Cross-Media Electronic Reporting and Records Rule

Information Collection Request 

October 10, 2007

Task Order No.: TO38

Contract No.:  GS00T99ALD0203Table of Contents

  TOC \o "1-1" \f \h \z \t "Head 2—No TOC,2"    HYPERLINK \l
"_Toc67370599"  1.0	Identification of the Information Collection	 
PAGEREF _Toc67370599 \h  1  

  HYPERLINK \l "_Toc67370600"  2.0	Need for and Use of the Collection	 
PAGEREF _Toc67370600 \h  5  

  HYPERLINK \l "_Toc67370601"  3.0	Nonduplication, Consultations, and
Other Collection Criteria	  PAGEREF _Toc67370601 \h  7  

  HYPERLINK \l "_Toc67370602"  4.0	The Respondents and the Information
Requested	  PAGEREF _Toc67370602 \h  16  

  HYPERLINK \l "_Toc67370604"  5.0	The Information Collected - Agency
Activities, Collection Methodology, and Information Management	  PAGEREF
_Toc67370604 \h  20  

  HYPERLINK \l "_Toc67370606"  6.0	Estimating the Hour and Cost Burden
of the Collection	  PAGEREF _Toc67370606 \h  23  

  HYPERLINK \l "_Toc67370610"  Appendix A	List of the NAIC Codes
Associated with Industries Most Likely Affected by the Rule	  PAGEREF
_Toc67370610 \h  33  

 Identification of the Information Collection

1(a)	Title and Number of the Information Collection

This Information Collection Request (ICR) is entitled “A Cross-Media
Electronic Reporting and Recordkeeping Rule”, ICR Number 2002.04. OMB
Control Number: 2025-0003. 

1(b)	Short Characterization

The U.S. Environmental Protection Agency (EPA) has finalized a rule to
allow regulated entities to report electronically to EPA by permitting
the use of electronic document receiving systems to receive electronic
documents in satisfaction of certain document submission requirements in
EPA's regulations. This Cross-Media Electronic Reporting and
Recordkeeping Rule (CROMERR) also allows state, tribal, and local
environmental programs to seek EPA approval, as provided under 40 Code
of Federal Regulations (CFR) 3.1000; to accept electronic documents to
satisfy reporting requirements under authorized or delegated
environmental programs that they administer. In seeking EPA approval,
these state, tribal, and local environmental programs (referred to as
States/Locals in the remainder of this ICR) must upgrade their receiving
systems as needed in order to satisfy the criteria laid out at 40 CFR
3.2000. Regulated entities that use an electronic signature device in
submitting electronic documents to the EPA or State/Local receiving
system must comply with identity proofing requirements, as applicable. 

CROMERR does not require any regulated entity to report electronically
to EPA or State/Local jurisdiction. The rule establishes requirements
for utilizing electronic reporting as an alternative to paper-based
reporting. The rule also does not require State/Local jurisdictions to
implement electronic reporting; rather, it establishes the framework for
implementing the electronic reporting alternative for federal laws that
they administer. In this regard, the rule affects the burden of
regulated entities only as follows:

Entities that report electronically to EPA have to register with EPA’s
receiving system (e.g., log on to the EPA Web site and enter requested
information); comply with the identity proofing provisions; and then
commence electronic reporting (this ICR refers to these entities as
direct reporters).

State/Local jurisdictions must upgrade their electronic receiving
systems as needed to meet CFR Section 3.2000 requirements. This includes
upgrading electronic receiving systems, currently in existence, as well
as systems to be developed in the future. These State/Local
jurisdictions must apply for EPA program modification approval under CFR
Section 3.1000. They also must implement the identity proofing
requirements under CFR Section 3.2000(b)(5).

Entities that report electronically to State/Local jurisdictions must
comply with the identity proofing requirements under CFR Section
3.2000(b)(5). This ICR refers to these entities as indirect reporters.

This ICR examines these respondent requirements and associated burden.
Sections 1.0 through 5.0 of the ICR describe the requirements for
acceptable electronic reporting and receiving systems. Section 6.0
estimates the annual burden to direct reporters in registering with
EPA's electronic receiving system. It also estimates the burden to
direct and indirect reporters in complying with the rule’s identity
proofing requirements. Finally, it estimates State/Local burden in
upgrading their receiving systems and seeking EPA approval. The ICR does
not address the burden impacts (savings) to direct or indirect reporters
in reporting electronically under EPA programs. EPA’s programs will
amend their program-specific ICRs to address these impacts. 

The rule establishes requirements applicable to electronic reporting and
receiving systems, as specified. Many of the activities to be conducted
by direct reporters will be determined by the instructions associated
with EPA’s receiving system. Specifically, EPA has developed an
Agency-wide receiving system, Central Data Exchange (CDX), which guides
respondents through the registration and reporting procedures. In
developing this ICR, EPA referred to the regulatory text, as well as
CDX, in describing direct reporters’ activities and associated burden.

The following paragraphs describe the activities that facilities and
states would take under the rule.

Facility Electronic Reporting To EPA, State, and Local Receiving Systems

Facility Electronic Reporting to EPA Receiving System

40 CFR 3.10(a) and (b) establish Federal environmental reporting
requirements that facilities must satisfy to submit electronic documents
to EPA. Among other things, CFR Section 3.10(a) provides that a person
may use an electronic document to satisfy a federal reporting
requirement, or otherwise substitute for a paper document or submission
permitted or required under other provisions of this title only if the
person submits the electronic document to EPA’s CDX, or to another EPA
electronic document receiving system that the Administrator may
designate for the receipt of specified submissions, complying with the
system’s requirements for submission. The electronic document must
bear all valid electronic signatures as required under Title 40 to sign
the paper document for which the electronic document substitutes, unless
EPA announces special provisions to accept the signature on separate
paper submission. 

In accordance with the above requirements, as well as the requirements
of CDX, direct reporters must register initially with CDX. They also
must update their registration information as needed.

Facility Compliance with Identity Proofing Requirements

Direct and indirect reporters must comply with the identity proofing
provisions of the CDX and rule, as applicable. As provided by CDX and
CFR Section 3.2000(a)(2), any electronic document must bear the valid
electronic signature of a signatory if that signatory would be required
under the EPA or State/Local environmental program to sign the paper
document for which the electronic document substitutes, unless the
program makes special provisions to accept a handwritten signature on a
separate paper submission, as specified. 

In the case of an electronic document that must bear electronic
signatures of individuals, as provided by the CDX or CFR Section
3.2000(a)(2), each signatory must sign either an electronic signature
agreement or a subscriber agreement with respect to the electronic
signature device used to create their electronic signature on the
electronic document. 

The CDX and CFR Section 3.2000(b)(5)(vii) require that, for each
electronic signature device used to create an electronic signature on
the document, the identity of the individual uniquely entitled to use
the device and their relation to any entity for which they will sign
electronic documents must be determined with legal certainty by EPA or
State/Local, as applicable. In the case of priority reports, this
determination must be made before the electronic document is received,
by means of:

Identifiers or attributes that are verified by attestation of
disinterested individuals to be uniquely true of the individual in whose
name the application is submitted, based on information or objects of
independent origin, at least one item of which is not subject to change
without governmental action or authorization.

A method of determining identity no less stringent than the one above.

Collection of either a subscriber agreement or a certification from a
local registration authority that such an agreement has been received
and securely stored.

Approval of State and Local Electronic Document Receiving Systems

State/Local governments that receive, or wish to begin receiving,
electronic documents in lieu of paper documents to satisfy requirements
under authorized programs must revise or modify the EPA-approved state
or local environmental program to ensure that it meets the requirements
of 40 CFR Part 3. In making these program revisions or modifications,
the State/Local government must submit an application that complies with
CFR Section 3.1000(b)(1), and use either the applicable procedures for
revision or modification of such programs in other parts of this title;
or, at their option, the procedures provided in subsections (b) - (e) of
CFR Section 3.1000. The procedures provided in subsections (b) - (e) may
only be used for revising or modifying an authorized program to provide
for electronic reporting and for subsequent revisions or modifications
to the electronic reporting elements of the authorized program as
provided under CFR Section 3.1000(a)(4). CFR Section 3.1000(a)(1). 

State/Local governments that accept electronic documents in lieu of
paper documents under an authorized program for which EPA has approved
program revisions or modifications under the procedures provided in CFR
Section 3.1000(a)(1), must keep EPA apprised of those changes to laws,
policies, or the electronic document receiving systems that have the
potential to affect program conformance with CFR Section 3.2000. Where
the Administrator determines that such changes require EPA review and
approval, EPA may request that the state or local government submit an
application for program revision or modification; additionally, States
or local governments may submit applications on their own initiative,
for program revision or modification respecting their receipt of
electronic documents. CFR Section 3.1000(a)(4)

To obtain EPA approval of program revisions or modifications using
procedures provided under CFR Section 3.1000, a State/Local must submit
an application to the Administrator that includes the elements at CFR
Section 3.1000(b)(1)(i)-(iv).

A state, tribe, or local government that revises or modifies more than
one (1) authorized program for receipt of electronic documents, in lieu
of paper documents, may submit a consolidated application under this
section covering more than one (1) authorized program, provided the
consolidated application complies with this subsection for each
authorized program. CFR Section 3.1000(b)(2).

