[Federal Register Volume 70, Number 197 (Thursday, October 13, 2005)]
[Rules and Regulations]
[Pages 59848-59889]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 05-19601]



[[Page 59847]]

-----------------------------------------------------------------------

Part III





Environmental Protection Agency





-----------------------------------------------------------------------



40 CFR Parts 3, 9, 51 et al.



Cross-Media Electronic Reporting; Final Rule

Federal Register / Vol. 70, No. 197 / Thursday, October 13, 2005 / 
Rules and Regulations

[[Page 59848]]


-----------------------------------------------------------------------

ENVIRONMENTAL PROTECTION AGENCY

40 CFR Parts 3, 9, 51, 60, 63, 69, 70, 71, 123, 142, 145, 162, 233, 
257, 258, 271, 281, 403, 501, 745 and 763

[FRL-7977-1]
RIN 2025-AA07


Cross-Media Electronic Reporting

AGENCY: Environmental Protection Agency (EPA).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: EPA is establishing the framework by which it will accept 
electronic reports from regulated entities in satisfaction of certain 
document submission requirements in EPA's regulations. EPA will provide 
public notice when the Agency is ready to receive direct submissions of 
certain documents from regulated entities in electronic form consistent 
with this rulemaking via an EPA electronic document receiving system. 
This rule does not mandate that regulated entities utilize electronic 
methods to submit documents in lieu of paper-based submissions. In 
addition, EPA is not taking final action on the electronic 
recordkeeping requirements at this time.
    States, tribes, and local governments will be able to seek EPA 
approval to accept electronic documents to satisfy reporting 
requirements under environmental programs that EPA has delegated, 
authorized, or approved them to administer. This rule includes 
performance standards against which a state's, tribe's, or local 
government's electronic document receiving system will be evaluated 
before EPA will approve changes to the delegated, authorized, or 
approved program to provide electronic reporting, and establishes a 
streamlined process that states, tribes, and local governments can use 
to seek and obtain such approvals.

DATES: This rule shall become effective January 11, 2006.

ADDRESSES: The public record for this rulemaking has been established 
under docket number OEI-2003-0001 and is located in the EPA Docket 
Center, (EPA/DC) EPA West, Room B102, 1301 Constitution Ave., NW., 
Washington, DC. The EPA Docket Center Public Reading Room is open from 
8:30 a.m. to 4:30 p.m., Monday through Friday, excluding legal 
holidays. (See SUPPLEMENTARY INFORMATION below.)

FOR FURTHER INFORMATION CONTACT: For general information on this final 
rule, contact the docket above. For more detailed information on 
specific aspects of this rulemaking, contact David Schwarz (2823T), 
Office of Environmental Information, U.S. Environmental Protection 
Agency, 1200 Pennsylvania Avenue, NW., Washington, DC 20460, (202) 566-
1704, schwarz.david@epa.gov, or Evi Huffer (2823T), Office of 
Environmental Information, U.S. Environmental Protection Agency, 1200 
Pennsylvania Avenue, NW., Washington, DC 20460, (202) 566-1697, 
huffer.evi@epa.gov.

SUPPLEMENTARY INFORMATION:

General Information

A. Affected Entities

    This rule will potentially affect states, tribes, and local 
governments that have been delegated, authorized, or approved, or which 
seek delegation, authorization, or approval to administer a federal 
environmental program under Title 40 of the Code of Federal Regulations 
(CFR). For purposes of this rulemaking, the term ``state'' includes the 
District of Columbia and the United States territories, as specified in 
the applicable statutes. That is, the term ``state'' includes the 
District of Columbia, the Commonwealth of Puerto Rico, the Virgin 
Islands, Guam, American Samoa, the Commonwealth of Northern Marina 
Islands, and the Trust Territory of the Pacific Islands, depending on 
the statute.
    The rule will also potentially affect private parties subject to 
any requirements in Title 40 of the CFR that require a document to be 
submitted to EPA. Affected Entities include, but are not necessarily 
limited to:

------------------------------------------------------------------------
                                                Examples of affected
                 Category                             entities
------------------------------------------------------------------------
Local government..........................  Publicly owned treatment
                                             works, owners and operators
                                             of treatment works treating
                                             domestic sewage, local and
                                             regional air boards, local
                                             and regional waste
                                             management authorities, and
                                             municipal and other
                                             drinking water authorities.
Private...................................  Industry owners and
                                             operators, waste
                                             transporters, privately
                                             owned treatment works or
                                             other treatment works
                                             treating domestic sewage,
                                             privately owned water
                                             works, small businesses of
                                             various kinds, sponsors
                                             such as laboratories that
                                             submit or initiate/support
                                             studies, and testing
                                             facilities that both
                                             initiate and conducts
                                             studies.
Tribe and State governments...............  States, tribes or
                                             territories that administer
                                             any federal environmental
                                             programs delegated,
                                             authorized, or approved by
                                             EPA under Title 40 of the
                                             CFR.
Federal government........................  Federally owned treatment
                                             works and industrial
                                             dischargers, and federal
                                             facilities subject to
                                             hazardous waste regulation.
------------------------------------------------------------------------

    This table is not intended to be exhaustive, but rather provides a 
guide for readers regarding entities likely to be affected by this 
action. This table lists the types of entities that EPA is now aware 
can potentially be affected by this action. Other types of entities not 
listed in the table can also be affected. If you have questions 
regarding the applicability of this action to a particular entity, 
consult the person listed in the preceding FOR FURTHER INFORMATION 
CONTACT section.

B. How Can I Get Copies of This Document and Other Related Information?

    1. Docket. EPA has established an official public docket for this 
action under Docket ID No. OEI-2003-0001. The official public docket 
consists of the documents specifically referenced in this action, any 
public comments received, and other information related to this action. 
Although a part of the official docket, the public docket does not 
include Confidential Business Information (CBI) or other information 
whose disclosure is restricted by statute. The official public docket 
is the collection of materials that is available for public viewing at 
the Cross-Media Electronic Reporting Rule (CROMERR) Docket in the EPA 
Docket Center (EPA/DC), EPA West, Room B102, 1301 Constitution Ave., 
NW., Washington, DC. The EPA Docket Center Public Reading Room is open 
from 8:30 a.m. to 4:30 p.m., Monday through Friday, excluding legal 
holidays. The telephone number for the Public Reading Room is (202) 
566-1744, and the telephone number for the Office of Environmental 
Information Docket is (202) 566-1752. You may have to pay a reasonable 
fee for copying.
    An electronic version of the public docket is available through 
EPA's

[[Page 59849]]

electronic public docket and comment system, EDOCKET. You may use 
EDOCKET at http://www.epa.gov/edocket/ to view public comments, access 
the index listing of the contents of the official public docket, and to 
access those documents in the public docket that are available 
electronically. Although not all docket materials may be available 
electronically, you may still access any of the publicly available 
docket materials. After selecting the ``Using EDOCKET'' icon, select 
``quick search,'' then key in the appropriate docket identification 
number. Double click on the document identification number to bring up 
the docket contents.
    2. Electronic Access. You may access this Federal Register document 
electronically through the EPA Internet under the ``Federal Register'' 
listings at http://www.epa.gov/fedrgstr/.

Organization of This Document

    Information in this Preamble is organized as follows:
I. Overview
    A. Why does the Agency seek to provide electronic alternatives 
to paper-based reporting and recordkeeping?
    B. What does the electronic reporting rule do?
    C. What is the status of the proposed electronic recordkeeping 
provisions?
    D. How were stakeholders consulted during the development of 
today's final rule?
    E. What alternatives to today's final rule did EPA consider?
II. Background
    A. What has been EPA's electronic reporting policy?
    B. How does today's final rule change EPA's electronic reporting 
policy?
III. Scope of the Electronic Reporting Rule
    A. Who may submit electronic documents?
    B. Which documents can be filed electronically?
    C. How does this final rule implement electronic reporting?
IV. Major Changes from Proposed Electronic Reporting Provisions
    A. How does the rule streamline the approval of electronic 
reporting under authorized state, tribe, and local government 
programs?
    1. Review of the proposal
    2. Comments on the proposal
    3. Revisions in the final rule
    B. How has EPA revised the requirements that state, tribe, and 
local government electronic reporting programs must satisfy?
    1. Review of the proposal
    2. Comments on the proposed criteria for electronic document 
receiving systems
    3. Revisions to the criteria in the final rule
    C. How has EPA accommodated electronic submissions with follow-
on paper certifications?
    D. How has EPA changed proposed definitions of terms?
    1. Definition of ``acknowledgment''
    2. Definition of ``electronic document''
    3. Definition of ``electronic signature''
    4. Definition of ``electronic signature device''
    5. Definition of ``transmit''
    6. Definition of ``valid electronic signature''
V. Requirements for Direct Electronic Reporting to EPA
    A. What are the requirements for electronic reporting to EPA?
    B. What is the status of existing electronic reporting to EPA?
    C. What is EPA's Central Data Exchange?
    1. Overview of general goals
    2. Comments on the proposal
    3. The aspects of CDX that have not changed since proposal
    4. The major changes that EPA has made to CDX since proposal
    D. How will EPA provide notice of changes to CDX?
VI. Requirements for Electronic Reporting under EPA-Authorized 
Programs
    A. What is the general regulatory approach?
    B. When must authorized state, tribe, or local government 
programs revise or modify their programs to allow electronic 
reporting?
    1. The general requirement
    2. Deferred compliance for existing systems
    C. What alternative procedures does EPA provide for revising or 
modifying authorized state, tribe, or local government programs for 
electronic reporting?
    1. The application
    2. Review for completeness
    3. EPA actions on applications
    4. Revisions or modifications associated with existing systems
    5. Public hearings for Part 142 revisions or modifications
    6. Re-submissions and amendments
    D. What general requirements must state, tribe, and local 
government electronic reporting programs satisfy?
    E. What standards must state, tribe, and local government 
electronic document receiving systems satisfy?
    1. Timeliness of data generation
    2. Copy of record
    3. Integrity of the electronic document
    4. Submission knowingly
    5. Opportunity to review and repudiate copy of record
    6. Validity of the electronic signature
    7. Binding the signature to the document
    8. Opportunity to review
    9. Understanding the act of signing
    10. The electronic signature or subscriber agreement
    11. Acknowledgment of receipt
    12. Determining the identity of the individual uniquely entitled 
to use a signature device
VII. What are the Costs of Today's Rule?
    A. Summary of proposal analysis
    B. Final rule costs
    C. General changes to methodology and assumptions
VIII. Statutory and Executive Order Reviews
    A. Executive Order 12866
    B. Executive Order 13132
    C. Paperwork Reduction Act
    D. Regulatory Flexibility Act
    E. Unfunded Mandates Reform Act
    F. National Technology Transfer and Advancement Act
    G. Executive Order 13045
    H. Executive Order 13175
    I. Executive Order 13211 (Energy Effects)
    J. Congressional Review Act

I. Overview

A. Why does the Agency seek to provide electronic alternatives to 
paper-based reporting and recordkeeping?

    In the Federal Register of August 31, 2001 (66 FR 46162), EPA 
published a notice of proposed rulemaking, announcing the goal of 
making electronic reporting and electronic recordkeeping available 
under EPA regulatory programs. The Agency believes that the submission 
and storage of electronic documents in lieu of paper documents can:
     Reduce the cost and burden of data transfer and 
maintenance for all parties to the data exchanges;
     Improve the data and the various business processes 
associated with its use in ways that may not be reflected directly in 
cost-reduction, e.g., through improvements in data quality, and the 
speed and convenience with which data may be transferred and used; and
     Maintain the level of corporate and individual 
responsibility and accountability for electronic reports and records 
that currently exists in the paper environment.

Recent federal policy and law are also strong drivers of electronic 
alternatives to traditional reporting and recordkeeping. The Government 
Paperwork Elimination Act (GPEA) of 1998, Title XVII of Public Law 105-
277, requires the Director of the Office of Management and Budget (OMB) 
to ensure that executive agencies provide for the option of the 
electronic maintenance, submission, or disclosure of information as a 
substitute for paper when practicable, and for the use and acceptance 
of electronic signatures, when practicable. See GPEA section 1704. 
Given the enormous strides in data transfer and management 
technologies, particularly in connection with the Internet, replacing 
paper with electronic data transfer now promises increased productivity 
across almost all facets of business and government.
    In seeking to make electronic alternatives available that were not 
contemplated when most existing EPA regulations were written, EPA was 
mindful of the need to maintain our ability to carry out our statutory 
environmental and health protection mission, in part through ensuring 
the integrity of environmental compliance documents. Accordingly, the 
intended

[[Page 59850]]

effect of the proposed regulation was to permit and encourage the use 
of electronic technologies in a manner that is consistent with EPA's 
overall mission and that preserves the integrity of the Agency's 
compliance and enforcement activities.
    The Agency believes that it is essential to ensure that electronic 
reports can play the same role as their paper counterparts in providing 
evidence of what was reported and to what identified individuals 
certified with respect to the report. Otherwise, electronic reporting 
places at risk the continuing viability of self-monitoring and self-
reporting that provides the framework for compliance under most of our 
environmental programs. The purpose of today's final rule is therefore 
twofold. Today's rule is intended to provide regulated industry, EPA, 
and state, tribe, and local governments with electronic reporting 
alternatives that improve the efficiency, the speed, and the quality of 
regulatory reporting. At the same time, the rule is intended to ensure 
the legal dependability of electronic documents submitted under 
environmental programs. This includes, among other things, ensuring 
that individuals will be held as responsible and accountable for the 
electronic signatures, which they execute, and for the documents to 
which such signatures attest as they currently are in cases of 
documents where they execute handwritten signatures.

B. What does the electronic reporting rule do?

    EPA is announcing today the final regulatory provisions in a new 
part 3 of Title 40 of the CFR for electronic reporting to EPA and under 
authorized state, tribe, and local government programs. ``Authorized 
program'' is shorthand for a federal program that EPA has delegated, 
authorized, or approved a state, tribe or local government to 
administer under other provisions of title 40 of the CFR, where the 
delegation, authorization, or approval has not been withdrawn or 
expired. Section 3.3 of the rule codifies this usage in the regulatory 
text. This use of ``authorized'' does not mean that EPA is precluded 
from an enforcement action by a prior enforcement action being taken by 
a state, tribe, or local government under its authorized program. The 
final rule incorporates changes made after publication of the proposed 
rule that are discussed in detail in section IV of this Preamble. This 
rule establishes electronic reporting as an acceptable regulatory 
alternative across a broad spectrum of EPA programs, and establishes 
requirements to assure that electronic documents are as legally 
dependable as their paper counterparts.
    The requirements in Subpart B of the rule apply to entities that 
choose to submit electronic documents for direct reporting to EPA, 
including state, tribe, and local government facilities that choose to 
submit electronic documents to EPA to satisfy requirements that apply 
to them under other provisions of title 40 of the CFR. However, the 
scope of this final rule excludes any data transfers between EPA and 
states, tribes, or local governments as a part of their authorized 
programs or as a part of administrative arrangements between states, 
tribes, or local governments and EPA to share data. The requirements in 
Subpart D of the rule provide for electronic reporting under authorized 
state, tribe, and local government programs and apply to the 
governmental entities administering the authorized programs. Under the 
final rule, states, tribes, and local governments have the choice of 
using electronic submission rather than paper for reporting under their 
authorized programs. Comments on the proposed rule indicated that some 
states and local governments are now requiring electronic reporting 
under those programs. Existing electronic document receiving systems 
must receive EPA approval in accordance with Subpart D in order to meet 
the requirements of part 3.
    This rule does not require that any document be submitted 
electronically, and it does not require any state, tribe, or local 
authorized program to receive electronic documents. Public access to 
environmental compliance information is not affected by today's action.
    Additionally, the scope of the final rule specifically excludes the 
submission of any electronic document via magnetic or optical media--
for example via diskette, compact disk (CD), digital video disc (DVD), 
or tape--as well as the transmission of documents via hard copy 
facsimile or ``fax.'' The exclusion of magnetic or optical media 
submissions from the scope of this rule in no way indicates EPA's 
rejection of these technologies as a valid approach to paperless 
reporting. Magnetic and optical media submissions fulfill the goal of 
providing alternatives to submission on paper. EPA has already 
successfully implemented a paperless reporting alternative that 
utilizes magnetic and optical media submissions to fulfill many 
regulatory reporting requirements. Such instances include reporting 
related to the hazardous waste, Toxic Release Inventory, and pesticide 
registration programs. EPA expects these magnetic and optical media 
approaches to paperless reporting to continue, and nothing in today's 
rule should be interpreted to proscribe or discourage them.
    For entities that report to EPA directly and do so by submitting 
electronic documents, today's action requires that these documents be 
submitted either to the Agency's centralized electronic document 
receiving system, called the ``Central Data Exchange'' (CDX), or to 
alternative systems designated by the Administrator as described herein 
and in a separate Federal Register notice. Entities that submit 
electronic documents directly to EPA will satisfy the requirements in 
today's rule by successfully submitting their reports to one of these 
systems. While we do not intend to codify any of the details of how CDX 
operates or how it is constructed, the characteristics of the CDX and 
the submission scenarios are described later in this Preamble. In 
addition, the CDX design specifications are included as a part of this 
rulemaking docket.
    Many facilities submit documents directly to states, tribes, or 
local governments under authorized programs. For currently authorized 
programs that receive or wish to begin receiving electronic documents 
in lieu of paper, this rule requires EPA approval of program revisions 
or modifications that address their electronic reporting 
implementations. For programs initially seeking authorization, this 
rule requires EPA approval of any electronic reporting components of 
the programs. In both cases, EPA approval will be based largely on an 
assessment of the program's ``electronic document receiving system'' 
that is or will be used to implement electronic reporting. For this 
purpose, this rule includes performance-based standards that EPA will 
use to determine that an electronic document receiving system is 
acceptable. To implement electronic reporting under currently 
authorized programs, EPA is creating a streamlined procedure that 
states, tribes, and local governments may use to revise or modify their 
authorized programs to incorporate electronic reporting. Today's 
rulemaking also includes special provisions for authorized programs' 
electronic document receiving systems that exist at the time of 
publication of this final rule.
    It is worth noting that EPA can approve changes to authorized 
state, tribe, or local programs that involve the use of CDX to receive 
data submissions from their reporting communities, and EPA is exploring 
opportunities to

[[Page 59851]]

leverage CDX resources for use by states, tribes, and local 
governments. As currently implemented, CDX provides the major systems 
infrastructure components necessary to achieve electronic reporting 
consistent with the standards in this rule for assessing state, tribe, 
or local government electronic document receiving systems. 
Additionally, EPA has set the goal of making CDX operations fully 
consistent with the requirements in today's rule within two years.
    While today's rule establishes electronic reporting as a regulatory 
alternative, EPA will make the electronic submission alternative 
available for specific reports or other documents only as EPA announces 
its readiness to receive them through CDX or another designated system. 
EPA will publish announcements in the Federal Register as CDX and other 
systems become available for particular environmental reports. These 
elements are discussed in more detail in section V of this Preamble.
    In a notice published concurrently with today's rule, EPA clarifies 
the status of electronic reporting directly to EPA systems that exist 
as of the rule's publication date. In accordance with 40 CFR 3.10, EPA 
is designating for the receipt of electronic submissions, all EPA 
electronic document receiving systems currently existing and receiving 
electronic reports as of the date of the notice. This designation is 
valid for a period of up to two years from the date of publication of 
the notice. During this two-year period, entities that report directly 
to EPA may continue to satisfy EPA reporting requirements by reporting 
to the same systems as they did prior to CROMERR's publication unless 
EPA publishes a notice that announces changes to, or migration from, 
that system. Any existing system continuing to receive electronic 
reports at the expiration of this two-year period must receive 
redesignation by the Administrator under Sec.  3.10. Notice of such 
redesignation will be published in the Federal Register.

C. What is the status of the proposed electronic recordkeeping 
provisions?

    At this time, EPA is only finalizing the provisions for electronic 
reporting to EPA and under authorized programs. The August 31, 2001, 
proposal, however, also addressed records that EPA or authorized 
programs require entities to maintain under any of the environmental 
programs governed by Title 40 of the CFR or related state, tribe, and 
local laws and regulations. For such records, EPA proposed specific 
provisions for administering the maintenance of electronic records 
under these environmental regulations. EPA proposed criteria under 
which the Agency would consider electronic records to be trustworthy, 
reliable, and generally equivalent to paper records in satisfying 
regulatory requirements. For entities that choose to keep records 
electronically, the proposal would have required the adoption of best 
practices for electronic records management. For facilities maintaining 
records to satisfy the requirements of authorized programs, the 
proposal would have allowed for EPA approval of changes to the 
authorized programs to provide for electronic recordkeeping. Under the 
proposal, approval would have been based on a determination that the 
authorized program would require best practices for electronic records 
management, corresponding to EPA's provisions for electronic records 
maintained to satisfy EPA recordkeeping requirements.
    Further, EPA proposed that once the rule took effect, any records 
subject to the rule that were maintained to satisfy the requirements of 
EPA programs could only be maintained electronically after EPA 
announced in the Federal Register that EPA was ready to allow 
electronic records maintenance to satisfy the specified recordkeeping 
requirements. Also under the proposal, records maintained under an 
authorized state, tribe, or local government program could only be 
maintained electronically once EPA had approved the necessary changes 
to the authorized program.
    Based on the comments received on the proposed electronic 
recordkeeping provisions, EPA reconsidered its approach to electronic 
recordkeeping and is not issuing final recordkeeping rules at this 
time. The Agency is conducting additional analysis and intends to 
publish a supplemental notice or re-proposal to solicit additional 
comments before a final rule on electronic recordkeeping is issued. We 
will be reviewing provisions related to the methods used to ensure 
accuracy, accessibility and the ability to detect alterations of 
records stored electronically, as well as other possible controls for 
electronic recordkeeping. The Agency intends to utilize this review to 
engage states, tribes, local governments, and industry in meaningful 
consultation to ensure that the EPA has the best available information 
on which to base its decisions. In conjunction with these 
consultations--and before issuing any notice or re-proposal--EPA will 
conduct additional analysis on the costs and benefits of alternative 
approaches, and the technical feasibility of various options, with a 
focus on impacts to small businesses. Today's rule does not authorize 
the conversion of existing paper documents retained to comply with 
existing recordkeeping requirements under other provisions of Title 40 
of the CFR to an electronic format for record-retention purposes.

D. How were stakeholders consulted during the development of today's 
final rule?

    This final rule reflects more than ten years of interaction with 
stakeholders that included states, tribes, and local governments, 
industry groups, environmental non-government organizations, national 
standard setting committees, and other federal agencies. As detailed in 
the proposal, many of our most significant interactions involved 
electronic reporting pilot projects conducted with state agency 
partners, including the States of Pennsylvania, New York, Arizona, and 
several others. In May, 1997, work began with approximately 35 states 
on the State Electronic Commerce/Electronic Data Interchange Steering 
Committee (SEES) convened by the National Governors' Association (NGA) 
Center for Best Practices (CBP). Also, EPA sponsored a series of 
conferences and meetings, beginning in June, 1999, with the explicit 
purpose of seeking stakeholder advice before drafting the proposal. 
Reports of these conferences and meetings are available in the docket 
for this rulemaking, along with the product of the SEES effort, a 
document entitled, ``A State Guide for Electronic Reporting of 
Environmental Data,'' and reports on some of the more recent state/EPA 
electronic reporting pilots.
    For the proposal, EPA provided a 6-month public comment period, 
which closed on February 27, 2002. During that time, we received 184 
sets of written comments on the proposed rule. The commenters 
represented a broad spectrum of interested parties: States, local 
governments, specific businesses, trade associations, and other federal 
agencies. Substantive changes to the electronic reporting provisions 
based on public comments are discussed in detail in section IV of this 
Preamble. In addition, EPA received comments at four public meetings 
held around the country and at two meetings with states held in 
Washington, DC. The comments and meeting summaries can be found in the 
docket to this rulemaking. Today's final rule reflects many of the 
comments and concerns raised by commenters on the proposal. (A complete 
discussion of the options considered by EPA and other background 
information on the Agency's policy on electronic reporting

[[Page 59852]]

can be found in the proposed rule.) The majority of comments focused on 
the costs and burden of the proposed Subpart D electronic recordkeeping 
provisions. EPA's response to public comments to the proposal can be 
found in the rulemaking docket, in the Response to Comments document.

E. What alternatives to today's final rule did EPA consider?

    EPA considered both a more stringent and a less stringent 
alternative to the regulatory approach taken in this rule. The more 
stringent alternative is reflected in the electronic provisions 
published, August 31, 2001, in the Notice of Proposed Rulemaking for 
CROMERR. The proposed version of CROMERR was more stringent by virtue 
of setting much more prescriptive, detailed requirements that 
electronic document receiving systems would have to satisfy. For 
example:
     Proposed Sec.  3.2000(d) contained very specific 
requirements for submitter identity management that a system would have 
to satisfy, including detailed requirements for renewal of registration 
and revocation of registration under specified circumstances;
     Proposed Sec.  3.2000(e) contained very detailed 
requirements for the signature/certification scenario that a system 
would have to provide for, specifying the exact sequence of steps to be 
followed in electronically signing a submission, and requiring such 
features as on-screen, scroll-through presentation of the data to be 
submitted for review of the signatory prior to signing.
    EPA received significant public comment on this approach, both from 
states and from regulated companies, and there were at least three 
closely related themes. The first was that such prescriptive 
requirements would greatly limit the flexibility of states to implement 
electronic reporting in a cost-effective way. The second theme was that 
many of the requirements--especially those specifying the signature/
certification scenario--were not appropriate to many cases where 
electronic reporting would occur. Third and finally, many of these 
commenters expressed skepticism that these very detailed requirements 
represented the only possible approach to ensuring the legal 
dependability of electronic submissions and signatures. These themes 
are discussed in detail in section IV.B of this Preamble.
    EPA also considered a less stringent alternative that would have 
refrained from specifying requirements to establish the identity of an 
individual to whom a signature device or credential (e.g. a PIN, 
password, or PKI certificate) is issued. This less stringent 
alternative would have omitted the provision for identity-proofing in 
the final Sec.  3.2000(b)(5)(vii). In terms of regulatory impact, this 
would be a significant reduction in stringency. Most of the burden on 
regulated entities imposed by today's rule is associated with the 
registration process involved in obtaining a signature device or 
credential, and any requirement to establish the registrant's identity 
raises the aggregate burden substantially.
    EPA rejected this less stringent alternative, because we believe 
that it would seriously undermine the rule's ability to assure the 
legal dependability of electronic submissions. It is a basic principle 
of electronic authentication (E-authentication) that individuals being 
authenticated are who they say they are. E-authentication depends 
critically on the degree of trust we can place in the credential the 
individual presents, and such trust depends heavily on the process of 
establishing the individual's identity (or ``identity-proofing'') when 
he or she first registers for the credential. If the identity-proofing 
process is not sufficiently stringent and credible, then it may be 
uncertain who is using the credential in a specific instance where it 
is presented. Where the credential is used to create an electronic 
signature, inadequate identity-proofing may create uncertainty as to 
who the signatory is, as a result, the signature may be rendered 
undependable for any legal purpose. Accordingly, EPA believes that, 
notwithstanding the cost, it is necessary to specify that identity-
proofing be conducted. The Sec.  3.2000(b)(5)(vii) identity-proofing 
requirement is explained in detail in section VI.E.12 of this Preamble.

II. Background

A. What has been EPA's electronic reporting policy?

    On September 4, 1996, EPA published a document entitled ``Notice of 
Agency's General Policy for Accepting Filing of Environmental Reports 
via Electronic Data Interchange (EDI)'' (61 FR 46684) (hereinafter 
referred to as `the 1996 Policy'), where ``EDI'' generally refers to 
the transmission, in a standard syntax, of unambiguous information 
between computers of organizations that may be completely external to 
each other. This notice announced EPA's basic policy for accepting 
electronically submitted environmental reports, and its scope was 
intended to include any regulatory, compliance, or informational 
(voluntary) reporting to EPA via EDI.
    For purposes of the 1996 policy, the standard transmission formats 
used by EPA were to be based on the EDI standards developed and 
maintained by the American National Standards Institute (ANSI) 
Accredited Standards Committee (ASC) X12. By linking our approach to 
the ANSI X12 standards, we hoped to take advantage of the robust ANSI-
based EDI infrastructure already in place for commercial transactions, 
including a wide array of commercial off-the-shelf (COTS) software 
packages and communications network services, and a growing industry 
community of EDI experts available both to EPA and to the regulated 
community. At the time EPA was writing this policy, ANSI-based EDI was 
arguably the dominant mode of electronic commerce across almost all 
business sectors, from aerospace to wood products, at least in the 
United States. (A complete discussion of EPA's 1996 policy can be found 
in the preamble to the proposed rule.)
    With this final rule, EPA is making changes to the 1996 policy for 
three primary reasons. First, and most important, the technology 
environment has changed substantially since the 1996 policy was 
written. Web-based electronic commerce and public key infrastructure 
(PKI) are two examples. While both were available and in use for some 
purposes in 1996, they had not yet achieved the level of acceptance and 
use that they enjoy today. We could not have anticipated in 1996 that 
this evolution would occur as rapidly as it has. Clearly, these 
developments require that we extend our approach to electronic 
reporting beyond EDI and Personal Identification Numbers (PINs). In 
addition, they teach us that it is generally unwise to base regulatory 
requirements on the existing information technology environment or on 
assumptions about the speed and direction of technological evolution.
    Second, we believe that technology-specific provisions would be 
very complex and unwieldy. The resulting regulation would likely place 
unacceptable burdens on regulated entities trying to understand and 
comply.
    Third, and finally, an electronic reporting architecture that makes 
a centralized EPA or state system the platform for such functions as 
electronic signature/certification is now quite viable--and quite 
consistent with the standard practices of Web-based electronic 
commerce. Given the state of technology six years ago, we could not

[[Page 59853]]

have considered this approach in the 1996 policy.

