MEMORANDUM

TO:		Public Record for the NPDES Electronic Reporting Rule
		EPA Docket Number EPA-HQ-OECA-2009-0274 (www.regulations.gov)	

FROM:		Carey A. Johnston, P.E.
            USEPA/OECA/OC
            ph: (202) 566 1014
            johnston.carey@epa.gov

DATE:		17 March 2014

--------------------------------------------------------------------------------
SUBJECT:	Notes from State Technical Workgroup Meeting (13 March 2014) [DCN 0133]
--------------------------------------------------------------------------------


Overview 

      This was the sixth meeting for the EPA-state technical workgroup, which is discussing key issues related to the proposed NPDES Electronic Reporting Rule (eRule). These discussions will help inform the upcoming planned supplemental Federal Register notice and will continue beyond the supplemental notice to help EPA address state comments. EPA participants will include the OECA eRule Team as well as representatives from EPA's Office of Water and Office of Environmental Information. Technical workgroup members are listed below in Tables 1 and 2. The agenda for this meeting is also provided below. EPA is summarizing the notes from these discussions for the docket in order to provide transparency on EPA's outreach during the rulemaking process. The OECA eRule team will also be available for any other stakeholder group that would like to discuss the eRule.
      
Meeting Notes
      
     EPA (Mr. Carey Johnston) started the meeting with a roll call and then asked for any suggested edits to the draft notes from the February 20th and 27th State Technical Workgroup meetings. There were no edits for these two sets of meeting notes. Mr. Johnston then led the technical workgroup in a discussion on EPA's CROMERR (Cross-Media Electronic Reporting Regulation), which EPA promulgated in 2005 (40 CFR part 3). The meeting focused on the following aspects of CROMERR and electronic reporting:
     
*       CROMERR application approvals; 
*       Technical requirements for identity proofing;
*       Clarification of who needs to submit CROMERR application packages (e.g., POTWs not required to submit CROMERR applications for the eRule); and
*       EPA's password change policy. 

      Mr. Johnston started with an overview of CROMERR and how the eRule uses CROMERR to implement electronic reporting.
   
*       CROMERR sets performance-based, technology-neutral standards for systems that states, tribes, and local governments use to receive electronic reports from facilities they regulate under EPA-authorized programs. 
   
*       EPA's proposed NPDES Electronic Reporting rule (Part 127) requires all electronic reporting systems that are used for implementing NPDES electronic reporting, whether already existing or to be developed by EPA, authorized NPDES programs, or third-party software vendors, to be CROMERR compliant.

*       In response to a question about EPA allowing states to receive contingent approval from EPA to operate partially implemented electronic reporting systems, Mr. Roy Chaudet (EPA/OEI) noted that EPA can give contingent CROMERR approval. Mr. Chaudet noted that final approval would be contingent on the full implementation of their system.

*       Ms. Beth Graves (ECOS) requested that EPA create a running list of how states have successfully completed their CROMERR applications. In response to this request, Mr. Chaudet noted that EPA tracks this information with a software program called Salesforce and is looking to make a summary of this information available within the next few months. 

*       Ms. Graves noted that it would be very beneficial to involve the Exchange Network Leadership Council (ENLC) to help streamline the CROMERR approval process. Mr. Chaudet agreed with this idea and said that he would look into possible next steps.

*       Mr. Johnston noted that many state commenters on the proposed Rule expressed concern about EPA's processing of State CROMERR applications and concerns that more than one CROMERR application may be required if multiple systems for electronic reporting were implemented. 

*       Ms. Teresa Marks (Arkansas) noted that states don't want to "be in a bind because it can't meet the rule's implementation schedule due to EPA's slow CROMERR approval process." Mr. Johnston replied that many state comments on the proposed eRule echoed her concern and that EPA is focused very intently on streamlining and improving the CROMERR approval process. 
*       In particular, Mr. Johnston noted that EPA is now providing:

      o Standard CROMERR Checklists and Forms: EPA has developed a standard checklist for EPA's national electronic reporting systems and shared services (e.g., NetDMR, NPDES Electronic Reporting Tool (NeT), CROMERR shared services). The timeframes for receiving EPA's CROMERR approval when states use these systems and services typically range from 16 to 20 weeks. See: http://www.epa.gov/cromerr/tools/index.html.
      o Model CROMERR Application: These models illustrate different CROMERR solutions that can be modified for another program's CROMERR implementation. Adopting one of these models will streamline EPA's CROMERR approval process to under 6 months.
      o Assistance and Training: Currently available are online forms, training videos, and webinars on best practices. See: http://www.epa.gov/cromerr/training/index.html.
         EPA has recently implemented a customer relationship management tool (Salesforce) and additional technical support to provide triggers and reminders on due dates and actions to improve the timeframes. Finally, EPA intends to work with states to develop state specific plans on how to attain needed CROMERR approval. 