The State/Local program must satisfy the requirements at 40 CFR 3.2000.
Pursuant to CFR Section 3.2000(a), authorized programs that receive
electronic documents, in lieu of paper documents, to satisfy
requirements under such programs must use an acceptable electronic
document receiving system as specified and require that any electronic
document must bear the valid electronic signature of a signatory if that
signatory would be required under the authorized program to sign the
paper document for which the electronic document substitutes unless the
program makes special provisions to accept a handwritten signature on a
separate paper submission, where such provisions are addressed in the
application submitted under CFR Section 3.1000(b)(1) and ensure that the
paper submission contains  references to the electronic document
sufficient for legal certainty that the signature was executed with the
intention to certify to, attest to, or agree to the content of that
electronic document.

As provided at CFR Section 3.2000(b), an electronic document receiving
system that receives electronic documents, submitted in lieu of paper
documents, to satisfy requirements under an authorized program must be
able to generate data with respect to any such electronic document, as
needed and in a timely manner, including a copy of record for the
electronic document, that meets the criteria specified at CFR Section
3.2000(b)(1) through (5). 

Need for and Use of the Collection

2(a)	Need and Authority for the Collection

EPA is establishing these requirements to ensure compliance with the
Government Paperwork Elimination Act (GPEA).  GPEA requires that federal
agencies be prepared, by October 21, 2003, to allow persons who are
required to maintain, submit, or disclose information, the option of
doing so electronically, when practicable, as a substitute for paper;
and to use electronic authentication (electronic signature) methods to
verify the identity of the sender and the integrity of electronic
content. GPEA specifically provides that electronic records, and their
related electronic signatures, are not to be denied legal effect,
validity, or enforceability merely because they are in electronic form. 

Regulated entities must initially register with the EPA electronic
document receiving system to establish a user account. EPA needs the
registration information to identify the registrant, contact
information, and registrant’s organization. Registrants also select a
password and user name during registration. This information is needed
to ensure that only the registrant has access to their account.

The identity proofing provisions in CFR Section 3.2000(b)(5) are needed
to strengthen the non-repudiation provisions of the rule. The electronic
signature agreement, required at CFR Section 3.2000(b)(5)(v),
establishes that the signatory was informed of their obligation to keep
the signature device from compromise, by ensuring that it is not made
available to anyone else. These provisions are intended to ensure that
the Federal laws regarding the falsification of information submitted to
the government still apply to any and all electronic transactions, and
that fraudulent electronic submissions will be prosecuted to the fullest
extent of the law. In establishing clear requirements for electronic
reporting systems, this rule helps to minimize fraud by assuring that
the responsible individuals can be readily identified.

EPA needs information submitted by State/Locals in their program
modification applications to evaluate the State/Locals’ upgraded
systems to ensure they satisfy the criteria at CFR Section 3.2000. 

EPA also needs the information to evaluate whether the State/Local’s
modified program has been satisfactorily revised or modified in regard
to their receiving system. In particular, the application must include a
certification that the State/Local has sufficient legal authority
provided by lawfully enacted or promulgated statutes or regulations to
implement the electronic reporting component of its authorized program
covered by the application; and to enforce the affected programs using
electronic documents collected under these programs. The certification
must be signed by the governmental official who is legally competent to
certify with respect to legal authority on behalf of their government.
In the case of the state, this official must be the Attorney General or
their designee. In the case of a tribe or local government, this
official must be the chief administrative official or officer or their
designee. As a legal matter, EPA believes that Attorneys General or
their designees are the only officials capable of certifying with
respect to their States’ legal authority. Where there are substantial
administrative obstacles to involving the Attorney General in such
certifications, EPA urges the State Attorney General to provide for a
legally-competent designee who is available to participate in the
submission of the State’s application.

2(b)	Practical Utility and Users of the Data

Regulated entities must initially register with the EPA electronic
document receiving system to establish a user account and create a
password. EPA uses the information to identify the registrant (e.g., by
name and/or organization), establish the account, and contact the
registrant if needed. Regulated entities use the password to access
their account and to protect it from unauthorized use.

EPA and State/Locals use the identity proofing information from
registrants to determine each registrant’s identity and relationship
to their regulated entity. The information may be used in an EPA or
State/Local enforcement action to rebut a signatory’s attempt to
repudiate their electronic signature and/or other elements of the
document that was signed. 

When EPA or State/Local agency receives a subscriber agreement,
certification of receipt and secure storage, or other identity-proofing
information, the agency will review, process, and file the submittal.
EPA or State/Local agency would then provide the registrant with access
to the receiving system (e.g., open its account) so that it may begin
using the electronic signature device in reporting electronically.

EPA uses the information submitted by State/Locals in their program
modification applications to evaluate the State/Locals’ upgraded
receiving systems against the criteria at CFR Section 3.2000(b)(1)-(5).
For example, EPA will review the application to determine if the systems
are able to generate data as needed, and in a timely manner, including
copy of record for each electronic document received, sufficient to
prove that the electronic document was not altered without detection
during transmission or at any time after receipt.

EPA also reviews the application to ensure that the State/Local has
taken all necessary steps to modify its regulations and statutes, as
needed, so that it has authority to implement electronic reporting and
enforce the affected programs using electronic documents collected under
its programs. This includes, among other things, an evaluation of the
Attorney General’s certification under CFR Section 3.1000(b)(1)(i).

Nonduplication, Consultations, and Other Collection Criteria

3(a)	Nonduplication

The purpose of the rule is to establish uniform, Agency-wide criteria
for electronic receiving systems, thereby minimizing the potential for
duplication or redundancy across EPA or state programs. EPA expects that
the rule will significantly assist EPA’s electronic reporting
initiatives currently underway by establishing standardized and
streamlined systems, criteria, and procedures. 

In addition, EPA uses the Access Certificates for Electronic Services
(ACES) program for electronic signature certification for the CDX
system, as needed. The ACES program offers centralized signature
certification for electronic reporters across the federal government. 

Further, electronic reporting is voluntary, and will likely be used by
facilities only if cost-effective and non-duplicative with their other
compliance activities. CROMERR does not alter the reporting requirements
under existing regulations and statutes, and does not affect whether a
document must be created, submitted, or retained under the existing
provisions of Title 40 of the CFR. 

3(b)	Public Notice

In compliance with the Paperwork Reduction Act of 1995, EPA issued a
public notice in the Federal Register on August 31, 2001 (66 FR 46161).
The public comment period extended through February 27, 2002.  EPA
received 184 written comments on the proposal in the six (6) months
following publication of the Notice of Proposed Rulemaking (NPRM). The
commenters represented a broad spectrum of interested parties: states,
local governments, specific businesses, trade associations, and other
federal agencies.  EPA reviewed the public comments on the rule and
supporting analyses, and revised its analytical assumptions and data
accordingly. 

The majority of comments focused on the costs and burden of the proposed
Subpart D electronic record-keeping provisions in the August 31, 2001,
proposal.    SEQ CHAPTER \h \r 1 At this time, EPA is only finalizing,
with some revisions, the provisions for electronic reporting to EPA and
under authorized programs.    SEQ CHAPTER \h \r 1 Based on the comments
received on the proposed electronic record-keeping provisions, EPA is
carefully reconsidering our approach to electronic record-keeping and is
not issuing final record-keeping rules at this time.  We are conducting
additional analysis and intend to publish a supplemental notice or
re-proposal to solicit additional comment before a final rule on
electronic record-keeping is issued.

Some comments and concerns were also received on the proposal’s
electronic reporting provisions.  A discussion of those comments and the
s  SEQ CHAPTER \h \r 1 ubstantive changes to the rule’s electronic
reporting provisions based on public comments follows.

In the comments on the provisions for electronic reporting under
authorized programs, a recurring theme was the complexity of the
proposed requirements for EPA approval.  The comments in many cases
seemed directed equally to the program revision or modification process
associated with electronic reporting and to the proposed criteria for
approving such revisions or modifications.  For the comments that
clearly addressed the process, there were two major concerns.  The first
was simply that the process – dictated as it is by the various current
program authorization regulations – is inherently complicated,
time-consuming and resource-intensive.  In a few cases, commenters noted
the particular worry that having to seek EPA approval for each program
implementing electronic reporting would be especially burdensome, and
that EPA’s proposed approach of streamlining the internal review
component of the program revision process would be of little help.

To address the concern that the proposed program revision or
modification to accommodate electronic reporting was too complicated and
burdensome, the final rule provides for special, streamlined procedures
available exclusively for adding electronic  reporting to existing
authorized programs.  These are optional procedures which a State,
Tribe, or local government may use if it chooses, in place of the
applicable program-specific procedures, to seek EPA approval for
revisions or modifications that provide for electronic reporting or that
make changes to the electronic reporting implementation for that
program.  EPA believes that in most cases these optional procedures will
be substantially simpler and quicker than their program-specific
alternatives. 