B. How does today's final rule change EPA's electronic reporting 
policy?

    For practical purposes, the most important change that today's rule 
makes is in our technical approach to electronic reporting. In contrast 
to the 1996 policy, today's rule does not generally specify or limit 
the range of allowable electronic submission technologies and formats. 
Under today's rule, complaint electronic reporting approaches can 
include user-friendly `smart' electronic forms to be completed on-line 
or downloaded for completion off-line at the user's personal computer, 
as well as data transfers via the Internet or secure email in a variety 
of standard and common off-the-shelf, application-based formats. 
Similarly, in terms of electronic signature technology, the rule allows 
for a range of approaches, including various implementations of PINs 
and passwords, the use of private or personal information, digital 
signatures based on PKI certificates, and other signature technologies 
as they become viable for our applications. As EPA or authorized 
programs implement electronic submission for specific reports, the rule 
allows them to select one or more of the available submission and 
signature approaches according to their circumstances and the program-
specific requirements.
    EPA's goals are to make this electronic reporting alternative as 
simple, attractive and cost-effective as possible for reporting 
entities, while ensuring that electronically submitted documents are as 
legally dependable as their paper counterparts. We believe that today's 
rule achieves these goals, but--unlike the 1996 policy--without 
requiring specific technologies or setting detailed procedural steps 
for the submission of electronic documents. Our strategy--as initially 
set out in the August 31, 2001, notice of proposed rulemaking, and as 
finalized today--is to impose as few specific requirements as possible 
on reporting entities, and to generally keep requirements neutral with 
respect to technology. As a consequence, today's rule enables EPA, the 
states, tribes, and local governments to offer regulated companies 
diverse approaches to electronic reporting that can be tailored to 
their technical capabilities and to the level of automation they wish 
to achieve. In addition, the strategy gives EPA, the states, tribes, 
and local governments the flexibility to adapt electronic reporting 
systems to evolving technologies without requiring that regulations be 
amended with each technological innovation.
    However, this regulatory strategy does not mean abandoning any 
control over how electronic documents are submitted. In place of 
specific technologies or detailed procedural steps, today's rule 
requires that electronic submissions be made to CDX or other designated 
EPA systems, or to state, tribe, or local government systems that are 
determined to satisfy a certain specified set of technology-neutral 
performance standards. As a practical matter, the use of these systems 
(e.g., CDX or others that meet the specified performance standards) 
will involve submission procedures that we believe are sufficient to 
ensure the legal dependability of electronic reports so that they meet 
the needs of our compliance and enforcement programs. In addition, 
while the specified performance standards may be technology-neutral, 
agency electronic reporting systems that implement the standards will 
incorporate suites of very specific technologies that will further 
determine the process for actual electronic submission. Sections V.B 
and V.C of this Preamble describe these requirements and the associated 
technologies in some detail for the case of reporting directly to EPA 
via CDX.

III. Scope of the Electronic Reporting Rule

    EPA is today promulgating a new Part 3 in Title 40 of the CFR. The 
new Part applies to all persons who submit reports or other documents 
to EPA under Title 40, and to state, tribe, and local programs that 
administer or seek to administer authorized programs under Title 40. 
The new part 3 does not address contracts, grants or financial 
management regulations contained in Title 48 of the CFR.

A. Who may submit electronic documents?

    Any entity that submits documents addressed in this rule (see 
section III.B., below) directly to EPA can submit them electronically 
as soon as EPA announces that CDX or a designated alternative system is 
ready to receive these reports. (See section V of this Preamble for a 
discussion on requirements for electronic reporting to EPA, and section 
V.B for a discussion of the status of electronic reporting directly to 
EPA systems that exist as of the rule's publication date.) Under this 
rule, the affected entities may elect to utilize the electronic 
reporting alternative. These entities are not required by this final 
rule to report electronically; however, they may be required to report 
electronically under other Title 40 regulations, and nothing in today's 
rule limits EPA's ability to require electronic reporting under other 
parts of Title 40.
    In general, entities may submit documents electronically as 
provided for under authorized state, tribe, or local government 
programs. Nothing in this rule prohibits state, tribe, or local 
governments from requiring electronic reporting under applicable state, 
tribe, or local law.

B. Which documents can be filed electronically?

    This rule addresses document submissions required by or permitted 
under any EPA or authorized state, tribe, or local program governed by 
EPA's regulations in Title 40 of the CFR. Nonetheless, EPA will need 
time to develop the hardware and software components required for each 
individual type of document. Similarly, states, tribes, and local 
governments will need time to evaluate their electronic document 
receiving systems to ensure that they meet the standards promulgated in 
today's final rule. Accordingly, once this rule takes effect, specific 
documents submitted directly to EPA that are not already being 
submitted electronically to existing EPA systems can only be submitted 
electronically after EPA announces in the Federal Register that CDX or 
an alternative system is ready to receive those specific documents. 
(See section V.B of this Preamble for a discussion of the status of 
electronic reporting directly to EPA systems that exist as of the 
rule's publication date.) Documents may be submitted electronically 
under the provisions of an authorized state, tribe, or local program.

C. How does this final rule implement electronic reporting?

    The new 40 CFR part 3 consists of four (4) Subparts. Subpart A 
provides that any requirement in Title 40 to submit a report directly 
to EPA can be satisfied with an electronic submission that meets 
certain conditions (specified in Subpart B) once the Agency publishes a 
notice that electronic document submission is available for that 
requirement. Subpart A also provides that electronic reporting can be 
made available under EPA-authorized state, tribe, or local 
environmental programs. In addition, Subpart A makes clear: (1) that 
electronic document submission, while permissible under the terms of 
this rule, is not required by any provision of this rule; and (2) that 
this rule confers no right or privilege to submit data electronically 
and does not obligate EPA or states, tribes, or local

[[Page 59854]]

agencies to accept electronic data. Subpart A also contains key 
definitions and discusses compliance and enforcement.
    Subpart B sets forth the general requirements for acceptable 
electronic documents submitted to EPA. It provides that electronic 
documents must be submitted either to CDX or to other EPA designated 
systems. It also includes general requirements for electronic 
signatures. The requirements in Subpart B apply to entities that submit 
electronic documents for direct reporting to EPA, including states, 
tribes, and local governments that submit electronic documents to EPA 
to satisfy requirements that apply to them under Title 40 of the CFR. 
Subpart B does not apply to any data transfers between EPA and states, 
tribes, or local governments as a part of their authorized programs or 
as a part of administrative arrangements between states, tribes, or 
local governments and EPA to share data. Additionally, Subpart B does 
not apply to the submission of any electronic document via magnetic or 
optical media--for example via diskette, compact disk, or tape--or to 
the transmission of documents via hard copy facsimile or ``fax.''
    Subpart C is reserved for future EPA electronic recordkeeping 
requirements.
    Finally, Subpart D sets forth the process and standards for EPA 
approval of changes to authorized state, tribe, and local environmental 
programs to allow electronic reporting to satisfy requirements under 
these programs. Again, for purposes of Subpart D, ``electronic 
reporting'' entails submission via telecommunications, and Subpart D 
requirements do not apply in cases of submission via magnetic or 
optical media or hard copy ``fax.'' With respect to electronic 
reporting, Subpart D includes simplified performance-based standards 
for acceptable state, tribe, or local agency electronic document 
receiving systems against which EPA will assess authorized program 
electronic reporting elements. It also provides a streamlined process 
for approving applications for revisions to authorized programs for 
electronic reporting.
    Given the provisions of Subpart A, a regulated entity wishing to 
determine whether electronic reporting directly to EPA was available 
under some specific regulation will have to verify that EPA has 
published a Federal Register notice announcing their availability and 
will have to locate any additional provisions or instructions governing 
the electronic alternative for the particular reporting requirement. To 
facilitate this determination, EPA intends to maintain an easily 
accessed list of EPA reports for which electronic reporting has been 
implemented--cross-referencing the applicable Federal Register 
notices--on the Exchange Network and Grants webpage at www.epa.gov/
exchangenetwork.

IV. Major Changes From Proposed Electronic Reporting Provisions

A. How does the rule streamline the approval of electronic reporting 
under authorized state, tribe, and local government programs?

    1. Review of the proposal. EPA proposed that states, tribes, and 
local governmental entities would use the procedures for program 
revision or modification provided in existing program-specific 
regulations governing state, tribe, or local authorized programs.
    In the Preamble to the proposed rule, we noted that our approach 
raised certain administrative concerns, especially in cases where a 
governmental entity wished to use a single system to accept electronic 
submissions across a number of authorized programs, corresponding to 
EPA's use of CDX to receive reports across EPA programs. To receive EPA 
approval for such implementations, the governmental entity would have 
to apply for revision or modification under each authorized program 
affected, using procedures that might vary substantially from program 
to program. While these procedures might vary, each substantive review 
would still refer to the same proposed part 3 criteria, and--in the 
case of a single system implementation--would apply these criteria to 
the same system. EPA intended this approach to facilitate an 
administrative streamlining of the approval process, by allowing a 
single EPA review of all cross-program applications associated with a 
particular electronic document receiving system, which would enable EPA 
to make a single decision to approve or disapprove all the associated 
applications. While this approach would not eliminate multiple 
applications, it would at least simplify the interactions between the 
applicant and EPA during substantive review, and would speed EPA action 
on the applications themselves.
    EPA also considered more radical streamlining alternatives, 
including a centralized approval process provided for by regulation, 
and the proposal requested comment on whether any of these alternatives 
would be preferable to the administrative approach to streamlining.
    2. Comments on the proposal. In comments on the provisions for 
electronic reporting under authorized programs, a recurring theme was 
the complexity of the proposed requirements for EPA approval of program 
revisions or modifications to allow electronic reporting. The comments 
in many cases seemed directed equally to the approval process and to 
the proposed criteria for approval. Comments on the criteria are 
discussed in more detail in section IV.B.2 of this Preamble.
    As for the comments that clearly addressed the process, there were 
two major concerns. The first was that the process, due to the various 
current program authorization regulations, is inherently complicated, 
time-consuming and resource-intensive. In a few cases, commenters noted 
the particular worry that having to seek EPA approval for each program 
implementing electronic reporting would be especially burdensome, and 
that EPA's proposed approach of streamlining the internal review 
component of the program revision process would be of little help.
    The second concern was the impact of the rule on electronic 
reporting that was already underway. Commenters noted that many 
authorized programs are already accepting electronic submissions, or 
would be by the time the final rule is published, and they worried 
about the timing of the requirement that the electronic document 
receiving systems they use for this purpose be approved by EPA under 
associated program revision or modification procedures. Under the 
proposed provisions, such systems would have to be EPA-approved as soon 
as the rule became effective, which was not practicable. Given the need 
to address the criteria for approval, such applications could only be 
initiated once the rule was finalized, and they might take months to 
complete and get approved, or substantially longer in cases where the 
revision or modification required state legislative or regulatory 
changes. During the months or years that the revision or modification 
was in process, the authorized program would either have to shut down 
their electronic document receiving systems or, of necessity, operate 
them out of compliance with the rule. Commenters were particularly 
concerned with the disruptive impacts of having to shut these systems 
down. They pointed out that reversion to paper-based submissions in 
such cases may be difficult and expensive, both for the agencies and 
for the submitting entities that are affected, and that resuming

[[Page 59855]]

system operation after a long hiatus may require resources more 
typically associated with system start-up. Additional comments on 
program revision or modification and EPA's responses can be found in 
the rulemaking docket, in the Response to Comments document.
    3. Revisions in the final rule. To address the concern that the 
proposed program revision or modification to accommodate electronic 
reporting was too complicated and burdensome, the final rule provides 
streamlined procedures for adding electronic reporting to existing 
authorized programs. These are optional procedures that a state, tribe, 
or local government may use if it chooses, in place of the applicable 
program-specific procedures, to seek EPA approval for revisions or 
modifications that provide for electronic reporting. EPA believes that 
in most cases these optional procedures will be substantially simpler 
and quicker than their program-specific alternatives. These new 
procedures are discussed in detail in section VI.C of this Preamble.
    To address the concern that the required program revisions or 
modifications may disrupt authorized programs that already have 
electronic reporting underway, the final rule provides for a two-year 
delayed compliance date--in effect, a two-year ``grace period''--before 
such programs have to submit their applications for revision or 
modification. Programs will be allowed this grace period where they 
have systems that fit the definition of ``existing electronic document 
receiving system,'' explained in section VI.B.2 of this Preamble. In 
addition, these provisions allow the grace period to be extended, on a 
case-by-case basis, where an authorized program may need to wait for 
legislative or regulatory changes before a complete application can be 
submitted.

B. How has EPA revised the requirements that state, tribe, and local 
government electronic reporting programs must satisfy?

    1. Review of the proposal. EPA proposed a detailed set of criteria 
that would have to be met by any system that is used to receive 
electronic documents submitted to satisfy document submission 
requirements under any EPA-authorized state, tribe, or local 
environmental program. The proposed criteria addressed the capabilities 
that EPA believed a state, tribe, or local government's electronic 
document receiving system must have regarding six function-specific 
categories: (1) System security, (2) electronic signature method, (3) 
submitter registration, (4) signature/certification scenario, (5) 
transaction record, and (6) system archives.
    These criteria were based upon EPA's consideration of the roles 
that many electronically submitted documents will likely play in 
environmental program management, including compliance monitoring and 
enforcement, and the need to ensure that such roles were not 
compromised by the transition from paper to electronic submission. In 
many respects electronic submission enhances a document's utility for 
environmental programs: it significantly reduces the resources and time 
involved in making the content available to its users, and can greatly 
facilitate data quality assurance and analysis. Nonetheless, electronic 
submissions may also be open to challenge, primarily with respect to 
their authenticity, and particularly where they are used to establish 
the actions and intentions of the submitters. We normally consider such 
uses in the case of environmental reporting, especially where 
electronic submissions are made to report on an entity's compliance 
status and where the submission includes a responsible individual's 
certification to the truth of what is reported. For such cases, EPA 
identified a programmatic need to be able to authenticate the 
submission content and the certification--for example, to be able to 
address issues of fraud or false reporting where they arise--and it is 
primarily this need that was addressed by the six proposed criteria.
    The point of the proposal's six function-specific categories was to 
ensure the authenticity of electronic documents submitted in lieu of 
paper reports, so that they will be able to play the same role as their 
paper counterparts in providing evidence of what was reported and to 
what an identified individual certified with respect to the report. For 
example, in the case of paper submissions, the evidence surrounding a 
handwritten signature is normally sufficient to demonstrate that the 
signature is authentic and rebut any attempt by the signatory to 
repudiate it and EPA intends the standards in today's rule to provide 
evidence for electronic signatures that has a corresponding level of 
non-repudiation. Since these evidentiary issues typically arise in the 
context of judicial or other legal proceedings, electronic documents 
need the same ``legal dependability'' as their paper counterparts. The 
over-arching standard in the concept of ``legal dependability'' is that 
any electronic document that may be used as evidence to prosecute an 
environmental crime or to enforce against a civil violation should have 
no less evidentiary value than its paper equivalent. For example, where 
there is a question of deliberate falsification of compliance data--it 
must be possible to establish the signatory's identity beyond a 
reasonable doubt no matter whether the submission was electronic or 
paper.
    A seventh, more general proposed criterion, entitled ``Validity of 
Data,'' addressed the standard of legal dependability directly. The 
idea, in general, was that a system used to receive electronic 
documents must be capable of reliably generating evidence for use in 
private litigation, in civil enforcement proceedings, and in criminal 
proceedings in which the standard for conviction is proof beyond a 
reasonable doubt that the electronic document was actually signed by 
the individual identified as the signatory and that the data it 
contains was not submitted in error. The six more detailed, function-
specific criteria represented the requirements for satisfying this more 
general ``Validity of Data'' criterion. Taken together, the seven 
proposed criteria were intended to ensure the legal dependability of 
electronically submitted documents by providing:
     Standards for valid electronic signatures and authentic 
electronic documents to be admitted as evidence in a judicial 
proceeding;
     Assurance that electronic documents can be authenticated 
to provide evidence of what an individual submitted and/or attested to; 
and
     Assurance that electronic signatures resist repudiation by 
the signatory.

By providing for these and other facets of an electronic document's 
legal dependability, proposed CROMERR was intended to preserve the 
ability of EPA and its authorized programs to hold individuals 
accountable when they certify, attest or agree to the content of 
compliance reports under environmental laws and statutes. By the same 
token, proposed CROMERR was also intended to ensure that EPA and its 
authorized programs will have the documentary evidence they need to 
bring actionable cases of false or fraudulent reporting into court.
    2. Comments on the proposed criteria for electronic document 
receiving systems. EPA received a substantial number of comments on the 
proposed criteria for state, tribe, and local electronic document 
receiving systems, both in written submissions and at meetings with the 
public and with state and local government officials. While a

[[Page 59856]]

few of these comments questioned the ``Validity of Data'' criterion, 
the great majority dealt with the detailed function-specific criteria. 
There were at least three recurring and closely related themes. First, 
the criteria were too prescriptive and inflexible, and would prevent 
state, tribe, and local agencies from adapting their electronic 
reporting approaches to their needs and changing circumstances, and 
foreclose new and creative ways to achieve legal dependability. Second, 
the criteria would make electronic reporting unnecessarily complex, 
costly, and burdensome. Third, while the criteria might be appropriate 
for some cases, the ``one size fits all'' approach was not workable for 
all reports in all programs.
    Commenters tended to associate these three themes with certain 
misperceptions about the proposed requirements for signature method and 
the signature/certification scenario. Concerning signature method, a 
common concern was that the criteria would require states to implement 
PKI-based digital signatures. Commenters generally appear to have 
inferred this from proposed Sec.  3.2000(c) Electronic Signature 
Method, together with EPA's own choice of PKI for some submissions to 
CDX, as discussed in the Preamble. Whatever EPA's plans for CDX, state, 
tribe, and local government systems do not have to conform to the CDX 
model. Implementing a particular system of necessity requires the 
choice of specific technologies. To make those choices does not imply 
that these are the only possible choices that would satisfy whatever 
requirements the rule places on electronic reporting systems. 
Concerning Sec.  3.2000(c), commenters tended to focus on paragraph (5) 
of this section, which stated that the signature method had to ensure 
``that it is impossible to modify an electronic document without 
detection once the electronic signature has been affixed.'' EPA did not 
intend for this provision to establish PKI-digital signature as the 
required signature method. Given current technology, approaches to 
satisfying the Sec.  3.2000(c)(5) requirement frequently involve the 
computation of a number--called a ``hash''--that has a unique relation 
to the content of the electronic document such that any change to the 
document content would change the computed hash. Given the hash, the 
associated document can be confirmed as unmodified at any time by 
calculating a new hash and showing that the new and original hashes are 
identical. Using such a hash-based approach, it is important to ensure 
that the hash has been secured from tampering, and encryption is 
probably the most straightforward way to do this. Encryption can be 
accomplished in a number of ways. Approaches include PKI-based digital 
signature, digital signature where the asymmetric key-pair is not 
associated with a PKI certificate, and various forms of symmetric-key 
cryptography. Additionally, it may be possible to avoid cryptography 
altogether by storing the hash value in a system with appropriately 
controlled access. Thus, a solution using PKI-based digital signatures 
represents only one among a number of possible approaches to satisfying 
the proposed Sec. 3.2000(c)(5) requirement.
    A number of commenters also misinterpreted the criteria under 
proposed Sec.  3.2000(e) Electronic signature/certification scenario 
(especially the provisions for signatory's review of data under Sec.  
3.2000(e)(1)(i)) as requiring signatories to scroll through their 
submissions on-screen before they affix their electronic signatures, 
and requiring state systems to enforce this required ``scroll-
through''. However, the proposal provided not that the signatory must 
review the data on-screen, but rather that he or she be given the 
opportunity to do so. The example of the enforced on-screen ``scroll-
through'' then envisioned for CDX, and provided in the CDX section of 
the proposal's preamble, was in error. EPA did not intend to require 
this ``scroll-through'' of submitted data prior to signature. EPA 
certainly does expect and encourage reporting entities to review data 
intended for electronic submission prior to signature, but does not 
mandate this or any other particular mode or method of signatory review 
in today's rule.
    Returning to the three comment themes--of prescriptiveness, cost 
and burden, and a ``one size fits all'' approach--commenters who raised 
the prescriptiveness issue generally argued that, even supposing that 
there were no specific objections to the detailed Sec.  3.2000 
provisions, EPA had failed to make the case that every single 
requirement under these provisions is necessary to ensure the legal 
dependability of electronic submissions. Commenters who argued that the 
proposed rule would be too costly and burdensome generally focused on 
Sec.  3.2000(c)(5) and Sec.  3.2000(e)(1)(i), discussed above, or on 
the proposed Sec.  3.2000(d) registration and signature agreement 
provisions. There were many comments to the effect that the complex 
Sec.  3.2000(d) registration and re-registration requirements would 
pose substantial barriers to regulated company participation in 
electronic reporting and involve unacceptable expenses for implementing 
agencies. Commenters also noted that the required Sec.  3.2000(e)(1)(i) 
would be difficult to integrate with company workflow practices in many 
cases. Finally, there is the ``one size fits all'' issue. Some of the 
comments raised this as another version of the ``prescriptiveness'' 
issue, but adding that the proposal developed just one model of 
electronic reporting and attempted to make it fit the differing 
circumstances of the various state, tribe, and local agencies that 
would have to comply. Other comments emphasize the point that the 
proposal takes requirements apparently tailored to assuring an 
electronic document's authenticity and applies them to all cases of 
electronic reporting, whether or not the question of authenticity is 
likely to arise.
    EPA has considered these and related comments in writing today's 
rule. We do not wish to set overly prescriptive requirements and so 
foreclose acceptable electronic reporting alternatives that could offer 
equivalent or better assurance of legal dependability while, perhaps, 
being easier for a state, tribe, or local agency to implement. We do 
not wish to set requirements that impose unnecessary costs or burdens. 
And, while we do not see a ``bright line'' around the universe of cases 
where document authenticity might be of concern, we also do not wish to 
address authenticity with requirements that leave states, tribes, and 
local governments with too little flexibility in how they may adapt 
their electronic reporting implementations to their particular 
circumstances. Accordingly, EPA has decided to finalize criteria for 
electronic document receiving systems that directly articulate the 
underlying goal of assuring the legal dependability of electronic 
documents authenticity, and to add more specific requirements only to 
the extent that they are needed to achieve this underlying goal. 
Accordingly, the provisions of today's rule have been clarified as 
general performance standards necessary to ensure the legal 
dependability of the electronic documents they receive. Additional 
comments on the proposed criteria and EPA's responses can be found in 
the rulemaking docket, in the Response to Comments document.
    3. Revisions to the criteria in the final rule. In today's final 
rule, we intend to fulfill the underlying goal of the proposed Sec.  
3.2000 criteria for electronic document receiving systems. This is to 
assure the authenticity and non-

[[Page 59857]]

repudiation of electronic documents submitted in lieu of paper reports, 
so that they are as legally dependable--that is, as admissible in 
evidence and accorded the same evidentiary weight--as their paper 
counterparts. As noted earlier, this goal was expressed most directly 
in the proposed Sec.  3.2000(b) ``Validity of Data'' criterion. 
Accordingly, for the final rule, we started with the proposed Sec.  
3.2000(b) and then clarified the remaining proposed Sec.  3.2000 
criteria as general performance standards for electronic document 
receiving systems, which were incorporated as needed to assure the 
legal dependability of the electronic documents such systems receive. 
The resulting Sec.  3.2000(b) in the final electronic reporting rule 
reflects the requirements discussed in the table below. The citation 
for the corresponding language in the proposed rulemaking is also 
provided.

------------------------------------------------------------------------
                                          Citation/requirement in final
 Citation/subject area in proposed rule         section 3.2000(b)
------------------------------------------------------------------------
Proposed Sec.   3.2000(g), addressing    Section 3.2000(b)'s leading
 system archives.                         clause requires that the
                                          system be able to generate the
                                          required data as needed and in
                                          a timely manner.
Proposed Sec.  Sec.   3.2000(e)(3) and   Section 3.2000(b)'s leading
 3.2000(f), addressing signature/         clause and Sec.   3.2000(b)(4)
 certification scenarios and              require that the system be
 transaction record.                      able to generate a ``copy of
                                          record'' that is made
                                          available to the submitters
                                          and/or signatories for review
                                          and repudiation.
Proposed Sec.  Sec.   3.2000(c) and      Section 3.2000(b)(5)(i)
 3.2000(d), addressing the electronic     requires that the system be
 signature method and submitter           able to show that any
 registration process.                    electronic signature on an
                                          electronic document was
                                          created by an authorized
                                          signatory with a device that
                                          the identified signatory was
                                          uniquely entitled and able to
                                          use.
Proposed Sec.   3.2000(c)(5),            Section 3.2000(b)(5)(ii)
 addressing requirement that it be        requires that the system be
 impossible to modify an electronic       able to show that the
 document without detection once it has   electronic document cannot be
 been electronically signed.              altered without detection once
                                          it has been electronically
                                          signed.
Proposed Sec.   3.2000(e), addressing    Sections 3.2000(b)(5)(iii)--
 the signature/certification scenario.    (iv) require that the system
                                          be able to show that, before
                                          signing, any signatory had the
                                          opportunity to review what he
                                          or she was certifying to in a
                                          human-readable format, and to
                                          review the certification
                                          statement including any
                                          provisions relating to
                                          criminal penalties for false
                                          certification.
Proposed Sec.   3.2000(d), addressing    Section 3.2000(b)(5)(v)
 the submitter registration process.      requires that the system be
                                          able to show that the
                                          signatory signed an
                                          ``electronic signature
                                          agreement'' or a ``subscriber
                                          agreement'' acknowledging his
                                          or her obligations connected
                                          with preventing the compromise
                                          of the signature device.
Proposed Sec.   3.2000(e)(2),            Section 3.2000(b)(5)(vi)
 addressing acknowledgment.               requires that the system be
                                          able to show that it
                                          automatically sent an
                                          acknowledgment of any
                                          electronic submission it
                                          received that bears an
                                          electronic signature; the
                                          acknowledgment must identify
                                          the electronic document, the
                                          signatory and the date and
                                          time of receipt, and be sent
                                          to an address that does not
                                          share the access controls of
                                          the account used to make the
                                          submission.
Proposed Sec.   3.2000(d)(1)-(3),        Section 3.2000(b)(5)(vii)
 addressing submitter registration..      requires, for each electronic
                                          signature device used create
                                          an electronic signature on
                                          documents that the system
                                          receives, that the system be
                                          able to establish the identity
                                          of the individual uniquely
                                          entitled to use that device
                                          and his or her relation to the
                                          entity on whose behalf he or
                                          she signs the documents.
------------------------------------------------------------------------

    The requirements in Sec.  3.2000(b)(5)(iii)-(iv) of today's rule, 
concerning ``opportunity to review,'' do not place the responsibility 
for providing an opportunity, or for showing whether or not an 
opportunity was actually taken, on the state, tribe, or local 
government electronic document receiving system. What is required is 
that the system provide evidence sufficient to show that an opportunity 
was provided; this point is explained in greater detail in sections 
VI.E.8 and VI.E.9 of this Preamble.
    EPA believes that the standards in Sec.  3.2000(b) of today's rule, 
as developed from the proposed ``Validity of Data'' criterion, together 
with other proposed criteria clarified as general performance 
standards, represent the minimum set of requirements for electronic 
document receiving systems necessary to ensure the legal dependability 
of the electronic documents such systems receive. For example, the 
requirement for a copy of record is necessary to ensure that there is 
an authoritative answer to the question of what information content a 
signatory was certifying to or attesting to. The related requirement 
that the system be able to provide timely access to copies of record 
and related data reflects a practical concern that the data be 
accessible in time and in a format to serve the purposes for which it 
is needed.
    Concerning the requirement that signature devices be uniquely 
assigned to, and held by individuals, EPA believes that an acceptable 
electronic document receiving system must be able to attribute a 
signature to a specific individual, to help assure that the signatory 
cannot repudiate responsibility for the signature. Non-repudiation is 
also strengthened by the signed electronic signature agreement, which 
establishes that the signatory was informed of his or her obligation to 
keep the signature device from compromise by ensuring that it is not 
made available to anyone else. Requiring the signature agreement, as 
well as the opportunity to review what they are signing, helps 
establish that where signatures appear on electronic documents, the 
signatories had the requisite intent to certify. That is, these 
requirements help ensure that the signatories knew what they were 
signing, knew what signing meant, and understood the legal implications 
of false certification. As for the requirement that document content 
cannot be altered without detection after signature, an acceptable 
electronic document receiving system must provide evidence sufficient 
to allow a court to attribute the intention to certify to the 
document's current content to the signatory, so that he or she cannot 
repudiate this content.
    Finally, today's Sec.  3.2000(b)(5)(vii) requirement that the 
system be able to establish the identity of the individual who is 
assigned a signature is based on proposed Sec.  3.2000(d). Proposed 
Sec.  3.2000(d) logically entails today's Sec.  3.2000(b)(5)(vii), 
because satisfying the

[[Page 59858]]

provisions of the former guarantees compliance with the latter. 
However, today's Sec.  3.2000(b)(5)(vii) limits the scope of the 
proposed Sec.  3.2000(d)(3) requirement that, in registering for their 
signature devices, registrants must execute their electronic signature 
agreements on paper with handwritten signatures. In today's Sec.  
3.2000(b)(5)(vii), this requirement is limited to a special class of 
``priority report'' submittals. (See section VI.E.12 of this Preamble.) 
In addition, today's Sec.  3.2000(b)(5)(vii) offers alternatives to 
this handwritten signature requirement, to allow electronic reporting 
solutions that are completely free of paper transactions. The 
alternative provisions, found in today's Sec.  3.2000(b)(5)(vii)(A)-
(B), are elaborations of the proposed Sec.  3.2000(d)(1) requirement 
for ``evidence [of identity] that can be verified by information 
sources that are independent of the registrant and the entity or 
entities'' for which the registrant will submit electronic documents. 
The elaborations are necessary to assure that individuals' identities 
can be established without being able to rely on their handwritten 
signatures--and, in the final rule, the requirements apply only to 
``priority report'' submittals, and only where the choice is made to 
not use paper in the execution of electronic signature agreements. 
Section VI.E.12 of this Preamble outlines all of today's Sec.  
3.2000(b)(5)(vii) provisions in much more detail. In any event, we have 
made these changes to the proposed Sec.  3.2000(d) approach to help 
address commenters' concerns with ``one size fits all'' provisions, as 
well as to allow states, tribes, and local government as much 
flexibility as possible as they implement their electronic reporting 
systems.
    In sum, the overall approach to the standards for electronic 
document receiving systems in today's rule reflects a balancing of the 
concerns raised by the public comments, especially those relating to 
the proposal's burden on states, tribes, local governments and 
regulated entities, against the need to ensure the legal dependability 
of electronic documents submitted under authorized programs. Finally, 
EPA notes that to date the Agency has had limited experience with the 
practical application of electronic signatures and electronic reporting 
generally. With the benefit of practical experience accepting 
electronic reports under this rule, EPA may determine that this rule 
needs to be revisited, to either add or eliminate certain safeguards. 
In addition, while EPA has sought to write this rule so that its 
provisions are technology-neutral, it remains possible that revisions 
will be required to reflect technological changes or changes in 
prevailing industry norms and practices. If these or other 
circumstances require it, EPA thus reserves the right to revisit the 
issues addressed in this rule.

