1
CDX
System
Design
For
CROss­
Media
Electronic
Reporting
Rule
(
CROMERR)

Version
0.92
Date
08/
15/
2005
CDX
System
Design
for
CROMERR
Prepared
by
The
U.
S.
Environmental
Protection
Agency
Office
of
Environmental
Information
U.
S.
Environmental
Protection
Agency
Central
Data
Exchange
(
CDX)
2
SECTION
1.
INTRODUCTION...............................................................................................................
4
1.1
Purpose..................................................................................................................................................................................
4
1.2
Scope......................................................................................................................................................................................
4
1.3
Acronyms,
Abbreviations,
Definitions
and
Terms................................................................................................................
5
SECTION
2.
CDX
DECOMPOSITION
....................................................................................................
6
2.1
CDX
Module
Decomposition...............................................................................................................................................
10
2.1.1
CDX
Web
........................................................................................................................................................................
10
2.1.2
CDX
Home
Page
..............................................................................................................................................................
10
2.1.2.1
CDX
Warning
&
Privacy
Statements............................................................................................................................
10
2.1.2.2
CDX
Home
Page
Functions..........................................................................................................................................
11
2.1.3
MyCDX
Decomposition
...................................................................................................................................................
12
2.1.4
InBox
Module
..................................................................................................................................................................
13
2.1.4.1
CDX
InBox
Description...............................................................................................................................................
13
2.1.4.2
InBox
Features.............................................................................................................................................................
13
2.1.5
CDX
Submission
Module
Decomposition
.........................................................................................................................
14
2.1.5.1
Radionuclide
NESHAPs
(
R­
NESHAPS).......................................................................................................................
14
SECTION
3.
CDX
DEPENDENCIES.....................................................................................................
15
3.1
CDX
Compatibility
Requirements......................................................................................................................................
15
3.1.1
Equipment........................................................................................................................................................................
15
3.1.2
Client
Web
Browser
.........................................................................................................................................................
15
3.1.3
Internet
Access
.................................................................................................................................................................
16
3.1.4
Client
e­
Mail
....................................................................................................................................................................
16
3.1.5
Adobe
Acrobat
Reader......................................................................................................................................................
16
3.1.6
Zip
Compression
Utilities
.................................................................................................................................................
16
3.2
CDX
Registration
Requirements
........................................................................................................................................
17
3.2.1
User
Identity
Criteria
........................................................................................................................................................
17
3.2.2
PKI
Digital
Certificate
Support
.........................................................................................................................................
17
3.3
CDX
Interconnecting
Systems
............................................................................................................................................
18
3.3.1
Radionuclide
NESHAPs
...................................................................................................................................................
18
3.3.2
CDX
System
Interface
requirements
.................................................................................................................................
18
3.3.2.1
Radionuclide
NESHAPs...............................................................................................................................................
18
3
SECTION
4.
CDX
DETAILED
DESIGN
................................................................................................
18
4.1
CDX
Physical
Design...........................................................................................................................................................
18
4.1.1
CDX
Server
Components..................................................................................................................................................
18
4.1.2
CDX
Physical
Server
Process
Flow...................................................................................................................................
20
4.2
CDX
Module
Detail
Design.................................................................................................................................................
21
4.2.1
CDX
Registration
.............................................................................................................................................................
21
4.2.2
Open
Registration.............................................................................................................................................................
21
4.2.3
Open
Registration
Procedures
...........................................................................................................................................
22
4.2.3.1
Open
Registration
Screen
Layout
.................................................................................................................................
23
4.2.4
Dynamic
Pre­
Registration.................................................................................................................................................
33
4.2.4.1
Dynamic
Pre­
Registration
Procedures...........................................................................................................................
33
4.2.5
Closed
Registration
Module..............................................................................................................................................
34
4.2.5.1
Closed
Registration
Procedures
....................................................................................................................................
34
4.2.6
MyCDX
Module...............................................................................................................................................................
35
4.2.6.1
MyCDX
Screen
Layout................................................................................................................................................
35
4.2.6.2
MyCDX
Options..........................................................................................................................................................
36
4.2.7
InBox
Screen
Display.......................................................................................................................................................
38
4.2.8
CDX
Submission
Modules................................................................................................................................................
38
4.2.9
Radionuclide
NESHAPs
...................................................................................................................................................
39
TABLE
1............................................................................................................................................................................................
31
TABLE
2............................................................................................................................................................................................
33
TABLE
3............................................................................................................................................................................................
34
FIGURE
1
............................................................................................................................................................................................
8
FIGURE
2
............................................................................................................................................................................................
9
FIGURE
3
..........................................................................................................................................................................................
19
FIGURE
4
..........................................................................................................................................................................................
20
FIGURE
5
..........................................................................................................................................................................................
21
FIGURE
6
..........................................................................................................................................................................................
22
FIGURE
7
..........................................................................................................................................................................................
23
FIGURE
8
..........................................................................................................................................................................................
24
FIGURE
9
..........................................................................................................................................................................................
25
FIGURE
10
........................................................................................................................................................................................
26
FIGURE
11
........................................................................................................................................................................................
27
FIGURE
12
........................................................................................................................................................................................
28
FIGURE
13
........................................................................................................................................................................................
29
FIGURE
14
........................................................................................................................................................................................
30
FIGURE
15
........................................................................................................................................................................................
32
FIGURE
16
........................................................................................................................................................................................
35
FIGURE
17
........................................................................................................................................................................................
36
FIGURE
18
........................................................................................................................................................................................
36
FIGURE
19
........................................................................................................................................................................................
37
FIGURE
20
........................................................................................................................................................................................
37
FIGURE
21
........................................................................................................................................................................................
38
FIGURE
22
........................................................................................................................................................................................
39
FIGURE
23
........................................................................................................................................................................................
39
FIGURE
24
........................................................................................................................................................................................
40
4
Section
1.
Introduction
This
document
presents
the
system
design
for
the
Central
Data
Exchange
(
CDX)
defined
to
support
the
Cross­
Media
Electronic
Reporting
Rule
(
CROMERR)
system
requirements
specifications
that
enables
the
United
States
Environmental
Protection
Agency
(
EPA)
to
implement
electronic
reporting
capabilities.

1.1
Purpose
As
an
important
step
in
the
Agency's
efforts
toward
the
e­
Government
Initiative,
the
EPA
has
established
the
Central
Data
Exchange
(
CDX),
which
allows
companies,
states,
tribes,
and
other
entities
the
capability
to
securely
and
reliably
transfer
environmental
data
electronically
as
part
of
the
Agency's
Enterprise
Architecture.

CDX
provides
built­
in
quality
checks,
Web
forms,
standard
file
formats,
virus
detection,
Public
Key
Infrastructure
(
PKI)
encryption,
and
a
mailbox/
application­
reporting
interface.
Currently,
CDX
accepts
data
for
air,
water,
waste,
and
toxics
programs,
and
is
expanding
to
support
all
Agency
environmental
reporting.
The
types
of
information
processed
includes,
or
will
include,
drinking
water
supply;
ambient
water
quality
(
lakes
and
streams);
solid
waste
(
site
identification
information);
and
toxics
health
and
safety
and
expert
notification
data.

1.2
Scope
The
scope
of
this
CDX
system
design
document
focuses
on
Cross
Media
Electronic
Reporting
Rule
(
CROMERR)
submission
process
through
the
Central
Data
Exchange
and
interface
requirements
to
Agency,
backend
applications.
Centralized
paper
data
collections
and
the
functional
processing
of
Agency,
backend
applications
are
beyond
the
scope
of
this
document.
Platform
details
and
sensitive
information
that
may
compromise
the
integrity
or
confidentiality
of
the
CDX
or
any
system
interface
have
been
deliberately
omitted.
This
includes
significant
portions
of
design
information
for
sensitive,
Closed
Registration
Applications.