   * Ms. Elisa Willard (Colorado) asked if she could get a point of contact for giving technical assistance for their electronic reporting system design. She wanted to avoid the situation where they build out a system only to be told by EPA that it does not meet EPA's CROMERR requirements. Other states also requested that there might be a single point of contact or help desk to help ensure that CROMERR approval packages don't get stuck in EPA's approval process. Mr. Chaudet provided the following contact for design assistance: William Labar (william.labar@cgifederal.com or 337-739-8861).

   * Oklahoma asked for clarification on what new CROMERR requirements (if any) need to be met in response to the eRule for existing state systems that have CROMERR approval. Mr. Le Desma (EPA/OCEFT) replied that just adding data flows to an already existing and EPA CROMERR approved state electronic reporting system will not likely require much time for EPA approval. Mr. Le Desma suggested that making edits via redline/strikeout will also speed EPA's approval process for any changes to an existing state electronic reporting system that already has EPA's CROMERR approval.

   * Mr. Le Desma also noted that EPA considers some changes to existing state systems as non-significant or non-substantive changes and that these changes have a much more streamlined EPA approval process. For example, he noted that changing or upgrading a firewall would be a non-substantive change while changing the electronic signature agreement process might be a substantive change.  He noted that states can send an email to EPA asking for guidance on whether a change is substantive. New Jersey asked for the name of this contact. Mr. Chaudet provided the following contact for general help including determining if changes are substantive: wsherman@innovateteam.com at 304-482-3898. 

*       Mr. Johnston also noted that States can use one CROMERR approval package to cover multiple NPDES data flows, including:
      o Discharge Monitoring Reports
      o General Permit Reports (NOIs, NOTs, LEWs, NECs)
      o Program Reports (e.g., Annual POTW Pretreatment Report)

*       He also noted that States can use EPA's NetDMR to electronically collect DMRs or EPA's NeT for one or more of these three data flows and that States can use a suite of shared CROMERR services available from EPA. He further noted that States can use a combination of EPA and state electronic reporting systems to cover these three data flows and that EPA will work with states and other stakeholders to help identify issues and potential solutions for the 'third-party' electronic reporting option.

*       Mr. Le Desma noted that EPA's CROMERR shared services are also modular. For example, identity-proofing can be done without requiring the use of other services. 

      Mr. Johnston then provided a summary of state comments on electronic signature agreement (ESA) requirements. In particular, he noted that states had concerns about: (1) the burden associated with potentially higher costs with obtaining and managing electronic signature agreements; and (2) the management of digital signatures for permittees with high turnover and infrequent use of electronic reporting tools (e.g., construction stormwater sector). Mr. Johnston noted that EPA is moving from a 'wet-ink' identity-proofing process to an electronic identity-proofing process using LexisNexis. He noted that the electronic identity-proofing process is a paperless, real-time service that reduces the application and validation time from days to minutes, and costs from dollars to cents. This service can be invoked in a way that is transparent to the user and would allow users to begin using their electronic signature credentials in a single session.
      
         *       Mr. Tom Easterly (Indiana) asked how the electronic identity-proofing process works. Mr. Chaudet noted that the user would verify his identity using the last four digits of his Social Security number and challenge questions from LexisNexis data. Once the system grants electronic signature credentials, the user can use a username and password to electronically sign documents. Several states asked for screenshots of this process and Mr. Chaudet stated that he would capture a few key screenshots to give an overview of how this electronic identity-proofing process works. [Note: Please see the Appendix for these screen shots.]

         *       Ms. Rochele Kadish (OECA/OC) also noted that EPA does not see or keep any of the personally identifiable information that is involved in this electronic identity-proofing process.

         *       Mr. Chaudet also noted that there are roles with these electronic signature credentials that include authorized company official (e.g., company president or director in charge of compliance), company employee with delegation authority to sign electronic submissions, company employee or contractor that can prepare (but not sign) electronic submissions. 

         *       Mr. Johnston also noted that signing credentials and signature agreements do not expire. Electronic reporting systems can structure the agreements and the associated business processes so that only a single agreement is collected, once, from each user who is granted authority to electronically sign documents in the system. For EPA CDX systems, a user only has to register and complete the signature agreement once; the credentials do not expire.