C. How has EPA accommodated electronic submissions with follow-on paper 
certifications?

    Currently there are EPA and state programs that take electronic 
submissions where the requirements for a signed certification statement 
are met with a follow-on paper submission with handwritten signatures. 
A number of commenters suggested that such an approach be recognized 
and allowed to continue under the electronic reporting rule. EPA has no 
wish to proscribe such an approach, and does not judge whether or not 
follow-on paper signature/certification is to be preferred to the 
approach where the signature/certification is electronic. To make this 
clear in the final rule, we have added a clause to Sec.  3.10(b) that 
allows follow-on handwritten signatures to substitute for electronic 
signatures on submissions to EPA where ``EPA announces special 
provisions'' for this purpose. A corresponding clause in Sec.  
3.2000(a)(2) of today's rule makes a similar allowance for electronic 
reporting under authorized state, tribe, or local programs, again, 
where ``the program makes special provisions to accept a handwritten 
signature on a separate paper submission.''
    Among other things, these ``special provisions'' would allow 
follow-on paper signature submission only if it were reliably linked or 
cross-referenced with the associated electronic document. The linking 
or cross-referencing is necessary in part to ensure that we can always 
determine which signature submissions belong with which electronic 
documents. Paper signature submissions must also provide sufficient 
evidence that the signatory intended to certify to or attest to the 
content of the electronic document as this content is recorded in the 
copy of record for the submission. There are various approaches to 
cross-referencing or linking that would meet these needs, most of which 
involve the inclusion of extra data elements in the signature 
submission that reference the associated electronic document. Such data 
elements might include summary data from the electronic document, the 
date and time of the electronic submission, or even the calculated hash 
value of the electronic document. EPA may use these and other 
alternatives if a decision is made to provide for direct electronic 
reporting to EPA with follow-on paper signatures. For such submissions 
to authorized programs, we have added to Sec.  3.2000(a)(2) of today's 
rule the requirement that authorized program provisions for follow-on 
paper signature submissions ``ensure that the paper submission contains 
references to the electronic document sufficient for legal certainty 
that the signature was executed with the intention to certify to, 
attest to, or agree to the content of that electronic document.''

D. How has EPA changed proposed definitions of terms?

    The ``Definitions'' section of the final rule, Sec.  3.3, provides 
new definitions for ``copy of record,'' ``electronic signature 
agreement,'' and ``valid electronic signature,'' as well as the 
revisions to the definition for ``electronic signature device,'' to 
help articulate the final Sec.  3.2000(b) standards for electronic 
document receiving systems. These terms are explained in more detail in 
section VI, below. (See especially, sections VI.E.2., VI.E.10. and 
VI.E.6.) Similarly, in section VI.B.2 of this Preamble we note the role 
of the new definition for ``existing electronic document receiving 
system;'' and, in section VI.E.12 we discuss the new definitions for 
``agreement collection certification,'' ``disinterested individual,'' 
``information or objects of independent origin,'' ``local registration 
authority,'' ``priority reports,'' and ``subscriber agreement.'' 
Section 3.3 also reflects a number of clarifying and/or simplifying 
changes for definitions of terms, as follows.
    1. Definition of ``acknowledgment.'' This definition has been added 
in conjunction with Sec.  3.2000(b)(5)(vi) of today's rule, to make 
clear that in the context of this rule, acknowledgment means a 
confirmation of electronic document receipt.
    2. Definition of ``electronic document.'' This definition has been 
revised from the proposed version in several ways. First, the use of 
``communicate'' has been eliminated, thereby eliminating the need for a 
separate definition of that term. Second, the exclusion of magnetic and 
optical media and facsimile submissions has been eliminated. We believe 
it is clearer to exclude such submissions from the scope of CROMERR 
under Sec.  3.1, entitled ``Who does this part apply to?'' Today's rule 
now provides this exclusion in Sec. Sec.  3.1(b) and 3.1(c). Third, the 
definition has also been revised so that it explains what a 
``document'' is in an electronic medium. Instead of saying that an 
``electronic document means a

[[Page 59859]]

document. * * *,'' the final version says that ``electronic document 
means any information in digital form. * * *,'' where information is 
explained as potentially including ``data, text, sounds, codes, 
computer programs, software or databases.'' Fourth, this definition 
clarifies that in this context, ``data,'' is used in its normal sense 
as denoting a delimited set of data elements, each of which is a unit 
of meaning in a document and consists of a content or value together 
with an understanding of what the meaning and/or context of the content 
or value is. Finally, the definition stipulates that where an 
electronic document includes data, the understanding of what the data 
content or value means must either be explicitly included in the 
electronic document or be readily available through such sources as an 
applicable data element dictionary, or a form or template that 
specifies what each data element means when it is presented in the 
specific file format used for the electronic document's submission.
    A consequence of this approach is that the identity of an 
electronic document consisting wholly of data is independent of the 
format in which it is presented or submitted. That is to say, 
rearranging or reformatting the data elements in an electronic document 
does not change it into a different one, at least so long as the 
signatory's intention and understanding of what the data elements each 
mean is preserved in the process. This does not conflict with the 
ordinary understanding of the term ``document,'' since we speak quite 
often of ``reformatting a document,'' with the clear understanding that 
what results will be the same document in a new format. 
Correspondingly, under the definition of ``copy of record,'' a ``true 
and correct'' copy of an electronic document does not necessarily have 
to reflect the format in which the document was submitted, provided 
that the document consists wholly of data. This independence of 
document identity from format may not always hold where other kinds of 
information are included in the electronic document, e.g. text or 
images; in such cases a copy of record may have to include format or 
formatting information.
    3. Definition of ``electronic signature.'' This definition has been 
revised by substituting ``information in digital form'' for 
``electronic record,'' to avoid problems with defining ``electronic 
record.'' The definition has also been revised to make clear that the 
electronic signature for an electronic document need not always be 
``included'' within that document; in some cases it may just be 
``logically associated'' with it. This point is explained further in 
section VI.E.2 of this Preamble, in discussing the copy of record 
requirement.
    4. Definition of ``electronic signature device.'' The definition of 
``electronic signature device'' has been revised to clarify that where 
a device is used to create an individual's electronic signature, then 
the device must be unique to that individual, and he or she must be 
uniquely entitled to use it at the time that the signature is created. 
Correspondingly, the device is compromised if it is available for use 
by any other individual, that is, if some other individual is able to 
use the device to create signatures if he or she wishes. To the extent 
that Sec. Sec.  3.10(b) and 3.2000(b)(5)(i) of the final rule prohibit 
the acceptance of signatures created with compromised devices, via the 
definition of ``valid electronic signature,'' the element of compromise 
rules out the sharing of electronic signature devices or delegating 
their use to create individuals' electronic signatures. Additionally, 
the definition includes the element that an individual needs to be 
entitled to use the electronic signature device; that is, the 
individual needs to be the ``owner'' of the device. The nature of the 
device itself will determine the way in which an individual comes to 
own it. In the case of personal identification numbers or certificate-
based private/public key pairs, there is normally some process of 
formally assigning the device to the individual, often through a 
trusted third party. In other cases, for example password or personal 
information-based signature devices, the process may have the 
individuals invent and assign the devices to themselves `` the basis 
for their ownership of the devices being determined by the 
circumstances or context within which they do this.
    5. Definition of ``transmit.'' In the proposed rulemaking the term 
``submit'' was defined as the ``means to successfully and accurately 
convey an electronic document so that it is received by the intended 
recipient in a format that can be processed by the electronic document 
receiving system.'' However, the term ``submit'' is used more widely in 
the rule in ways that are not consistent with this definition. 
Accordingly, in the final rule the function of successful and accurate 
conveyance of an electronic document is now termed ``transmit.''
    6. Definition of ``valid electronic signature.'' Beyond its role in 
Sec.  3.2000(b), this definition has also been added to help clarify 
and simplify the signature requirements associated with electronic 
reporting, both directly to EPA, in Sec.  3.10, and under authorized 
programs, in Sec.  3.2000(a)(2). The definition specifies three main 
conditions for validity. The first refers to features of the signature 
that are intrinsic to the items of information of which it consists: 
The signature must consist of the kind of information that has been 
established as appropriate for the signing of the document in question, 
and the specific information content must pass the validation tests 
which the system uses to determine that the signature belongs uniquely 
to the identified signatory. The second condition refers to the status 
of the electronic signature device used to create the signature, and 
ensuring that the device was not compromised at the time it was used to 
create the signature. This ties validity to the element of compromise 
within the definition of ``electronic signature device.'' That is, at 
the time of signature, the device must not have been made available to 
someone other than the individual who is entitled to use it. The third 
condition refers to the signatory's status at the time of signature as 
someone who is authorized to sign the document in question by virtue of 
his or her legal status and/or relationship to the entity on whose 
behalf the signature is executed. In the context of environmental 
reporting, this condition would make invalid electronic signatures on 
company compliance reports created by individuals who do not work for 
or in any way represent the company. Generally, in the context of 
environmental reporting, individuals who sign submissions to 
environmental agencies are explicitly authorized to do so, by their 
management and/or by the agency to which they report. However, in some 
cases the authorization may be implicit in the signatory's legal status 
and relationship to the regulated entity. For example, an owner or 
operator of a company is generally authorized to sign notifications or 
letters to an environmental agency whether or not this is explicitly 
provided for by law or regulation.
    As ``valid electronic signature'' is used in Sec. Sec.  3.10 and 
3.2000(a)(2), the validity of an electronic signature is necessary for 
the signatory's electronic submission to satisfy a federal or 
authorized program reporting requirement. Additionally, as the term is 
used in Sec.  3.2000(b), it also refers to a performance requirement 
for an electronic document receiving system, namely that the system 
must not accept and must be able to detect submissions with signatures 
that are not valid. These requirements in terms of ``validity'' are

[[Page 59860]]

meant to provide a form of insurance for electronic signatures to 
protect against the risks of repudiation. Nonetheless, a signatory may 
be legally bound by a signature even where not all the requirements for 
its validity have been met, e.g., where the signature has been executed 
with a compromised electronic signature device. The signatory of an 
electronic submission cannot avoid responsibility for its contents by 
pointing to a technical flaw or other defect in the signature process.

V. Requirements for Direct Electronic Reporting to EPA

A. What are the requirements for electronic reporting to EPA?

    Under the final rule, the requirements for electronic reporting to 
EPA remain essentially unchanged from those in the proposal. Section 
3.10 provides, first, that electronic documents must be submitted to an 
appropriate EPA electronic document receiving system. Generally this 
will be EPA's Central Data Exchange (CDX), although EPA can also 
designate additional systems for the receipt of electronic documents 
and is doing so in a separate Federal Register notice. Second, where a 
paper document must bear a signature under existing regulations, an 
electronic document that substitutes for the paper document must be 
signed (by the person authorized to sign under the current applicable 
provision) with a valid electronic signature.
    Only electronic submissions that meet these two requirements will 
be recognized as satisfying a federal environmental reporting 
requirement, although failure to satisfy these requirements will not 
preclude EPA from bringing an enforcement action based on the 
submission or otherwise relying on the submission. A new compliance and 
enforcement section has been added to the final rule to clarify certain 
compliance and enforcement issues related to electronic reporting. 
Section 3.4 makes clear that EPA can seek and obtain any appropriate 
federal civil or criminal penalties or other remedies for failure to 
comply with an EPA reporting requirement if a person submits an 
electronic document to EPA under this rule that fails to comply with 
the provisions of Sec.  3.10. Similarly, Sec.  3.4 makes clear that EPA 
can seek and obtain any appropriate federal civil or criminal penalties 
or other remedies for failure to comply with a state, tribe, or local 
government reporting requirement if a person submits an electronic 
document to a state, tribe, or local government under an authorized 
program and fails to comply with the applicable provisions for 
electronic reporting. Section 3.4 also contains provisions originally 
published under Sec.  3.10(d) and (e) of the proposal, stipulating that 
the electronic signature will make the person who signs the document 
responsible, bound, or obligated to the same extent as he or she would 
be signing the corresponding paper document by hand.
    The Sec.  3.10 requirement that there be an electronic signature 
applies only where a paper document would have to bear a signature were 
it to be submitted, either because this is required by a statute or 
regulation, or because a signature is required to complete the paper 
form. The rule does not impose any new or additional signature 
requirements for documents that are submitted in electronic form. In 
addition, as noted in section IV.C of this Preamble, Sec.  3.10(b) of 
today's rule also allows EPA to make special provisions, in specific 
cases, for accepting handwritten signatures in follow-on paper 
submissions in lieu of the required electronic signatures. In such 
cases, it is critical that the special provisions ensure that the 
electronic document cannot be altered without detection and is reliably 
linked to the handwritten signature.
    As in the proposal, this final rule does not specify any required 
hardware or software. Accordingly, the rule text does not include any 
detail about CDX per se or about what will be required of regulated 
entities who wish to use it. Nonetheless, as stated in the proposal, 
our goals include the sharing of detail on how CDX implements direct 
electronic reporting to EPA. Section V.C.4 of this Preamble explains 
how CDX has changed since we described it in the proposal, especially 
in relation to the many comments we received on CDX-related issues.

B. What is the status of existing electronic reporting to EPA?

    In a notice published concurrently with today's rule, EPA clarifies 
the status of electronic reporting directly to EPA systems that exist 
as of the rule's publication date. In accordance with 40 CFR 3.10, EPA 
is designating for the receipt of electronic submissions, all EPA 
electronic document receiving systems currently existing and receiving 
electronic reports as of the date of this notice. This designation is 
valid for a period of up to two years from the date of publication of 
this notice. During this two-year period, entities that report directly 
to EPA may continue to satisfy EPA reporting requirements by reporting 
to the same systems as they did prior to CROMERR's publication unless 
EPA publishes a notice that announces changes to, or migration from, 
that system. Any existing systems continuing to receive electronic 
reports at the expiration of this two-year period must receive 
redesignation by the Administrator under Sec.  3.10. Notice of such 
redesignation will be published in the Federal Register.
    EPA's goal is that all its systems for receiving electronic reports 
be consistent with the CROMERR standards for electronic document 
receiving systems, set forth in Sec.  3.2000(b) of today's rule. EPA 
generally hopes to achieve this consistency within a two-year 
transition period for existing EPA systems; however, EPA is not bound 
by the Sec.  3.2000(b) standards of today's rule or the two-year 
period. This two-year period is similar to the two-year transition 
period provided under Sec.  3.1000(a)(3) for systems operated under 
EPA-authorized programs. In a number of cases, EPA may work toward this 
goal by migrating existing electronic reporting to CDX or to other, new 
CROMERR-consistent systems. As we change or migrate existing electronic 
reporting programs to achieve consistency with the CROMERR standards, 
we intend to provide sufficient advance notice to reporting entities so 
that any new requirements can be accommodated without causing 
significant disruption to their electronic reporting activities.

C. What is EPA's Central Data Exchange?

    1. Overview of general goals. The proposal described EPA's 
``Central Data Exchange'' as a system to be developed and maintained by 
EPA's Office of Environmental Information (OEI) that would serve as 
EPA's gateway or ``portal'' for receiving documents electronically from 
our reporting community. The goal of CDX was to augment, and, where 
appropriate, streamline and consolidate EPA's environmental reporting 
functions by offering our reporting community faster, easier, and more 
secure submission options through a single venue for electronic 
submission of environmental data. As a cornerstone of EPA's efforts to 
advance electronic government, CDX would support the electronic 
submission needs of thousands of regulated entities submitting data to 
EPA for certain air, water, waste, and toxic substances programs. 
Ultimately, EPA planned to offer, wherever practicable, all regulated 
entities that report directly to EPA, an option to file their specific 
environmental documents

[[Page 59861]]

electronically through CDX. Regulated entities that submit reports 
under an authorized program would also be able to file their documents 
through CDX in cases where the state, tribe or local government that 
administered the program chose to use CDX as a gateway for electronic 
data submissions from its reporting community.
    The reporting community using CDX would be able to access web 
``reporting'' forms with built-in data quality checks, and/or submit 
standard file formats through common, user-friendly interfaces that 
allowed them to electronically submit data across vastly different 
environmental programs. Both the reporting community and EPA would 
benefit by gaining access to environmental reports more quickly and 
with fewer errors, and by avoiding the inefficiencies of having to 
keystroke data from paper reports. CDX was also being developed to 
support a newly emerging Environmental Information Exchange Network 
(EIEN) that would facilitate the electronic exchange of environmental 
data between EPA and state, tribe, and local environmental agencies. 
However, in keeping with the scope of the proposed rule the description 
of CDX features and functions in this section apply only to electronic 
submissions to CDX from regulated entities; the description doesn't 
apply to EIEN exchanges with CDX in which states, tribes, or local 
governments participate as a part of their authorized programs or as a 
part of administrative arrangements with EPA to share data.
    The Concept of Uniformity. The proposal also characterized CDX as 
providing an environment that would promote a uniformity of 
technologies and processes. By adopting CDX to support the electronic 
reporting needs across various EPA programs, EPA hoped to avoid the 
proliferation of program-specific electronic reporting approaches that 
could lead to duplicative investments in electronic document receiving 
systems and possibly conflicting requirements for submitters.
    The CDX Functions and Building Blocks. As described in the proposed 
rule, CDX was being designed with the goal of fully satisfying the 
criteria that the proposal specified for state, tribe, and local 
electronic document receiving systems; similarly, EPA would ensure that 
other systems the Administrator designated to receive electronic 
submissions satisfied the criteria as well. The proposal discussed how 
CDX would implement CROMERR-compliant electronic reporting by 
describing the primary CDX functions and the system building blocks 
that would support these functions. The functions described in the 
proposal included: (1) Access management, (2) data interchange, (3) 
signature/certification management, (4) submitter and data 
authentication, (5) transaction logging, (6) copy of record provisions 
and acknowledgment, (7) archiving, (8) error checking, (9) translation 
and forwarding, and (10) outreach. The proposal then described five 
building blocks that would support CDX functions, which were: (1) 
Digital signatures based on PKI, where CDX would rely predominately on 
a third party vendor under the General Services Administration (GSA) 
Access Certificates for Electronic Services (ACES), (2) a process for 
registering users and managing their access to the CDX, (3) a client 
server-architecture, (4) EDI standards, as the primary format for 
exchanging environmental data, and (5) a consistent user interface for 
making electronic submissions.
    2. Comments on the proposal. EPA received more than 100 comments on 
the CDX concept as described in the proposal. A number of these 
comments were related to one of four main subject areas, as follows.
    Comments on Uniformity of Approach. Several comments expressed 
concern about the proposed characterization of CDX as promoting 
``uniformity of process and technology''. The phrase was used to 
highlight the benefits of CDX, which included EPA's plans to avoid the 
costly proliferation of redundant systems. However, comments pointed 
out that this ``uniformity'' implied an inflexible and overly 
prescriptive set of CDX technical and security requirements, which 
would discourage CDX use. Such comments were similar to those discussed 
in section IV.B.2 of this Preamble, raising concerns about the 
prescriptiveness and ``one size fits all'' approach of the proposed 
criteria for electronic document receiving systems.
    EPA understands that ``uniformity of process and technology'' could 
imply inflexibility, and this is not generally how we intended to 
develop CDX. In fact, CDX is currently using a wide range of 
technologies and processes to address CDX's functions that are tailored 
to individual EPA program submission requirements, including the 
technical capabilities of the reporting community for the particular 
program. EPA recognizes that, for example, permitting, compliance 
monitoring, and the conduct of studies involve fundamentally different 
business processes, and that the associated submission of electronic 
documents may have to be handled differently in each case. In some 
instances CDX may support a more interactive ``workflow'' environment 
for submitting data; in others, CDX may accept batch transmissions of 
user-formatted files. It is also true that the technical capabilities 
of a particular reporting community vary considerably, so CDX will 
offer more than one electronic submission option in many cases. CDX 
currently provides support for web-forms, file, and record-level 
submissions in various formats including flat file and XML and EPA 
plans to continue this flexible approach.
    Comments on registration process. Comments from regulated entities 
raised concerns about the costs and time required to register 
individuals in each company, and EPA's failure to address the 
increasingly common cases where the preparer of an environmental report 
and the certifying official are different individuals.
    Because electronic submission is being offered as an option to the 
reporting community, EPA recognizes the need to design CDX registration 
to be as user-friendly as practicable, in part by taking account of the 
flow of work, or ``workflow'' involved in meeting a particular 
environmental reporting requirement. For example, since proposal, EPA 
has developed approaches to register both preparers and certifying 
officials for at least two reporting programs. Changes to the CDX 
registration process are discussed in more detail in section V.C.4.
    Comments on digital signatures based on PKI. Comments pointed out 
that reliance on PKI for all cases of electronic signature may violate 
the GPEA directive to vary electronic signature approaches with the 
circumstances of their use. Several comments underlined this concern by 
pointing to PKI's costs and burdens. The comments objected that 
registering through CDX and acquiring digital signature certificates 
would be overly complicated, and would require that registrants provide 
private or personal information. Some comment also expressed concern 
about the incompatibility of a PKI-based approach with workflow, given 
that environmental reports were frequently prepared by staff and then 
signed by the facility owner, with staff turnover being frequent. 
Another concern was the implications of CDX PKI software for company 
system security, for example, given the need to download CDX software 
through the company firewall.
    EPA agrees that it should generally minimize the complexity and 
cost of electronic signatures or this will deter potential users of CDX 
from submitting

[[Page 59862]]

electronic documents. In implementing CDX, EPA has revised the initial 
plan for electronic signatures to include non-PKI electronic 
signatures. Section V.C.4 discusses how we are changing the ``digital 
signature based on PKI building block.''
    Comments on EDI Standards. Comments expressed both encouragement 
and concern over CDX's prospective implementation of standards-based 
exchange formats for data submissions. An exchange format is a 
predefined file structure, including data elements and higher level 
syntax that describes how the data extracted from a system must be 
arranged in a file for transmission to another system. A standards-
based format adheres to certain widely-accepted industry, national, or 
international file structure definitions. Several comments expressed 
concern about the costs of configuring their systems to generate a CDX-
specified standard format; others expressed concerns about the costs of 
potential changes to the format once it is implemented on their 
systems. By contrast, other comments strongly supported requiring 
standards-based formats--even recommending that we require such formats 
by rule for EPA and EPA-authorized state, tribe, and local electronic 
document receiving systems.
    CDX's approach to standards-based formats has changed considerably 
since the proposal, in large part because of the emergence of Internet-
based approaches, most notably Extensible Mark-up Language (XML). These 
changes are discussed in more detail in section V.C.4. EPA believes 
that the use of standard formats can be encouraged without requiring 
this by rule. Additional comments on CDX and EPA's responses can be 
found in the rulemaking docket, in the Response to Comments document.
    3. The aspects of CDX that have not changed since proposal.
    General Goals. EPA's continues its efforts to establish CDX as the 
gateway or ``portal'' for receiving documents electronically from the 
Agency's reporting community. In so doing, EPA's goal--to augment, and 
where appropriate, to streamline and consolidate EPA's environmental 
reporting functions through CDX--remains unchanged. The functions that 
comprise CDX operations continue to remain the same though the range of 
technologies and processes used to support these functions has 
considerably broadened. CDX continues to implement electronic reporting 
capabilities for EPA's many environmental programs, while advancing the 
efforts of EIEN in coordination with state, territorial, tribes, and 
other partners.
    General Approach to Electronic Reporting Implementation. In 
general, current instructions for client-side access of CDX suggest 
Internet access and a system that uses both Microsoft Windows and 
Microsoft Internet Explorer (IE). EPA acknowledges that the Government 
Paperwork Elimination Act (GPEA) directs OMB to develop procedures for 
agencies to follow in using and accepting electronic documents and 
signatures and these procedures ``may not inappropriately favor one 
industry or technology.'' Consistent with this GPEA directive, EPA is 
committed to considering ways to allow other vendors' technologies to 
access CDX. Accordingly, over the six months following the publication 
of today's rule, EPA intends to assess the full range of issues that 
affect CDX's ability to support multiple platforms and browsers. These 
issues include the technical requirements for the electronic signature 
options, form entry options, data upload options, network interface 
options, current capabilities of the CDX hardware/software platform, 
and potential impacts of new client-side platforms on the CDX life 
cycle management, technical support requirements, and help desk 
training and support. Based on this assessment, EPA intends to 
determine the target universe of client-side platforms and browsers 
that CDX can feasibly accommodate, and will identify the actions and 
timeline necessary to build out CDX support for this target universe.
    As described in the proposal, CDX users will need to:
     Register with CDX, during which time they may need to 
supply information used to identify themselves, their company, and the 
EPA documents they wish to submit electronically;
     Verify and/or correct registration information; and
     Access their CDX web account through a secure website, and 
agree to the terms and conditions of using the site, which include 
safeguarding their self-generated password, before using web forms or 
uploading files to submit electronic documents or data to EPA.

These are the minimum steps for gaining access to CDX at this time. 
Additional steps are involved in acquiring an electronic signature 
device, although these steps have changed somewhat since the proposal 
and are discussed in section V.C.4. CDX also offers at least two 
general methods for reporting electronically for many programs it 
supports, either through file submission or through a ``smart web 
form''. However, the types of formats and approaches for submitting 
data through CDX have broadened, and these too are discussed in section 
V.C.4.
    4. The major changes that EPA has made to CDX since proposal. Over 
the last two years, CDX has evolved from a prototype system to a fully 
operational electronic document receiving system. CDX supports tens of 
thousands of registered users providing data to dozens of environmental 
reporting programs across the major EPA media offices. CDX registered 
users include representatives from state, tribe, and local agencies, 
industries, laboratories, and other federal agencies. While CDX 
continues to provide a secure, single point of registration, access, 
and exchange between reporting entities and EPA programs, the building 
blocks supporting the CDX functions have changed substantially. These 
changes reflect EPA's experience operating CDX over the past two years, 
evolving trends in Internet technologies, and comments received on the 
proposed rule from potential CDX users.
    Digital signatures based on PKI. The proposal described the CDX 
approach to electronic signatures in terms of digital signatures and 
PKI. Since proposal, EPA has come to appreciate the complexity and 
costs of implementing PKI, and to recognize that non-PKI electronic 
signatures, as described in section IV.B.2 of the preamble today's 
rule, may be acceptable in many cases. Thus, for electronic reports 
currently submitted to CDX, only in one case is PKI used for electronic 
signature. The other cases involve PIN-based electronic signatures or 
other non-PKI electronic signature approaches. As an example of the 
latter, this year we anticipate implementing electronic signatures for 
an EPA reporting requirement by having signatories use a password that 
is self-generated during CDX registration in combination with certain 
items of information that are unlikely to be available to anyone except 
the signatory. This is a ``knowledge-based'' approach, which is being 
used extensively by commercial software vendors supporting the United 
States Internal Revenue Service (IRS) for electronic tax filings or 
``e-filings', and is being adopted by other agencies. EPA expects that 
these non-PKI-based approaches to signature will continue to dominate 
CDX implementations of electronic reporting. We currently intend to use 
PKI where such needs as security or assuring very robust non-
repudiation of signature make this the most appropriate approach.

[[Page 59863]]

    In addition, EPA's approach to PKI itself--described in the 
proposal as relying on ACES--is also undergoing change. Changes with 
respect to the role and method of identity proofing for those persons 
who apply for PKI certificates is being further evaluated. As proposed, 
the identity proofing was to be conducted by the third party ACES 
vendor; currently, CDX identity proofing is conducted for the most part 
by EPA's own contractor staff, who are able to issue digital 
certificates to members of the reporting community with less cost and 
in less time than the ACES vendor. EPA has also begun to explore 
alternatives to ACES for PKI certificates, partly because ACES-provided 
certificates do not support message encryption, which EPA may need for 
certain environmental reporting applications. In addition, EPA is 
considering its use of ACES in the light of recent federal advances in 
establishing interoperability across federal PKI domains, which may 
allow EPA to eventually leverage PKI's of other federal agencies or 
institute an in-house PKI.
    CDX Registration. Since the proposed rule, CDX has broadened it 
approach to registration to better accommodate the workflow involved in 
specific environmental reporting programs. While CDX still requires 
registration, there are three distinct areas where the registration 
process has changed since proposal. First, the proposal described CDX 
registration as the first step toward the issuance of a PKI-based 
digital signature, and it was implied that all persons opting to use 
CDX would need a digital signature. As noted above, this is no longer 
the case. Second, in the proposal, CDX registration began when a person 
received an EPA invitation letter that contained a temporary code and 
instructions on how to access the CDX registration website. CDX has 
adopted additional approaches to initiating registration for certain 
EPA programs, for example, embedding a link to CDX registration in 
reporting software that is distributed to the program's reporting 
community, or providing a public website where prospective CDX users 
can submit initial registration data EPA. While CDX continues to 
register persons by invitation letter for reporting under certain 
environmental programs, registration options will continue to broaden 
as the number of environmental programs supported by CDX expands.
    Finally, in the proposal, CDX registration was completed when the 
registrant printed out a ``signature holder'' agreement from the CDX 
registration website, signed this agreement and mailed it to EPA's CDX. 
CDX will continue this approach for reports where electronic signatures 
are required, although EPA is exploring the use of an entirely 
paperless signature agreement process for at least some of these cases. 
CDX registration to submit reports that do not include electronic 
signatures will not involve a ``signature holder'' agreement.
    EDI Standards. The proposal described EPA's plans to use EDI as the 
basis of standards-based formats for exchanging data between reporting 
entities and CDX. Since proposal, CDX development has reflected a 
significant evolution in formatting standards to accommodate the 
Internet--away from EDI and toward the use of XML. XML consists of a 
set of predefined tags and message structures that, like EDI, allows 
machine-to-machine exchange of data in a mutually agreed upon format, 
enabling exchange of data across different systems. However, unlike 
EDI, XML is tailored to Internet-based communications and security 
protocols. Additionally, an XML formatted file in combination with a 
style sheet can be displayed in a Web browser. Such features would 
allow CDX to use the same standard format both for exchanging data 
files and for designing web forms. The structure of XML also addresses 
some of the challenges in archiving data received, because the XML tags 
that accompany the data in an XML file can be used to interpret the 
data's context without the aid of additional software. This could 
facilitate the recovery of data from archived files, and reduces the 
need to maintain the versions of the software originally used to 
generate the files.
    CDX and specific EPA programs may address the question of which (if 
any) standards-based format to use for a particular report on a case-
by-case basis, and EPA intends to develop appropriate technical 
instructions for CDX submitters as program-specific reporting formats 
are adopted. These instructions normally will be distributed to the 
affected reporting communities via links on the CDX website and/or 
through program and CDX outreach efforts. EPA is working with 
authorized state, tribe, and local programs to develop standards-based 
reporting formats to meet their shared needs. In many instances, CDX 
contemplates a long transition period between file formats currently 
used to exchange data with regulated entities and any new, standards-
based formats. During this transition, CDX may offer submitters several 
electronic submission options; these may include an existing data 
format familiar to submitters, one or more new standards-based formats, 
and some other approach such as a smart-form hosted on a secure 
website.
    Client-side architecture and transaction environment. The proposal 
described a downloaded ``client'' that would generally supplement the 
browser to support the signature and security for CDX; such ``client 
side'' software is no longer needed for all cases of electronic 
reporting to CDX. However, in some cases CDX now uses various 
technologies to transparently insert routines into browsers during a 
user session to support special functions--for example to support the 
creation of a PKI-based electronic signature with an ACES business 
class certificate.