Please
note
that
this
is
considered
a
"
living"
document
that
will
be
subject
to
change
over
time.
CDX
continues
to
evolve
with
emerging
technology,
new
requirements
to
protect
sensitive
data,
and
regulatory
codification
of
the
electronic
data
submittal
process.
As
CDX
changes
so
will
the
underlying
design
and
this
design
document.
This
document
represents
CDX
at
the
time
of
publication
and
EPA
reserves
the
right
to
amend
or
replace
it
as
changes
to
CDX
dictate.

Finally,
it
should
be
noted
that
this
current
design
document
varies
from
the
CDX
Design
document
that
was
published
in
the
CROMERR
docket.
As
previously
stated,
CDX
has
evolved
over
time.
The
original
design
document
was
written
prior
to
the
development
and
deployment
of
CDX
as
a
production
system.
The
current
design
document
represents
the
design
of
CDX
as
it
is
today.
This
reflects
that,
over
the
five
years
that
passed
between
the
original
and
the
current
design
document,
CDX
continued
to
grow
and
change
with
the
advent
of
new
technology
and
processes.
5
1.3
Acronyms,
Abbreviations,
Definitions
and
Terms
ACES
Access
Certificates
for
Electronic
Services
­
Digital
Signature
support
contract
provided
by
General
Services
Administration
(
GSA)
CC
Credit
Check
CDX
Central
Data
Exchange
­
EPA's
centralized
electronic
document
receiving
system,
or
its
successors,
including
associated
instructions
for
submitting
electronic
documents.

Closed
Registration
Registration
actions
originated
by
delegated
Security
Manager
whereby
submitter
is
pre­
registered,
and
through
an
invitation
process,
the
submitter
receives
a
Customer
Retrieval
Key
(
CRK)
/
one­
time­
pass­
phrase
in
order
to
start
the
online
registration
process.

CRK
Customer
Retrieval
Key
­
One­
time
Pass
Phrase
provided
to
pre­
registered
submitters
to
allow
Closed
Registration
process
to
begin.

CROMERR
CROss
Media
Electronic
Reporting
and
Record­
Keeping
Rule,
provides
guidance
on
electronic
data
submissions
for
parties
regulated
by
Title
40
of
the
Code
of
Federal
Regulations
the
US
EPA.
You
may
access
this
Federal
Register
document
electronically
through
the
EPA
Internet
under
the
A
Federal
Register@
listings
at
http://
www.
epa.
gov/
fedrgstr/
or
the
federal
wide
eRulemaking
site
at
www.
regulations.
gov
Data
Base
An
indexed,
queriable
data
repository
supported
by
a
data
base
management
system.

e­
Mail
Electronic
Mail
­
electronic
mail
or
Internet
Mail
supporting
SMTP
protocol.
FID
Facility
Identification
code
GFID
Government
Furnished
Identification
InBox
CDX
electronic
data
messaging
center
used
to
provide
Secure
encrypted
Web
file
data
transfer,
messaging,
and
reporting.

MyCDX
Primary
Web
Interface
page
for
the
CDX
providing
CDX
options
and
services
to
submitters
and
other
users
with
CDX
duties.

Open
Registration
Registration
actions
originated
by
Submitter
PKI
Public
Key
Infrastructure
PWS
Public
Water
Supply
or
Public
Water
Supply
code
RCRAInfo
Resource
Conservation
and
Recovery
Act
Information
System
Registration
The
process
of
obtaining
an
identification
account
for
CDX.

R­
NESHAPS
Radionuclide
National
Emissions
Standards
for
Hazardous
Air
Pollutants
(
NESHAPS)
Submission
system
and
regulations
managed
by
the
US
EPA
Office
of
Radiation
and
Indoor
Air
(
ORIA).

SWeNOI
Storm
Water
electronic
Notice
Of
Intent
TSCA
HaSD
Toxic
Substance
Control
Act
Health
and
safety
Data
submission
TSSMS
ID
Time
Share
Services
Management
System
Id
used
for
internal
Agency
use.

UCMR
Unregulated
Contaminants
Monitoring
Regulation
US
EPA
United
States
Environmental
Protection
Agency
Web
Refers
to
World
Wide
Web
and
the
Internet
typically
using
the
HyperText
Transfer
Protocol
(
http)

Zip
A
compression
technology
for
reducing
the
size
of
electronic
files.
Electronic
filenames
typically
end
in
.
zip
6
Section
2.
CDX
Decomposition
CDX
is
designed
to
provide
functions
and
services
as
part
of
the
US
Environmental
Protection
Agency's
Enterprise
Architecture.
An
integral
part
of
the
CDX
functionality
is
to
support
the
CROss­
Media
Reporting
Rule
(
CROMERR),
which
provides
that
electronic
documents
governed
by
EPA
regulations
in
Title
40
of
the
CFR
or
related
State,
tribal
and
local
laws
and
regulations
must
be
submitted
through
the
Central
Data
Exchange
or
by
another
EPA
system
designated
by
the
Administrator
with
the
exception
of
Hazardous
Waste
Manifest.
The
Hazardous
Waste
Manifest
will
be
governed
by
another
rule
that
will
be
issued
specifically
for
the
collection
and
tracking
of
Hazardous
Waste
Manifests.
Functions
described
by
CROMERR
were
analyzed
and
broken
into
modules
and
modules
were
described
to
meet
specific
criteria
as
described
below.

CDX
design
criteria
for
CROMERR:

1)
Generate
and
maintain
accurate
and
complete
copies
of
records
and
documents
in
a
form
that
does
not
allow
alteration
of
the
record
without
detection;

2)
Ensure
that
records
are
not
altered
throughout
the
records'
retention
period;

3)
Produce
accurate
and
complete
copies
of
an
electronic
record
and
render
these
copies
readily
available,
in
both
human
readable
and
electronic
form
as
required
by
predicate
regulations,
throughout
the
entire
retention
period;

4)
Ensure
that
any
record
bearing
an
electronic
signature
contains
the
name
of
the
signatory,
the
date
and
time
of
signature,
and
any
information
that
explains
the
meaning
affixed
to
the
signature;

5)
Protect
electronic
signatures
so
that
any
signature
that
has
been
affixed
to
a
record
cannot
be
detached,
copied,
or
otherwise
compromised;

6)
Use
secure,
computer­
generated,
time­
stamped
audit
trails
to
automatically
record
the
date
and
time
of
operator
entries
and
actions
that
create,
modify,
or
delete
electronic
records;
(
An
audit
trail
documentation
shall
be
retained
for
a
period
at
least
as
long
as
that
required
for
the
subject
electronic
records.
Audit
trail
documentation
shall
be
available
for
agency
review.)

7)
Ensure
that
records
are
searchable
and
retrievable
for
reference
and
secondary
uses,
including
inspections,
audits,
legal
proceedings,
and
third
party
disclosures,
as
required
by
predicate
regulations,
throughout
the
entire
retention
period;

8)
Archive
electronic
records
in
an
electronic
form
that
preserves
the
context,
metadata,
and
audit
trail;
(
Depending
on
the
record
retention
period
required
in
predicate
regulations,
regulated
entities
must
insure
that
the
complete
records,
including
the
related
metadata,
can
be
maintained
in
secure
and
accessible
form
on
the
preexisting
system
or
migrated
to
a
new
system,
as
needed,
throughout
the
required
retention
period.)
7
CDX
Functions
for
CROMERR
Support
In
the
CROMERR,
eight
functions
and
services
are
described
to
meet
specified
criteria:

1)
access
management,

2)
data
interchange,

3)
signature/
certification
management,

4)
submitter
and
data
authentication,

5)
transaction
logging,

6)
copy
of
record
provisions
and
acknowledgment,

7)
archiving,

8)
error
checking,

9)
translation
and
forwarding,

10)
outreach
Figure
1
illustrates
CDX
functions
and
the
process
designed
to
flow
data
to
distributed
target
systems.
Figure
2
provides
a
list
of
services
designed
to
support
CROMERR
and
electronic
reporting
for
environmental
systems.