A second concern was the impact of the rule on electronic reporting that
was already underway.  Commenters noted that many authorized programs
are already accepting electronic submissions, or would be by the time
the final rule is published, and they worried about the timing of the
requirement that the electronic document receiving systems they use for
this purpose be approved by EPA under associated program revision or
modification procedures.  Under the proposed provisions, such systems
would have to be EPA-approved as soon as the rule became effective – a
practical impossibility.  Given the need to address the criteria for
approval, such applications could only be initiated once the rule was
finalized, and they might take months to complete and get approved –
or substantially longer in cases where the revision or modification
required State legislative or regulatory changes.  During the months or
years that the revision or modification was in process, the authorized
program would either have to shut down their electronic document
receiving systems or, of necessity, operate them out of compliance with
the rule.  Commenters were particularly concerned with the disruptive
impacts of having to shut these systems down.  They pointed out that
reversion to paper-based submissions in such cases may be difficult and
expensive, both for the agencies and for the submitting entities that
are affected, and that resuming system operation after a long hiatus may
require resources more typically associated with system start-up.

To address the concern that the required program revisions or
modifications may disrupt authorized programs that already have
electronic reporting underway, the final rule provides for a two-year
delayed compliance date – in effect, a two-year “grace period” –
before such programs have to submit their applications for revision or
modification.  Programs will be allowed this grace period where they
have systems that fit a new definition of “existing electronic
document receiving system.”  In addition, these provisions allow the
grace period to be extended, on a case-by-case basis, where an
authorized program may need to wait for legislative or regulatory
changes before a complete application can be submitted.

EPA also received a number of comments on the proposed criteria for
State, Tribal, and local electronic document receiving systems.  While a
few of these comments questioned the “Validity of Data” criterion,
the great majority dealt with the detailed function-specific criteria. 
There were at least three recurring and closely related themes.  One was
simply that the criteria were too prescriptive and inflexible –
preventing State and local agencies from adapting their electronic
reporting approaches to local needs and changing circumstances, and
restricting the development of new and creative approaches to achieving
legal dependability.  Another was that the criteria would make
electronic reporting unnecessarily complex, costly, and burdensome.  A
third concern was that while the criteria might be appropriate for some
cases, the “one size fits all” approach was not workable for all
reports in all programs.    

Unfortunately, commenters tended to associate these three themes with
certain misperceptions about the proposed requirements for signature
method and the signature/certification scenario.  Concerning signature
method, a common complaint was that the criteria would require States to
implement PKI-based digital signatures.  Commenters generally appear to
have inferred this from EPA’s own choice of PKI for submissions to
CDX, as discussed in the Preamble, together with proposed §3.2000(c)
Electronic Signature Method –  especially paragraph (5), which would
require that the method ensure “...that it is impossible to modify an
electronic document without detection once the electronic signature has
been affixed.”  We did not intend these to establish PKI as the
required approach to signatures.  Whatever our plans for CDX, we did
not, and do not, intend that State, Tribal and local government systems
have to conform to the CDX model.  Implementing a particular system of
necessity requires the choice of specific technologies; however, to make
those choices does not imply that these are the only possible choices
that would satisfy whatever requirements we place on electronic
reporting systems.  Moreover, proposed §3.2000(c)(5) was not intended
to require PKI-based signature. Given current technology, it would be
difficult, at the least, to be certain whether or not the content of an
electronic document has changed since it was signed without calculating
a hash of the document at signature and securing this hash in a manner
that protects it from degradation or falsification.  Encryption is
probably the most straightforward way to secure the hash.  Encryption
could be accomplished with a PKI-based signature, with a digital
signature where the asymmetric key-pair is not associated with a PKI
certificate, or with symmetric-key cryptography.  It might be possible
to avoid cryptography altogether by storing the hash value in a system
with appropriately controlled access.  PKI-based signature, then,
represents only one among a number of possible solutions here, and at
least some of them – for example, non-PKI digital signatures – are
considerably less expensive and less burdensome than a PKI-based
approach.

Similarly, a number of commenters interpreted the criteria under
proposed §3.2000(e) Electronic signature/certification scenario – and
especially the provisions for signatory’s review of data under
§3.2000(e)(1)(i) – as requiring signatories to scroll through their
submissions on-screen before they affix their electronic signatures, and
requiring State systems to enforce this required “scroll-through”. 
However, the proposal provided not that the signatory must review the
data on-screen, but rather that he or she be given the opportunity to do
so.  Unfortunately, the preamble discussion in the proposal encouraged
this misinterpretation, explaining §3.2000(e)(1)(i) with the example of
the enforced on-screen “scroll-through” then envisioned for CDX, and
described in the CDX section of the preamble.  We did not, and do not,
intend to require this “scroll-through” of submitted data prior to
signature.  Of course, EPA certainly does expect and encourage reporting
entities to review data intended for electronic submission prior to
signature.  Nonetheless, we agree that to mandate this or any other
particular mode or method of signatory review would be needlessly
intrusive and burdensome for submitters.

Setting these and perhaps other misperceptions aside, the three themes
– of prescriptiveness, cost and burden, and a “one size fits all”
approach – nonetheless raised useful and important questions about the
proposal.   The overall approach to the criteria for electronic document
receiving systems in the final rule associated with this ICR, reflects a
balancing of the concerns raised by the public comments – and
especially those relating to the proposal’s burden on States and
regulated entities – against the need to maintain the reliability and
security of electronic signatures and the evidentiary force of the
documents that contain them.  Those who commented that the proposed rule
was too prescriptive generally argued that, even supposing that there
were no specific objections to the detailed provisions under proposed
§3.2000, EPA had failed to make the case that every single requirement
under these provisions is necessary to ensure the legal dependability of
electronic submissions.  If this is correct, then the criteria as
proposed may foreclose acceptable electronic reporting approaches that
could offer equivalent or better assurance of legal dependability while,
perhaps, being easier for a State, Tribal, or local agency to implement.
 We do not want to exclude such alternatives, but it is difficult to
know whether or how specific criteria would need to be changed to avoid
this.  In effect we confronted a dilemma.  On the one hand, we continued
to believe that the basic issues related to authenticity that motivated
the proposed criteria must still be addressed, if we are to assure that
electronic document receiving systems collect and maintain data that
will meet program and enforcement needs.  On the other, given our
inexperience with electronic reporting, EPA simply lacks a basis for
certainty that any particular set of function-based requirements at the
level of specificity reflected in our proposed criteria is (or is not)
necessary for legally dependable electronic submissions.  As a way to
resolve this dilemma, then, we decided it would be better to focus on
criteria that directly articulate these basic issues – the underlying
goals of assuring electronic document authenticity – and add the more
specific requirements only where we are certain we need them.

Commenters who argued that the proposed rule would be too costly and
burdensome generally focused on the sometimes misinterpreted provisions
related to proposed §3.2000(c)(5) and §3.2000(e)(1)(i), discussed
above, or on the proposed §3.2000(d) registration and signature
agreement provisions.  There were many comments to the effect that the
§3.2000(d) requirements would pose substantial barriers to regulated
company participation in electronic reporting and involve unacceptable
expenses for implementing agencies.  For example, some comments note
that corporate officials are reluctant to sign any agreement without
having it first reviewed by counsel, and so the signature agreement
builds delay and billable hours into what is supposed to be a time- and
cost-saving measure.  Similarly, commenters pointed out that the
requirements that regulatory agencies create and support the
registration and agreement processes – with both paper and electronic
records to maintain and correlate – make the administrative overhead
for an electronic reporting initiative much larger than State or local
governments may have anticipated.

These comments posed a more specific version of the dilemma noted in
connection with the prescriptiveness issue.  On the one hand, it is
difficult to imagine a credible electronic reporting system that does
not have some way to control access for the purpose of accepting
submissions, in part by determining the identity of the would-be
submitters – and whatever this involved would be tantamount to a form
of submitter registration.  In addition, having a would-be signatory
sign a signature agreement would be extremely useful if needed to prove
that the individual understood the implications of electronically
signing a document and knew his or her obligations to protect the
signature device from compromise.  On the other hand, it is difficult to
be certain that the specific proposed §3.2000(d) registration process
and signature agreement requirements are the only way to adequately
provide for submitter/signatory identification and for establishing that
an electronic signatory understands the implications and obligations
associated with using the signature device.  Again, this suggests that a
better approach may be to focus on these underlying goals and their
connection with assuring the authenticity and legal dependability of
electronic documents.   

Finally, there is the “one size fits all” issue.  Some of the
comments raised this as another version of the “prescriptiveness”
issue, already discussed, but adding that the proposal developed just
one model of electronic reporting and attempted to make it fit the
differing circumstances of the various State and local agencies that
would have to comply.  Other comments emphasize the point that the
proposal takes requirements apparently tailored to assuring an
electronic document’s authenticity and applies them to all cases of
electronic reporting, whether or not the question of authenticity is
likely to arise.  Indeed, the proposed §3.2000 criteria, taken
together, were designed for the cases where EPA might need to rebut a
signatory’s attempt to repudiate his or her electronic signature
and/or other elements of the document that was signed.  The proposal to
apply these criteria to all cases (or at least to all cases involving a
signature) was motivated by two considerations.  The first was that it
proved to be difficult in practice to draw a “bright line” around
the universe of cases where document authenticity might be of concern;
whether submitted on paper or electronically, almost any report that
requires signature/certification has at least the theoretical potential
to play a role as evidence in a criminal prosecution for false
statements.  Second, the marginal cost of meeting the proposed §3.2000
criteria for electronic documents where authenticity was unlikely to be
an issue seemed, at the time of  proposal, to be more than balanced by
the economies of scale – both for reporting entities and for the
regulatory agencies receiving the electronic reports – afforded by a
single, uniform implementation for all cases.  To the extent that these
assumed economies of scale are doubtful, we face yet another version of
our dilemma.  On the one hand, we still do not see a “bright line”
around the cases where document authenticity is likely to be challenged.
 On the other, we can not be certain that varying one or another of the
system characteristics specified by our proposed criteria – for
example, the specifics of signature method – would necessarily
undermine legal dependability, particularly if the variation were
limited to certain special cases of electronic reporting and/or if there
were compensating measures to strengthen other features of the system. 
To resolve this dilemma – and, to allow variation among and within
electronic reporting systems to the extent that we can still assure
electronic document authenticity where we need to  – EPA has decided
to revise the §3.2000 criteria with focus on articulating this
underlying performance goal.