D. How will EPA provide notice of changes to CDX?

    As noted in the proposal, the fully-implemented CDX will be subject 
to change over time, to take advantage of opportunities offered by 
evolving technologies, as well as to improve the system. EPA's decision 
to avoid codifying technology-specific or detailed procedural 
provisions for electronic reporting is meant, in part, to accommodate 
changes to CDX without requiring that we amend our regulations. 
Nonetheless, EPA recognizes that such changes can affect regulated 
entities that participate in electronic reporting; therefore, the final 
rule provides for advance notice when EPA intends to make changes to 
CDX. As discussed in the proposal, we distinguish four categories of 
changes:
     ``Significant'' changes that are likely to affect the 
kinds of hardware, software or services involved in transmitting 
electronic reports (Sec.  3.20(a)(1));
     ``Other'' changes that will affect the process or the 
timing of transmitting electronic reports to CDX, but without affecting 
the kinds of hardware, software or services involved in making the 
transmissions (Sec.  3.20(a)(2));
     ``Emergency'' changes necessary to protect the security or 
operational integrity of CDX (Sec.  3.20(b)).
     ``De minimis or transparent'' changes that will have 
minimal or no impact on the process or the timing of transmitting 
electronic reports to CDX.

``Significant'' changes include changes to the types of file formats 
CDX will accept--for example a change from extended markup language 
(XML) formats to some non-XML format--as well as changes to the 
technologies that may be used for file transfer to CDX or for creating 
electronic signatures on transmitted reports. ``Significant'' changes 
will not generally include optional upgrades to software, the

[[Page 59864]]

provision of additional formatting (or other technical) options, or 
changes to CDX that simply reflect changes to the underlying regulatory 
reporting requirements. ``Other'' changes include an increase in--or 
re-ordering of--the steps involved in transmitting electronic reports, 
changes to the registration or credential (e.g., PIN, password, PKI 
certificate) provisioning process that could affect users ability to 
access CDX, and changes to reporting formats that involve the 
reconfiguration of software. ``Emergency'' changes include such things 
as an upgrade to the system firewall protection. Finally, ``de minimis 
or transparent'' changes include the myriad small or ``back end'' fixes 
and improvements that EPA makes to CDX each week that have minimal or 
no impact on the transmission process. Such changes may range from 
fixing a typo on a data entry screen to re-engineering the system's 
archiving routines.
    To address ``significant'' changes, Sec.  3.20(a)(1) of the final 
rule provides that EPA will give public notice in the Federal Register 
of such changes and will seek comment. EPA proposed to provide this 
notice at least a year in advance of contemplated implementation, but 
based on experience developing and operating a CDX prototype, EPA no 
longer believes that a single time-frame is appropriate in all 
situations. For example, ``significant'' changes that could affect the 
transmission of an annual report may respond to needs or events that 
arise less than a year in advance of the report's due date. On the 
other hand, some ``significant'' changes may require more than a year 
for reporting entities to accommodate. Accordingly, the final rule 
provides that these Federal Register notices will propose and seek 
public comment on an implementation schedule for a ``significant'' 
change, along with describing and inviting comment on the change 
itself. To address ``other'' changes to CDX, Sec.  3.20(a)(2) of the 
final rule provides that EPA will give notice at least 60 days in 
advance of implementation. The notice in this case will typically be to 
CDX users, and the method of notice may be electronic, perhaps using 
the facilities of CDX itself. For ``emergency'' and ``de minimis or 
transparent'' changes, EPA will make decisions on whether, when, and 
how to provide public notice on a case-by-case basis.

VI. Requirements for Electronic Reporting Under EPA-Authorized Programs

A. What is the general regulatory approach?

    As explained in Part V of this preamble, the requirements in Sec.  
3.10 of today's rule apply to reporting entities that submit electronic 
reports directly to EPA. By contrast, today's rule contains no 
requirements that apply directly to entities who submit electronic 
reports to state, tribe, or local government agencies. However, Subpart 
D of today's rule does contain requirements that apply to state, tribe, 
or local government agencies that operate EPA-authorized programs. 
Subpart D of today's rule requires that such agencies that receive, or 
wish to begin receiving, electronic reports under an authorized program 
must apply to EPA for a revision or modification of that program and 
get EPA approval. Subpart D provides standards for such approvals based 
on consideration of the electronic document receiving system that the 
state, tribe, or local government will use to implement the electronic 
reporting. Additionally, Subpart D provides for special procedures for 
program revisions and modifications that provide for electronic 
reporting, to be used at the option of the state, tribe, or local 
government in place of procedures available under existing program-
specific authorization regulations.
    Generally speaking, EPA believes that even absent today's rule, an 
authorized program's electronic reporting implementation would still 
need EPA's approval under a program revision or modification. At least 
where electronic reports may play a role in enforcement proceedings, 
the authorized program's electronic reporting implementation has the 
potential to affect program enforceability, and as such, revises or 
modifies the program. Today's rule makes this explicit in Sec.  3.1000. 
In addition, the final rule includes program-specific amendments to 
various provisions in 40 CFR to cross reference those rules to the new 
Part 3. With this approach, EPA hopes to support and promote state, 
tribe, and local government efforts to make electronic reporting 
available under their authorized programs, both by clarifying the 
requirement that EPA approve these electronic reporting initiatives, 
and by providing a single, uniform set of standards and a specially-
designed process to facilitate electronic reporting approval for 
otherwise authorized programs.

B. When must authorized state, tribe, or local government programs 
revise or modify their programs to allow electronic reporting?

    1. The general requirement. As discussed earlier, this rule does 
not require states, tribes, or local governments to allow or require 
electronic reporting. Where they choose to do so, Sec.  3.1000 
generally provides that they must revise or modify such programs to 
ensure that their electronic reporting implementation will meet the 
requirements of section 3.2000. Additionally, once these authorized 
programs begin operating the electronic reporting systems under EPA-
approved revisions or modifications, they must keep EPA informed of 
changes to laws, policies or the electronic reporting systems that 
could affect the program's compliance with Sec.  3.2000. Where the 
Administrator determines that such changes require EPA review and 
approval, EPA may ask the authorized program to submit an application 
for revision or modification to address the changes. Alternatively, the 
authorized program can apply for a revision or modification on its own 
initiative.
    For any of these program revisions or modifications, states, 
tribes, or local governments may use either the application procedures 
provided under Sec.  3.1000(b)-(e) or the program-specific procedures 
provided in other parts of Title 40 or the applicable statute. 
Whichever procedure is used, the state, tribe, or local government must 
submit an application that complies with the requirements of Sec.  
3.1000(b)(1), discussed in section VI.C.1. Section 3.1000(b)(1) 
identifies the elements of an electronic reporting program that EPA 
would need to consider in order to approve a state's, tribe's, or local 
government's approach to receiving electronic documents, in lieu of 
paper, to satisfy requirements under their EPA-authorized programs.
    2. Deferred compliance for existing systems. For authorized 
programs that have ``existing'' electronic document receiving systems 
as of the date this final rule is published, EPA is deferring the 
deadline for these programs to submit their applications for program 
revisions or modifications with respect to such systems. The deferral 
is generally two years from the date of this rule's publication. This 
approach is consistent with similar provisions under other regulations 
governing program authorization where new requirements are imposed. 
Additionally, EPA conducted extensive discussions with entities 
operating authorized programs about how much time they generally

[[Page 59865]]

would need to bring their systems into compliance with today's rule, 
given their funding cycles, program review schedules under 
``performance partnership'' agreements, the timeframes for making any 
necessary system upgrades and completing an application for program 
revision or modification, and any necessary legislative or regulatory 
changes. Based upon these discussions, we believe that this two-year 
period is generally sufficient to allow these programs to make the 
transition to CROMERR-compliant systems without having to discontinue 
their electronic reporting operations. Today's rule also allows 
authorized programs to request extensions to the two-year deadline 
where the timeframe for regulatory or legislative changes may be 
somewhat longer.
    EPA's purpose in deferring the application deadline for program 
revisions or modifications with respect to existing electronic 
reporting is to avoid disrupting authorized programs' electronic 
reporting initiatives that are already underway. With this goal in 
mind, EPA has defined ``existing electronic document receiving system'' 
broadly, to include not only those that are actually operational at the 
time the final rule is published, but also those that are substantially 
developed. We recognize that it would be disruptive to require that 
authorized programs shut down their operational systems during the time 
it would take to prepare, submit and have their applications for 
revision or modification approved. However, there is often a very fine 
line between an operational system and a system under development; for 
example, where the developmental work is to scale a working prototype 
up to production. In addition, at least the later stages of development 
are likely to be restrained substantially or even halted if a system 
must await EPA approval to operate, and this may affect system costs, 
availability of contractor staff and their ability to complete the 
system in a timely manner. Avoiding such disruptions to substantially 
developed systems is part of the goal of the deferred compliance 
provisions. To define what counts as a ``substantially developed'' 
system for this purpose, the definition of ``existing electronic 
document receiving system'' uses evidence that system services or 
specifications are already established by existing contracts or other 
binding agreements. Where an agency has already made legally binding 
agreements to procure a significant proportion of the services and/or 
components that will constitute the system then such a system would be 
considered ``existing'' under this rule.
    While many or most authorized programs with existing systems may 
need this two-year compliance deferral, some may have no difficulty 
submitting a completed application well before the end of two years. We 
strongly encourage such early submissions when feasible. This will make 
better use of EPA's review resources and will provide earlier certainty 
of compliance with this rule for existing state, tribe, and local 
government electronic reporting programs that are subject to this rule. 
In addition, EPA believes that, whether through informal consultation 
or formal application, identifying and addressing any existing system 
issues as early as possible is the best way to avoid disruption to 
electronic reporting initiatives currently underway.

C. What alternative procedures does EPA provide for revising or 
modifying authorized state, tribe, or local government programs for 
electronic reporting?

    Under Sec.  3.1000, this rule provides procedures which a state, 
tribe, or local government, at its option, can use to seek approval for 
revisions or modifications with respect to electronic reporting under 
its existing authorized programs. These optional procedures are 
available both for revisions or modifications that seek initial EPA 
approval for electronic reporting programs, and also for revisions or 
modifications to accommodate substantial changes to electronic 
reporting programs that already have EPA approval.
    Although there is always the alternative of using the program-
specific procedures provided in other parts of 40 CFR, EPA believes 
that, normally, a state, tribe, or local government would find the 
procedures provided in this rule to be shorter, simpler, and easier. 
The Sec.  3.1000 procedures allow submission of a single, relatively 
simple application to request revisions or modifications that address 
electronic reporting across any number of authorized programs. 
Additionally, the procedures provide for a single, straightforward EPA 
review process, with deadlines for EPA action written into the rule. 
EPA believes that these procedures will be especially useful where the 
state, tribe, or local government is planning to implement all of its 
program-specific electronic reporting with a single system. Rather than 
requiring approval program-by-program, Sec.  3.1000 allows the system 
to be addressed in a single application package that can be reviewed in 
its entirety and responded to within a relatively short and predictable 
time-frame.
    1. The application. To request modifications or revisions under 
this rule, Sec.  3.1000(b)(1) requires a state, tribe, or local 
government to submit an application that generally contains three 
elements. The first is a certification that state, tribe, or local 
government laws and/or regulations provide sufficient legal authority 
to implement electronic reporting in conformance with Sec.  3.2000 and 
to enforce the affected authorized programs using electronic documents 
collected under those programs; the application must also include 
copies of the relevant laws and/or regulations. This certification of 
legal authority is not meant to address actual conformance with Sec.  
3.2000(b); that is, the certification is not meant to reflect a 
judgment about the capabilities of an agency's electronic document 
receiving system. However, the certification would address Sec.  
3.2000(c), and must be signed by the governmental official who is 
legally competent to certify with respect to legal authority on behalf 
of his or her government. In the case of a state, this official must be 
the Attorney General or his or her designee. In the case of tribes or 
local governments, this official must be the chief executive or 
administrative official or officer or his or her designee. EPA realizes 
that obtaining an Attorney General's certification for state 
applications may involve considerable administrative burden; however, 
as a legal matter, EPA believes that Attorneys General or their 
designees are the only officials capable of certifying with respect to 
their states' legal authority. Where there are substantial 
administrative obstacles to involving the Attorney General in such 
certifications, EPA urges the state Attorney General to provide for a 
legally-competent designee who is available to participate in the 
submission of the state's application.
    The second element of the application, and the most substantive, is 
a listing and description of the electronic document receiving systems 
that do or will receive the electronic submissions addressed by the 
requested program revisions or modifications. The application should 
specify the electronic submissions each system will be used to receive, 
and which (if any) of these submissions involve electronic signatures. 
In describing each system, the application should explain how the 
system will satisfy the applicable requirements of Sec.  3.2000. Many 
of these requirements apply only to systems that receive submissions 
with electronic

[[Page 59866]]

signatures; accordingly, the descriptions for systems that receive no 
electronically signed submissions will be relatively short and simple. 
For each of the Sec.  3.2000 requirements that do apply, the 
description should explain the functions the system will perform to 
satisfy the requirement, and the technologies that will be used to 
achieve this functionality. EPA does not expect such explanations to 
include detailed technical specifications of the systems, but rather to 
provide conceptual descriptions of the technical approach and 
functionality. In implementing this rule, EPA will provide applicants 
with more detailed recommendations for preparing these system 
descriptions, including examples and an application checklist.
    The third element of the application is simply a schedule of 
upgrades to each system addressed by the application--to the extent 
that such upgrades can be anticipated--together with a brief discussion 
of how the upgrades will assure continued compliance with Sec.  3.2000. 
This third element should be thought of as an appendix to the second, 
recognizing that the functionality with which each electronic document 
receiving system addresses the Sec.  3.2000 requirements normally 
exists within the dynamic environment of the system life cycle.
    2. Review for completeness. Once EPA receives an application 
submitted under the procedures in this rule, EPA will, within 75 
calendar days, send a letter that either notifies the applicant that 
its application is complete or identifies deficiencies that render the 
application incomplete. An applicant that receives a notice of 
deficiencies may amend the application and resubmit it. From the date 
EPA receives the amended application, EPA will, within 30 calendar 
days, respond with a letter that either notifies the applicant that the 
amended application is complete or else identifies remaining 
deficiencies. If an amended application is not submitted within a 
reasonable time period to remedy identified deficiencies, EPA has the 
authority to review and act on the incomplete application, as explained 
in section VI.C.3.
    3. EPA actions on applications. EPA will act on an application by 
either approving or denying the requested program revisions or 
modifications. In the case of a consolidated application for revision 
or modification of more than one program, EPA need not take the same 
action on each revision or modification; some may be approved while 
others are denied. EPA will have 180 calendar days from the time it 
sends a notice of completeness to act on an application in its 
entirety. Except in certain cases of requested revisions or 
modifications associated with existing systems (see section VI.C.4) or 
with an authorized public water system program under 40 CFR part 142 
(see section VI.C.5), if EPA does not act on a program revision or 
modification by the end of the 180-day review period, then that 
revision and/or modification is considered automatically approved by 
EPA. The rule allows this review period to be extended, at the request 
of the state, tribe, or local government submitting the application. 
This may accommodate situations where EPA and the applicant are working 
through issues that may take more than the 180-day review period to 
resolve, and they mutually find it in their best interest to continue 
discussion before EPA makes its decision.
    Where EPA approves a program revision or modification (by either 
affirmative or automatic approval), the approval becomes effective when 
EPA publishes a notice of the approval in the Federal Register. Where 
EPA denies a requested revision or modification, EPA will explain the 
reasons for the action and advise the applicant of the steps that can 
be taken to remedy the application's defects and will generally try to 
work with the applicant to address the issues that have posed an 
obstacle to approval. Additionally, in some cases, denial of approval 
under the Sec.  3.1000 process may result from EPA's determination that 
the application raises certain issues that are highly program-specific 
and that these cannot be adequately addressed through the procedures 
provided in this rule. For example, there may be issues that require a 
discussion of program features that the Sec.  3.1000(b)(1) application 
would not cover. In such cases, EPA will identify the issues that 
exceed the scope of the Sec.  3.1000 process and will advise the 
applicant to request the revision or modification under the applicable 
program-specific procedures provided in other parts of Title 40.
    4. Revisions or modifications associated with existing systems. 
Some applications will request modification or revision to an 
authorized program with an ``existing electronic document receiving 
system''. As noted in section VI.B.2, the deadline for submitting such 
applications is two years after the publication of today's rule. Where 
such applications are submitted and are determined to be complete 
before the two-year deadline, EPA will have a 180-day review-period for 
any program modification or revision being requested, as explained in 
section VI.B.3. However, where EPA sends notification that an 
application is complete after the two-year deadline has passed, for 
example, because the application was submitted relatively late in the 
two-year period, EPA will have 360 days to act on any requested 
modification or revision addressed by the application. As with the 
cases where EPA has 180 days to act, this 360-day review period can be 
extended at the request of the state, tribe, or local government 
submitting the application.
    The rule provides for this extended review period to deal with the 
possibility that EPA will receive a large number of applications 
associated with existing systems just before the two-year deadline 
expires. If the number of such applications is sufficiently large, EPA 
may not be able to act on all of them within a 180-day review period. 
States, tribes, or local governments that wish to avoid the extended 
review may do so by submitting their applications addressing existing 
systems early enough in the two-year period to ensure that EPA can 
determine completeness before the deadline. As noted in section VI.B.2, 
EPA strongly encourages such early submissions wherever they are 
feasible.
    5. Public hearings for Part 142 revisions or modifications. Where a 
complete application requests a revision or modification of an 
authorized public water system program under 40 CFR part 142, EPA will 
make a preliminary determination on the request--either an approval or 
a denial--by the end of the 180-day review period (or the 360-day 
extended review period discussed in section VI.C.4). EPA will then 
publish a notice of the preliminary determination in the Federal 
Register. The notice will state the reasons for the preliminary 
determination, and will inform interested members of the public that 
they may request a public hearing on the preliminary determination. 
Such hearing requests must be submitted within 30 days of the notice's 
Federal Register publication. If no requests are submitted, and the 
Administrator does not hold a hearing on his or her own motion, then 
the preliminary determination will be effective 30 days after the 
initial Federal Register publication.
    If a request for hearing is granted, or the Administrator 
determines that a hearing is warranted, EPA will publish an additional 
Federal Register notice announcing--at least 15 days in advance of any 
such hearing--the date and time of any hearing, contact information, 
and the purpose of the hearing. At the hearing, a hearing officer will 
receive oral and written testimony, and will forward a record of the 
hearing to the EPA Administrator. After

[[Page 59867]]

reviewing the record of the hearing, EPA will by order either affirm or 
rescind the preliminary determination, and will publish notice of this 
decision in the Federal Register. If the order is to approve the 
revision or modification, the approval will be effective upon 
publication of the order in the Federal Register.
    6. Re-submissions and amendments. States, tribes, or local 
governments whose Sec.  3.1000 applications for revisions or 
modifications have been denied in whole or in part may reapply for 
reconsideration, using either the Sec.  3.1000 procedures again, or, at 
their option, the applicable program-specific procedures. A state, 
tribe, or local government may also, on occasion, choose to amend a 
Sec.  3.1000 application after the Administrator has determined the 
application to be complete. In such cases, the application will be 
considered to have been withdrawn and resubmitted as a new package, and 
a new 75-day completeness determination process will begin. An 
applicant may choose to withdraw and resubmit the package in this 
manner, for example, if it becomes clear relatively early into the 180-
day review period that the application cannot be approved in its 
current form. For such re-submissions, EPA will work diligently to 
expedite the completeness determination.

D. What general requirements must state, tribe, and local government 
electronic reporting programs satisfy?

    States, tribes, and local governments that accept electronic 
reports in lieu of paper under their authorized programs must satisfy 
the requirements of Sec.  3.2000(b) and (c). Section 3.2000(b) sets 
forth the standards that acceptable electronic document receiving 
systems must satisfy, and these are explained in detail in section 
VI.E. In parallel with Sec.  3.4 on federal compliance and enforcement, 
Sec.  3.2000(c) requires that the state, tribe, or local government be 
able to seek and obtain any appropriate civil, criminal or other 
remedies under state, tribe, or local law for failure to comply with a 
reporting requirement if a person submits an electronic document that 
fails to comply with the applicable provisions for electronic 
reporting. Similarly, Sec.  3.2000(c) contains provisions to ensure 
that an electronic signature provided to a state, tribe, or local 
government will make the person who signs the document responsible, 
bound, and/or obligated to the same extent as he or she would be 
signing the corresponding paper document.
    Additionally, under Sec.  3.2000(a)(2), the authorized program must 
require that any electronic document it accepts bear a valid electronic 
signature wherever the corresponding paper document would have to be 
signed under existing regulations or guidance, with the signatory being 
the same person who is authorized and/or required to sign under the 
current applicable provision. As in the case of direct reporting to EPA 
(see section V.A), the requirement for an electronic signature will 
apply only where the document would have to bear a signature were it to 
be submitted on paper, either because this is required by statute or 
regulation, or because a signature is required to complete the paper 
form. This rule does not require that authorized programs impose any 
new or additional signature requirements for electronic documents that 
are submitted in lieu of paper and were not previously required to be 
signed when submitted in paper form.
    As with direct reporting to EPA, Sec.  3.2000(a)(2) also allows an 
authorized program to make special provisions for the required 
signatures to be executed on follow-on paper submissions. As noted in 
section IV.C, such provisions must ensure that the paper submission 
containing the signatures is adequately cross-referenced with the 
electronic document being signed, and must be described as a part of 
the Sec.  3.1000(b)(1) application. Systems that receive electronic 
documents with such follow-on paper signature submissions are subject 
to all applicable Sec.  3.2000(b) requirements, including the 
requirement that the electronic document cannot be altered without 
detection after the signature has been executed.

E. What standards must state, tribe, and local government electronic 
document receiving systems satisfy?

    Section 3.2000(b) specifies the standards that electronic document 
receiving systems must satisfy if they are to be approved for use by 
states, tribes, or local governments to receive electronic documents in 
lieu of paper under an EPA-authorized program. EPA's purpose in 
specifying such standards remains the same as it was when EPA specified 
the proposed Sec.  3.2000 criteria in proposed CROMERR. As discussed in 
section IV.B.1, that purpose was to ensure that electronically 
submitted documents have the same ``legal dependability'' as their 
paper counterparts, so that any electronic document that may be used as 
evidence to prosecute an environmental crime or to enforce against a 
civil violation has no less evidentiary value than its paper 
equivalent. EPA has been motivated to provide for the legal 
dependability of electronic documents submitted under authorized 
programs by considering, among other things:
     The roles that many electronically submitted documents 
would likely play in environmental program management, including 
compliance monitoring and enforcement;
     EPA's statutory obligation to ensure that authorized or 
delegated programs maintain the enforceability of environmental law and 
regulations; and
     The consequent need to ensure that enforceability is not 
compromised as authorized programs make the transition from paper to 
electronic submission of compliance or enforcement-related documents.

The Sec.  3.2000(b) standards for electronic document receiving systems 
in today's rule provide an expanded version of what had been the 
proposed Sec.  3.2000(b) ``Validity of Data'' criterion. Like proposed 
Sec.  3.2000(b), final Sec.  3.2000(b) requires that electronic 
document receiving systems reliably enable EPA, states, tribes, and 
local governments to prove, in civil and criminal enforcement 
proceedings, that the electronic documents they receive and maintain 
are what they purport to be, that any changes to their content are 
documented, and that any associated signatures were actually executed 
by the designated signatories intending to certify that content. 
Systems must be able to satisfy the Sec.  3.2000(b) requirements for 
any electronic documents they receive that are submitted in lieu of 
paper to satisfy an authorized program requirement.
    The following discussion highlights some of the Sec.  3.2000(b) 
requirements for electronic document receiving systems. The first five 
of these requirements (timeliness of data generation, copy of record, 
integrity of the electronic document, submission knowingly, and 
opportunity to review and repudiate copy of record) apply to all 
electronic document receiving systems. The other highlighted 
requirements (validity of the electronic signature, binding the 
signature to the document, opportunity to review, understanding the act 
of signing, the electronic signature or subscriber agreement, 
acknowledgment of receipt, and determining the identity of an 
individual) apply only to systems that receive electronically signed 
documents.
    1. Timeliness of data generation. Section 3.2000(b) reflects the 
role that electronic document receiving systems play in supporting a 
wide range of compliance and enforcement-related activities, including 
compliance research and analysis, civil actions, and

[[Page 59868]]

litigation, and the fact that the success of such activities may be 
affected by the relative ease or difficulty of accessing the data 
related to electronic submissions. Accordingly, electronic document 
receiving systems must provide timely access to such data, especially 
to data relevant to the questions of what was submitted, by whom, and, 
where signatures are involved, who the signatories were and to what 
they certified. Much of this data may be assembled in the copy of 
record, together with any data needed to establish that the copy is a 
``true and correct copy of an electronic document received,'' as 
specified by the Sec.  3.3 copy of record definition. To help the 
litigator develop evidence and present it in the courtroom, it is 
advisable that the copy of record be maintained and made accessible in 
a form and format that requires the minimum possible ``assembly'' of 
its elements, so that its connection with what was received and what 
was certified to by any signatories is easy to understand and to 
demonstrate to others.
    2. Copy of record. Under Sec.  3.2000(b), an acceptable electronic 
document receiving system must retain and be able to make available a 
copy of record for each electronic document it receives that is 
submitted in lieu of paper to satisfy requirements under an authorized 
program. For such submissions, the copy of record is intended to serve 
as the electronic surrogate for what we refer to as the ``original'' of 
the document received where we are doing business on paper. The copy of 
record is meant to provide an authoritative answer to the question of 
what was actually submitted and, as applicable, what was signed and 
certified to in the particular case.
    As defined in Sec.  3.3, a copy of record must satisfy at least 
four requirements. First, it must be a true and correct copy of the 
electronic document that was received. In the case of documents 
consisting of data, this means that the copy of record must contain 
exactly the set of data elements that constituted the electronic 
document that was submitted. In the case of a document consisting of 
other forms of information, e.g., text or images, being a ``true and 
correct copy,'' may mean including file and or visual format 
information along with the items of information themselves, to the 
extent the meaning of these items is dependent on format. (See the 
discussion of the definition of ``electronic document,'' in section 
IV.D.1.) For the copy of record to fulfill its intended role, it is not 
enough that it be a true and correct copy; it must also be capable of 
being shown to be a true and correct copy; otherwise, it cannot meet 
other related system requirements, such as establishing document 
integrity. (See section VI.E.3, below.) The copy of record is shown to 
be true and correct in part by virtue of its not being repudiated by 
the submitters and/or signatories where it is made available for their 
review and repudiation. (See section VI.E.5., below.) In addition, the 
system must provide sufficient evidence to show how the copy of record 
was derived from and accurately reflects the electronic document as it 
was received by the system; such evidence is also necessary to 
establish document integrity. To provide for such evidence, the system 
may need to establish a chain of custody for the copy of record, 
particularly if there are a number of processing steps that separate 
the copy of record from the file as it enters the system. On the other 
hand, where the copy of record captures and preserves the file 
containing the electronic document exactly in the form and format in 
which it is received, then a chain of custody may not be necessary. 
Considerations of ``timeliness'' favor maintaining copies of record in 
a way that would not require a chain of custody. (See section VI.E.1., 
above.)
    Second, the copy of record must include all the electronic 
signatures that have been executed to sign the document or components 
of the document. The method of inclusion may vary, depending on the 
nature of the signature. With a digital signature, created by 
encrypting a hash of the document being signed with the private key in 
a private/public key-pair, the signature is simply a number that can 
and should be contained as a copy of record element. There is no risk 
of signature theft in this case. Each digital signature is bound to the 
specific document it signs, and the private key, which is actually used 
for signing, is inaccessible to a would-be intruder.
    With other forms of signature such as personal identification 
numbers (PINs) or passwords, items of personal information, or 
biometric images or values, including the signature as a copy of record 
element may raise signature theft issues. At least in theory, such 
signatures could be detached or copied from a copy of record and re-
used spuriously without detection. To address this risk, the signature, 
especially in the case of a PIN or password, may be encrypted for 
storage, perhaps together with a hash of the document signed, to bind 
the signature to the document content. Another approach may be to 
validate the signatory's identity, e.g. by comparing a signatory-
generated password with an encrypted version maintained securely at the 
electronic document receiving system. In such cases, the signatory-
generated password--which might be regarded as the signature--never 
actually appears on the electronic document, so the signature that is 
``included'' in the copy of record may be an encrypted form of the 
signature, or possibly nothing exactly corresponding to a signature at 
all, but rather pointers or references to the processes or encrypted 
data that provide the actual link to the signatory. There are analogous 
strategies for biometric signatures. For example, the validity of a 
biometric (e.g., a finger print, a retinal scan, etc.) may be 
established by using certain statistical algorithms to evaluate data 
provided by the biometric. In such cases, the copy of record might 
document the process of validating the signature, but without including 
the biometric data that was used to show that the signature was valid. 
On any of these approaches, the copy of record may satisfy the 
requirement that the copy ``include'' the signatures, provided that 
what the copy does contain serves to establish whether the electronic 
document in question was signed and by whom.
    Third, the copy of record must include the date and time of receipt 
to help establish its relation to submission deadlines, to the 
circumstances of its submission, and to other possibly associated 
documents that may have been submitted or alleged to have been 
submitted. This is not generally problematic, except in cases of 
continuous streams of data conveyed to the system. For such continuous 
data, reasonable alternatives may be substituted that serve the same 
purposes, for example, associating stages of the data flow with dates 
and times, say, at hourly intervals. Similarly, the copy of record may 
include other additional information to the extent that this is needed 
to establish the meaning of the content and the circumstances of 
receipt. Such additional information might include data field labels, 
signatory information such as references to PKI certificates, and 
transmission source information.
    Fourth, the copy of record must be viewable in a human-readable 
format that clearly indicates what the submitter and, where applicable, 
the signatory intended that each of the data elements or other 
information items in the document means. This supports the copy of 
record's role as a surrogate ``original'' of the paper document, and 
serves to establish the content of the document as it was signed and/or