CDX
Modules
for
CROMERR
Support
Based
on
the
described
functions
and
services,
specific
modules
have
been
identified
to
be
developed
in
support
of
CROMERR:

1)
CDX
Web
­
a
common
client­
server
interface
that
starts
as
a
CDX
Web
Home
page
2)
CDX
Registration
­
CDX
user
registration,
authentication
and
authorization
software
3)
MyCDX
­
a
common
user
interface
for
supporting
electronic
submission
services
4)
CDX
InBox
­
a
service
provision
for
reporting
and
acknowledgement
of
submissions
5)
CDX
Submissions
­
modules
with
specific
criteria
for
data
submission,
translation,

archival,
and
error
checking
The
following
two
figures
illustrate
the
CDX
Core
functions
and
System
Services
(
see
Figures
1
and
Figure
2,
below).
8
Figure
1
Accept
Variety
of
Formats
 
Provides
access
to
EPA
National
Environmental
Information
Node
 
Enables
users
to
 
push 
files
or
CDX
can
 
pull 
through
Web
Services
 
Provides
receipt
 
Scan
for
viruses
Confirm
Origin
of
Submission
(
optional)

 
Supports
Access
Certificates
for
Electronic
Submissions
(
ACES)

 
Uses
digital
signature
 
Provides
PIN/
Passwor
d
Translate
and/
or
Edit
Data
(
optional)

 
Converts
format
(
XML

Flat­
file)

 
Performs
simple
or
complex
edit
checks
on
files
 
Creates
multiple/

different
copies
 
Provides
copies
of
record
to
submitter
Distribute
Data
to
Target
Systems
 
Uses
 
push 
or
 
pull 
technologies
 
Provides
a
variety
of
connections
(
e.
g.,
Virtual
Private
Network)

 
Sends
return
messages
and
error
notifications
to
users
at
several
points
PC
&

Internet
Browser
Submit
Web
Form
 
Receives
official
copy
 
Supports
additional
archives
as
needed
 
Includes
log
of
transaction
Archive
Data
 
Registers
individual
users
 
Provides
multiple
ways
to
register
 
Supports
users
through
a
help
desk
 
Houses
documentation
Register
&
Support
Users
EPA
&
Other
Systems
Distribute
Translate
or
Edit
Validate
Receive
Submit
XML,

Binary
or
Flat­
File
Submit
Web
Services
CDX
Core
Functions
9
Figure
2
CDX
functions
are
part
of
a
series
of
basic
and
enhanced
services
as
illustrated
in
Figure
2,
above.
Basic
functions
are
composed
of
modules
which
shall
be
referred
to
in
future
subsections
as:
CDX
Web
Home
Page,
CDX
Registration,
MyCDX,
and
CDX
Submission
modules.
Further
decomposition
of
these
CDX
modules
are
covered
in
subsection
2.1
and
subsequent
subsections
of
this
document.
Basic
Data
Exchange
 
Node­
Node
Data
Exchange
­
Transaction
Logging
­
Error
Handling
­
Naming
&
Directory
Services
­
Security/
Access
Controls
­
Data
Translation
­

Registration/
authentication/

authorization
­
Backup/
recovery
 
Web
User
Data
Exchange
­
Portal
­
Transaction
Logging
­
Error
Handling
­
Naming
&
Directory
Services
­
Security/
Access
Controls
­
Registration/
authentication/

authorization
­
Backup/
recovery
 
Legacy
Application
Integration
­
Transaction
Logging
­
Error
Handling
­
Security/
Access
Controls
­
Registration/
authentication/

authorization
­
Data
Translation
­
Backup/
recovery
 
Non­
repudiation
­
PKI
Certificates
­
128
Bit
Encryption
­
Archiving
 
Auditing
­
Archiving
Enhanced
Data
Exchange
 
Data
Reconciliation
&
Validation
 
Notification/
Alert
 
Messaging
 
Reporting
Capabilities
 
Workflow
 
Interfaces
to
Legacy
Systems
(
EAI
Middleware)

 
Single
Sign­
on
 
CBI
 
CROMERR
Support
Exchange
Support
Services
 
Development
Support
­
System
specifications
and
requirements
­
XML
Schema
­
Standards
Development
­
Test
plans
and
test
results
­
Data
flow
evaluation
­
System
HW/
SW
enhancement
­
Registry/
repository
 
Transition
Planning
&
Management
 
Implementation,
Operations
&

Maintenance
 
Security
Planning
Document
Services
 
Document
Collection
 
Data
Entry/
Data
Capture
 
Data
Validation,

Error
Check
and
Reconciliation
 
Data
Filing/
Storage
Client
Support
Services
 
Hotline
technical
support
 
Customer
service
tracking
and
reporting
 
User
guides,
manuals,
and
handbooks
 
Training
and
Outreach
for
the
CDX
System
 
Client
support
metrics
CDX
Services
10
2.1
CDX
Module
Decomposition
2.1.1
CDX
Web
The
Central
Data
Exchange
is
designed
to
be
entered
through
a
central
location.
The
entry
point
for
CDX
is
located
on
the
World
Wide
Web
at
URL:
http://
cdx.
epa.
gov
.
Upon
entering
the
Central
Data
Exchange
Warning
and
Privacy
Notices
are
displayed,
followed
by
the
choice
to
continue.
Once
the
choice
is
made,
those
entering
CDX
are
placed
at
the
CDX
Home
page.

2.1.2
CDX
Home
Page
2.1.2.1
CDX
Warning
&
Privacy
Statements
Upon
entry
to
the
CDX,
warning
and
privacy
notices
are
displayed
as
describe
below.
CDX
is
for
authorized
use
and
how
personal
registration
information
collected
shall
be
used
for
the
purpose
of
CDX
Registration
and
that
data
shall
not
be
disclosed
for
purposes
unless
required
by
law.
To
proceed,
to
the
CDX
Home
Page,
the
user
may
click
a
hyperlink
to
continue.

Warning
Notice
EPA's
Central
Data
Exchange
Registration
procedure
is
part
of
a
United
States
Environmental
Protection
Agency
(
EPA)
computer
system,
which
is
for
authorized
use
only.
Unauthorized
access
or
use
of
this
computer
system
may
subject
violators
to
criminal,
civil,
and/
or
administrative
action.
All
information
on
this
computer
system
may
be
monitored,
recorded,
read,
copied,
and
disclosed
by
and
to
authorized
personnel
for
official
purposes,
including
law
enforcement.
Access
or
use
of
this
computer
system
by
any
person,
whether
authorized
or
unauthorized,
constitutes
consent
to
these
terms.

Privacy
Statement
EPA
will
use
the
personal
identifying
information
which
you
provide
for
the
expressed
purpose
of
registration
to
the
Central
Data
Exchange
site
and
for
updating
and
correcting
information
in
internal
EPA
databases
as
necessary.
The
Agency
will
not
make
this
information
available
for
other
purposes
unless
required
by
law.
EPA
does
not
sell
or
otherwise
transfer
personal
information
to
an
outside
third
party.
11
2.1.2.2
CDX
Home
Page
Functions
The
CDX
Home
Page
provides
users,
with
official
business
purposes,
access
a
variety
of
options
to
perform
basic
CDX
functions:

CDX
Registration
 
acquiring
a
new
CDX
account
for
Open
Registration
Programs
Login
Menu
 
allows
authentication
and
hyperlink
to
MyCDX
Password
Reset
 
allows
user
to
reset
or
change
a
CDX
Id's
password
Additional
Hyperlinks
 
additional
hyperlinks
allow
options
including:
Help
&

Support,
Terms
&
Conditions,
and
Frequently
Asked
Questions
2.1.2.2.1
CDX
Registration
The
access
and
use
of
CDX
is
for
authorized
use,
only.
CDX
supports
several
registration
procedures.
These
include:
Open
Registration,
Dynamic
Pre­
registration,
and
Close
Registration.
Open
Registration
allows
registering
parties
to
register
at
CDX
without
identification
verification
where
they
may
request
authorization
to
specific
roles.
CDX
Closed
Registration
requires
that
authorizing
officials
pre­
register
registering
parties,
and
invite
registering
parties
to
complete
registration.
As
part
of
the
invitation
CDX
sends
a
CDX
generated,
one­
time
passphrase
called
a
Customer
Retrieval
Key
(
CRK),
in
order
to
review
and
confirm
identity
information
and
register
to
CDX.
CDX
also
supports
Dynamic
pre­
registration
whereby
the
Sponsor
may
send
the
registering
party
the
invitation
along
with
sensitive
information
which
will
allow
the
registering
party
to
obtain
their
one­
time
CRK
electronically
after
successfully
providing
the
sponsor's
sensitive
as
instructed
by
previous
correspondence.
Section
4
provides
a
list
of
detail
requirements
for
Registration
within
the
scope
of
this
design
document.