         *       Oklahoma noted that EPA's CROMERR has different requirements for priority and non-priority reports (see Appendix 1 to Part 3 -- Priority Reports). Mr. Johnston noted that EPA is exploring options on how to provide clarity on CROMERR's requirements for non-priority reports and will share this information with the state technical workgroup and the rulemaking docket. 

      Mr. Johnston also noted some confusion with some stakeholders on who is required to submit CROMERR approval packages. A number of California POTWs sought clarification on whether "POTWs need to be CROMERR certified to authorize electronic reporting directly to USEPA." 
      
         *       Mr. Johnston stated that POTWs do not have to submit a CROMERR application to electronically report NPDES program data. POTWs are considered a NPDES regulated entity under this rule and are only required by the eRule to complete the necessary signature agreement to electronically report to their regulatory authority.

         *       He further noted that the proposed eRule does not require Significant Industrial Users (SIUs) and Categorical Industrial Users (CIUs) to electronically report their semi-annual compliance monitoring data [i.e., see 403.12 (e) & (h)] to POTWs that have an approved pretreatment program. He noted that the eRule requires SIU/CIUs to electronically report these compliance monitoring data when the state or EPA is the control authority. POTWs that choose to electronically receive data from the facilities that they regulate (e.g., SIUs and CIUs) need to get CROMERR approval; however, this is not a requirement of the proposed eRule. Mr. Johnston noted that Grand Rapids, Michigan, recently received such CROMERR approval to electronically receive data from facilities that they regulate (13 February 2014; 79 FR 8701). 
      
      Mr. Johnston then discussed EPA's 90-day password reset requirement. He noted that the 90-day password reset requirement is not a CROMERR requirement but is a long-standing EPA security requirement used for all of EPA's internal and external systems, including websites for reporting. There is no such password reset requirement for state electronic reporting systems. Mr. Johnston noted that a password reset will only be required at the time of electronic submission, not when the password expires. For example, a regulated entity that only uses an EPA electronic reporting system or a state system that utilizes EPA's CROMERR services once a year can reset their password at the time of their electronic submission. These regulated entities would not need to access the electronic reporting system throughout the year to retain an active password or have an active password to initiate a password reset operation. 
      
         *       Mr. Tom Easterly stressed that he foresees many problems with this approach and that states will likely be expending resources to deal with users that have password problems. 

         *       Mr. Andy Putnam (Colorado) stated that "it seems that we're designing a flaw into the system and that we're making it hard for future users of our electronic reporting tools."

         *       Mr. Johnston noted that EPA will pass these comments to senior EPA decision-makers and would get back to the state technical workgroup when he has more information to share.

Next Steps
      
      EPA agreed to summarize the meeting notes. EPA will share these draft notes with the technical workgroup in advance of the next meeting. 
     State Technical Workgroup Meeting  -  NPDES Electronic Reporting Rule
                                 13 March 2014



      1pm		Introduction/Roll Call 
      
      1:05		Edits to Notes from February 20th and 27th Meetings 
      
      1:10		Discussion of CROMERR 
      
      1:55		Solicitation of Topics for Next Meeting
      
      2:00		End of Call
      
      
Quick Reminder
   *    The technical workgroup is not a formal decision-making body. The workgroup is expected to develop, research, and evaluate options for consideration by EPA and state senior management.
   
   *    There are no formal quorum rules for the workgroup. Scheduled teleconferences will proceed with whichever workgroup members call in to participate.

   *    There will be no formal voting or consensus of the workgroup. Instead, the workgroup is expected to try to develop recommendations reflecting their various perspectives, not achieve consensus.

   *    Summaries of the workgroup's discussions will be prepared for and reviewed by the workgroup, for presentation to EPA senior management and other states and the rulemaking record. The discussion summaries will outline the major elements of the discussions, areas of agreement and any dissenting views.