In revising the §3.2000 criteria for the final rule, in response to
public comments, we sought to fulfill the underlying goal of the
proposal.  This is to assure the authenticity and non-repudiation of
electronic documents submitted in lieu of paper reports, so that they
are as legally dependable – that is, as admissible in evidence and
accorded the same evidentiary weight –  as their paper counterparts. 
As noted earlier, within proposed §3.2000 this goal was expressed most
directly in the §3.2000(b) “Validity of Data” criterion.  This
criterion is also valuable in that it avoids the difficult detail of the
other more function-specific criteria.  Accordingly, for the final rule,
we started with the proposed §3.2000(b) and then incorporated at an
appropriate level of generality other elements from the remainder of
proposed §3.2000 needed to assure the requisite authenticity and
non-repudiation of electronic documents.  The resulting §3.2000(b) in
the final electronic reporting rule reflects the following requirements:

-- in the leading clause of §3.2000(b), that the system be able to
generate the required data as needed and in a timely manner – from
proposed §3.2000(g) addressing system archives;

-- in the leading clause of §3.2000(b) and in §3.2000(b)(4), that the
system must be able to generate a “copy of record” that is made
available to the submitters and/or signatories for review and
repudiation (a definition for this term has been added to §3.3) –
from proposed §3.2000(e)(3) and §3.2000(f) addressing the
signature/certification scenario and transaction record;

-- in §3.2000(b)(5)(i), that the system be able to show that any
electronic signature on an electronic document was created by an
authorized signatory with a device that the identified signatory was
uniquely entitled and able to use.  This is expressed in terms of a
newly defined concept of “valid electronic signature,” taken
together with a revised definition of “electronic signature device”
that addresses its uniqueness to an individual (both explained in
Section IV.D. of this Preamble) – from proposed §3.2000(c) and
§3.2000(d) addressing the electronic signature method and submitter
registration process;

-- in §3.2000(b)(5)(ii), that the system be able to show that the
electronic document cannot be altered without detection once it has been
electronically signed –  from proposed §3.2000(c)(5);

-- in §3.2000(b)(5)(iii) - (iv), that the system be able to show that,
before signing, any signatory had the opportunity to review what he or
she was certifying to in a human-readable format, and to review the
certification statement including any provisions relating to criminal
penalties for false certification –  from proposed §3.2000(e)
addressing the signature/certification scenario;

--  in §3.2000(b)(5)(v), that the system be able to show that the
signatory signed an “electronic signature agreement” or a
“subscriber agreement” acknowledging his or her obligations
connected with preventing the compromise of the signature device (a
definition for this term has been added to §3.3) – from proposed
§3.2000(d) addressing the submitter registration process;

--  in §3.2000(b)(5)(vi), that the system be able to show that it
automatically sent an acknowledgment of any electronic submission it
received that bears an electronic signature.   The acknowledgment must
identify the electronic document, the signatory and the date and time of
receipt, and be sent to an address that does not share the access
controls of the account used to make the submission – from proposed
§3.2000(e)(2); and in §3.2000(b)(5)(vii), for each electronic
signature device used to create an electronic signature on documents
that the system receives, that the system be able to establish the
identity of the individual uniquely entitled to use that device and his
or her relation to the entity on whose behalf he or she signs he
documents – from proposed §3.2000(d)(1) - (3).

EPA believes that the “Validity of Data” criterion enhanced with
these other elements from the proposed rule represents the minimum set
of requirements necessary to assure that the documents accepted by an
electronic document receiving system can be shown to be authentic, and
any signatures on such documents can overcome attempts by signatories to
repudiate the intent to certify or responsibility for the document
content or for the signature itself.  For example, the requirement for a
copy of record was added to ensure that there is an authoritative answer
to the question of what information content a signatory was certifying
to or attesting to. The related requirement that the system be able to
provide timely access to copies of record and related data simply
reflects a practical concern that the data be accessible in time and in
a format to serve the purposes for which it is needed.

Concerning the requirement that signature devices be uniquely assigned
to, and held by, individuals, an acceptable electronic document
receiving system must be able to attribute a signature to a specific
individual, at least on the evidence of its presence on a document, to
help assure that the signatory cannot repudiate responsibility for the
signature.  Non-repudiation is also strengthened by the signed
electronic signature agreement, which establishes that the signatory was
informed of his or her obligation to keep the signature device from
compromise, by ensuring that it is not made available to anyone else. 
Requiring the signature agreement – and that signatories have the
opportunity to review what they are signing –  also helps establish
that where signatures appear on electronic documents, the signatories
had the requisite intent to certify.  That is, these requirements help
ensure that the signatories knew what they were signing, knew what
signing meant, and understood the legal implications of false
certification.

As for the requirement that document content cannot be altered without
detection after signature – so that the signature is somehow
“bound” to the document – an acceptable electronic document
receiving system must, on the evidence of the signature’s presence on
a document, allow a court to attribute the intention to certify to the
document’s current content to the signatory, so that he or she cannot
repudiate this content.  

Finally, the §3.2000(b)(5)(vii) requirement that the system be able to
establish the identity of the individual who is assigned a signature is
based on proposed §3.2000(d).  Proposed §3.2000(d) logically entails
§3.2000(b)(5)(vii) because satisfying the provisions of the former
guarantees compliance with the latter.  However, final
§3.2000(b)(5)(vii) limits the scope of some of the proposed version’s
provisions, most notably the proposed requirement in §3.2000(d)(3) that
in registering for their signature devices registrants must execute
their electronic signature agreements on paper with handwritten
signatures.  In the final rule, this requirement is limited to a special
class of “priority report” submittals.  In addition, final
§3.2000(b)(5)(vii) offers alternatives to this handwritten signature
requirement to allow electronic reporting solutions that are completely
free of paper transactions.  The alternative provisions – in
§3.2000(b)(5)(vii)((a)) - ((b)) – are elaborations of the proposed
§3.2000(d)(1) requirement for  “...evidence (of identity) that can be
verified by information sources that are independent of the registrant
and the entity or entities (for which the registrant will submit
electronic documents)....”  The elaborations are necessary to assure
that we can establish individuals’ identities without being able to
rely on their handwritten signatures – and, in the final version, the
elaborated requirements apply only to “priority report” submittals,
and only where the choice is made to eschew paper in the execution of
electronic signature agreements.  In any event, we have made these
changes to the proposed §3.2000(d) approach to help address
commenters’ concerns with “one size fits all” provisions, as well
as to allow States, Tribes, and local government as much flexibility as
possible as they implement their electronic reporting systems.

3(c)	Consultations

CROMERR reflects more than ten (10) years of interaction with
stakeholders including state and local governments, industry groups, the
legal community, environmental non-government organizations, national
standard setting committees, and other federal agencies. As detailed in
the NPRM, many of EPA’s most significant interactions involved
electronic reporting pilot projects conducted with State agency
partners, including the States of Pennsylvania, New York, Arizona, and
several others. In addition, beginning in June 1999, EPA sponsored a
series of conferences and meetings with the explicit purpose of seeking
stakeholder advice before drafting the NPRM. 

During the extended comment period, EPA also sponsored four (4) public
hearings held around the country, and two (2) state meetings held in
Washington, D.C. The comments and meeting summaries can be found in the
docket to this rulemaking. The final rule reflects many of the comments
and concerns raised by comments on the NPRM. The majority of comments
focused on the costs and burden of the proposed Subpart D, Electronic
Recordkeeping Provisions. A complete discussion of EPA’s response to
public comments to the NPRM can be found in the rule’s Response to
Comments document. 

Lastly, EPA conducted consultations in developing this ICR and the Cost
Benefit Analysis (CBA) supporting the final rule. Information on the
respondents contacted is provided in the table below.	

Name of Organization or State	Contact Person

Arizona Department of Environmental Quality	Russ Brodie

Florida Department of Environmental Protection	John Coates

Illinois Environmental Protection Agency	Mike Garretson 

Nebraska Oil and Gas Conservation Commission	Stan Belieu

New Jersey Department of Environmental Quality	Pete Tenebruso

New Mexico Environment Department	Renee Martinez

Texas Commission on Environmental Quality	Greg Nudd 

Virginia Department of Environmental Quality	Allison Kittle

Wisconsin Department of Environmental Quality	Tom Aten

These respondents provided information on State/Locals’ progress in
developing electronic receiving systems. In particular, they indicated
that State/Locals are implementing electronic receiving systems
independently of EPA’s final rule. In addition, they estimated the
burden to State/Locals in upgrading their receiving systems and applying
for EPA approval of their program modifications. Their feedback was used
to develop this ICR’s estimates for State/Local upgrade costs (shown
in Table 2 of this document) and program modification burden. 