[[Page 59869]]

submitted. The copy of record may satisfy this requirement in many 
different ways. It might actually include explicit labels or 
descriptions for each data element or information item, or preserve a 
visual format in which the data were submitted. Alternatively, it may 
incorporate a conventional ordering of the items or elements, where the 
information that associates such ordered data with labels, 
descriptions, or other means of visual display is maintained externally 
and can be invoked as needed--for example, to make the data elements 
appear within fields in the image of a filled-out form. Where the 
electronic document is created off-line by the submitter and conveyed 
as a whole to the receiving system, it is preferable for the copy of 
record to reflect the mechanism or format for indicating meaning 
supplied in the submission. For example, if the submission is in some 
standard electronic data interchange format, then the copy of record 
might usefully preserve that format. Taking this approach will help to 
resolve potential chain of custody issues if questions arise about 
whether the copy of record is true and correct. However, in cases where 
the electronic document is created on-line, for example, through the 
use of a web-form, the format for the copy of record will of necessity 
be an artifact of the electronic document receiving system itself. This 
is not problematic, as long as the system provides a way to ensure that 
the meaning of each data element as supplied by the submitter remains 
unambiguous.
    Some commenters objected to copy of record requirements because of 
the potential expense of redesigning systems that are not currently 
capable of creating and storing electronic copies of records. EPA 
notes, however, that systems satisfying copy of record requirements 
need not preserve the electronic documents received in separate or 
special storage apart from the files that maintain the data or 
information content of the documents. For example, data loaded from 
submitted electronic documents to a database may satisfy copy of record 
requirements where the stored content includes the signatures, the 
date/time of receipt, and an adequate chain of custody. This may be the 
most practical copy of record approach for receiving continuous data 
streams. Such an approach does not preclude satisfying the requirement 
that the copy of record be viewable in a human-readable format. The 
requirement does not mean that the data must be stored in a human-
readable format, so long as there is a well-documented way to display 
the stored data in such a format. In addition, nothing in the ``copy of 
record'' definition requires such copies to be electronic. Particularly 
where the signature involves some easily represented numerical value, 
the copy of record may be created and maintained in an imaging medium 
or on paper, provided that such copies can be shown to have been 
created by the electronic document receiving system to be true and 
correct copies of the electronic documents received. Whether such 
alternatives are appropriate as interim or even long-term solutions 
will depend on individual circumstances. It may be difficult to provide 
a copy of record for review and possible repudiation if the copy is not 
available as an electronic document that can be viewed on-line or 
downloaded through the network.
    3. Integrity of the electronic document. Under Sec.  3.2000(b)(1)--
(2), an acceptable electronic document receiving system must be able to 
establish that a given electronic document was not altered without 
detection in transmission or at any time after receipt, and any such 
alterations must be fully documented. For purposes of Sec.  
3.2000(b)(1)--(2), EPA excludes alterations that have no effect on the 
document's information content. Examples of excluded alterations 
include the separation of a transmitted file into packets and their 
error-free recombination, the error-free processes of file compression 
and extraction, as well as certain disk maintenance functions that may, 
for example, involve physically repositioning file components on the 
storage medium. To satisfy Sec.  3.2000(b)(1)--(2) requirements with 
respect to alterations that do affect information content, a system may 
rely on a number of different but complementary capabilities, including 
general provisions for system security, access control, and secure 
transmission. Additionally, the system's copy of record provisions help 
make the case that the electronic document is unaltered, or has been 
altered only as documented (for example, through a chain of custody), a 
case which is strengthened where submitters and/or signatories have had 
the opportunity to review the copy and have not contacted the system to 
repudiate the copy. Finally there are specific technical approaches to 
ensuring integrity, based, for example, on calculating hash values 
associated with the document content.
    4. Submission knowingly. Under Sec.  3.2000(b)(3), an acceptable 
electronic document receiving system must provide evidence that the 
submitter had some reliable way of knowing and/or confirming that the 
submission took place. This requirement is necessary to help establish 
submitter responsibility for the electronic document and to rule out 
spurious submissions, whether by accident or through the actions of an 
unauthorized submitter or ``hacker.'' EPA believes that to satisfy this 
requirement, the system must have some follow-on communication with the 
submitter related to the submission. This could be a communication 
initiated by the submitter in cases where it is realistic to rely on 
submitters to regularly check the system for evidence of documents 
submitted; where such submitter interactions are relied upon, they must 
be documented. Alternatively, the system must send some form of 
acknowledgment of submission as a response to the submitter named, and 
must document such acknowledgments, recording at least their date, 
time, content and the addresses to which they were sent. For cases 
where the electronic document bears an electronic signature, this 
acknowledgment is explicitly provided for under Sec.  3.2000(b)(5)(vi). 
(See section VI.E.11.)
    5. Opportunity to review and repudiate copy of record. Under Sec.  
3.2000(b)(4), the copy of record must be available for review and 
timely repudiation by the individuals to whom the document is 
attributed, as its submitters and/or signatories. The fact that the 
copy was available for this review and was not repudiated provides 
strong support for its being a ``true and correct copy of an electronic 
document received,'' as specified by the Sec.  3.3 copy of record 
definition. Program managers normally would set reasonable end dates 
for this process, especially where there is concern that the copy is 
not ``officially'' a copy of record until the process is complete.
    Satisfying this ``opportunity to review'' provision involves at 
least two requirements. The first is that the identified submitters 
and/or signatories must have some way of knowing that their submission 
was received, and that a copy of record is available for review. This 
requires some follow-on communication with the submitters and 
signatories related to the submission--initiated either by the 
submitters/signatories or by the system, as discussed in section 
VI.E.4. Approaches should be avoided that allow the initial submission 
and provision of copy of record to occur as a part of the same on-line 
session, because in cases of spurious submission the identified 
submitters/signatures may never learn

[[Page 59870]]

that a copy of record exists. Second, to ensure that the opportunity to 
review and repudiate is meaningful, the copy of record must be viewable 
in a human-readable format that clearly and accurately associates all 
the information elements of the electronic document with descriptions 
or labeling of those elements. This second requirement is consistent 
with the definition of ``copy of record,'' as discussed in section 
VI.E.2.
    6. Validity of the electronic signature. Under Sec.  
3.2000(b)(5)(i), for each electronic document that is required to bear 
an electronic signature, the receiving system must be able to establish 
that each electronic signature was a valid electronic signature at the 
time of signing. Under Sec.  3.3, as discussed in section IV.D.5, a 
valid electronic signature must satisfy three conditions. The first is 
that the signature must be created with a signature device that is 
``owned'' by the individual designated as signatory--``owned'' in the 
sense that this individual is uniquely entitled to use it for creating 
signatures. To establish this, an electronic document receiving system 
must be able to identify signature device ``owners'' and must be able 
to determine that an identified signatory is the owner of the device 
used to create the signature in question. Section 3.2000(b)(5)(vii) 
explicitly requires the ability to identify signature device owners, 
and section VI.E.12 of this Preamble discusses the Sec.  
3.2000(b)(5)(vii) requirements in detail.
    Concerning the determination that an identified signatory is the 
owner of the device used to create the signature, the system needs to 
have unique signature validation criteria for each identified signature 
device owner who submits electronically signed documents; the system 
must be able to apply these criteria to each signature on documents 
received. For example, in the case of a digital signature, the 
validation criteria include the existence of a valid PKI certificate 
for the identified signatory and the ability of the associated public 
key to decrypt the encrypted message digest that constitutes the 
signature. In the case of a PIN, the validation criterion may be simply 
that the PIN added to the document as a signature matches the PIN on 
file for the identified signatory.
    The second condition for an electronic signature to be considered 
valid is that the signature must be created with a device that has not 
been compromised. That is, at the time of signing, the electronic 
signature device must in fact be available only to the individual 
identified as its owner, and to no one else. Otherwise, the use of the 
device to create the electronic signature may not provide evidence that 
a specific, identifiable individual has certified to the truth or 
accuracy of an electronic document. Accordingly, an acceptable 
electronic document receiving system must provide evidence that the 
electronic documents it receives and maintains do not contain 
signatures executed with compromised devices. Such evidence will 
document the system's approach to three related functions: prevention 
of signature device compromise, detection of compromises where they 
occur, and rejection of known compromised submissions.
    The approach to prevention will include the way the system notifies 
submitters of their obligations to avoid signature compromise, 
including the obligation not to share or delegate the use of the device 
as a part of the electronic signature agreement. (See sections IV.D.4 
and VI.D.8. of this Preamble, respectively.) Prevention also involves 
choosing the kinds of signature devices to support and determining how 
they are to be used. Some devices are inherently vulnerable to 
compromise, for example, because protection from spurious use relies on 
``secret'' (such as a PIN or password) that has to be shared when the 
device is used. However, vulnerable devices can sometimes be 
strengthened with appropriate implementation. In the case of a PIN or 
password, adding an element that does not rely on secrecy--e.g. a 
physical ``token,'' such as a smart card or employee badge--that had to 
be used along with the PIN or password may greatly reduce the device's 
vulnerability. Alternatively, a system accepting secret-based 
signatures might be programmed to query the would-be signatory about a 
randomly selected piece of private information that has been (or could 
be) verified. This approach would also reduce vulnerability to 
compromise, since the discovery of a secret number or password does not 
convey other private information about the secret's owner.
    For detection of compromises, there are two complementary 
approaches. The first is to ensure that the system recognizes the signs 
of spurious submission, for example, duplicate reports, off-schedule 
submissions, and deviations from normal content or procedure. The 
second is to ensure that the system empowers submitters to detect and 
report spurious submissions by providing the regular ``out of band'' 
acknowledgments discussed in section VI.E.11. Once spurious submissions 
are detected, the system must ensure their rejection, and the rejection 
of any subsequent submissions that use the same device. An acceptable 
receiving system must provide for timely revocation or suspension of 
access by those individuals with compromised signature devices.
    Finally, a signature must be created by an individual who is 
authorized to do so, primarily by virtue of his or her relationship 
with the regulated entity on whose behalf the signature is executed. An 
electronic document receiving systems must be able to determine whether 
the identified signatories have the necessary relationship with the 
regulated entity that enables them to sign the documents being 
submitted. Generally, the system would obtain the information necessary 
for these determinations along with establishing the identity of the 
signature device owners. Section VI.E.12 of this Preamble discusses 
this point in more detail.
    The system must also have some way to keep this information up-to-
date, for example, some way to reject signatures where it is known that 
the signature device owner is no longer authorized to sign the 
electronic document in question. As with the initial registration 
process, the provisions for updating this information may vary. For 
some cases, it may be sufficient to rely on voluntary notifications 
from registrants when, e.g., their job status changes. For other cases, 
it may be appropriate to identify a responsible company official who is 
charged with managing the authorizations of employees signing documents 
on behalf of the company, to include keeping records of changes in 
authorization status and/or sending notifications. For certain cases, 
the system might limit a signature device owner's authorization to a 
defined period, which could be extended only through a re-registration 
process.
    7. Binding the signature to the document. Under Sec.  
3.2000(b)(5)(ii), an acceptable electronic document receiving system 
must establish that electronic documents cannot be altered without 
detection once such documents are signed. Well-implemented provisions 
for copy of record help satisfy this requirement. The fact that a 
signatory has not repudiated a document's copy of record that he or she 
has had the opportunity to review provides evidence that the copy 
accurately reflects the document as it was signed. However, even where 
the signatory affirms the authenticity of the copy of record at the 
time of review, he or she may still repudiate the document at a later 
date. Therefore, an acceptable electronic document receiving system

[[Page 59871]]

must provide a method of ensuring that any breach of a signed 
document's integrity can be detected. As discussed in section IV.B.2., 
such methods are available in the form of signatures that incorporate a 
hash value of the content being signed, or in the form of signature 
processes that involve the creation of this hash and its maintenance in 
association with the signed document. Encrypting the hash value, for 
example, by executing a digital signature, provide the strongest 
approach to rebutting claims that the hash has been manipulated. 
Encryption may not be necessary to the extent that the system provides 
other means to prevent tampering and establish that the hash has not 
been altered since it was calculated.
    8. Opportunity to review. Where a signatory is certifying to the 
truth or accuracy of document content, the certification represents the 
signatory as knowing and understanding the content, as well as 
certifying to its truth. Under Sec.  3.2000(b)(5)(iii), an acceptable 
electronic document receiving system must be able to provide evidence 
that the signatory had the opportunity to review what he or she was 
signing in a human-readable format. Providing this evidence may be 
relatively simple, depending on the signature/certification scenarios 
that the system provides for or allows. In a case where the system only 
allows signature/certification during an on-line client-server session, 
and where the server always explicitly gives the signatory the option 
of scrolling through an appropriately-formatted display of the 
submission content before signing, documenting these server functions 
should suffice to provide the required evidence. Cases that may be 
similarly straightforward include those where signature/certification 
takes place off-line, at the signatory's computer, but using software 
provided by or certified by the governmental entity whose system will 
receive the signed electronic document. In this case, the evidence is 
provided by documenting how the software works. Less straightforward 
are cases where the signature/certification software is completely 
beyond the control of the governmental entity. In such cases, evidence 
of the opportunity to review may need to rely on the use of a 
submission format that demonstrably allows a human-readable display of 
the content. For example, the fact that the file format is a Word or 
Excel file and that the file provides a human readable display when 
opened with the right program may constitute sufficient evidence that 
the opportunity to review has been provided.
    9. Understanding the act of signing. Where a signatory is 
certifying to the truth or accuracy of document content, the 
certification affirmatively represents that the signatory understands 
both what the act of signing means and that he or she is subject to 
criminal liability for false certification. Reporting formats in the 
paper medium provide evidence that certifications are made with the 
requisite understandings by placing the certification statement in a 
clearly visible position near the place where signatures are to be 
affixed and by prominently displaying the statement that there are 
criminal penalties for false certification. Under Sec.  
3.2000(b)(5)(iv), an acceptable electronic document receiving system 
must ensure that such statements are presented in conjunction with 
electronic signature/certification. Satisfying this requirement is 
straightforward where the system itself provides for the signature 
process or where the governmental entity receiving the submission 
provides or otherwise has control over the signature/certification 
software being used. In other cases, satisfaction will depend on 
requiring that the signatories and/or submitters incorporate such 
statements into their documents before they are signed or into screens 
that are displayed prior to signature. Confidence that the requirement 
is satisfied will depend in part on the extent to which the submission 
process involves the use of common, easy-to-display file structures 
together with the software to display the files being signed.
    10. The electronic signature or subscriber agreement. Under Sec.  
3.2000(b)(5)(v), an acceptable electronic document receiving system 
must be able to provide evidence that any signatory of documents 
received by the system has signed an electronic signature agreement or 
subscriber agreement with respect to the electronic signature device he 
or she uses to sign the documents. ``Electronic signature agreement'' 
and ``subscriber agreement'' are defined under Sec.  3.3, the latter 
referring to electronic signature agreements that are executed with ink 
on paper. (The distinct role of subscriber agreements is explained in 
section VI.E.12.) By signing such agreements, an individual agrees to 
protect his or her signature device from compromise, that is, to keep a 
secret code secret, a hardware token secured, etc., and not to 
deliberately compromise the device by making it available to others. He 
or she also agrees to promptly report any evidence that the device has 
been compromised, for example, to promptly notify the system manager if 
he or she receives system acknowledgments of submissions he or she did 
not make, or if the device has become available to others. Finally, by 
signing the electronic signature or subscribed agreement, an individual 
agrees that use of his or her electronic signature device to sign 
documents creates obligations and/or legally binds him or her to the 
same extent as he or she would be bound or obligated by executing 
handwritten signatures. EPA believes that such agreements are necessary 
to assure--and provide evidence--that the signatory recognizes his or 
her obligations with respect to the electronic signature device. 
Insofar as the institutions surrounding the use of electronic 
signatures are relatively new, EPA believes that express recognition of 
signatory obligations through explicit agreements avoids potential 
ambiguity or misunderstandings.
    11. Acknowledgment of receipt. Where an electronic signature is 
used to certify to the truth or accuracy of document content--with 
criminal liability for false certification--then it is especially 
important to ensure that any individual identified as signatory has the 
opportunity to detect and repudiate any spurious submissions made in 
his or her name through unauthorized access to signature device and/or 
the electronic document receiving system. To provide for this, Sec.  
3.2000(b)(5)(vi) requires the system to automatically send 
acknowledgments of document receipt to the individuals in whose names 
the submissions are made, the acknowledgments in each case identifying 
the document in question, the signatories, and the date and time of 
receipt.
    Additionally, Sec.  3.2000(b)(5)(vi) requires that each 
acknowledgment be sent to an address with access controls different and 
separate from those that enable the submission itself, so that in cases 
of compromised access, the individual in whose name a submission is 
made would still receive the acknowledgment without interference. This 
is sometimes referred to as ``out of band'' acknowledgment. In web-
based commerce, this is fairly standard practice--a purchase is 
normally acknowledged directly to the internet protocol (IP) address 
from which the purchase is made, as a part of the on-line session, but 
also is confirmed through a follow-up communication to an email 
address. Note that while the ``out of band'' acknowledgment is normally 
sent electronically, electronic transmission is not required. A paper 
acknowledgment sent by U.S. Mail, or a voice acknowledgment via 
telephone would serve the same purpose so long

[[Page 59872]]

as these are documented by the system so they may be produced, possibly 
as evidence, at a later date.
    12. Determining the identity of the individual uniquely entitled to 
use a signature device. As discussed in section VI.E.6, a system cannot 
accept an electronic signature as valid unless it establishes an 
identity between the individual designated as signatory and the owner 
of the device used to create the signature. Any circumstance casting 
doubt on the device's ownership undermines the certainty that 
signatures created with the device are valid; if it's not certain whose 
device created the signature then it's not certain whether the actual 
signatory is the individual who is designated as signatory in the 
submitted document. Additionally, it must be clear what the signature 
device owner's relation is to the entity on whose behalf a document is 
signed, in order to be certain that this device owner is an authorized 
signatory. This is also a condition of signature validity. (See section 
VI.E.6.) Accordingly, to assure that electronically signed documents 
are legally reliable, a system accepting such documents must have a 
process for determining who owns the signature devices used to create 
the signatures, and their relations to the entities on whose behalf 
they sign submitted documents. Section 3.2000(b)(5)(vii) explicitly 
reflects this performance standard by requiring that a system provide 
for such determinations ``with legal certainty.'' That is, the system 
must be able to provide evidence sufficient to prove the signature 
device owner's identity and relation to entities on whose behalf he or 
she signs in a context where designated signatories may have an 
interest in repudiating their signature device ownership or in 
distancing themselves from the entities on whose behalf they are 
supposed to have signed.
    Section 3.2000(b)(5)(vii) does not specify how this performance 
standard is to be met, however, at a minimum, an ``identity-proofing'' 
capability must involve access to a set of descriptions that apply 
uniquely to the individual in question and refer to attributes that are 
durable, documented, and objective. Such descriptions must be capable 
of being shown at any time to uniquely identify the individual without 
having to depend on anyone who might have an interest in repudiating 
the identification. Section 3.2000(b)(5)(vii) requires that more 
specific conditions be met for the special class of electronically 
signed documents that are included in the list that defines ``priority 
report'' under Sec.  3.3 and Appendix 1 to Part 3. The priority reports 
are those that EPA has identified as likely to be material to potential 
enforcement litigation. Given this likelihood, it is important to 
provide not only for the provability of signature device ownership in 
principle, but for the practical need to make this proof with the 
resources typically available to enforcement staff and within the 
constraints of the judicial process in criminal and civil proceedings. 
To address this practical dimension of identity-proofing in the case of 
priority reports, Sec.  3.2000(b)(5)(vii) adds three conditions to the 
general performance standard. The first is that the identity of a 
signature device owner must be verified before the system accepts any 
electronic signature created with the device. The second, in Sec.  
3.2000(b)(5)(vii)(A), is that this verification must be ``by 
attestation of disinterested individuals.'' The third condition, also 
contained in Sec.  3.2000(b)(5)(vii)(A), specifies that the 
verification be ``based on information or objects of independent 
origin, at least one item of which is not subject to change without 
government action or authorization.''
    Regarding the first condition, requiring identity-proofing before 
the signature device is used helps prevent systems from accepting 
electronic signatures that cannot be proved to be valid in the context 
of an enforcement proceeding. This is at least a potential concern in 
any case of electronic signature, but it is also a very real concern in 
cases where what is signed is a priority report. The second condition 
anticipates the need to prove signature device ownership in court, by 
ensuring the availability of someone credible to offer testimony about 
the device owner's identity who does not have an interest in 
repudiating device ownership. This is the idea of verification by a 
``disinterested individual,'' the term defined under Sec.  3.3 as ``a 
person who is not the employer; the employer's corporate parent, 
subsidiary, or affiliate; contracting agent; or relative (including 
spouse or domestic partner) of the individual in whose name the 
electronic signature device is issued.'' The condition suggests an 
identity-proofing process carried out by a trusted third party, and, in 
the current electronic commerce environment, this would typically be a 
PKI certificate authority (CA), whose business is to issue certificate-
based electronic signature devices that reflect identity-proofing at a 
specified level of assurance. However, it is important to be clear that 
verification by a ``disinterested individual'' does not have to involve 
a PKI-based approach to electronic signatures. Indeed, it does not have 
to involve a third party at all; the disinterested individual could 
simply be an employee of the agency operating the electronic document 
receiving system, if that agency itself has the resources to provide 
for identity-proofing as it registers signature device owners to use 
the system. Additionally, if a trusted third party is wanted, there are 
alternatives to the CA. For example, with an appropriately defined 
procedure, a notary public or some local government official could play 
this role; so could some other governmental agency, such as department 
of motor vehicles, which is in the business of issuing credentials 
based (usually) on in-person verification of identity.
    The third condition sets a standard for the evidence on which 
verification of identity would be based--evidence that would be 
attested to by the disinterested individual provided for by the second 
condition. The standard refers to ``information or objects'' and for 
each requires that they be ``of independent origin'' and include at 
least one item that requires ``governmental action or authorization'' 
to change. Information ``of independent origin'' must be knowable 
empirically, and not simply as a matter of someone's say so; objects of 
independent origin could provide such information. Such information, 
where it concerns an individual's identity, would generally come from 
three sources: first, documented, direct, in-person contact; second, 
documentation of the individual's history--e.g., as an employee, a 
consumer, a student, etc.--with objects such as credit cards, 
passports, etc., sometimes together with corroborating testimony; and 
third, forensic evidence of unique, immutable traits, from such objects 
as fingerprints, photos, and handwritten signatures.
    Evidence of identity from any of these three sources will meet the 
Sec.  3.2000(b)(5)(vii)(A) standard, provided that the information used 
also includes at least one item that cannot be changed without 
governmental action or authorization--for example, a social security 
number, a passport number, or a driver's license number. This last 
requirement helps assure that the identifying information used is 
sufficiently well-documented and durable to support re-verification of 
identity at some later date. The requirement also facilitates identity-
proofing that relies on database searches, insofar as data on 
individuals tends to be keyed to government-issued identifiers. 
Finally, while such

[[Page 59873]]

identifiers are items of information, they typically are presented on 
objects--e.g. a driver's license or a passport--that provide 
independent evidence of their authenticity.
    EPA recognizes that the identity-proofing requirements specified in 
Sec.  3.2000(b)(5)(vii)(A) may be difficult to implement in some cases. 
The rule therefore allows a system to meet the Sec.  
3.2000(b)(5)(vii)(A) requirements for cases of priority reports in 
other ways. Under Sec.  3.2000(b)(5)(vii)(C), a system may collect a 
subscriber agreement (see section VI.E.10) from each signatory of the 
priority reports received by the system, in lieu of satisfying Sec.  
3.2000(b)(5)(vii)(A). Alternatively, the system may collect a 
certification from a ``local registration authority'' (LRA) that such a 
subscriber agreement has been executed and is being securely stored. As 
defined under Sec.  3.3, an LRA is an individual who plays the role of 
a custodian of subscriber agreements, maintaining these paper 
agreements as records and sending the system a certification of receipt 
and secure storage for each such agreement he or she receives. The 
presumption is that such certifications would be sent electronically to 
the system as signed electronic documents. To become an LRA, an 
individual must have his or her identity established by notarized 
affidavit, and must be authorized in writing by the regulated entity to 
issue these ``agreement collection certifications'' (defined under 
Sec.  3.3) on its behalf.
    A state, tribe, or local government adopting the subscriber 
agreement alternative might chose to implement through LRAs as a way of 
reducing the pieces of paper it had to manage in operating its 
electronic document receiving system. While setting up the LRA 
relationships requires the collection of affidavits and authorizations 
on paper, this involves far fewer paper transactions than collecting 
the individual subscriber agreements from each person who signs 
priority reports. However, only larger companies or facilities with 
many employees signing priority reports are likely to be motivated and 
able to designate a company official as an LRA. Although nothing in the 
rule prohibits third parties from serving as LRAs for the smaller 
companies, a subscriber agreement implementation will probably always 
involve accepting some of these agreements directly from priority 
report signatories. What is essential under Sec.  3.2000(b)(5)(vii)(C) 
is that a subscriber agreement be available, as needed, to establish 
the identity of the associated signature device owner. Identity in this 
case is established based on the forensic properties of the handwritten 
signature on the agreement.
    Finally, Sec.  3.2000(b)(5)(vii)(B) gives states, tribes, or local 
governments the flexibility to propose identity-proofing methods that 
may not meet the specific requirements of Sec.  3.2000(b)(5)(vii)(A), 
but which are no less stringent than the methods that satisfy Sec.  
3.2000(b)(5)(vii)(A). For example, if a method of electronic identity-
proofing were proposed that relies on the attestations of an LRA who is 
not a disinterested party, EPA would look for other features in the 
identity-proofing method that guarantee the identity of the LRA and the 
trustworthiness of the identity-proofing that the LRA would conduct. 
Similarly, if an identity-proofing method were proposed that relies on 
objects or information that are not of independent origin (e.g., a 
company identification card), EPA would look for other features in the 
authentication method that guarantee that the registrant's identity 
could not have been manufactured by the registrant or another 
interested party. EPA's expectation is that the advance of technology 
may also make new methods of identity-proofing available that meet the 
needs of the enforcement community, and we expect that Sec.  
3.2000(b)(5)(vii)(B) could be used to accommodate such new methods when 
implemented as part of electronic document receiving systems.

VII. What are the costs of today's rule?

A. Summary of Proposal Analysis

    The Agency has conducted a number of analyses to ensure that this 
rule complies with the various statutory and administrative 
requirements that apply to EPA regulations. The results of the analyses 
are summarized in this section.
    In the proposal, EPA estimated that the proposed rule could result 
in an average annual reduction in burden of $52.3 million per year for 
those facilities reporting, $1.2 million per year for EPA, and $1.24 
million for each of the 30 states that were assumed to implement 
programs over the eight years of the analysis. EPA received many 
comments on the costs associated with the proposed electronic reporting 
provisions. Comments included concerns about the proposal's assumptions 
related to the number of affected entities, the number of registered 
users per facility, the costs to state programs, and the costs of 
implementing standard formats. Several commenters expressed support for 
the analysis findings, concurring that electronic reporting will reduce 
their environmental reporting costs. EPA's response to these comments 
is explained in the following section. Additional comments on the cost 
analysis and EPA's responses can be found in the rulemaking docket, in 
the Response to Comments document.

B. Final Rule Costs

    In response to comments received on the proposed rule, EPA 
conducted additional cost analyses to determine the impacts of this 
rule on regulated entities, states, tribes, and local governments, and 
EPA programs. In developing the analysis for this final rule, EPA 
relied heavily on existing sources of data that included:
     EPA's 2002 Government Paperwork Elimination Act (GPEA) 
Report to OMB;
     Interviews with EPA programs, states, and nine industry 
representatives currently using CDX to report electronically;
     EPA's Information Collection Requests (ICRs);
     EPA's Envirofacts Warehouse and Facility Registry System;
     Follow-up to comments received from twenty state and local 
government agencies and several major industry associations; and
     Market research to assess trends of large and small 
companies using the Internet, costs of technology for electronic 
signature and data exchange formats, and other technical issues.
    Based on the additional analyses, EPA estimates that under this 
rule there will be a total cumulative cost savings to the Agency, over 
the period 2003 to 2012, ranging from $64.4 million to $75.4 million, 
depending on the discount rate used. For those that adopt electronic 
reporting, EPA estimates a total cumulative cost burden to state and 
local governments under this rule, over the period 2003 to 2012, 
ranging from $57.2 million to $65.2 million annually, depending on the 
discount rate used. These costs result from the incremental burden to 
states to upgrade their receiving systems to meet the rule's standards 
and apply for EPA approval of program modifications and revisions. The 
model does not consider the potential cost savings to state and local 
governments resulting from processing electronic submittals but 
believes the savings would likely offset these incremental costs. For 
facilities, EPA estimates a total cumulative cost during this period 
ranging from $41.6 million to $51.9 million, depending on the discount 
rate used. The net total cumulative cost of this rule, over the period 
2003 to 2012, ranges from $34.4 million to $41.7 million, depending on 
the discount rate used.

