United States Environmental Protection Agency
Office of Environmental Information (OEI)

November 18, 2004

Memo For Docket

SUBJECT: Memorandum for the Cross-Media Electronic Reporting Rule (CROMERR) Docket (Docket Number: OEI-2003-0001), documenting revisions to the final rule resulting from review by the Office of Management and Budget under Executive Order 12866.

FROM: Evi Huffer, Co-Chair, CROMERR Workgroup, Office of Information Collection (2823T)

TO: Public Docket Number OEI-2003-0001

The purpose of this memorandum is to document revisions to the Final Cross-Media Electronic Reporting Rule (CROMERR) based on the Office of Management and Budget (OMB) review. Pursuant to Executive Order (EO) 12866, EPA provided to OMB a draft of the final rule, as well as the cost-benefit analysis (CBA), for its review. OMB completed its review on November 18, 2004 and released it to EPA for finalization. Based on OMB review, no substantial revisions were made to the final rule. The following revisions were made to the final rule CBA to address OMB's comments.

(1) Under Section 2.1.1 of the CBA, EPA added an explanation for its choice of a 10-year period for analysis:

EPA has chosen a 10-year period for the regulatory impact analysis, because we believe that this is roughly the time frame for EPA and our authorized or delegated State, Tribal and local government programs to achieve full implementation of electronic reporting under CROMERR. Accordingly, looking at the out-years beyond the 10-year time frame would not provide any additional analytic information about CROMERR's impacts.

(2) Throughout the document, EPA changed the "As-Is" scenario to "Baseline" scenario.

(3) To address OMB questions regarding some basic assumptions, we added notes to more clearly explain those assumptions, such as an explanation that the "dollars" referred to in the CBA tables and discussions were in terms of "2003" dollars.

(4) To respond to OMB's concern that the reason for CROMERR be clearly articulated under the 1.0 Introduction, we added a new section titled 1.2 Problem Statement, which discussed EPA's primary purpose in developing CROMERR:

The primary purpose of CROMERR is to set standards for electronic reporting as it is implemented by State, Tribal or local governments that administer environmental programs under EPA authorization or delegation. EPA has been motivated to set such standards primarily by considering: the roles that many electronically submitted documents would likely play in environmental program management, including compliance monitoring and enforcement; EPA's statutory obligation to ensure that authorized or delegated programs maintain the enforceability of environmental law and regulations; and the consequent need to ensure that enforceability is not compromised as authorized or delegated programs make the transition from paper to electronic submission of compliance- or enforcement-related documents.

Concerning this last point, in many respects electronic submission enhances a document's utility for environmental programs: it significantly reduces the resources and time involved in making the content available to its users, and can greatly facilitate data quality assurance and analysis. Nonetheless, the federal government's experience with prosecuting computer-related crimes has shown us that electronic submissions may also be open to challenge, primarily with respect to their authenticity -- and particularly where they are used to establish the actions and intentions of the submitters. We have to consider such uses in the case of environmental reporting, especially where electronic submissions are made to report on an entity's compliance status and where the submission includes a responsible individual's certification to the truth of what is reported. For such cases, EPA has identified a programmatic need to be able to authenticate the submission content and the certification -- for example, to be able to address issues of fraud or false reporting where they arise -- and it is primarily to address this problem of authentication that EPA is setting standards for electronic reporting through CROMERR.