Table 1: State Technical Workgroup Members

Main Contact            State or Organization   Main Contact Email                  State/Org. Present? (Yes/No)
Sean Rolland            ACWA                    srolland@acwa-us.org                Yes
Christy Monk            AL                      cvm@adem.state.al.us                Yes
Teresa Marks            AR                      marks@adeq.state.ar.us              Yes
Andy Putnam             CO                      andrew.putnam@state.co.us           Yes
                                                goff@adeq.state.ar.us
Elisa Willard           CO                      elisa.willard@state.co.us           Yes
Bob Zimmerman           DE                      robert.zimmerman@state.de.us        Yes
                                                stephanie.bower@state.de.us
Beth Graves             ECOS                    bgraves@ecos.org                    Yes
Lee Garrigan            ECOS                    lgarrigan@ecos.org                  Yes
Chris Klena             FL                      chris.m.klena@dep.state.fl.us       Yes
Tom Easterly            IN                      teasterl@idem.in.gov                Yes
                                                ckoontz@idem.in.gov
John Murphy             NEIWPCC                 jmurphy@neiwpcc.org                 Yes
Jason Lonardo           NJ                      jason.lonardo@dep.state.nj.us       Yes
Robert Wither           NY                      rewither@gw.dec.state.ny.us         Yes
Shellie Chard-McClary   OK                      shellie.chard-mcclary@deq.ok.gov    Yes
Roy Walker              OK                      roy.walker@deq.ok.gov               No
Sean Furjanic           PA                      sefurjanic@pa.gov                   Yes
Kim Wilson              TX                      kim.wilson@tceq.texas.gov           Yes
Jerome Brooks           VA                      jerome.brooks@deq.virginia.gov      Yes
Nancy Kmet              WA                      nkme461@ecy.wa.gov                  Yes
      
Table 2: EPA Technical Workgroup Members

Name                EPA Office          Email                       Present? (Yes/No)
Lisa Lund           OECA/OC/IO          lund.lisa@epa.gov           No
John Dombrowski     OECA/OC/ETDD        dombrowski.john@epa.gov     No
Andy Hudock         OECA/OC/ETDD        hudock.andrew@epa.gov       No
Rochele Kadish      OECA/OC/ETDD        kadish.rochele@epa.gov      Yes
Carey Johnston      OECA/OC/ETDD        johnston.carey@epa.gov      Yes
Jackie Clark        OW/OWM/WPD          clark.jackie@epa.gov        Yes
Roy Chaudet         OEI/OIC/IESD        chaudet.roy@epa.gov         Yes
Chuck Freeman       OEI/OIC/IESD        freeman.charles@epa.gov     No
Michael Le Desma    OECA/OCEFT/NEIC     ledesma.michael@epa.gov     Yes
Aditi Prabhu        OGC/WLO             prabhu.aditi@epa.gov        No
Glynis Hill         OP/ORPM/PRAD        hill.glynis@epa.gov         Yes


 
 Appendix: Screen Shots Showing the LexisNexis Identity Proofing Verification Process

1. Pre-Condition

Prior to seeing the verification screen below, the user will go to the following website (https://cdx.epa.gov/Registration/SelectDataflow) and complete the following tasks:

   1. Register in CDX by providing the program service, role, user, and organization information
   2. Verify the email by clicking on a link from an email sent by CDX. 
   
2. Verification Option

Users are given the option to use the electronic verification option or manual paper verification.



Provide Personal Information

EPA's electronic option uses LexisNexis and there are two verification options:

   1. Verify a person's identity, the organization, and that the person works at the organization
   2. Verify a person's identity only (shown below)

The first and last name are pre-populated from CDX Registration. LexisNexis then requests additional personally identifiable information (PII) to be entered for their verification processing.

NOTE: CDX Web does not collect or store any of the PII used in the LexisNexis identity-proofing.


   
Complete Identity Verification 

The user is redirected back to the CDX Web screen where, after clicking on the "Continue" button, CDX Web will calculate the scores received from LexisNexis and determine whether the user has passed or failed verification. Passing scores prompt users to establish five (5) challenge questions and answers to be used as a second-factor authentication when signing documents electronically.

   
CROMERR Challenge Questions and Answers Setup

The user is given the option to choose five (5) questions from a list of 20 possible questions. Among the 5 chosen questions, the CDX CROMERR service will present the user with one of these questions when attempting to sign a document.



Electronic Signature Agreement

After a user has successfully set up the challenge question and answers, they will be prompted to sign the ESA electronically.


   
Sign Document Electronically

Upon clicking on the Sign Electronically button, the user will be prompted to:

   1. Re-authenticate
   2. Provide challenge answer
   3. Apply digital signature to the ESA


   

1. CDX Password Reset
   
   A. Provide Known Account Information

The user is prompted to provide an email address and User ID for identification purposes.

   B. Provide Secret Answer

If the email and User ID combination matches, the user is then prompted to provide the secret answer. As part of this self-kiosk process and for security reasons, the user gets up to three failed attempts before they are required to call the help desk to reset their password.

NOTE: The secret answer is different from the CROMERR challenge answer that is set up for electronic signing.

   C. Successful Reset Notice

When the secret answer is correct, the user receives an on-screen message indicating the password was reset successfully. The message also indicates that an email has been sent with password reset instructions.

   D. Complete the Password Reset Process

Upon clicking on a hyperlink from the email, the user is prompted to provide a new password to complete this process.