[[Page 59874]]

C. General changes to methodology and assumptions

    The research effort for the final rule differed from that conducted 
for the proposal in that it was much broader and involved far greater 
engagement with external stakeholders. EPA used this research to 
reevaluate assumptions made in the proposal and to refine the overall 
approach to the cost-benefit analysis. The process of reevaluating 
costs to regulated entities included:
     Analyzing the GPEA report to determine the specific 
information collections identified as being suitable for electronic 
reporting and their implementation schedule;
     Evaluating each information collection request for an 
understanding of the types of activities that would be eliminated (such 
as mailing paper forms) or reduced (manual data quality checks) through 
electronic reporting;
     Interviewing trade associations, reviewing comments 
received, evaluating market trend research, and querying Envirofacts 
warehouse and Facility Registry System to establish an understanding of 
the numbers of potential facility representatives that would register 
for a particular program, the rate of electronic reporting growth in a 
program, the number of facilities using web forms or file exchanges, 
and the relative distribution of small to large businesses; and
     Establishing an understanding of the time required by 
facilities to register with CDX and maintain a CDX account, through 
interviews with CDX registered users and the CDX hotline.
    The process of reevaluating costs and benefits to EPA, state, 
tribes, and local governments, included:
     Meeting with EPA programs and state program counterparts 
to identify the broad range of EPA authorized programs and the types 
and number of agencies under each program;
     Interviewing state and local agencies and their 
associations as follow-up to public comment to obtain an understanding 
of their current electronic reporting systems, long-term plans, and 
perceived impacts to their systems from this rule;
     Evaluating current information technology expenditures of 
CDX and other program system development efforts, and general costs of 
EPA rulemakings with respect to federal costs and benefits.
    In preparing the CBA, EPA used a computer model to estimate the 
annual costs to EPA, state and local governments and regulated 
entities. To evaluate the costs and benefits of this rule, two 
scenarios were modeled: a ``Baseline'' scenario in which EPA would 
enable electronic reporting through an approach other than CROMERR and 
a ``To Be'' scenario in which EPA enables electronic reporting under 
CROMERR. In comparing the cumulative costs of this rule, EPA notes that 
the ``To Be'' scenario would be a more efficient approach than the 
``Baseline'' scenario. Under the ``Baseline'' scenario, EPA programs 
would be left to implement their own program-specific electronic 
reporting requirements and electronic document receiving systems. Also, 
under the ``Baseline'' scenario, electronic reporting would be delayed, 
because EPA would have to generate separate rules and guidance to 
support program-specific electronic document receiving systems. Once 
these systems were established, reporting entities could conceivably be 
required to register under different rules and through different 
systems across EPA programs.
    Based on the new research, EPA revised assumptions about the costs 
associated with authorized programs and corresponding benefits to the 
reporting entities. In contrast to the proposal, EPA does not claim the 
costs associated in building electronic document receiving systems for 
authorized programs (state, tribe, and local) or the benefits for their 
reporting entities in using these systems. Since it is clear that 
authorized programs intend to proceed with electronic reporting on 
their own regardless of this rule, the analyses for the final rule 
looks at the incremental costs to electronic document receiving systems 
that would be developed absent this rule, in meeting the final rule's 
requirements.
    Based on research and comments received on the proposal, EPA also 
revised the following key cost assumptions:
     Increased costs for XML. EPA substantially increased the 
cost estimate of integrating an XML format into a facility's 
environmental management system (from $4,000 to $10,000).
     Increased number of registered users. EPA substantially 
increased the number of registrants (from 3 registrant/facility to 6 
registrants per facility) in large companies that would use CDX.
     Broadened impacts of authorized programs. EPA 
substantially broadened the number of state, tribe, and local 
environmental agencies potentially impacted by the rule, to include 
health departments, county air boards, oil and gas agencies, and 
publicly-owned treatment works.

VIII. Statutory and Executive Order Reviews

A. Executive Order 12866

    Pursuant to the terms of Executive Order 12866 (58 FR 51735, 
October 4, 1993), it has been determined that this rule is a 
``significant regulatory action'' because it raises novel legal or 
policy issues. As such, this action was submitted to OMB for review. 
Changes made in response to OMB suggestions or recommendations are 
documented in the public record.
    For EPA, the average annual cost to implement and operate 
electronic reporting under this rule is estimated to be $60.94 million. 
The average annual cost to implement and operate electronic reporting 
in the absence of this rule (i.e., where EPA implements electronic 
reporting on a program-specific basis) is estimated to be $70.36 
million for EPA. The average annual cost savings to EPA under this rule 
is $8.42 million. The average annual cost to states, tribes, and local 
governments in initially upgrading their electronic receiving systems 
and obtaining EPA approval for appropriate program modification under 
the rule ranges from roughly $5,000 to $460,000, depending on the 
number of systems and extent of the upgrades needed. In addition, 
states, tribes, and local governments that upgrade their systems are 
expected to incur system maintenance costs averaging about $10,000 
annually. These costs reflect solely the incremental costs resulting 
from the rule; they do not reflect the cost savings that states, 
tribes, and local governments will experience in implementing their 
receiving systems. EPA has not quantified these savings as part of its 
analysis. It should be noted that EPA expects today's rule to produce a 
net cost savings for states, tribes, and local governments. However, it 
is not possible to provide an adequate year-by-year comparison of the 
costs of the two scenarios, because the Baseline Scenario anticipates a 
more gradual process of EPA approval for state, tribe, and local 
government electronic reporting systems, starting at a later point in 
time.
    The average annual cost to facilities to submit electronic reports 
to EPA in compliance with today's rule ranges from $9 for those 
entities that choose simply to use a web browser to access CDX and fill 
out web forms, to $10,000 per facility for those companies that wish to 
configure their environmental management systems to exchange data with 
CDX, using agreed-upon data exchange formats.
    In addition to the monetary benefits identified by the analysis, 
EPA also

[[Page 59875]]

believes that there are many qualitative benefits that justify the 
initial costs associated with the rule. These benefits include:
     Responding to federal requirements, such as GPEA, which, 
among other things, requires federal agencies to allow individuals or 
entities that deal with the agencies the option to submit information 
or transact with the agency electronically. This rule sets the legal 
framework for most major EPA initiatives implementing electronic 
environmental data exchanges with the various stakeholders.
     Maintaining consistency with emerging industry commercial 
practices. The implementation of electronic government initiatives is a 
reflection of the rapid evolution of electronic commerce, which has 
occurred in industry since the expansion of the Internet and the World 
Wide Web (WWW), in the early 1990s. In many ways, EPA and state, tribe, 
and local environmental agencies' implementations of electronic 
reporting under today's rule will be more consistent with emerging 
practices and less burdensome to industry than paper reporting.
     Providing sound environmental practice. Part of EPA's 
mission is conserving environmental resources. The traditional paper-
based reporting practices and processes consumes trees and other 
resources for printing, exchanging, reproducing, storing, and 
retrieving grants, permits, compliance reports, and supporting 
documents.
     Fostering more rapid environmental compliance reporting. 
Organizations have become increasingly environmentally conscientious. 
This change stems both from a desire to be good corporate citizens and 
from fear of negative media reporting. Hence, organizations, especially 
large companies, are becoming increasingly interested in being able to 
demonstrate their environmental compliance. More rapid and accurate 
public posting of compliance data by environmental agencies is one way 
to help achieve this goal.
     Simplifying facility reporting. Electronic reporting and 
EPA's planned implementation support a single point of entry into 
agency systems, which will enhance facilities' ability to locate 
appropriate regulations, obtain information, ask questions, obtain 
forms, and submit data.
     Providing more accurate data. Replacing paper forms with 
electronic forms will result in more accurate data. Systems 
incorporating electronic forms can perform real time edit checks that 
will reduce the number of input errors. These checks can range from 
simple verification of valid date formats, to complex validations of 
proper nomenclature and limits of chemicals emitted into the 
environment. Improved data quality will also help reduce the time 
required for data correction and the effects of inaccurate reporting.
     Making data more readily available. The process of 
creating, mailing, receiving, entering, verifying, and correcting paper 
reports consumes both resources and time. This delays the analysis of 
the data by EPA and authorized programs and its availability to 
decision makers and the public.
     Provides the foundation for further process re-
engineering. Moving data from a paper to an electronic system as early 
in the process as possible creates the foundation on which many work-
flow re-engineering initiatives can be constructed.

B. Executive Order 13132

    Executive Order 13132, entitled ``Federalism'' (64 FR 43255, August 
10, 1999), requires EPA to develop an accountable process to ensure 
``meaningful and timely input by state and local officials in the 
development of regulatory policies that have federalism implications.'' 
``Policies that have federalism implications'' are defined in the 
Executive Order to include regulations that have ``substantial direct 
effects on the states, on the relationship between the national 
government and the states, or on the distribution of power and 
responsibilities among the various levels of government.''
    This final rule does not have federalism implications. EPA has 
determined that the final rule will not have substantial direct effects 
on the states, on the relationship between the national government and 
the states, or on the distribution of power and responsibilities among 
the various levels of government, as specified in Executive Order 
13132. The final rule will not require states to accept electronic 
reports. The effect of this rule will be to provide an electronic 
alternative to currently accepted methods of receiving regulatory 
reports on paper and to give the states the option of choosing to 
receive electronic submissions in satisfaction of reporting 
requirements under their authorized programs or continuing to require 
submissions on paper.
    Authorized states and local agencies that choose to receive 
electronic reports under this rule may incur expenses initially in 
developing systems or modifying existing systems to meet the standards 
in this rule. The average annual cost to state agencies in upgrading 
their electronic receiving systems and obtaining EPA program 
modification approval depends on the amount of effort required to 
adhere to the requirements of this rule. However, EPA estimates that 
for those states deploying systems that meet rule standards, each state 
will incur a cost of about $12,000 in obtaining EPA approval of its 
system. For a state where upgrades to its systems are needed to meet 
rule requirements, the costs can range up to $460,000, depending on the 
size and complexity of its systems and the extent of the upgrades 
needed. Maintenance costs for maintaining compliance with this rule 
will cost each state about $10,000 annually. These costs include both 
capital costs required for hardware and software upgrades, and labor 
costs incurred by state employees. EPA analyzed the most likely 
alternative scenario where, absent this rule, EPA programs would 
implement rules that would require states to seek program modifications 
on a program by program basis. It should be noted that these analyses 
do not quantify the cost savings that states will incur through 
offering electronic reporting options to their reporting entities. EPA 
believes these savings will greatly outweigh the costs of complying 
with the rule. Based on these analyses, EPA believes that although the 
final rule imposes some compliance costs on state and local 
governments, the costs for most states are marginal and will result in 
net benefits over the most likely alternative scenario.
    Over the last several years, EPA has provided substantial financial 
support to states to assist in upgrades to information technology 
systems. For example, in fiscal years 2002-2004, EPA provided 
approximately $65 million dollars to states, tribes, and territories 
through grants to support their efforts to establish EIEN. EPA intends 
to award additional grants for fiscal year 2005. EPA's fiscal year 2006 
budget includes $20 million for the EIEN Grant Program. States, tribes, 
and territories may apply for these grant funds to generally upgrade 
their EIEN capabilities, including improvements related to this rule, 
e.g., to improve data validity and user authentication procedures, as 
required by today's final rule.
    Although Section 6 of Executive Order 13132 does not apply to this 
rule, EPA has welcomed the active participation of the states; on 
several separate occasions EPA has held substantial consultations with 
state and local officials in developing this rule. State participation 
has resulted in changes to the final rule, including the section 3.1000 
approval process and

[[Page 59876]]

special provisions such as deferred compliance for existing systems.

C. Paperwork Reduction Act

    OMB has approved the information collection requirements contained 
in this rule under the provisions of the Paperwork Reduction Act (PRA), 
44 U.S.C. 3501 et seq. and has assigned OMB control number 2025-0003.
    The ICR for this rule covers the registration information, which 
will be collected from individuals wishing to submit electronic reports 
to EPA on behalf of regulated facilities. The information will be used 
to establish the identity of that individual and the regulated entity 
he or she represents. This information will be used by EPA to register 
and provide individuals with the ability to access the EPA's electronic 
document receiving system, CDX. In appropriate circumstances this 
information will also be used to issue an electronic signature to the 
registered individual. The ICR also covers activities incidental to 
electronic reporting (e.g., submittal of an electronic signature 
agreement to EPA as applicable). It should be noted that the submission 
of environmental reports in an electronic format to EPA and states, 
tribes, and local governments is voluntary for most examples of 
electronic reporting, and viewed as a service that EPA and its 
regulatory partners are providing to the regulated community. The rule 
allows reporting entities to submit reports and other information 
electronically, thereby streamlining and expediting the process for 
reporting. However, it should also be understood that this rule does 
set forth requirements for regulated entities that submit electronic 
reports directly to EPA and for states, tribes, and local governments 
that choose to implement electronic reporting under their authorized 
programs. EPA is issuing this rule on cross-media electronic reporting, 
in part, under the authority of GPEA, Public Law 105-277, which amends 
the PRA.
    In addition, the ICR covers state, tribe, and local government 
activities involved in upgrading their electronic receiving systems to 
satisfy the standards in the rule and in applying to EPA for approval 
of program modification. States, tribes, and local governments will 
undertake these activities only if they intend to collect information 
electronically under an EPA authorized program.
    The total annual reporting and recordkeeping burden this ICR 
estimates is 151,963 hours, which includes the tasks described above. 
It is expected that a respondent reporting directly to EPA will take on 
average ten minutes to register with CDX; however, if the respondent 
contacts the CDX help desk for assistance with CDX registration, on 
average the respondent will incur an additional six minutes. The 
average annual number of respondents registering with CDX is 19,434. It 
is further expected that 201,331 respondents will report electronically 
to a state, tribe, or local government receiving system. Respondents 
reporting to EPA or state, tribe, or local governments may also incur 
an additional burden of 20 minutes to prepare, sign, and submit an 
electronic signature agreement. The average annual number of these 
respondents is 177,009. In addition, the ICR estimates that 7,293 
medium-sized and large companies will register local registration 
authorities (LRA) and incur an additional burden of 1 hour. This 
includes the time to prepare and submit LRA designation applications, 
collect and store subscriber agreements, and prepare and submit 
certification of receipt and secure storage.
    Finally, it is expected that a state, tribe, or local government 
would take between 210 and 330 hours to prepare and submit its program 
modification application to EPA. The average annual number of states 
applying to EPA is expected to be 15; the average annual number of 
tribes and local governments applying to EPA is expected to be 46. In 
addition, the ICR estimates $4,450,658 in annual capital/start-up costs 
for states, tribes and local governments to upgrade their receiving 
systems. The ICR estimates $663,975 in annual operation and maintenance 
costs. This includes costs to registrants and state, tribes and local 
governments in submitting information to EPA.

Public Burden Statement

    The public reporting burden is estimated to be 10 minutes for an 
individual that reports electronically to the CDX. This includes time 
for preparing the on-line application and calling the CDX help desk.
    The public reporting burden in this ICR is estimated to be 15 
minutes for an individual that prepares and submits a subscriber 
agreement.
    The public reporting burden is estimated to be 30 minutes for a 
local registration authority. This includes time for preparing and 
submitting the certification of receipt and secure storage to EPA or 
state/local agency.
    The public reporting burden is estimated to range from 210 hours 
for a local government to 330 hours for a state seeking to implement an 
electronic receiving system. This includes time for preparing and 
submitting the program modification application to EPA.
    Burden means the total time, effort, or financial resources 
expended by persons to generate, maintain, retain, or disclose or 
provide information to or for a Federal agency. This includes the time 
needed to review instructions; develop, acquire, install, and utilize 
technology and systems for the purposes of collecting, validating, and 
verifying information, processing and maintaining information, and 
disclosing and providing information; adjust the existing ways to 
comply with any previously applicable instructions and requirements; 
train personnel to be able to respond to a collection of information; 
search data sources; complete and review the collection of information; 
and transmit or otherwise disclose the information.
    An agency may not conduct or sponsor, and a person is not required 
to respond to a collection of information unless it displays a 
currently valid OMB control number. The OMB control numbers for EPA's 
regulations are listed in 40 CFR part 9 and 48 CFR chapter 15. In 
addition, EPA is amending the table in 40 CFR part 9 of currently 
approved OMB control numbers for various regulations to list the 
regulatory citations for the information requirements contained in this 
final rule.

D. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq., 
generally requires an agency to prepare a regulatory flexibility 
analysis of any rule subject to notice and comment rulemaking 
requirements under the Administrative Procedure Act or any other 
statute unless the agency certifies that the rule will not have a 
significant economic impact on a substantial number of small entities. 
Small entities include small businesses, small organizations, and small 
governmental jurisdictions.
    For the purpose of assessing the impacts of today's rule on small 
entities, small entity is defined as: (1) Small business as defined by 
the RFA and based on Small Business Administration (SBA) size 
standards; (2) a small governmental jurisdiction that is a government 
of a city, county, town, school district, or special district with a 
population of less then 50,000; and (3) a small organization that is 
any not-for-profit enterprise which is independently owned and operated 
and is not dominant in its field.
    After considering the economic impacts of today's final rule on 
small entities, the Agency certifies, pursuant to section 605(b) of the 
RFA, that this

[[Page 59877]]

action will not have a significant economic impact on a substantial 
number of small entities. Courts have interpreted the RFA to require a 
regulatory flexibility analysis only when small entities will be 
subject to the requirements of the rule. See Motor and Equip. Mfrs. 
Ass'n v. Nichols, 142 F.3d 449 (D.C. Cir. 1998); United Distribution 
Cos. v. FERC, 88 F.3d 1105, 1170 (D.C. Cir. 1996); Mid-Tex Elec. Co-op, 
Inc. v. FERC, 773 F.2d 327, 342 (D.C. Cir. 1985) (agency's 
certification need only consider the rule's impact on entities subject 
to the rule). This final rule would not establish any new direct 
requirements applicable to small entities. States that are directly 
regulated in this rulemaking are not small entities.
    This rule provides for EPA review and approval of authorized state, 
tribe, and local government programs that decide to provide for 
electronic reporting. This rule includes performance standards against 
which a state's, tribe's, or local government's electronic document 
receiving system will be evaluated before EPA will approve changes to 
the delegated, authorized, or approved program to provide electronic 
reporting, and establishes a streamlined process that states, tribes, 
and local governments can use to seek and obtain such approvals. The 
rule also includes special provisions for existing state electronic 
reporting systems in place at the time of publication of this rule.
    Currently, entities that choose to submit electronic documents 
directly to EPA submit documents to a centralized Agency-wide 
electronic document-receiving system, called the CDX, or to alternative 
systems designated by the Administrator. This rule does not change 
those systems. In addition, today's rule, does not require the 
submission of electronic documents in lieu of paper documents.
    Because there is no requirement to adopt electronic reporting, EPA 
has determined that small local governments will not be directly 
impacted by this rule. Nonetheless, EPA also considered the possible 
impacts of this rule to determine whether small local governments could 
potentially be subject to the provisions of Sec.  3.1000, which would 
require these programs to seek EPA approval for their electronic 
document receiving systems if they choose to provide electronic 
reporting. EPA reviewed its programs and conducted follow-up to 
comments received from industry, state, and local government 
associations to determine possible impacts to small local 
jurisdictions. Based on its review, EPA concluded that the only small 
government jurisdictions possibly subject to the rule are those with 
Publicly-Owned Treatment Works (POTWs). Only POTWs choosing to deploy 
electronic document receiving systems would be subject to today's rule. 
Through analysis and direct discussions with municipal POTWs and trade 
associations, EPA did not identify any such small government 
jurisdictions planning to deploy electronic reporting systems.
    Although not required by the RFA, (See Michigan v. EPA, 213 F.3d 
663, 668-69 (D.C. Cir., 2000), cert. den. 121 S.Ct. 225, 149 L.Ed.2d 
135 (2001)), as a part of the analysis prepared under Executive Order 
12866, EPA also considered the costs to small entities that are 
indirect reporters to authorized state, tribal, and local government 
programs. For this final rule, EPA prepared a cost/benefit analysis to 
assess the economic impact of CROMERR, which can be found in the docket 
for this rule.
    Although this rule will not have a significant economic impact on a 
substantial number of small entities, the Agency nonetheless consulted 
with small entities as well as organizations such as the Small Business 
Administration (SBA). We made several changes to the rule based upon 
these discussions.

E. Unfunded Mandates Reform Act

    Title II of the Unfunded Mandates Reform Act of 1995 (UMRA), Public 
Law 104-4, establishes requirements for federal agencies to assess the 
effects of their regulatory actions on states, tribes, and local 
governments and the private sector. Under section 202 of UMRA, EPA must 
prepare a written statement, including a cost-benefit analysis, for 
proposed and final rules with ``Federal mandates'' that may result in 
expenditures to states, tribes, and local governments, in the 
aggregate, or to the private sector, of $100 million or more in any one 
year. Before promulgating a rule for which a written statement is 
needed, section 205 of the UMRA generally requires EPA to identify and 
consider a reasonable number of regulatory alternatives and adopt the 
least costly, most cost-effective or least burdensome alternative that 
achieves the objectives of the rule. The provisions of section 205 do 
not apply when they are inconsistent with applicable law. Moreover, 
section 205 allows EPA to adopt an alternative other than the least 
costly, most cost-effective or least burdensome alternative if the 
Administrator publishes with the final rule an explanation why that 
alternative was not adopted.
    Before EPA establishes any regulatory requirements that may 
significantly or uniquely affect small governments, including tribes, 
it must have developed under section 203 of UMRA a small-government 
agency plan. The plan must provide for notifying potentially affected 
small governments, enabling officials of affected small governments to 
have meaningful and timely input into the development of EPA regulatory 
proposals with significant Federal intergovernmental mandates. The plan 
must also provide for informing, educating, and advising small 
governments on compliance with the regulatory requirements.
    As described in section VIII.D. of this Preamble, above, EPA also 
evaluated the possible impacts of this rule to small governments. In 
particular, EPA was concerned that small governments could potentially 
be subject to the provisions of Sec.  3.1000, which would require these 
programs to seek EPA approval for the electronic document receiving 
systems. EPA reviewed its programs, and also conducted follow-up to 
comments from industry, state, and local government associations to 
determine possible impacts to small local governments. As a result of 
this review, EPA concluded that small local governments would not be 
adversely impacted by the provisions of Sec.  3.1000 this rule.
    The Agency has determined that this rule does not contain a Federal 
mandate that may result in expenditures of $100 million or more for 
states, tribes, and local governments, in the aggregate, or the private 
sector in any one year. Thus, today's rule is not subject to the 
requirements in sections 202 and 205 of UMRA. The Agency has determined 
that this rule contains no regulatory requirements that might 
significantly or uniquely affect small governments and thus this rule 
is not subject to the requirements in section 202 of UMRA.

F. National Technology Transfer and Advancement Act

    Section 12(d) of the National Technology Transfer and Advancement 
Act of 1995 (NTTAA), Public Law 104-113, section 12(d) (15 U.S.C. 272 
note) directs EPA to use voluntary consensus standards in its 
regulatory activities unless to do so would be inconsistent with 
applicable law or otherwise impractical. Voluntary consensus standards 
are technical standards (e.g., materials specifications, test methods, 
sampling procedures, and business practices) that are developed or 
adopted by voluntary consensus standards bodies. The NTTAA directs EPA 
to provide Congress, through OMB, with explanations when the Agency 
decides

[[Page 59878]]

not to use available and applicable voluntary consensus standards.
    The consensus standards relevant to an electronic reporting rule 
are primarily technical standards that specify file formats for the 
electronic exchange of data, telecommunications network protocols, and 
electronic signature technologies and formats. EPA is not setting 
requirements for electronic reporting at the level of specificity 
addressed by such formats, protocols and technologies, so consensus 
standards are not directly applicable to today's rule. For example, the 
final rule does not stipulate data exchange formats, does not specify 
electronic signature technologies, and does not address 
telecommunications issues. At the same time, there is nothing in 
today's rule that is incompatible with these standards, and in 
implementing electronic reporting under this rule EPA is adopting 
standards-based approaches to electronic data exchange.
    In the preamble to the proposed rule, EPA described its initial 
plans to implement a number of standards-based approaches to electronic 
reporting, including electronic data exchange formats based upon the 
ANSI Accredited Standards Committee's (ASC) X12 for Electronic Data 
Interchange or EDI. That preamble also discussed EPA's interest in 
exploring the use of Internet data exchange formats based on XML, then 
under development by the World Wide Web Consortium (W3C). As a part of 
the preamble discussion, EPA solicited comment on these planned 
standards-based electronic reporting implementations. In response, EPA 
received considerable feedback both from states and from industry 
indicating a trend in the direction of XML, and away from the 
deployment of ANSI ASC X12 standards. In any event, CDX now looks to 
XML to provide the formats for its Internet data exchanges. EPA 
currently supports multi-agency Integrated Project Teams to develop XML 
formats and intends to use standardized formats for this purpose to the 
extent that they are available. In addition, EPA currently registers 
XML formats in its System of Registries to facilitate easy access to 
these formats for partners wishing to exchange data. EPA is attempting 
to make use of applicable standards-setting work being done by several 
organizations, including the Electronic Business XML (ebXML), the 
Organization for the Advancement of Structured Information Standards 
(OASIS), and, internationally, the United Nation's Center for 
Administration, Commerce, and Transport (UN/CEFACT) Forum. In any 
event, today's rule is compatible with any of these current standards-
based approaches to electronic reporting, but the rule itself does not 
set requirements at the level of detail that such standards address.

G. Executive Order 13045

    Executive Order 13045, Protection of Children from Environmental 
Health Risks and Safety Risks (62 FR 19885, April 23, 1997) applies to 
any rule that EPA determines (1) ``economically significant'' as 
defined under Executive Order 12866 and (2) concerns an environmental 
health or safety risk that EPA has reason to believe may have a 
disproportionate effect on children. EPA interprets Executive Order 
13045 as encompassing only those regulatory actions that are risk-based 
or health-based, such that the analysis required under Section 5-501 of 
the Executive Order has the potential to influence the regulation.
    This rule is not subject to Executive Order 13045 because it is not 
an economically significant action as defined by Executive Order 12866 
and it does not involve decisions regarding environmental health or 
safety risks. This rule contains general performance standards for the 
submission of environmental data electronically.

H. Executive Order 13175

    Executive Order 13175, entitled, ``Consultation and Coordination 
with Indian Tribal Governments'' (65 FR 67249, November 6, 2000), 
requires EPA to develop an accountable process to ensure ``meaningful 
and timely input by tribal officials in the development of regulatory 
policies that have tribal implications.'' ``Policies that have tribal 
implications'' are defined in the Executive Order to include 
regulations that have ``substantial direct effects on one or more 
Indian tribes, on the relationship between the Federal Government and 
the Indian tribes, or on the distribution of power and responsibilities 
between the Federal Government and Indian tribes.''
    This rule does not have tribal implications, as specified in 
Executive Order 13175, and therefore consultation under the Order is 
not required. It will not have substantial direct effects on tribes, on 
the relationship between the federal government and Indian tribes, or 
on the distribution of power and responsibilities between the federal 
government and Indian tribes, as specified in Executive Order 13175. 
This action does not require Indian tribes to accept electronic 
reports. The effect of this rule is to provide additional regulatory 
flexibility to Indian tribes by giving them the opportunity to submit 
electronic reports to EPA in satisfaction of EPA reporting requirements 
and by allowing them to implement electronic reporting under their 
authorized programs.

I. Executive Order 13211 (Energy Effects)

    This rule is not a ``significant energy action'' as defined in 
Executive Order 13211, ``Actions Concerning Regulations That 
Significantly Affect Energy Supply, Distribution, or Use'' (66 FR 
28355, May 22, 2001) because it is not likely to have a significant 
adverse affect on the supply, distribution, or use of energy. EPA has 
concluded that this rule is not likely to have any adverse energy 
effects.

J. Congressional Review Act

    The Congressional Review Act, 5 U.S.C. 801 et seq., as added by the 
Small Business Regulatory Enforcement Fairness Act of 1996, generally 
provides that before a rule may take effect, the agency promulgating 
the rule must submit a rule report, which includes a copy of the rule, 
to each House of the Congress and to the Comptroller General of the 
United States. EPA will submit a report containing this rule and other 
required information to the U.S. Senate, the U.S. House of 
Representatives, and the Comptroller General of the United States prior 
to publication of the rule in the Federal Register. A major rule cannot 
take effect until 60 days after it is published in the Federal 
Register. This action is not a ``major rule'' as defined by 5 U.S.C. 
804(2). This rule will become effective on January 11, 2006.

List of Subjects

40 CFR Part 3

    Environmental protection, Conflict of interests, Electronic 
records, Electronic reporting requirements, Electronic reports, 
Intergovernmental relations.

40 CFR Part 9

    Environmental protection, Electronic records, Electronic reporting 
requirements, Electronic reports, Intergovernmental relations, 
Reporting and recordkeeping requirements.

40 CFR Part 51

    Environmental protection, Administrative practice and procedure, 
Air pollution control, Carbon monoxide, Electronic records, Electronic 
reporting requirements, Electronic reports, Intergovernmental 
relations, Lead, Nitrogen dioxide, Ozone, Particulate matter, Reporting 
and recordkeeping

[[Page 59879]]

requirements, Sulfur oxides, Volatile organic compounds.

40 CFR Part 60

    Environmental protection, Administrative practice and procedure, 
Air pollution control, Aluminum, Ammonium sulfate plants, Batteries, 
Beverages, Carbon monoxide, Cement industry, Coal, Copper, Dry 
cleaners, Electric power plants, Electronic records, Electronic 
reporting requirements, Electronic reports, Fertilizers, Fluoride, 
Gasoline, Glass and glass products, Grains, Graphic arts industry, 
Heaters, Household appliances, Insulation, Intergovernmental relations, 
Iron, Labeling, Lead, Lime, Metallic and nonmetallic mineral processing 
plants, Metals, Motor vehicles, Natural gas, Nitric acid plants, 
Nitrogen dioxide, Paper and paper products industry, Particulate 
matter, Paving and roofing materials, Petroleum, Phosphate, Plastics 
materials and synthetics, Polymers, Reporting and recordkeeping 
requirements, Sewage disposal, Steel, Sulfur oxides, Sulfuric acid 
plants, Tires, Urethane, Vinyl, Volatile organic compounds, Waste 
treatment and disposal, Zinc.

40 CFR Part 63

    Environmental protection, Air pollution control, Electronic 
records, Electronic reporting requirements, Electronic reports, 
Hazardous substances, Intergovernmental relations, Reporting and 
recordkeeping requirements.

40 CFR Part 69

    Environmental protection, Air pollution control, Electronic 
records, Electronic reporting requirements, Electronic reports, Guam, 
Intergovernmental relations.

40 CFR Part 70

    Environmental protection, Administrative practice and procedure, 
Electronic records, Electronic reporting requirements, Electronic 
reports, Intergovernmental relations.

40 CFR Part 71

    Environmental protection, Administrative practice and procedure, 
Electronic records, Electronic reporting requirements, Electronic 
reports, Intergovernmental relations.

40 CFR Part 123

    Environmental protection, Administrative practice and procedure, 
Confidential business information, Electronic records, Electronic 
reporting requirements, Electronic reports, Hazardous substances, 
Indians-lands, Intergovernmental relations, Penalties, Reporting and 
recordkeeping requirements, Water pollution control.

40 CFR Part 142

    Environmental protection, Administrative practice and procedure, 
Chemicals, Electronic records, Electronic reporting requirements, 
Electronic reports, Indians-lands, Intergovernmental relations, 
Radiation protection, Reporting and recordkeeping requirements, Water 
supply.

40 CFR Part 145

    Environmental protection, Confidential business information, 
Electronic records, Electronic reporting requirements, Electronic 
reports, Indians-lands, Intergovernmental relations, Penalties, 
Reporting and recordkeeping requirements, Water supply.

40 CFR Part 162

    Environmental protection, Administrative practice and procedure, 
Electronic records, Electronic reporting requirements, Electronic 
reports, Intergovernmental relations, Pesticides and pests, Reporting 
and recordkeeping requirements, State registration of pesticide 
products.

40 CFR Part 233

    Environmental protection, Administrative practice and procedure, 
Electronic records, Electronic reporting requirements, Electronic 
reports, Intergovernmental relations, Penalties, Reporting and 
recordkeeping requirements, Water pollution control.