The point of these standards is to assure the authenticity of electronic documents submitted in lieu of paper reports, so that they are able to play the same role as their paper counterparts in providing evidence of what was reported and of what an identified individual certified to with respect to the report. For example, in the case of paper submissions, the evidence surrounding a handwritten signature is normally sufficient to demonstrate that the signature is authentic and rebut any attempt by the signatory to repudiate it -- and EPA intends the CROMERR standards ensure that electronic signatures have a corresponding level of non-repudiation. Since these evidentiary issues typically arise in the context of judicial or other legal proceedings, electronic documents need to have the same "legal dependability" as their paper counterparts. The over-arching standard here is that any electronic document used as evidence to prosecute an environmental crime or to enforce against a civil violation must have no less evidentiary value than its paper equivalent. For example, where there is a question of deliberate falsification of compliance data, whether the submission was electronic or paper, it must be possible to establish the signatory's identity beyond a reasonable doubt. Hence, in general, the goal of the CROMERR standards is to ensure that a system used to receive electronic documents is capable of reliably generating evidence for use in private litigation, in civil enforcement proceedings, and in criminal proceedings in which the standard for conviction is proof beyond a reasonable doubt that the electronic document was actually signed by the individual identified as the signatory and that the data it contains was not submitted in error.

(5) EPA also added a new section titled Consideration of Alternatives at 1.3 to address OMB concerns. This section discusses the alternatives EPA considered in developing the regulatory approach taken in the final rule.

EPA considered both a more stringent and a less stringent alternative to the regulatory approach taken in final CROMERR. The more stringent alternative is reflected in the electronic provisions published, August 31, 2001, in the Notice of Proposed Rulemaking for CROMERR. The proposed version of CROMERR is more stringent by virtue of setting much more prescriptive, detailed requirements that acceptable electronic document receiving systems would have to satisfy. For example, proposed § 3.2000(d) set very specific requirements for submitter identity management that a system would have to satisfy, including detailed requirements for renewal of registration and revocation of registration under specified circumstances. Again, § 3.2000(e) set very detailed requirements for the signature/certification scenario that a system would have to provide for, specifying the exact sequence of steps to be followed in electronically signing a submission, and requiring such features as on-screen, scroll-through presentation of the data to be submitted for review of the signatory prior to signing (§ 3.2000(e)(1)(i)). EPA received significant public comment on this approach, both from States and from regulated companies, and there were at least three closely related themes. The first was that such prescriptive requirements would greatly limit the flexibility of States to implement electronic reporting in a cost-effective way. Many of the comments pointed out that such requirements would render the investments that States had already made in electronic reporting infrastructure virtually worthless, would prohibit their use of COTS products, and would require, instead, the development of very costly customized systems that might be both difficult and expensive to operate and maintain. The second theme was that many of the requirements -- especially those specifying the signature/certification scenario -- were simply not appropriate to many cases where electronic reporting would occur. Some commenters cited examples where very large data files would be transferred, rendering on-screen review impractical; others pointed out that company business processes involved in internal review, approval and certification of regulatory submissions were simply not compatible with the specified scenario. Third and finally, many of these commenters expressed skepticism that these very detailed requirements represented the only possible approach to ensuring the legal dependability of electronic submissions and signatures. In considering such comments, EPA has concluded that, given our inexperience with electronic reporting, we simply lack a basis for certainty that any particular set of function-based requirements at the level of specificity reflected in proposed CROMERR is (or is not) necessary for legally dependable electronic submissions. Given the evidently high cost -- to both States and regulated entities -- that such requirements would impose, we decided it would be better to focus on criteria that directly articulate these basic issues, that is, the underlying goal of assuring legal dependability, including the authenticity of electronic documents and the nonrepudiation of electronic signatures. Accordingly, we are setting standards in terms of general system performance goals that are less stringent by virtue of allowing much greater flexibility in how such goals are met in specific implementations.

