. Using such a hash-based approach, it is important to ensure
that the hash has been secured from tampering, and encryption is
probably the most straightforward way to do this. Encryption can be
accomplished in a number of ways. Approaches include PKI-based digital
signature, digital signature where the asymmetric key-pair is not
associated with a PKI certificate, and various forms of symmetric-key
cryptography. Additionally, it may be possible to avoid cryptography
altogether by storing the hash value in a system with appropriately
controlled access. Thus, a solution using PKI-based digital signatures
represents only one among a number of possible approaches to satisfying
the proposed Sec. 3.2000(c)(5) requirement.
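The hash-based approach described above, as an added illustration that is
not part of the rule text or of any EPA or state system. It assumes
SHA-256 as the hash and an HMAC under a key held by the receiving system
as one instance of the symmetric-key option; the function names and the
sample report are constructed for this example.

```python
import hashlib
import hmac
import secrets


def document_hash(content: bytes) -> str:
    """Hash with a unique relation to the content: any change alters it."""
    return hashlib.sha256(content).hexdigest()


def seal(content: bytes, key: bytes) -> dict:
    """Record created when the signature is affixed (hypothetical layout).

    The hash is stored together with an HMAC over that hash, so the hash
    itself cannot be replaced without knowledge of the system-held key.
    """
    digest = document_hash(content)
    tag = hmac.new(key, digest.encode("ascii"), hashlib.sha256).hexdigest()
    return {"sha256": digest, "hmac": tag}


def verify_hash_only(content: bytes, record: dict) -> bool:
    """Recompute the hash and compare it with the stored one, nothing more."""
    return hmac.compare_digest(document_hash(content), record["sha256"])


def verify_sealed(content: bytes, record: dict, key: bytes) -> bool:
    """Check both the content hash and the protection placed on the hash."""
    digest = document_hash(content)
    expected_tag = hmac.new(
        key, digest.encode("ascii"), hashlib.sha256
    ).hexdigest()
    hash_ok = hmac.compare_digest(digest, record["sha256"])
    tag_ok = hmac.compare_digest(expected_tag, record["hmac"])
    return hash_ok and tag_ok


def run_scenarios(key: bytes) -> dict:
    """Walk through the cases the paragraph distinguishes."""
    # Constructed sample submission, not a real report.
    original = b"Facility 0001 | Q3 discharge: 4.2 mg/L | certified by J. Doe"
    altered = b"Facility 0001 | Q3 discharge: 1.2 mg/L | certified by J. Doe"

    record = seal(original, key)
    # The stored hash is overwritten to match the altered document, but the
    # party doing so does not hold the key, so the HMAC stays as it was.
    swapped = dict(record, sha256=document_hash(altered))

    return {
        # Untouched document and record: confirmed as unmodified.
        "unmodified": verify_sealed(original, record, key),
        # Content changed after signing: new hash differs from stored hash.
        "content_changed": verify_sealed(altered, record, key),
        # Hash kept without protection: replacing it hides the change.
        "hash_swapped_unprotected": verify_hash_only(altered, swapped),
        # Hash secured with the keyed tag: the replacement is detected.
        "hash_swapped_sealed": verify_sealed(altered, swapped, key),
    }


if __name__ == "__main__":
    system_key = secrets.token_bytes(32)  # held only by the receiving system
    for name, result in run_scenarios(system_key).items():
        print(f"{name}: {result}")
```

The third case is the reason the paragraph says the hash must be secured
from tampering. The non-cryptographic alternative it mentions, storing the
hash in a system with appropriately controlled access, addresses that same
case by preventing the stored hash from being replaced at all.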
A number of commenters also misinterpreted the criteria under
proposed Sec. 3.2000(e) Electronic signature/certification scenario
(especially the provisions for signatory's review of data under Sec.
3.2000(e)(1)(i)) as requiring signatories to scroll through their
submissions on-screen before they affix their electronic signatures,
and requiring state systems to enforce this required ``scroll-
through''. However, the proposal provided not that the signatory must
review the data on-screen, but rather that he or she be given the
opportunity to do so. The example of the enforced on-screen ``scroll-
through'' then envisioned for CDX, and provided in the CDX section of
the proposal's preamble, was in error. EPA did not intend to require
this ``scroll-through'' of submitted data prior to signature. EPA
certainly does expect and encourage reporting entities to review data
intended for electronic submission prior to signature, but does not
mandate this or any other particular mode or method of signatory review
in today's rule.
Returning to the three comment themes--of prescriptiveness, cost
and burden, and a ``one size fits all'' approach--commenters who raised
the prescriptiveness issue generally argued that, even supposing that
there were no specific objections to the detailed Sec. 3.2000
provisions, EPA had failed to make the case that every single
requirement under these provisions is necessary to ensure the legal
dependability of electronic submissions. Commenters who argued that the
proposed rule would be too costly and burdensome generally focused on
Sec. 3.2000(c)(5) and Sec. 3.2000(e)(1)(i), discussed above, or on
the proposed Sec. 3.2000(d) registration and signature agreement
provisions. There were many comments to the effect that the complex
Sec. 3.2000(d) registration and re-registration requirements would
pose substantial barriers to regulated company participation in
electronic reporting and involve unacceptable expenses for implementing
agencies. Commenters also noted that the required Sec. 3.2000(e)(1)(i)
would be difficult to integrate with company workflow practices in many
cases. Finally, there is the ``one size fits all'' issue. Some of the
comments raised this as another version of the ``prescriptiveness''
issue, but adding that the proposal developed just one model of
electronic reporting and attempted to make it fit the differing
circumstances of the various state, tribe, and local agencies that
would have to comply. Other comments emphasize the point that the
proposal takes requirements apparently tailored to assuring an
electronic document's authenticity and applies them to all cases of
electronic reporting, whether or not the question of authenticity is
likely to arise.
EPA has considered these and related comments in writing today's
rule. We do not wish to set overly prescriptive requirements and so
foreclose acceptable electronic reporting alternatives that could offer
equivalent or better assurance of legal dependability while, perhaps,
being easier for a state, tribe, or local agency to implement. We do
not wish to set requirements that impose unnecessary costs or burdens.
And, while we do not see a ``bright line'' around the universe of cases
where document authenticity might be of concern, we also do not wish to
address authenticity with requirements that leave states, tribes, and
local governments with too little flexibility in how they may adapt
their electronic reporting implementations to their particular
circumstances. Accordingly, EPA has decided to finalize criteria for
electronic document receiving systems that directly articulate the
underlying goal of assuring the legal dependability of electronic
documents authenticity, and to add more specific requirements only to
the extent that they are needed to achieve this underlying goal.
Accordingly, the provisions of today's rule have been clarified as
general performance standards necessary to ensure the legal
dependability of the electronic documents they receive. Additional
comments on the proposed criteria and EPA's responses can be found in
the rulemaking docket, in the Response to Comments document.
3. Revisions to the criteria in the final rule. In today's final
rule, we intend to fulfill the underlying goal of the proposed Sec.
3.2000 criteria for electronic document receiving systems. This is to
assure the authenticity and non-
[[Page 59857]]
repudiation of electronic documents submitted in lieu of paper reports,
so that they are as legally dependable--that is, as admissible in
evidence and accorded the same evidentiary weight--as their paper
counterparts. As noted earlier, this goal was expressed most directly
in the proposed Sec. 3.2000(b) ``Validity of Data'' criterion.
Accordingly, for the final rule, we started with the proposed Sec.
3.2000(b) and then clarified the remaining proposed Sec. 3.2000
criteria as general performance standards for electronic document
receiving systems, which were incorporated as needed to assure the
legal dependability of the electronic documents such systems receive.
The resulting Sec. 3.2000(b) in the final electronic reporting rule
reflects the requirements discussed in the table below. The citation
for the corresponding language in the proposed rulemaking is also
provided.
------------------------------------------------------------------------
                                         Citation/requirement in final
Citation/subject area in proposed rule   section 3.2000(b)
------------------------------------------------------------------------
Proposed Sec. 3.2000(g), addressing      Section 3.2000(b)'s leading
system archives.                         clause requires that the
                                         system be able to generate the
                                         required data as needed and in
                                         a timely manner.
Proposed Sec. Sec. 3.2000(e)(3) and      Section 3.2000(b)'s leading
3.2000(f), addressing signature/         clause and Sec. 3.2000(b)(4)
certification scenarios and              require that the system be
transaction record.                      able to generate a ``copy of
                                         record'' that is made
                                         available to the submitters
                                         and/or signatories for review
                                         and repudiation.
Proposed Sec. Sec. 3.2000(c) and         Section 3.2000(b)(5)(i)
3.2000(d), addressing the electronic     requires that the system be
signature method and submitter           able to show that any
registration process.                    electronic signature on an
                                         electronic document was
                                         created by an authorized
                                         signatory with a device that
                                         the identified signatory was
                                         uniquely entitled and able to
                                         use.
Proposed Sec. 3.2000(c)(5),              Section 3.2000(b)(5)(ii)
addressing requirement that it be        requires that the system be
impossible to modify an electronic       able to show that the
document without detection once it has   electronic document cannot be
been electronically signed.              altered without detection once
                                         it has been electronically
                                         signed.
Proposed Sec. 3.2000(e), addressing      Sections 3.2000(b)(5)(iii)--
the signature/certification scenario.    (iv) require that the system
                                         be able to show that, before
                                         signing, any signatory had the
                                         opportunity to review what he
                                         or she was certifying to in a
                                         human-readable format, and to
                                         review the certification
                                         statement including any
                                         provisions relating to
                                         criminal penalties for false
                                         certification.
Proposed Sec. 3.2000(d), addressing      Section 3.2000(b)(5)(v)
the submitter registration process.      requires that the system be
                                         able to show that the
                                         signatory signed an
                                         ``electronic signature
                                         agreement'' or a ``subscriber
                                         agreement'' acknowledging his
                                         or her obligations connected
                                         with preventing the compromise
                                         of the signature device.
Proposed Sec. 3.2000(e)(2),              Section 3.2000(b)(5)(vi)
addressing acknowledgment.               requires that the system be
                                         able to show that it
                                         automatically sent an
                                         acknowledgment of any
                                         electronic submission it
                                         received that bears an
                                         electronic signature; the
                                         acknowledgment must identify
                                         the electronic document, the
                                         signatory and the date and
                                         time of receipt, and be sent
                                         to an address that does not
                                         share the access controls of
                                         the account used to make the
                                         submission.
Proposed Sec. 3.2000(d)(1)-(3),          Section 3.2000(b)(5)(vii)
addressing submitter registration.       requires, for each electronic
                                         signature device used to create
                                         an electronic signature on
                                         documents that the system
                                         receives, that the system be
                                         able to establish the identity
                                         of the individual uniquely
                                         entitled to use that device
                                         and his or her relation to the
                                         entity on whose behalf he or
                                         she signs the documents.
------------------------------------------------------------------------
The requirements in Sec. 3.2000(b)(5)(iii)-(iv) of today's rule,
concerning ``opportunity to review,'' do not place the responsibility
for providing an opportunity, or for showing whether or not an
opportunity was actually taken, on the state, tribe, or local
government electronic document receiving system. What is required is
that the system provide evidence sufficient to show that an opportunity
was provided; this point is explained in greater detail in sections
VI.E.8 and VI.E.9 of this Preamble.
EPA believes that the standards in Sec. 3.2000(b) of today's rule,
as developed from the proposed ``Validity of Data'' criterion, together
with other proposed criteria clarified as general performance
standards, represent the minimum set of requirements for electronic
document receiving systems necessary to ensure the legal dependability
of the electronic documents such systems receive. For example, the
requirement for a copy of record is necessary to ensure that there is
an authoritative answer to the question of what information content a
signatory was certifying to or attesting to. The related requirement
that the system be able to provide timely access to copies of record
and related data reflects a practical concern that the data be
accessible in time and in a format to serve the purposes for which it
is needed.
Concerning the requirement that signature devices be uniquely
assigned to, and held by individuals, EPA believes that an acceptable
electronic document receiving system must be able to attribute a
signature to a specific individual, to help assure that the signatory
cannot repudiate responsibility for the signature. Non-repudiation is
also strengthened by the signed electronic signature agreement, which
establishes that the signatory was informed of his or her obligation to
keep the signature device from compromise by ensuring that it is not
made available to anyone else. Requiring the signature agreement, as
well as the opportunity to review what they are signing, helps
establish that where signatures appear on electronic documents, the
signatories had the requisite intent to certify. That is, these
requirements help ensure that the signatories knew what they were
signing, knew what signing meant, and understood the legal implications
of false certification. As for the requirement that document content
cannot be altered without detection after signature, an acceptable
electronic document receiving system must provide evidence sufficient
to allow a court to attribute the intention to certify to the
document's current content to the signatory, so that he or she cannot
repudiate this content.
Finally, today's Sec. 3.2000(b)(5)(vii) requirement that the
system be able to establish the identity of the individual who is
assigned a signature is based on proposed Sec. 3.2000(d). Proposed
Sec. 3.2000(d) logically entails today's Sec. 3.2000(b)(5)(vii),
because satisfying the
[[Page 59858]]
provisions of the former guarantees compliance with the latter.
However, today's Sec. 3.2000(b)(5)(vii) limits the scope of the
proposed Sec. 3.2000(d)(3) requirement that, in registering for their
signature devices, registrants must execute their electronic signature
agreements on paper with handwritten signatures. In today's Sec.
3.2000(b)(5)(vii), this requirement is limited to a special class of
``priority report'' submittals. (See section VI.E.12 of this Preamble.)
In addition, today's Sec. 3.2000(b)(5)(vii) offers alternatives to
this handwritten signature requirement, to allow electronic reporting
solutions that are completely free of paper transactions. The
alternative provisions, found in today's Sec. 3.2000(b)(5)(vii)(A)-
(B), are elaborations of the proposed Sec. 3.2000(d)(1) requirement
for ``evidence [of identity] that can be verified by information
sources that are independent of the registrant and the entity or
entities'' for which the registrant will submit electronic documents.
The elaborations are necessary to assure that individuals' identities
can be established without being able to rely on their handwritten
signatures--and, in the final rule, the requirements apply only to
``priority report'' submittals, and only where the choice is made to
not use paper in the execution of electronic signature agreements.
Section VI.E.12 of this Preamble outlines all of today's Sec.
3.2000(b)(5)(vii) provisions in much more detail. In any event, we have
made these changes to the proposed Sec. 3.2000(d) approach to help
address commenters' concerns with ``one size fits all'' provisions, as
well as to allow states, tribes, and local government as much
flexibility as possible as they implement their electronic reporting
systems.
In sum, the overall approach to the standards for electronic
document receiving systems in today's rule reflects a balancing of the
concerns raised by the public comments, especially those relating to
the proposal's burden on states, tribes, local governments and
regulated entities, against the need to ensure the legal dependability
of electronic documents submitted under authorized programs. Finally,
EPA notes that to date the Agency has had limited experience with the
practical application of electronic signatures and electronic reporting
generally. With the benefit of practical experience accepting
electronic reports under this rule, EPA may determine that this rule
needs to be revisited, to either add or eliminate certain safeguards.
In addition, while EPA has sought to write this rule so that its
provisions are technology-neutral, it remains possible that revisions
will be required to reflect technological changes or changes in
prevailing industry norms and practices. If these or other
circumstances require it, EPA thus reserves the right to revisit the
issues addressed in this rule.
C. How has EPA accommodated electronic submissions with follow-on paper
certifications?
Currently there are EPA and state programs that take electronic
submissions where the requirements for a signed certification statement
are met with a follow-on paper submission with handwritten signatures.
A number of commenters suggested that such an approach be recognized
and allowed to continue under the electronic reporting rule. EPA has no
wish to proscribe such an approach, and does not judge whether or not
follow-on paper signature/certification is to be preferred to the
approach where the signature/certification is electronic. To make this
clear in the final rule, we have added a clause to Sec. 3.10(b) that
allows follow-on handwritten signatures to substitute for electronic
signatures on submissions to EPA where ``EPA announces special
provisions'' for this purpose. A corresponding clause in Sec.
3.2000(a)(2) of today's rule makes a similar allowance for electronic
reporting under authorized state, tribe, or local programs, again,
where ``the program makes special provisions to accept a handwritten
signature on a separate paper submission.''
Among other things, these ``special provisions'' would allow
follow-on paper signature submission only if it were reliably linked or
cross-referenced with the associated electronic document. The linking
or cross-referencing is necessary in part to ensure that we can always
determine which signature submissions belong with which electronic
documents. Paper signature submissions must also provide sufficient
evidence that the signatory intended to certify to or attest to the
content of the electronic document as this content is recorded in the
copy of record for the submission. There are various approaches to
cross-referencing or linking that would meet these needs, most of which
involve the inclusion of extra data elements in the signature
submission that reference the associated electronic document. Such data
elements might include summary data from the electronic document, the
date and time of the electronic submission, or even the calculated hash
value of the electronic document. EPA may use these and other
alternatives if a decision is made to provide for direct electronic
reporting to EPA with follow-on paper signatures. For such submissions
to authorized programs, we have added to Sec. 3.2000(a)(2) of today's
rule the requirement that authorized program provisions for follow-on
paper signature submissions ``ensure that the paper submission contains
references to the electronic document sufficient for legal certainty
that the signature was executed with the intention to certify to,
attest to, or agree to the content of that electronic document.''
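The cross-referencing described above can be made concrete in code. The following Python is an added illustration, not part of the rule or of any EPA or state system: it assumes SHA-256 as the hash, a hypothetical submission identifier format, and constructed sample data, and it checks a keyed-in paper signature sheet against the stored copy of record.

```python
"""Link a follow-on paper signature sheet to an electronic submission.

Added illustration only. The record layout, the identifier format and the
choice of SHA-256 are assumptions; the sample data is constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CopyOfRecord:
    """What the receiving system retains for one electronic submission."""
    submission_id: str      # hypothetical identifier
    received_at: datetime   # date and time of the electronic submission
    content: bytes          # the electronic document exactly as received


@dataclass(frozen=True)
class PaperReference:
    """Data elements printed on the signature sheet and keyed in on receipt."""
    submission_id: str
    received_at: str        # ISO 8601 text as printed on the sheet
    sha256_hex: str         # calculated hash value of the electronic document


def document_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def timestamp_text(moment: datetime) -> str:
    """Render the receipt time one way only, so sheet and archive compare equal."""
    return moment.astimezone(timezone.utc).isoformat(timespec="seconds")


def make_reference(record: CopyOfRecord) -> PaperReference:
    """Produce the references the signatory prints above the handwritten signature."""
    return PaperReference(
        record.submission_id,
        timestamp_text(record.received_at),
        document_hash(record.content),
    )


def normalise_hash(keyed: str) -> str:
    """Accept the spacing, dashes and upper case a clerk may key in."""
    return "".join(ch for ch in keyed.lower() if ch in "0123456789abcdef")


def check_paper_signature(ref: PaperReference, archive: dict) -> list:
    """Return the reasons the sheet cannot be linked; an empty list means linked."""
    record = archive.get(ref.submission_id)
    if record is None:
        return ["no electronic submission with this identifier"]
    problems = []
    if ref.received_at != timestamp_text(record.received_at):
        problems.append("date and time of submission do not match")
    if normalise_hash(ref.sha256_hex) != document_hash(record.content):
        # Either the sheet belongs to another document, or the stored
        # document was altered after the sheet was produced.
        problems.append("hash does not match the copy of record")
    return problems


# Constructed sample submission.
SAMPLE = CopyOfRecord(
    submission_id="SUB-0001",
    received_at=datetime(2005, 10, 13, 14, 30, tzinfo=timezone.utc),
    content=b"facility_id=F-123\nparameter=pH\nvalue=7.2\n",
)


def demo():
    archive = {SAMPLE.submission_id: SAMPLE}
    sheet = make_reference(SAMPLE)
    linked = check_paper_signature(sheet, archive)

    # Same submission, but one value in the stored document was changed.
    altered = CopyOfRecord(
        SAMPLE.submission_id,
        SAMPLE.received_at,
        SAMPLE.content.replace(b"7.2", b"6.9"),
    )
    tampered = check_paper_signature(sheet, {altered.submission_id: altered})

    # A sheet that names a submission the system never received.
    stray_sheet = PaperReference("SUB-9999", sheet.received_at, sheet.sha256_hex)
    stray = check_paper_signature(stray_sheet, archive)
    return linked, tampered, stray


if __name__ == "__main__":
    labels = ("matching sheet", "altered document", "unknown identifier")
    for label, result in zip(labels, demo()):
        print(label, "->", result or "linked")
```

Because the hash is computed over the bytes as received, any change to the stored document after the sheet is produced surfaces as a mismatch when the paper arrives.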
D. How has EPA changed proposed definitions of terms?
The ``Definitions'' section of the final rule, Sec. 3.3, provides
new definitions for ``copy of record,'' ``electronic signature
agreement,'' and ``valid electronic signature,'' as well as the
revisions to the definition for ``electronic signature device,'' to
help articulate the final Sec. 3.2000(b) standards for electronic
document receiving systems. These terms are explained in more detail in
section VI, below. (See especially, sections VI.E.2., VI.E.10. and
VI.E.6.) Similarly, in section VI.B.2 of this Preamble we note the role
of the new definition for ``existing electronic document receiving
system;'' and, in section VI.E.12 we discuss the new definitions for
``agreement collection certification,'' ``disinterested individual,''
``information or objects of independent origin,'' ``local registration
authority,'' ``priority reports,'' and ``subscriber agreement.''
Section 3.3 also reflects a number of clarifying and/or simplifying
changes for definitions of terms, as follows.
1. Definition of ``acknowledgment.'' This definition has been added
in conjunction with Sec. 3.2000(b)(5)(vi) of today's rule, to make
clear that in the context of this rule, acknowledgment means a
confirmation of electronic document receipt.
2. Definition of ``electronic document.'' This definition has been
revised from the proposed version in several ways. First, the use of
``communicate'' has been eliminated, thereby eliminating the need for a
separate definition of that term. Second, the exclusion of magnetic and
optical media and facsimile submissions has been eliminated. We believe
it is clearer to exclude such submissions from the scope of CROMERR
under Sec. 3.1, entitled ``Who does this part apply to?'' Today's rule
now provides this exclusion in Sec. Sec. 3.1(b) and 3.1(c). Third, the
definition has also been revised so that it explains what a
``document'' is in an electronic medium. Instead of saying that an
``electronic document means a
[[Page 59859]]
document. * * *,'' the final version says that ``electronic document
means any information in digital form. * * *,'' where information is
explained as potentially including ``data, text, sounds, codes,
computer programs, software or databases.'' Fourth, this definition
clarifies that in this context, ``data,'' is used in its normal sense
as denoting a delimited set of data elements, each of which is a unit
of meaning in a document and consists of a content or value together
with an understanding of what the meaning and/or context of the content
or value is. Finally, the definition stipulates that where an
electronic document includes data, the understanding of what the data
content or value means must either be explicitly included in the
electronic document or be readily available through such sources as an
applicable data element dictionary, or a form or template that
specifies what each data element means when it is presented in the
specific file format used for the electronic document's submission.
A consequence of this approach is that the identity of an
electronic document consisting wholly of data is independent of the
format in which it is presented or submitted. That is to say,
rearranging or reformatting the data elements in an electronic document
does not change it into a different one, at least so long as the
signatory's intention and understanding of what the data elements each
mean is preserved in the process. This does not conflict with the
ordinary understanding of the term ``document,'' since we speak quite
often of ``reformatting a document,'' with the clear understanding that
what results will be the same document in a new format.
Correspondingly, under the definition of ``copy of record,'' a ``true
and correct'' copy of an electronic document does not necessarily have
to reflect the format in which the document was submitted, provided
that the document consists wholly of data. This independence of
document identity from format may not always hold where other kinds of
information are included in the electronic document, e.g. text or
images; in such cases a copy of record may have to include format or
formatting information.
3. Definition of ``electronic signature.'' This definition has been
revised by substituting ``information in digital form'' for
``electronic record,'' to avoid problems with defining ``electronic
record.'' The definition has also been revised to make clear that the
electronic signature for an electronic document need not always be
``included'' within that document; in some cases it may just be
``logically associated'' with it. This point is explained further in
section VI.E.2 of this Preamble, in discussing the copy of record
requirement.
4. Definition of ``electronic signature device.'' The definition of
``electronic signature device'' has been revised to clarify that where
a device is used to create an individual's electronic signature, then
the device must be unique to that individual, and he or she must be
uniquely entitled to use it at the time that the signature is created.
Correspondingly, the device is compromised if it is available for use
by any other individual, that is, if some other individual is able to
use the device to create signatures if he or she wishes. To the extent
that Sec. Sec. 3.10(b) and 3.2000(b)(5)(i) of the final rule prohibit
the acceptance of signatures created with compromised devices, via the
definition of ``valid electronic signature,'' the element of compromise
rules out the sharing of electronic signature devices or delegating
their use to create individuals' electronic signatures. Additionally,
the definition includes the element that an individual needs to be
entitled to use the electronic signature device; that is, the
individual needs to be the ``owner'' of the device. The nature of the
device itself will determine the way in which an individual comes to
own it. In the case of personal identification numbers or certificate-
based private/public key pairs, there is normally some process of
formally assigning the device to the individual, often through a
trusted third party. In other cases, for example password or personal
information-based signature devices, the process may have the
individuals invent and assign the devices to themselves--the basis
for their ownership of the devices being determined by the
circumstances or context within which they do this.
5. Definition of ``transmit.'' In the proposed rulemaking the term
``submit'' was defined as the ``means to successfully and accurately
convey an electronic document so that it is received by the intended
recipient in a format that can be processed by the electronic document
receiving system.'' However, the term ``submit'' is used more widely in
the rule in ways that are not consistent with this definition.
Accordingly, in the final rule the function of successful and accurate
conveyance of an electronic document is now termed ``transmit.''
6. Definition of ``valid electronic signature.'' Beyond its role in
Sec. 3.2000(b), this definition has also been added to help clarify
and simplify the signature requirements associated with electronic
reporting, both directly to EPA, in Sec. 3.10, and under authorized
programs, in Sec. 3.2000(a)(2). The definition specifies three main
conditions for validity. The first refers to features of the signature
that are intrinsic to the items of information of which it consists:
The signature must consist of the kind of information that has been
established as appropriate for the signing of the document in question,
and the specific information content must pass the validation tests
which the system uses to determine that the signature belongs uniquely
to the identified signatory. The second condition refers to the status
of the electronic signature device used to create the signature, and
ensuring that the device was not compromised at the time it was used to
create the signature. This ties validity to the element of compromise
within the definition of ``electronic signature device.'' That is, at
the time of signature, the device must not have been made available to
someone other than the individual who is entitled to use it. The third
condition refers to the signatory's status at the time of signature as
someone who is authorized to sign the document in question by virtue of
his or her legal status and/or relationship to the entity on whose
behalf the signature is executed. In the context of environmental
reporting, this condition would make invalid electronic signatures on
company compliance reports created by individuals who do not work for
or in any way represent the company. Generally, in the context of
environmental reporting, individuals who sign submissions to
environmental agencies are explicitly authorized to do so, by their
management and/or by the agency to which they report. However, in some
cases the authorization may be implicit in the signatory's legal status
and relationship to the regulated entity. For example, an owner or
operator of a company is generally authorized to sign notifications or
letters to an environmental agency whether or not this is explicitly
provided for by law or regulation.
As ``valid electronic signature'' is used in Sec. Sec. 3.10 and
3.2000(a)(2), the validity of an electronic signature is necessary for
the signatory's electronic submission to satisfy a federal or
authorized program reporting requirement. Additionally, as the term is
used in Sec. 3.2000(b), it also refers to a performance requirement
for an electronic document receiving system, namely that the system
must not accept and must be able to detect submissions with signatures
that are not valid. These requirements in terms of ``validity'' are
[[Page 59860]]
meant to provide a form of insurance for electronic signatures to
protect against the risks of repudiation. Nonetheless, a signatory may
be legally bound by a signature even where not all the requirements for
its validity have been met, e.g., where the signature has been executed
with a compromised electronic signature device. The signatory of an
electronic submission cannot avoid responsibility for its contents by
pointing to a technical flaw or other defect in the signature process.
V. Requirements for Direct Electronic Reporting to EPA
A. What are the requirements for electronic reporting to EPA?
Under the final rule, the requirements for electronic reporting to
EPA remain essentially unchanged from those in the proposal. Section
3.10 provides, first, that electronic documents must be submitted to an
appropriate EPA electronic document receiving system. Generally this
will be EPA's Central Data Exchange (CDX), although EPA can also
designate additional systems for the receipt of electronic documents
and is doing so in a separate Federal Register notice. Second, where a
paper document must bear a signature under existing regulations, an
electronic document that substitutes for the paper document must be
signed (by the person authorized to sign under the current applicable
provision) with a valid electronic signature.
Only electronic submissions that meet these two requirements will
be recognized as satisfying a federal environmental reporting
requirement, although failure to satisfy these requirements will not
preclude EPA from bringing an enforcement action based on the
submission or otherwise relying on the submission. A new compliance and
enforcement section has been added to the final rule to clarify certain
compliance and enforcement issues related to electronic reporting.
Section 3.4 makes clear that EPA can seek and obtain any appropriate
federal civil or criminal penalties or other remedies for failure to
comply with an EPA reporting requirement if a person submits an
electronic document to EPA under this rule that fails to comply with
the provisions of Sec. 3.10. Similarly, Sec. 3.4 makes clear that EPA
can seek and obtain any appropriate federal civil or criminal penalties
or other remedies for failure to comply with a state, tribe, or local
government reporting requirement if a person submits an electronic
document to a state, tribe, or local government under an authorized
program and fails to comply with the applicable provisions for
electronic reporting. Section 3.4 also contains provisions originally
published under Sec. 3.10(d) and (e) of the proposal, stipulating that
the electronic signature will make the person who signs the document
responsible, bound, or obligated to the same extent as he or she would
be signing the corresponding paper document by hand.
The Sec. 3.10 requirement that there be an electronic signature
applies only where a paper document would have to bear a signature were
it to be submitted, either because this is required by a statute or
regulation, or because a signature is required to complete the paper
form. The rule does not impose any new or additional signature
requirements for documents that are submitted in electronic form. In
addition, as noted in section IV.C of this Preamble, Sec. 3.10(b) of
today's rule also allows EPA to make special provisions, in specific
cases, for accepting handwritten signatures in follow-on paper
submissions in lieu of the required electronic signatures. In such
cases, it is critical that the special provisions ensure that the
electronic document cannot be altered without detection and is reliably
linked to the handwritten signature.
As in the proposal, this final rule does not specify any required
hardware or software. Accordingly, the rule text does not include any
detail about CDX per se or about what will be required of regulated
entities who wish to use it. Nonetheless, as stated in the proposal,
our goals include the sharing of detail on how CDX implements direct
electronic reporting to EPA. Section V.C.4 of this Preamble explains
how CDX has changed since we described it in the proposal, especially
in relation to the many comments we received on CDX-related issues.
B. What is the status of existing electronic reporting to EPA?
In a notice published concurrently with today's rule, EPA clarifies
the status of electronic reporting directly to EPA systems that exist
as of the rule's publication date. In accordance with 40 CFR 3.10, EPA
is designating for the receipt of electronic submissions, all EPA
electronic document receiving systems currently existing and receiving
electronic reports as of the date of this notice. This designation is
valid for a period of up to two years from the date of publication of
this notice. During this two-year period, entities that report directly
to EPA may continue to satisfy EPA reporting requirements by reporting
to the same systems as they did prior to CROMERR's publication unless
EPA publishes a notice that announces changes to, or migration from,
that system. Any existing systems continuing to receive electronic
reports at the expiration of this two-year period must receive
redesignation by the Administrator under Sec. 3.10. Notice of such
redesignation will be published in the Federal Register.
EPA's goal is that all its systems for receiving electronic reports
be consistent with the CROMERR standards for electronic document
receiving systems, set forth in Sec. 3.2000(b) of today's rule. EPA
generally hopes to achieve this consistency within a two-year
transition period for existing EPA systems; however, EPA is not bound
by the Sec. 3.2000(b) standards of today's rule or the two-year
period. This two-year period is similar to the two-year transition
period provided under Sec. 3.1000(a)(3) for systems operated under
EPA-authorized programs. In a number of cases, EPA may work toward this
goal by migrating existing electronic reporting to CDX or to other, new
CROMERR-consistent systems. As we change or migrate existing electronic
reporting programs to achieve consistency with the CROMERR standards,
we intend to provide sufficient advance notice to reporting entities so
that any new requirements can be accommodated without causing
significant disruption to their electronic reporting activities.
C. What is EPA's Central Data Exchange?
1. Overview of general goals. The proposal described EPA's
``Central Data Exchange'' as a system to be developed and maintained by
EPA's Office of Environmental Information (OEI) that would serve as
EPA's gateway or ``portal'' for receiving documents electronically from
our reporting community. The goal of CDX was to augment, and, where
appropriate, streamline and consolidate EPA's environmental reporting
functions by offering our reporting community faster, easier, and more
secure submission options through a single venue for electronic
submission of environmental data. As a cornerstone of EPA's efforts to
advance electronic government, CDX would support the electronic
submission needs of thousands of regulated entities submitting data to
EPA for certain air, water, waste, and toxic substances programs.
Ultimately, EPA planned to offer, wherever practicable, all regulated
entities that report directly to EPA, an option to file their specific
environmental documents
[[Page 59861]]
electronically through CDX. Regulated entities that submit reports
under an authorized program would also be able to file their documents
through CDX in cases where the state, tribe or local government that
administered the program chose to use CDX as a gateway for electronic
data submissions from its reporting community.
The reporting community using CDX would be able to access web
``reporting'' forms with built-in data quality checks, and/or submit
standard file formats through common, user-friendly interfaces that
allowed them to electronically submit data across vastly different
environmental programs. Both the reporting community and EPA would
benefit by gaining access to environmental reports more quickly and
with fewer errors, and by avoiding the inefficiencies of having to
keystroke data from paper reports. CDX was also being developed to
support a newly emerging Environmental Information Exchange Network
(EIEN) that would facilitate the electronic exchange of environmental
data between EPA and state, tribe, and local environmental agencies.
However, in keeping with the scope of the proposed rule, the description
of CDX features and functions in this section applies only to electronic
submissions to CDX from regulated entities; the description doesn't
apply to EIEN exchanges with CDX in which states, tribes, or local
governments participate as a part of their authorized programs or as a
part of administrative arrangements with EPA to share data.
The Concept of Uniformity. The proposal also characterized CDX as
providing an environment that would promote a uniformity of
technologies and processes. By adopting CDX to support the electronic
reporting needs across various EPA programs, EPA hoped to avoid the
proliferation of program-specific electronic reporting approaches that
could lead to duplicative investments in electronic document receiving
systems and possibly conflicting requirements for submitters.
The CDX Functions and Building Blocks. As described in the proposed
rule, CDX was being designed with the goal of fully satisfying the
criteria that the proposal specified for state, tribe, and local
electronic document receiving systems; similarly, EPA would ensure that
other systems the Administrator designated to receive electronic
submissions satisfied the criteria as well. The proposal discussed how
CDX would implement CROMERR-compliant electronic reporting by
describing the primary CDX functions and the system building blocks
that would support these functions. The functions described in the
proposal included: (1) Access management, (2) data interchange, (3)
signature/certification management, (4) submitter and data
authentication, (5) transaction logging, (6) copy of record provisions
and acknowledgment, (7) archiving, (8) error checking, (9) translation
and forwarding, and (10) outreach. The proposal then described five
building blocks that would support CDX functions, which were: (1)
Digital signatures based on PKI, where CDX would rely predominately on
a third party vendor under the General Services Administration (GSA)
Access Certificates for Electronic Services (ACES), (2) a process for
registering users and managing their access to the CDX, (3) a
client-server architecture, (4) EDI standards, as the primary format for
exchanging environmental data, and (5) a consistent user interface for
making electronic submissions.
2. Comments on the proposal. EPA received more than 100 comments on
the CDX concept as described in the proposal. A number of these
comments were related to one of four main subject areas, as follows.
Comments on Uniformity of Approach. Several comments expressed
concern about the proposed characterization of CDX as promoting
``uniformity of process and technology''. The phrase was used to
highlight the benefits of CDX, which included EPA's plans to avoid the
costly proliferation of redundant systems. However, comments pointed
out that this ``uniformity'' implied an inflexible and overly
prescriptive set of CDX technical and security requirements, which
would discourage CDX use. Such comments were similar to those discussed
in section IV.B.2 of this Preamble, raising concerns about the
prescriptiveness and ``one size fits all'' approach of the proposed
criteria for electronic document receiving systems.
EPA understands that ``uniformity of process and technology'' could
imply inflexibility, and this is not generally how we intended to
develop CDX. In fact, CDX is currently using a wide range of
technologies and processes to address CDX's functions that are tailored
to individual EPA program submission requirements, including the
technical capabilities of the reporting community for the particular
program. EPA recognizes that, for example, permitting, compliance
monitoring, and the conduct of studies involve fundamentally different
business processes, and that the associated submission of electronic
documents may have to be handled differently in each case. In some
instances CDX may support a more interactive ``workflow'' environment
for submitting data; in others, CDX may accept batch transmissions of
user-formatted files. It is also true that the technical capabilities
of a particular reporting community vary considerably, so CDX will
offer more than one electronic submission option in many cases. CDX
currently provides support for web-forms, file, and record-level
submissions in various formats including flat file and XML, and EPA
plans to continue this flexible approach.
Comments on registration process. Comments from regulated entities
raised concerns about the costs and time required to register
individuals in each company, and EPA's failure to address the
increasingly common cases where the preparer of an environmental report
and the certifying official are different individuals.
Because electronic submission is being offered as an option to the
reporting community, EPA recognizes the need to design CDX registration
to be as user-friendly as practicable, in part by taking account of the
flow of work, or ``workflow'' involved in meeting a particular
environmental reporting requirement. For example, since proposal, EPA
has developed approaches to register both preparers and certifying
officials for at least two reporting programs. Changes to the CDX
registration process are discussed in more detail in section V.C.4.
Comments on digital signatures based on PKI. Comments pointed out
that reliance on PKI for all cases of electronic signature may violate
the GPEA directive to vary electronic signature approaches with the
circumstances of their use. Several comments underlined this concern by
pointing to PKI's costs and burdens. The comments objected that
registering through CDX and acquiring digital signature certificates
would be overly complicated, and would require that registrants provide
private or personal information. Some comments also expressed concern
about the incompatibility of a PKI-based approach with workflow, given
that environmental reports were frequently prepared by staff and then
signed by the facility owner, with staff turnover being frequent.
Another concern was the implications of CDX PKI software for company
system security, for example, given the need to download CDX software
through the company firewall.
EPA agrees that it should generally minimize the complexity and
cost of electronic signatures or this will deter potential users of CDX
from submitting
[[Page 59862]]
electronic documents. In implementing CDX, EPA has revised the initial
plan for electronic signatures to include non-PKI electronic
signatures. Section V.C.4 discusses how we are changing the ``digital
signature based on PKI building block.''
Comments on EDI Standards. Comments expressed both encouragement
and concern over CDX's prospective implementation of standards-based
exchange formats for data submissions. An exchange format is a
predefined file structure, including data elements and higher level
syntax that describes how the data extracted from a system must be
arranged in a file for transmission to another system. A standards-
based format adheres to certain widely-accepted industry, national, or
international file structure definitions. Several comments expressed
concern about the costs of configuring their systems to generate a CDX-
specified standard format; others expressed concerns about the costs of
potential changes to the format once it is implemented on their
systems. By contrast, other comments strongly supported requiring
standards-based formats--even recommending that we require such formats
by rule for EPA and EPA-authorized state, tribe, and local electronic
document receiving systems.
CDX's approach to standards-based formats has changed considerably
since the proposal, in large part because of the emergence of Internet-
based approaches, most notably Extensible Mark-up Language (XML). These
changes are discussed in more detail in section V.C.4. EPA believes
that the use of standard formats can be encouraged without requiring
this by rule. Additional comments on CDX and EPA's responses can be
found in the rulemaking docket, in the Response to Comments document.
3. The aspects of CDX that have not changed since proposal.
General Goals. EPA continues its efforts to establish CDX as the
gateway or ``portal'' for receiving documents electronically from the
Agency's reporting community. In so doing, EPA's goal--to augment, and
where appropriate, to streamline and consolidate EPA's environmental
reporting functions through CDX--remains unchanged. The functions that
comprise CDX operations continue to remain the same though the range of
technologies and processes used to support these functions has
considerably broadened. CDX continues to implement electronic reporting
capabilities for EPA's many environmental programs, while advancing the
efforts of EIEN in coordination with state, territorial, tribal, and
other partners.
General Approach to Electronic Reporting Implementation. In
general, current instructions for client-side access of CDX suggest
Internet access and a system that uses both Microsoft Windows and
Microsoft Internet Explorer (IE). EPA acknowledges that the Government
Paperwork Elimination Act (GPEA) directs OMB to develop procedures for
agencies to follow in using and accepting electronic documents and
signatures and these procedures ``may not inappropriately favor one
industry or technology.'' Consistent with this GPEA directive, EPA is
committed to considering ways to allow other vendors' technologies to
access CDX. Accordingly, over the six months following the publication
of today's rule, EPA intends to assess the full range of issues that
affect CDX's ability to support multiple platforms and browsers. These
issues include the technical requirements for the electronic signature
options, form entry options, data upload options, network interface
options, current capabilities of the CDX hardware/software platform,
and potential impacts of new client-side platforms on the CDX life
cycle management, technical support requirements, and help desk
training and support. Based on this assessment, EPA intends to
determine the target universe of client-side platforms and browsers
that CDX can feasibly accommodate, and will identify the actions and
timeline necessary to build out CDX support for this target universe.
As described in the proposal, CDX users will need to:
Register with CDX, during which time they may need to
supply information used to identify themselves, their company, and the
EPA documents they wish to submit electronically;
Verify and/or correct registration information; and
Access their CDX web account through a secure website, and
agree to the terms and conditions of using the site, which include
safeguarding their self-generated password, before using web forms or
uploading files to submit electronic documents or data to EPA.
These are the minimum steps for gaining access to CDX at this time.
Additional steps are involved in acquiring an electronic signature
device, although these steps have changed somewhat since the proposal
and are discussed in section V.C.4. CDX also offers at least two
general methods for reporting electronically for many programs it
supports, either through file submission or through a ``smart web
form''. However, the types of formats and approaches for submitting
data through CDX have broadened, and these too are discussed in section
V.C.4.
4. The major changes that EPA has made to CDX since proposal. Over
the last two years, CDX has evolved from a prototype system to a fully
operational electronic document receiving system. CDX supports tens of
thousands of registered users providing data to dozens of environmental
reporting programs across the major EPA media offices. CDX registered
users include representatives from state, tribe, and local agencies,
industries, laboratories, and other federal agencies. While CDX
continues to provide a secure, single point of registration, access,
and exchange between reporting entities and EPA programs, the building
blocks supporting the CDX functions have changed substantially. These
changes reflect EPA's experience operating CDX over the past two years,
evolving trends in Internet technologies, and comments received on the
proposed rule from potential CDX users.
Digital signatures based on PKI. The proposal described the CDX
approach to electronic signatures in terms of digital signatures and
PKI. Since proposal, EPA has come to appreciate the complexity and
costs of implementing PKI, and to recognize that non-PKI electronic
signatures, as described in section IV.B.2 of the preamble to today's
rule, may be acceptable in many cases. Thus, for electronic reports
currently submitted to CDX, only in one case is PKI used for electronic
signature. The other cases involve PIN-based electronic signatures or
other non-PKI electronic signature approaches. As an example of the
latter, this year we anticipate implementing electronic signatures for
an EPA reporting requirement by having signatories use a password that
is self-generated during CDX registration in combination with certain
items of information that are unlikely to be available to anyone except
the signatory. This is a ``knowledge-based'' approach, which is being
used extensively by commercial software vendors supporting the United
States Internal Revenue Service (IRS) for electronic tax filings or
``e-filings'', and is being adopted by other agencies. EPA expects that
these non-PKI-based approaches to signature will continue to dominate
CDX implementations of electronic reporting. We currently intend to use
PKI where such needs as security or assuring very robust non-
repudiation of signature make this the most appropriate approach.
[[Page 59863]]
In addition, EPA's approach to PKI itself--described in the
proposal as relying on ACES--is also undergoing change. Changes with
respect to the role and method of identity proofing for those persons
who apply for PKI certificates are being further evaluated. As proposed,
the identity proofing was to be conducted by the third party ACES
vendor; currently, CDX identity proofing is conducted for the most part
by EPA's own contractor staff, who are able to issue digital
certificates to members of the reporting community with less cost and
in less time than the ACES vendor. EPA has also begun to explore
alternatives to ACES for PKI certificates, partly because ACES-provided
certificates do not support message encryption, which EPA may need for
certain environmental reporting applications. In addition, EPA is
considering its use of ACES in the light of recent federal advances in
establishing interoperability across federal PKI domains, which may
allow EPA to eventually leverage PKIs of other federal agencies or
institute an in-house PKI.
CDX Registration. Since the proposed rule, CDX has broadened its
approach to registration to better accommodate the workflow involved in
specific environmental reporting programs. While CDX still requires
registration, there are three distinct areas where the registration
process has changed since proposal. First, the proposal described CDX
registration as the first step toward the issuance of a PKI-based
digital signature, and it was implied that all persons opting to use
CDX would need a digital signature. As noted above, this is no longer
the case. Second, in the proposal, CDX registration began when a person
received an EPA invitation letter that contained a temporary code and
instructions on how to access the CDX registration website. CDX has
adopted additional approaches to initiating registration for certain
EPA programs, for example, embedding a link to CDX registration in
reporting software that is distributed to the program's reporting
community, or providing a public website where prospective CDX users
can submit initial registration data to EPA. While CDX continues to
register persons by invitation letter for reporting under certain
environmental programs, registration options will continue to broaden
as the number of environmental programs supported by CDX expands.
Finally, in the proposal, CDX registration was completed when the
registrant printed out a ``signature holder'' agreement from the CDX
registration website, signed this agreement and mailed it to EPA's CDX.
CDX will continue this approach for reports where electronic signatures
are required, although EPA is exploring the use of an entirely
paperless signature agreement process for at least some of these cases.
CDX registration to submit reports that do not include electronic
signatures will not involve a ``signature holder'' agreement.
EDI Standards. The proposal described EPA's plans to use EDI as the
basis of standards-based formats for exchanging data between reporting
entities and CDX. Since proposal, CDX development has reflected a
significant evolution in formatting standards to accommodate the
Internet--away from EDI and toward the use of XML. XML consists of a
set of predefined tags and message structures that, like EDI, allows
machine-to-machine exchange of data in a mutually agreed upon format,
enabling exchange of data across different systems. However, unlike
EDI, XML is tailored to Internet-based communications and security
protocols. Additionally, an XML formatted file in combination with a
style sheet can be displayed in a Web browser. Such features would
allow CDX to use the same standard format both for exchanging data
files and for designing web forms. The structure of XML also addresses
some of the challenges in archiving data received, because the XML tags
that accompany the data in an XML file can be used to interpret the
data's context without the aid of additional software. This could
facilitate the recovery of data from archived files, and reduces the
need to maintain the versions of the software originally used to
generate the files.
CDX and specific EPA programs may address the question of which (if
any) standards-based format to use for a particular report on a case-
by-case basis, and EPA intends to develop appropriate technical
instructions for CDX submitters as program-specific reporting formats
are adopted. These instructions normally will be distributed to the
affected reporting communities via links on the CDX website and/or
through program and CDX outreach efforts. EPA is working with
authorized state, tribe, and local programs to develop standards-based
reporting formats to meet their shared needs. In many instances, CDX
contemplates a long transition period between file formats currently
used to exchange data with regulated entities and any new, standards-
based formats. During this transition, CDX may offer submitters several
electronic submission options; these may include an existing data
format familiar to submitters, one or more new standards-based formats,
and some other approach such as a smart-form hosted on a secure
website.
Client-side architecture and transaction environment. The proposal
described a downloaded ``client'' that would generally supplement the
browser to support the signature and security for CDX; such ``client
side'' software is no longer needed for all cases of electronic
reporting to CDX. However, in some cases CDX now uses various
technologies to transparently insert routines into browsers during a
user session to support special functions--for example to support the
creation of a PKI-based electronic signature with an ACES business
class certificate.
D. How will EPA provide notice of changes to CDX?
As noted in the proposal, the fully-implemented CDX will be subject
to change over time, to take advantage of opportunities offered by
evolving technologies, as well as to improve the system. EPA's decision
to avoid codifying technology-specific or detailed procedural
provisions for electronic reporting is meant, in part, to accommodate
changes to CDX without requiring that we amend our regulations.
Nonetheless, EPA recognizes that such changes can affect regulated
entities that participate in electronic reporting; therefore, the final
rule provides for advance notice when EPA intends to make changes to
CDX. As discussed in the proposal, we distinguish four categories of
changes:
``Significant'' changes that are likely to affect the
kinds of hardware, software or services involved in transmitting
electronic reports (Sec. 3.20(a)(1));
``Other'' changes that will affect the process or the
timing of transmitting electronic reports to CDX, but without affecting
the kinds of hardware, software or services involved in making the
transmissions (Sec. 3.20(a)(2));
``Emergency'' changes necessary to protect the security or
operational integrity of CDX (Sec. 3.20(b)); and
``De minimis or transparent'' changes that will have
minimal or no impact on the process or the timing of transmitting
electronic reports to CDX.
``Significant'' changes include changes to the types of file formats
CDX will accept--for example a change from Extensible Mark-up Language
(XML) formats to some non-XML format--as well as changes to the
technologies that may be used for file transfer to CDX or for creating
electronic signatures on transmitted reports. ``Significant'' changes
will not generally include optional upgrades to software, the
[[Page 59864]]
provision of additional formatting (or other technical) options, or
changes to CDX that simply reflect changes to the underlying regulatory
reporting requirements. ``Other'' changes include an increase in--or
re-ordering of--the steps involved in transmitting electronic reports,
changes to the registration or credential (e.g., PIN, password, PKI
certificate) provisioning process that could affect users' ability to
access CDX, and changes to reporting formats that involve the
reconfiguration of software. ``Emergency'' changes include such things
as an upgrade to the system firewall protection. Finally, ``de minimis
or transparent'' changes include the myriad small or ``back end'' fixes
and improvements that EPA makes to CDX each week that have minimal or
no impact on the transmission process. Such changes may range from
fixing a typo on a data entry screen to re-engineering the system's
archiving routines.
To address ``significant'' changes, Sec. 3.20(a)(1) of the final
rule provides that EPA will give public notice in the Federal Register
of such changes and will seek comment. EPA proposed to provide this
notice at least a year in advance of contemplated implementation, but
based on experience developing and operating a CDX prototype, EPA no
longer believes that a single time-frame is appropriate in all
situations. For example, ``significant'' changes that could affect the
transmission of an annual report may respond to needs or events that
arise less than a year in advance of the report's due date. On the
other hand, some ``significant'' changes may require more than a year
for reporting entities to accommodate. Accordingly, the final rule
provides that these Federal Register notices will propose and seek
public comment on an implementation schedule for a ``significant''
change, along with describing and inviting comment on the change
itself. To address ``other'' changes to CDX, Sec. 3.20(a)(2) of the
final rule provides that EPA will give notice at least 60 days in
advance of implementation. The notice in this case will typically be to
CDX users, and the method of notice may be electronic, perhaps using
the facilities of CDX itself. For ``emergency'' and ``de minimis or
transparent'' changes, EPA will make decisions on whether, when, and
how to provide public notice on a case-by-case basis.
VI. Requirements for Electronic Reporting Under EPA-Authorized Programs
A. What is the general regulatory approach?
As explained in Part V of this preamble, the requirements in Sec.
3.10 of today's rule apply to reporting entities that submit electronic
reports directly to EPA. By contrast, today's rule contains no
requirements that apply directly to entities who submit electronic
reports to state, tribe, or local government agencies. However, Subpart
D of today's rule does contain requirements that apply to state, tribe,
or local government agencies that operate EPA-authorized programs.
Subpart D of today's rule requires that such agencies that receive, or
wish to begin receiving, electronic reports under an authorized program