40 CFR Part 257

    Environmental protection, Electronic records, Electronic reporting 
requirements, Electronic reports, Intergovernmental relations, Waste 
treatment and disposal.

40 CFR Part 258

    Environmental protection, Electronic records, Electronic reporting 
requirements, Electronic reports, Intergovernmental relations, 
Reporting and recordkeeping requirements, Waste treatment and disposal, 
Water pollution control.

40 CFR Part 271

    Environmental protection, Administrative practice and procedure, 
Confidential business information, Electronic records, Electronic 
reporting requirements, Electronic reports, Hazardous materials 
transportation, Hazardous waste, Indians-lands, Intergovernmental 
relations, Penalties, Reporting and recordkeeping requirements, Water 
pollution control, Water supply.

40 CFR Part 281

    Environmental protection, Administrative practice and procedure, 
Electronic records, Electronic reporting requirements, Electronic 
reports, Hazardous substances, Insurance, Intergovernmental relations, 
Oil pollution, Reporting and recordkeeping requirements, Surety bonds, 
Water pollution control, Water supply.

40 CFR Part 403

    Environmental protection, Confidential business information, 
Electronic records, Electronic reporting requirements, Electronic 
reports, Intergovernmental relations, Reporting and recordkeeping 
requirements, Waste treatment and disposal, Water pollution control.

40 CFR Part 501

    Environmental protection, Administrative practice and procedure, 
Electronic records, Electronic reporting requirements, Electronic 
reports, Intergovernmental relations, Penalties, Reporting and 
recordkeeping requirements, Sewage disposal.

40 CFR Part 745

    Environmental protection, Electronic records, Electronic reporting 
requirements, Electronic reports, Intergovernmental relations, 
Hazardous substances, Lead poisoning, Reporting and recordkeeping 
requirements.

40 CFR Part 763

    Environmental protection, Administrative practice and procedure, 
Asbestos, Electronic records, Electronic reporting requirements, 
Electronic reports, Hazardous substances, Imports, Intergovernmental 
relations, Reporting and recordkeeping requirements.

    Dated: September 22, 2005.
Stephen L. Johnson,
Administrator.

0
Therefore, Title 40 Chapter I of the Code of Federal Regulations is 
amended by adding a new Part 3, and amending parts 9, 51, 60, 63, 69, 
70, 71, 123, 142, 145, 162, 233, 257, 258, 271, 281, 403, 501, 745, and 
763 to read as follows:

PART 3--CROSS-MEDIA ELECTRONIC REPORTING

Subpart A--General Provisions
Sec.
3.1 Who does this part apply to?
3.2 How does this part provide for electronic reporting?
3.3 What definitions are applicable to this part?

[[Page 59880]]

3.4 How does this part affect enforcement and compliance provisions 
of Title 40?
Subpart B--Electronic Reporting to EPA
3.10 What are the requirements for electronic reporting to EPA?
3.20 How will EPA provide notice of changes to the Central Data 
Exchange?
Subpart C--[Reserved]
Subpart D--Electronic Reporting under EPA-Authorized State, Tribe, and 
Local Programs
3.1000 How does a state, tribe, or local government revise or modify 
its authorized program to allow electronic reporting?
3.2000 What are the requirements authorized state, tribe, and local 
programs' reporting systems must meet?

    Authority: 7 U.S.C. 136 to 136y; 15 U.S.C. 2601 to 2692; 33 
U.S.C. 1251 to 1387; 33 U.S.C. 1401 to 1445; 33 U.S.C. 2701 to 2761; 
42 U.S.C. 300f to 300j-26; 42 U.S.C. 4852d; 42 U.S.C. 6901-6992k; 42 
U.S.C. 7401 to 7671q; 42 U.S.C. 9601 to 9675; 42 U.S.C. 11001 to 
11050; 15 U.S.C. 7001; 44 U.S.C. 3504 to 3506.

Subpart A--General Provisions


Sec.  3.1  Who does this part apply to?

    (a) This part applies to:
    (1) Persons who submit reports or other documents to EPA to satisfy 
requirements under Title 40 of the Code of Federal Regulations (CFR); 
and
    (2) States, tribes, and local governments administering or seeking 
to administer authorized programs under Title 40 of the CFR.
    (b) This part does not apply to:
    (1) Documents submitted via facsimile in satisfaction of reporting 
requirements as permitted under other parts of Title 40 or under 
authorized programs; or
    (2) Electronic documents submitted via magnetic or optical media 
such as diskette, compact disc, digital video disc, or tape in 
satisfaction of reporting requirements, as permitted under other parts 
of Title 40 or under authorized programs.
    (c) This part does not apply to any data transfers between EPA and 
states, tribes, or local governments as a part of their authorized 
programs or as a part of administrative arrangements between states, 
tribes, or local governments and EPA to share data.


Sec.  3.2  How does this part provide for electronic reporting?

    (a) Electronic reporting to EPA. Except as provided in Sec.  
3.1(b), any person who is required under Title 40 to create and submit 
or otherwise provide a document to EPA may satisfy this requirement 
with an electronic document, in lieu of a paper document, provided 
that:
    (1) He or she satisfies the requirements of Sec.  3.10; and
    (2) EPA has first published a notice in the Federal Register 
announcing that EPA is prepared to receive, in electronic form, 
documents required or permitted by the identified part or subpart of 
Title 40.
    (b) Electronic reporting under an EPA-authorized state, tribe, or 
local program.
    (1) An authorized program may allow any document submission 
requirement under that program to be satisfied with an electronic 
document provided that the state, tribe, or local government seeks and 
obtains revision or modification of that program in accordance with 
Sec.  3.1000 and also meets the requirements of Sec.  3.2000 for such 
electronic reporting.
    (2) A state, tribe, or local government that is applying for 
initial delegation, authorization, or approval to administer a federal 
program or a program in lieu of the federal program, and that will 
allow document submission requirements under the program to be 
satisfied with an electronic document, must use the procedures for 
obtaining delegation, authorization, or approval under the relevant 
part of Title 40 and may not use the procedures set forth in Sec.  
3.1000; but the application must contain the information required by 
Sec.  3.1000(b)(1) and the state, tribe, or local government must meet 
the requirements of Sec.  3.2000.
    (c) Limitations. This part does not require submission of 
electronic documents in lieu of paper. This part confers no right or 
privilege to submit data electronically and does not obligate EPA, 
states, tribes, or local governments to accept electronic documents.


Sec.  3.3  What definitions are applicable to this part?

    The definitions set forth in this section apply when used in this 
part.
    Acknowledgment means a confirmation of electronic document receipt.
    Administrator means the Administrator of the EPA.
    Agency means the EPA or a state, tribe, or local government that 
administers or seeks to administer an authorized program.
    Agreement collection certification means a signed statement by 
which a local registration authority certifies that a subscriber 
agreement has been received from a registrant; the agreement has been 
stored in a manner that prevents unauthorized access to these 
agreements by anyone other than the local registration authority; and 
the local registration authority has no basis to believe that any of 
the collected agreements have been tampered with or prematurely 
destroyed.
    Authorized program means a Federal program that EPA has delegated, 
authorized, or approved a state, tribe, or local government to 
administer, or a program that EPA has delegated, authorized, or 
approved a state, tribe or local government to administer in lieu of a 
Federal program, under other provisions of Title 40 and such 
delegation, authorization, or approval has not been withdrawn or 
expired.
    Central Data Exchange means EPA's centralized electronic document 
receiving system, or its successors, including associated instructions 
for submitting electronic documents.
    Chief Information Officer means the EPA official assigned the 
functions described in section 5125 of the Clinger Cohen Act (Pub. L. 
104-106).
    Copy of record means a true and correct copy of an electronic 
document received by an electronic document receiving system, which 
copy can be viewed in a human-readable format that clearly and 
accurately associates all the information provided in the electronic 
document with descriptions or labeling of the information. A copy of 
record includes:
    (1) All electronic signatures contained in or logically associated 
with that document;
    (2) The date and time of receipt; and
    (3) Any other information used to record the meaning of the 
document or the circumstances of its receipt.
    Disinterested individual means an individual who is not connected 
with the person in whose name the electronic signature device is 
issued. A disinterested individual is not any of the following: The 
person's employer or employer's corporate parent, subsidiary, or 
affiliate; the person's contracting agent; member of the person's 
household; or relative with whom the person has a personal 
relationship.
    Electronic document means any information in digital form that is 
conveyed to an agency or third-party, where ``information'' may include 
data, text, sounds, codes, computer programs, software, or databases. 
``Data,'' in this context, refers to a delimited set of data elements, 
each of which consists of a content or value together with an 
understanding of what the content or value means; where the electronic 
document includes data, this understanding of what the data element 
content or value means must be explicitly included in the electronic 
document itself or else be readily available to the electronic document 
recipient.
    Electronic document receiving system means any set of apparatus, 
procedures,

[[Page 59881]]

software, records, or documentation used to receive electronic 
documents.
    Electronic signature means any information in digital form that is 
included in or logically associated with an electronic document for the 
purpose of expressing the same meaning and intention as would a 
handwritten signature if affixed to an equivalent paper document with 
the same reference to the same content. The electronic document bears 
or has on it an electronic signature where it includes or has logically 
associated with it such information.
    Electronic signature agreement means an agreement signed by an 
individual with respect to an electronic signature device that the 
individual will use to create his or her electronic signatures 
requiring such individual to protect the electronic signature device 
from compromise; to promptly report to the agency or agencies relying 
on the electronic signatures created any evidence discovered that the 
device has been compromised; and to be held as legally bound, 
obligated, or responsible by the electronic signatures created as by a 
handwritten signature.
    Electronic signature device means a code or other mechanism that is 
used to create electronic signatures. Where the device is used to 
create an individual's electronic signature, then the code or mechanism 
must be unique to that individual at the time the signature is created 
and he or she must be uniquely entitled to use it. The device is 
compromised if the code or mechanism is available for use by any other 
person.
    EPA means the United States Environmental Protection Agency.
    Existing electronic document receiving system means an electronic 
document receiving system that is being used to receive electronic 
documents in lieu of paper to satisfy requirements under an authorized 
program on October 13, 2005 or the system, if not in use, has been 
substantially developed on or before that date as evidenced by the 
establishment of system services or specifications by contract or other 
binding agreement.
    Federal program means any program administered by EPA under any 
other provision of Title 40.
    Federal reporting requirement means a requirement to report 
information directly to EPA under any other provision of Title 40.
    Handwritten signature means the scripted name or legal mark of an 
individual, handwritten by that individual with a marking-or writing-
instrument such as a pen or stylus and executed or adopted with the 
present intention to authenticate a writing in a permanent form, where 
``a writing'' means any intentional recording of words in a visual 
form, whether in the form of handwriting, printing, typewriting, or any 
other tangible form. The physical instance of the scripted name or mark 
so created constitutes the handwritten signature. The scripted name or 
legal mark, while conventionally applied to paper, may also be applied 
to other media.
    Information or objects of independent origin means data or items 
that originate from a disinterested individual or are forensic evidence 
of a unique, immutable trait which is (and may at any time be) 
attributed to the individual in whose name the device is issued.
    Local registration authority means an individual who is authorized 
by a state, tribe, or local government to issue an agreement collection 
certification, whose identity has been established by notarized 
affidavit, and who is authorized in writing by a regulated entity to 
issue agreement collection certifications on its behalf.
    Priority reports means the reports listed in Appendix 1 to part 3.
    Subscriber agreement means an electronic signature agreement signed 
by an individual with a handwritten signature. This agreement must be 
stored until five years after the associated electronic signature 
device has been deactivated.
    Transmit means to successfully and accurately convey an electronic 
document so that it is received by the intended recipient in a format 
that can be processed by the electronic document receiving system.
    Valid electronic signature means an electronic signature on an 
electronic document that has been created with an electronic signature 
device that the identified signatory is uniquely entitled to use for 
signing that document, where this device has not been compromised, and 
where the signatory is an individual who is authorized to sign the 
document by virtue of his or her legal status and/or his or her 
relationship to the entity on whose behalf the signature is executed.


Sec.  3.4  How does this part affect enforcement and compliance 
provisions of Title 40?

    (a) A person is subject to any applicable federal civil, criminal, 
or other penalties and remedies for failure to comply with a federal 
reporting requirement if the person submits an electronic document to 
EPA under this part that fails to comply with the provisions of Sec.  
3.10.
    (b) A person is subject to any applicable federal civil, criminal, 
or other penalties or remedies for failure to comply with a State, 
tribe, or local reporting requirement if the person submits an 
electronic document to a State, tribe, or local government under an 
authorized program and fails to comply with the applicable provisions 
for electronic reporting.
    (c) Where an electronic document submitted to satisfy a federal or 
authorized program reporting requirement bears an electronic signature, 
the electronic signature legally binds, obligates, and makes the 
signatory responsible, to the same extent as the signatory's 
handwritten signature would on a paper document submitted to satisfy 
the same federal or authorized program reporting requirement.
    (d) Proof that a particular signature device was used to create an 
electronic signature will suffice to establish that the individual 
uniquely entitled to use the device did so with the intent to sign the 
electronic document and give it effect.
    (e) Nothing in this part limits the use of electronic documents or 
information derived from electronic documents as evidence in 
enforcement or other proceedings.

Subpart B--Electronic Reporting to EPA


Sec.  3.10  What are the requirements for electronic reporting to EPA?

    (a) A person may use an electronic document to satisfy a federal 
reporting requirement or otherwise substitute for a paper document or 
submission permitted or required under other provisions of Title 40 
only if:
    (1) The person transmits the electronic document to EPA's Central 
Data Exchange, or to another EPA electronic document receiving system 
that the Administrator may designate for the receipt of specified 
submissions, complying with the system's requirements for submission; 
and
    (2) The electronic document bears all valid electronic signatures 
that are required under paragraph (b) of this section.
    (b) An electronic document must bear the valid electronic signature 
of a signatory if that signatory would be required under Title 40 to 
sign the paper document for which the electronic document substitutes, 
unless EPA announces special provisions to accept a handwritten 
signature on a separate paper submission and the signatory provides 
that handwritten signature.


Sec.  3.20  How will EPA provide notice of changes to the Central Data 
Exchange?

    (a) Except as provided under paragraph (b) of this section, 
whenever

[[Page 59882]]

EPA plans to change Central Data Exchange hardware or software in ways 
that would affect the transmission process, EPA will provide notice as 
follows:
    (1) Significant changes to CDX: Where the equipment, software, or 
services needed to transmit electronic documents to the Central Data 
Exchange would be changed significantly, EPA will provide public notice 
and seek comment on the change and the proposed implementation schedule 
through the Federal Register;
    (2) Other changes to CDX: EPA will provide notice of other changes 
to Central Data Exchange users at least sixty (60) days in advance of 
implementation.
    (3) De minimis or transparent changes to CDX: For de minimis or 
transparent changes that have minimal or no impact on the transmission 
process, EPA may provide notice if appropriate on a case-by-case basis.
    (b) Emergency changes to CDX: Any change which EPA's Chief 
Information Officer or his or her designee determines is needed to 
ensure the security and integrity of the Central Data Exchange is 
exempt from the provisions of paragraph (a) of this section. However, 
to the extent consistent with ensuring the security and integrity of 
the system, EPA will provide notice for any change other than de 
minimis or transparent changes to the Central Data Exchange.

Subpart C--[Reserved]

Subpart D--Electronic Reporting Under EPA-Authorized State, Tribe, 
and Local Programs


Sec.  3.1000  How does a state, tribe, or local government revise or 
modify its authorized program to allow electronic reporting?

    (a) A state, tribe, or local government that receives or plans to 
begin receiving electronic documents in lieu of paper documents to 
satisfy requirements under an authorized program must revise or modify 
such authorized program to ensure that it meets the requirements of 
this part.
    (1) General procedures for program modification or revision: To 
revise or modify an authorized program to meet the requirements of this 
part, a state, tribe, or local government must submit an application 
that complies with paragraph (b)(1) of this section and must follow 
either the applicable procedures for program revision or modification 
in other parts of Title 40, or, at the applicant's option, the 
procedures provided in paragraphs (b) through (e) of this section.
    (2) Programs planning to receive electronic documents under an 
authorized program: A state, tribe, or local government that does not 
have an existing electronic document receiving system for an authorized 
program must receive EPA approval of revisions or modifications to such 
program in compliance with paragraph (a)(1) of this section before the 
program may receive electronic documents in lieu of paper documents to 
satisfy program requirements.
    (3) Programs already receiving electronic documents under an 
authorized program: A state, tribe, or local government with an 
existing electronic document receiving system for an authorized program 
must submit an application to revise or modify such authorized program 
in compliance with paragraph (a)(1) of this section no later than 
October 13, 2007. On a case-by-case basis, this deadline may be 
extended by the Administrator, upon request of the state, tribe, or 
local government, where the Administrator determines that the state, 
tribe, or local government needs additional time to make legislative or 
regulatory changes to meet the requirements of this part.
    (4) Programs with approved electronic document receiving systems: 
An authorized program that has EPA's approval to accept electronic 
documents in lieu of paper documents must keep EPA apprised of those 
changes to laws, policies, or the electronic document receiving systems 
that have the potential to affect program compliance with Sec.  3.2000. 
Where the Administrator determines that such changes require EPA review 
and approval, EPA may request that the state, tribe, or local 
government submit an application for program revision or modification; 
additionally, a state, tribe, or local government on its own initiative 
may submit an application for program revision or modification 
respecting their receipt of electronic documents. Such applications 
must comply with paragraph (a)(1) of this section.
    (5) Restrictions on the use of procedures in this section: The 
procedures provided in paragraphs (b) through (e) of this section may 
only be used for revising or modifying an authorized program to provide 
for electronic reporting and for subsequent revisions or modifications 
to the electronic reporting elements of an authorized program as 
provided under paragraph (a)(4) of this section.
    (b)(1) To obtain EPA approval of program revisions or modifications 
using procedures provided under this section, a state, tribe, or local 
government must submit an application to the Administrator that 
includes the following elements:
    (i) A certification that the state, tribe, or local government has 
sufficient legal authority provided by lawfully enacted or promulgated 
statutes or regulations that are in full force and effect on the date 
of the certification to implement the electronic reporting component of 
its authorized programs covered by the application in conformance with 
Sec.  3.2000 and to enforce the affected programs using electronic 
documents collected under these programs, together with copies of the 
relevant statutes and regulations, signed by the State Attorney General 
or his or her designee, or, in the case of an authorized tribe or local 
government program, by the chief executive or administrative official 
or officer of the governmental entity, or his or her designee;
    (ii) A listing of all the state, tribe, or local government 
electronic document receiving systems to accept the electronic 
documents being addressed by the program revisions or modifications 
that are covered by the application, together with a description for 
each such system that specifies how the system meets the applicable 
requirements in Sec.  3.2000 with respect to those electronic 
documents;
    (iii) A schedule of upgrades for the electronic document receiving 
systems listed under paragraph (b)(1)(ii) of this section that have the 
potential to affect the program's continued conformance with Sec.  
3.2000; and
    (iv) Other information that the Administrator may request to fully 
evaluate the application.
    (2) A state, tribe, or local government that revises or modifies 
more than one authorized program for receipt of electronic documents in 
lieu of paper documents may submit a consolidated application under 
this section covering more than one authorized program, provided the 
consolidated application complies with paragraph (b)(1) of this section 
for each authorized program.
    (3)(i) Within 75 calendar days of receiving an application for 
program revision or modification submitted under paragraph (b)(1) of 
this section, the Administrator will respond with a letter that either 
notifies the state, tribe, or local government that the application is 
complete or identifies deficiencies in the application that render the 
application incomplete. The state, tribe, or local government receiving 
a notice of deficiencies may amend the application and resubmit it. 
Within 30 calendar days of receiving the amended application, the 
Administrator will respond with a letter that either notifies the 
applicant that the amended

[[Page 59883]]

application is complete or identifies remaining deficiencies that 
render the application incomplete.
    (ii) If a state, tribe, or local government receiving notice of 
deficiencies under paragraph (b)(3)(i) of this section does not remedy 
the deficiencies and resubmit the subject application within a 
reasonable period of time, the Administrator may act on the incomplete 
application under paragraph (c) of this section.
    (c)(1) The Administrator will act on an application by approving or 
denying the state's, tribe's or local government's request for program 
revision or modification.
    (2) Where a consolidated application submitted under paragraph 
(b)(2) of this section addresses revisions or modifications to more 
than one authorized program, the Administrator may approve or deny the 
request for revision or modification of each authorized program in the 
application separately; the Administrator need not take the same action 
with respect to the requested revisions or modifications for each such 
program.
    (3) When an application under paragraph (b) of this section 
requests revision or modification of an authorized public water system 
program under part 142 of this title, the Administrator will, in 
accordance with the procedures in paragraph (f) of this section, 
provide an opportunity for a public hearing before a final 
determination pursuant to paragraph (c)(1) of this section with respect 
to that component of the application.
    (4) Except as provided under paragraph (c)(4)(i) and (ii) of this 
section, if the Administrator does not take any action under paragraph 
(c)(1) of this section on a specific request for revision or 
modification of a specific authorized program addressed by an 
application submitted under paragraph (b) of this section within 180 
calendar days of notifying the state, tribe, or local government under 
paragraph (b)(3) of this section that the application is complete, the 
specific request for program revision or modification for the specific 
authorized program is considered automatically approved by EPA at the 
end of the 180 calendar days unless the review period is extended at 
the request of the state, tribe, or local government submitting the 
application.
    (i) Where an opportunity for public hearing is required under 
paragraph (c)(3) of this section, the Administrator's action on the 
requested revision or modification will be in accordance with paragraph 
(f) of this section.
    (ii) Where a requested revision or modification addressed by an 
application submitted under paragraph (b) of this section is to an 
authorized program with an existing electronic document receiving 
system, and where notification under paragraph (b)(3) of this section 
that the application is complete is executed after October 13, 2007, if 
the Administrator does not take any action under paragraph (c)(1) of 
this section on the specific request for revision or modification 
within 360 calendar days of such notification, the specific request is 
considered automatically approved by EPA at the end of the 360 calendar 
days unless the review period is extended at the request of the state, 
tribe, or local government submitting the application.
    (d) Except where an opportunity for public hearing is required 
under paragraph (c)(3) of this section, EPA's approval of a program 
revision or modification under this section will be effective upon 
publication of a notice of EPA's approval of the program revision or 
modification in the Federal Register. EPA will publish such a notice 
promptly after approving a program revision or modification under 
paragraph (c)(1) of this section or after an EPA approval occurs 
automatically under paragraph (c)(4) of this section.
    (e) If a state, tribe, or local government submits material to 
amend its application under paragraph (b)(1) of this section after the 
date that the Administrator sends notification under paragraph 
(b)(3)(i) of this section that the application is complete, this new 
submission will constitute withdrawal of the pending application and 
submission of a new, amended application for program revision or 
modification under paragraph (b)(1) of this section, and the 180-day 
time period in paragraph (c)(4) of this section or the 360-day time 
period in paragraph (c)(4)(ii) of this section will begin again only 
when the Administrator makes a new determination and notifies the 
state, tribe, or local government under paragraph (b)(3)(i) of this 
section that the amended application is complete.
    (f) For an application under this section that requests revision or 
modification of an authorized public water system program under part 
142 of this chapter:
    (1) The Administrator will publish notice of the Administrator's 
preliminary determination under paragraph (c)(1) of this section in the 
Federal Register, stating the reasons for the determination and 
informing interested persons that they may request a public hearing on 
the Administrator's determination. Frivolous or insubstantial requests 
for a hearing may be denied by the Administrator;
    (2) Requests for a hearing submitted under this section must be 
submitted to the Administrator within 30 days after publication of the 
notice of opportunity for hearing in the Federal Register. The 
Administrator will give notice in the Federal Register of any hearing 
to be held pursuant to a request submitted by an interested person or 
on the Administrator's own motion. Notice of hearing will be given not 
less than 15 days prior to the time scheduled for the hearing;
    (3) The hearing will be conducted by a designated hearing officer 
in an informal, orderly, and expeditious manner. The hearing officer 
will have authority to take such action as may be necessary to assure 
the fair and efficient conduct of the hearing; and
    (4) After reviewing the record of the hearing, the Administrator 
will issue an order either affirming the determination the 
Administrator made under paragraph (c)(1) of this section or rescinding 
such determination and will promptly publish a notice of the order in 
the Federal Register. If the order is to approve the program revision 
or modification, EPA's approval will be effective upon publication of 
the notice in the Federal Register. If no timely request for a hearing 
is received and the Administrator does not determine to hold a hearing 
on the Administrator's own motion, the Administrator's determination 
made under paragraph (c)(1) of this section will be effective 30 days 
after notice is published pursuant to paragraph (f)(1) of this section.


Sec.  3.2000  What are the requirements authorized state, tribe, and 
local programs' reporting systems must meet?

    (a) Authorized programs that receive electronic documents in lieu 
of paper to satisfy requirements under such programs must:
    (1) Use an acceptable electronic document receiving system as 
specified under paragraphs (b) and (c) of this section; and
    (2) Require that any electronic document must bear the valid 
electronic signature of a signatory if that signatory would be required 
under the authorized program to sign the paper document for which the 
electronic document substitutes, unless the program has been approved 
by EPA to accept a handwritten signature on a separate paper 
submission. The paper submission must contain references to the 
electronic document sufficient for legal certainty that the signature 
was executed with the intention to certify to, attest to, or agree to 
the content of that electronic document.

[[Page 59884]]

    (b) An electronic document receiving system that receives 
electronic documents submitted in lieu of paper documents to satisfy 
requirements under an authorized program must be able to generate data 
with respect to any such electronic document, as needed and in a timely 
manner, including a copy of record for the electronic document, 
sufficient to prove, in private litigation, civil enforcement 
proceedings, and criminal proceedings, that:
    (1) The electronic document was not altered without detection 
during transmission or at any time after receipt;
    (2) Any alterations to the electronic document during transmission 
or after receipt are fully documented;
    (3) The electronic document was submitted knowingly and not by 
accident;
    (4) Any individual identified in the electronic document submission 
as a submitter or signatory had the opportunity to review the copy of 
record in a human-readable format that clearly and accurately 
associates all the information provided in the electronic document with 
descriptions or labeling of the information and had the opportunity to 
repudiate the electronic document based on this review; and
    (5) In the case of an electronic document that must bear electronic 
signatures of individuals as provided under paragraph (a)(2) of this 
section, that:
    (i) Each electronic signature was a valid electronic signature at 
the time of signing;
    (ii) The electronic document cannot be altered without detection at 
any time after being signed;
    (iii) Each signatory had the opportunity to review in a human-
readable format the content of the electronic document that he or she 
was certifying to, attesting to or agreeing to by signing;
    (iv) Each signatory had the opportunity, at the time of signing, to 
review the content or meaning of the required certification statement, 
including any applicable provisions that false certification carries 
criminal penalties;
    (v) Each signatory has signed either an electronic signature 
agreement or a subscriber agreement with respect to the electronic 
signature device used to create his or her electronic signature on the 
electronic document;
    (vi) The electronic document receiving system has automatically 
responded to the receipt of the electronic document with an 
acknowledgment that identifies the electronic document received, 
including the signatory and the date and time of receipt, and is sent 
to at least one address that does not share the same access controls as 
the account used to make the electronic submission; and
    (vii) For each electronic signature device used to create an 
electronic signature on the document, the identity of the individual 
uniquely entitled to use the device and his or her relation to any 
entity for which he or she will sign electronic documents has been 
determined with legal certainty by the issuing state, tribe, or local 
government. In the case of priority reports identified in the table in 
Appendix 1 of Part 3, this determination has been made before the 
electronic document is received, by means of:
    (A) Identifiers or attributes that are verified (and that may be 
re-verified at any time) by attestation of disinterested individuals to 
be uniquely true of (or attributable to) the individual in whose name 
the application is submitted, based on information or objects of 
independent origin, at least one item of which is not subject to change 
without governmental action or authorization; or
    (B) A method of determining identity no less stringent than would 
be permitted under paragraph (b)(5)(vii)(A) of this section; or
    (C) Collection of either a subscriber agreement or a certification 
from a local registration authority that such an agreement has been 
received and securely stored.
    (c) An authorized program that receives electronic documents in 
lieu of paper documents must ensure that:
    (1) A person is subject to any appropriate civil, criminal 
penalties or other remedies under state, tribe, or local law for 
failure to comply with a reporting requirement if the person fails to 
comply with the applicable provisions for electronic reporting.
    (2) Where an electronic document submitted to satisfy a state, 
tribe, or local reporting requirement bears an electronic signature, 
the electronic signature legally binds or obligates the signatory, or 
makes the signatory responsible, to the same extent as the signatory's 
handwritten signature on a paper document submitted to satisfy the same 
reporting requirement.
    (3) Proof that a particular electronic signature device was used to 
create an electronic signature that is included in or logically 
associated with an electronic document submitted to satisfy a state, 
tribe, or local reporting requirement will suffice to establish that 
the individual uniquely entitled to use the device at the time of 
signature did so with the intent to sign the electronic document and 
give it effect.
    (4) Nothing in the authorized program limits the use of electronic 
documents or information derived from electronic documents as evidence 
in enforcement proceedings.

Appendix 1 to Part 3--Priority Reports

------------------------------------------------------------------------
           Category                   Description        40 CFR Citation
------------------------------------------------------------------------
                            Required Reports
------------------------------------------------------------------------
State Implementation Plan.....  Emissions data reports  51.60(c).
                                 for mobile sources.
Excess Emissions and            Excess emissions and    60.7(c),
 Monitoring Performance Report   monitoring              60.7(d).
 Compliance Notification         performance report
 Report.                         detailing the
                                 magnitude of excess
                                 emissions, and
                                 provides the date,
                                 time, and system
                                 status at the time of
                                 the excess emission.
New Source Performance          Semi-annual reports     60.49a(e) & (j)
 Standards Reporting             (quarterly, if report   & (v),
 Requirements.                   is approved for         60.49b(v).
                                 electronic submission
                                 by the permitting
                                 authority) on sulfur
                                 dioxide, nitrous
                                 oxides and
                                 particulate matter
                                 emission (includes
                                 reporting
                                 requirements in
                                 Subparts A through
                                 DDDD).
Semi-annual Operations and      Semi-annual report      60.107(c),
 Corrective Action Reports.      provides information    60.107(d).
                                 on a company's
                                 exceedance of its
                                 sulfur dioxide
                                 emission rate, sulfur
                                 content of the fresh
                                 feed, and the average
                                 percent reduction and
                                 average concentration
                                 of sulfur dioxide.
                                 When emissions data
                                 is unavailable, a
                                 signed statement is
                                 required which
                                 documents the
                                 changes, if any, made
                                 to the emissions
                                 control system that
                                 would impact the
                                 company's compliance
                                 with emission limits.