In writing these general performance goals, EPA also considered a less stringent alternative that would have refrained from specifying performance in terms of establishing the identity of an individual to whom a signature device or credential (e.g. a PIN, password, or PKI certificate) is issued. With reference to the final CROMERR provisions, this less stringent alternative would have omitted § 3.2000(b)(5)(vii) identity-proofing provisions. In terms of regulatory impact, this would be a significant reduction in stringency, insofar as most of CROMERR's burden on regulated entities is associated with having to register to obtain a signature device or credential, and any identity-proofing requirement raises at least the aggregate burden substantially. EPA rejected this alternative, because we believe that it would seriously -- perhaps fatally -- undermine the rule's ability to assure the legal dependability of electronic submissions. It is a basic principle of electronic authentication (E-authentication) -- whether in the context of validating an individual's signature, or for other purposes -- that our confidence that the individual being authenticated is who we believe him or her to be depends critically on the degree of trust we can place in the credential the individual presents. Trust is largely a function of the identity-proofing process conducted when the individual registered for the credential in the first place -- the process must have been sufficiently stringent and credible. If we did not establish with sufficient certainty who this individual was when we issued the credential, then we cannot be certain who is using the credential in a specific instance where it is presented. Where the credential is used to create an electronic signature, then, inadequate identity-proofing would mean that we cannot be certain who the signatory is -- that is, no specific individual would be bound with any certainty by the signature -- and this would render the signature virtually worthless for any legal purpose. In view of this, EPA felt that, notwithstanding the cost, it was necessary to specify that identity proofing be conducted. Additionally, for electronic documents of particular legal importance to environmental programs -- identified as the "priority reports" -- we felt that it was necessary to specify, at least to a degree, how the identity proofing had to be performed. We believe we need this additional specification for cases where signatory identity may be a legal issue, so that we are assured that electronic reporting implementations give us clear and predictable methods to establish this identity that conform to the standard practices of electronic commerce.

(6) Finally, to address OMB concerns, EPA revised the 5.0 Qualitative Benefits section. Specifically, we included a paragraph on the benefits from greater enforcement certainty and deleted the following paragraphs: Responds to federal requirements; Consistent with emerging industry commercial practices; sound environmental practice; more rapid environmental compliance reporting; simplifies facility reporting; and Serves as foundation for further process reengineering. The following is the new paragraph:

More Enforcement Certainty. The purpose of CROMERR is primarily to ensure that as State, Tribal or local governments implement electronic reporting for the EPA-authorized or delegated programs they administer, the electronic documents that they receive are as legally dependable as their paper counterparts, especially for purposes of providing evidence in the context of legal proceedings of who attested by signature to the truth and accuracy of what data. The requirements set by CROMERR are specifically designed to provide for this legal dependability, and they will do so in at least by providing:

- standards for valid electronic signatures and authentic electronic documents -- to be admitted as evidence in a judicial proceeding, electronic signatures and documents may need to be shown to satisfy standards of validity and authenticity. Absent clearly identifiable standards, it may be difficult for environmental litigators to make such a showing. CROMERR will provide such standards.
- assurance that electronic documents can be authenticated -- to provide evidence of what an individual submitted and/or attested to, there must be clear and straightforward methods of showing that the electronic document an environmental agency received is in fact what the individual submitted. CROMERR requirements for electronic document receiving systems will ensure that these systems receive and maintain electronic documents so as to ensure that such authentication methods are available.
- assurance that electronic signatures resist repudiation by the signatory -- in at least some enforcement proceedings, a critical issue is whether a particular individual is responsible for the content of a submitted document, and the issue turns on whether that individual was the signatory of the certification statement. If the individual in question is able to repudiate his or her electronic signature -- that is, successfully deny that it was his or hers -- then the enforcement case may collapse. CROMERR requirements for electronic signatures, and for the identity proofing needed to issue a signature device or credential, are designed to ensure that signatories are not able to repudiate signatures that they create, that is, that there is sufficient evidence to show when an individual has created a signature.

By providing for these and other facets of an electronic document's legal dependability, CROMERR provides certainty that EPA and its authorized or delegated programs can continue to ensure compliance with environmental laws and statutes by being able to hold individuals responsible for being truthful when they report on their companies' compliance status. By the same token, CROMERR also provides certainty that when EPA or its authorized or delegated programs discover actionable cases of false or fraudulent reporting that they will have the documentary evidence they need to bring such cases into court.