2.1.2.2.2
CDX
Login
Menu
Because
access
and
use
of
CDX
is
for
authorized
use,
only.
A
minimum
functional
requirement
is
to
support
a
PIN/
Password
menu.
This
menu
is
the
means
of
authentication
and
authorization
to
the
MyCDX
module
which
may
have
additional
identity
management
requirements
specific
to
distributed
target
systems,
often
referred
to
as
"
data
flows".

Primary
criteria
are
to
provide
entry
and
validation
for
User
Name
and
Password.
Another
term
for
User
Name
is
CDX
Id
or
CDX
Userid.

Additional
criteria
are
to
provide
access
to
Password
Reset
and
other
additional
hyperlinks.

2.1.2.2.3
Password
Reset
CDX
forces
passwords
to
expire
on
a
90
day
schedule.
It
is,
therefore,
necessary
for
CDX
users
to
reset
their
passwords
on
a
regular
basis.
CDX
Userid'
passwords
which
have
exceeded
the
90­
day
expiration
period
are
expired;
however,
they
may
be
reset
by
providing
the
Secret
Question/
Secret
Answer
defined
by
the
user
at
time
of
CDX
Registration.
A
one­
time
password
will
be
generated,
which
the
user
may
then
revise
after
successfully
entering
MyCDX.
Password
restrictions
are
further
described
in
Section
4,
below.
12
2.1.2.2.4
Additional
Hyperlinks
In
addition
to
the
primary
functions
CDX
Home
page
provides,
additional
hyperlinks1
allow
additional
CDX
support.
Options
such
as:

 
Help
&
Support
 
Terms
&
Conditions
 
Frequently
Asked
Questions
 
Terms
and
Conditions
Once
satisfied
with
these
options,
Login
Menu
is
the
next
logical
step,
which
transfers
registered
users
to
the
MyCDX
web
page.

2.1.3
MyCDX
Decomposition
 
The
MyCDX
web
page
provides
a
console
of
primary
services
available
to
authenticated
users.
Sidebar
hyperlinks
from
the
CDX
Home
Page
are
retained,
but
MyCDX
provides
additional
hyperlinks
in
support
of
CDX
user
maintenance
and
access
to
target
system
interfaces.
These
Options
include:

 
Change
System
Password
 
Provides
a
means
of
resetting
password
for
CDX
Userid
 
Edit
Personal
Information
 
Provides
a
means
of
updating
user
name
and
contact
information
 
Edit
Current
Account
Profiles
 
Provides
a
means
of
updating
Organization
and
mailing
address
information.

 
Add
New
Organization
 
Provides
a
means
of
adding
new
Organizations
allowing
for
support
of
multiple
Organizations
with
multiple
target
application
requirements.

 
CDX
InBox
Module
 
Provides
a
means
for
CDX
to
securely
transmit
encrypted
messages
and/
or
reports
to
CDX
registered
users.

 
CDX
Submission
Modules
 
Hyperlinks
to
file
upload
web
pages
and
submission
forms
as
necessary
to
send
data
to
target
applications.

 
PKI
Certificate
Request
form
 
Access
to
the
Digital
Certificate
Request
form
used
to
request
an
ACES
PKI
Digital
Certificate.

1
All
CDX
Web
Pages
provide
hyperlinks
to
EPA
Home,
Privacy
and
Security
Notice,
and
Contact
Us
web
pages.
13
2.1.4
InBox
Module
2.1.4.1
CDX
InBox
Description
CDX
InBox
provides
an
securely,
encrypted
interface
between
CDX
Web
users
and
Target
applications,
which
allows
CDX
to
securely
transmit
encrypted
messages
and/
or
reports
to
CDX
registered
users
from
CDX
or
from
CDX
target
applications.
Because
this
function
provides
submission
status
and
reporting
capabilities,
this
feature
combined
with
an
Email
to
submitter
outside
of
CDX,
supports
the
non­
repudiation
requirement
specified
under
the
CROMERR.

2.1.4.2
InBox
Features
CDX
Message
services
CDX
success
and
failure
messages
are
commonly
reported
through
the
CDX
InBox
as
a
message
service.
Data
submission
completion
status,
data
submission
errors,
registration
activation
instructions,
and
other
messages
are
frequently
reported
through
the
CDX
messaging
service.
Messages
are
typically
no
larger
than
a
few
hundred
characters.
For
more
substantial
messaging,
CDX
provides
for
hyperlink
attachment
support.

CDX
hyperlink
attachment
support
CDX
Messages
may
contain
hyperlinks
to
larger
objects
which
may
be
distributed
in
third
party
formats
such
as
Adobe
pdf,
html,
xml,
and/
or
zip
formats.
By
clicking
on
hyperlinks
within
CDX
InBox
messages,
users
may
save
or
launch
files
which
utilize
third
party
software
from
their
workstations
and
allow
CDX
users
to
view
exact
content
transmitted
by
CDX
which
may
have
been
received
from
target
applications.
The
returned
file
provides
receipt
confirmation
for
electronic
submission
transactions.

CDX
Attachment
Security
CDX
Message
Attachments
are
files
returned
to
submitters
from
CDX
and
from
interface
applications.
These
data
are
logged
in
CDX
Archive
5.
CDX
provides
security
controls
so
that
these
attachments
may
be
restricted
to
individual
CDX
users
or
lists
of
CDX
users,
read­
only,
as
required
by
electronic
submission
process
and/
or
interface
application.
14
2.1.5
CDX
Submission
Module
Decomposition
2.1.5.1
Radionuclide
NESHAPs
(
R­
NESHAPS)

2.1.5.1.1
R­
NESHAPS
Description
The
R­
NESHAPS
is
a
CROMERR
Priority
Report.
R­
NESHAPS
regulations
establish
reporting
requirements
for
the
facilities
that
are
sources
of
radionuclide
emissions.
These
facilities,
which
include
both
federal
and
non­
federal
sites,
are
required
to:

 
Sample
and
monitor
R­
NESHAPS
emissions.
 
Calculate
doses
to
determine
compliance
with
the
standard.
 
Report
the
results
of
the
monitoring/
compliance
analysis
to
the
Environmental
Protection
Agency
(
EPA)
or
authorized
state.

Each
report
must
be
signed
and
dated
by
a
corporate
officer.
EPA
headquarters,
EPA
regional
offices,
and
states
with
delegated
authority
review
the
R­
NESHAPS
reports
to
ensure
that
each
facility
is
in
compliance
with
the
standards.

Regulations
supported
by
the
Office
of
Radiation
and
Indoor
Air
(
ORIA)
2
outline
what
each
type
of
facility
under
each
subpart
must
report;
however
these
regulations
do
not
specify
a
standard
format
for
consistent
reporting.
As
a
result,
the
reports
are
submitted
to
EPA
as
unstructured
text,
rather
than
structured
text
or
data.
These
reports
are
retained
by
the
EPA
as
record
of
facility'
reporting
and
compliance.