[[Page 59885]]

 
National Emission Standards     Include such reports    61.11,
 for Hazardous Air Pollutants    as: Annual              61.24(a)(3) &
 Reporting Requirements.         compliance,             (a)(8),
                                 calculation, initial    61.70(c)(1) &
                                 startup, compliance     (c)(2)(v) &
                                 status,                 (c)(3) &
                                 certifications of       (c)(4)(iv),
                                 compliance, waivers     61.94(a) &
                                 from compliance         (b)(9),
                                 certifications,         61.104(a) &
                                 quarterly inspection    (a)(1)(x) &
                                 certifications,         (a)(1)(xi) &
                                 operations, and         (a)(1)(xvi),
                                 operations and          61.138(e) &
                                 process change.         (f),
                                                         61.165(d)(2) &
                                                         (d)(3) & (d)(4)
                                                         & (f)(1) &
                                                         (f)(2) &(f)(3),
                                                         61.177(a)(2) &
                                                         (c)(1) & (c)(2)
                                                         & (c)(3) &
                                                         (e)(1) &
                                                         (e)(3),
                                                         61.186(b)(1) &
                                                         (b)(2) & (b)(3)
                                                         & (c)(1) &
                                                         (f)(1),
                                                         61.247(a)(1) &
                                                         (a)(4) &
                                                         (a)(5)(v) &
                                                         (b)(5) & (d),
                                                         61.254(a)(4),
                                                         61.275(a) & (b)
                                                         & (c),
                                                         61.305(f) &
                                                         (i), 61.357(a)
                                                         & (b) & (c) &
                                                         (d), 63.9(h).
Hazardous Air Pollutants        Reports containing      63.10(d),
 Compliance Report.              results from            63.10(e)(1),
                                 performance test,       63.10(e)(3).
                                 opacity tests, and
                                 visible emissions
                                 tests. Progress
                                 reports; periodic and
                                 immediate startup,
                                 shutdown, and
                                 malfunction reports;
                                 results from
                                 continuous monitoring
                                 system performance
                                 evaluations; excess
                                 emissions and
                                 continuous monitoring
                                 system performance
                                 report; or summary
                                 report.
Notifications and Reports.....  Reports that document   65.5(d),
                                 a facility's initial    65.5(e).
                                 compliance status,
                                 notification of
                                 initial start-up, and
                                 periodic reports
                                 which includes the
                                 startup, shutdown,
                                 and malfunction
                                 reports discussed in
                                 40 CFR 65.6(c).
Continuous Emissions            Quarterly emissions     75.64, 75.65.
 Monitoring.                     monitoring reports
                                 and opacity reports
                                 which document a
                                 facility's excess
                                 emission.
Notice of Fuel or Fuel          Registration of new     79.10, 79.11,
 Additive Registration and       fuels and additives,    79.20, 79.21,
 Health Effects Testing.         and the submission      79.51.
                                 and certification of
                                 health effect data.
Manufacture In-Use and Product  Reports that document   86.1845,
 Line Emissions Testing.         the emissions testing   86.1846,
                                 results generated       86.1847,
                                 from the in-use         90.113,
                                 testing program for     90.1205,
                                 new and in-use          90.704, 91.805,
                                 highway vehicle         91.504, 92.607,
                                 ignition engines; non-  92.508, 92.509.
                                 road spark-ignition
                                 engines; marine spark-
                                 ignition engines; and
                                 locomotives and
                                 locomotive engines.
Industrial and Publicly Owned   Discharge monitoring    122.41(l)(4)(i),
 Treatment Works Reports.        reports for all         403.12(b) & (d)
                                 individual              & (e) & (h).
                                 permittees--including
                                 baseline reports,
                                 pretreatment
                                 standards report,
                                 periodic compliance
                                 reports, and reports
                                 made by significant
                                 industrial users.
-------------------------------
                          Event Driven Notices
------------------------------------------------------------------------
State Implementation Plan.....  Owners report           51.211.
                                 emissions data from
                                 stationary sources.
Report For Initial Performance  Report that provides    60.2200 (initial
 Test.                           the initial             performance
                                 performance test        tests).
                                 results, site-
                                 specific operating
                                 limits, and, if
                                 installed,
                                 information on the
                                 bag leak detection
                                 device used by the
                                 facility.
Emissions Control Report......  Report submitted by     61.153(a)(1),
                                 new sources within 90   61.153(a)(4)(i)
                                 days of set-up which    ,
                                 describes emission      61.153(a)(5)(ii
                                 control equipment       ).
                                 used, processes which
                                 generate asbestos-
                                 containing waste
                                 material, and
                                 disposal information.
State Operating Permits--       Monitoring and          70.6(a)(3)(iii)(
 Permit Content.                 deviation reports       A),
                                 under the State         70.6(a)(3)(iii)
                                 Operating Permit.       (B).
Title V Permits--Permit         Monitoring and          71.6(a)(3)(iii).
 Content.                        deviation reports
                                 under the Federal
                                 Operating Permit.
Annual Export Report..........  Annual report           262.56(a).
                                 summarizing the
                                 amount and type of
                                 hazardous waste
                                 exported.
Exceptions Reports............  Reports submitted by a  262.42, 262.55.
                                 generator when the
                                 generator has not
                                 received confirmation
                                 from the Treatment,
                                 Storage, and Disposal
                                 Facility (TSDF) that
                                 it received the
                                 generator's waste and
                                 when hazardous waste
                                 shipment was received
                                 by the TSDF. For
                                 exports, reports
                                 submitted when the
                                 generator has not
                                 received a copy of
                                 the manifest from the
                                 transporter with
                                 departure date and
                                 place of export
                                 indicated; and
                                 confirmation from the
                                 consignee that the
                                 hazardous waste was
                                 received or when the
                                 hazardous waste is
                                 returned to the U.S.
Contingency Plan                Follow-up reports made  264.56(j),
 Implementation Reports.         to the Agency for all   265.56(j).
                                 incidents noted in
                                 the operating record
                                 which required the
                                 implementation of a
                                 facility's
                                 contingency plan.
Significant Manifest            Report filed by         264.72(b),
 Discrepancy Report.             Treatment, Storage,     265.72(b).
                                 and Disposal
                                 Facilities (TSDF)
                                 within 15 days of
                                 receiving wastes,
                                 when the TSDF is
                                 unable to resolve
                                 manifest
                                 discrepancies with
                                 the generator.
Unmanifested Waste Report.....  Report that documents   264.76, 265.76.
                                 hazardous waste
                                 received by a
                                 Treatment, Storage,
                                 and Disposal Facility
                                 without an
                                 accompanying manifest.
Noncompliance Report..........  An owner/operator       264.1090.
                                 submitted report
                                 which documents
                                 hazardous waste that
                                 was placed in
                                 hazardous waste
                                 management units in
                                 noncompliance with 40
                                 CFR sections
                                 264.1082(c)(1) and
                                 (c)(2); 264.1084(b);
                                 264.1035(c)(4); or
                                 264.1033(d).

[[Page 59886]]

 
Notification--Low Level Mixed   One-time notification   266.345.
 Waste.                          concerning
                                 transportation and
                                 disposal of
                                 conditionally
                                 exempted waste.
Notification--Land Disposal     One-time notification   268.9(d).
 Restrictions.                   and certification
                                 that characteristic
                                 waste is no longer
                                 hazardous.
Underground Storage Tank        Underground Storage     280.22.
 Notification.                   Tank system
                                 notifications
                                 concerning design,
                                 construction, and
                                 installation. As well
                                 as when systems are
                                 being placed in
                                 operation. (EPA Form
                                 7530-1 or state
                                 version.).
Free Product Removal Report     Report written and      280.64, 280.65.
 and Subsequent Investigation    submitted within 45
 Report.                         days after confirming
                                 a free product
                                 release, including
                                 information on the
                                 release and recovery
                                 methods used for the
                                 free product, and
                                 when test indicate
                                 presence of free
                                 product, response
                                 measures.
Manufacture or Import           Premanufacture          720.102, 721.25.
 Premanufacture Notification.    notification of
                                 intent to begin
                                 manufacturing,
                                 importing, or
                                 processing chemicals
                                 identified in Subpart
                                 E for significant new
                                 use (forms 7710-56
                                 and 7710-25).
-------------------------------
                         Permit Applications \1\
------------------------------------------------------------------------
State Implementation Plan.....  Information describing  52.21(n).
                                 the source, its
                                 construction
                                 schedule, and the
                                 planned continuous
                                 emissions reductions
                                 system.
State Operating Permits.......  Reports, notices, or    70.6(c)(1).
                                 other written
                                 submissions required
                                 by a State Operating
                                 Permit.
Title V Permits--Permit         Reports, notices, or    71.6(c)(1),
 Content.                        other written           71.25(c)(1).
                                 submissions required
                                 by a Title V
                                 Operating Permit.
Title V Permits...............  Specific criteria for   71.7(e(2)(ii)(c)
                                 permit modifications    .
                                 and or revisions,
                                 including a
                                 certification
                                 statement by a
                                 responsible official.
Reclaimer Certification.......  Certification made by   82.164.
                                 a reclaimer that the
                                 refrigerant was
                                 reprocessed according
                                 to specifications and
                                 that no more than
                                 1.5% of the
                                 refrigerant was
                                 released during the
                                 reclamation.
Application for Certification   Control of Emissions    86.007-21 (heavy
 and Statement of Compliance.    for New and In-Use      duty), 1844-01
                                 Highway Vehicles and    (light duty).
                                 Engines statement of
                                 compliance made by
                                 manufacturer,
                                 attesting that the
                                 engine family
                                 complies with
                                 standards for new and
                                 in-use highway
                                 vehicles and engines.
Application for Certification.  Application made by     89.115, 90.107,
                                 engine manufacturer     91.107, 92.203,
                                 to obtain certificate   94.203.
                                 of conformity.
National Pollutant Discharge    National Pollutant      122.21.
 Elimination System.             Discharge Elimination
                                 System (NPDES)
                                 Permits and Renewals
                                 (includes individual
                                 permit applications,
                                 NPDES General Form 1,
                                 and NPDES Forms 2A-F,
                                 and 2S).
Resource Conservation and       Signatures for permit   270.11, 270.42.
 Recovery Act Permit             applications and
 Applications and                reports; submission
 Modifications.                  of permit
                                 modifications. (This
                                 category excludes
                                 Class I permit
                                 modifications (40 CFR
                                 270.42, Appendix I)
                                 that do not require
                                 prior approval).
-------------------------------
             Certifications of Compliance/Non-Applicability
------------------------------------------------------------------------
State Implementation Plan       State implementation    51.212(c),
 Requirements.                   plan certifications     51.214(e).
                                 for testing,
                                 inspection,
                                 enforcement, and
                                 continuous emissions
                                 monitoring.
Certification Statement.......  Chemical Accident       68.185.
                                 Prevention
                                 Provisions--Risk
                                 Management Plan
                                 certification
                                 statements.
Title V Permits...............  Federal compliance      70.5(c)(9),
                                 certifications and      70.5(d),
                                 permit applications.    70.6(c)(5).
State Operating Permits.......  State compliance        71.5(c)(9),
                                 certifications and      71.5(d),
                                 permit applications.    71.24(f).
Annual and Other Compliance     Annual compliance       72.90.
 Certification Reports.          certification report
                                 and is submitted by
                                 units subject to acid
                                 rain emissions
                                 limitations.
Annual Compliance               Annual compliance       74.43.
 Certification Report, Opt-In    certification report
 Report, and Confirmation        which is submitted in
 Report.                         lieu of annual
                                 compliance
                                 certification report
                                 listed in Subpart I
                                 of Part 72.
Quarterly Reports and           Continuous Emission     75.73.
 Compliance Certifications.      Monitoring
                                 certifications,
                                 monitoring plans, and
                                 quarterly reports for
                                 NOX emissions.
Certification Letters Recovery  Protection of           79.4, 80.161,
 and Recycling Equipment,        Stratospheric Ozone:    82.162, 82.42.
 Motor Vehicle Air               Recycling & Emissions
 Conditioners Recycling          Reduction.
 Program, Detergent Package.     Acquisition of
                                 equipment for
                                 recovery or recycling
                                 made by auto repair
                                 service technician
                                 and Fuels and Fuel
                                 Additives Detergent
                                 additive
                                 certification.
Response Plan Cover Sheet.....  Oil Pollution           112 (Appendix
                                 Prevention              f).
                                 certification to the
                                 truth and accuracy of
                                 information.
Closure Report................  Report which documents  146.71.
                                 that closure was in
                                 accordance with
                                 closure plan and/or
                                 details difference
                                 between actual
                                 closure and the
                                 procedures outlined
                                 in the closure plan.
Certification of Closure and    Certification that      264.115,
 Post Closure Care, Post-        Treatment, Storage,     264.119,
 Closure Notices.                and Disposal            264.119(b)(2),
                                 Facilities (TSDF) are   264.120,
                                 closed in accordance    265.115,
                                 with approved closure   265.119(b)(2),
                                 plan or post-closure    265.120,
                                 plan.                   265.19.
Certification of Testing Lab    Certification that the  270.63.
 Analysis.                       testing and/or lab
                                 analyses required for
                                 the treatment
                                 demonstration phase
                                 of a two-phase permit
                                 was conducted.

[[Page 59887]]

 
Periodic Certification........  Certification that      437.41(b).
                                 facility is operating
                                 its system to provide
                                 equivalent treatment
                                 as in initial
                                 certification.
------------------------------------------------------------------------
\1\ Included within each permit application category, though sometimes
  not listed, are the permits submitted to run/operate/maintain
  facilities and/or equipment/products under EPA or authorized programs.

PART 9--OMB APPROVALS UNDER THE PAPERWORK REDUCTION ACT

0
1. The authority citation for part 9 continues to read as follows:

    Authority: 7 U.S.C. 135 et seq., 136-136y; 15 U.S.C. 2001, 2003, 
2005, 2006, 2601-2671; 21 U.S.C. 331j, 346a, 31 U.S.C. 9701; 33 
U.S.C. 125l et seq., 1311, 1313d, 1314, 1318, 1321, 1326, 1330, 
1342, 1344, 1345 (d) and (e), 1361; E.O. 11735, 38 FR 21243, 3 CFR, 
1971-1975 Comp. p. 973; 42 U.S.C. 241, 242b, 243, 246, 300f, 300g, 
300g-1, 300g-2, 300g-3, 300g-4, 300g-5, 300g-6, 300j-1, 300j-2, 
300j-3, 300j-4, 300j-9, 1857 et seq., 6901-6992k, 7401-7671q, 7542, 
9601-9657, 11023, 11048.

0
2. Section 9.1 is amended by adding a new entry in numerical order for 
part 3 to read as follows:


Sec.  9.1  OMB approvals under the Paperwork Reduction Act.

* * * * *

------------------------------------------------------------------------
                                                                 OMB
                      40 CFR citation                        Control No.
------------------------------------------------------------------------
 
                                * * * * *
------------------------------------------------------------
                    Cross-Media Electronic Reporting
------------------------------------------------------------------------
Part 3.....................................................    2025-0003
------------------------------------------------------------------------

* * * * *

PART 51--REQUIREMENTS FOR PREPARATION, ADOPTION, AND SUBMITTAL OF 
IMPLEMENTATION PLANS

0
1. The authority citation for part 51 continues to read as follows:

    Authority: 23 U.S.C. 101; 42 U.S.C. 7401-7671q.


0
2. Section 51.286 is added to Subpart O to read as follows:


Sec.  51.286  Electronic reporting.

    States that wish to receive electronic documents must revise the 
State Implementation Plan to satisfy the requirements of 40 CFR Part 
3--(Electronic reporting).

PART 60--STANDARDS OF PERFORMANCE FOR NEW STATIONARY SOURCES

0
1. The authority citation for part 60 continues to read as follows:

    Authority: 42 U.S.C. 7401-7601.


0
2. Section 60.25(b)(1) is amended by adding a sentence to the end of 
the paragraph to read as follows:


Sec.  60.25  Emission inventories, source surveillance, reports.

* * * * *
    (b)(1) * * * Submission of electronic documents shall comply with 
the requirements of 40 CFR part 3--(Electronic reporting).
* * * * *

PART 63--NATIONAL EMISSION STANDARDS FOR HAZARDOUS AIR POLLUTANTS 
FOR SOURCE CATEGORIES

0
1. The authority citation for part 63 continues to read as follows:

    Authority: 42 U.S.C. 7401 et seq.


0
2. Section 63.91 is amended by adding a new paragraph (d)(5)to read as 
follows:


Sec.  63.91  Criteria for straight delegation and criteria common to 
all approved options.

* * * * *
    (d) * * *
    (5) Electronic documents. Submission of electronic documents shall 
comply with the requirements of 40 CFR part 3--(Electronic reporting).
* * * * *

PART 69--SPECIAL EXEMPTIONS FROM REQUIREMENTS OF THE CLEAN AIR ACT

0
1. The authority citation for part 69 continues to read as follows:

    Authority: 42 U.S.C. 7545(c), (g) and (i), and 7625-1.


0
2. Section 69.13 is amended by adding a new paragraph (b)(1)(v) to read 
as follows:


Sec.  69.13  Title V conditional exemption.

* * * * *
    (b) * * *
    (1) * * *
    (v) If the program chooses to accept electronic documents it must 
satisfy the requirements of 40 CFR Part 3--(Electronic reporting).
* * * * *

0
3. Section 69.22 is amended by adding a new paragraph (b)(1)(v) to read 
as follows:


Sec.  69.22  Title V conditional exemption.

* * * * *
    (b) * * *
    (1) * * *
    (v) If the program chooses to accept electronic documents it must 
satisfy the requirements of 40 CFR Part 3--(Electronic reporting).
* * * * *

0
4. Section 69.32 is amended by adding a new paragraph (b)(1)(v) to read 
as follows:


Sec.  69.32  Title V conditional exemption.

* * * * *
    (b) * * *
    (1) * * *
    (v) If the program chooses to accept electronic documents it must 
satisfy the requirements of 40 CFR Part 3--(Electronic reporting).
* * * * *

PART 70--STATE OPERATING PERMIT PROGRAMS

0
1. The authority citation for part 70 continues to read as follows:

    Authority: 42 U.S.C. 7401, et seq.


0
2. Section 70.1 is amended by adding a new paragraph (f) to read as 
follows:


Sec.  70.1  Program overview.

* * * * *
    (f) States that choose to receive electronic documents must satisfy 
the requirements of 40 CFR Part 3--(Electronic reporting) in their 
program.

PART 71--FEDERAL OPERATING PERMIT PROGRAMS

0
1. The authority citation for part 71 continues to read as follows:

    Authority: 42 U.S.C. 7401, et seq.


0
2. Section 71.10 is amended by adding a new sentence to the end of 
paragraph (a) to read as follows:


Sec.  71.10  Delegation of part 71 program.

    (a) * * * Delegate agencies that choose to receive electronic 
documents as part of their delegated program must satisfy the 
requirements of 40 CFR Part 3--(Electronic reporting).
* * * * *

PART 123--STATE PROGRAM REQUIREMENTS

0
1. The authority citation for part 123 continues to read as follows:

    Authority: Clean Water Act, 33 U.S.C. 1251 et seq.


[[Page 59888]]



0
2. Section 123.25 is amended by revising paragraphs (a)(44) and 
(a)(45), adding the phrase ``Except for paragraph (a)(46) of this 
section,'' at the beginning of the Note to paragraph (a), and adding a 
new paragraph (a)(46) to read as follows:


Sec.  123.25  Requirements for permitting.

    (a) * * *
    (44) Sec.  122.35 (As an operator of a regulated small MS4, may I 
share the responsibility to implement the minimum control measures with 
other entities?);
    (45) Sec.  122.36 (As an operator of a regulated small MS4, what 
happens if I don't comply with the application or permit requirements 
in Sec. Sec.  122.33 through 122.35?); and
    (46) For states that wish to receive electronic documents, 40 CFR 
Part 3--(Electronic reporting).
* * * * *

PART 142--NATIONAL PRIMARY DRINKING WATER REGULATIONS 
IMPLEMENTATION

0
1. The authority citation for part 142 continues to read as follows:

    Authority: 42 U.S.C. 300f, 300g-1, 300g-2, 300g-3, 300g-4, 300g-
5, 300g-6, 300j-4, 300j-9, and 300j-11.


0
2. Section 142.10 is amended by redesignating paragraph (g) as 
paragraph (h) and by adding a new paragraph (g) to read as follows:


Sec.  142.10  Requirements for a determination of primary enforcement 
responsibility.

* * * * *
    (g) Has adopted regulations consistent with 40 CFR Part 3--
(Electronic reporting) if the state receives electronic documents.
* * * * *

PART 145--REQUIREMENTS FOR STATE PROGRAMS

0
1. The authority citation for part 145 continues to read as follows:

    Authority: 42 U.S.C. 300f et seq.


0
2. Section 145.11 is amended by revising paragraphs (a)(30), (a)(31), 
(a)(32), and adding paragraph (a)(33) to read as follows:


Sec.  145.11  Requirements for permitting.

    (a) * * *
    (30) Section 124.12(a)--(Public hearings);
    (31) Section 124.17 (a) and (c)--(Response to comments);
    (32) Section 144.88--(What are the additional requirements?); and
    (33) For states that wish to receive electronic documents, 40 CFR 
Part 3--(Electronic reporting).
* * * * *

PART 162--STATE REGISTRATION OF PESTICIDE PRODUCTS

0
1. The authority citation for part 162 continues to read as follows:

    Authority: 7 U.S.C. 136v, 136w.


0
2. Section 162.153 is amended by adding a paragraph (a)(6) to read as 
follows:


Sec.  162.153  State registration procedures.

    (a) * * *
    (6) Electronic Reporting under State Registration of Pesticide 
Products for Special Local Needs. States that choose to receive 
electronic documents under the regulations pertaining to state 
registration of pesticides to meet special local needs, must ensure 
that the requirements of 40 CFR Part 3--(Electronic reporting) are 
satisfied by their state procedures for such registrations.
* * * * *

PART 233--404 STATE PROGRAM REGULATIONS

0
1. The authority citation for part 233 continues to read as follows:

    Authority: 33 U.S.C. 1251 et seq.


0
2. A new Sec.  233.39 is added to Subpart D to read as follows:


Sec.  233.39  Electronic reporting.

    States that choose to receive electronic documents must satisfy the 
requirements of 40 CFR Part 3--(Electronic reporting) in their state 
program.

PART 257--CRITERIA FOR CLASSIFICATION OF SOLID WASTE DISPOSAL 
FACILITIES AND PRACTICES

0
1. The authority citation for part 257 continues to read as follows:

    Authority: 42 U.S.C. 6907(a)(3), 6912(a)(1), 6944(a) and 
6949(c), 33 U.S.C. 1345(d) and (e).


0
2. Section 257.30 is amended by adding a new paragraph (d) to read as 
follows:


Sec.  257.30  Recordkeeping requirements.

* * * * *
    (d) The Director of an approved state program may receive 
electronic documents only if the state program includes the 
requirements of 40 CFR Part 3--(Electronic reporting).

PART 258--CRITERIA FOR MUNICIPAL SOLID WASTE LANDFILLS

0
1. The authority citation for part 258 continues to read as follows:

    Authority: 33 U.S.C. 1345(d) and (e); 42 U.S.C. 6902(a), 6907, 
6912(a), 6944, 6945(c) and 6949a(c).


0
2. Section 258.29 is amended by adding a new paragraph (d) to read as 
follows:


Sec.  258.29  Recordkeeping requirements.

* * * * *
    (d) The Director of an approved state program may receive 
electronic documents only if the state program includes the 
requirements of 40 CFR Part 3--(Electronic reporting).

PART 271--REQUIREMENTS FOR AUTHORIZATION OF STATE HAZARDOUS WASTE 
PROGRAMS

0
1. The authority citation for part 271 continues to read as follows:

    Authority: 42 U.S.C. 6905, 6912 and 6926.


0
2. Section 271.10 is amended by revising paragraph (b) to read as 
follows:


Sec.  271.10  Requirements for generators of hazardous waste.

* * * * *
    (b) The State shall have authority to require and shall require all 
generators to comply with reporting and recordkeeping requirements 
equivalent to those under 40 CFR 262.40 and 262.41. States must require 
that generators keep these records at least 3 years. States that choose 
to receive electronic documents must include the requirements of 40 CFR 
Part 3--(Electronic reporting) in their Program (except that states 
that choose to receive electronic manifests and/or permit the use of 
electronic manifests must comply with any applicable requirements for 
e-manifest in this section of this section).
* * * * *

0
3. Section 271.11 is amended by revising paragraph (b) to read as 
follows:


Sec.  271.11  Requirements for transporters of hazardous waste.

* * * * *
    (b) The State shall have authority to require and shall require all 
transporters to comply with reporting and recordkeeping requirements 
equivalent to those under 40 CFR 263.22. States must require that 
transporters keep these records at least 3 years. States that choose to 
receive electronic documents must include the requirements of 40 CFR 
Part 3--(Electronic reporting) in their Program (except that states 
that choose to receive electronic manifests

[[Page 59889]]

and/or permit the use of electronic manifests must comply with any 
applicable requirements for e-manifest in this section of this 
section).
* * * * *

0
4. Section 271.12 is amended by revising paragraph (h) to read as 
follows:


Sec.  271.12  Requirements for hazardous waste management facilities.

* * * * *
    (h) Inspections, monitoring, recordkeeping, and reporting. States 
that choose to receive electronic documents must include the 
requirements of 40 CFR Part 3--(Electronic reporting) in their Program 
(except that states that choose to receive electronic manifests and/or 
permit the use of electronic manifests must comply with paragraph (i) 
of this section);
* * * * *

PART 281--APPROVAL OF STATE UNDERGROUND STORAGE TANK PROGRAMS

0
1. The authority citation for part 281 continues to read as follows:

    Authority: 42 U.S.C. 6912, 6991 (c), (d), (e), (g).


0
2. Section 281.40 is amended by revising paragraph (d) to read as 
follows:


Sec.  281.40  Requirements for compliance monitoring program and 
authority.

* * * * *
    (d) State programs must have procedures for receipt, evaluation, 
retention and investigation of records and reports required of owners 
or operators and must provide for enforcement of failure to submit 
these records and reports. States that choose to receive electronic 
documents must include the requirements of 40 CFR Part 3--(Electronic 
reporting) in their state program.
* * * * *

PART 403--GENERAL PRETREATMENT REGULATIONS FOR EXISTING AND NEW 
SOURCES OF POLLUTION

0
1. The authority citation for part 403 continues to read as follows:

    Authority: 33 U.S.C. 1251 et seq.


0
2. Section 403.8 is amended by adding a new paragraph (g) to read as 
follows:


Sec.  403.8  Pretreatment Program Requirements: Development and 
Implementation by POTW.

* * * * *
    (g) A POTW that chooses to receive electronic documents must 
satisfy the requirements of 40 CFR Part 3--(Electronic reporting).

0
3. Section 403.12 is amended by adding a new paragraph (r) to read as 
follows:


Sec.  403.12  Reporting requirements for POTW's and industrial users.

* * * * *
    (r) The Control Authority that chooses to receive electronic 
documents must satisfy the requirements of 40 CFR Part 3--(Electronic 
reporting).

PART 501--STATE SLUDGE MANAGEMENT PROGRAM REGULATIONS

0
1. The authority citation for part 501 continues to read as follows:

    Authority: 33 U.S.C. 1251 et seq.


0
2. Section 501.15 is amended by adding a new paragraph (a)(4) to read 
as follows:


Sec.  501.15  Requirements for permitting.

    (a) * * *
    (4) Information requirements: All treatment works treating domestic 
sewage shall submit to the Director within the time frames established 
in paragraph (d)(1)(ii) of this section the information listed in 
paragraphs (a)(4)(i) through (xii) of this section. The Director of an 
approved state program that chooses to receive electronic documents 
must satisfy the requirements of 40 CFR part 3--(Electronic reporting).
* * * * *

PART 745--LEAD-BASED PAINT POISONING PREVENTION IN CERTAIN 
RESIDENTIAL STRUCTURES

0
1. The authority citation for part 745 continues to read as follows:

    Authority: 15 U.S.C. 2605, 2607, 2681-2692 and 42 U.S.C. 4852d.


0
2. Section 745.327 is amended by adding a new paragraph (f) to read as 
follows:


Sec.  745.327  State or Indian Tribal lead-based paint compliance and 
enforcement programs.

* * * * *
    (f) Electronic reporting under State or Indian Tribe programs. 
States and tribes that choose to receive electronic documents under the 
authorized state or Indian tribe lead-based paint program, must ensure 
that the requirements of 40 CFR part 3--(Electronic reporting) are 
satisfied in their lead-based paint program.

PART 763--ASBESTOS

0
1. The authority citation for part 763 continues to read as follows:

    Authority: 15 U.S.C. 2605, 2607(c), 2643, and 2646.


0
2. Section 763.98 is amended by revising paragraphs (a)(1), (b)(3), and 
(d)(3) to read as follows:


Sec.  763.98  Waiver; delegation to state.

    (a) General. (1) Upon request from a state Governor and after 
notice and comment and an opportunity for a public hearing in 
accordance with paragraphs (b) and (c) of this section, EPA may waive 
some or all of the requirements of this subpart E if the state has 
established and is implementing or intends to implement a program of 
asbestos inspection and management that contains requirements that are 
at least as stringent as the requirements of this subpart. In addition, 
if the state chooses to receive electronic documents, the state program 
must include, at a minimum, the requirements of 40 CFR part 3--
(Electronic reporting).
* * * * *
    (b) * * *
    (3) Detailed reasons, supporting papers, and the rationale for 
concluding that the state's asbestos inspection and management program 
provisions for which the request is made are at least as stringent as 
the requirements of Subpart E of this part, and that, if the state 
chooses to receive electronic documents, the state program includes, at 
a minimum, the requirements of 40 CFR part 3--(Electronic reporting).
* * * * *
    (d) * * *
    (3) The state has an enforcement mechanism to allow it to implement 
the program described in the waiver request and any electronic 
reporting requirements are at least as stringent as 40 CFR part 3--
(Electronic reporting).
* * * * *

0
3. Appendix C to subpart E of part 763 is amended by adding paragraph 
(I) to section I to read as follows:

Appendix C to Subpart E of Part 763--Asbestos Model Accreditation Plan

I. Asbestos Model Accreditation Plan for States

* * * * *
    (I) Electronic Reporting.
    States that choose to receive electronic documents must include, 
at a minimum, the requirements of 40 CFR Part 3--(Electronic 
reporting) in their programs.
* * * * *
[FR Doc. 05-19601 Filed 10-12-05; 8:45 am]
BILLING CODE 6560-50-P