3(d)	Effects of Less Frequent Collection

Facilities must initially register with the EPA electronic document
receiving system to establish a user account. Registration information
is collected at the time of registration (i.e., a one-time event) and
updated if needed. Because it is a one-time activity, the information
cannot be collected less frequently. If this information were not
collected, EPA would not have a way to learn the identity of the
registrant and establish its account. 

Facilities must comply with the identity proofing provisions of the CDX
and CFR Section 3.2000(b)(5), as applicable. These provisions provide
that, in the case of priority reports for which an electronic signature
device was used to create an electronic signature, a determination of
identity must be made before the electronic document is received. EPA
believes it is critical that registrants submit the identity proofing
paperwork in advance of their priority reports so that the Agency can
establish a link between each registrant, and its electronic signature
device, to hold them accountable for their submittals. 

Facilities must also report any compromise or surrender of its
electronic signature device to EPA or State/Local. Local Registration
Authority’s (LRAs) must report any breach of storage of its subscriber
agreements. These are as-needed submittals. If these reports were not
collected, EPA and State/Locals would not have a way to learn about the
signature compromise/surrender or storage breaches. Hence, they would
not be in a position to take follow up action as needed (e.g., to
temporarily prevent access to an account whose signature device has been
compromised). This could result in the unauthorized use an electronic
signature device. 

In addition, the rule sets forth timeframes for EPA receipt, review, and
approval of State/Local program modification applications to implement
electronic receiving systems. CFR Section 3.10000(a)(2) provides that a
State/Local that does not have an electronic document receiving system
on or before the date of publication of the rule must apply to EPA for
program modification approval before receiving electronic documents. If
this frequency were not specified, EPA would not have assurance that
State/Locals are developing and using electronic document receiving
systems that comply with the rule’s provisions at CFR Section 3.2000. 

CFR Section 3.1000(a)(3) provides that a State/Local with an existing
receiving system must apply for EPA approval within two years of the
date of publication of the rule. EPA believes the two (2) year timeframe
will be sufficient to allow State/Locals to upgrade their systems and
submit their applications. EPA believes that a shorter timeframe would
make it difficult for State/Locals to comply. EPA believes that a longer
timeframe would not enable it to review State/Local program
modifications in a timely manner. EPA would not have assurances that the
State/Local programs have sufficient regulatory or statutory authority
to implement and enforce the programs using the electronic documents
received.

3(e)	General Guidelines

This ICR adheres to the guidelines stated in the Paperwork Reduction Act
of 1995, OMB's implementing regulations, EPA's ICR Handbook, and other
applicable Office of Management and Budget (OMB) guidance. 

EPA notes that subscriber agreements must be kept on file until five (5)
years after deactivation of the associated electronic signature device.
EPA believes a five (5) year retention period is necessary to ensure
that such records are available in case of an EPA or State/Local
enforcement action. EPA recognizes that a registrant may use an
electronic signature device in signing a range of enforcement-sensitive
reports. Certain reports may have relevance to an enforcement action
long after it is submitted to EPA or State/Local. Because of this, EPA
needed to establish a sufficiently long retention period for the
subscriber agreements so that they would available for such enforcement
actions.

3(f)	Confidentiality

EPA plans to give priority to receipt of the relatively high-volume
environmental compliance reports that do not involve the submission of
confidential business information (CBI) in developing the CDX, and in
approving changes to authorized state and tribal programs related to
electronic reporting. EPA believes that receipt of electronically
transmitted CBI requires considerably stronger security measures than
the initial version of CDX may be able to support, including provisions
for encryption. While EPA plans to enhance CDX to accommodate CBI, EPA
would want to first gain experience implementing CDX in the non-CBI
arena, and also take the time to explore CBI security issues with
companies that submit confidential data.

At the time EPA enhances CDX to accommodate CBI, EPA must treat the
information in accordance with the confidentiality regulations set forth
in 40 CFR Part 2, Subpart B. EPA also will ensure that the information
collection procedures comply with the Privacy Act of 1974 and the OMB
Circular 108.

3(g)	Sensitive Questions

Persons registering with the CDX are asked to provide knowledge-based
information (e.g., date of birth) to ensure the security of their
password, user name, and other information supplied. If the person loses
his password or user name, or otherwise needs to confirm his identity to
EPA, EPA could use his knowledge-based information to confirm his
identity.

The Respondents and the Information Requested

4(a)	Respondents and NAICS Codes tc \l2 "4(a)	Respondents and NAICS
Codes 

This information collection activity will likely have broad
applicability across industries. Refer to Appendix I for a list of the
North American Industrial Classification System (NAICS) codes associated
with industries most likely affected by the rule.

4(b)	Information Requested

Facility Electronic Reporting to EPA, State, and Local Receiving Systems

Facility Electronic Reporting to EPA Receiving System

Facilities must register their employees with CDX before reporting
electronically to EPA. The employees must update their registration
information if it changes. 

(i)	Data Items:

An on-line registration application:

Registrant name

Organization name

Address

Knowledge-based information (e.g., user-supplied secret
question-and-answer pair)

(ii)	Respondent Activities:

Log on to receiving system site and enter requested information

Update the information, as needed

Facility Compliance with Identity Proofing Requirements

Direct and indirect reporters must comply with the identity proofing
provisions of the CDX and rule, as applicable. The CDX and CFR Section
3.2000(a)(2) require that any electronic document must bear the valid
electronic signature of a signatory if that signatory would be required
under the authorized program to sign the paper document for which the
electronic document substitutes, except as otherwise specified. 

In the case of an electronic document that must bear electronic
signatures of individuals as provided by the CDX and CFR Section
3.2000(a)(2), each signatory must sign either an electronic signature
agreement, or a subscriber agreement with respect to the electronic
signature device used to create their electronic signature on the
electronic document.	

The CDX and CFR Section 3.2000(b)(5)(vii) require that the identity of
the individual uniquely entitled to use the device and their relation to
any entity for which he or she will sign electronic documents must be
determined with legal certainty by EPA or State/Local, as applicable. In
the case of priority reports, this determination must be made before the
electronic document is received, by means of:

Identifiers or attributes that are verified by attestation of
disinterested individuals to be uniquely true of the individual in whose
name the application is submitted, based on information or objects of
independent origin, at least one (1) item of which is not subject to
change without governmental action or authorization.

A method of determining identity no less stringent than the one above.

Collection of either a subscriber agreement or a certification from a
LRA that such an agreement has been received and securely stored. 

The term “subscriber agreement” means an electronic signature
agreement signed by an individual with ink on paper. The agreement must
be signed by an individual with respect to an electronic signature
device that the individual will use to create their electronic
signatures requiring such individual to protect the electronic signature
device from compromise; to promptly report to the agency or agencies
relying on the electronic signatures created any evidence discovered
that the device has been compromised; and to be held as legally bound,
obligated, or responsible by the electronic signatures created as by a
handwritten signature. This agreement must be stored until five (5)
years after the associated electronic signature device has been
deactivated.

The term “Local Registration Authority” means an individual who is
authorized by a state to issue an agreement collection certification,
whose identity has been established by notarized affidavit, and who is
authorized in writing by a regulated entity to issue agreement
collection certifications on its behalf. To become a LRA, an individual
must have their identity established by notarized affidavit, and must be
authorized in writing by the regulated entity to issue agreement
collection certifications on its behalf. Once approved by EPA or
State/Local, the LRA would collect subscriber agreements from each
individual in the regulated entity that intends to use an electronic
signature device in reporting electronically to EPA or State/Local
system. The LRA would collect and store the subscriber agreements in a
manner that prevents authorized or unauthorized access to these
agreements by anyone other than the LRA. The LRA would prepare an
agreement collection certification and submit a certification of receipt
and secure storage to the EPA or State/Local.

(i)	Data Items:

Identifiers or attributes that are verified by attestation of
disinterested individuals to be uniquely true, as specified.

Other information necessary to determine identity.

Subscriber agreement.

Application to designate a LRA, including notarized affidavit and a
written authorization from the regulated entity to issue collection
agreement certifications on its behalf.

Agreement collection certification. This is a signed statement by which
a LRA certifies that a subscriber agreement has been received from a
registrant; the agreement has been stored in a manner that prevents
authorized or unauthorized access to these agreements by anyone other
than the local registration authority; and the local registration
authority has no basis to believe that any of the collected agreements
have been tampered with or prematurely destroyed.

Certification of receipt and secure storage. 

Report of breach of security.

Report of compromised or surrendered electronic signature.

(ii)	Respondent Activities:

Regulated entities must comply with the CDX and rule’s requirements
for determining the identity of individuals who will use an electronic
signature device:

Submit information on identifiers or attributes or other
identity-proofing information. 

Comply with subscriber agreement provisions:

Prepare, file, and submit a subscriber agreement.

Prepare, file, and submit new subscriber agreement, for employee
turnover.