ORIA
has
commenced
the
reporting
process
for
the
R­
NESHAPS,
Subpart
H
facilities.
There
are
approximately
40
Subpart
H
facilities,
and
12
delegated
regions
and
states.
This
reporting
process
will
be
opened
to
additional
radionuclide
reporting
entities,
which
could
total
up
to
200.
The
pilot
involved
reporting
through
the
EPA's
Central
Data
Exchange
(
CDX)
using
digital
certificates
for
authenticating
users
and
testing
the
workflow
on
a
Lotus
Notes
(
Notes)
back­
end
database
application
with
delegated
states
and
regions
as
the
recipients
of
the
information.

A
fully
developed
CDX
NESHAPS
Interface
allows
regulated
entities
(
Department
of
Energy
facilities),
EPA
regions,
states,
and
EPA
HQ
to
electronically
submit
R­
NESHAPS
compliance
reports
in
a
structured
format
over
the
Internet
via
a
CDX
provided
web­
based
architecture.

2
The
Office
of
Radiation
and
Indoor
Air
(
ORIA)

The
Office
of
Radiation
and
Indoor
Air
is
charged
with
protecting
the
public
and
the
environment
from
the
risks
of
radiation
and
indoor
pollution.
As
part
of
this
responsibility,
ORIA
must
ensure
that
radionuclide
emissions
from
regulated
facilities
meet
National
Emissions
Standards
for
Hazardous
Air
Pollutants
(
NESHAPS).
To
meet
this
responsibility,
ORIA
has
established
the
ORIA
radionuclide
NESHAPS
(
R­
NESHAPS)
program.
15
Section
3.
CDX
Dependencies
3.1
CDX
Compatibility
Requirements
3.1.1
Equipment
CDX
electronic
submissions
under
CROMERR
currently
Equipment
will
I
need
to
participate?

o
Personal
Computer
o
Internet
Service
o
Electronic
email
account
o
Internet
Web
Browser
o
Printer
To
ensure
best
results,
it
is
recommended
that
electronic
submissions
be
performed
using
certified
hardware/
software
configurations
for
CDX.
CDX
is
designed
only
support
Operating
systems
with
web
browsers
in
a
configuration
that
is
supported
both
by
the
software
vendors
and
supported
by
Federal
Information
Processing
Standards
with
128­
Bit
encryption
support.
Currently
verified
computer
configurations
include
Microsoft
supported
versions
of
Windows
2xxx
and
Windows
XP
using
Pentium
processors
using
currently
supported
versions
of
Internet
Explorer
.
An
update
to
Internet
Explorer
browser
may
be
downloaded
from
the
Microsoft
128­
bit
internet
explorer
download
page
.

3.1.2
Client
Web
Browser
In
addition
to
vendor
and
FIPS
support,
for
optimal
results,
features
and
configuration
of
browser
should
may
require
specific
settings
depending
on
the
electronic
submission
and
whether
the
submission
has
specific
digital
signature
requirements.
Therefore,
Electronic
Submissions
may
require
specific
security
settings
be
enabled
or
allow
for
dynamic
prompting
for
the
electronic
submission
process
to
function
properly.
These
include
support
for:

 
JavaScript
 
Active­
X
controls
 
Pop­
Ups
Additional
System
Compatibility
Requirements
for
obtaining
and
utilizing
digital
certificates:

­
A
browser
which
supports
128­
bit
encryption
­
Enabled
Cookies
­
Enabled
JavaScript
­
Enabled
ActiveX
controls
16
3.1.3
Internet
Access
CDX
web
browser
support
requires
a
connection
to
the
Internet
that
is
typically
provided
by
Internet
Service
Providers
(
ISPs).

3.1.4
Client
e­
Mail
CDX
currently
requires
that
all
submitters
who
maintain
a
CDX
accounts
also
own
and
maintain
a
personal
e­
Mail
account
in
order
to
support
CROMERR
and
receive
receipt
acknowledgements
and
messages
relating
to
registration
status
as
well
as
electronic
submissions
from
both
inside
and
outside
of
CDX
authentication
(
e.
g.
out­
of­
band).

3.1.5
Adobe
Acrobat
Reader
CDX
supports
versions
of
Acrobat
Reader
supported
by
Adobe.
Use
the
following
location
to
obtain
a
supported
version
of
the
Reader:

3.1.6
Zip
Compression
Utilities
There
are
a
number
of
commercially
available
software
packages
that
compress
or
zip
files,
which
may
be
easily
found
by
doing
a
search;
however,
not
all
zip
utilities
are
compatible.
ZIP
files
must
conform
to
PKWARE's
(
de
facto)
compression
standard.
The
following,
two,
packages,
below,
have
been
successfully
tested
in
the
CDX
environment
for
creating
zip
compressed
files
(
See
CDX
Frequently
Asked
Questions
hyperlink
http://
www.
epa.
gov/
cdx/
test/
zipintro.
htm
for
further
details).
17
3.2
CDX
Registration
Requirements
3.2.1
User
Identity
Criteria
The
access
and
use
of
CDX
is
for
authorized
use,
only.
All
CDX
electronic
submittals
require
the
creation
of
a
CDX
User
Name
and
password
that
must
be
maintained
and
kept
confidential
by
the
registering
party.

User
Identity
Specifications
Parties
Registering
under
Open
and
Closed
registration
are
required
to
provide
accurate
First
Name
(
up
to
20
Characters),
Last
Name
(
up
to
30
Characters),
User
Name
(
CDX
Id
up
to
20
characters),
Password
(
up
to
20
characters),
Secret
Question(
up
to
20
characters),
and
Secret
Answer(
up
to
20
characters).

Choosing
a
CDX
User
Name
and
Password
For
CDX
registration
purposes,
the
registering
party
agrees
to
select
a
password
which
will
not
be
easily
guessed
(
e.
g.,
my
name,
my
children's
names,
birthdays,
etc.).

Where
registering
party
has
the
choice
of
userid,
both
the
id
and
the
password
must
be
at
least
eight
characters
long
and
contain
a
mix
of
letters
and
numbers.
Some
prefixes
such
as
First
Name,
Last
Name,
and
in
some
cases
name
of
submission
are
restricted
along
with
the
special
characters:
$,
#,
",
and
@
.

The
User
Name
is
considered
a
personal
account
and
the
password
must
not
be
divulged
to
any
other
individual,
or
stored
in
an
unprotected
location.

Actions
Registered
Parties
must
take
if
a
CDX
Account
is
believed
to
be
compromised
A
CDX
Technical
Support
Help
Desk
is
available
at
1­
888­
890­
1995
in
the
event
a
registering
party
believes
his
CDX
id
or
data
has
become
compromised.
A
registering
party
is
instructed
to
contact
the
CDX
Technical
Support
as
soon
as
possible.

Terminating
CDX
Accounts
T
he
registering
party
must
agree
to
notify
CDX
within
ten
working
days
if
their
duties
change
and
they
no
longer
need
to
interact
with
the
CDX
on
behalf
of
their
organization.
They
agree
to
notify
CDX
either
through
the
CDX
web
interface
at
https://
cdx.
epa.
gov/
contactus.
asp
or
by
notifying
the
CDX
Technical
Support
staff
at
1­
888­
890­
1995.
This
notification
will
allow
CDX
to
deactivate
their
account
and
protect
it
from
potential
unauthorized
use.

3.2.2
PKI
Digital
Certificate
Support
CDX
Technical
Support
Help
Desk
serves
as
a
Local
Registration
Authority
for
PKI
Certificates,
which
may
be
issued
to
registering
parties
for
the
purpose
of
digitally
signing
data
submissions
for
specific
data
submissions
that
require
digital
certificates.
The
digital
certificate
request
form
URL
is
located
on
the
left
sidebar
on
the
MyCDX
webpage.
All
PKI
Certificates
provided
by
the
CDX
Help
Desk
are
Certificates
are
covered
under
the
GSA
ACES
PKI
Certificate
Agreement.
CDX
PKI
Certificates
are
currently
issued
by
Digital
Signature
Trust
http://
www.
digsigtrust.
com/
home.
html
.
18
3.3
CDX
Interconnecting
Systems
3.3.1
Radionuclide
NESHAPs
NESHAPS
requires
regulated
facilities
report
data
related
to
the
emission
of
radionuclides
into
the
atmosphere
3.3.2
CDX
System
Interface
requirements
3.3.2.1
Radionuclide
NESHAPs
Radionuclide
NESHAPS
data
submissions
are
transferred
via
a
replication
process
over
an
encrypted
TCP
protocol.
CDX
sends
Electronic
mail
to
notify
reviewers
when
data
is
available
for
review.

Section
4.
CDX
Detailed
Design
4.1
CDX
Physical
Design
4.1.1
CDX
Server
Components
Within
the
CDX
environment,
there
is
a
physical
separation
of
processing.
Within
the
scope
of
this
design
document
CDX
is
composed
of
separate
machines
or
groups
of
load­
balanced/
clustered
machines
that
host
specialized
files
and
functions
as
described,
below.

Application
servers:

These
servers
host
the
software
modules
written
to
support
the
business
processing
of
the
various
CDX
applications.
This
is
where
XML
transformation,
archiving,
verification
of
proper
encryption
and
other
services
occur.

Certificate
Arbitration
Module
server
(
CAM)

These
servers
route
Digital
Certificates
to
the
Certificate
Authority
for
validation.

Database
servers:

These
servers
host
database
management
system
software
that
maintains
the
data
and
functionality
(
procedures,
functions,
and
events)
for
user
registration,
user
authentication
and
authorization
and
auditing
for
the
CDX.
It
also
hosts
the
data
and
functionality
for
archiving
the
users'
submissions.

File
servers:

These
servers
contain
and
dynamically
serve
up
Web
resources
such
as
images,
style
sheets,
JavaScript
files,
and
HTML
files.

Mail
server:

This
server
transmits/
receives
e­
Mail
messages
and
other
mail
functions.
Limited
data
base
functionality
is
also
maintains
content
transported
over
the
mail
server.
19
Web
servers:

These
servers
are
responsible
for
managing
the
interaction
with
the
user
via
Web
pages
sent
to
the
user's
browser
software.
There
may
be
one
Web
server
or
several
servers
behind
a
load
balancer.
This
issue
is
transparent
to
the
application
software
and
does
not
need
to
be
taken
into
account.
It
also
hosts
the
modules
that
handle
user
interaction
for
registration
with,
and
login
to
the
CDX
system.

CDX
Server
Components:

Figure
3
See
Figure
5,
above,
for
further
illustration
of
CDX
physical
server
components.
Data
base
servers
support
separate
archives
(
copies
of
submission)
used
to
support
auditing
requirements.

Full
and
incremental
backups
to
magnetic
media
are
performed
against
servers
and
data
bases.
20
4.1.2
CDX
Physical
Server
Process
Flow
CDX
functions
and
services
flow
across
the
Internet
through
firewalls
in
order
to
perform
services
and
data
transfer
to
target
applications.
Many
of
these
target
applications
are
within
the
US
EPA's
Central
Environment.
Figure
6,
below,
illustrates
the
physical
server
components
as
data
is
transferred
to
target
applications
in
the
Agency's
Central
Environment.

Figure
4
21
4.2
CDX
Module
Detail
Design
4.2.1
CDX
Registration
As
described
in
subsection
2.1.2,
CDX
supports
several
registration
procedures,
including:
Open
Registration,
Dynamic
Pre­
registration,
and
Close
Registration.
Figure
5,
below,
outlines
the
procedures
specific
to
distributed
target
systems
within
the
scope
of
this
System
Design
document.

Registration
Process
Data
Flow
Open
Registration
Dynamic
Pre­
Registration
Closed
Registration
Comment
LEAD


Sponsor
Letter
Required
RCRAInfo

R­
NESHAPS

Digital
Certificate
and
Sponsor
Letter
Required
SWeNOI

TSCA­
HaSD

Digital
Certificate
Required
UCMR

Sponsor
Letter
Required
Figure
5
The
following
subsections
describe
the
procedures
and
software
related
to
Open
Registration,
Dynamic
Preregistration
and
Close
Registration.
As
noted
in
the
comment
section
of
Figure
7,
above,
further
restrictions
may
apply
for
distributed
target
systems.

4.2.2
Open
Registration
This
registration
module
allows
an
EPA
stakeholder
to
register
on
CDX,
for
a
particular
data
flow,
without
any
prior
identity­
proofing
or
systematic
control
from
the
EPA
Integrated
Process
Team
(
IPT)
or
EPA
Application
Manager.
The
newly
created
account
may
not
be
activated
for
the
appropriate
data
flow
role
until
the
CDX
Help
Desk
has
received
approval
from
a
sponsor
and/
or
received
a
user's
"
Sponsor
Letter",
authorizing
access
on
behalf
of
a
particular
reporting
entity.
The
CDX
Help
Desk
activates
accounts
only
after
approval
from
sponsor
and/
or
properly
formatted
sponsor
letters
are
received.
In
addition,
any
necessary
account
information
must
be
properly
authenticated
per
EPA
Application
Manager
instructions.
22
4.2.3
Open
Registration
Procedures
Steps
Responsible
Party
1.
Access
the
EPA
CDX
Web
site
(
http://
cdx.
epa.
gov)
CDX
Registering
Party
2.
Acknowledge
the
"
Warning"
notice
CDX
Registering
Party
3.
Choose
to
register
as
a
new
CDX
Registering
Party
CDX
Registering
Party
4.
Acknowledge
the
"
Warning"
notice
CDX
Registering
Party
5.
Accept
the
"
Terms
&
Conditions"
CDX
Registering
Party
6.
Enter
"
User"
information
CDX
Registering
Party
7.
Enter
"
Organization"
information
CDX
Registering
Party
8.
Choose
the
"
Program"
CDX
Registering
Party
9.
Select
"
Role"
and
enter
"
Program
ID"
CDX
Registering
Party
10.
Print
the
sample
"
Sponsor
Letter"
and
create
one
on
company
letterhead
CDX
Registering
Party
11.
Send
the
"
Sponsor
Letter",
on
company
letterhead,
to
the
EPA
Application
Manager
CDX
Registering
Party
12.
Sign
the
"
Sponsor
Letter"
EPA
Application
Manager
13.
Fax
the
signed
"
Sponsor
Letter"
to
the
CDX
Help
Desk
EPA
Application
Manager
14.
Verify
that
the
"
Sponsor
Letter"
came
from
the
EPA
Application
Manager
by
checking
for
the
Application
Manager's
office
on
the
Fax
cover
sheet
CDX
Help
Desk
15.
Activate
the
User's
account
CDX
Help
Desk
16.
Notify
the
new
user
of
the
activated
user
account
Automated
e­
mail
from
the
CDX
application
Figure
6
23
4.2.3.1
Open
Registration
Screen
Layout
The
following
walkthrough
captures
the
screens
that
a
user
will
encounter
in
the
open
registration
process.

4.2.3.1.1
CDX
Warning
Notice
and
Privacy
Statement
Page
This
page
is
displayed
when
a
user
enters
the
www.
epa.
gov/
cdx
address
in
their
web
browser.
The
CDX
Warning
Notice
and
Privacy
Statement
are
displayed.
The
user
can
acknowledge
these
statements
and
continue
on
in
the
registration
process.

Figure
7
24
4.2.3.1.2
CDX
Home
Page
After
acknowledging
the
Warning
and
Privacy
Statements,
the
user
is
directed
to
the
CDX
Home
page
where
they
can
either
choose
to
create
a
new
account
or
access
an
existing
account.
Users
already
having
an
account
are
taken
to
the
CDX
Login
page
where
they
can
enter
their
user
ID
an
password.

Figure
8
25
4.2.3.1.3
CDX
Registration
Warning
Page
Upon
choosing
to
create
a
new
registration,
the
user
is
taken
to
the
CDX
Registration
Warning
page
where
they
are
presented
with
Warning
and
Privacy
Notices
Figure
9
26
4.2.3.1.4
CDX
Terms
and
Conditions
Page
The
user
is
next
directed
to
the
CDX
Terms
and
Conditions
page
which
outlines
the
requirements
that
must
agree
to
follow
when
establishing
and
using
a
CDX
account.
A
user
may
either
choose
to
accept
or
decline
the
terms
and
conditions.
Acceptance
takes
the
user
to
the
User
Registration
page
whereas
declining
will
take
them
back
to
the
CDX
Home
page.