Contact the help desk for technical support.

Report compromised or surrendered electronic signature device and
prepare/submit new subscriber agreement if necessary.

Comply with the requirements for a local registration authority:

Develop a process or plan to implement the requirement, designate the
LRA, and submit application to agency.

Register the local authority with the receiving system.

Prepare subscriber agreements and send to local authority.

Prepare agreement collection certification after securely storing
subscriber agreements, and submit certification of receipt and secure
storage.

Prepare new subscriber agreements and submit to local authority, for
employee turnover.

Submit updated certification of receipt and secure storage.

Redesignate local authority, due to turnover.

Register new local authority.

Report breach of security or compromise/surrender of electronic
signature device.

Prepare new subscriber agreements and send to LRA.

Prepare and submit certification of receipt and secure storage.

Conduct ongoing management.

Approval of State and Local Electronic Document Receiving Systems

To obtain EPA approval of program revision or modification using
procedures provided under CFR Section 3.1000, a State /Local must submit
an application for program revision to EPA that includes the elements
specified in CFR Section 3.1000(b)(1)(i)-(iv).

A State/Local government that revises or modifies more than one (1)
authorized program for receipt of electronic documents, in lieu of paper
documents, may submit a consolidated application covering more than one
authorized program, provided the consolidated application complies with
applicable requirements for each authorized program.

A State/Local government that accepts electronic documents in lieu of
paper documents under an authorized program for which EPA has approved
program revisions or modifications under the procedures provided in CFR
Section 3.2000(a)(1) must keep EPA apprised of those changes to laws,
policies, or the electronic document receiving systems that have the
potential to affect program conformance with CFR Section 3.2000.

The State/Local program must satisfy the requirements at 40 CFR 3.2000.
Pursuant to CFR Section 3.2000, authorized programs that receive
electronic documents, in lieu of paper documents, to satisfy
requirements under such programs must use an acceptable electronic
document receiving system as specified and require that any electronic
document must bear valid electronic signatures to the same extent that
the paper submission for which it substitutes would bear handwritten
signatures under the authorized program, unless otherwise specified. An
electronic document receiving system that receives electronic documents,
submitted in lieu of paper documents, to satisfy requirements under an
authorized program must be able to generate data with respect to any
such electronic document, as needed and in a timely manner, including a
copy of record for the electronic document, that meets the criteria
specified at CFR Section 3.2000(b)(1) through (5). 

(i)	Data Items:

An application for program revision that includes the following
elements:

A certification that the state, tribe, or local government has
sufficient legal authority provided by lawfully enacted or promulgated
statutes or regulations that are in full force and effect on the date of
certification to implement the electronic reporting component of its
authorized programs covered by the application in conformance with CFR
Section 3.2000 and to enforce the affected programs using electronic
documents collected under these programs B together with copies of the
relevant statutes and regulations B signed by the State Attorney General
or their designee, or in the case of an authorized tribal or local
government program, by the chief administrative official or officer of
the governmental entity or their designee.

A listing of all state or local government electronic document receiving
systems to accept the electronic documents being addressed by the
program modification or revisions that are covered by the application,
together with a description for each such system that specifies how the
system meets the applicable criteria in CFR Section 3.2000(b) with
respect to those electronic documents.

A schedule of upgrades for electronic document receiving systems that
have the potential to affect the program’s continued conformance with
CFR Section 3.2000, if appropriate. 

Other such information as the Administrator may request to fully
evaluate the application.

Appraisals to EPA of changes to laws, policies, or electronic document
receiving systems.

(ii)	Respondent Activities:

State/Local jurisdictions with receiving systems must upgrade them as
needed to meet CFR Section 3.2000 and apply for EPA program modification
approval under CFR Section 3.1000.

State/Local jurisdictions must keep EPA apprised of changes to laws,
policies, or electronic document receiving systems.

The Information Collected - Agency Activities, Collection Methodology,
and Information Management

5(a)	Agency Activities tc \l2 "5(a)	Agency Activities 

EPA Activities

Develop and operate the CDX.

Process and file applications submitted by State/Locals seeking to
modify their programs, as required by CFR Section 3.1000.

EPA and State/Local Jurisdictions

Collect identifiers or attributes or other requested information.

Collect subscriber agreements:

Receive, process, review, approve, and file new subscriber agreements.

Receive, process, review, approve, and file new subscriber agreements,
for employee turnover.

Receive, process, review, and approve report of compromise or surrender
of electronic signature device.

Collect submittals from LRAs:

Receive application to designate first-time LRA.

Receive, process, review, and approve certification of receipt and
secure storage.

Receive application to designate LRA, for LRA turnover.

Receive, process, review and approve updated certification of receipt
and secure storage, for employee turnover.

Receive notification of breach of security or compromise/surrender of
electronic signature and take action.

Receive, process, review, and approve certification of receipt and
secure storage, for breach of security or compromise/surrender of
electronic signature device.

Conduct ongoing management

Identify and resolve problems.

Respond to information requests.	

5(b)	Collection Methodology and Management

The CDX serves as EPA’s primary gateway for electronic documents
received by EPA. CDX functions include:

Access management allowing or denying an entity access to CDX.

Data interchange accepting and returning data via various file transfer
mechanisms.

Signature/certification management providing devices and required
scenarios for individuals to sign and certify what they submit.

Submitter and data authentication assuring that electronic signatures
are valid and data is uncorrupted.

Transaction logging providing date, time, and source information for
data received to establish “chain of custody”.

Acknowledgment and provision of copy of record providing the submitter
with confirmations of the data received.

Archiving placing files received and transmission logs into secure,
long-term storage.

Error-checking flagging obvious errors in documents and document
transactions, including duplicate documents and unauthorized
submissions.

Translation and forwarding converting submitted documents into formats
that will load to EPA databases, and forwarding them to the appropriate
systems. 

Outreach providing education and other customer services (such as user
manuals, Help Desk) to CDX users.

5(c)	Small Entity Flexibility

The rule allows electronic reporting by permitting the use of electronic
document receiving systems to receive electronic documents in
satisfaction of certain document submission requirements in EPA’s
regulations. Electronic reporting under the rule is voluntary. These
changes will reduce the burden on all affected entities, including small
businesses. In addition, facilities will find that the initial set up
process requires little expenditure of time and resources, and in the
long run, this process will reduce the time spent on submissions each
year. 

5(d)	Collection Schedule

The collection frequencies associated with the CDX system and ACES
program include the following:

Facilities must initially register with the electronic document
receiving system and obtain electronic signature certification, if
applicable.

Facilities must comply with requirements for determining the identity of
individuals who use electronic signature devices (e.g., prepare/submit
subscriber agreements or certification of receipt and secure storage),
before submitting electronic reports using the associated device.

Registrants must submit a notice of compromise or surrender of
electronic signature device promptly, should this occur.

LRAs must submit a notice of breach of secure storage promptly, should
this occur. 

A State/Local government that does not have an existing electronic
document receiving system for receiving electronic documents in lieu of
paper documents to satisfy requirements of an authorized program on or
before publication of the final rule must, using specified procedures,
apply for, and receive EPA approval of revisions or modifications to
such program before the program may receive electronic documents in lieu
of paper documents to satisfy requirements of such program.

A State/Local government that has an existing electronic document
receiving system and that seeks to receive electronic documents, in lieu
of paper documents, to satisfy requirements of an authorized program
must submit an application to revise or modify such authorized program
no later than two years after publication of the final rule. On a
case-by-case basis, this deadline may be extended by the Administrator,
upon request, where the Administrator determines that the State/Local
government needs additional time to make legislative or regulatory
changes in order to meet the requirements of this part.

Within 75 calendar days of receiving an application for program revision
or modification, the Administrator will respond with a letter that
either notifies the State/Local government that the application is
complete or identifies deficiencies in the application that render the
application incomplete. The State/Local government receiving a notice of
deficiencies may amend the application and resubmit it. Within 30
calendar days of receiving the amended application, the Administrator
will respond with a letter that either notifies the applicant that the
amended application is complete or identifies remaining deficiencies
that render the application incomplete.

Except where an opportunity for public hearing is required, if the
Administrator does not take any action on a specific request for
revision or modification of a specific authorized program addressed by
an application submitted within 180 calendar days of notifying the
State/Local government that the application is complete, the specific
request for program revision or modification for the specific authorized
program is considered automatically approved by EPA at the end of the
180 calendar days unless the review period is extended at the request of
the State/Local government submitting the application.

If a State/Local government submits material to amend its application
after the date that the Administrator sends notification that the
application is complete, this new submission will constitute withdrawal
of the pending application and submission of a new, amended application
for program revision or modification, and the 180-day time period will
begin again only when the Administrator makes a new determination and
notifies the State/Local government under that the amended application
is complete.

Estimating the Hour and Cost Burden of the Collection

6(a)	Estimating Respondent Burden

EPA estimates respondent hour and cost burden associated with all of the
requirements covered in this ICR in Exhibits 1 and 2. EPA obtained its
hour, cost, and universe estimates for activities in this ICR from the
Agency’s technical background document, Cross Media Electronic
Reporting Rule Cost Benefit Analysis.