Figure
10
27
4.2.3.1.5
CDX
Registration
User
Information
Page
The
user
is
then
taken
to
the
user
registration
information
page.
Here,
the
user
will
create
a
CDX
user
ID,
password,
and
secret
question/
answer
pair
that
can
be
used
to
automatically
reset
the
user's
password
if
they
forget
it
or
become
locked
out
of
the
system
from
too
many
incorrect
attempts.

Figure
11
28
4.2.3.1.6
CDX
Registration
Organization
Information
Page
Upon
adopting
a
CDX
User
Name,
password,
and
secret
question/
answer
pair,
the
user
is
directed
to
another
page
where
organization
and
contact
information
such
as
address,
email,
and
phone
number
are
collected.

Figure
12
29
4.2.3.1.7
Data
Flow
Selection
Page
After
entering
in
the
pertinent
information,
the
user
is
directed
to
the
Data
Flow
Selection
Page
where
they
can
select
which
flow
they
want
to
sign
up
for.
In
Open
Registration,
the
user
will
only
be
able
to
register
for
flows
that
use
the
Open
Registration
Process.
The
User
will
not
be
able
to
see
or
select
Closed
Registration
data
flows.
While
the
user
may
be
able
to
register
for
a
particular
data
flow
through
open
registration,
they
may
not
be
authorized
to
access
the
data
flow
until
certain
conditions
are
met.
This
is
referred
to
as
Open
Registration
with
Restricted
Authorization.
CDX
currently
employs
two
types
of
Open
Registration
with
Restricted
Authorization:
Open
Registration
with
Digital
Certificates
and
Open
Registration
with
A
Sponsor
Letter.
These
will
be
discussed
more
fully
later
in
this
document.

Figure
13
30
4.2.3.1.8
CDX
Role
Selection
Page
Upon
selecting
a
data
flow,
the
user
is
taken
to
the
CDX
Role
Selection
Page
where
they
can
choose
the
type
of
role
they
will
act
in
as
a
user
of
a
particular
flow.
While
CDX
does
allow
for
some
customization
for
a
given
data
system,
the
general
roles
available
are
submitter,
reviewer,
and
approver.
The
user
will
also
enter
in
information
that
identifies
the
facility
that
they
are
reporting
for
via
a
government
recognized
ID
number.
Finally,
a
user
can
choose
a
method
of
submission.

Figure
14
4.2.3.2
Open
Registration
with
Digital
Certificates
4.2.3.2.1
Open
Registration
with
Digital
Certificate
Requirements
This
particular
process
is
designed
to
allow
an
EPA
stakeholder
to
register
on
through
Open
Registration,
described
above;
The
newly
created
account
is
not
accessible
for
some
submission
functions
until
the
CDX
Help
Desk
has
received
and
reviewed
the
user's
signed
"
CDX
Digital
Signature
Agreement",
and
confirmed
with
the
EPA
Application
Manager,
authorizing
access
on
behalf
of
a
particular
reporting
entity.
The
CDX
Help
Desk
acts
as
the
Local
Registration
Authority
for
issuing
digital
certificates
to
be
used
for
CDX
data
flows,
and
facilitates
the
process
for
accessing
such
programs
once
the
user
completes,
signs,
and
returns
the
digital
certificate
agreement
to
the
CDX
Help
Desk,
and
the
CDX
Help
Desk
confirms
with
the
EPA
Application
Manager.
31
4.2.3.2.2
Open
Registration
with
Digital
Certificates
Procedures
Procedures
for
establishing
an
Open
Registration
Account
with
Digital
Certificates
is
initially
performed
by
CDX
Registering
Party
and
Table
1
Steps
Responsible
Party
1.
Access
the
EPA
CDX
Web
site
(
http://
cdx.
epa.
gov)
CDX
Registering
Party
2.
Acknowledge
the
"
Warning"
notice
CDX
Registering
Party
3.
Choose
to
register
as
a
new
CDX
Registering
Party
CDX
Registering
Party
4.
Acknowledge
the
"
Warning"
notice
CDX
Registering
Party
5.
Accept
the
"
Terms
&
Conditions"
CDX
Registering
Party
6.
Enter
"
User"
information
CDX
Registering
Party
7.
Enter
"
Organization"
information
CDX
Registering
Party
8.
Choose
the
"
Program"
CDX
Registering
Party
9.
Select
"
Role"
and
enter
"
Program
ID"
CDX
Registering
Party
10.
Print
the
"
Digital
Signature
Agreement"
form
CDX
Registering
Party
11.
Fill
out
and
sign
the
"
Digital
Signature
Agreement"
form
CDX
Registering
Party
12.
Mail
the
signed
form
to
the
CDX
Help
Desk
CDX
Registering
Party
13.
Contact
the
EPA
Application
Manager
to
verify
authorization
to
access
the
flow
CDX
Help
Desk
14.
Verify
/
compare
contact
information
in
DST
registration
and
CDX
CDX
Help
Desk
15.
Verify
the
CDX
Registering
Party
via
Local
Registration
Authority
Procedures
Certified
Local
Registration
Authority
16.
Approve
certificate,
if
all
information
is
valid/
verified
Certified
Local
Registration
Authority
17.
Send
certificate
"
Activation
Code"
and
"
URL"
to
the
user
via
the
MyCDX
Inbox
Certified
Local
Registration
Authority
18.
Retrieve
certificate
from
URL
using
the
"
Activation
Code"
from
the
MyCDX
Inbox
CDX
Registering
Party
19.
Activate
the
User's
account
CDX
application
upon
issuance
of
certificate
performed
by
CDX
Help
Desk
20.
Notify
the
new
user
of
the
activated
user
account
Automated
e­
mail
from
the
CDX
application
32
4.2.3.2.3
Open
Registration
with
Digital
Certifications
Screen
Layout
The
following
walkthrough
captures
the
screens
that
a
user
will
encounter
in
the
Open
Registration
with
Digital
Certifications
process.
The
Open
Registration
with
Digital
Certifications
Process
mirrors
the
normal
Open
Registration
process
up
to
the
confirmation
of
registration.
Instead
of
immediately
being
activated
to
submit
to
a
flow
as
in
open
registration,
the
Open
Registration
with
Digital
Certifications
process
requires
the
completion
and
submittal
of
a
Digital
Certificate
Agreement.
The
user
is
automatically
linked
to
the
agreement
page
when
they
complete
registration
and
select
finished
as
in
Figure
18.

Figure
15
4.2.2.2.3
CDX
Digital
Certification
Agreement
When
the
use
selects
the
"
Finish"
option
at
the
end
of
the
Registration
Process,
an
electronic
version
of
the
digital
certificate
agreement
is
brought
up
on
the
screen,
33
4.2.4
Dynamic
Pre­
Registration
Dynamic
Pre­
Registration
This
process
requires
the
user
to
be
pre­
identified
by
the
by
the
distributed
target
application
manager
in
order
to
access
a
particular
program.
As
such,
data
flows
are
"
turned
off"
to
public
access.
Dynamic
Pre­
Registration
is
an
effective
means
of
allowing
the
program
to
control
the
user
base
of
registrations.

Accounts
and
access
criteria
are
pre­
identified
by
the
target
application
manager
and
populated
into
predefined
database
tables.
The
target
application
manager
then
generates
and
sends
invitation
letters
to
the
registering
party.
The
invitation
letters
contain
a
URL
and
access
criteria
to
be
entered
at
that
URL.
Once
the
CDX
registering
party
accesses
this
URL,
and
enters
the
unique
access
criteria,
the
CDX
Dynamic
Pre­
Registration
module
automatically
generates
and
transfers
the
user's
one­
time
Customer
Retrieval
Key
(
CRK)
and
allows
the
user
to
complete
their
registration
process
following
the
remaining
procedures
as
described
in
the
Closed
Registration
subsection,
below.

4.2.4.1
Dynamic
Pre­
Registration
Procedures
Table
2
Steps
Responsible
Party
1.
Identify
and
populate
database
table
of
user
information
EPA
Application
Manager
2.
Send
invitation
letters
to
user
community
(
with
unique
data,
defined
by
the
EPA
Application
Manager,
and
URL)
EPA
Application
Manager
3.
Access
the
Web
site
specified
in
the
URL
CDX
Registering
User
4.
Enter
unique
pieces
of
data,
defined
by
the
EPA
Application
Manager
CDX
Registering
User
5.
Populate
Web
page
with
user
information
from
the
Pre­
Registration
table
CDX
Application
6.
Confirm
pre­
populated
user
data
CDX
Registering
User
7.
Accept
the
"
Terms
&
Conditions"
CDX
Registering
User
8.
Verify
and
complete
"
User
Information"
CDX
Registering
User
9.
Verify
and
complete
"
Organization"
information
CDX
Registering
User
10.
Confirm
the
"
Program"
CDX
Registering
User
11.
Confirm
"
Role"
and
"
Program
ID"
CDX
Registering
User
34
4.2.5
Closed
Registration
Module
The
Closed
Registration
module
requires
that
the
registering
party
be
pre­
registered
by
the
CDX
Help
Desk
prior
to
registration.
As
such,
certain
CDX
functions
or
roles
are
"
Closed"
to
public
access.
This
is
an
effective
means
of
allowing
Programs
to
more
tightly
control
the
user
base
of
registrants.
In
such
cases,
accounts
are
preregistered
by
the
CDX
Help
Desk
per
request
of
the
designated
sponsoring
official
also
known
as
the
Security
Responsible
Party.
Once
an
account
is
pre­
registered,
a
Customer
Retrieval
Key
(
CRK)
is
automatically
generated.
The
CDX
Help
Desk
provides
the
user
with
the
CRK,
either
by
mail
or
by
phone
based
on
the
required
level
of
identity
management
required
for
the
electronic
submission.
PKI
Certificates
may
have
already
provided
an
additional
measure
of
identity
proofing;
however,
the
CRK
ultimately
allows
the
CDX
registering
party
to
complete
their
registration
and
activate
access
to
the
necessary
features
authorized
to
the
user
as
permitted
by
the
sponsoring
official.

4.2.5.1
Closed
Registration
Procedures
Table
3
Steps
Responsible
Party
1.
Provide
CDX
Help
Desk
with
user
information
for
Pre­
Registration
(
Pre­
Reg
form
­
Name,
E­
mail,
Phone)
EPA
Application
Manager
or
Sponsoring
Official
2.
Enter
Pre­
Registration
information
and
generate
CRK
CDX
Help
Desk
3.
Notify
user,
via
e­
mail,
to
contact
the
CDX
Help
Desk
to
obtain
CRK
CDX
Help
Desk
4.
Verify
the
CDX
Registering
Party
by
calling
them
back
on
the
Pre­
Registration
phone
number
CDX
Help
Desk
5.
Access
the
EPA
CDX
Web
site
(
http://
cdx.
epa.
gov/
govtregistration)
CDX
Registering
Party
6.
Enter
the
CRK
on
the
Pre­
Registration
Web
page
CDX
Registering
Party
7.
Acknowledge
the
"
Warning"
notice
CDX
Registering
Party
8.
Accept
the
"
Terms
&
Conditions"
CDX
Registering
Party
9.
Verify
and
complete
"
User"
information
CDX
Registering
Party
10.
Verify
and
complete
"
Organization"
information
CDX
Registering
Party
11.
Confirm
the
"
Program"
CDX
Registering
Party
12.
Confirm
"
Role"
and
"
Program
ID"
CDX
Registering
Party
35
4.2.6
MyCDX
Module
Valid
entry
point
for
interactive
user
connections
to
CDX
MyCDX
using
a
web
browser:

https://
cdx.
epa.
gov/
SSL/
cdx/
login.
asp
User
must
have
previously
registered
with
CDX
Web
and
be
authorized
to
access
each
CDX
Web
data
flow.

User
must
have
previously
provided
username
and
password
to
login
4.2.6.1
MyCDX
Screen
Layout
Figure
16
36
4.2.6.2
MyCDX
Options
Change
System
Password
https://
cdx.
epa.
gov/
SSL/
cdx/
chgpassword.
asp
Figure
17
Edit
Personal
Information
https://
cdx.
epa.
gov/
SSL/
cdx/
edituserinfo.
asp
Figure
18
37
Edit
Current
Account
Profiles
https://
cdx.
epa.
gov/
SSL/
cdx/
editclientprofile.
asp
Figure
19
Add
New
Organization
https://
cdx.
epa.
gov/
SSL/
cdx/
addorganization.
asp
Figure
20
38
4.2.7
InBox
Screen
Display
Figure
21
4.2.8
CDX
Submission
Modules
 
Users
submissions
originate
from
CDX
Web
data
submission
forms
hyperlinked
from
the
MyCDX
Module.

 
Uploaded
file
is
scanned
for
viruses
 
Uploaded
file
can
have
any
format:
txt,
xml,
pdf,
zip
 
Zipped
file
can
be
optionally
unzipped
by
CDX
Web
for
processing
 
Archiving
Guidelines
for
Data
Submissions
 
All
submissions
uploaded
to
CDX
Web
are
saved
in
CDX
Web
Archive
1.

 
All
submission
log
history
is
stored
in
CDX
Web
Archive
2.

 
All
submissions
uploaded
to
CDX
Web
and
then
modified
at
CDX
Web
before
distribution
to
the
backend
system
are
saved
in
CDX
Web
Archive
3.

 
All
submissions
uploaded
with
non­
repudiation
requirements
are
stored
in
Archive
4,
and
CDX
retains
Hash
Key
information
with
submission
data
for
retrieval
and
audit
verification/
non­
repudiation.

 
CDX
backend
system
interfaces
may
transmit
data
to
CDX
Web
which
is
saved
in
CDX
Web
Archive
5.

 
All
CDX
data
submission
interfaces
must
define
retention
period
criteria
for
archived
data,
e.
g.,
retention
time
for
each
type
of
archived
data.
CDX
Web
and
CDX
Node
archives
will
be
purged
of
data
exceeding
data
retention
period.
39
4.2.9
Radionuclide
NESHAPs
4.2.9.1.1
R­
NESHAPS
System
Design
Diagrams
Data
submissions
are
sent
by
submitters
through
CDX
to
a
backend
holding
data
base,
and
public
portions,
ultimately
distributed
to
other
backend
systems.

Figure
22
CDX
utilizes
Secure
Sockets
Layer
(
SSL)
to
provide
128­
Bit
encrypted
data
submissions
and
utilizes
Certificate
validation
services
to
verify
submitter's
PKI
Certificate.
Web
Servers
are
load
balanced
to
improve
system
availability
and
performance.
Data
submissions
are
logged
with
hash
key
values
for
signed
submissions
in
Archives
1
and
2.
Data
is
asynchronously
transferred
by
an
independent
process,
to
a
holding
area
behind
a
controlled
firewall,
separate
from
user
authorized
functions.

Figure
23
Electronic
Submission
EPA
Data
Warehouse
Review
ers
Central
Data
Exchange
Prepare
electronic
report
files
and
zip
CDX
Complete
Submittal
Form,
sign,
attach
zip
file
Hold
ing
database
Regions
Delegated
States
Warehouse
Public
Other
government
agencies
EPA
intranet
EPA
regions
­
Text
File
­
D
ata
File
HQ
Archive
email
notif
ication
40
CDX
R­
NESHAPS
sample
report
is
provided
to
submitter
for
confirmation
and
approval
(
or
rejection)
prior
to
electronic
submission.

Figure
24