6(b)	Estimating Respondent Costs

Labor Costs

The estimated average hourly labor cost (including overhead and fringe),
by labor category, for facilities and States is shown in Table 1. These
labor rates were used to calculate the labor cost to all respondents in
conducting the reporting activities covered in this ICR, as shown in
Exhibits 1 and 2. 

Table 1. Average Hourly Respondent Labor Cost, by Labor Category

Respondent	Legal	Managerial	Technical	Clerical

Facilities	$74.54	$55.33	$37.29	$24.99

States/Locals	$ 46.53	$43.62	$29.59	$22.65

a Labor rates included in this table were obtained from the technical
background document developed for the rule, Cross Media Electronic
Reporting Rule Cost Benefit Analysis. 

Capital and Operation and Maintenance (O&M) Costs

This ICR estimates capital and O&M costs based on information in the
CROMERR CBA. The CBA estimates capital and O&M costs for State/Locals to
upgrade their electronic receiving systems to satisfy CROMERR’s
standards at 40 CFR 3.2000. As explained in the CBA, EPA estimates that
a percentage of State/Locals would need to upgrade their systems for
copy of record, Secure Sockets Layer (SSL), email notification,
electronic signatures, and/or electronic signature agreement provisions.
The capital/start-up and maintenance costs associated with these
upgrades, as well as the percentage of State/Locals with systems
performing the upgrades are shown in Table 2.

	Table 2:  Summary of State/Local System Upgrade Costs` Per Receiving
System

	Copy of Record	SSL	Email Notification	E-Signature	E-Signature Agreement
Upgrade

	Cost Per System Upgrade	% of States Needing Upgrade	Cost Per System
Upgrade	% of States Needing Upgrade	Cost Per System Upgrade	% of States
Needing Upgrade	Cost Per System Upgrade	% of States Needing Upgrade	Cost
Per System Upgrade	% of States Needing Upgrade

	Startup Cost	Annual Maintenance

Startup Cost	Annual Maintenance







	State Environmental Agencies	$208,333	$28,333	58%	$25,000	$600	27%
$56,000	7%	$15,270	10%	$31,232	100%

All Other State and Local Agencies	$50,000	$10,000	58%	$25,000	$600	27%
$56,000	7%	$15,270	10%	$31,232	100%



In addition, this ICR estimates a postage cost of $2.50 for certified
mail delivery (e.g., for registrants that submit subscriber agreements
to EPA or State/Local), and $0.37 per submittal for employee registrants
that submit subscriber agreements to their LRA. The ICR estimates $2.50
for obtaining a notarized affidavit. The ICR also estimates $5.00 in
postage for a State/Local to submit its program modification
application.

6(c)	Estimating Agency Hour and Cost Burden

The estimated average hourly labor cost (including overhead and fringe),
by labor category, for EPA is shown in Table 3. These labor rates were
used to calculate agency costs associated with the activities covered in
this ICR, as shown in Exhibit 3. 

Table 3. Average Hourly Agency Labor Cost, by Labor Category

	Legal	Managerial	Technical	Clerical

EPA	$70.62	$59.49	$43.43	$20.05

a Labor rates included in this table were obtained from the technical
background document developed for the rule, Cross Media Electronic
Reporting Rule Cost Benefit Analysis.

6(d)	Estimating the Respondent Universe and Total Hour and Cost Burden

Respondent Universe

The number of direct and indirect reporting facilities expected to
register to conduct electronic reporting during the three (3) year
period covered by this ICR is shown in Table 4. It shows that EPA
expects 59,003 small facilities on average to register for electronic
reporting to EPA or State/Local receiving systems each year. Each
facility is expected to have three employees, on average, who will
register with the receiving system, for an average total of 177,009
employee registrants each year.

It also shows that EPA expects 7,293 facilities owned by medium-size and
large firms to register for electronic reporting to EPA or State./Local
receiving systems each year. Each facility is expected to have an
average of six (6) employees who will register with the receiving
system, for an average total of 43,758 employee registrants, on average.

The following paragraphs discuss these universe estimates in relation to
the reporting requirements of the rule.

Table 4. Average Annual Number of Direct and Indirect Reporting
Facilities and Employees Expected to Register with the CDX and
State/Local Systems During the Three-Year Life of ICR 

	Number of Facilities per Year	Average Annual Number of Facilities
During Three Years	Average Annual Number of Employee Registrants During
Three Years

	Year 1	Year 2	Year 3



Direct Reporters

Small Firms	7,388	4,647	3,548	5,194	15,582

Medium-Size and Large Firms	914	574	438	642	3,852

Indirect Reporters

Small Firms	0	130,888	30,540	53,809	161,427

Medium-Size and Large Firms	0	16,177	3,775	6,651	39,904



Facility Electronic Reporting to EPA, State, and Local Receiving Systems

Facility Electronic Reporting to EPA Receiving System

As shown in Table 4, EPA estimates that, on average, 19,434 facility
employees (i.e., employees of direct reporting facilities), will
register with EPA’s electronic document receiving system each year.
These registrants are expected to call the CDX Help Desk and complete
the online registration application. EPA estimates that ten (10) percent
of registrants each year will need to update their registration
information. These assumptions are reflected in Exhibit 1.

Facility Compliance With Identity Proofing Requirement

The CDX and rule provide a range of ways for determining the identity of
individuals using electronic signature devices for priority reports.
This could include the use of identifiers or attributes that are
verified by attestation of disinterested individuals to be uniquely true
of the individual, as specified. It also may include other methods no
less stringent than the use of such identifiers or attributes. Finally,
it may include the collection of either a subscriber agreement or a
certification from a LRA that such an agreement has been received and
securely stored.

For purposes of this ICR, EPA has made the assumption that all
registrants to the CDX and State/Local systems will comply with the
requirements for a subscriber agreement or LRA certification. We
recognize, however, that the other methods (e.g., submittal of
identifiers or attributes) could also be used. For example, the
submittal of identifiers or attributes may be required by a Certificate
Authority to determine one’s identity before issuing an electronic
signature certificate.  

Under the identity-proofing requirements, EPA estimates that small firms
will comply with the subscriber agreement requirements. This includes,
on average, 15,582 registrants from small direct reporter facilities. It
also includes 161,427 registrants from small indirect reporter
facilities. Note that EPA estimates that each registrant from an
indirect reporter firm will register with 1.3 receiving systems, on
average. 

EPA further estimates that medium-size and large firms will comply with
the LRA requirements. This includes, on average, 3,852 employee
registrants from medium or large-size direct reporter facilities and
39,904 employee registrants from medium-size or large indirect reporter
facilities. EPA further assumes that each medium-size and large firm
owns, on average, three (3) facilities, for a total of 18 employee
registrants each. EPA estimates that each firm will designate a LRA, who
will collect subscriber agreements from its firm’s employees. Note
that EPA assumes that a medium-size or large indirect reporter firm will
register with 1.3 receiving systems, on average. These assumptions are
reflected in Exhibit 1.

Approval of State and Local Electronic Document Receiving Systems

To obtain EPA approval of a program revision or modification using
procedures provided under CFR Section 3.1000, a state or local
government must submit an application for program revision to EPA that
includes the elements specified in CFR Section 3.1000(b)(1)(i)-(iv). A
State/Local government that revises or modifies more than one authorized
program for receipt of electronic documents, in lieu of paper documents,
may submit a consolidated application covering more than one authorized
program, provided the consolidated application complies with applicable
requirements for each authorized program. The State/Local program must
satisfy the requirements at 40 CFR 3.2000.

Based on the CBA, this ICR estimates that 45 state environmental
protection agencies (state EPAs) and 138 other State/Local jurisdictions
(e.g., counties, tribes) will upgrade their receiving systems and submit
program modification applications to EPA during the three-year life of
this ICR. 

Because the exhibits in this ICR present annual costs over three (3)
years, EPA has divided the number of State/Local jurisdictions by three.
Hence, Exhibit 2 estimates annual burden for 15 State EPAs and 46 other
State/Local jurisdictions annually (i.e., 45 State EPAs / 3 years’ 15
per year; 138 other State/Local Jurisdictions / 3 years’ 46 per year).

EPA further estimates that each State EPA will have, on average, three
receiving systems each. Each other State/Local will have one receiving
system each. EPA assumes the State/Locals will incur capital/start-up
costs in upgrading their receiving systems according to the burden
assumptions in Table 2 of this document. These assumptions are reflected
in Exhibit 2.

6(e)	Bottom Line Hour and Cost Burden

Respondent Tally

The total annual hour and cost burden to facilities and to State/Locals
under the rule is summarized in Exhibit 4. As shown in the exhibit, EPA
estimates the annual respondent burden to be 151,963 hours, and
$10,763,740. The bottom line burden to respondents over three (3) years
is 455,889 hours and $32,291,219.

Agency Tally

Exhibit 5 summarizes the total annual hour and cost burden to EPA under
the rule. As shown in the exhibit, EPA estimates that the annual Agency
burden is 250,929 hours and $17,183,510. The bottom line burden to the
Agency over three years is 752,787 hours and $51,550,530.

6(f)	Reasons for Change in Burden

There is no significant change in the ICR compared to the previous ICR.
This is due to the regulations having not changed over the past three
years and is not anticipated to change over the next three years.  There
is, however, an adjustment in the labor cost estimate. This is due to
the inflation of the labor rates over the past three years. 

6(g)	Burden Statement

The public reporting burden in this ICR is estimated to be about 10
minutes for an individual that reports electronically to the CDX. This
includes time for preparing the on-line application and calling the CDX
Help Desk.

The public reporting burden in this ICR is estimated to be 15 minutes
for an individual that prepares and submits a subscriber agreement.  
SEQ CHAPTER \h \r 1 The public record keeping burden for the individual
is estimated to be 5 minutes for filing an agreement on site.

The public reporting burden is estimated to be approximately 30 minutes
for the LRA.  This includes time for preparing and submitting the
certification of receipt and secure storage to EPA or State/Local
agency.  The public record keeping burden is estimated to be
approximately 30 minutes for the LRA.  This includes time for compiling
subscriber agreements from employee registrants within the LRA’s firm,
placing them in secure storage, and preparing and filing the agreement
collection certification.

The public reporting burden in this ICR is estimated to range from 210
hours for a Local government to 330 hours for State EPA seeking to
implement an electronic receiving system. This includes time for
preparing and submitting the program modification application to EPA.

  SEQ CHAPTER \h \r 1 Burden means the total time, effort, or financial
resources expended by persons to generate, maintain, retain, or disclose
or provide information to or for a Federal agency.  This includes the
time needed to review instructions; develop, acquire, install, and
utilize technology and systems for the purposes of collecting,
validating, and verifying information, processing and maintaining
information, and disclosing and providing information; adjust the
existing ways to comply with any previously applicable instructions and
requirements; train personnel to be able to respond to a collection of
information; search data sources; complete and review the collection of
information; and transmit or otherwise disclose the information.   

To comment on the Agency's need for this information, the accuracy of
the provided burden estimates, and any suggested methods for minimizing
respondent burden, including the use of automated collection techniques,
EPA has established a public docket for this ICR under Docket ID No.
EPA-HQ-OEI-2007-0412, which is available for public viewing at the OEI
Docket in the EPA Docket Center (EPA/DC), EPA West, Room 3334, 1301
Constitution Ave., NW, Washington, D.C. The EPA Docket Center Public
Reading Room is open from 8:30 a.m. to 4:30 p.m., Monday through Friday,
excluding legal holidays.  The telephone number for the Reading Room is
(202) 566-1744, and the telephone number for the OEI Docket is
202-566-1752. An electronic version of the public docket is available
through EPA Dockets (EDOCKET) at http://www.epa.gov/edocket. Use EDOCKET
to submit or view public comments, access the index listing of the
contents of the public docket, and to access those documents in the
public docket that are available electronically. Once in the system,
select “search”, then key in the docket ID number identified above.
Also, you can send comments to the Office of Information and Regulatory
Affairs, Office of Management and Budget, 725 17th Street, NW,
Washington, DC 20503, Attention: Desk Office for EPA. Please include the
EPA Docket ID No. EPA-HQ-OEI-2007-0412 and EPA ICR No. 2002.04.



Appendix A	List of the NAIC Codes Associated with Industries Most
Likely Affected by the Rule

11	Agriculture, Forestry, Fishing and Hunting 

111	Crop Production 

112	Animal Production 

113	Forestry and Logging 

114	Fishing, Hunting and Trapping 

115	Support Activities for Agriculture and Forestry 

21	Mining

211	Oil and Gas Extraction 

212	Mining (except Oil and Gas) 

213	Support Activities for Mining 

22	Utilities

221	Utilities 

23	Construction 

233	Building, Developing, and General Contracting 

234	Heavy Construction 

235	Special Trade Contractors 

31	Manufacturing 

311	Food Manufacturing 

312	Beverage and Tobacco Product Manufacturing 

313	Textile Mills 

314	Textile Product Mills 

315	Apparel Manufacturing 

316	Leather and Allied Product Manufacturing 

321	Wood Product Manufacturing 

322	Paper Manufacturing 

323	Printing and Related Support Activities 

324	Petroleum and Coal Products Manufacturing 

325	Chemical Manufacturing 

326	Plastics and Rubber Products Manufacturing 

327	Nonmetallic Mineral Product Manufacturing 

331	Primary Metal Manufacturing 

332	Fabricated Metal Product Manufacturing 

333	Machinery Manufacturing 

334	Computer and Electronic Product Manufacturing 

335	Electrical Equipment, Appliance, and Component Manufacturing 

336	Transportation Equipment Manufacturing 

337	Furniture and Related Product Manufacturing 

339	Miscellaneous Manufacturing 

42	Wholesale Trade 

421	Wholesale Trade, Durable Goods 

422	Wholesale Trade, Nondurable Goods 

44-45	Retail Trade 

441	Motor Vehicle and Parts Dealers 

442	Furniture and Home Furnishings Stores 

443	Electronics and Appliance Stores 

444	Building Material and Garden Equipment and Supplies Dealers 

445	Food and Beverage Stores 

446	Health and Personal Care Stores 

447	Gasoline Stations 

448	Clothing and Clothing Accessories Stores 

451	Sporting Goods, Hobby, Book, and Music Stores 

452	General Merchandise Stores 

453	Miscellaneous Store Retailers 

454	Nonstore Retailers 

48-49	Transportation and Warehousing 

481	Air Transportation 

482	Rail Transportation 

483	Water Transportation 

484	Truck Transportation 

485	Transit and Ground Passenger 

	Transportation 

486	Pipeline Transportation 

487	Scenic and Sightseeing Transportation 

488	Support Activities for Transportation 

491	Postal Service 

492	Couriers and Messengers 

493	Warehousing and Storage 

51	Information 

511	Publishing Industries 

512	Motion Picture and Sound Recording 

	Industries 

513	Broadcasting and Telecommunications 

514	Information Services and Data Processing Services 

52	Finance and Insurance 

521	Monetary Authorities - Central Bank 

522	Credit Intermediation and Related Activities 

523	Securities, Commodity Contracts, and Other Financial Investments and
Related Activities

524	Insurance Carriers and Related Activities 

525	Funds, Trusts, and Other Financial Vehicles 

53	Real Estate and Rental and Leasing 

531	Real Estate 

532	Rental and Leasing Services 

533	Lessors of Nonfinancial Intangible Assets (except Copyrighted Works)

54	Professional, Scientific, and Technical Services 

541	Professional, Scientific, and Technical Services 

55	Management of Companies and Enterprises 

551	Management of Companies and Enterprises 

56	Administrative and Support and Waste Management and Remediation
Services 

561	Administrative and Support Services 

562	Waste Management and Remediation Services 

61	Educational Services 611	Educational Services 

62	Health Care and Social Assistance 

621	Ambulatory Health Care Services 

622	Hospitals 

623	Nursing and Residential Care Facilities 

624	Social Assistance 

71	Arts, Entertainment, and Recreation 

711	Performing Arts, Spectator Sports, and Related Industries 

712	Museums, Historical Sites, and Similar Institutions 

713	Amusement, Gambling, and Recreation Industries 

72	Accommodation and Food Services 

721	Accommodation 

722	Food Services and Drinking Places 

81	Other Services (except Public Administration) 

811	Repair and Maintenance 

812	Personal and Laundry Services 

813	Religious, Grantmaking, Civic, Professional, and Similar 

814	Private Households 

92	Public Administration 

921	Executive, Legislative, and Other General Government Support 

922  	Justice, Public Order, and Safety Activities 

923  	Administration of Human Resource Programs 

924	Administration of Environmental Quality Programs 

925	Administration of Housing Programs, Urban Planning, and C 

926  	Administration of Economic Programs 

927  	Space Research and Technology 

928  	National Security and International Affair

  For purposes of this rule, EPA is using the term electronic reporting
in a sense that excludes submission of a report via magnetic media,
(i.e., via diskette, compact disc, or tape). EPA is also excluding
transmission via hard copy facsimile. Likewise, EPA's use of the term
"electronic document" throughout this ICR refers exclusively to
documents that are transmitted via a telecommunications network,
excluding hard copy facsimile.

 Title XVII of Pub. L. 105-277

 . Updated hourly wage rates were inflated to 2007 dollars. The Bureau
of Labor Statistics (BLS) employment cost index (available at
http://www.bls.gov/news.release/eci.t02.htm) was used to inflate the
wage rates

 Capital costs in Exhibit 2 have been annualized at the OMB-approved
discount rate of seven percent over ten years.

 	Updated hourly wage rates were inflated to 2007 dollars. The Bureau of
Labor Statistics (BLS) employment cost index (available at
http://www.bls.gov/news.release/eci.t02.htm) was used to inflate the
wage rates

  In this regard, the General Services Administration (GSA) has
established an electronic signature certification program, ACES. EPA may
use ACES for certain of its information collections, if applicable. The
federal government has already received approval from the OMB to request
respondent information to issue electronic signature certificates under
the ACES program. Refer to the Supporting Statement, ACES for the burden
to individuals under the ACES program.

CSC Standard Words List

 PAGE   12 

 PAGE   

 12 

 PAGE   

 

i

  PAGE  1-1 

  PAGE  1 

  PAGE  15 

  PAGE  19 

  PAGE  22 

  PAGE  23 

  PAGE  28 

  PAGE  32 

  PAGE  34 

 

