[Federal Register Volume 70, Number 197 (Thursday, October 13, 2005)]
[Rules and Regulations]
[Pages 59848-59889]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 05-19601]
-----------------------------------------------------------------------
Part III
Environmental Protection Agency
-----------------------------------------------------------------------
40 CFR Parts 3, 9, 51 et al.
Cross-Media Electronic Reporting; Final Rule
-----------------------------------------------------------------------
ENVIRONMENTAL PROTECTION AGENCY
40 CFR Parts 3, 9, 51, 60, 63, 69, 70, 71, 123, 142, 145, 162, 233,
257, 258, 271, 281, 403, 501, 745 and 763
[FRL-7977-1]
RIN 2025-AA07
Cross-Media Electronic Reporting
AGENCY: Environmental Protection Agency (EPA).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: EPA is establishing the framework by which it will accept
electronic reports from regulated entities in satisfaction of certain
document submission requirements in EPA's regulations. EPA will provide
public notice when the Agency is ready to receive direct submissions of
certain documents from regulated entities in electronic form consistent
with this rulemaking via an EPA electronic document receiving system.
This rule does not mandate that regulated entities utilize electronic
methods to submit documents in lieu of paper-based submissions. In
addition, EPA is not taking final action on the electronic
recordkeeping requirements at this time.
States, tribes, and local governments will be able to seek EPA
approval to accept electronic documents to satisfy reporting
requirements under environmental programs that EPA has delegated,
authorized, or approved them to administer. This rule includes
performance standards against which a state's, tribe's, or local
government's electronic document receiving system will be evaluated
before EPA will approve changes to the delegated, authorized, or
approved program to provide electronic reporting, and establishes a
streamlined process that states, tribes, and local governments can use
to seek and obtain such approvals.
DATES: This rule shall become effective January 11, 2006.
ADDRESSES: The public record for this rulemaking has been established
under docket number OEI-2003-0001 and is located in the EPA Docket
Center, (EPA/DC) EPA West, Room B102, 1301 Constitution Ave., NW.,
Washington, DC. The EPA Docket Center Public Reading Room is open from
8:30 a.m. to 4:30 p.m., Monday through Friday, excluding legal
holidays. (See SUPPLEMENTARY INFORMATION below.)
FOR FURTHER INFORMATION CONTACT: For general information on this final
rule, contact the docket above. For more detailed information on
specific aspects of this rulemaking, contact David Schwarz (2823T),
Office of Environmental Information, U.S. Environmental Protection
Agency, 1200 Pennsylvania Avenue, NW., Washington, DC 20460, (202) 566-1704,
schwarz.david@epa.gov, or Evi Huffer (2823T), Office of
Environmental Information, U.S. Environmental Protection Agency, 1200
Pennsylvania Avenue, NW., Washington, DC 20460, (202) 566-1697,
huffer.evi@epa.gov.
SUPPLEMENTARY INFORMATION:
General Information
A. Affected Entities
This rule will potentially affect states, tribes, and local
governments that have been delegated, authorized, or approved, or which
seek delegation, authorization, or approval to administer a federal
environmental program under Title 40 of the Code of Federal Regulations
(CFR). For purposes of this rulemaking, the term ``state'' includes the
District of Columbia and the United States territories, as specified in
the applicable statutes. That is, the term ``state'' includes the
District of Columbia, the Commonwealth of Puerto Rico, the Virgin
Islands, Guam, American Samoa, the Commonwealth of Northern Mariana
Islands, and the Trust Territory of the Pacific Islands, depending on
the statute.
The rule will also potentially affect private parties subject to
any requirements in Title 40 of the CFR that require a document to be
submitted to EPA. Affected Entities include, but are not necessarily
limited to:
------------------------------------------------------------------------
Category                      Examples of affected entities
------------------------------------------------------------------------
Local government              Publicly owned treatment works, owners and
                              operators of treatment works treating
                              domestic sewage, local and regional air
                              boards, local and regional waste management
                              authorities, and municipal and other
                              drinking water authorities.
Private                       Industry owners and operators, waste
                              transporters, privately owned treatment
                              works or other treatment works treating
                              domestic sewage, privately owned water
                              works, small businesses of various kinds,
                              sponsors such as laboratories that submit
                              or initiate/support studies, and testing
                              facilities that both initiate and conduct
                              studies.
Tribe and State governments   States, tribes or territories that
                              administer any federal environmental
                              programs delegated, authorized, or approved
                              by EPA under Title 40 of the CFR.
Federal government            Federally owned treatment works and
                              industrial dischargers, and federal
                              facilities subject to hazardous waste
                              regulation.
------------------------------------------------------------------------
This table is not intended to be exhaustive, but rather provides a
guide for readers regarding entities likely to be affected by this
action. This table lists the types of entities that EPA is now aware
can potentially be affected by this action. Other types of entities not
listed in the table can also be affected. If you have questions
regarding the applicability of this action to a particular entity,
consult the person listed in the preceding FOR FURTHER INFORMATION
CONTACT section.
B. How Can I Get Copies of This Document and Other Related Information?
1. Docket. EPA has established an official public docket for this
action under Docket ID No. OEI-2003-0001. The official public docket
consists of the documents specifically referenced in this action, any
public comments received, and other information related to this action.
Although a part of the official docket, the public docket does not
include Confidential Business Information (CBI) or other information
whose disclosure is restricted by statute. The official public docket
is the collection of materials that is available for public viewing at
the Cross-Media Electronic Reporting Rule (CROMERR) Docket in the EPA
Docket Center (EPA/DC), EPA West, Room B102, 1301 Constitution Ave.,
NW., Washington, DC. The EPA Docket Center Public Reading Room is open
from 8:30 a.m. to 4:30 p.m., Monday through Friday, excluding legal
holidays. The telephone number for the Public Reading Room is (202)
566-1744, and the telephone number for the Office of Environmental
Information Docket is (202) 566-1752. You may have to pay a reasonable
fee for copying.
An electronic version of the public docket is available through
EPA's
electronic public docket and comment system, EDOCKET. You may use
EDOCKET at http://www.epa.gov/edocket/ to view public comments, access
the index listing of the contents of the official public docket, and to
access those documents in the public docket that are available
electronically. Although not all docket materials may be available
electronically, you may still access any of the publicly available
docket materials. After selecting the ``Using EDOCKET'' icon, select
``quick search,'' then key in the appropriate docket identification
number. Double click on the document identification number to bring up
the docket contents.
2. Electronic Access. You may access this Federal Register document
electronically through the EPA Internet under the ``Federal Register''
listings at http://www.epa.gov/fedrgstr/.
Organization of This Document
Information in this Preamble is organized as follows:
I. Overview
A. Why does the Agency seek to provide electronic alternatives
to paper-based reporting and recordkeeping?
B. What does the electronic reporting rule do?
C. What is the status of the proposed electronic recordkeeping
provisions?
D. How were stakeholders consulted during the development of
today's final rule?
E. What alternatives to today's final rule did EPA consider?
II. Background
A. What has been EPA's electronic reporting policy?
B. How does today's final rule change EPA's electronic reporting
policy?
III. Scope of the Electronic Reporting Rule
A. Who may submit electronic documents?
B. Which documents can be filed electronically?
C. How does this final rule implement electronic reporting?
IV. Major Changes from Proposed Electronic Reporting Provisions
A. How does the rule streamline the approval of electronic
reporting under authorized state, tribe, and local government
programs?
1. Review of the proposal
2. Comments on the proposal
3. Revisions in the final rule
B. How has EPA revised the requirements that state, tribe, and
local government electronic reporting programs must satisfy?
1. Review of the proposal
2. Comments on the proposed criteria for electronic document
receiving systems
3. Revisions to the criteria in the final rule
C. How has EPA accommodated electronic submissions with follow-
on paper certifications?
D. How has EPA changed proposed definitions of terms?
1. Definition of ``acknowledgment''
2. Definition of ``electronic document''
3. Definition of ``electronic signature''
4. Definition of ``electronic signature device''
5. Definition of ``transmit''
6. Definition of ``valid electronic signature''
V. Requirements for Direct Electronic Reporting to EPA
A. What are the requirements for electronic reporting to EPA?
B. What is the status of existing electronic reporting to EPA?
C. What is EPA's Central Data Exchange?
1. Overview of general goals
2. Comments on the proposal
3. The aspects of CDX that have not changed since proposal
4. The major changes that EPA has made to CDX since proposal
D. How will EPA provide notice of changes to CDX?
VI. Requirements for Electronic Reporting under EPA-Authorized
Programs
A. What is the general regulatory approach?
B. When must authorized state, tribe, or local government
programs revise or modify their programs to allow electronic
reporting?
1. The general requirement
2. Deferred compliance for existing systems
C. What alternative procedures does EPA provide for revising or
modifying authorized state, tribe, or local government programs for
electronic reporting?
1. The application
2. Review for completeness
3. EPA actions on applications
4. Revisions or modifications associated with existing systems
5. Public hearings for Part 142 revisions or modifications
6. Re-submissions and amendments
D. What general requirements must state, tribe, and local
government electronic reporting programs satisfy?
E. What standards must state, tribe, and local government
electronic document receiving systems satisfy?
1. Timeliness of data generation
2. Copy of record
3. Integrity of the electronic document
4. Submission knowingly
5. Opportunity to review and repudiate copy of record
6. Validity of the electronic signature
7. Binding the signature to the document
8. Opportunity to review
9. Understanding the act of signing
10. The electronic signature or subscriber agreement
11. Acknowledgment of receipt
12. Determining the identity of the individual uniquely entitled
to use a signature device
VII. What are the Costs of Today's Rule?
A. Summary of proposal analysis
B. Final rule costs
C. General changes to methodology and assumptions
VIII. Statutory and Executive Order Reviews
A. Executive Order 12866
B. Executive Order 13132
C. Paperwork Reduction Act
D. Regulatory Flexibility Act
E. Unfunded Mandates Reform Act
F. National Technology Transfer and Advancement Act
G. Executive Order 13045
H. Executive Order 13175
I. Executive Order 13211 (Energy Effects)
J. Congressional Review Act
I. Overview
A. Why does the Agency seek to provide electronic alternatives to
paper-based reporting and recordkeeping?
In the Federal Register of August 31, 2001 (66 FR 46162), EPA
published a notice of proposed rulemaking, announcing the goal of
making electronic reporting and electronic recordkeeping available
under EPA regulatory programs. The Agency believes that the submission
and storage of electronic documents in lieu of paper documents can:
- Reduce the cost and burden of data transfer and
  maintenance for all parties to the data exchanges;
- Improve the data and the various business processes
  associated with its use in ways that may not be reflected directly in
  cost-reduction, e.g., through improvements in data quality, and the
  speed and convenience with which data may be transferred and used; and
- Maintain the level of corporate and individual
  responsibility and accountability for electronic reports and records
  that currently exists in the paper environment.
Recent federal policy and law are also strong drivers of electronic
alternatives to traditional reporting and recordkeeping. The Government
Paperwork Elimination Act (GPEA) of 1998, Title XVII of Public Law 105-277,
requires the Director of the Office of Management and Budget (OMB)
to ensure that executive agencies provide for the option of the
electronic maintenance, submission, or disclosure of information as a
substitute for paper when practicable, and for the use and acceptance
of electronic signatures, when practicable. See GPEA section 1704.
Given the enormous strides in data transfer and management
technologies, particularly in connection with the Internet, replacing
paper with electronic data transfer now promises increased productivity
across almost all facets of business and government.
In seeking to make electronic alternatives available that were not
contemplated when most existing EPA regulations were written, EPA was
mindful of the need to maintain our ability to carry out our statutory
environmental and health protection mission, in part through ensuring
the integrity of environmental compliance documents. Accordingly, the
intended
effect of the proposed regulation was to permit and encourage the use
of electronic technologies in a manner that is consistent with EPA's
overall mission and that preserves the integrity of the Agency's
compliance and enforcement activities.
The Agency believes that it is essential to ensure that electronic
reports can play the same role as their paper counterparts in providing
evidence of what was reported and of what the identified individuals
certified with respect to the report. Otherwise, electronic reporting
places at risk the continuing viability of self-monitoring and self-
reporting that provides the framework for compliance under most of our
environmental programs. The purpose of today's final rule is therefore
twofold. Today's rule is intended to provide regulated industry, EPA,
and state, tribe, and local governments with electronic reporting
alternatives that improve the efficiency, the speed, and the quality of
regulatory reporting. At the same time, the rule is intended to ensure
the legal dependability of electronic documents submitted under
environmental programs. This includes, among other things, ensuring
that individuals will be held as responsible and accountable for the
electronic signatures they execute, and for the documents to
which such signatures attest, as they currently are for
documents on which they execute handwritten signatures.
B. What does the electronic reporting rule do?
EPA is announcing today the final regulatory provisions in a new
part 3 of Title 40 of the CFR for electronic reporting to EPA and under
authorized state, tribe, and local government programs. ``Authorized
program'' is shorthand for a federal program that EPA has delegated,
authorized, or approved a state, tribe or local government to
administer under other provisions of title 40 of the CFR, where the
delegation, authorization, or approval has not been withdrawn or
expired. Section 3.3 of the rule codifies this usage in the regulatory
text. This use of ``authorized'' does not mean that EPA is precluded
from an enforcement action by a prior enforcement action being taken by
a state, tribe, or local government under its authorized program. The
final rule incorporates changes made after publication of the proposed
rule that are discussed in detail in section IV of this Preamble. This
rule establishes electronic reporting as an acceptable regulatory
alternative across a broad spectrum of EPA programs, and establishes
requirements to assure that electronic documents are as legally
dependable as their paper counterparts.
The requirements in Subpart B of the rule apply to entities that
choose to submit electronic documents for direct reporting to EPA,
including state, tribe, and local government facilities that choose to
submit electronic documents to EPA to satisfy requirements that apply
to them under other provisions of title 40 of the CFR. However, the
scope of this final rule excludes any data transfers between EPA and
states, tribes, or local governments as a part of their authorized
programs or as a part of administrative arrangements between states,
tribes, or local governments and EPA to share data. The requirements in
Subpart D of the rule provide for electronic reporting under authorized
state, tribe, and local government programs and apply to the
governmental entities administering the authorized programs. Under the
final rule, states, tribes, and local governments have the choice of
using electronic submission rather than paper for reporting under their
authorized programs. Comments on the proposed rule indicated that some
states and local governments are now requiring electronic reporting
under those programs. Existing electronic document receiving systems
must receive EPA approval in accordance with Subpart D in order to meet
the requirements of part 3.
This rule does not require that any document be submitted
electronically, and it does not require any state, tribe, or local
authorized program to receive electronic documents. Public access to
environmental compliance information is not affected by today's action.
Additionally, the scope of the final rule specifically excludes the
submission of any electronic document via magnetic or optical media--
for example via diskette, compact disk (CD), digital video disc (DVD),
or tape--as well as the transmission of documents via hard copy
facsimile or ``fax.'' The exclusion of magnetic or optical media
submissions from the scope of this rule in no way indicates EPA's
rejection of these technologies as a valid approach to paperless
reporting. Magnetic and optical media submissions fulfill the goal of
providing alternatives to submission on paper. EPA has already
successfully implemented a paperless reporting alternative that
utilizes magnetic and optical media submissions to fulfill many
regulatory reporting requirements. Such instances include reporting
related to the hazardous waste, Toxic Release Inventory, and pesticide
registration programs. EPA expects these magnetic and optical media
approaches to paperless reporting to continue, and nothing in today's
rule should be interpreted to proscribe or discourage them.
For entities that report to EPA directly and do so by submitting
electronic documents, today's action requires that these documents be
submitted either to the Agency's centralized electronic document
receiving system, called the ``Central Data Exchange'' (CDX), or to
alternative systems designated by the Administrator as described herein
and in a separate Federal Register notice. Entities that submit
electronic documents directly to EPA will satisfy the requirements in
today's rule by successfully submitting their reports to one of these
systems. While we do not intend to codify any of the details of how CDX
operates or how it is constructed, the characteristics of the CDX and
the submission scenarios are described later in this Preamble. In
addition, the CDX design specifications are included as a part of this
rulemaking docket.
Many facilities submit documents directly to states, tribes, or
local governments under authorized programs. For currently authorized
programs that receive or wish to begin receiving electronic documents
in lieu of paper, this rule requires EPA approval of program revisions
or modifications that address their electronic reporting
implementations. For programs initially seeking authorization, this
rule requires EPA approval of any electronic reporting components of
the programs. In both cases, EPA approval will be based largely on an
assessment of the program's ``electronic document receiving system''
that is or will be used to implement electronic reporting. For this
purpose, this rule includes performance-based standards that EPA will
use to determine that an electronic document receiving system is
acceptable. To implement electronic reporting under currently
authorized programs, EPA is creating a streamlined procedure that
states, tribes, and local governments may use to revise or modify their
authorized programs to incorporate electronic reporting. Today's
rulemaking also includes special provisions for authorized programs'
electronic document receiving systems that exist at the time of
publication of this final rule.
It is worth noting that EPA can approve changes to authorized
state, tribe, or local programs that involve the use of CDX to receive
data submissions from their reporting communities, and EPA is exploring
opportunities to
leverage CDX resources for use by states, tribes, and local
governments. As currently implemented, CDX provides the major systems
infrastructure components necessary to achieve electronic reporting
consistent with the standards in this rule for assessing state, tribe,
or local government electronic document receiving systems.
Additionally, EPA has set the goal of making CDX operations fully
consistent with the requirements in today's rule within two years.
While today's rule establishes electronic reporting as a regulatory
alternative, EPA will make the electronic submission alternative
available for specific reports or other documents only as EPA announces
its readiness to receive them through CDX or another designated system.
EPA will publish announcements in the Federal Register as CDX and other
systems become available for particular environmental reports. These
elements are discussed in more detail in section V of this Preamble.
In a notice published concurrently with today's rule, EPA clarifies
the status of electronic reporting directly to EPA systems that exist
as of the rule's publication date. In accordance with 40 CFR 3.10, EPA
is designating for the receipt of electronic submissions, all EPA
electronic document receiving systems currently existing and receiving
electronic reports as of the date of the notice. This designation is
valid for a period of up to two years from the date of publication of
the notice. During this two-year period, entities that report directly
to EPA may continue to satisfy EPA reporting requirements by reporting
to the same systems as they did prior to CROMERR's publication unless
EPA publishes a notice that announces changes to, or migration from,
that system. Any existing system continuing to receive electronic
reports at the expiration of this two-year period must receive
redesignation by the Administrator under Sec. 3.10. Notice of such
redesignation will be published in the Federal Register.
C. What is the status of the proposed electronic recordkeeping
provisions?
At this time, EPA is only finalizing the provisions for electronic
reporting to EPA and under authorized programs. The August 31, 2001,
proposal, however, also addressed records that EPA or authorized
programs require entities to maintain under any of the environmental
programs governed by Title 40 of the CFR or related state, tribe, and
local laws and regulations. For such records, EPA proposed specific
provisions for administering the maintenance of electronic records
under these environmental regulations. EPA proposed criteria under
which the Agency would consider electronic records to be trustworthy,
reliable, and generally equivalent to paper records in satisfying
regulatory requirements. For entities that choose to keep records
electronically, the proposal would have required the adoption of best
practices for electronic records management. For facilities maintaining
records to satisfy the requirements of authorized programs, the
proposal would have allowed for EPA approval of changes to the
authorized programs to provide for electronic recordkeeping. Under the
proposal, approval would have been based on a determination that the
authorized program would require best practices for electronic records
management, corresponding to EPA's provisions for electronic records
maintained to satisfy EPA recordkeeping requirements.
Further, EPA proposed that once the rule took effect, any records
subject to the rule that were maintained to satisfy the requirements of
EPA programs could only be maintained electronically after EPA
announced in the Federal Register that EPA was ready to allow
electronic records maintenance to satisfy the specified recordkeeping
requirements. Also under the proposal, records maintained under an
authorized state, tribe, or local government program could only be
maintained electronically once EPA had approved the necessary changes
to the authorized program.
Based on the comments received on the proposed electronic
recordkeeping provisions, EPA reconsidered its approach to electronic
recordkeeping and is not issuing final recordkeeping rules at this
time. The Agency is conducting additional analysis and intends to
publish a supplemental notice or re-proposal to solicit additional
comments before a final rule on electronic recordkeeping is issued. We
will be reviewing provisions related to the methods used to ensure
accuracy, accessibility and the ability to detect alterations of
records stored electronically, as well as other possible controls for
electronic recordkeeping. The Agency intends to utilize this review to
engage states, tribes, local governments, and industry in meaningful
consultation to ensure that the EPA has the best available information
on which to base its decisions. In conjunction with these
consultations--and before issuing any notice or re-proposal--EPA will
conduct additional analysis on the costs and benefits of alternative
approaches, and the technical feasibility of various options, with a
focus on impacts to small businesses. Today's rule does not authorize
the conversion of existing paper documents retained to comply with
existing recordkeeping requirements under other provisions of Title 40
of the CFR to an electronic format for record-retention purposes.
D. How were stakeholders consulted during the development of today's
final rule?
This final rule reflects more than ten years of interaction with
stakeholders that included states, tribes, and local governments,
industry groups, environmental non-government organizations, national
standard setting committees, and other federal agencies. As detailed in
the proposal, many of our most significant interactions involved
electronic reporting pilot projects conducted with state agency
partners, including the States of Pennsylvania, New York, Arizona, and
several others. In May, 1997, work began with approximately 35 states
on the State Electronic Commerce/Electronic Data Interchange Steering
Committee (SEES) convened by the National Governors' Association (NGA)
Center for Best Practices (CBP). Also, EPA sponsored a series of
conferences and meetings, beginning in June, 1999, with the explicit
purpose of seeking stakeholder advice before drafting the proposal.
Reports of these conferences and meetings are available in the docket
for this rulemaking, along with the product of the SEES effort, a
document entitled, ``A State Guide for Electronic Reporting of
Environmental Data,'' and reports on some of the more recent state/EPA
electronic reporting pilots.
For the proposal, EPA provided a 6-month public comment period,
which closed on February 27, 2002. During that time, we received 184
sets of written comments on the proposed rule. The commenters
represented a broad spectrum of interested parties: States, local
governments, specific businesses, trade associations, and other federal
agencies. Substantive changes to the electronic reporting provisions
based on public comments are discussed in detail in section IV of this
Preamble. In addition, EPA received comments at four public meetings
held around the country and at two meetings with states held in
Washington, DC. The comments and meeting summaries can be found in the
docket to this rulemaking. Today's final rule reflects many of the
comments and concerns raised by commenters on the proposal. (A complete
discussion of the options considered by EPA and other background
information on the Agency's policy on electronic reporting
can be found in the proposed rule.) The majority of comments focused on
the costs and burden of the proposed Subpart D electronic recordkeeping
provisions. EPA's response to public comments to the proposal can be
found in the rulemaking docket, in the Response to Comments document.
E. What alternatives to today's final rule did EPA consider?
EPA considered both a more stringent and a less stringent
alternative to the regulatory approach taken in this rule. The more
stringent alternative is reflected in the electronic provisions
published August 31, 2001, in the Notice of Proposed Rulemaking for
CROMERR. The proposed version of CROMERR was more stringent by virtue
of setting much more prescriptive, detailed requirements that
electronic document receiving systems would have to satisfy. For
example:
- Proposed Sec. 3.2000(d) contained very specific
  requirements for submitter identity management that a system would have
  to satisfy, including detailed requirements for renewal of registration
  and revocation of registration under specified circumstances;
- Proposed Sec. 3.2000(e) contained very detailed
  requirements for the signature/certification scenario that a system
  would have to provide for, specifying the exact sequence of steps to be
  followed in electronically signing a submission, and requiring such
  features as on-screen, scroll-through presentation of the data to be
  submitted for review of the signatory prior to signing.
EPA received significant public comment on this approach, both from
states and from regulated companies, and there were at least three
closely related themes. The first was that such prescriptive
requirements would greatly limit the flexibility of states to implement
electronic reporting in a cost-effective way. The second theme was that
many of the requirements--especially those specifying the signature/
certification scenario--were not appropriate to many cases where
electronic reporting would occur. Third and finally, many of these
commenters expressed skepticism that these very detailed requirements
represented the only possible approach to ensuring the legal
dependability of electronic submissions and signatures. These themes
are discussed in detail in section IV.B of this Preamble.
EPA also considered a less stringent alternative that would have
refrained from specifying requirements to establish the identity of an
individual to whom a signature device or credential (e.g., a PIN,
password, or PKI certificate) is issued. This less stringent
alternative would have omitted the provision for identity-proofing in
the final Sec. 3.2000(b)(5)(vii). In terms of regulatory impact, this
would be a significant reduction in stringency. Most of the burden on
regulated entities imposed by today's rule is associated with the
registration process involved in obtaining a signature device or
credential, and any requirement to establish the registrant's identity
raises the aggregate burden substantially.
EPA rejected this less stringent alternative, because we believe
that it would seriously undermine the rule's ability to assure the
legal dependability of electronic submissions. It is a basic principle
of electronic authentication (E-authentication) that individuals being
authenticated are who they say they are. E-authentication depends
critically on the degree of trust we can place in the credential the
individual presents, and such trust depends heavily on the process of
establishing the individual's identity (or ``identity-proofing'') when
he or she first registers for the credential. If the identity-proofing
process is not sufficiently stringent and credible, then it may be
uncertain who is using the credential in a specific instance where it
is presented. Where the credential is used to create an electronic
signature, inadequate identity-proofing may create uncertainty as to
who the signatory is; as a result, the signature may be rendered
undependable for any legal purpose. Accordingly, EPA believes that,
notwithstanding the cost, it is necessary to specify that identity-
proofing be conducted. The Sec. 3.2000(b)(5)(vii) identity-proofing
requirement is explained in detail in section VI.E.12 of this Preamble.
II. Background
A. What has been EPA's electronic reporting policy?
On September 4, 1996, EPA published a document entitled ``Notice of
Agency's General Policy for Accepting Filing of Environmental Reports
via Electronic Data Interchange (EDI)'' (61 FR 46684) (hereinafter
referred to as `the 1996 Policy'), where ``EDI'' generally refers to
the transmission, in a standard syntax, of unambiguous information
between computers of organizations that may be completely external to
each other. This notice announced EPA's basic policy for accepting
electronically submitted environmental reports, and its scope was
intended to include any regulatory, compliance, or informational
(voluntary) reporting to EPA via EDI.
For purposes of the 1996 policy, the standard transmission formats
used by EPA were to be based on the EDI standards developed and
maintained by the American National Standards Institute (ANSI)
Accredited Standards Committee (ASC) X12. By linking our approach to
the ANSI X12 standards, we hoped to take advantage of the robust ANSI-
based EDI infrastructure already in place for commercial transactions,
including a wide array of commercial off-the-shelf (COTS) software
packages and communications network services, and a growing industry
community of EDI experts available both to EPA and to the regulated
community. At the time EPA was writing this policy, ANSI-based EDI was
arguably the dominant mode of electronic commerce across almost all
business sectors, from aerospace to wood products, at least in the
United States. (A complete discussion of EPA's 1996 policy can be found
in the preamble to the proposed rule.)
With this final rule, EPA is making changes to the 1996 policy for
three primary reasons. First, and most important, the technology
environment has changed substantially since the 1996 policy was
written. Web-based electronic commerce and public key infrastructure
(PKI) are two examples. While both were available and in use for some
purposes in 1996, they had not yet achieved the level of acceptance and
use that they enjoy today. We could not have anticipated in 1996 that
this evolution would occur as rapidly as it has. Clearly, these
developments require that we extend our approach to electronic
reporting beyond EDI and Personal Identification Numbers (PINs). In
addition, they teach us that it is generally unwise to base regulatory
requirements on the existing information technology environment or on
assumptions about the speed and direction of technological evolution.
Second, we believe that technology-specific provisions would be
very complex and unwieldy. The resulting regulation would likely place
unacceptable burdens on regulated entities trying to understand and
comply.
Third, and finally, an electronic reporting architecture that makes
a centralized EPA or state system the platform for such functions as
electronic signature/certification is now quite viable--and quite
consistent with the standard practices of Web-based electronic
commerce. Given the state of technology six years ago, we could not
[[Page 59853]]
have considered this approach in the 1996 policy.
B. How does today's final rule change EPA's electronic reporting
policy?
For practical purposes, the most important change that today's rule
makes is in our technical approach to electronic reporting. In contrast
to the 1996 policy, today's rule does not generally specify or limit
the range of allowable electronic submission technologies and formats.
Under today's rule, compliant electronic reporting approaches can
include user-friendly `smart' electronic forms to be completed on-line
or downloaded for completion off-line at the user's personal computer,
as well as data transfers via the Internet or secure email in a variety
of standard and common off-the-shelf, application-based formats.
Similarly, in terms of electronic signature technology, the rule allows
for a range of approaches, including various implementations of PINs
and passwords, the use of private or personal information, digital
signatures based on PKI certificates, and other signature technologies
as they become viable for our applications. As EPA or authorized
programs implement electronic submission for specific reports, the rule
allows them to select one or more of the available submission and
signature approaches according to their circumstances and the program-
specific requirements.
EPA's goals are to make this electronic reporting alternative as
simple, attractive and cost-effective as possible for reporting
entities, while ensuring that electronically submitted documents are as
legally dependable as their paper counterparts. We believe that today's
rule achieves these goals, but--unlike the 1996 policy--without
requiring specific technologies or setting detailed procedural steps
for the submission of electronic documents. Our strategy--as initially
set out in the August 31, 2001, notice of proposed rulemaking, and as
finalized today--is to impose as few specific requirements as possible
on reporting entities, and to generally keep requirements neutral with
respect to technology. As a consequence, today's rule enables EPA, the
states, tribes, and local governments to offer regulated companies
diverse approaches to electronic reporting that can be tailored to
their technical capabilities and to the level of automation they wish
to achieve. In addition, the strategy gives EPA, the states, tribes,
and local governments the flexibility to adapt electronic reporting
systems to evolving technologies without requiring that regulations be
amended with each technological innovation.
However, this regulatory strategy does not mean abandoning any
control over how electronic documents are submitted. In place of
specific technologies or detailed procedural steps, today's rule
requires that electronic submissions be made to CDX or other designated
EPA systems, or to state, tribe, or local government systems that are
determined to satisfy a certain specified set of technology-neutral
performance standards. As a practical matter, the use of these systems
(e.g., CDX or others that meet the specified performance standards)
will involve submission procedures that we believe are sufficient to
ensure the legal dependability of electronic reports so that they meet
the needs of our compliance and enforcement programs. In addition,
while the specified performance standards may be technology-neutral,
agency electronic reporting systems that implement the standards will
incorporate suites of very specific technologies that will further
determine the process for actual electronic submission. Sections V.B
and V.C of this Preamble describe these requirements and the associated
technologies in some detail for the case of reporting directly to EPA
via CDX.
III. Scope of the Electronic Reporting Rule
EPA is today promulgating a new Part 3 in Title 40 of the CFR. The
new Part applies to all persons who submit reports or other documents
to EPA under Title 40, and to state, tribe, and local programs that
administer or seek to administer authorized programs under Title 40.
The new part 3 does not address contracts, grants or financial
management regulations contained in Title 48 of the CFR.
A. Who may submit electronic documents?
Any entity that submits documents addressed in this rule (see
section III.B., below) directly to EPA can submit them electronically
as soon as EPA announces that CDX or a designated alternative system is
ready to receive these reports. (See section V of this Preamble for a
discussion on requirements for electronic reporting to EPA, and section
V.B for a discussion of the status of electronic reporting directly to
EPA systems that exist as of the rule's publication date.) Under this
rule, the affected entities may elect to utilize the electronic
reporting alternative. These entities are not required by this final
rule to report electronically; however, they may be required to report
electronically under other Title 40 regulations, and nothing in today's
rule limits EPA's ability to require electronic reporting under other
parts of Title 40.
In general, entities may submit documents electronically as
provided for under authorized state, tribe, or local government
programs. Nothing in this rule prohibits state, tribe, or local
governments from requiring electronic reporting under applicable state,
tribe, or local law.
B. Which documents can be filed electronically?
This rule addresses document submissions required by or permitted
under any EPA or authorized state, tribe, or local program governed by
EPA's regulations in Title 40 of the CFR. Nonetheless, EPA will need
time to develop the hardware and software components required for each
individual type of document. Similarly, states, tribes, and local
governments will need time to evaluate their electronic document
receiving systems to ensure that they meet the standards promulgated in
today's final rule. Accordingly, once this rule takes effect, specific
documents submitted directly to EPA that are not already being
submitted electronically to existing EPA systems can only be submitted
electronically after EPA announces in the Federal Register that CDX or
an alternative system is ready to receive those specific documents.
(See section V.B of this Preamble for a discussion of the status of
electronic reporting directly to EPA systems that exist as of the
rule's publication date.) Documents may be submitted electronically
under the provisions of an authorized state, tribe, or local program.
C. How does this final rule implement electronic reporting?
The new 40 CFR part 3 consists of four (4) Subparts. Subpart A
provides that any requirement in Title 40 to submit a report directly
to EPA can be satisfied with an electronic submission that meets
certain conditions (specified in Subpart B) once the Agency publishes a
notice that electronic document submission is available for that
requirement. Subpart A also provides that electronic reporting can be
made available under EPA-authorized state, tribe, or local
environmental programs. In addition, Subpart A makes clear: (1) that
electronic document submission, while permissible under the terms of
this rule, is not required by any provision of this rule; and (2) that
this rule confers no right or privilege to submit data electronically
and does not obligate EPA or states, tribes, or local
[[Page 59854]]
agencies to accept electronic data. Subpart A also contains key
definitions and discusses compliance and enforcement.
Subpart B sets forth the general requirements for acceptable
electronic documents submitted to EPA. It provides that electronic
documents must be submitted either to CDX or to other EPA designated
systems. It also includes general requirements for electronic
signatures. The requirements in Subpart B apply to entities that submit
electronic documents for direct reporting to EPA, including states,
tribes, and local governments that submit electronic documents to EPA
to satisfy requirements that apply to them under Title 40 of the CFR.
Subpart B does not apply to any data transfers between EPA and states,
tribes, or local governments as a part of their authorized programs or
as a part of administrative arrangements between states, tribes, or
local governments and EPA to share data. Additionally, Subpart B does
not apply to the submission of any electronic document via magnetic or
optical media--for example via diskette, compact disk, or tape--or to
the transmission of documents via hard copy facsimile or ``fax.''
Subpart C is reserved for future EPA electronic recordkeeping
requirements.
Finally, Subpart D sets forth the process and standards for EPA
approval of changes to authorized state, tribe, and local environmental
programs to allow electronic reporting to satisfy requirements under
these programs. Again, for purposes of Subpart D, ``electronic
reporting'' entails submission via telecommunications, and Subpart D
requirements do not apply in cases of submission via magnetic or
optical media or hard copy ``fax.'' With respect to electronic
reporting, Subpart D includes simplified performance-based standards
for acceptable state, tribe, or local agency electronic document
receiving systems against which EPA will assess authorized program
electronic reporting elements. It also provides a streamlined process
for approving applications for revisions to authorized programs for
electronic reporting.
Given the provisions of Subpart A, a regulated entity wishing to
determine whether electronic reporting directly to EPA was available
under some specific regulation will have to verify that EPA has
published a Federal Register notice announcing its availability and
will have to locate any additional provisions or instructions governing
the electronic alternative for the particular reporting requirement. To
facilitate this determination, EPA intends to maintain an easily
accessed list of EPA reports for which electronic reporting has been
implemented--cross-referencing the applicable Federal Register
notices--on the Exchange Network and Grants webpage at
www.epa.gov/exchangenetwork.
IV. Major Changes From Proposed Electronic Reporting Provisions
A. How does the rule streamline the approval of electronic reporting
under authorized state, tribe, and local government programs?
1. Review of the proposal. EPA proposed that states, tribes, and
local governmental entities would use the procedures for program
revision or modification provided in existing program-specific
regulations governing state, tribe, or local authorized programs.
In the Preamble to the proposed rule, we noted that our approach
raised certain administrative concerns, especially in cases where a
governmental entity wished to use a single system to accept electronic
submissions across a number of authorized programs, corresponding to
EPA's use of CDX to receive reports across EPA programs. To receive EPA
approval for such implementations, the governmental entity would have
to apply for revision or modification under each authorized program
affected, using procedures that might vary substantially from program
to program. While these procedures might vary, each substantive review
would still refer to the same proposed part 3 criteria, and--in the
case of a single system implementation--would apply these criteria to
the same system. EPA intended this approach to facilitate an
administrative streamlining of the approval process, by allowing a
single EPA review of all cross-program applications associated with a
particular electronic document receiving system, which would enable EPA
to make a single decision to approve or disapprove all the associated
applications. While this approach would not eliminate multiple
applications, it would at least simplify the interactions between the
applicant and EPA during substantive review, and would speed EPA action
on the applications themselves.
EPA also considered more radical streamlining alternatives,
including a centralized approval process provided for by regulation,
and the proposal requested comment on whether any of these alternatives
would be preferable to the administrative approach to streamlining.
2. Comments on the proposal. In comments on the provisions for
electronic reporting under authorized programs, a recurring theme was
the complexity of the proposed requirements for EPA approval of program
revisions or modifications to allow electronic reporting. The comments
in many cases seemed directed equally to the approval process and to
the proposed criteria for approval. Comments on the criteria are
discussed in more detail in section IV.B.2 of this Preamble.
As for the comments that clearly addressed the process, there were
two major concerns. The first was that the process, due to the various
current program authorization regulations, is inherently complicated,
time-consuming and resource-intensive. In a few cases, commenters noted
the particular worry that having to seek EPA approval for each program
implementing electronic reporting would be especially burdensome, and
that EPA's proposed approach of streamlining the internal review
component of the program revision process would be of little help.
The second concern was the impact of the rule on electronic
reporting that was already underway. Commenters noted that many
authorized programs are already accepting electronic submissions, or
would be by the time the final rule is published, and they worried
about the timing of the requirement that the electronic document
receiving systems they use for this purpose be approved by EPA under
associated program revision or modification procedures. Under the
proposed provisions, such systems would have to be EPA-approved as soon
as the rule became effective, which was not practicable. Given the need
to address the criteria for approval, such applications could only be
initiated once the rule was finalized, and they might take months to
complete and get approved, or substantially longer in cases where the
revision or modification required state legislative or regulatory
changes. During the months or years that the revision or modification
was in process, the authorized program would either have to shut down
their electronic document receiving systems or, of necessity, operate
them out of compliance with the rule. Commenters were particularly
concerned with the disruptive impacts of having to shut these systems
down. They pointed out that reversion to paper-based submissions in
such cases may be difficult and expensive, both for the agencies and
for the submitting entities that are affected, and that resuming
[[Page 59855]]
system operation after a long hiatus may require resources more
typically associated with system start-up. Additional comments on
program revision or modification and EPA's responses can be found in
the rulemaking docket, in the Response to Comments document.
3. Revisions in the final rule. To address the concern that the
proposed program revision or modification to accommodate electronic
reporting was too complicated and burdensome, the final rule provides
streamlined procedures for adding electronic reporting to existing
authorized programs. These are optional procedures that a state, tribe,
or local government may use if it chooses, in place of the applicable
program-specific procedures, to seek EPA approval for revisions or
modifications that provide for electronic reporting. EPA believes that
in most cases these optional procedures will be substantially simpler
and quicker than their program-specific alternatives. These new
procedures are discussed in detail in section VI.C of this Preamble.
To address the concern that the required program revisions or
modifications may disrupt authorized programs that already have
electronic reporting underway, the final rule provides for a two-year
delayed compliance date--in effect, a two-year ``grace period''--before
such programs have to submit their applications for revision or
modification. Programs will be allowed this grace period where they
have systems that fit the definition of ``existing electronic document
receiving system,'' explained in section VI.B.2 of this Preamble. In
addition, these provisions allow the grace period to be extended, on a
case-by-case basis, where an authorized program may need to wait for
legislative or regulatory changes before a complete application can be
submitted.
B. How has EPA revised the requirements that state, tribe, and local
government electronic reporting programs must satisfy?
1. Review of the proposal. EPA proposed a detailed set of criteria
that would have to be met by any system that is used to receive
electronic documents submitted to satisfy document submission
requirements under any EPA-authorized state, tribe, or local
environmental program. The proposed criteria addressed the capabilities
that EPA believed a state, tribe, or local government's electronic
document receiving system must have regarding six function-specific
categories: (1) System security, (2) electronic signature method, (3)
submitter registration, (4) signature/certification scenario, (5)
transaction record, and (6) system archives.
These criteria were based upon EPA's consideration of the roles
that many electronically submitted documents will likely play in
environmental program management, including compliance monitoring and
enforcement, and the need to ensure that such roles were not
compromised by the transition from paper to electronic submission. In
many respects electronic submission enhances a document's utility for
environmental programs: it significantly reduces the resources and time
involved in making the content available to its users, and can greatly
facilitate data quality assurance and analysis. Nonetheless, electronic
submissions may also be open to challenge, primarily with respect to
their authenticity, and particularly where they are used to establish
the actions and intentions of the submitters. We normally consider such
uses in the case of environmental reporting, especially where
electronic submissions are made to report on an entity's compliance
status and where the submission includes a responsible individual's
certification to the truth of what is reported. For such cases, EPA
identified a programmatic need to be able to authenticate the
submission content and the certification--for example, to be able to
address issues of fraud or false reporting where they arise--and it is
primarily this need that was addressed by the six proposed criteria.
The point of the proposal's six function-specific categories was to
ensure the authenticity of electronic documents submitted in lieu of
paper reports, so that they will be able to play the same role as their
paper counterparts in providing evidence of what was reported and to
what an identified individual certified with respect to the report. For
example, in the case of paper submissions, the evidence surrounding a
handwritten signature is normally sufficient to demonstrate that the
signature is authentic and rebut any attempt by the signatory to
repudiate it, and EPA intends the standards in today's rule to provide
evidence for electronic signatures that has a corresponding level of
non-repudiation. Since these evidentiary issues typically arise in the
context of judicial or other legal proceedings, electronic documents
need the same ``legal dependability'' as their paper counterparts. The
over-arching standard in the concept of ``legal dependability'' is that
any electronic document that may be used as evidence to prosecute an
environmental crime or to enforce against a civil violation should have
no less evidentiary value than its paper equivalent. For example, where
there is a question of deliberate falsification of compliance data, it
must be possible to establish the signatory's identity beyond a
reasonable doubt no matter whether the submission was electronic or
paper.
A seventh, more general proposed criterion, entitled ``Validity of
Data,'' addressed the standard of legal dependability directly. The
idea, in general, was that a system used to receive electronic
documents must be capable of reliably generating evidence for use in
private litigation, in civil enforcement proceedings, and in criminal
proceedings in which the standard for conviction is proof beyond a
reasonable doubt that the electronic document was actually signed by
the individual identified as the signatory and that the data it
contains was not submitted in error. The six more detailed, function-
specific criteria represented the requirements for satisfying this more
general ``Validity of Data'' criterion. Taken together, the seven
proposed criteria were intended to ensure the legal dependability of
electronically submitted documents by providing:
Standards for valid electronic signatures and authentic
electronic documents to be admitted as evidence in a judicial
proceeding;
Assurance that electronic documents can be authenticated
to provide evidence of what an individual submitted and/or attested to;
and
Assurance that electronic signatures resist repudiation by
the signatory.
By providing for these and other facets of an electronic document's
legal dependability, proposed CROMERR was intended to preserve the
ability of EPA and its authorized programs to hold individuals
accountable when they certify, attest or agree to the content of
compliance reports under environmental laws and statutes. By the same
token, proposed CROMERR was also intended to ensure that EPA and its
authorized programs will have the documentary evidence they need to
bring actionable cases of false or fraudulent reporting into court.
2. Comments on the proposed criteria for electronic document
receiving systems. EPA received a substantial number of comments on the
proposed criteria for state, tribe, and local electronic document
receiving systems, both in written submissions and at meetings with the
public and with state and local government officials. While a
[[Page 59856]]
few of these comments questioned the ``Validity of Data'' criterion,
the great majority dealt with the detailed function-specific criteria.
There were at least three recurring and closely related themes. First,
the criteria were too prescriptive and inflexible, and would prevent
state, tribe, and local agencies from adapting their electronic
reporting approaches to their needs and changing circumstances, and
foreclose new and creative ways to achieve legal dependability. Second,
the criteria would make electronic reporting unnecessarily complex,
costly, and burdensome. Third, while the criteria might be appropriate
for some cases, the ``one size fits all'' approach was not workable for
all reports in all programs.
Commenters tended to associate these three themes with certain
misperceptions about the proposed requirements for signature method and
the signature/certification scenario. Concerning signature method, a
common concern was that the criteria would require states to implement
PKI-based digital signatures. Commenters generally appear to have
inferred this from proposed Sec. 3.2000(c) Electronic Signature
Method, together with EPA's own choice of PKI for some submissions to
CDX, as discussed in the Preamble. Whatever EPA's plans for CDX, state,
tribe, and local government systems do not have to conform to the CDX
model. Implementing a particular system of necessity requires the
choice of specific technologies. To make those choices does not imply
that these are the only possible choices that would satisfy whatever
requirements the rule places on electronic reporting systems.
Concerning Sec. 3.2000(c), commenters tended to focus on paragraph (5)
of this section, which stated that the signature method had to ensure
``that it is impossible to modify an electronic document without
detection once the electronic signature has been affixed.'' EPA did not
intend for this provision to establish PKI-digital signature as the
required signature method. Given current technology, approaches to
satisfying the Sec. 3.2000(c)(5) requirement frequently involve the
computation of a number--called a ``hash''--that has a unique relation
to the content of the electronic document such that any change to the
document content would change the computed hash. Given the hash, the
associated document can be confirmed as unmodified at any time by
calculating a new hash and showing that the new and original hashes are
identical. Using such a hash-based approach, it is important to ensure
that the hash has been secured from tampering, and encryption is
probably the most straightforward way to do this. Encryption can be
accomplished in a number of ways. Approaches include PKI-based digital
signature, digital signature where the asymmetric key-pair is not
associated with a PKI certificate, and various forms of symmetric-key
cryptography. Additionally, it may be possible to avoid cryptography
altogether by storing the hash value in a system with appropriately
controlled access. Thus, a solution using PKI-based digital signatures
represents only one among a number of possible approaches to satisfying
the proposed Sec. 3.2000(c)(5) requirement.
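The hash-based approach described above, as an added example that is not
part of the rule and not EPA's or CDX's implementation. It assumes SHA-256
as the hash and uses an HMAC (a keyed tag, standing in for the symmetric-key
option the text mentions) to secure it; the function names, the
WriteOnceHashStore class, and the sample report are constructed for
illustration.

```python
import hashlib
import hmac
import secrets


def sha256_hex(content: bytes) -> str:
    """Hash with a unique relation to the content: any change alters it."""
    return hashlib.sha256(content).hexdigest()


def seal(content: bytes, key: bytes) -> dict:
    """Record made when the signature is affixed: the hash plus a keyed tag over it."""
    digest = sha256_hex(content)
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "hmac_sha256": tag}


def verify_bare(content: bytes, record: dict) -> bool:
    """Compare new and original hashes; trusts whatever hash the record holds."""
    return hmac.compare_digest(sha256_hex(content), record["sha256"])


def verify_sealed(content: bytes, record: dict, key: bytes) -> bool:
    """Recompute the hash, then check the keyed tag that only the key holder can make."""
    digest = sha256_hex(content)
    expected = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["hmac_sha256"])


class WriteOnceHashStore:
    """Non-cryptographic option: hashes held where a stored value cannot be replaced."""

    def __init__(self) -> None:
        self._hashes: dict[str, str] = {}

    def register(self, submission_id: str, content: bytes) -> None:
        if submission_id in self._hashes:
            raise PermissionError("hash already registered; overwrite refused")
        self._hashes[submission_id] = sha256_hex(content)

    def verify(self, submission_id: str, content: bytes) -> bool:
        return hmac.compare_digest(self._hashes[submission_id], sha256_hex(content))


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)  # assumption: held by the receiving system only
    # Constructed sample documents, not real submissions.
    original = b"Facility 0000 (constructed sample): monthly discharge 4.2 mg/L\n"
    altered = b"Facility 0000 (constructed sample): monthly discharge 1.2 mg/L\n"

    record = seal(original, key)
    store = WriteOnceHashStore()
    store.register("sub-001", original)

    # A record whose bare hash was replaced to match the altered document.
    # Without the key, the tag cannot be recomputed to match.
    replaced = dict(record, sha256=sha256_hex(altered))

    try:
        store.register("sub-001", altered)
        overwrite_refused = False
    except PermissionError:
        overwrite_refused = True

    return {
        "unmodified_verifies": (
            verify_bare(original, record)
            and verify_sealed(original, record, key)
            and store.verify("sub-001", original)
        ),
        "bare_hash_flags_altered_document": not verify_bare(altered, record),
        "bare_hash_accepts_when_hash_also_replaced": verify_bare(altered, replaced),
        "sealed_hash_accepts_when_hash_also_replaced": verify_sealed(altered, replaced, key),
        "store_overwrite_refused": overwrite_refused,
        "store_flags_altered_document": not store.verify("sub-001", altered),
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The third result is the case the text warns about: a hash stored without
protection confirms nothing once the stored hash itself can be replaced.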
A number of commenters also misinterpreted the criteria under
proposed Sec. 3.2000(e) Electronic signature/certification scenario
(especially the provisions for signatory's review of data under Sec.
3.2000(e)(1)(i)) as requiring signatories to scroll through their
submissions on-screen before they affix their electronic signatures,
and requiring state systems to enforce this required ``scroll-
through''. However, the proposal provided not that the signatory must
review the data on-screen, but rather that he or she be given the
opportunity to do so. The example of the enforced on-screen ``scroll-
through'' then envisioned for CDX, and provided in the CDX section of
the proposal's preamble, was in error. EPA did not intend to require
this ``scroll-through'' of submitted data prior to signature. EPA
certainly does expect and encourage reporting entities to review data
intended for electronic submission prior to signature, but does not
mandate this or any other particular mode or method of signatory review
in today's rule.
Returning to the three comment themes--of prescriptiveness, cost
and burden, and a ``one size fits all'' approach--commenters who raised
the prescriptiveness issue generally argued that, even supposing that
there were no specific objections to the detailed Sec. 3.2000
provisions, EPA had failed to make the case that every single
requirement under these provisions is necessary to ensure the legal
dependability of electronic submissions. Commenters who argued that the
proposed rule would be too costly and burdensome generally focused on
Sec. 3.2000(c)(5) and Sec. 3.2000(e)(1)(i), discussed above, or on
the proposed Sec. 3.2000(d) registration and signature agreement
provisions. There were many comments to the effect that the complex
Sec. 3.2000(d) registration and re-registration requirements would
pose substantial barriers to regulated company participation in
electronic reporting and involve unacceptable expenses for implementing
agencies. Commenters also noted that the required Sec. 3.2000(e)(1)(i)
would be difficult to integrate with company workflow practices in many
cases. Finally, there is the ``one size fits all'' issue. Some of the
comments raised this as another version of the ``prescriptiveness''
issue, but adding that the proposal developed just one model of
electronic reporting and attempted to make it fit the differing
circumstances of the various state, tribe, and local agencies that
would have to comply. Other comments emphasize the point that the
proposal takes requirements apparently tailored to assuring an
electronic document's authenticity and applies them to all cases of
electronic reporting, whether or not the question of authenticity is
likely to arise.
EPA has considered these and related comments in writing today's
rule. We do not wish to set overly prescriptive requirements and so
foreclose acceptable electronic reporting alternatives that could offer
equivalent or better assurance of legal dependability while, perhaps,
being easier for a state, tribe, or local agency to implement. We do
not wish to set requirements that impose unnecessary costs or burdens.
And, while we do not see a ``bright line'' around the universe of cases
where document authenticity might be of concern, we also do not wish to
address authenticity with requirements that leave states, tribes, and
local governments with too little flexibility in how they may adapt
their electronic reporting implementations to their particular
circumstances. Accordingly, EPA has decided to finalize criteria for
electronic document receiving systems that directly articulate the
underlying goal of assuring the legal dependability of electronic
documents authenticity, and to add more specific requirements only to
the extent that they are needed to achieve this underlying goal.
Accordingly, the provisions of today's rule have been clarified as
general performance standards necessary to ensure the legal
dependability of the electronic documents they receive. Additional
comments on the proposed criteria and EPA's responses can be found in
the rulemaking docket, in the Response to Comments document.
3. Revisions to the criteria in the final rule. In today's final
rule, we intend to fulfill the underlying goal of the proposed Sec.
3.2000 criteria for electronic document receiving systems. This is to
assure the authenticity and non-
[[Page 59857]]
repudiation of electronic documents submitted in lieu of paper reports,
so that they are as legally dependable--that is, as admissible in
evidence and accorded the same evidentiary weight--as their paper
counterparts. As noted earlier, this goal was expressed most directly
in the proposed Sec. 3.2000(b) ``Validity of Data'' criterion.
Accordingly, for the final rule, we started with the proposed Sec.
3.2000(b) and then clarified the remaining proposed Sec. 3.2000
criteria as general performance standards for electronic document
receiving systems, which were incorporated as needed to assure the
legal dependability of the electronic documents such systems receive.
The resulting Sec. 3.2000(b) in the final electronic reporting rule
reflects the requirements discussed in the table below. The citation
for the corresponding language in the proposed rulemaking is also
provided.
------------------------------------------------------------------------
                                         Citation/requirement in final
 Citation/subject area in proposed rule        section 3.2000(b)
------------------------------------------------------------------------
Proposed Sec. 3.2000(g), addressing      Section 3.2000(b)'s leading
 system archives.                         clause requires that the
                                          system be able to generate the
                                          required data as needed and in
                                          a timely manner.
Proposed Sec. Sec. 3.2000(e)(3) and      Section 3.2000(b)'s leading
 3.2000(f), addressing signature/         clause and Sec. 3.2000(b)(4)
 certification scenarios and              require that the system be
 transaction record.                      able to generate a ``copy of
                                          record'' that is made
                                          available to the submitters
                                          and/or signatories for review
                                          and repudiation.
Proposed Sec. Sec. 3.2000(c) and         Section 3.2000(b)(5)(i)
 3.2000(d), addressing the electronic     requires that the system be
 signature method and submitter           able to show that any
 registration process.                    electronic signature on an
                                          electronic document was
                                          created by an authorized
                                          signatory with a device that
                                          the identified signatory was
                                          uniquely entitled and able to
                                          use.
Proposed Sec. 3.2000(c)(5),              Section 3.2000(b)(5)(ii)
 addressing requirement that it be        requires that the system be
 impossible to modify an electronic       able to show that the
 document without detection once it has   electronic document cannot be
 been electronically signed.              altered without detection once
                                          it has been electronically
                                          signed.
Proposed Sec. 3.2000(e), addressing      Sections 3.2000(b)(5)(iii)-(iv)
 the signature/certification scenario.    require that the system
                                          be able to show that, before
                                          signing, any signatory had the
                                          opportunity to review what he
                                          or she was certifying to in a
                                          human-readable format, and to
                                          review the certification
                                          statement including any
                                          provisions relating to
                                          criminal penalties for false
                                          certification.
Proposed Sec. 3.2000(d), addressing      Section 3.2000(b)(5)(v)
 the submitter registration process.      requires that the system be
                                          able to show that the
                                          signatory signed an
                                          ``electronic signature
                                          agreement'' or a ``subscriber
                                          agreement'' acknowledging his
                                          or her obligations connected
                                          with preventing the compromise
                                          of the signature device.
Proposed Sec. 3.2000(e)(2),              Section 3.2000(b)(5)(vi)
 addressing acknowledgment.               requires that the system be
                                          able to show that it
                                          automatically sent an
                                          acknowledgment of any
                                          electronic submission it
                                          received that bears an
                                          electronic signature; the
                                          acknowledgment must identify
                                          the electronic document, the
                                          signatory and the date and
                                          time of receipt, and be sent
                                          to an address that does not
                                          share the access controls of
                                          the account used to make the
                                          submission.
Proposed Sec. 3.2000(d)(1)-(3),          Section 3.2000(b)(5)(vii)
 addressing submitter registration.       requires, for each electronic
                                          signature device used to create
                                          an electronic signature on
                                          documents that the system
                                          receives, that the system be
                                          able to establish the identity
                                          of the individual uniquely
                                          entitled to use that device
                                          and his or her relation to the
                                          entity on whose behalf he or
                                          she signs the documents.
------------------------------------------------------------------------
The requirements in Sec. 3.2000(b)(5)(iii)-(iv) of today's rule,
concerning ``opportunity to review,'' do not place the responsibility
for providing an opportunity, or for showing whether or not an
opportunity was actually taken, on the state, tribe, or local
government electronic document receiving system. What is required is
that the system provide evidence sufficient to show that an opportunity
was provided; this point is explained in greater detail in sections
VI.E.8 and VI.E.9 of this Preamble.
EPA believes that the standards in Sec. 3.2000(b) of today's rule,
as developed from the proposed ``Validity of Data'' criterion, together
with other proposed criteria clarified as general performance
standards, represent the minimum set of requirements for electronic
document receiving systems necessary to ensure the legal dependability
of the electronic documents such systems receive. For example, the
requirement for a copy of record is necessary to ensure that there is
an authoritative answer to the question of what information content a
signatory was certifying to or attesting to. The related requirement
that the system be able to provide timely access to copies of record
and related data reflects a practical concern that the data be
accessible in time and in a format to serve the purposes for which it
is needed.
Concerning the requirement that signature devices be uniquely
assigned to, and held by, individuals, EPA believes that an acceptable
electronic document receiving system must be able to attribute a
signature to a specific individual, to help assure that the signatory
cannot repudiate responsibility for the signature. Non-repudiation is
also strengthened by the signed electronic signature agreement, which
establishes that the signatory was informed of his or her obligation to
keep the signature device from compromise by ensuring that it is not
made available to anyone else. Requiring the signature agreement, as
well as the opportunity to review what they are signing, helps
establish that where signatures appear on electronic documents, the
signatories had the requisite intent to certify. That is, these
requirements help ensure that the signatories knew what they were
signing, knew what signing meant, and understood the legal implications
of false certification. As for the requirement that document content
cannot be altered without detection after signature, an acceptable
electronic document receiving system must provide evidence sufficient
to allow a court to attribute the intention to certify to the
document's current content to the signatory, so that he or she cannot
repudiate this content.
Finally, today's Sec. 3.2000(b)(5)(vii) requirement that the
system be able to establish the identity of the individual who is
assigned a signature is based on proposed Sec. 3.2000(d). Proposed
Sec. 3.2000(d) logically entails today's Sec. 3.2000(b)(5)(vii),
because satisfying the
[[Page 59858]]
provisions of the former guarantees compliance with the latter.
However, today's Sec. 3.2000(b)(5)(vii) limits the scope of the
proposed Sec. 3.2000(d)(3) requirement that, in registering for their
signature devices, registrants must execute their electronic signature
agreements on paper with handwritten signatures. In today's Sec.
3.2000(b)(5)(vii), this requirement is limited to a special class of
``priority report'' submittals. (See section VI.E.12 of this Preamble.)
In addition, today's Sec. 3.2000(b)(5)(vii) offers alternatives to
this handwritten signature requirement, to allow electronic reporting
solutions that are completely free of paper transactions. The
alternative provisions, found in today's Sec. 3.2000(b)(5)(vii)(A)-
(B), are elaborations of the proposed Sec. 3.2000(d)(1) requirement
for ``evidence [of identity] that can be verified by information
sources that are independent of the registrant and the entity or
entities'' for which the registrant will submit electronic documents.
The elaborations are necessary to assure that individuals' identities
can be established without being able to rely on their handwritten
signatures--and, in the final rule, the requirements apply only to
``priority report'' submittals, and only where the choice is made to
not use paper in the execution of electronic signature agreements.
Section VI.E.12 of this Preamble outlines all of today's Sec.
3.2000(b)(5)(vii) provisions in much more detail. In any event, we have
made these changes to the proposed Sec. 3.2000(d) approach to help
address commenters' concerns with ``one size fits all'' provisions, as
well as to allow states, tribes, and local governments as much
flexibility as possible as they implement their electronic reporting
systems.
In sum, the overall approach to the standards for electronic
document receiving systems in today's rule reflects a balancing of the
concerns raised by the public comments, especially those relating to
the proposal's burden on states, tribes, local governments and
regulated entities, against the need to ensure the legal dependability
of electronic documents submitted under authorized programs. Finally,
EPA notes that to date the Agency has had limited experience with the
practical application of electronic signatures and electronic reporting
generally. With the benefit of practical experience accepting
electronic reports under this rule, EPA may determine that this rule
needs to be revisited, to either add or eliminate certain safeguards.
In addition, while EPA has sought to write this rule so that its
provisions are technology-neutral, it remains possible that revisions
will be required to reflect technological changes or changes in
prevailing industry norms and practices. If these or other
circumstances require it, EPA thus reserves the right to revisit the
issues addressed in this rule.
C. How has EPA accommodated electronic submissions with follow-on paper
certifications?
Currently there are EPA and state programs that take electronic
submissions where the requirements for a signed certification statement
are met with a follow-on paper submission with handwritten signatures.
A number of commenters suggested that such an approach be recognized
and allowed to continue under the electronic reporting rule. EPA has no
wish to proscribe such an approach, and does not judge whether or not
follow-on paper signature/certification is to be preferred to the
approach where the signature/certification is electronic. To make this
clear in the final rule, we have added a clause to Sec. 3.10(b) that
allows follow-on handwritten signatures to substitute for electronic
signatures on submissions to EPA where ``EPA announces special
provisions'' for this purpose. A corresponding clause in Sec.
3.2000(a)(2) of today's rule makes a similar allowance for electronic
reporting under authorized state, tribe, or local programs, again,
where ``the program makes special provisions to accept a handwritten
signature on a separate paper submission.''
Among other things, these ``special provisions'' would allow
follow-on paper signature submission only if it were reliably linked or
cross-referenced with the associated electronic document. The linking
or cross-referencing is necessary in part to ensure that we can always
determine which signature submissions belong with which electronic
documents. Paper signature submissions must also provide sufficient
evidence that the signatory intended to certify to or attest to the
content of the electronic document as this content is recorded in the
copy of record for the submission. There are various approaches to
cross-referencing or linking that would meet these needs, most of which
involve the inclusion of extra data elements in the signature
submission that reference the associated electronic document. Such data
elements might include summary data from the electronic document, the
date and time of the electronic submission, or even the calculated hash
value of the electronic document. EPA may use these and other
alternatives if a decision is made to provide for direct electronic
reporting to EPA with follow-on paper signatures. For such submissions
to authorized programs, we have added to Sec. 3.2000(a)(2) of today's
rule the requirement that authorized program provisions for follow-on
paper signature submissions ``ensure that the paper submission contains
references to the electronic document sufficient for legal certainty
that the signature was executed with the intention to certify to,
attest to, or agree to the content of that electronic document.''
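The cross-referencing described above can be illustrated as follows.
This is an added example, not part of the rule text or of any EPA or
authorized program system; the use of SHA-256, the field names, and the
sample report are assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timezone


def normalise_hash(text: str) -> str:
    """Hash values copied onto paper are often grouped or upper-cased; undo that."""
    return "".join(text.split()).replace("-", "").lower()


def make_reference(submission_id: str, document: bytes,
                   received_at: datetime, summary: dict) -> dict:
    """Reference block issued at receipt, to be printed on the paper
    certification that the signatory then signs by hand.
    Field names are hypothetical."""
    return {
        "submission_id": submission_id,
        "received_at": received_at.astimezone(timezone.utc)
                                  .isoformat(timespec="seconds"),
        "sha256": hashlib.sha256(document).hexdigest(),
        "summary": {k: str(v) for k, v in summary.items()},
    }


def check_paper_reference(paper: dict, copy_of_record: bytes,
                          issued: dict) -> list:
    """Compare the references on a paper certification with the receipt
    record and with the stored copy of record.

    Returns the names of the elements that do not match. An empty list
    means the handwritten signature is linked to this exact content."""
    problems = []
    if paper.get("submission_id") != issued["submission_id"]:
        problems.append("submission_id")
    if paper.get("received_at") != issued["received_at"]:
        problems.append("received_at")
    # Hash the copy of record as it is stored now, so that any change
    # made after receipt shows up against what the signatory signed.
    actual = hashlib.sha256(copy_of_record).hexdigest()
    if normalise_hash(paper.get("sha256", "")) != actual:
        problems.append("sha256")
    paper_summary = paper.get("summary", {})
    for key, value in issued["summary"].items():
        if str(paper_summary.get(key)) != value:
            problems.append("summary." + key)
    return problems


# Constructed sample submission (not real reporting data).
SAMPLE_REPORT = (b"facility_id,parameter,value,unit\n"
                 b"FAC-0001,pH,7.2,SU\n"
                 b"FAC-0001,TSS,14,mg/L\n")
RECEIVED = datetime(2005, 10, 13, 14, 30, 0, tzinfo=timezone.utc)


def demo():
    issued = make_reference("SUB-EXAMPLE-001", SAMPLE_REPORT, RECEIVED,
                            {"facility_id": "FAC-0001", "rows": 2})
    # The hash as it might appear on the signed sheet: upper case, in groups.
    digest = issued["sha256"].upper()
    printed = " ".join(digest[i:i + 8] for i in range(0, 64, 8))
    paper = dict(issued, sha256=printed)
    intact = check_paper_reference(paper, SAMPLE_REPORT, issued)
    altered = check_paper_reference(
        paper, SAMPLE_REPORT.replace(b"7.2", b"6.9"), issued)
    return intact, altered


if __name__ == "__main__":
    intact, altered = demo()
    print("unaltered copy of record:", intact)
    print("altered copy of record:  ", altered)
```

The summary data and the date and time identify which submission the
paper belongs with; only the hash value ties the signature to the exact
content of the copy of record.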
D. How has EPA changed proposed definitions of terms?
The ``Definitions'' section of the final rule, Sec. 3.3, provides
new definitions for ``copy of record,'' ``electronic signature
agreement,'' and ``valid electronic signature,'' as well as the
revisions to the definition for ``electronic signature device,'' to
help articulate the final Sec. 3.2000(b) standards for electronic
document receiving systems. These terms are explained in more detail in
section VI, below. (See especially, sections VI.E.2., VI.E.10. and
VI.E.6.) Similarly, in section VI.B.2 of this Preamble we note the role
of the new definition for ``existing electronic document receiving
system;'' and, in section VI.E.12 we discuss the new definitions for
``agreement collection certification,'' ``disinterested individual,''
``information or objects of independent origin,'' ``local registration
authority,'' ``priority reports,'' and ``subscriber agreement.''
Section 3.3 also reflects a number of clarifying and/or simplifying
changes for definitions of terms, as follows.
1. Definition of ``acknowledgment.'' This definition has been added
in conjunction with Sec. 3.2000(b)(5)(vi) of today's rule, to make
clear that in the context of this rule, acknowledgment means a
confirmation of electronic document receipt.
2. Definition of ``electronic document.'' This definition has been
revised from the proposed version in several ways. First, the use of
``communicate'' has been eliminated, thereby eliminating the need for a
separate definition of that term. Second, the exclusion of magnetic and
optical media and facsimile submissions has been eliminated. We believe
it is clearer to exclude such submissions from the scope of CROMERR
under Sec. 3.1, entitled ``Who does this part apply to?'' Today's rule
now provides this exclusion in Sec. Sec. 3.1(b) and 3.1(c). Third, the
definition has also been revised so that it explains what a
``document'' is in an electronic medium. Instead of saying that an
``electronic document means a
[[Page 59859]]
document. * * *,'' the final version says that ``electronic document
means any information in digital form. * * *,'' where information is
explained as potentially including ``data, text, sounds, codes,
computer programs, software or databases.'' Fourth, this definition
clarifies that in this context, ``data,'' is used in its normal sense
as denoting a delimited set of data elements, each of which is a unit
of meaning in a document and consists of a content or value together
with an understanding of what the meaning and/or context of the content
or value is. Finally, the definition stipulates that where an
electronic document includes data, the understanding of what the data
content or value means must either be explicitly included in the
electronic document or be readily available through such sources as an
applicable data element dictionary, or a form or template that
specifies what each data element means when it is presented in the
specific file format used for the electronic document's submission.
A consequence of this approach is that the identity of an
electronic document consisting wholly of data is independent of the
format in which it is presented or submitted. That is to say,
rearranging or reformatting the data elements in an electronic document
does not change it into a different one, at least so long as the
signatory's intention and understanding of what the data elements each
mean is preserved in the process. This does not conflict with the
ordinary understanding of the term ``document,'' since we speak quite
often of ``reformatting a document,'' with the clear understanding that
what results will be the same document in a new format.
Correspondingly, under the definition of ``copy of record,'' a ``true
and correct'' copy of an electronic document does not necessarily have
to reflect the format in which the document was submitted, provided
that the document consists wholly of data. This independence of
document identity from format may not always hold where other kinds of
information are included in the electronic document, e.g. text or
images; in such cases a copy of record may have to include format or
formatting information.
3. Definition of ``electronic signature.'' This definition has been
revised by substituting ``information in digital form'' for
``electronic record,'' to avoid problems with defining ``electronic
record.'' The definition has also been revised to make clear that the
electronic signature for an electronic document need not always be
``included'' within that document; in some cases it may just be
``logically associated'' with it. This point is explained further in
section VI.E.2 of this Preamble, in discussing the copy of record
requirement.
4. Definition of ``electronic signature device.'' The definition of
``electronic signature device'' has been revised to clarify that where
a device is used to create an individual's electronic signature, then
the device must be unique to that individual, and he or she must be
uniquely entitled to use it at the time that the signature is created.
Correspondingly, the device is compromised if it is available for use
by any other individual, that is, if some other individual is able to
use the device to create signatures if he or she wishes. To the extent
that Sec. Sec. 3.10(b) and 3.2000(b)(5)(i) of the final rule prohibit
the acceptance of signatures created with compromised devices, via the
definition of ``valid electronic signature,'' the element of compromise
rules out the sharing of electronic signature devices or delegating
their use to create individuals' electronic signatures. Additionally,
the definition includes the element that an individual needs to be
entitled to use the electronic signature device; that is, the
individual needs to be the ``owner'' of the device. The nature of the
device itself will determine the way in which an individual comes to
own it. In the case of personal identification numbers or certificate-
based private/public key pairs, there is normally some process of
formally assigning the device to the individual, often through a
trusted third party. In other cases, for example password or personal
information-based signature devices, the process may have the
individuals invent and assign the devices to themselves--the basis
for their ownership of the devices being determined by the
circumstances or context within which they do this.
5. Definition of ``transmit.'' In the proposed rulemaking the term
``submit'' was defined as the ``means to successfully and accurately
convey an electronic document so that it is received by the intended
recipient in a format that can be processed by the electronic document
receiving system.'' However, the term ``submit'' is used more widely in
the rule in ways that are not consistent with this definition.
Accordingly, in the final rule the function of successful and accurate
conveyance of an electronic document is now termed ``transmit.''
6. Definition of ``valid electronic signature.'' Beyond its role in
Sec. 3.2000(b), this definition has also been added to help clarify
and simplify the signature requirements associated with electronic
reporting, both directly to EPA, in Sec. 3.10, and under authorized
programs, in Sec. 3.2000(a)(2). The definition specifies three main
conditions for validity. The first refers to features of the signature
that are intrinsic to the items of information of which it consists:
The signature must consist of the kind of information that has been
established as appropriate for the signing of the document in question,
and the specific information content must pass the validation tests
which the system uses to determine that the signature belongs uniquely
to the identified signatory. The second condition refers to the status
of the electronic signature device used to create the signature, and
ensuring that the device was not compromised at the time it was used to
create the signature. This ties validity to the element of compromise
within the definition of ``electronic signature device.'' That is, at
the time of signature, the device must not have been made available to
someone other than the individual who is entitled to use it. The third
condition refers to the signatory's status at the time of signature as
someone who is authorized to sign the document in question by virtue of
his or her legal status and/or relationship to the entity on whose
behalf the signature is executed. In the context of environmental
reporting, this condition would make invalid electronic signatures on
company compliance reports created by individuals who do not work for
or in any way represent the company. Generally, in the context of
environmental reporting, individuals who sign submissions to
environmental agencies are explicitly authorized to do so, by their
management and/or by the agency to which they report. However, in some
cases the authorization may be implicit in the signatory's legal status
and relationship to the regulated entity. For example, an owner or
operator of a company is generally authorized to sign notifications or
letters to an environmental agency whether or not this is explicitly
provided for by law or regulation.
As ``valid electronic signature'' is used in Sec. Sec. 3.10 and
3.2000(a)(2), the validity of an electronic signature is necessary for
the signatory's electronic submission to satisfy a federal or
authorized program reporting requirement. Additionally, as the term is
used in Sec. 3.2000(b), it also refers to a performance requirement
for an electronic document receiving system, namely that the system
must not accept and must be able to detect submissions with signatures
that are not valid. These requirements in terms of ``validity'' are
[[Page 59860]]
meant to provide a form of insurance for electronic signatures to
protect against the risks of repudiation. Nonetheless, a signatory may
be legally bound by a signature even where not all the requirements for
its validity have been met, e.g., where the signature has been executed
with a compromised electronic signature device. The signatory of an
electronic submission cannot avoid responsibility for its contents by
pointing to a technical flaw or other defect in the signature process.
V. Requirements for Direct Electronic Reporting to EPA
A. What are the requirements for electronic reporting to EPA?
Under the final rule, the requirements for electronic reporting to
EPA remain essentially unchanged from those in the proposal. Section
3.10 provides, first, that electronic documents must be submitted to an
appropriate EPA electronic document receiving system. Generally this
will be EPA's Central Data Exchange (CDX), although EPA can also
designate additional systems for the receipt of electronic documents
and is doing so in a separate Federal Register notice. Second, where a
paper document must bear a signature under existing regulations, an
electronic document that substitutes for the paper document must be
signed (by the person authorized to sign under the current applicable
provision) with a valid electronic signature.
Only electronic submissions that meet these two requirements will
be recognized as satisfying a federal environmental reporting
requirement, although failure to satisfy these requirements will not
preclude EPA from bringing an enforcement action based on the
submission or otherwise relying on the submission. A new compliance and
enforcement section has been added to the final rule to clarify certain
compliance and enforcement issues related to electronic reporting.
Section 3.4 makes clear that EPA can seek and obtain any appropriate
federal civil or criminal penalties or other remedies for failure to
comply with an EPA reporting requirement if a person submits an
electronic document to EPA under this rule that fails to comply with
the provisions of Sec. 3.10. Similarly, Sec. 3.4 makes clear that EPA
can seek and obtain any appropriate federal civil or criminal penalties
or other remedies for failure to comply with a state, tribe, or local
government reporting requirement if a person submits an electronic
document to a state, tribe, or local government under an authorized
program and fails to comply with the applicable provisions for
electronic reporting. Section 3.4 also contains provisions originally
published under Sec. 3.10(d) and (e) of the proposal, stipulating that
the electronic signature will make the person who signs the document
responsible, bound, or obligated to the same extent as he or she would
be signing the corresponding paper document by hand.
The Sec. 3.10 requirement that there be an electronic signature
applies only where a paper document would have to bear a signature were
it to be submitted, either because this is required by a statute or
regulation, or because a signature is required to complete the paper
form. The rule does not impose any new or additional signature
requirements for documents that are submitted in electronic form. In
addition, as noted in section IV.C of this Preamble, Sec. 3.10(b) of
today's rule also allows EPA to make special provisions, in specific
cases, for accepting handwritten signatures in follow-on paper
submissions in lieu of the required electronic signatures. In such
cases, it is critical that the special provisions ensure that the
electronic document cannot be altered without detection and is reliably
linked to the handwritten signature.
As in the proposal, this final rule does not specify any required
hardware or software. Accordingly, the rule text does not include any
detail about CDX per se or about what will be required of regulated
entities who wish to use it. Nonetheless, as stated in the proposal,
our goals include the sharing of detail on how CDX implements direct
electronic reporting to EPA. Section V.C.4 of this Preamble explains
how CDX has changed since we described it in the proposal, especially
in relation to the many comments we received on CDX-related issues.
B. What is the status of existing electronic reporting to EPA?
In a notice published concurrently with today's rule, EPA clarifies
the status of electronic reporting directly to EPA systems that exist
as of the rule's publication date. In accordance with 40 CFR 3.10, EPA
is designating for the receipt of electronic submissions, all EPA
electronic document receiving systems currently existing and receiving
electronic reports as of the date of this notice. This designation is
valid for a period of up to two years from the date of publication of
this notice. During this two-year period, entities that report directly
to EPA may continue to satisfy EPA reporting requirements by reporting
to the same systems as they did prior to CROMERR's publication unless
EPA publishes a notice that announces changes to, or migration from,
that system. Any existing systems continuing to receive electronic
reports at the expiration of this two-year period must receive
redesignation by the Administrator under Sec. 3.10. Notice of such
redesignation will be published in the Federal Register.
EPA's goal is that all its systems for receiving electronic reports
be consistent with the CROMERR standards for electronic document
receiving systems, set forth in Sec. 3.2000(b) of today's rule. EPA
generally hopes to achieve this consistency within a two-year
transition period for existing EPA systems; however, EPA is not bound
by the Sec. 3.2000(b) standards of today's rule or the two-year
period. This two-year period is similar to the two-year transition
period provided under Sec. 3.1000(a)(3) for systems operated under
EPA-authorized programs. In a number of cases, EPA may work toward this
goal by migrating existing electronic reporting to CDX or to other, new
CROMERR-consistent systems. As we change or migrate existing electronic
reporting programs to achieve consistency with the CROMERR standards,
we intend to provide sufficient advance notice to reporting entities so
that any new requirements can be accommodated without causing
significant disruption to their electronic reporting activities.
C. What is EPA's Central Data Exchange?
1. Overview of general goals. The proposal described EPA's
``Central Data Exchange'' as a system to be developed and maintained by
EPA's Office of Environmental Information (OEI) that would serve as
EPA's gateway or ``portal'' for receiving documents electronically from
our reporting community. The goal of CDX was to augment, and, where
appropriate, streamline and consolidate EPA's environmental reporting
functions by offering our reporting community faster, easier, and more
secure submission options through a single venue for electronic
submission of environmental data. As a cornerstone of EPA's efforts to
advance electronic government, CDX would support the electronic
submission needs of thousands of regulated entities submitting data to
EPA for certain air, water, waste, and toxic substances programs.
Ultimately, EPA planned to offer, wherever practicable, all regulated
entities that report directly to EPA, an option to file their specific
environmental documents
[[Page 59861]]
electronically through CDX. Regulated entities that submit reports
under an authorized program would also be able to file their documents
through CDX in cases where the state, tribe or local government that
administered the program chose to use CDX as a gateway for electronic
data submissions from its reporting community.
The reporting community using CDX would be able to access web
``reporting'' forms with built-in data quality checks, and/or submit
standard file formats through common, user-friendly interfaces that
allowed them to electronically submit data across vastly different
environmental programs. Both the reporting community and EPA would
benefit by gaining access to environmental reports more quickly and
with fewer errors, and by avoiding the inefficiencies of having to
keystroke data from paper reports. CDX was also being developed to
support a newly emerging Environmental Information Exchange Network
(EIEN) that would facilitate the electronic exchange of environmental
data between EPA and state, tribe, and local environmental agencies.
However, in keeping with the scope of the proposed rule, the description
of CDX features and functions in this section applies only to electronic
submissions to CDX from regulated entities; the description does not
apply to EIEN exchanges with CDX in which states, tribes, or local
governments participate as a part of their authorized programs or as a
part of administrative arrangements with EPA to share data.
The Concept of Uniformity. The proposal also characterized CDX as
providing an environment that would promote a uniformity of
technologies and processes. By adopting CDX to support the electronic
reporting needs across various EPA programs, EPA hoped to avoid the
proliferation of program-specific electronic reporting approaches that
could lead to duplicative investments in electronic document receiving
systems and possibly conflicting requirements for submitters.
The CDX Functions and Building Blocks. As described in the proposed
rule, CDX was being designed with the goal of fully satisfying the
criteria that the proposal specified for state, tribe, and local
electronic document receiving systems; similarly, EPA would ensure that
other systems the Administrator designated to receive electronic
submissions satisfied the criteria as well. The proposal discussed how
CDX would implement CROMERR-compliant electronic reporting by
describing the primary CDX functions and the system building blocks
that would support these functions. The functions described in the
proposal included: (1) Access management, (2) data interchange, (3)
signature/certification management, (4) submitter and data
authentication, (5) transaction logging, (6) copy of record provisions
and acknowledgment, (7) archiving, (8) error checking, (9) translation
and forwarding, and (10) outreach. The proposal then described five
building blocks that would support CDX functions, which were: (1)
Digital signatures based on PKI, where CDX would rely predominately on
a third party vendor under the General Services Administration (GSA)
Access Certificates for Electronic Services (ACES), (2) a process for
registering users and managing their access to the CDX, (3) a
client-server architecture, (4) EDI standards, as the primary format for
exchanging environmental data, and (5) a consistent user interface for
making electronic submissions.
2. Comments on the proposal. EPA received more than 100 comments on
the CDX concept as described in the proposal. A number of these
comments were related to one of four main subject areas, as follows.
Comments on Uniformity of Approach. Several comments expressed
concern about the proposed characterization of CDX as promoting
``uniformity of process and technology''. The phrase was used to
highlight the benefits of CDX, which included EPA's plans to avoid the
costly proliferation of redundant systems. However, comments pointed
out that this ``uniformity'' implied an inflexible and overly
prescriptive set of CDX technical and security requirements, which
would discourage CDX use. Such comments were similar to those discussed
in section IV.B.2 of this Preamble, raising concerns about the
prescriptiveness and ``one size fits all'' approach of the proposed
criteria for electronic document receiving systems.
EPA understands that ``uniformity of process and technology'' could
imply inflexibility, and this is not generally how we intended to
develop CDX. In fact, CDX is currently using a wide range of
technologies and processes to address CDX's functions that are tailored
to individual EPA program submission requirements, including the
technical capabilities of the reporting community for the particular
program. EPA recognizes that, for example, permitting, compliance
monitoring, and the conduct of studies involve fundamentally different
business processes, and that the associated submission of electronic
documents may have to be handled differently in each case. In some
instances CDX may support a more interactive ``workflow'' environment
for submitting data; in others, CDX may accept batch transmissions of
user-formatted files. It is also true that the technical capabilities
of a particular reporting community vary considerably, so CDX will
offer more than one electronic submission option in many cases. CDX
currently provides support for web-forms, file, and record-level
submissions in various formats, including flat file and XML, and EPA
plans to continue this flexible approach.
Comments on registration process. Comments from regulated entities
raised concerns about the costs and time required to register
individuals in each company, and EPA's failure to address the
increasingly common cases where the preparer of an environmental report
and the certifying official are different individuals.
Because electronic submission is being offered as an option to the
reporting community, EPA recognizes the need to design CDX registration
to be as user-friendly as practicable, in part by taking account of the
flow of work, or ``workflow'' involved in meeting a particular
environmental reporting requirement. For example, since proposal, EPA
has developed approaches to register both preparers and certifying
officials for at least two reporting programs. Changes to the CDX
registration process are discussed in more detail in section V.C.4.
Comments on digital signatures based on PKI. Comments pointed out
that reliance on PKI for all cases of electronic signature may violate
the GPEA directive to vary electronic signature approaches with the
circumstances of their use. Several comments underlined this concern by
pointing to PKI's costs and burdens. The comments objected that
registering through CDX and acquiring digital signature certificates
would be overly complicated, and would require that registrants provide
private or personal information. Some comments also expressed concern
about the incompatibility of a PKI-based approach with workflow, given
that environmental reports were frequently prepared by staff and then
signed by the facility owner, with staff turnover being frequent.
Another concern was the implications of CDX PKI software for company
system security, for example, given the need to download CDX software
through the company firewall.
EPA agrees that it should generally minimize the complexity and
cost of electronic signatures; otherwise, this will deter potential users
of CDX from submitting
[[Page 59862]]
electronic documents. In implementing CDX, EPA has revised the initial
plan for electronic signatures to include non-PKI electronic
signatures. Section V.C.4 discusses how we are changing the ``digital
signature based on PKI building block.''
Comments on EDI Standards. Comments expressed both encouragement
and concern over CDX's prospective implementation of standards-based
exchange formats for data submissions. An exchange format is a
predefined file structure, including data elements and higher level
syntax that describes how the data extracted from a system must be
arranged in a file for transmission to another system. A standards-
based format adheres to certain widely-accepted industry, national, or
international file structure definitions. Several comments expressed
concern about the costs of configuring their systems to generate a CDX-
specified standard format; others expressed concerns about the costs of
potential changes to the format once it is implemented on their
systems. By contrast, other comments strongly supported requiring
standards-based formats--even recommending that we require such formats
by rule for EPA and EPA-authorized state, tribe, and local electronic
document receiving systems.
CDX's approach to standards-based formats has changed considerably
since the proposal, in large part because of the emergence of Internet-
based approaches, most notably Extensible Mark-up Language (XML). These
changes are discussed in more detail in section V.C.4. EPA believes
that the use of standard formats can be encouraged without requiring
this by rule. Additional comments on CDX and EPA's responses can be
found in the rulemaking docket, in the Response to Comments document.
3. The aspects of CDX that have not changed since proposal.
General Goals. EPA continues its efforts to establish CDX as the
gateway or ``portal'' for receiving documents electronically from the
Agency's reporting community. In so doing, EPA's goal--to augment, and
where appropriate, to streamline and consolidate EPA's environmental
reporting functions through CDX--remains unchanged. The functions that
comprise CDX operations continue to remain the same though the range of
technologies and processes used to support these functions has
considerably broadened. CDX continues to implement electronic reporting
capabilities for EPA's many environmental programs, while advancing the
efforts of EIEN in coordination with state, territorial, tribal, and
other partners.
General Approach to Electronic Reporting Implementation. In
general, current instructions for client-side access of CDX suggest
Internet access and a system that uses both Microsoft Windows and
Microsoft Internet Explorer (IE). EPA acknowledges that the Government
Paperwork Elimination Act (GPEA) directs OMB to develop procedures for
agencies to follow in using and accepting electronic documents and
signatures and these procedures ``may not inappropriately favor one
industry or technology.'' Consistent with this GPEA directive, EPA is
committed to considering ways to allow other vendors' technologies to
access CDX. Accordingly, over the six months following the publication
of today's rule, EPA intends to assess the full range of issues that
affect CDX's ability to support multiple platforms and browsers. These
issues include the technical requirements for the electronic signature
options, form entry options, data upload options, network interface
options, current capabilities of the CDX hardware/software platform,
and potential impacts of new client-side platforms on the CDX life
cycle management, technical support requirements, and help desk
training and support. Based on this assessment, EPA intends to
determine the target universe of client-side platforms and browsers
that CDX can feasibly accommodate, and will identify the actions and
timeline necessary to build out CDX support for this target universe.
As described in the proposal, CDX users will need to:
Register with CDX, during which time they may need to
supply information used to identify themselves, their company, and the
EPA documents they wish to submit electronically;
Verify and/or correct registration information; and
Access their CDX web account through a secure website, and
agree to the terms and conditions of using the site, which include
safeguarding their self-generated password, before using web forms or
uploading files to submit electronic documents or data to EPA.
These are the minimum steps for gaining access to CDX at this time.
Additional steps are involved in acquiring an electronic signature
device, although these steps have changed somewhat since the proposal
and are discussed in section V.C.4. CDX also offers at least two
general methods for reporting electronically for many programs it
supports, either through file submission or through a ``smart web
form''. However, the types of formats and approaches for submitting
data through CDX have broadened, and these too are discussed in section
V.C.4.
4. The major changes that EPA has made to CDX since proposal. Over
the last two years, CDX has evolved from a prototype system to a fully
operational electronic document receiving system. CDX supports tens of
thousands of registered users providing data to dozens of environmental
reporting programs across the major EPA media offices. CDX registered
users include representatives from state, tribe, and local agencies,
industries, laboratories, and other federal agencies. While CDX
continues to provide a secure, single point of registration, access,
and exchange between reporting entities and EPA programs, the building
blocks supporting the CDX functions have changed substantially. These
changes reflect EPA's experience operating CDX over the past two years,
evolving trends in Internet technologies, and comments received on the
proposed rule from potential CDX users.
Digital signatures based on PKI. The proposal described the CDX
approach to electronic signatures in terms of digital signatures and
PKI. Since proposal, EPA has come to appreciate the complexity and
costs of implementing PKI, and to recognize that non-PKI electronic
signatures, as described in section IV.B.2 of the preamble to today's
rule, may be acceptable in many cases. Thus, for electronic reports
currently submitted to CDX, only in one case is PKI used for electronic
signature. The other cases involve PIN-based electronic signatures or
other non-PKI electronic signature approaches. As an example of the
latter, this year we anticipate implementing electronic signatures for
an EPA reporting requirement by having signatories use a password that
is self-generated during CDX registration in combination with certain
items of information that are unlikely to be available to anyone except
the signatory. This is a ``knowledge-based'' approach, which is being
used extensively by commercial software vendors supporting the United
States Internal Revenue Service (IRS) for electronic tax filings or
``e-filings'', and is being adopted by other agencies. EPA expects that
these non-PKI-based approaches to signature will continue to dominate
CDX implementations of electronic reporting. We currently intend to use
PKI where such needs as security or assuring very robust non-
repudiation of signature make this the most appropriate approach.
[[Page 59863]]
In addition, EPA's approach to PKI itself--described in the
proposal as relying on ACES--is also undergoing change. Changes with
respect to the role and method of identity proofing for those persons
who apply for PKI certificates are being further evaluated. As proposed,
the identity proofing was to be conducted by the third party ACES
vendor; currently, CDX identity proofing is conducted for the most part
by EPA's own contractor staff, who are able to issue digital
certificates to members of the reporting community with less cost and
in less time than the ACES vendor. EPA has also begun to explore
alternatives to ACES for PKI certificates, partly because ACES-provided
certificates do not support message encryption, which EPA may need for
certain environmental reporting applications. In addition, EPA is
considering its use of ACES in the light of recent federal advances in
establishing interoperability across federal PKI domains, which may
allow EPA to eventually leverage PKIs of other federal agencies or
institute an in-house PKI.
CDX Registration. Since the proposed rule, CDX has broadened its
approach to registration to better accommodate the workflow involved in
specific environmental reporting programs. While CDX still requires
registration, there are three distinct areas where the registration
process has changed since proposal. First, the proposal described CDX
registration as the first step toward the issuance of a PKI-based
digital signature, and it was implied that all persons opting to use
CDX would need a digital signature. As noted above, this is no longer
the case. Second, in the proposal, CDX registration began when a person
received an EPA invitation letter that contained a temporary code and
instructions on how to access the CDX registration website. CDX has
adopted additional approaches to initiating registration for certain
EPA programs, for example, embedding a link to CDX registration in
reporting software that is distributed to the program's reporting
community, or providing a public website where prospective CDX users
can submit initial registration data to EPA. While CDX continues to
register persons by invitation letter for reporting under certain
environmental programs, registration options will continue to broaden
as the number of environmental programs supported by CDX expands.
Finally, in the proposal, CDX registration was completed when the
registrant printed out a ``signature holder'' agreement from the CDX
registration website, signed this agreement and mailed it to EPA's CDX.
CDX will continue this approach for reports where electronic signatures
are required, although EPA is exploring the use of an entirely
paperless signature agreement process for at least some of these cases.
CDX registration to submit reports that do not include electronic
signatures will not involve a ``signature holder'' agreement.
EDI Standards. The proposal described EPA's plans to use EDI as the
basis of standards-based formats for exchanging data between reporting
entities and CDX. Since proposal, CDX development has reflected a
significant evolution in formatting standards to accommodate the
Internet--away from EDI and toward the use of XML. XML consists of a
set of predefined tags and message structures that, like EDI, allows
machine-to-machine exchange of data in a mutually agreed upon format,
enabling exchange of data across different systems. However, unlike
EDI, XML is tailored to Internet-based communications and security
protocols. Additionally, an XML formatted file in combination with a
style sheet can be displayed in a Web browser. Such features would
allow CDX to use the same standard format both for exchanging data
files and for designing web forms. The structure of XML also addresses
some of the challenges in archiving data received, because the XML tags
that accompany the data in an XML file can be used to interpret the
data's context without the aid of additional software. This could
facilitate the recovery of data from archived files, and reduces the
need to maintain the versions of the software originally used to
generate the files.
CDX and specific EPA programs may address the question of which (if
any) standards-based format to use for a particular report on a case-
by-case basis, and EPA intends to develop appropriate technical
instructions for CDX submitters as program-specific reporting formats
are adopted. These instructions normally will be distributed to the
affected reporting communities via links on the CDX website and/or
through program and CDX outreach efforts. EPA is working with
authorized state, tribe, and local programs to develop standards-based
reporting formats to meet their shared needs. In many instances, CDX
contemplates a long transition period between file formats currently
used to exchange data with regulated entities and any new, standards-
based formats. During this transition, CDX may offer submitters several
electronic submission options; these may include an existing data
format familiar to submitters, one or more new standards-based formats,
and some other approach such as a smart-form hosted on a secure
website.
Client-side architecture and transaction environment. The proposal
described a downloaded ``client'' that would generally supplement the
browser to support the signature and security for CDX; such ``client
side'' software is no longer needed for all cases of electronic
reporting to CDX. However, in some cases CDX now uses various
technologies to transparently insert routines into browsers during a
user session to support special functions--for example to support the
creation of a PKI-based electronic signature with an ACES business
class certificate.
D. How will EPA provide notice of changes to CDX?
As noted in the proposal, the fully-implemented CDX will be subject
to change over time, to take advantage of opportunities offered by
evolving technologies, as well as to improve the system. EPA's decision
to avoid codifying technology-specific or detailed procedural
provisions for electronic reporting is meant, in part, to accommodate
changes to CDX without requiring that we amend our regulations.
Nonetheless, EPA recognizes that such changes can affect regulated
entities that participate in electronic reporting; therefore, the final
rule provides for advance notice when EPA intends to make changes to
CDX. As discussed in the proposal, we distinguish four categories of
changes:
``Significant'' changes that are likely to affect the
kinds of hardware, software or services involved in transmitting
electronic reports (Sec. 3.20(a)(1));
``Other'' changes that will affect the process or the
timing of transmitting electronic reports to CDX, but without affecting
the kinds of hardware, software or services involved in making the
transmissions (Sec. 3.20(a)(2));
``Emergency'' changes necessary to protect the security or
operational integrity of CDX (Sec. 3.20(b)); and
``De minimis or transparent'' changes that will have
minimal or no impact on the process or the timing of transmitting
electronic reports to CDX.
``Significant'' changes include changes to the types of file formats
CDX will accept--for example a change from extensible markup language
(XML) formats to some non-XML format--as well as changes to the
technologies that may be used for file transfer to CDX or for creating
electronic signatures on transmitted reports. ``Significant'' changes
will not generally include optional upgrades to software, the
[[Page 59864]]
provision of additional formatting (or other technical) options, or
changes to CDX that simply reflect changes to the underlying regulatory
reporting requirements. ``Other'' changes include an increase in--or
re-ordering of--the steps involved in transmitting electronic reports,
changes to the registration or credential (e.g., PIN, password, PKI
certificate) provisioning process that could affect users' ability to
access CDX, and changes to reporting formats that involve the
reconfiguration of software. ``Emergency'' changes include such things
as an upgrade to the system firewall protection. Finally, ``de minimis
or transparent'' changes include the myriad small or ``back end'' fixes
and improvements that EPA makes to CDX each week that have minimal or
no impact on the transmission process. Such changes may range from
fixing a typo on a data entry screen to re-engineering the system's
archiving routines.
To address ``significant'' changes, Sec. 3.20(a)(1) of the final
rule provides that EPA will give public notice in the Federal Register
of such changes and will seek comment. EPA proposed to provide this
notice at least a year in advance of contemplated implementation, but
based on experience developing and operating a CDX prototype, EPA no
longer believes that a single time-frame is appropriate in all
situations. For example, ``significant'' changes that could affect the
transmission of an annual report may respond to needs or events that
arise less than a year in advance of the report's due date. On the
other hand, some ``significant'' changes may require more than a year
for reporting entities to accommodate. Accordingly, the final rule
provides that these Federal Register notices will propose and seek
public comment on an implementation schedule for a ``significant''
change, along with describing and inviting comment on the change
itself. To address ``other'' changes to CDX, Sec. 3.20(a)(2) of the
final rule provides that EPA will give notice at least 60 days in
advance of implementation. The notice in this case will typically be to
CDX users, and the method of notice may be electronic, perhaps using
the facilities of CDX itself. For ``emergency'' and ``de minimis or
transparent'' changes, EPA will make decisions on whether, when, and
how to provide public notice on a case-by-case basis.
VI. Requirements for Electronic Reporting Under EPA-Authorized Programs
A. What is the general regulatory approach?
As explained in Part V of this preamble, the requirements in Sec.
3.10 of today's rule apply to reporting entities that submit electronic
reports directly to EPA. By contrast, today's rule contains no
requirements that apply directly to entities who submit electronic
reports to state, tribe, or local government agencies. However, Subpart
D of today's rule does contain requirements that apply to state, tribe,
or local government agencies that operate EPA-authorized programs.
Subpart D of today's rule requires that such agencies that receive, or
wish to begin receiving, electronic reports under an authorized program
must apply to EPA for a revision or modification of that program and
get EPA approval. Subpart D provides standards for such approvals based
on consideration of the electronic document receiving system that the
state, tribe, or local government will use to implement the electronic
reporting. Additionally, Subpart D provides for special procedures for
program revisions and modifications that provide for electronic
reporting, to be used at the option of the state, tribe, or local
government in place of procedures available under existing program-
specific authorization regulations.
Generally speaking, EPA believes that even absent today's rule, an
authorized program's electronic reporting implementation would still
need EPA's approval under a program revision or modification. At least
where electronic reports may play a role in enforcement proceedings,
the authorized program's electronic reporting implementation has the
potential to affect program enforceability, and as such, revises or
modifies the program. Today's rule makes this explicit in Sec. 3.1000.
In addition, the final rule includes program-specific amendments to
various provisions in 40 CFR to cross reference those rules to the new
Part 3. With this approach, EPA hopes to support and promote state,
tribe, and local government efforts to make electronic reporting
available under their authorized programs, both by clarifying the
requirement that EPA approve these electronic reporting initiatives,
and by providing a single, uniform set of standards and a specially-
designed process to facilitate electronic reporting approval for
otherwise authorized programs.
B. When must authorized state, tribe, or local government programs
revise or modify their programs to allow electronic reporting?
1. The general requirement. As discussed earlier, this rule does
not require states, tribes, or local governments to allow or require
electronic reporting. Where they choose to do so, Sec. 3.1000
generally provides that they must revise or modify such programs to
ensure that their electronic reporting implementation will meet the
requirements of Sec. 3.2000. Additionally, once these authorized
programs begin operating the electronic reporting systems under EPA-
approved revisions or modifications, they must keep EPA informed of
changes to laws, policies or the electronic reporting systems that
could affect the program's compliance with Sec. 3.2000. Where the
Administrator determines that such changes require EPA review and
approval, EPA may ask the authorized program to submit an application
for revision or modification to address the changes. Alternatively, the
authorized program can apply for a revision or modification on its own
initiative.
For any of these program revisions or modifications, states,
tribes, or local governments may use either the application procedures
provided under Sec. 3.1000(b)-(e) or the program-specific procedures
provided in other parts of Title 40 or the applicable statute.
Whichever procedure is used, the state, tribe, or local government must
submit an application that complies with the requirements of Sec.
3.1000(b)(1), discussed in section VI.C.1. Section 3.1000(b)(1)
identifies the elements of an electronic reporting program that EPA
would need to consider in order to approve a state's, tribe's, or local
government's approach to receiving electronic documents, in lieu of
paper, to satisfy requirements under their EPA-authorized programs.
2. Deferred compliance for existing systems. For authorized
programs that have ``existing'' electronic document receiving systems
as of the date this final rule is published, EPA is deferring the
deadline for these programs to submit their applications for program
revisions or modifications with respect to such systems. The deferral
is generally two years from the date of this rule's publication. This
approach is consistent with similar provisions under other regulations
governing program authorization where new requirements are imposed.
Additionally, EPA conducted extensive discussions with entities
operating authorized programs about how much time they generally
[[Page 59865]]
would need to bring their systems into compliance with today's rule,
given their funding cycles, program review schedules under
``performance partnership'' agreements, the timeframes for making any
necessary system upgrades and completing an application for program
revision or modification, and any necessary legislative or regulatory
changes. Based upon these discussions, we believe that this two-year
period is generally sufficient to allow these programs to make the
transition to CROMERR-compliant systems without having to discontinue
their electronic reporting operations. Today's rule also allows
authorized programs to request extensions to the two-year deadline
where the timeframe for regulatory or legislative changes may be
somewhat longer.
EPA's purpose in deferring the application deadline for program
revisions or modifications with respect to existing electronic
reporting is to avoid disrupting authorized programs' electronic
reporting initiatives that are already underway. With this goal in
mind, EPA has defined ``existing electronic document receiving system''
broadly, to include not only those that are actually operational at the
time the final rule is published, but also those that are substantially
developed. We recognize that it would be disruptive to require that
authorized programs shut down their operational systems during the time
it would take to prepare, submit and have their applications for
revision or modification approved. However, there is often a very fine
line between an operational system and a system under development; for
example, where the developmental work is to scale a working prototype
up to production. In addition, at least the later stages of development
are likely to be restrained substantially or even halted if a system
must await EPA approval to operate, and this may affect system costs,
availability of contractor staff and their ability to complete the
system in a timely manner. Avoiding such disruptions to substantially
developed systems is part of the goal of the deferred compliance
provisions. To define what counts as a ``substantially developed''
system for this purpose, the definition of ``existing electronic
document receiving system'' uses evidence that system services or
specifications are already established by existing contracts or other
binding agreements. Where an agency has already made legally binding
agreements to procure a significant proportion of the services and/or
components that will constitute the system, then such a system would be
considered ``existing'' under this rule.
While many or most authorized programs with existing systems may
need this two-year compliance deferral, some may have no difficulty
submitting a completed application well before the end of two years. We
strongly encourage such early submissions when feasible. This will make
better use of EPA's review resources and will provide earlier certainty
of compliance with this rule for existing state, tribe, and local
government electronic reporting programs that are subject to this rule.
In addition, EPA believes that, whether through informal consultation
or formal application, identifying and addressing any existing system
issues as early as possible is the best way to avoid disruption to
electronic reporting initiatives currently underway.
C. What alternative procedures does EPA provide for revising or
modifying authorized state, tribe, or local government programs for
electronic reporting?
Under Sec. 3.1000, this rule provides procedures which a state,
tribe, or local government, at its option, can use to seek approval for
revisions or modifications with respect to electronic reporting under
its existing authorized programs. These optional procedures are
available both for revisions or modifications that seek initial EPA
approval for electronic reporting programs, and also for revisions or
modifications to accommodate substantial changes to electronic
reporting programs that already have EPA approval.
Although there is always the alternative of using the program-
specific procedures provided in other parts of 40 CFR, EPA believes
that, normally, a state, tribe, or local government would find the
procedures provided in this rule to be shorter, simpler, and easier.
The Sec. 3.1000 procedures allow submission of a single, relatively
simple application to request revisions or modifications that address
electronic reporting across any number of authorized programs.
Additionally, the procedures provide for a single, straightforward EPA
review process, with deadlines for EPA action written into the rule.
EPA believes that these procedures will be especially useful where the
state, tribe, or local government is planning to implement all of its
program-specific electronic reporting with a single system. Rather than
requiring approval program-by-program, Sec. 3.1000 allows the system
to be addressed in a single application package that can be reviewed in
its entirety and responded to within a relatively short and predictable
time-frame.
1. The application. To request modifications or revisions under
this rule, Sec. 3.1000(b)(1) requires a state, tribe, or local
government to submit an application that generally contains three
elements. The first is a certification that state, tribe, or local
government laws and/or regulations provide sufficient legal authority
to implement electronic reporting in conformance with Sec. 3.2000 and
to enforce the affected authorized programs using electronic documents
collected under those programs; the application must also include
copies of the relevant laws and/or regulations. This certification of
legal authority is not meant to address actual conformance with Sec.
3.2000(b); that is, the certification is not meant to reflect a
judgment about the capabilities of an agency's electronic document
receiving system. However, the certification would address Sec.
3.2000(c), and must be signed by the governmental official who is
legally competent to certify with respect to legal authority on behalf
of his or her government. In the case of a state, this official must be
the Attorney General or his or her designee. In the case of tribes or
local governments, this official must be the chief executive or
administrative official or officer or his or her designee. EPA realizes
that obtaining an Attorney General's certification for state
applications may involve considerable administrative burden; however,
as a legal matter, EPA believes that Attorneys General or their
designees are the only officials capable of certifying with respect to
their states' legal authority. Where there are substantial
administrative obstacles to involving the Attorney General in such
certifications, EPA urges the state Attorney General to provide for a
legally-competent designee who is available to participate in the
submission of the state's application.
The second element of the application, and the most substantive, is
a listing and description of the electronic document receiving systems
that do or will receive the electronic submissions addressed by the
requested program revisions or modifications. The application should
specify the electronic submissions each system will be used to receive,
and which (if any) of these submissions involve electronic signatures.
In describing each system, the application should explain how the
system will satisfy the applicable requirements of Sec. 3.2000. Many
of these requirements apply only to systems that receive submissions
with electronic
[[Page 59866]]
signatures; accordingly, the descriptions for systems that receive no
electronically signed submissions will be relatively short and simple.
For each of the Sec. 3.2000 requirements that do apply, the
description should explain the functions the system will perform to
satisfy the requirement, and the technologies that will be used to
achieve this functionality. EPA does not expect such explanations to
include detailed technical specifications of the systems, but rather to
provide conceptual descriptions of the technical approach and
functionality. In implementing this rule, EPA will provide applicants
with more detailed recommendations for preparing these system
descriptions, including examples and an application checklist.
The third element of the application is simply a schedule of
upgrades to each system addressed by the application--to the extent
that such upgrades can be anticipated--together with a brief discussion
of how the upgrades will assure continued compliance with Sec. 3.2000.
This third element should be thought of as an appendix to the second,
recognizing that the functionality with which each electronic document
receiving system addresses the Sec. 3.2000 requirements normally
exists within the dynamic environment of the system life cycle.
2. Review for completeness. Once EPA receives an application
submitted under the procedures in this rule, EPA will, within 75
calendar days, send a letter that either notifies the applicant that
its application is complete or identifies deficiencies that render the
application incomplete. An applicant that receives a notice of
deficiencies may amend the application and resubmit it. From the date
EPA receives the amended application, EPA will, within 30 calendar
days, respond with a letter that either notifies the applicant that the
amended application is complete or else identifies remaining
deficiencies. If an amended application is not submitted within a
reasonable time period to remedy identified deficiencies, EPA has the
authority to review and act on the incomplete application, as explained
in section VI.C.3.
3. EPA actions on applications. EPA will act on an application by
either approving or denying the requested program revisions or
modifications. In the case of a consolidated application for revision
or modification of more than one program, EPA need not take the same
action on each revision or modification; some may be approved while
others are denied. EPA will have 180 calendar days from the time it
sends a notice of completeness to act on an application in its
entirety. Except in certain cases of requested revisions or
modifications associated with existing systems (see section VI.C.4) or
with an authorized public water system program under 40 CFR part 142
(see section VI.C.5), if EPA does not act on a program revision or
modification by the end of the 180-day review period, then that
revision and/or modification is considered automatically approved by
EPA. The rule allows this review period to be extended, at the request
of the state, tribe, or local government submitting the application.
This may accommodate situations where EPA and the applicant are working
through issues that may take more than the 180-day review period to
resolve, and they mutually find it in their best interest to continue
discussion before EPA makes its decision.
Where EPA approves a program revision or modification (by either
affirmative or automatic approval), the approval becomes effective when
EPA publishes a notice of the approval in the Federal Register. Where
EPA denies a requested revision or modification, EPA will explain the
reasons for the action and advise the applicant of the steps that can
be taken to remedy the application's defects and will generally try to
work with the applicant to address the issues that have posed an
obstacle to approval. Additionally, in some cases, denial of approval
under the Sec. 3.1000 process may result from EPA's determination that
the application raises certain issues that are highly program-specific
and that these cannot be adequately addressed through the procedures
provided in this rule. For example, there may be issues that require a
discussion of program features that the Sec. 3.1000(b)(1) application
would not cover. In such cases, EPA will identify the issues that
exceed the scope of the Sec. 3.1000 process and will advise the
applicant to request the revision or modification under the applicable
program-specific procedures provided in other parts of Title 40.
4. Revisions or modifications associated with existing systems.
Some applications will request modification or revision to an
authorized program with an ``existing electronic document receiving
system''. As noted in section VI.B.2, the deadline for submitting such
applications is two years after the publication of today's rule. Where
such applications are submitted and are determined to be complete
before the two-year deadline, EPA will have a 180-day review-period for
any program modification or revision being requested, as explained in
section VI.B.3. However, where EPA sends notification that an
application is complete after the two-year deadline has passed, for
example, because the application was submitted relatively late in the
two-year period, EPA will have 360 days to act on any requested
modification or revision addressed by the application. As with the
cases where EPA has 180 days to act, this 360-day review period can be
extended at the request of the state, tribe, or local government
submitting the application.
The rule provides for this extended review period to deal with the
possibility that EPA will receive a large number of applications
associated with existing systems just before the two-year deadline
expires. If the number of such applications is sufficiently large, EPA
may not be able to act on all of them within a 180-day review period.
States, tribes, or local governments that wish to avoid the extended
review may do so by submitting their applications addressing existing
systems early enough in the two-year period to ensure that EPA can
determine completeness before the deadline. As noted in section VI.B.2,
EPA strongly encourages such early submissions wherever they are
feasible.
5. Public hearings for Part 142 revisions or modifications. Where a
complete application requests a revision or modification of an
authorized public water system program under 40 CFR part 142, EPA will
make a preliminary determination on the request--either an approval or
a denial--by the end of the 180-day review period (or the 360-day
extended review period discussed in section VI.C.4). EPA will then
publish a notice of the preliminary determination in the Federal
Register. The notice will state the reasons for the preliminary
determination, and will inform interested members of the public that
they may request a public hearing on the preliminary determination.
Such hearing requests must be submitted within 30 days of the notice's
Federal Register publication. If no requests are submitted, and the
Administrator does not hold a hearing on his or her own motion, then
the preliminary determination will be effective 30 days after the
initial Federal Register publication.
If a request for hearing is granted, or the Administrator
determines that a hearing is warranted, EPA will publish an additional
Federal Register notice announcing--at least 15 days in advance of any
such hearing--the date and time of any hearing, contact information,
and the purpose of the hearing. At the hearing, a hearing officer will
receive oral and written testimony, and will forward a record of the
hearing to the EPA Administrator. After
[[Page 59867]]
reviewing the record of the hearing, EPA will by order either affirm or
rescind the preliminary determination, and will publish notice of this
decision in the Federal Register. If the order is to approve the
revision or modification, the approval will be effective upon
publication of the order in the Federal Register.
6. Re-submissions and amendments. States, tribes, or local
governments whose Sec. 3.1000 applications for revisions or
modifications have been denied in whole or in part may reapply for
reconsideration, using either the Sec. 3.1000 procedures again, or, at
their option, the applicable program-specific procedures. A state,
tribe, or local government may also, on occasion, choose to amend a
Sec. 3.1000 application after the Administrator has determined the
application to be complete. In such cases, the application will be
considered to have been withdrawn and resubmitted as a new package, and
a new 75-day completeness determination process will begin. An
applicant may choose to withdraw and resubmit the package in this
manner, for example, if it becomes clear relatively early into the 180-
day review period that the application cannot be approved in its
current form. For such re-submissions, EPA will work diligently to
expedite the completeness determination.
D. What general requirements must state, tribe, and local government
electronic reporting programs satisfy?
States, tribes, and local governments that accept electronic
reports in lieu of paper under their authorized programs must satisfy
the requirements of Sec. 3.2000(b) and (c). Section 3.2000(b) sets
forth the standards that acceptable electronic document receiving
systems must satisfy, and these are explained in detail in section
VI.E. In parallel with Sec. 3.4 on federal compliance and enforcement,
Sec. 3.2000(c) requires that the state, tribe, or local government be
able to seek and obtain any appropriate civil, criminal or other
remedies under state, tribe, or local law for failure to comply with a
reporting requirement if a person submits an electronic document that
fails to comply with the applicable provisions for electronic
reporting. Similarly, Sec. 3.2000(c) contains provisions to ensure
that an electronic signature provided to a state, tribe, or local
government will make the person who signs the document responsible,
bound, and/or obligated to the same extent as he or she would be by
signing the corresponding paper document.
Additionally, under Sec. 3.2000(a)(2), the authorized program must
require that any electronic document it accepts bear a valid electronic
signature wherever the corresponding paper document would have to be
signed under existing regulations or guidance, with the signatory being
the same person who is authorized and/or required to sign under the
current applicable provision. As in the case of direct reporting to EPA
(see section V.A), the requirement for an electronic signature will
apply only where the document would have to bear a signature were it to
be submitted on paper, either because this is required by statute or
regulation, or because a signature is required to complete the paper
form. This rule does not require that authorized programs impose any
new or additional signature requirements for electronic documents that
are submitted in lieu of paper and were not previously required to be
signed when submitted in paper form.
As with direct reporting to EPA, Sec. 3.2000(a)(2) also allows an
authorized program to make special provisions for the required
signatures to be executed on follow-on paper submissions. As noted in
section IV.C, such provisions must ensure that the paper submission
containing the signatures is adequately cross-referenced with the
electronic document being signed, and must be described as a part of
the Sec. 3.1000(b)(1) application. Systems that receive electronic
documents with such follow-on paper signature submissions are subject
to all applicable Sec. 3.2000(b) requirements, including the
requirement that the electronic document cannot be altered without
detection after the signature has been executed.
E. What standards must state, tribe, and local government electronic
document receiving systems satisfy?
Section 3.2000(b) specifies the standards that electronic document
receiving systems must satisfy if they are to be approved for use by
states, tribes, or local governments to receive electronic documents in
lieu of paper under an EPA-authorized program. EPA's purpose in
specifying such standards remains the same as it was when EPA specified
the proposed Sec. 3.2000 criteria in proposed CROMERR. As discussed in
section IV.B.1, that purpose was to ensure that electronically
submitted documents have the same ``legal dependability'' as their
paper counterparts, so that any electronic document that may be used as
evidence to prosecute an environmental crime or to enforce against a
civil violation has no less evidentiary value than its paper
equivalent. EPA has been motivated to provide for the legal
dependability of electronic documents submitted under authorized
programs by considering, among other things:
- The roles that many electronically submitted documents
would likely play in environmental program management, including
compliance monitoring and enforcement;
- EPA's statutory obligation to ensure that authorized or
delegated programs maintain the enforceability of environmental law and
regulations; and
- The consequent need to ensure that enforceability is not
compromised as authorized programs make the transition from paper to
electronic submission of compliance or enforcement-related documents.
The Sec. 3.2000(b) standards for electronic document receiving systems
in today's rule provide an expanded version of what had been the
proposed Sec. 3.2000(b) ``Validity of Data'' criterion. Like proposed
Sec. 3.2000(b), final Sec. 3.2000(b) requires that electronic
document receiving systems reliably enable EPA, states, tribes, and
local governments to prove, in civil and criminal enforcement
proceedings, that the electronic documents they receive and maintain
are what they purport to be, that any changes to their content are
documented, and that any associated signatures were actually executed
by the designated signatories intending to certify that content.
Systems must be able to satisfy the Sec. 3.2000(b) requirements for
any electronic documents they receive that are submitted in lieu of
paper to satisfy an authorized program requirement.
The following discussion highlights some of the Sec. 3.2000(b)
requirements for electronic document receiving systems. The first five
of these requirements (timeliness of data generation, copy of record,
integrity of the electronic document, submission knowingly, and
opportunity to review and repudiate copy of record) apply to all
electronic document receiving systems. The other highlighted
requirements (validity of the electronic signature, binding the
signature to the document, opportunity to review, understanding the act
of signing, the electronic signature or subscriber agreement,
acknowledgment of receipt, and determining the identity of an
individual) apply only to systems that receive electronically signed
documents.
1. Timeliness of data generation. Section 3.2000(b) reflects the
role that electronic document receiving systems play in supporting a
wide range of compliance and enforcement-related activities, including
compliance research and analysis, civil actions, and
[[Page 59868]]
litigation, and the fact that the success of such activities may be
affected by the relative ease or difficulty of accessing the data
related to electronic submissions. Accordingly, electronic document
receiving systems must provide timely access to such data, especially
to data relevant to the questions of what was submitted, by whom, and,
where signatures are involved, who the signatories were and to what
they certified. Much of this data may be assembled in the copy of
record, together with any data needed to establish that the copy is a
``true and correct copy of an electronic document received,'' as
specified by the Sec. 3.3 copy of record definition. To help the
litigator develop evidence and present it in the courtroom, it is
advisable that the copy of record be maintained and made accessible in
a form and format that requires the minimum possible ``assembly'' of
its elements, so that its connection with what was received and what
was certified to by any signatories is easy to understand and to
demonstrate to others.
2. Copy of record. Under Sec. 3.2000(b), an acceptable electronic
document receiving system must retain and be able to make available a
copy of record for each electronic document it receives that is
submitted in lieu of paper to satisfy requirements under an authorized
program. For such submissions, the copy of record is intended to serve
as the electronic surrogate for what we refer to as the ``original'' of
the document received where we are doing business on paper. The copy of
record is meant to provide an authoritative answer to the question of
what was actually submitted and, as applicable, what was signed and
certified to in the particular case.
As defined in Sec. 3.3, a copy of record must satisfy at least
four requirements. First, it must be a true and correct copy of the
electronic document that was received. In the case of documents
consisting of data, this means that the copy of record must contain
exactly the set of data elements that constituted the electronic
document that was submitted. In the case of a document consisting of
other forms of information, e.g., text or images, being a ``true and
correct copy'' may mean including file and/or visual format
information along with the items of information themselves, to the
extent the meaning of these items is dependent on format. (See the
discussion of the definition of ``electronic document,'' in section
IV.D.1.) For the copy of record to fulfill its intended role, it is not
enough that it be a true and correct copy; it must also be capable of
being shown to be a true and correct copy; otherwise, it cannot meet
other related system requirements, such as establishing document
integrity. (See section VI.E.3, below.) The copy of record is shown to
be true and correct in part by virtue of its not being repudiated by
the submitters and/or signatories where it is made available for their
review and repudiation. (See section VI.E.5., below.) In addition, the
system must provide sufficient evidence to show how the copy of record
was derived from and accurately reflects the electronic document as it
was received by the system; such evidence is also necessary to
establish document integrity. To provide for such evidence, the system
may need to establish a chain of custody for the copy of record,
particularly if there are a number of processing steps that separate
the copy of record from the file as it enters the system. On the other
hand, where the copy of record captures and preserves the file
containing the electronic document exactly in the form and format in
which it is received, then a chain of custody may not be necessary.
Considerations of ``timeliness'' favor maintaining copies of record in
a way that would not require a chain of custody. (See section VI.E.1.,
above.)
Second, the copy of record must include all the electronic
signatures that have been executed to sign the document or components
of the document. The method of inclusion may vary, depending on the
nature of the signature. With a digital signature, created by
encrypting a hash of the document being signed with the private key in
a private/public key-pair, the signature is simply a number that can
and should be contained as a copy of record element. There is no risk
of signature theft in this case. Each digital signature is bound to the
specific document it signs, and the private key, which is actually used
for signing, is inaccessible to a would-be intruder.
With other forms of signature such as personal identification
numbers (PINs) or passwords, items of personal information, or
biometric images or values, including the signature as a copy of record
element may raise signature theft issues. At least in theory, such
signatures could be detached or copied from a copy of record and re-
used spuriously without detection. To address this risk, the signature,
especially in the case of a PIN or password, may be encrypted for
storage, perhaps together with a hash of the document signed, to bind
the signature to the document content. Another approach may be to
validate the signatory's identity, e.g., by comparing a signatory-
generated password with an encrypted version maintained securely at the
electronic document receiving system. In such cases, the signatory-
generated password--which might be regarded as the signature--never
actually appears on the electronic document, so the signature that is
``included'' in the copy of record may be an encrypted form of the
signature, or possibly nothing exactly corresponding to a signature at
all, but rather pointers or references to the processes or encrypted
data that provide the actual link to the signatory. There are analogous
strategies for biometric signatures. For example, the validity of a
biometric (e.g., a fingerprint, a retinal scan, etc.) may be
established by using certain statistical algorithms to evaluate data
provided by the biometric. In such cases, the copy of record might
document the process of validating the signature, but without including
the biometric data that was used to show that the signature was valid.
Under any of these approaches, the copy of record may satisfy the
requirement that the copy ``include'' the signatures, provided that
what the copy does contain serves to establish whether the electronic
document in question was signed and by whom.
Third, the copy of record must include the date and time of receipt
to help establish its relation to submission deadlines, to the
circumstances of its submission, and to other possibly associated
documents that may have been submitted or alleged to have been
submitted. This is not generally problematic, except in cases of
continuous streams of data conveyed to the system. For such continuous
data, reasonable alternatives may be substituted that serve the same
purposes, for example, associating stages of the data flow with dates
and times, say, at hourly intervals. Similarly, the copy of record may
include other additional information to the extent that this is needed
to establish the meaning of the content and the circumstances of
receipt. Such additional information might include data field labels,
signatory information such as references to PKI certificates, and
transmission source information.
Fourth, the copy of record must be viewable in a human-readable
format that clearly indicates what the submitter and, where applicable,
the signatory intended that each of the data elements or other
information items in the document means. This supports the copy of
record's role as a surrogate ``original'' of the paper document, and
serves to establish the content of the document as it was signed and/or
[[Page 59869]]
submitted. The copy of record may satisfy this requirement in many
different ways. It might actually include explicit labels or
descriptions for each data element or information item, or preserve a
visual format in which the data were submitted. Alternatively, it may
incorporate a conventional ordering of the items or elements, where the
information that associates such ordered data with labels,
descriptions, or other means of visual display is maintained externally
and can be invoked as needed--for example, to make the data elements
appear within fields in the image of a filled-out form. Where the
electronic document is created off-line by the submitter and conveyed
as a whole to the receiving system, it is preferable for the copy of
record to reflect the mechanism or format for indicating meaning
supplied in the submission. For example, if the submission is in some
standard electronic data interchange format, then the copy of record
might usefully preserve that format. Taking this approach will help to
resolve potential chain of custody issues if questions arise about
whether the copy of record is true and correct. However, in cases where
the electronic document is created on-line, for example, through the
use of a web-form, the format for the copy of record will of necessity
be an artifact of the electronic document receiving system itself. This
is not problematic, as long as the system provides a way to ensure that
the meaning of each data element as supplied by the submitter remains
unambiguous.
Some commenters objected to copy of record requirements because of
the potential expense of redesigning systems that are not currently
capable of creating and storing electronic copies of records. EPA
notes, however, that systems satisfying copy of record requirements
need not preserve the electronic documents received in separate or
special storage apart from the files that maintain the data or
information content of the documents. For example, data loaded from
submitted electronic documents to a database may satisfy copy of record
requirements where the stored content includes the signatures, the
date/time of receipt, and an adequate chain of custody. This may be the
most practical copy of record approach for receiving continuous data
streams. Such an approach does not preclude satisfying the requirement
that the copy of record be viewable in a human-readable format. The
requirement does not mean that the data must be stored in a human-
readable format, so long as there is a well-documented way to display
the stored data in such a format. In addition, nothing in the ``copy of
record'' definition requires such copies to be electronic. Particularly
where the signature involves some easily represented numerical value,
the copy of record may be created and maintained in an imaging medium
or on paper, provided that such copies can be shown to have been
created by the electronic document receiving system to be true and
correct copies of the electronic documents received. Whether such
alternatives are appropriate as interim or even long-term solutions
will depend on individual circumstances. It may be difficult to provide
a copy of record for review and possible repudiation if the copy is not
available as an electronic document that can be viewed on-line or
downloaded through the network.
3. Integrity of the electronic document. Under Sec. 3.2000(b)(1)--
(2), an acceptable electronic document receiving system must be able to
establish that a given electronic document was not altered without
detection in transmission or at any time after receipt, and any such
alterations must be fully documented. For purposes of Sec.
3.2000(b)(1)--(2), EPA excludes alterations that have no effect on the
document's information content. Examples of excluded alterations
include the separation of a transmitted file into packets and their
error-free recombination, the error-free processes of file compression
and extraction, as well as certain disk maintenance functions that may,
for example, involve physically repositioning file components on the
storage medium. To satisfy Sec. 3.2000(b)(1)--(2) requirements with
respect to alterations that do affect information content, a system may
rely on a number of different but complementary capabilities, including
general provisions for system security, access control, and secure
transmission. Additionally, the system's copy of record provisions help
make the case that the electronic document is unaltered, or has been
altered only as documented (for example, through a chain of custody), a
case which is strengthened where submitters and/or signatories have had
the opportunity to review the copy and have not contacted the system to
repudiate the copy. Finally, there are specific technical approaches to
ensuring integrity, based, for example, on calculating hash values
associated with the document content.
4. Submission knowingly. Under Sec. 3.2000(b)(3), an acceptable
electronic document receiving system must provide evidence that the
submitter had some reliable way of knowing and/or confirming that the
submission took place. This requirement is necessary to help establish
submitter responsibility for the electronic document and to rule out
spurious submissions, whether by accident or through the actions of an
unauthorized submitter or ``hacker.'' EPA believes that to satisfy this
requirement, the system must have some follow-on communication with the
submitter related to the submission. This could be a communication
initiated by the submitter in cases where it is realistic to rely on
submitters to regularly check the system for evidence of documents
submitted; where such submitter interactions are relied upon, they must
be documented. Alternatively, the system must send some form of
acknowledgment of submission as a response to the submitter named, and
must document such acknowledgments, recording at least their date,
time, content and the addresses to which they were sent. For cases
where the electronic document bears an electronic signature, this
acknowledgment is explicitly provided for under Sec. 3.2000(b)(5)(vi).
(See section VI.E.11.)
5. Opportunity to review and repudiate copy of record. Under Sec.
3.2000(b)(4), the copy of record must be available for review and
timely repudiation by the individuals to whom the document is
attributed, as its submitters and/or signatories. The fact that the
copy was available for this review and was not repudiated provides
strong support for its being a ``true and correct copy of an electronic
document received,'' as specified by the Sec. 3.3 copy of record
definition. Program managers normally would set reasonable end dates
for this process, especially where there is concern that the copy is
not ``officially'' a copy of record until the process is complete.
Satisfying this ``opportunity to review'' provision involves at
least two requirements. The first is that the identified submitters
and/or signatories must have some way of knowing that their submission
was received, and that a copy of record is available for review. This
requires some follow-on communication with the submitters and
signatories related to the submission--initiated either by the
submitters/signatories or by the system, as discussed in section
VI.E.4. Approaches should be avoided that allow the initial submission
and provision of copy of record to occur as a part of the same on-line
session, because in cases of spurious submission the identified
submitters/signatories may never learn
[[Page 59870]]
that a copy of record exists. Second, to ensure that the opportunity to
review and repudiate is meaningful, the copy of record must be viewable
in a human-readable format that clearly and accurately associates all
the information elements of the electronic document with descriptions
or labeling of those elements. This second requirement is consistent
with the definition of ``copy of record,'' as discussed in section
VI.E.2.
6. Validity of the electronic signature. Under Sec.
3.2000(b)(5)(i), for each electronic document that is required to bear
an electronic signature, the receiving system must be able to establish
that each electronic signature was a valid electronic signature at the
time of signing. Under Sec. 3.3, as discussed in section IV.D.5, a
valid electronic signature must satisfy three conditions. The first is
that the signature must be created with a signature device that is
``owned'' by the individual designated as signatory--``owned'' in the
sense that this individual is uniquely entitled to use it for creating
signatures. To establish this, an electronic document receiving system
must be able to identify signature device ``owners'' and must be able
to determine that an identified signatory is the owner of the device
used to create the signature in question. Section 3.2000(b)(5)(vii)
explicitly requires the ability to identify signature device owners,
and section VI.E.12 of this Preamble discusses the Sec.
3.2000(b)(5)(vii) requirements in detail.
Concerning the determination that an identified signatory is the
owner of the device used to create the signature, the system needs to
have unique signature validation criteria for each identified signature
device owner who submits electronically signed documents; the system
must be able to apply these criteria to each signature on documents
received. For example, in the case of a digital signature, the
validation criteria include the existence of a valid PKI certificate
for the identified signatory and the ability of the associated public
key to decrypt the encrypted message digest that constitutes the
signature. In the case of a PIN, the validation criterion may be simply
that the PIN added to the document as a signature matches the PIN on
file for the identified signatory.
The second condition for an electronic signature to be considered
valid is that the signature must be created with a device that has not
been compromised. That is, at the time of signing, the electronic
signature device must in fact be available only to the individual
identified as its owner, and to no one else. Otherwise, the use of the
device to create the electronic signature may not provide evidence that
a specific, identifiable individual has certified to the truth or
accuracy of an electronic document. Accordingly, an acceptable
electronic document receiving system must provide evidence that the
electronic documents it receives and maintains do not contain
signatures executed with compromised devices. Such evidence will
document the system's approach to three related functions: prevention
of signature device compromise, detection of compromises where they
occur, and rejection of known compromised submissions.
The approach to prevention will include the way the system notifies
submitters of their obligations to avoid signature compromise,
including the obligation not to share or delegate the use of the device
as a part of the electronic signature agreement. (See sections IV.D.4
and VI.D.8. of this Preamble, respectively.) Prevention also involves
choosing the kinds of signature devices to support and determining how
they are to be used. Some devices are inherently vulnerable to
compromise, for example, because protection from spurious use relies on
a ``secret'' (such as a PIN or password) that has to be shared when the
device is used. However, vulnerable devices can sometimes be
strengthened with appropriate implementation. In the case of a PIN or
password, adding an element that does not rely on secrecy--e.g. a
physical ``token,'' such as a smart card or employee badge--that has to
be used along with the PIN or password may greatly reduce the device's
vulnerability. Alternatively, a system accepting secret-based
signatures might be programmed to query the would-be signatory about a
randomly selected piece of private information that has been (or could
be) verified. This approach would also reduce vulnerability to
compromise, since the discovery of a secret number or password does not
convey other private information about the secret's owner.
For detection of compromises, there are two complementary
approaches. The first is to ensure that the system recognizes the signs
of spurious submission, for example, duplicate reports, off-schedule
submissions, and deviations from normal content or procedure. The
second is to ensure that the system empowers submitters to detect and
report spurious submissions by providing the regular ``out of band''
acknowledgments discussed in section VI.E.11. Once spurious submissions
are detected, the system must ensure their rejection, and the rejection
of any subsequent submissions that use the same device. An acceptable
receiving system must provide for timely revocation or suspension of
access by those individuals with compromised signature devices.
Finally, a signature must be created by an individual who is
authorized to do so, primarily by virtue of his or her relationship
with the regulated entity on whose behalf the signature is executed. An
electronic document receiving system must be able to determine whether
the identified signatories have the necessary relationship with the
regulated entity that enables them to sign the documents being
submitted. Generally, the system would obtain the information necessary
for these determinations along with establishing the identity of the
signature device owners. Section VI.E.12 of this Preamble discusses
this point in more detail.
The system must also have some way to keep this information up-to-
date, for example, some way to reject signatures where it is known that
the signature device owner is no longer authorized to sign the
electronic document in question. As with the initial registration
process, the provisions for updating this information may vary. For
some cases, it may be sufficient to rely on voluntary notifications
from registrants when, e.g., their job status changes. For other cases,
it may be appropriate to identify a responsible company official who is
charged with managing the authorizations of employees signing documents
on behalf of the company, to include keeping records of changes in
authorization status and/or sending notifications. For certain cases,
the system might limit a signature device owner's authorization to a
defined period, which could be extended only through a re-registration
process.
7. Binding the signature to the document. Under Sec.
3.2000(b)(5)(ii), an acceptable electronic document receiving system
must establish that electronic documents cannot be altered without
detection once such documents are signed. Well-implemented provisions
for copy of record help satisfy this requirement. The fact that a
signatory has not repudiated a document's copy of record that he or she
has had the opportunity to review provides evidence that the copy
accurately reflects the document as it was signed. However, even where
the signatory affirms the authenticity of the copy of record at the
time of review, he or she may still repudiate the document at a later
date. Therefore, an acceptable electronic document receiving system
[[Page 59871]]
must provide a method of ensuring that any breach of a signed
document's integrity can be detected. As discussed in section IV.B.2.,
such methods are available in the form of signatures that incorporate a
hash value of the content being signed, or in the form of signature
processes that involve the creation of this hash and its maintenance in
association with the signed document. Encrypting the hash value, for
example, by executing a digital signature, provides the strongest
approach to rebutting claims that the hash has been manipulated.
Encryption may not be necessary to the extent that the system provides
other means to prevent tampering and establish that the hash has not
been altered since it was calculated.
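The hash-based approach described in this section and in section VI.E.3, as an added example that is not part of the rule text or of any EPA system: a hash of the content is recorded at receipt and kept in a chain-of-custody log. The HMAC seal under a system-held key is an assumed stand-in for the ``other means'' of protecting the hash (a digital signature would replace it); the key, the field names and the sample report are constructed.

```python
import hashlib
import hmac
import json
import zlib

SYSTEM_KEY = b"constructed-demo-key"  # assumption: known only to the receiving system
GENESIS = "0" * 64                     # prev_seal value used by the first log entry

# Constructed sample submission.
SAMPLE_REPORT = b"facility=EXAMPLE-001;parameter=pH;value=7.2;period=2005-Q3\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def seal(fields):
    """Keyed MAC over a canonical encoding of one custody entry."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SYSTEM_KEY, canonical, hashlib.sha256).hexdigest()


def append_entry(log, event, document, note=""):
    """Record the document hash and link the entry to the previous one, so an
    entry cannot be edited, dropped from the middle or reordered unnoticed."""
    fields = {
        "seq": len(log),
        "event": event,  # "received" or "documented-alteration"
        "note": note,
        "doc_sha256": sha256_hex(document),
        "prev_seal": log[-1]["seal"] if log else GENESIS,
    }
    log.append(dict(fields, seal=seal(fields)))
    return log[-1]


def verify(log, document):
    """Return 'intact', 'log-tampered' or 'document-altered'."""
    prev = GENESIS
    for seq, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "seal"}
        linked = fields.get("seq") == seq and fields.get("prev_seal") == prev
        if not linked or not hmac.compare_digest(entry.get("seal", ""), seal(fields)):
            return "log-tampered"
        prev = entry["seal"]
    # The stored document must match the hash in the newest custody entry.
    if not log or log[-1]["doc_sha256"] != sha256_hex(document):
        return "document-altered"
    return "intact"


def demo():
    log, results = [], {}
    append_entry(log, "received", SAMPLE_REPORT)

    # Excluded alteration: error-free compression and extraction.
    restored = zlib.decompress(zlib.compress(SAMPLE_REPORT))
    results["after_compression"] = verify(log, restored)

    # A change to information content that nobody documented.
    altered = SAMPLE_REPORT.replace(b"7.2", b"7.9")
    results["undocumented_change"] = verify(log, altered)

    # The same change, documented in the chain of custody.
    append_entry(log, "documented-alteration", altered, note="constructed correction")
    results["documented_change"] = verify(log, altered)
    results["superseded_original"] = verify(log, SAMPLE_REPORT)

    # Rewriting the hash recorded at receipt breaks the seal on that entry.
    forged = [dict(entry) for entry in log]
    forged[0]["doc_sha256"] = sha256_hex(altered)
    results["rewritten_log"] = verify(forged, altered)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The chain does not reveal removal of the newest entries; that requires keeping the latest seal somewhere the log's custodian cannot change. An HMAC also cannot rebut a claim that the key holder recomputed it, which is why the text ranks a digital signature as the strongest approach.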
8. Opportunity to review. Where a signatory is certifying to the
truth or accuracy of document content, the certification represents the
signatory as knowing and understanding the content, as well as
certifying to its truth. Under Sec. 3.2000(b)(5)(iii), an acceptable
electronic document receiving system must be able to provide evidence
that the signatory had the opportunity to review what he or she was
signing in a human-readable format. Providing this evidence may be
relatively simple, depending on the signature/certification scenarios
that the system provides for or allows. In a case where the system only
allows signature/certification during an on-line client-server session,
and where the server always explicitly gives the signatory the option
of scrolling through an appropriately-formatted display of the
submission content before signing, documenting these server functions
should suffice to provide the required evidence. Cases that may be
similarly straightforward include those where signature/certification
takes place off-line, at the signatory's computer, but using software
provided by or certified by the governmental entity whose system will
receive the signed electronic document. In this case, the evidence is
provided by documenting how the software works. Less straightforward
are cases where the signature/certification software is completely
beyond the control of the governmental entity. In such cases, evidence
of the opportunity to review may need to rely on the use of a
submission format that demonstrably allows a human-readable display of
the content. For example, the fact that the file format is a Word or
Excel file and that the file provides a human readable display when
opened with the right program may constitute sufficient evidence that
the opportunity to review has been provided.
9. Understanding the act of signing. Where a signatory is
certifying to the truth or accuracy of document content, the
certification affirmatively represents that the signatory understands
both what the act of signing means and that he or she is subject to
criminal liability for false certification. Reporting formats in the
paper medium provide evidence that certifications are made with the
requisite understandings by placing the certification statement in a
clearly visible position near the place where signatures are to be
affixed and by prominently displaying the statement that there are
criminal penalties for false certification. Under Sec.
3.2000(b)(5)(iv), an acceptable electronic document receiving system
must ensure that such statements are presented in conjunction with
electronic signature/certification. Satisfying this requirement is
straightforward where the system itself provides for the signature
process or where the governmental entity receiving the submission
provides or otherwise has control over the signature/certification
software being used. In other cases, satisfaction will depend on
requiring that the signatories and/or submitters incorporate such
statements into their documents before they are signed or into screens
that are displayed prior to signature. Confidence that the requirement
is satisfied will depend in part on the extent to which the submission
process involves the use of common, easy-to-display file structures
together with the software to display the files being signed.
10. The electronic signature or subscriber agreement. Under Sec.
3.2000(b)(5)(v), an acceptable electronic document receiving system
must be able to provide evidence that any signatory of documents
received by the system has signed an electronic signature agreement or
subscriber agreement with respect to the electronic signature device he
or she uses to sign the documents. ``Electronic signature agreement''
and ``subscriber agreement'' are defined under Sec. 3.3, the latter
referring to electronic signature agreements that are executed with ink
on paper. (The distinct role of subscriber agreements is explained in
section VI.E.12.) By signing such agreements, an individual agrees to
protect his or her signature device from compromise, that is, to keep a
secret code secret, a hardware token secured, etc., and not to
deliberately compromise the device by making it available to others. He
or she also agrees to promptly report any evidence that the device has
been compromised, for example, to promptly notify the system manager if
he or she receives system acknowledgments of submissions he or she did
not make, or if the device has become available to others. Finally, by
signing the electronic signature or subscriber agreement, an individual
agrees that use of his or her electronic signature device to sign
documents creates obligations and/or legally binds him or her to the
same extent as he or she would be bound or obligated by executing
handwritten signatures. EPA believes that such agreements are necessary
to assure--and provide evidence--that the signatory recognizes his or
her obligations with respect to the electronic signature device.
Insofar as the institutions surrounding the use of electronic
signatures are relatively new, EPA believes that express recognition of
signatory obligations through explicit agreements avoids potential
ambiguity or misunderstandings.
11. Acknowledgment of receipt. Where an electronic signature is
used to certify to the truth or accuracy of document content--with
criminal liability for false certification--then it is especially
important to ensure that any individual identified as signatory has the
opportunity to detect and repudiate any spurious submissions made in
his or her name through unauthorized access to the signature device and/or
the electronic document receiving system. To provide for this, Sec.
3.2000(b)(5)(vi) requires the system to automatically send
acknowledgments of document receipt to the individuals in whose names
the submissions are made, the acknowledgments in each case identifying
the document in question, the signatories, and the date and time of
receipt.
Additionally, Sec. 3.2000(b)(5)(vi) requires that each
acknowledgment be sent to an address with access controls different and
separate from those that enable the submission itself, so that in cases
of compromised access, the individual in whose name a submission is
made would still receive the acknowledgment without interference. This
is sometimes referred to as ``out of band'' acknowledgment. In web-
based commerce, this is fairly standard practice--a purchase is
normally acknowledged directly to the internet protocol (IP) address
from which the purchase is made, as a part of the on-line session, but
also is confirmed through a follow-up communication to an email
address. Note that while the ``out of band'' acknowledgment is normally
sent electronically, electronic transmission is not required. A paper
acknowledgment sent by U.S. Mail, or a voice acknowledgment via
telephone would serve the same purpose so long
[[Page 59872]]
as these are documented by the system so they may be produced, possibly
as evidence, at a later date.
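The detection and acknowledgment behavior described in sections VI.E.6 and VI.E.11, as an added example that is not part of the rule text or of any EPA system: submissions are checked for duplicate and off-schedule signs, every receipt is acknowledged to a separately controlled address and logged, and a repudiated submission causes the device to be suspended. The class and field names, the schedule window and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Registrant:
    signatory: str
    device_id: str
    submit_account: str   # account whose credentials enable submission
    ack_address: str      # where acknowledgments go; must be out of band
    due_days: range       # days of the month a report is expected (assumption)
    suspended: bool = False


class ReceivingSystem:
    def __init__(self):
        self.registrants = {}   # device_id -> Registrant
        self.submissions = []   # every submission received, in order
        self.ack_log = []       # documented acknowledgments

    def register(self, reg):
        # Simplified stand-in for "different and separate" access controls:
        # refuse an acknowledgment address that is the submitting account.
        if reg.ack_address == reg.submit_account:
            raise ValueError("acknowledgment address is not out of band")
        self.registrants[reg.device_id] = reg

    def receive(self, device_id, report_id, period, received_at):
        reg = self.registrants.get(device_id)
        if reg is None or reg.suspended:
            return {"status": "rejected", "reason": "device unknown or suspended"}
        flags = []
        key = (device_id, report_id, period)
        if any(s["key"] == key for s in self.submissions):
            flags.append("duplicate-report")
        if received_at.day not in reg.due_days:
            flags.append("off-schedule")
        sub = {
            "id": len(self.submissions) + 1,
            "key": key,
            "signatory": reg.signatory,
            "received_at": received_at.isoformat(),
            "flags": flags,
            # Flags are signs of spurious submission, not proof: hold for review.
            "status": "held-for-review" if flags else "accepted",
        }
        self.submissions.append(sub)
        self._acknowledge(reg, sub)
        return sub

    def _acknowledge(self, reg, sub):
        # The acknowledgment identifies the document, signatory and receipt time;
        # the log keeps its date, time, content and destination address.
        content = (f"Received {sub['key'][1]} for {sub['key'][2]}, "
                   f"signatory {sub['signatory']}, at {sub['received_at']}")
        self.ack_log.append({
            "sent_at": datetime.now(timezone.utc).isoformat(),
            "address": reg.ack_address,
            "content": content,
            "submission_id": sub["id"],
        })

    def repudiate(self, submission_id):
        """The named signatory reports a submission he or she did not make."""
        sub = self.submissions[submission_id - 1]
        sub["status"] = "rejected"
        # Later submissions that use the same device are rejected as well.
        self.registrants[sub["key"][0]].suspended = True
        return sub


def demo():
    system = ReceivingSystem()
    system.register(Registrant("J. Doe", "dev-001", "portal:jdoe",
                               "jdoe@example.org", range(1, 16)))  # constructed

    def at(day):
        return datetime(2005, 10, day, 14, 0, tzinfo=timezone.utc)

    first = system.receive("dev-001", "quarterly-report", "2005-Q3", at(10))
    again = system.receive("dev-001", "quarterly-report", "2005-Q3", at(11))
    late = system.receive("dev-001", "annual-report", "2005", at(27))
    system.repudiate(late["id"])   # signatory saw the acknowledgment and objected
    after = system.receive("dev-001", "quarterly-report", "2005-Q4", at(28))
    return system, [first, again, late, after]


if __name__ == "__main__":
    system, results = demo()
    for r in results:
        print(r["status"], r.get("flags", r.get("reason")))
    print(len(system.ack_log), "acknowledgments documented")
```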
12. Determining the identity of the individual uniquely entitled to
use a signature device. As discussed in section VI.E.6, a system cannot
accept an electronic signature as valid unless it establishes an
identity between the individual designated as signatory and the owner
of the device used to create the signature. Any circumstance casting
doubt on the device's ownership undermines the certainty that
signatures created with the device are valid; if it's not certain whose
device created the signature then it's not certain whether the actual
signatory is the individual who is designated as signatory in the
submitted document. Additionally, it must be clear what the signature
device owner's relation is to the entity on whose behalf a document is
signed, in order to be certain that this device owner is an authorized
signatory. This is also a condition of signature validity. (See section
VI.E.6.) Accordingly, to assure that electronically signed documents
are legally reliable, a system accepting such documents must have a
process for determining who owns the signature devices used to create
the signatures, and their relations to the entities on whose behalf
they sign submitted documents. Section 3.2000(b)(5)(vii) explicitly
reflects this performance standard by requiring that a system provide
for such determinations ``with legal certainty.'' That is, the system
must be able to provide evidence sufficient to prove the signature
device owner's identity and relation to entities on whose behalf he or
she signs in a context where designated signatories may have an
interest in repudiating their signature device ownership or in
distancing themselves from the entities on whose behalf they are
supposed to have signed.
Section 3.2000(b)(5)(vii) does not specify how this performance
standard is to be met; however, at a minimum, an ``identity-proofing''
capability must involve access to a set of descriptions that apply
uniquely to the individual in question and refer to attributes that are
durable, documented, and objective. Such descriptions must be capable
of being shown at any time to uniquely identify the individual without
having to depend on anyone who might have an interest in repudiating
the identification. Section 3.2000(b)(5)(vii) requires that more
specific conditions be met for the special class of electronically
signed documents that are included in the list that defines ``priority
report'' under Sec. 3.3 and Appendix 1 to Part 3. The priority reports
are those that EPA has identified as likely to be material to potential
enforcement litigation. Given this likelihood, it is important to
provide not only for the provability of signature device ownership in
principle, but for the practical need to make this proof with the
resources typically available to enforcement staff and within the
constraints of the judicial process in criminal and civil proceedings.
To address this practical dimension of identity-proofing in the case of
priority reports, Sec. 3.2000(b)(5)(vii) adds three conditions to the
general performance standard. The first is that the identity of a
signature device owner must be verified before the system accepts any
electronic signature created with the device. The second, in Sec.
3.2000(b)(5)(vii)(A), is that this verification must be ``by
attestation of disinterested individuals.'' The third condition, also
contained in Sec. 3.2000(b)(5)(vii)(A), specifies that the
verification be ``based on information or objects of independent
origin, at least one item of which is not subject to change without
government action or authorization.''
Regarding the first condition, requiring identity-proofing before
the signature device is used helps prevent systems from accepting
electronic signatures that cannot be proved to be valid in the context
of an enforcement proceeding. This is at least a potential concern in
any case of electronic signature, but it is also a very real concern in
cases where what is signed is a priority report. The second condition
anticipates the need to prove signature device ownership in court, by
ensuring the availability of someone credible to offer testimony about
the device owner's identity who does not have an interest in
repudiating device ownership. This is the idea of verification by a
``disinterested individual,'' the term defined under Sec. 3.3 as ``a
person who is not the employer; the employer's corporate parent,
subsidiary, or affiliate; contracting agent; or relative (including
spouse or domestic partner) of the individual in whose name the
electronic signature device is issued.'' The condition suggests an
identity-proofing process carried out by a trusted third party, and, in
the current electronic commerce environment, this would typically be a
PKI certificate authority (CA), whose business is to issue certificate-
based electronic signature devices that reflect identity-proofing at a
specified level of assurance. However, it is important to be clear that
verification by a ``disinterested individual'' does not have to involve
a PKI-based approach to electronic signatures. Indeed, it does not have
to involve a third party at all; the disinterested individual could
simply be an employee of the agency operating the electronic document
receiving system, if that agency itself has the resources to provide
for identity-proofing as it registers signature device owners to use
the system. Additionally, if a trusted third party is wanted, there are
alternatives to the CA. For example, with an appropriately defined
procedure, a notary public or some local government official could play
this role; so could some other governmental agency, such as a department
of motor vehicles, which is in the business of issuing credentials
based (usually) on in-person verification of identity.
The third condition sets a standard for the evidence on which
verification of identity would be based--evidence that would be
attested to by the disinterested individual provided for by the second
condition. The standard refers to ``information or objects'' and for
each requires that they be ``of independent origin'' and include at
least one item that requires ``governmental action or authorization''
to change. Information ``of independent origin'' must be knowable
empirically, and not simply as a matter of someone's say so; objects of
independent origin could provide such information. Such information,
where it concerns an individual's identity, would generally come from
three sources: first, documented, direct, in-person contact; second,
documentation of the individual's history--e.g., as an employee, a
consumer, a student, etc.--with objects such as credit cards,
passports, etc., sometimes together with corroborating testimony; and
third, forensic evidence of unique, immutable traits, from such objects
as fingerprints, photos, and handwritten signatures.
Evidence of identity from any of these three sources will meet the
Sec. 3.2000(b)(5)(vii)(A) standard, provided that the information used
also includes at least one item that cannot be changed without
governmental action or authorization--for example, a social security
number, a passport number, or a driver's license number. This last
requirement helps assure that the identifying information used is
sufficiently well-documented and durable to support re-verification of
identity at some later date. The requirement also facilitates identity-
proofing that relies on database searches, insofar as data on
individuals tends to be keyed to government-issued identifiers.
Finally, while such
[[Page 59873]]
identifiers are items of information, they typically are presented on
objects--e.g. a driver's license or a passport--that provide
independent evidence of their authenticity.
EPA recognizes that the identity-proofing requirements specified in
Sec. 3.2000(b)(5)(vii)(A) may be difficult to implement in some cases.
The rule therefore allows a system to meet the Sec.
3.2000(b)(5)(vii)(A) requirements for cases of priority reports in
other ways. Under Sec. 3.2000(b)(5)(vii)(C), a system may collect a
subscriber agreement (see section VI.E.10) from each signatory of the
priority reports received by the system, in lieu of satisfying Sec.
3.2000(b)(5)(vii)(A). Alternatively, the system may collect a
certification from a ``local registration authority'' (LRA) that such a
subscriber agreement has been executed and is being securely stored. As
defined under Sec. 3.3, an LRA is an individual who plays the role of
a custodian of subscriber agreements, maintaining these paper
agreements as records and sending the system a certification of receipt
and secure storage for each such agreement he or she receives. The
presumption is that such certifications would be sent electronically to
the system as signed electronic documents. To become an LRA, an
individual must have his or her identity established by notarized
affidavit, and must be authorized in writing by the regulated entity to
issue these ``agreement collection certifications'' (defined under
Sec. 3.3) on its behalf.
A state, tribe, or local government adopting the subscriber
agreement alternative might choose to implement it through LRAs as a way of
reducing the pieces of paper it had to manage in operating its
electronic document receiving system. While setting up the LRA
relationships requires the collection of affidavits and authorizations
on paper, this involves far fewer paper transactions than collecting
the individual subscriber agreements from each person who signs
priority reports. However, only larger companies or facilities with
many employees signing priority reports are likely to be motivated and
able to designate a company official as an LRA. Although nothing in the
rule prohibits third parties from serving as LRAs for the smaller
companies, a subscriber agreement implementation will probably always
involve accepting some of these agreements directly from priority
report signatories. What is essential under Sec. 3.2000(b)(5)(vii)(C)
is that a subscriber agreement be available, as needed, to establish
the identity of the associated signature device owner. Identity in this
case is established based on the forensic properties of the handwritten
signature on the agreement.
Finally, Sec. 3.2000(b)(5)(vii)(B) gives states, tribes, or local
governments the flexibility to propose identity-proofing methods that
may not meet the specific requirements of Sec. 3.2000(b)(5)(vii)(A),
but which are no less stringent than the methods that satisfy Sec.
3.2000(b)(5)(vii)(A). For example, if a method of electronic identity-
proofing were proposed that relies on the attestations of an LRA who is
not a disinterested party, EPA would look for other features in the
identity-proofing method that guarantee the identity of the LRA and the
trustworthiness of the identity-proofing that the LRA would conduct.
Similarly, if an identity-proofing method were proposed that relies on
objects or information that are not of independent origin (e.g., a
company identification card), EPA would look for other features in the
authentication method that guarantee that the registrant's identity
could not have been manufactured by the registrant or another
interested party. EPA's expectation is that the advance of technology
may also make new methods of identity-proofing available that meet the
needs of the enforcement community, and we expect that Sec.
3.2000(b)(5)(vii)(B) could be used to accommodate such new methods when
implemented as part of electronic document receiving systems.
VII. What are the costs of today's rule?
A. Summary of Proposal Analysis
The Agency has conducted a number of analyses to ensure that this
rule complies with the various statutory and administrative
requirements that apply to EPA regulations. The results of the analyses
are summarized in this section.
In the proposal, EPA estimated that the proposed rule could result
in an average annual reduction in burden of $52.3 million per year for
those facilities reporting, $1.2 million per year for EPA, and $1.24
million for each of the 30 states that were assumed to implement
programs over the eight years of the analysis. EPA received many
comments on the costs associated with the proposed electronic reporting
provisions. Comments included concerns about the proposal's assumptions
related to the number of affected entities, the number of registered
users per facility, the costs to state programs, and the costs of
implementing standard formats. Several commenters expressed support for
the analysis findings, concurring that electronic reporting will reduce
their environmental reporting costs. EPA's response to these comments
is explained in the following section. Additional comments on the cost
analysis and EPA's responses can be found in the rulemaking docket, in
the Response to Comments document.
B. Final Rule Costs
In response to comments received on the proposed rule, EPA
conducted additional cost analyses to determine the impacts of this
rule on regulated entities, states, tribes, and local governments, and
EPA programs. In developing the analysis for this final rule, EPA
relied heavily on existing sources of data that included:
- EPA's 2002 Government Paperwork Elimination Act (GPEA)
  Report to OMB;
- Interviews with EPA programs, states, and nine industry
  representatives currently using CDX to report electronically;
- EPA's Information Collection Requests (ICRs);
- EPA's Envirofacts Warehouse and Facility Registry System;
- Follow-up to comments received from twenty state and local
  government agencies and several major industry associations; and
- Market research to assess trends of large and small
  companies using the Internet, costs of technology for electronic
  signature and data exchange formats, and other technical issues.
Based on the additional analyses, EPA estimates that under this
rule there will be a total cumulative cost savings to the Agency, over
the period 2003 to 2012, ranging from $64.4 million to $75.4 million,
depending on the discount rate used. For those that adopt electronic
reporting, EPA estimates a total cumulative cost burden to state and
local governments under this rule, over the period 2003 to 2012,
ranging from $57.2 million to $65.2 million annually, depending on the
discount rate used. These costs result from the incremental burden to
states to upgrade their receiving systems to meet the rule's standards
and apply for EPA approval of program modifications and revisions. The
model does not consider the potential cost savings to state and local
governments resulting from processing electronic submittals, but EPA
believes the savings would likely offset these incremental costs. For
facilities, EPA estimates a total cumulative cost during this period
ranging from $41.6 million to $51.9 million, depending on the discount
rate used. The net total cumulative cost of this rule, over the period
2003 to 2012, ranges from $34.4 million to $41.7 million, depending on
the discount rate used.
C. General changes to methodology and assumptions
The research effort for the final rule differed from that conducted
for the proposal in that it was much broader and involved far greater
engagement with external stakeholders. EPA used this research to
reevaluate assumptions made in the proposal and to refine the overall
approach to the cost-benefit analysis. The process of reevaluating
costs to regulated entities included:
- Analyzing the GPEA report to determine the specific
  information collections identified as being suitable for electronic
  reporting and their implementation schedule;
- Evaluating each information collection request for an
  understanding of the types of activities that would be eliminated (such
  as mailing paper forms) or reduced (manual data quality checks) through
  electronic reporting;
- Interviewing trade associations, reviewing comments
  received, evaluating market trend research, and querying Envirofacts
  warehouse and Facility Registry System to establish an understanding of
  the numbers of potential facility representatives that would register
  for a particular program, the rate of electronic reporting growth in a
  program, the number of facilities using web forms or file exchanges,
  and the relative distribution of small to large businesses; and
- Establishing an understanding of the time required by
  facilities to register with CDX and maintain a CDX account, through
  interviews with CDX registered users and the CDX hotline.
The process of reevaluating costs and benefits to EPA, states,
tribes, and local governments included:
- Meeting with EPA programs and state program counterparts
  to identify the broad range of EPA authorized programs and the types
  and number of agencies under each program;
- Interviewing state and local agencies and their
  associations as follow-up to public comment to obtain an understanding
  of their current electronic reporting systems, long-term plans, and
  perceived impacts to their systems from this rule;
- Evaluating current information technology expenditures of
  CDX and other program system development efforts, and general costs of
  EPA rulemakings with respect to federal costs and benefits.
In preparing the CBA, EPA used a computer model to estimate the
annual costs to EPA, state and local governments and regulated
entities. To evaluate the costs and benefits of this rule, two
scenarios were modeled: a ``Baseline'' scenario in which EPA would
enable electronic reporting through an approach other than CROMERR and
a ``To Be'' scenario in which EPA enables electronic reporting under
CROMERR. In comparing the cumulative costs of this rule, EPA notes that
the ``To Be'' scenario would be a more efficient approach than the
``Baseline'' scenario. Under the ``Baseline'' scenario, EPA programs
would be left to implement their own program-specific electronic
reporting requirements and electronic document receiving systems. Also,
under the ``Baseline'' scenario, electronic reporting would be delayed,
because EPA would have to generate separate rules and guidance to
support program-specific electronic document receiving systems. Once
these systems were established, reporting entities could conceivably be
required to register under different rules and through different
systems across EPA programs.
Based on the new research, EPA revised assumptions about the costs
associated with authorized programs and corresponding benefits to the
reporting entities. In contrast to the proposal, EPA does not claim the
costs associated with building electronic document receiving systems for
authorized programs (state, tribe, and local) or the benefits for their
reporting entities in using these systems. Since it is clear that
authorized programs intend to proceed with electronic reporting on
their own regardless of this rule, the analysis for the final rule
looks at the incremental costs to electronic document receiving systems
that would be developed absent this rule, in meeting the final rule's
requirements.
Based on research and comments received on the proposal, EPA also
revised the following key cost assumptions:
- Increased costs for XML. EPA substantially increased the
  cost estimate of integrating an XML format into a facility's
  environmental management system (from $4,000 to $10,000).
- Increased number of registered users. EPA substantially
  increased the number of registrants (from 3 registrants per facility to 6
  registrants per facility) in large companies that would use CDX.
- Broadened impacts of authorized programs. EPA
  substantially broadened the number of state, tribe, and local
  environmental agencies potentially impacted by the rule, to include
  health departments, county air boards, oil and gas agencies, and
  publicly-owned treatment works.
VIII. Statutory and Executive Order Reviews
A. Executive Order 12866
Pursuant to the terms of Executive Order 12866 (58 FR 51735,
October 4, 1993), it has been determined that this rule is a
``significant regulatory action'' because it raises novel legal or
policy issues. As such, this action was submitted to OMB for review.
Changes made in response to OMB suggestions or recommendations are
documented in the public record.
For EPA, the average annual cost to implement and operate
electronic reporting under this rule is estimated to be $60.94 million.
The average annual cost to implement and operate electronic reporting
in the absence of this rule (i.e., where EPA implements electronic
reporting on a program-specific basis) is estimated to be $70.36
million for EPA. The average annual cost savings to EPA under this rule
is $8.42 million. The average annual cost to states, tribes, and local
governments in initially upgrading their electronic receiving systems
and obtaining EPA approval for appropriate program modification under
the rule ranges from roughly $5,000 to $460,000, depending on the
number of systems and extent of the upgrades needed. In addition,
states, tribes, and local governments that upgrade their systems are
expected to incur system maintenance costs averaging about $10,000
annually. These costs reflect solely the incremental costs resulting
from the rule; they do not reflect the cost savings that states,
tribes, and local governments will experience in implementing their
receiving systems. EPA has not quantified these savings as part of its
analysis. It should be noted that EPA expects today's rule to produce a
net cost savings for states, tribes, and local governments. However, it
is not possible to provide an adequate year-by-year comparison of the
costs of the two scenarios, because the Baseline Scenario anticipates a
more gradual process of EPA approval for state, tribe, and local
government electronic reporting systems, starting at a later point in
time.
The average annual cost to facilities to submit electronic reports
to EPA in compliance with today's rule ranges from $9 for those
entities that choose simply to use a web browser to access CDX and fill
out web forms, to $10,000 per facility for those companies that wish to
configure their environmental management systems to exchange data with
CDX, using agreed-upon data exchange formats.
In addition to the monetary benefits identified by the analysis,
EPA also
believes that there are many qualitative benefits that justify the
initial costs associated with the rule. These benefits include:
- Responding to federal requirements, such as GPEA, which,
  among other things, requires federal agencies to allow individuals or
  entities that deal with the agencies the option to submit information
  or transact with the agency electronically. This rule sets the legal
  framework for most major EPA initiatives implementing electronic
  environmental data exchanges with the various stakeholders.
- Maintaining consistency with emerging industry commercial
  practices. The implementation of electronic government initiatives is a
  reflection of the rapid evolution of electronic commerce, which has
  occurred in industry since the expansion of the Internet and the World
  Wide Web (WWW), in the early 1990s. In many ways, EPA and state, tribe,
  and local environmental agencies' implementations of electronic
  reporting under today's rule will be more consistent with emerging
  practices and less burdensome to industry than paper reporting.
- Providing sound environmental practice. Part of EPA's
  mission is conserving environmental resources. The traditional
  paper-based reporting practices and processes consume trees and other
  resources for printing, exchanging, reproducing, storing, and
  retrieving grants, permits, compliance reports, and supporting
  documents.
- Fostering more rapid environmental compliance reporting.
  Organizations have become increasingly environmentally conscientious.
  This change stems both from a desire to be good corporate citizens and
  from fear of negative media reporting. Hence, organizations, especially
  large companies, are becoming increasingly interested in being able to
  demonstrate their environmental compliance. More rapid and accurate
  public posting of compliance data by environmental agencies is one way
  to help achieve this goal.
- Simplifying facility reporting. Electronic reporting and
  EPA's planned implementation support a single point of entry into
  agency systems, which will enhance facilities' ability to locate
  appropriate regulations, obtain information, ask questions, obtain
  forms, and submit data.
- Providing more accurate data. Replacing paper forms with
  electronic forms will result in more accurate data. Systems
  incorporating electronic forms can perform real time edit checks that
  will reduce the number of input errors. These checks can range from
  simple verification of valid date formats, to complex validations of
  proper nomenclature and limits of chemicals emitted into the
  environment. Improved data quality will also help reduce the time
  required for data correction and the effects of inaccurate reporting.
- Making data more readily available. The process of
  creating, mailing, receiving, entering, verifying, and correcting paper
  reports consumes both resources and time. This delays the analysis of
  the data by EPA and authorized programs and its availability to
  decision makers and the public.
- Providing the foundation for further process
  re-engineering. Moving data from a paper to an electronic system as early
  in the process as possible creates the foundation on which many
  work-flow re-engineering initiatives can be constructed.
B. Executive Order 13132
Executive Order 13132, entitled ``Federalism'' (64 FR 43255, August
10, 1999), requires EPA to develop an accountable process to ensure
``meaningful and timely input by state and local officials in the
development of regulatory policies that have federalism implications.''
``Policies that have federalism implications'' are defined in the
Executive Order to include regulations that have ``substantial direct
effects on the states, on the relationship between the national
government and the states, or on the distribution of power and
responsibilities among the various levels of government.''
This final rule does not have federalism implications. EPA has
determined that the final rule will not have substantial direct effects
on the states, on the relationship between the national government and
the states, or on the distribution of power and responsibilities among
the various levels of government, as specified in Executive Order
13132. The final rule will not require states to accept electronic
reports. The effect of this rule will be to provide an electronic
alternative to currently accepted methods of receiving regulatory
reports on paper and to give the states the option of choosing to
receive electronic submissions in satisfaction of reporting
requirements under their authorized programs or continuing to require
submissions on paper.
Authorized states and local agencies that choose to receive
electronic reports under this rule may incur expenses initially in
developing systems or modifying existing systems to meet the standards
in this rule. The average annual cost to state agencies in upgrading
their electronic receiving systems and obtaining EPA program
modification approval depends on the amount of effort required to
adhere to the requirements of this rule. However, EPA estimates that
for those states deploying systems that meet rule standards, each state
will incur a cost of about $12,000 in obtaining EPA approval of its
system. For a state where upgrades to its systems are needed to meet
rule requirements, the costs can range up to $460,000, depending on the
size and complexity of its systems and the extent of the upgrades
needed. Maintenance costs for maintaining compliance with this rule
will cost each state about $10,000 annually. These costs include both
capital costs required for hardware and software upgrades, and labor
costs incurred by state employees. EPA analyzed the most likely
alternative scenario where, absent this rule, EPA programs would
implement rules that would require states to seek program modifications
on a program by program basis. It should be noted that these analyses
do not quantify the cost savings that states will incur through
offering electronic reporting options to their reporting entities. EPA
believes these savings will greatly outweigh the costs of complying
with the rule. Based on these analyses, EPA believes that although the
final rule imposes some compliance costs on state and local
governments, the costs for most states are marginal and will result in
net benefits over the most likely alternative scenario.
Over the last several years, EPA has provided substantial financial
support to states to assist in upgrades to information technology
systems. For example, in fiscal years 2002-2004, EPA provided
approximately $65 million to states, tribes, and territories
through grants to support their efforts to establish EIEN. EPA intends
to award additional grants for fiscal year 2005. EPA's fiscal year 2006
budget includes $20 million for the EIEN Grant Program. States, tribes,
and territories may apply for these grant funds to generally upgrade
their EIEN capabilities, including improvements related to this rule,
e.g., to improve data validity and user authentication procedures, as
required by today's final rule.
Although Section 6 of Executive Order 13132 does not apply to this
rule, EPA has welcomed the active participation of the states; on
several separate occasions EPA has held substantial consultations with
state and local officials in developing this rule. State participation
has resulted in changes to the final rule, including the section 3.1000
approval process and
special provisions such as deferred compliance for existing systems.
C. Paperwork Reduction Act
OMB has approved the information collection requirements contained
in this rule under the provisions of the Paperwork Reduction Act (PRA),
44 U.S.C. 3501 et seq. and has assigned OMB control number 2025-0003.
The ICR for this rule covers the registration information, which
will be collected from individuals wishing to submit electronic reports
to EPA on behalf of regulated facilities. The information will be used
to establish the identity of that individual and the regulated entity
he or she represents. This information will be used by EPA to register
and provide individuals with the ability to access the EPA's electronic
document receiving system, CDX. In appropriate circumstances this
information will also be used to issue an electronic signature to the
registered individual. The ICR also covers activities incidental to
electronic reporting (e.g., submittal of an electronic signature
agreement to EPA as applicable). It should be noted that the submission
of environmental reports in an electronic format to EPA and states,
tribes, and local governments is voluntary for most examples of
electronic reporting, and viewed as a service that EPA and its
regulatory partners are providing to the regulated community. The rule
allows reporting entities to submit reports and other information
electronically, thereby streamlining and expediting the process for
reporting. However, it should also be understood that this rule does
set forth requirements for regulated entities that submit electronic
reports directly to EPA and for states, tribes, and local governments
that choose to implement electronic reporting under their authorized
programs. EPA is issuing this rule on cross-media electronic reporting,
in part, under the authority of GPEA, Public Law 105-277, which amends
the PRA.
In addition, the ICR covers state, tribe, and local government
activities involved in upgrading their electronic receiving systems to
satisfy the standards in the rule and in applying to EPA for approval
of program modification. States, tribes, and local governments will
undertake these activities only if they intend to collect information
electronically under an EPA authorized program.
The total annual reporting and recordkeeping burden this ICR
estimates is 151,963 hours, which includes the tasks described above.
It is expected that a respondent reporting directly to EPA will take on
average ten minutes to register with CDX; however, if the respondent
contacts the CDX help desk for assistance with CDX registration, on
average the respondent will incur an additional six minutes. The
average annual number of respondents registering with CDX is 19,434. It
is further expected that 201,331 respondents will report electronically
to a state, tribe, or local government receiving system. Respondents
reporting to EPA or state, tribe, or local governments may also incur
an additional burden of 20 minutes to prepare, sign, and submit an
electronic signature agreement. The average annual number of these
respondents is 177,009. In addition, the ICR estimates that 7,293
medium-sized and large companies will register local registration
authorities (LRA) and incur an additional burden of 1 hour. This
includes the time to prepare and submit LRA designation applications,
collect and store subscriber agreements, and prepare and submit
certification of receipt and secure storage.
Finally, it is expected that a state, tribe, or local government
would take between 210 and 330 hours to prepare and submit its program
modification application to EPA. The average annual number of states
applying to EPA is expected to be 15; the average annual number of
tribes and local governments applying to EPA is expected to be 46. In
addition, the ICR estimates $4,450,658 in annual capital/start-up costs
for states, tribes and local governments to upgrade their receiving
systems. The ICR estimates $663,975 in annual operation and maintenance
costs. This includes costs to registrants and state, tribes and local
governments in submitting information to EPA.
Public Burden Statement
The public reporting burden is estimated to be 10 minutes for an
individual that reports electronically to the CDX. This includes time
for preparing the on-line application and calling the CDX help desk.
The public reporting burden in this ICR is estimated to be 15
minutes for an individual that prepares and submits a subscriber
agreement.
The public reporting burden is estimated to be 30 minutes for a
local registration authority. This includes time for preparing and
submitting the certification of receipt and secure storage to EPA or
state/local agency.
The public reporting burden is estimated to range from 210 hours
for a local government to 330 hours for a state seeking to implement an
electronic receiving system. This includes time for preparing and
submitting the program modification application to EPA.
Burden means the total time, effort, or financial resources
expended by persons to generate, maintain, retain, or disclose or
provide information to or for a Federal agency. This includes the time
needed to review instructions; develop, acquire, install, and utilize
technology and systems for the purposes of collecting, validating, and
verifying information, processing and maintaining information, and
disclosing and providing information; adjust the existing ways to
comply with any previously applicable instructions and requirements;
train personnel to be able to respond to a collection of information;
search data sources; complete and review the collection of information;
and transmit or otherwise disclose the information.
An agency may not conduct or sponsor, and a person is not required
to respond to a collection of information unless it displays a
currently valid OMB control number. The OMB control numbers for EPA's
regulations are listed in 40 CFR part 9 and 48 CFR chapter 15. In
addition, EPA is amending the table in 40 CFR part 9 of currently
approved OMB control numbers for various regulations to list the
regulatory citations for the information requirements contained in this
final rule.
D. Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq.,
generally requires an agency to prepare a regulatory flexibility
analysis of any rule subject to notice and comment rulemaking
requirements under the Administrative Procedure Act or any other
statute unless the agency certifies that the rule will not have a
significant economic impact on a substantial number of small entities.
Small entities include small businesses, small organizations, and small
governmental jurisdictions.
For the purpose of assessing the impacts of today's rule on small
entities, small entity is defined as: (1) Small business as defined by
the RFA and based on Small Business Administration (SBA) size
standards; (2) a small governmental jurisdiction that is a government
of a city, county, town, school district, or special district with a
population of less than 50,000; and (3) a small organization that is
any not-for-profit enterprise which is independently owned and operated
and is not dominant in its field.
After considering the economic impacts of today's final rule on
small entities, the Agency certifies, pursuant to section 605(b) of the
RFA, that this
action will not have a significant economic impact on a substantial
number of small entities. Courts have interpreted the RFA to require a
regulatory flexibility analysis only when small entities will be
subject to the requirements of the rule. See Motor and Equip. Mfrs.
Ass'n v. Nichols, 142 F.3d 449 (D.C. Cir. 1998); United Distribution
Cos. v. FERC, 88 F.3d 1105, 1170 (D.C. Cir. 1996); Mid-Tex Elec. Co-op,
Inc. v. FERC, 773 F.2d 327, 342 (D.C. Cir. 1985) (agency's
certification need only consider the rule's impact on entities subject
to the rule). This final rule would not establish any new direct
requirements applicable to small entities. States that are directly
regulated in this rulemaking are not small entities.
This rule provides for EPA review and approval of authorized state,
tribe, and local government programs that decide to provide for
electronic reporting. This rule includes performance standards against
which a state's, tribe's, or local government's electronic document
receiving system will be evaluated before EPA will approve changes to
the delegated, authorized, or approved program to provide electronic
reporting, and establishes a streamlined process that states, tribes,
and local governments can use to seek and obtain such approvals. The
rule also includes special provisions for existing state electronic
reporting systems in place at the time of publication of this rule.
Currently, entities that choose to submit electronic documents
directly to EPA submit documents to a centralized Agency-wide
electronic document-receiving system, called the CDX, or to alternative
systems designated by the Administrator. This rule does not change
those systems. In addition, today's rule does not require the
submission of electronic documents in lieu of paper documents.
Because there is no requirement to adopt electronic reporting, EPA
has determined that small local governments will not be directly
impacted by this rule. Nonetheless, EPA also considered the possible
impacts of this rule to determine whether small local governments could
potentially be subject to the provisions of Sec. 3.1000, which would
require these programs to seek EPA approval for their electronic
document receiving systems if they choose to provide electronic
reporting. EPA reviewed its programs and conducted follow-up to
comments received from industry, state, and local government
associations to determine possible impacts to small local
jurisdictions. Based on its review, EPA concluded that the only small
government jurisdictions possibly subject to the rule are those with
Publicly-Owned Treatment Works (POTWs). Only POTWs choosing to deploy
electronic document receiving systems would be subject to today's rule.
Through analysis and direct discussions with municipal POTWs and trade
associations, EPA did not identify any such small government
jurisdictions planning to deploy electronic reporting systems.
Although not required by the RFA, (See Michigan v. EPA, 213 F.3d
663, 668-69 (D.C. Cir., 2000), cert. den. 121 S.Ct. 225, 149 L.Ed.2d
135 (2001)), as a part of the analysis prepared under Executive Order
12866, EPA also considered the costs to small entities that are
indirect reporters to authorized state, tribal, and local government
programs. For this final rule, EPA prepared a cost/benefit analysis to
assess the economic impact of CROMERR, which can be found in the docket
for this rule.
Although this rule will not have a significant economic impact on a
substantial number of small entities, the Agency nonetheless consulted
with small entities as well as organizations such as the Small Business
Administration (SBA). We made several changes to the rule based upon
these discussions.
E. Unfunded Mandates Reform Act
Title II of the Unfunded Mandates Reform Act of 1995 (UMRA), Public
Law 104-4, establishes requirements for federal agencies to assess the
effects of their regulatory actions on states, tribes, and local
governments and the private sector. Under section 202 of UMRA, EPA must
prepare a written statement, including a cost-benefit analysis, for
proposed and final rules with ``Federal mandates'' that may result in
expenditures to states, tribes, and local governments, in the
aggregate, or to the private sector, of $100 million or more in any one
year. Before promulgating a rule for which a written statement is
needed, section 205 of the UMRA generally requires EPA to identify and
consider a reasonable number of regulatory alternatives and adopt the
least costly, most cost-effective or least burdensome alternative that
achieves the objectives of the rule. The provisions of section 205 do
not apply when they are inconsistent with applicable law. Moreover,
section 205 allows EPA to adopt an alternative other than the least
costly, most cost-effective or least burdensome alternative if the
Administrator publishes with the final rule an explanation why that
alternative was not adopted.
Before EPA establishes any regulatory requirements that may
significantly or uniquely affect small governments, including tribes,
it must have developed under section 203 of UMRA a small-government
agency plan. The plan must provide for notifying potentially affected
small governments, enabling officials of affected small governments to
have meaningful and timely input into the development of EPA regulatory
proposals with significant Federal intergovernmental mandates. The plan
must also provide for informing, educating, and advising small
governments on compliance with the regulatory requirements.
As described in section VIII.D. of this Preamble, above, EPA also
evaluated the possible impacts of this rule to small governments. In
particular, EPA was concerned that small governments could potentially
be subject to the provisions of Sec. 3.1000, which would require these
programs to seek EPA approval for the electronic document receiving
systems. EPA reviewed its programs, and also conducted follow-up to
comments from industry, state, and local government associations to
determine possible impacts to small local governments. As a result of
this review, EPA concluded that small local governments would not be
adversely impacted by the provisions of Sec. 3.1000 of this rule.
The Agency has determined that this rule does not contain a Federal
mandate that may result in expenditures of $100 million or more for
states, tribes, and local governments, in the aggregate, or the private
sector in any one year. Thus, today's rule is not subject to the
requirements in sections 202 and 205 of UMRA. The Agency has determined
that this rule contains no regulatory requirements that might
significantly or uniquely affect small governments and thus this rule
is not subject to the requirements in section 202 of UMRA.
F. National Technology Transfer and Advancement Act
Section 12(d) of the National Technology Transfer and Advancement
Act of 1995 (NTTAA), Public Law 104-113, section 12(d) (15 U.S.C. 272
note) directs EPA to use voluntary consensus standards in its
regulatory activities unless to do so would be inconsistent with
applicable law or otherwise impractical. Voluntary consensus standards
are technical standards (e.g., materials specifications, test methods,
sampling procedures, and business practices) that are developed or
adopted by voluntary consensus standards bodies. The NTTAA directs EPA
to provide Congress, through OMB, with explanations when the Agency
decides
not to use available and applicable voluntary consensus standards.
The consensus standards relevant to an electronic reporting rule
are primarily technical standards that specify file formats for the
electronic exchange of data, telecommunications network protocols, and
electronic signature technologies and formats. EPA is not setting
requirements for electronic reporting at the level of specificity
addressed by such formats, protocols and technologies, so consensus
standards are not directly applicable to today's rule. For example, the
final rule does not stipulate data exchange formats, does not specify
electronic signature technologies, and does not address
telecommunications issues. At the same time, there is nothing in
today's rule that is incompatible with these standards, and in
implementing electronic reporting under this rule EPA is adopting
standards-based approaches to electronic data exchange.
In the preamble to the proposed rule, EPA described its initial
plans to implement a number of standards-based approaches to electronic
reporting, including electronic data exchange formats based upon the
ANSI Accredited Standards Committee's (ASC) X12 for Electronic Data
Interchange or EDI. That preamble also discussed EPA's interest in
exploring the use of Internet data exchange formats based on XML, then
under development by the World Wide Web Consortium (W3C). As a part of
the preamble discussion, EPA solicited comment on these planned
standards-based electronic reporting implementations. In response, EPA
received considerable feedback both from states and from industry
indicating a trend in the direction of XML, and away from the
deployment of ANSI ASC X12 standards. In any event, CDX now looks to
XML to provide the formats for its Internet data exchanges. EPA
currently supports multi-agency Integrated Project Teams to develop XML
formats and intends to use standardized formats for this purpose to the
extent that they are available. In addition, EPA currently registers
XML formats in its System of Registries to facilitate easy access to
these formats for partners wishing to exchange data. EPA is attempting
to make use of applicable standards-setting work being done by several
organizations, including the Electronic Business XML (ebXML), the
Organization for the Advancement of Structured Information Standards
(OASIS), and, internationally, the United Nations Center for
Administration, Commerce, and Transport (UN/CEFACT) Forum. In any
event, today's rule is compatible with any of these current standards-
based approaches to electronic reporting, but the rule itself does not
set requirements at the level of detail that such standards address.
G. Executive Order 13045
Executive Order 13045, Protection of Children from Environmental
Health Risks and Safety Risks (62 FR 19885, April 23, 1997) applies to
any rule that EPA determines (1) is ``economically significant'' as
defined under Executive Order 12866 and (2) concerns an environmental
health or safety risk that EPA has reason to believe may have a
disproportionate effect on children. EPA interprets Executive Order
13045 as encompassing only those regulatory actions that are risk-based
or health-based, such that the analysis required under Section 5-501 of
the Executive Order has the potential to influence the regulation.
This rule is not subject to Executive Order 13045 because it is not
an economically significant action as defined by Executive Order 12866
and it does not involve decisions regarding environmental health or
safety risks. This rule contains general performance standards for the
submission of environmental data electronically.
H. Executive Order 13175
Executive Order 13175, entitled, ``Consultation and Coordination
with Indian Tribal Governments'' (65 FR 67249, November 6, 2000),
requires EPA to develop an accountable process to ensure ``meaningful
and timely input by tribal officials in the development of regulatory
policies that have tribal implications.'' ``Policies that have tribal
implications'' are defined in the Executive Order to include
regulations that have ``substantial direct effects on one or more
Indian tribes, on the relationship between the Federal Government and
the Indian tribes, or on the distribution of power and responsibilities
between the Federal Government and Indian tribes.''
This rule does not have tribal implications, as specified in
Executive Order 13175, and therefore consultation under the Order is
not required. It will not have substantial direct effects on tribes, on
the relationship between the federal government and Indian tribes, or
on the distribution of power and responsibilities between the federal
government and Indian tribes, as specified in Executive Order 13175.
This action does not require Indian tribes to accept electronic
reports. The effect of this rule is to provide additional regulatory
flexibility to Indian tribes by giving them the opportunity to submit
electronic reports to EPA in satisfaction of EPA reporting requirements
and by allowing them to implement electronic reporting under their
authorized programs.
I. Executive Order 13211 (Energy Effects)
This rule is not a ``significant energy action'' as defined in
Executive Order 13211, ``Actions Concerning Regulations That
Significantly Affect Energy Supply, Distribution, or Use'' (66 FR
28355, May 22, 2001) because it is not likely to have a significant
adverse effect on the supply, distribution, or use of energy. EPA has
concluded that this rule is not likely to have any adverse energy
effects.
J. Congressional Review Act
The Congressional Review Act, 5 U.S.C. 801 et seq., as added by the
Small Business Regulatory Enforcement Fairness Act of 1996, generally
provides that before a rule may take effect, the agency promulgating
the rule must submit a rule report, which includes a copy of the rule,
to each House of the Congress and to the Comptroller General of the
United States. EPA will submit a report containing this rule and other
required information to the U.S. Senate, the U.S. House of
Representatives, and the Comptroller General of the United States prior
to publication of the rule in the Federal Register. A major rule cannot
take effect until 60 days after it is published in the Federal
Register. This action is not a ``major rule'' as defined by 5 U.S.C.
804(2). This rule will become effective on January 11, 2006.
List of Subjects
40 CFR Part 3
Environmental protection, Conflict of interests, Electronic
records, Electronic reporting requirements, Electronic reports,
Intergovernmental relations.
40 CFR Part 9
Environmental protection, Electronic records, Electronic reporting
requirements, Electronic reports, Intergovernmental relations,
Reporting and recordkeeping requirements.
40 CFR Part 51
Environmental protection, Administrative practice and procedure,
Air pollution control, Carbon monoxide, Electronic records, Electronic
reporting requirements, Electronic reports, Intergovernmental
relations, Lead, Nitrogen dioxide, Ozone, Particulate matter, Reporting
and recordkeeping
[[Page 59879]]
requirements, Sulfur oxides, Volatile organic compounds.
40 CFR Part 60
Environmental protection, Administrative practice and procedure,
Air pollution control, Aluminum, Ammonium sulfate plants, Batteries,
Beverages, Carbon monoxide, Cement industry, Coal, Copper, Dry
cleaners, Electric power plants, Electronic records, Electronic
reporting requirements, Electronic reports, Fertilizers, Fluoride,
Gasoline, Glass and glass products, Grains, Graphic arts industry,
Heaters, Household appliances, Insulation, Intergovernmental relations,
Iron, Labeling, Lead, Lime, Metallic and nonmetallic mineral processing
plants, Metals, Motor vehicles, Natural gas, Nitric acid plants,
Nitrogen dioxide, Paper and paper products industry, Particulate
matter, Paving and roofing materials, Petroleum, Phosphate, Plastics
materials and synthetics, Polymers, Reporting and recordkeeping
requirements, Sewage disposal, Steel, Sulfur oxides, Sulfuric acid
plants, Tires, Urethane, Vinyl, Volatile organic compounds, Waste
treatment and disposal, Zinc.
40 CFR Part 63
Environmental protection, Air pollution control, Electronic
records, Electronic reporting requirements, Electronic reports,
Hazardous substances, Intergovernmental relations, Reporting and
recordkeeping requirements.
40 CFR Part 69
Environmental protection, Air pollution control, Electronic
records, Electronic reporting requirements, Electronic reports, Guam,
Intergovernmental relations.
40 CFR Part 70
Environmental protection, Administrative practice and procedure,
Electronic records, Electronic reporting requirements, Electronic
reports, Intergovernmental relations.
40 CFR Part 71
Environmental protection, Administrative practice and procedure,
Electronic records, Electronic reporting requirements, Electronic
reports, Intergovernmental relations.
40 CFR Part 123
Environmental protection, Administrative practice and procedure,
Confidential business information, Electronic records, Electronic
reporting requirements, Electronic reports, Hazardous substances,
Indians-lands, Intergovernmental relations, Penalties, Reporting and
recordkeeping requirements, Water pollution control.
40 CFR Part 142
Environmental protection, Administrative practice and procedure,
Chemicals, Electronic records, Electronic reporting requirements,
Electronic reports, Indians-lands, Intergovernmental relations,
Radiation protection, Reporting and recordkeeping requirements, Water
supply.
40 CFR Part 145
Environmental protection, Confidential business information,
Electronic records, Electronic reporting requirements, Electronic
reports, Indians-lands, Intergovernmental relations, Penalties,
Reporting and recordkeeping requirements, Water supply.
40 CFR Part 162
Environmental protection, Administrative practice and procedure,
Electronic records, Electronic reporting requirements, Electronic
reports, Intergovernmental relations, Pesticides and pests, Reporting
and recordkeeping requirements, State registration of pesticide
products.
40 CFR Part 233
Environmental protection, Administrative practice and procedure,
Electronic records, Electronic reporting requirements, Electronic
reports, Intergovernmental relations, Penalties, Reporting and
recordkeeping requirements, Water pollution control.
40 CFR Part 257
Environmental protection, Electronic records, Electronic reporting
requirements, Electronic reports, Intergovernmental relations, Waste
treatment and disposal.
40 CFR Part 258
Environmental protection, Electronic records, Electronic reporting
requirements, Electronic reports, Intergovernmental relations,
Reporting and recordkeeping requirements, Waste treatment and disposal,
Water pollution control.
40 CFR Part 271
Environmental protection, Administrative practice and procedure,
Confidential business information, Electronic records, Electronic
reporting requirements, Electronic reports, Hazardous materials
transportation, Hazardous waste, Indians-lands, Intergovernmental
relations, Penalties, Reporting and recordkeeping requirements, Water
pollution control, Water supply.
40 CFR Part 281
Environmental protection, Administrative practice and procedure,
Electronic records, Electronic reporting requirements, Electronic
reports, Hazardous substances, Insurance, Intergovernmental relations,
Oil pollution, Reporting and recordkeeping requirements, Surety bonds,
Water pollution control, Water supply.
40 CFR Part 403
Environmental protection, Confidential business information,
Electronic records, Electronic reporting requirements, Electronic
reports, Intergovernmental relations, Reporting and recordkeeping
requirements, Waste treatment and disposal, Water pollution control.
40 CFR Part 501
Environmental protection, Administrative practice and procedure,
Electronic records, Electronic reporting requirements, Electronic
reports, Intergovernmental relations, Penalties, Reporting and
recordkeeping requirements, Sewage disposal.
40 CFR Part 745
Environmental protection, Electronic records, Electronic reporting
requirements, Electronic reports, Intergovernmental relations,
Hazardous substances, Lead poisoning, Reporting and recordkeeping
requirements.
40 CFR Part 763
Environmental protection, Administrative practice and procedure,
Asbestos, Electronic records, Electronic reporting requirements,
Electronic reports, Hazardous substances, Imports, Intergovernmental
relations, Reporting and recordkeeping requirements.
Dated: September 22, 2005.
Stephen L. Johnson,
Administrator.
Therefore, Title 40 Chapter I of the Code of Federal Regulations is
amended by adding a new Part 3, and amending parts 9, 51, 60, 63, 69,
70, 71, 123, 142, 145, 162, 233, 257, 258, 271, 281, 403, 501, 745, and
763 to read as follows:
PART 3--CROSS-MEDIA ELECTRONIC REPORTING
Subpart A--General Provisions
Sec.
3.1 Who does this part apply to?
3.2 How does this part provide for electronic reporting?
3.3 What definitions are applicable to this part?
[[Page 59880]]
3.4 How does this part affect enforcement and compliance provisions
of Title 40?
Subpart B--Electronic Reporting to EPA
3.10 What are the requirements for electronic reporting to EPA?
3.20 How will EPA provide notice of changes to the Central Data
Exchange?
Subpart C--[Reserved]
Subpart D--Electronic Reporting under EPA-Authorized State, Tribe, and
Local Programs
3.1000 How does a state, tribe, or local government revise or modify
its authorized program to allow electronic reporting?
3.2000 What are the requirements authorized state, tribe, and local
programs' reporting systems must meet?
Authority: 7 U.S.C. 136 to 136y; 15 U.S.C. 2601 to 2692; 33
U.S.C. 1251 to 1387; 33 U.S.C. 1401 to 1445; 33 U.S.C. 2701 to 2761;
42 U.S.C. 300f to 300j-26; 42 U.S.C. 4852d; 42 U.S.C. 6901-6992k; 42
U.S.C. 7401 to 7671q; 42 U.S.C. 9601 to 9675; 42 U.S.C. 11001 to
11050; 15 U.S.C. 7001; 44 U.S.C. 3504 to 3506.
Subpart A--General Provisions
Sec. 3.1 Who does this part apply to?
(a) This part applies to:
(1) Persons who submit reports or other documents to EPA to satisfy
requirements under Title 40 of the Code of Federal Regulations (CFR);
and
(2) States, tribes, and local governments administering or seeking
to administer authorized programs under Title 40 of the CFR.
(b) This part does not apply to:
(1) Documents submitted via facsimile in satisfaction of reporting
requirements as permitted under other parts of Title 40 or under
authorized programs; or
(2) Electronic documents submitted via magnetic or optical media
such as diskette, compact disc, digital video disc, or tape in
satisfaction of reporting requirements, as permitted under other parts
of Title 40 or under authorized programs.
(c) This part does not apply to any data transfers between EPA and
states, tribes, or local governments as a part of their authorized
programs or as a part of administrative arrangements between states,
tribes, or local governments and EPA to share data.
Sec. 3.2 How does this part provide for electronic reporting?
(a) Electronic reporting to EPA. Except as provided in Sec.
3.1(b), any person who is required under Title 40 to create and submit
or otherwise provide a document to EPA may satisfy this requirement
with an electronic document, in lieu of a paper document, provided
that:
(1) He or she satisfies the requirements of Sec. 3.10; and
(2) EPA has first published a notice in the Federal Register
announcing that EPA is prepared to receive, in electronic form,
documents required or permitted by the identified part or subpart of
Title 40.
(b) Electronic reporting under an EPA-authorized state, tribe, or
local program.
(1) An authorized program may allow any document submission
requirement under that program to be satisfied with an electronic
document provided that the state, tribe, or local government seeks and
obtains revision or modification of that program in accordance with
Sec. 3.1000 and also meets the requirements of Sec. 3.2000 for such
electronic reporting.
(2) A state, tribe, or local government that is applying for
initial delegation, authorization, or approval to administer a federal
program or a program in lieu of the federal program, and that will
allow document submission requirements under the program to be
satisfied with an electronic document, must use the procedures for
obtaining delegation, authorization, or approval under the relevant
part of Title 40 and may not use the procedures set forth in Sec.
3.1000; but the application must contain the information required by
Sec. 3.1000(b)(1) and the state, tribe, or local government must meet
the requirements of Sec. 3.2000.
(c) Limitations. This part does not require submission of
electronic documents in lieu of paper. This part confers no right or
privilege to submit data electronically and does not obligate EPA,
states, tribes, or local governments to accept electronic documents.
Sec. 3.3 What definitions are applicable to this part?
The definitions set forth in this section apply when used in this
part.
Acknowledgment means a confirmation of electronic document receipt.
Administrator means the Administrator of the EPA.
Agency means the EPA or a state, tribe, or local government that
administers or seeks to administer an authorized program.
Agreement collection certification means a signed statement by
which a local registration authority certifies that a subscriber
agreement has been received from a registrant; the agreement has been
stored in a manner that prevents unauthorized access to these
agreements by anyone other than the local registration authority; and
the local registration authority has no basis to believe that any of
the collected agreements have been tampered with or prematurely
destroyed.
Authorized program means a Federal program that EPA has delegated,
authorized, or approved a state, tribe, or local government to
administer, or a program that EPA has delegated, authorized, or
approved a state, tribe or local government to administer in lieu of a
Federal program, under other provisions of Title 40 and such
delegation, authorization, or approval has not been withdrawn or
expired.
Central Data Exchange means EPA's centralized electronic document
receiving system, or its successors, including associated instructions
for submitting electronic documents.
Chief Information Officer means the EPA official assigned the
functions described in section 5125 of the Clinger Cohen Act (Pub. L.
104-106).
Copy of record means a true and correct copy of an electronic
document received by an electronic document receiving system, which
copy can be viewed in a human-readable format that clearly and
accurately associates all the information provided in the electronic
document with descriptions or labeling of the information. A copy of
record includes:
(1) All electronic signatures contained in or logically associated
with that document;
(2) The date and time of receipt; and
(3) Any other information used to record the meaning of the
document or the circumstances of its receipt.
Disinterested individual means an individual who is not connected
with the person in whose name the electronic signature device is
issued. A disinterested individual is not any of the following: The
person's employer or employer's corporate parent, subsidiary, or
affiliate; the person's contracting agent; member of the person's
household; or relative with whom the person has a personal
relationship.
Electronic document means any information in digital form that is
conveyed to an agency or third-party, where ``information'' may include
data, text, sounds, codes, computer programs, software, or databases.
``Data,'' in this context, refers to a delimited set of data elements,
each of which consists of a content or value together with an
understanding of what the content or value means; where the electronic
document includes data, this understanding of what the data element
content or value means must be explicitly included in the electronic
document itself or else be readily available to the electronic document
recipient.
Electronic document receiving system means any set of apparatus,
procedures,
[[Page 59881]]
software, records, or documentation used to receive electronic
documents.
Electronic signature means any information in digital form that is
included in or logically associated with an electronic document for the
purpose of expressing the same meaning and intention as would a
handwritten signature if affixed to an equivalent paper document with
the same reference to the same content. The electronic document bears
or has on it an electronic signature where it includes or has logically
associated with it such information.
Electronic signature agreement means an agreement signed by an
individual with respect to an electronic signature device that the
individual will use to create his or her electronic signatures
requiring such individual to protect the electronic signature device
from compromise; to promptly report to the agency or agencies relying
on the electronic signatures created any evidence discovered that the
device has been compromised; and to be held as legally bound,
obligated, or responsible by the electronic signatures created as by a
handwritten signature.
Electronic signature device means a code or other mechanism that is
used to create electronic signatures. Where the device is used to
create an individual's electronic signature, then the code or mechanism
must be unique to that individual at the time the signature is created
and he or she must be uniquely entitled to use it. The device is
compromised if the code or mechanism is available for use by any other
person.
EPA means the United States Environmental Protection Agency.
Existing electronic document receiving system means an electronic
document receiving system that is being used to receive electronic
documents in lieu of paper to satisfy requirements under an authorized
program on October 13, 2005 or the system, if not in use, has been
substantially developed on or before that date as evidenced by the
establishment of system services or specifications by contract or other
binding agreement.
Federal program means any program administered by EPA under any
other provision of Title 40.
Federal reporting requirement means a requirement to report
information directly to EPA under any other provision of Title 40.
Handwritten signature means the scripted name or legal mark of an
individual, handwritten by that individual with a marking- or
writing-instrument such as a pen or stylus and executed or adopted with the
present intention to authenticate a writing in a permanent form, where
``a writing'' means any intentional recording of words in a visual
form, whether in the form of handwriting, printing, typewriting, or any
other tangible form. The physical instance of the scripted name or mark
so created constitutes the handwritten signature. The scripted name or
legal mark, while conventionally applied to paper, may also be applied
to other media.
Information or objects of independent origin means data or items
that originate from a disinterested individual or are forensic evidence
of a unique, immutable trait which is (and may at any time be)
attributed to the individual in whose name the device is issued.
Local registration authority means an individual who is authorized
by a state, tribe, or local government to issue an agreement collection
certification, whose identity has been established by notarized
affidavit, and who is authorized in writing by a regulated entity to
issue agreement collection certifications on its behalf.
Priority reports means the reports listed in Appendix 1 to part 3.
Subscriber agreement means an electronic signature agreement signed
by an individual with a handwritten signature. This agreement must be
stored until five years after the associated electronic signature
device has been deactivated.
Transmit means to successfully and accurately convey an electronic
document so that it is received by the intended recipient in a format
that can be processed by the electronic document receiving system.
Valid electronic signature means an electronic signature on an
electronic document that has been created with an electronic signature
device that the identified signatory is uniquely entitled to use for
signing that document, where this device has not been compromised, and
where the signatory is an individual who is authorized to sign the
document by virtue of his or her legal status and/or his or her
relationship to the entity on whose behalf the signature is executed.
Sec. 3.4 How does this part affect enforcement and compliance
provisions of Title 40?
(a) A person is subject to any applicable federal civil, criminal,
or other penalties and remedies for failure to comply with a federal
reporting requirement if the person submits an electronic document to
EPA under this part that fails to comply with the provisions of Sec.
3.10.
(b) A person is subject to any applicable federal civil, criminal,
or other penalties or remedies for failure to comply with a State,
tribe, or local reporting requirement if the person submits an
electronic document to a State, tribe, or local government under an
authorized program and fails to comply with the applicable provisions
for electronic reporting.
(c) Where an electronic document submitted to satisfy a federal or
authorized program reporting requirement bears an electronic signature,
the electronic signature legally binds, obligates, and makes the
signatory responsible, to the same extent as the signatory's
handwritten signature would on a paper document submitted to satisfy
the same federal or authorized program reporting requirement.
(d) Proof that a particular signature device was used to create an
electronic signature will suffice to establish that the individual
uniquely entitled to use the device did so with the intent to sign the
electronic document and give it effect.
(e) Nothing in this part limits the use of electronic documents or
information derived from electronic documents as evidence in
enforcement or other proceedings.
Subpart B--Electronic Reporting to EPA
Sec. 3.10 What are the requirements for electronic reporting to EPA?
(a) A person may use an electronic document to satisfy a federal
reporting requirement or otherwise substitute for a paper document or
submission permitted or required under other provisions of Title 40
only if:
(1) The person transmits the electronic document to EPA's Central
Data Exchange, or to another EPA electronic document receiving system
that the Administrator may designate for the receipt of specified
submissions, complying with the system's requirements for submission;
and
(2) The electronic document bears all valid electronic signatures
that are required under paragraph (b) of this section.
(b) An electronic document must bear the valid electronic signature
of a signatory if that signatory would be required under Title 40 to
sign the paper document for which the electronic document substitutes,
unless EPA announces special provisions to accept a handwritten
signature on a separate paper submission and the signatory provides
that handwritten signature.
Sec. 3.20 How will EPA provide notice of changes to the Central Data
Exchange?
(a) Except as provided under paragraph (b) of this section,
whenever
[[Page 59882]]
EPA plans to change Central Data Exchange hardware or software in ways
that would affect the transmission process, EPA will provide notice as
follows:
(1) Significant changes to CDX: Where the equipment, software, or
services needed to transmit electronic documents to the Central Data
Exchange would be changed significantly, EPA will provide public notice
and seek comment on the change and the proposed implementation schedule
through the Federal Register;
(2) Other changes to CDX: EPA will provide notice of other changes
to Central Data Exchange users at least sixty (60) days in advance of
implementation.
(3) De minimis or transparent changes to CDX: For de minimis or
transparent changes that have minimal or no impact on the transmission
process, EPA may provide notice if appropriate on a case-by-case basis.
(b) Emergency changes to CDX: Any change which EPA's Chief
Information Officer or his or her designee determines is needed to
ensure the security and integrity of the Central Data Exchange is
exempt from the provisions of paragraph (a) of this section. However,
to the extent consistent with ensuring the security and integrity of
the system, EPA will provide notice for any change other than de
minimis or transparent changes to the Central Data Exchange.
Subpart C--[Reserved]
Subpart D--Electronic Reporting Under EPA-Authorized State, Tribe,
and Local Programs
Sec. 3.1000 How does a state, tribe, or local government revise or
modify its authorized program to allow electronic reporting?
(a) A state, tribe, or local government that receives or plans to
begin receiving electronic documents in lieu of paper documents to
satisfy requirements under an authorized program must revise or modify
such authorized program to ensure that it meets the requirements of
this part.
(1) General procedures for program modification or revision: To
revise or modify an authorized program to meet the requirements of this
part, a state, tribe, or local government must submit an application
that complies with paragraph (b)(1) of this section and must follow
either the applicable procedures for program revision or modification
in other parts of Title 40, or, at the applicant's option, the
procedures provided in paragraphs (b) through (e) of this section.
(2) Programs planning to receive electronic documents under an
authorized program: A state, tribe, or local government that does not
have an existing electronic document receiving system for an authorized
program must receive EPA approval of revisions or modifications to such
program in compliance with paragraph (a)(1) of this section before the
program may receive electronic documents in lieu of paper documents to
satisfy program requirements.
(3) Programs already receiving electronic documents under an
authorized program: A state, tribe, or local government with an
existing electronic document receiving system for an authorized program
must submit an application to revise or modify such authorized program
in compliance with paragraph (a)(1) of this section no later than
October 13, 2007. On a case-by-case basis, this deadline may be
extended by the Administrator, upon request of the state, tribe, or
local government, where the Administrator determines that the state,
tribe, or local government needs additional time to make legislative or
regulatory changes to meet the requirements of this part.
(4) Programs with approved electronic document receiving systems:
An authorized program that has EPA's approval to accept electronic
documents in lieu of paper documents must keep EPA apprised of those
changes to laws, policies, or the electronic document receiving systems
that have the potential to affect program compliance with Sec. 3.2000.
Where the Administrator determines that such changes require EPA review
and approval, EPA may request that the state, tribe, or local
government submit an application for program revision or modification;
additionally, a state, tribe, or local government on its own initiative
may submit an application for program revision or modification
respecting their receipt of electronic documents. Such applications
must comply with paragraph (a)(1) of this section.
(5) Restrictions on the use of procedures in this section: The
procedures provided in paragraphs (b) through (e) of this section may
only be used for revising or modifying an authorized program to provide
for electronic reporting and for subsequent revisions or modifications
to the electronic reporting elements of an authorized program as
provided under paragraph (a)(4) of this section.
(b)(1) To obtain EPA approval of program revisions or modifications
using procedures provided under this section, a state, tribe, or local
government must submit an application to the Administrator that
includes the following elements:
(i) A certification that the state, tribe, or local government has
sufficient legal authority provided by lawfully enacted or promulgated
statutes or regulations that are in full force and effect on the date
of the certification to implement the electronic reporting component of
its authorized programs covered by the application in conformance with
Sec. 3.2000 and to enforce the affected programs using electronic
documents collected under these programs, together with copies of the
relevant statutes and regulations, signed by the State Attorney General
or his or her designee, or, in the case of an authorized tribe or local
government program, by the chief executive or administrative official
or officer of the governmental entity, or his or her designee;
(ii) A listing of all the state, tribe, or local government
electronic document receiving systems to accept the electronic
documents being addressed by the program revisions or modifications
that are covered by the application, together with a description for
each such system that specifies how the system meets the applicable
requirements in Sec. 3.2000 with respect to those electronic
documents;
(iii) A schedule of upgrades for the electronic document receiving
systems listed under paragraph (b)(1)(ii) of this section that have the
potential to affect the program's continued conformance with Sec.
3.2000; and
(iv) Other information that the Administrator may request to fully
evaluate the application.
(2) A state, tribe, or local government that revises or modifies
more than one authorized program for receipt of electronic documents in
lieu of paper documents may submit a consolidated application under
this section covering more than one authorized program, provided the
consolidated application complies with paragraph (b)(1) of this section
for each authorized program.
(3)(i) Within 75 calendar days of receiving an application for
program revision or modification submitted under paragraph (b)(1) of
this section, the Administrator will respond with a letter that either
notifies the state, tribe, or local government that the application is
complete or identifies deficiencies in the application that render the
application incomplete. The state, tribe, or local government receiving
a notice of deficiencies may amend the application and resubmit it.
Within 30 calendar days of receiving the amended application, the
Administrator will respond with a letter that either notifies the
applicant that the amended
[[Page 59883]]
application is complete or identifies remaining deficiencies that
render the application incomplete.
(ii) If a state, tribe, or local government receiving notice of
deficiencies under paragraph (b)(3)(i) of this section does not remedy
the deficiencies and resubmit the subject application within a
reasonable period of time, the Administrator may act on the incomplete
application under paragraph (c) of this section.
(c)(1) The Administrator will act on an application by approving or
denying the state's, tribe's or local government's request for program
revision or modification.
(2) Where a consolidated application submitted under paragraph
(b)(2) of this section addresses revisions or modifications to more
than one authorized program, the Administrator may approve or deny the
request for revision or modification of each authorized program in the
application separately; the Administrator need not take the same action
with respect to the requested revisions or modifications for each such
program.
(3) When an application under paragraph (b) of this section
requests revision or modification of an authorized public water system
program under part 142 of this title, the Administrator will, in
accordance with the procedures in paragraph (f) of this section,
provide an opportunity for a public hearing before a final
determination pursuant to paragraph (c)(1) of this section with respect
to that component of the application.
(4) Except as provided under paragraph (c)(4)(i) and (ii) of this
section, if the Administrator does not take any action under paragraph
(c)(1) of this section on a specific request for revision or
modification of a specific authorized program addressed by an
application submitted under paragraph (b) of this section within 180
calendar days of notifying the state, tribe, or local government under
paragraph (b)(3) of this section that the application is complete, the
specific request for program revision or modification for the specific
authorized program is considered automatically approved by EPA at the
end of the 180 calendar days unless the review period is extended at
the request of the state, tribe, or local government submitting the
application.
(i) Where an opportunity for public hearing is required under
paragraph (c)(3) of this section, the Administrator's action on the
requested revision or modification will be in accordance with paragraph
(f) of this section.
(ii) Where a requested revision or modification addressed by an
application submitted under paragraph (b) of this section is to an
authorized program with an existing electronic document receiving
system, and where notification under paragraph (b)(3) of this section
that the application is complete is executed after October 13, 2007, if
the Administrator does not take any action under paragraph (c)(1) of
this section on the specific request for revision or modification
within 360 calendar days of such notification, the specific request is
considered automatically approved by EPA at the end of the 360 calendar
days unless the review period is extended at the request of the state,
tribe, or local government submitting the application.
(d) Except where an opportunity for public hearing is required
under paragraph (c)(3) of this section, EPA's approval of a program
revision or modification under this section will be effective upon
publication of a notice of EPA's approval of the program revision or
modification in the Federal Register. EPA will publish such a notice
promptly after approving a program revision or modification under
paragraph (c)(1) of this section or after an EPA approval occurs
automatically under paragraph (c)(4) of this section.
(e) If a state, tribe, or local government submits material to
amend its application under paragraph (b)(1) of this section after the
date that the Administrator sends notification under paragraph
(b)(3)(i) of this section that the application is complete, this new
submission will constitute withdrawal of the pending application and
submission of a new, amended application for program revision or
modification under paragraph (b)(1) of this section, and the 180-day
time period in paragraph (c)(4) of this section or the 360-day time
period in paragraph (c)(4)(ii) of this section will begin again only
when the Administrator makes a new determination and notifies the
state, tribe, or local government under paragraph (b)(3)(i) of this
section that the amended application is complete.
(f) For an application under this section that requests revision or
modification of an authorized public water system program under part
142 of this chapter:
(1) The Administrator will publish notice of the Administrator's
preliminary determination under paragraph (c)(1) of this section in the
Federal Register, stating the reasons for the determination and
informing interested persons that they may request a public hearing on
the Administrator's determination. Frivolous or insubstantial requests
for a hearing may be denied by the Administrator;
(2) Requests for a hearing submitted under this section must be
submitted to the Administrator within 30 days after publication of the
notice of opportunity for hearing in the Federal Register. The
Administrator will give notice in the Federal Register of any hearing
to be held pursuant to a request submitted by an interested person or
on the Administrator's own motion. Notice of hearing will be given not
less than 15 days prior to the time scheduled for the hearing;
(3) The hearing will be conducted by a designated hearing officer
in an informal, orderly, and expeditious manner. The hearing officer
will have authority to take such action as may be necessary to assure
the fair and efficient conduct of the hearing; and
(4) After reviewing the record of the hearing, the Administrator
will issue an order either affirming the determination the
Administrator made under paragraph (c)(1) of this section or rescinding
such determination and will promptly publish a notice of the order in
the Federal Register. If the order is to approve the program revision
or modification, EPA's approval will be effective upon publication of
the notice in the Federal Register. If no timely request for a hearing
is received and the Administrator does not determine to hold a hearing
on the Administrator's own motion, the Administrator's determination
made under paragraph (c)(1) of this section will be effective 30 days
after notice is published pursuant to paragraph (f)(1) of this section.
Sec. 3.2000 What are the requirements authorized state, tribe, and
local programs' reporting systems must meet?
(a) Authorized programs that receive electronic documents in lieu
of paper to satisfy requirements under such programs must:
(1) Use an acceptable electronic document receiving system as
specified under paragraphs (b) and (c) of this section; and
(2) Require that any electronic document must bear the valid
electronic signature of a signatory if that signatory would be required
under the authorized program to sign the paper document for which the
electronic document substitutes, unless the program has been approved
by EPA to accept a handwritten signature on a separate paper
submission. The paper submission must contain references to the
electronic document sufficient for legal certainty that the signature
was executed with the intention to certify to, attest to, or agree to
the content of that electronic document.
[[Page 59884]]
(b) An electronic document receiving system that receives
electronic documents submitted in lieu of paper documents to satisfy
requirements under an authorized program must be able to generate data
with respect to any such electronic document, as needed and in a timely
manner, including a copy of record for the electronic document,
sufficient to prove, in private litigation, civil enforcement
proceedings, and criminal proceedings, that:
(1) The electronic document was not altered without detection
during transmission or at any time after receipt;
(2) Any alterations to the electronic document during transmission
or after receipt are fully documented;
(3) The electronic document was submitted knowingly and not by
accident;
(4) Any individual identified in the electronic document submission
as a submitter or signatory had the opportunity to review the copy of
record in a human-readable format that clearly and accurately
associates all the information provided in the electronic document with
descriptions or labeling of the information and had the opportunity to
repudiate the electronic document based on this review; and
(5) In the case of an electronic document that must bear electronic
signatures of individuals as provided under paragraph (a)(2) of this
section, that:
(i) Each electronic signature was a valid electronic signature at
the time of signing;
(ii) The electronic document cannot be altered without detection at
any time after being signed;
(iii) Each signatory had the opportunity to review in a human-
readable format the content of the electronic document that he or she
was certifying to, attesting to or agreeing to by signing;
(iv) Each signatory had the opportunity, at the time of signing, to
review the content or meaning of the required certification statement,
including any applicable provisions that false certification carries
criminal penalties;
(v) Each signatory has signed either an electronic signature
agreement or a subscriber agreement with respect to the electronic
signature device used to create his or her electronic signature on the
electronic document;
(vi) The electronic document receiving system has automatically
responded to the receipt of the electronic document with an
acknowledgment that identifies the electronic document received,
including the signatory and the date and time of receipt, and is sent
to at least one address that does not share the same access controls as
the account used to make the electronic submission; and
(vii) For each electronic signature device used to create an
electronic signature on the document, the identity of the individual
uniquely entitled to use the device and his or her relation to any
entity for which he or she will sign electronic documents has been
determined with legal certainty by the issuing state, tribe, or local
government. In the case of priority reports identified in the table in
Appendix 1 of Part 3, this determination has been made before the
electronic document is received, by means of:
(A) Identifiers or attributes that are verified (and that may be
re-verified at any time) by attestation of disinterested individuals to
be uniquely true of (or attributable to) the individual in whose name
the application is submitted, based on information or objects of
independent origin, at least one item of which is not subject to change
without governmental action or authorization; or
(B) A method of determining identity no less stringent than would
be permitted under paragraph (b)(5)(vii)(A) of this section; or
(C) Collection of either a subscriber agreement or a certification
from a local registration authority that such an agreement has been
received and securely stored.
(c) An authorized program that receives electronic documents in
lieu of paper documents must ensure that:
(1) A person is subject to any appropriate civil, criminal
penalties or other remedies under state, tribe, or local law for
failure to comply with a reporting requirement if the person fails to
comply with the applicable provisions for electronic reporting.
(2) Where an electronic document submitted to satisfy a state,
tribe, or local reporting requirement bears an electronic signature,
the electronic signature legally binds or obligates the signatory, or
makes the signatory responsible, to the same extent as the signatory's
handwritten signature on a paper document submitted to satisfy the same
reporting requirement.
(3) Proof that a particular electronic signature device was used to
create an electronic signature that is included in or logically
associated with an electronic document submitted to satisfy a state,
tribe, or local reporting requirement will suffice to establish that
the individual uniquely entitled to use the device at the time of
signature did so with the intent to sign the electronic document and
give it effect.
(4) Nothing in the authorized program limits the use of electronic
documents or information derived from electronic documents as evidence
in enforcement proceedings.
Appendix 1 to Part 3--Priority Reports
------------------------------------------------------------------------
Category                       Description             40 CFR Citation
------------------------------------------------------------------------
                            Required Reports
------------------------------------------------------------------------
State Implementation Plan..... Emissions data reports  51.60(c).
                                for mobile sources.
Excess Emissions and           Excess emissions and    60.7(c),
 Monitoring Performance Report  monitoring              60.7(d).
 Compliance Notification        performance report
 Report.                        detailing the
                                magnitude of excess
                                emissions, and
                                provides the date,
                                time, and system
                                status at the time of
                                the excess emission.
New Source Performance         Semi-annual reports     60.49a(e) & (j)
 Standards Reporting            (quarterly, if report   & (v),
 Requirements.                  is approved for         60.49b(v).
                                electronic submission
                                by the permitting
                                authority) on sulfur
                                dioxide, nitrous
                                oxides and
                                particulate matter
                                emission (includes
                                reporting
                                requirements in
                                Subparts A through
                                DDDD).
Semi-annual Operations and     Semi-annual report      60.107(c),
 Corrective Action Reports.     provides information    60.107(d).
                                on a company's
                                exceedance of its
                                sulfur dioxide
                                emission rate, sulfur
                                content of the fresh
                                feed, and the average
                                percent reduction and
                                average concentration
                                of sulfur dioxide.
                                When emissions data
                                is unavailable, a
                                signed statement is
                                required which
                                documents the
                                changes, if any, made
                                to the emissions
                                control system that
                                would impact the
                                company's compliance
                                with emission limits.
[[Page 59885]]
National Emission Standards    Include such reports    61.11,
 for Hazardous Air Pollutants   as: Annual              61.24(a)(3) &
 Reporting Requirements.        compliance,             (a)(8),
                                calculation, initial    61.70(c)(1) &
                                startup, compliance     (c)(2)(v) &
                                status,                 (c)(3) &
                                certifications of       (c)(4)(iv),
                                compliance, waivers     61.94(a) &
                                from compliance         (b)(9),
                                certifications,         61.104(a) &
                                quarterly inspection    (a)(1)(x) &
                                certifications,         (a)(1)(xi) &
                                operations, and         (a)(1)(xvi),
                                operations and          61.138(e) &
                                process change.         (f),
                                                        61.165(d)(2) &
                                                        (d)(3) & (d)(4)
                                                        & (f)(1) &
                                                        (f)(2) & (f)(3),
                                                        61.177(a)(2) &
                                                        (c)(1) & (c)(2)
                                                        & (c)(3) &
                                                        (e)(1) &
                                                        (e)(3),
                                                        61.186(b)(1) &
                                                        (b)(2) & (b)(3)
                                                        & (c)(1) &
                                                        (f)(1),
                                                        61.247(a)(1) &
                                                        (a)(4) &
                                                        (a)(5)(v) &
                                                        (b)(5) & (d),
                                                        61.254(a)(4),
                                                        61.275(a) & (b)
                                                        & (c),
                                                        61.305(f) &
                                                        (i), 61.357(a)
                                                        & (b) & (c) &
                                                        (d), 63.9(h).
Hazardous Air Pollutants       Reports containing      63.10(d),
 Compliance Report.             results from            63.10(e)(1),
                                performance test,       63.10(e)(3).
                                opacity tests, and
                                visible emissions
                                tests. Progress
                                reports; periodic and
                                immediate startup,
                                shutdown, and
                                malfunction reports;
                                results from
                                continuous monitoring
                                system performance
                                evaluations; excess
                                emissions and
                                continuous monitoring
                                system performance
                                report; or summary
                                report.
Notifications and Reports..... Reports that document   65.5(d),
                                a facility's initial    65.5(e).
                                compliance status,
                                notification of
                                initial start-up, and
                                periodic reports
                                which includes the
                                startup, shutdown,
                                and malfunction
                                reports discussed in
                                40 CFR 65.6(c).
Continuous Emissions           Quarterly emissions     75.64, 75.65.
 Monitoring.                    monitoring reports
                                and opacity reports
                                which document a
                                facility's excess
                                emission.
Notice of Fuel or Fuel         Registration of new     79.10, 79.11,
 Additive Registration and      fuels and additives,    79.20, 79.21,
 Health Effects Testing.        and the submission      79.51.
                                and certification of
                                health effect data.
Manufacture In-Use and Product Reports that document   86.1845,
 Line Emissions Testing.        the emissions testing   86.1846,
                                results generated       86.1847,
                                from the in-use         90.113,
                                testing program for     90.1205,
                                new and in-use          90.704, 91.805,
                                highway vehicle         91.504, 92.607,
                                ignition engines; non-  92.508, 92.509.
                                road spark-ignition
                                engines; marine spark-
                                ignition engines; and
                                locomotives and
                                locomotive engines.
Industrial and Publicly Owned  Discharge monitoring    122.41(l)(4)(i),
 Treatment Works Reports.       reports for all         403.12(b) & (d)
                                individual              & (e) & (h).
                                permittees--including
                                baseline reports,
                                pretreatment
                                standards report,
                                periodic compliance
                                reports, and reports
                                made by significant
                                industrial users.
------------------------------------------------------------------------
                          Event Driven Notices
------------------------------------------------------------------------
State Implementation Plan..... Owners report           51.211.
                                emissions data from
                                stationary sources.
Report For Initial Performance Report that provides    60.2200 (initial
 Test.                          the initial             performance
                                performance test        tests).
                                results, site-
                                specific operating
                                limits, and, if
                                installed,
                                information on the
                                bag leak detection
                                device used by the
                                facility.
Emissions Control Report...... Report submitted by     61.153(a)(1),
                                new sources within 90   61.153(a)(4)(i),
                                days of set-up which    61.153(a)(5)(ii).
                                describes emission
                                control equipment
                                used, processes which
                                generate asbestos-
                                containing waste
                                material, and
                                disposal information.
State Operating Permits--      Monitoring and          70.6(a)(3)(iii)(A),
 Permit Content.                deviation reports       70.6(a)(3)(iii)(B).
                                under the State
                                Operating Permit.
Title V Permits--Permit        Monitoring and          71.6(a)(3)(iii).
 Content.                       deviation reports
                                under the Federal
                                Operating Permit.
Annual Export Report.......... Annual report           262.56(a).
                                summarizing the
                                amount and type of
                                hazardous waste
                                exported.
Exceptions Reports............ Reports submitted by a  262.42, 262.55.
                                generator when the
                                generator has not
                                received confirmation
                                from the Treatment,
                                Storage, and Disposal
                                Facility (TSDF) that
                                it received the
                                generator's waste and
                                when hazardous waste
                                shipment was received
                                by the TSDF. For
                                exports, reports
                                submitted when the
                                generator has not
                                received a copy of
                                the manifest from the
                                transporter with
                                departure date and
                                place of export
                                indicated; and
                                confirmation from the
                                consignee that the
                                hazardous waste was
                                received or when the
                                hazardous waste is
                                returned to the U.S.
Contingency Plan               Follow-up reports made  264.56(j),
 Implementation Reports.        to the Agency for all   265.56(j).
                                incidents noted in
                                the operating record
                                which required the
                                implementation of a
                                facility's
                                contingency plan.
Significant Manifest           Report filed by         264.72(b),
 Discrepancy Report.            Treatment, Storage,     265.72(b).
                                and Disposal
                                Facilities (TSDF)
                                within 15 days of
                                receiving wastes,
                                when the TSDF is
                                unable to resolve
                                manifest
                                discrepancies with
                                the generator.
Unmanifested Waste Report..... Report that documents   264.76, 265.76.
                                hazardous waste
                                received by a
                                Treatment, Storage,
                                and Disposal Facility
                                without an
                                accompanying manifest.
Noncompliance Report.......... An owner/operator       264.1090.
                                submitted report
                                which documents
                                hazardous waste that
                                was placed in
                                hazardous waste
                                management units in
                                noncompliance with 40
                                CFR sections
                                264.1082(c)(1) and
                                (c)(2); 264.1084(b);
                                264.1035(c)(4); or
                                264.1033(d).
[[Page 59886]]
Notification--Low Level Mixed  One-time notification   266.345.
 Waste.                         concerning
                                transportation and
                                disposal of
                                conditionally
                                exempted waste.
Notification--Land Disposal    One-time notification   268.9(d).
 Restrictions.                  and certification
                                that characteristic
                                waste is no longer
                                hazardous.
Underground Storage Tank       Underground Storage     280.22.
 Notification.                  Tank system
                                notifications
                                concerning design,
                                construction, and
                                installation. As well
                                as when systems are
                                being placed in
                                operation. (EPA Form
                                7530-1 or state
                                version.).
Free Product Removal Report    Report written and      280.64, 280.65.
 and Subsequent Investigation   submitted within 45
 Report.                        days after confirming
                                a free product
                                release, including
                                information on the
                                release and recovery
                                methods used for the
                                free product, and
                                when test indicate
                                presence of free
                                product, response
                                measures.
Manufacture or Import          Premanufacture          720.102, 721.25.
 Premanufacture Notification.   notification of
                                intent to begin
                                manufacturing,
                                importing, or
                                processing chemicals
                                identified in Subpart
                                E for significant new
                                use (forms 7710-56
                                and 7710-25).
------------------------------------------------------------------------
                        Permit Applications \1\
------------------------------------------------------------------------
State Implementation Plan..... Information describing  52.21(n).
                                the source, its
                                construction
                                schedule, and the
                                planned continuous
                                emissions reductions
                                system.
State Operating Permits....... Reports, notices, or    70.6(c)(1).
                                other written
                                submissions required
                                by a State Operating
                                Permit.
Title V Permits--Permit        Reports, notices, or    71.6(c)(1),
 Content.                       other written           71.25(c)(1).
                                submissions required
                                by a Title V
                                Operating Permit.
Title V Permits............... Specific criteria for   71.7(e(2)(ii)(c).
                                permit modifications
                                and or revisions,
                                including a
                                certification
                                statement by a
                                responsible official.
Reclaimer Certification....... Certification made by   82.164.
                                a reclaimer that the
                                refrigerant was
                                reprocessed according
                                to specifications and
                                that no more than
                                1.5% of the
                                refrigerant was
                                released during the
                                reclamation.
Application for Certification  Control of Emissions    86.007-21 (heavy
 and Statement of Compliance.   for New and In-Use      duty), 1844-01
                                Highway Vehicles and    (light duty).
                                Engines statement of
                                compliance made by
                                manufacturer,
                                attesting that the
                                engine family
                                complies with
                                standards for new and
                                in-use highway
                                vehicles and engines.
Application for Certification. Application made by     89.115, 90.107,
                                engine manufacturer     91.107, 92.203,
                                to obtain certificate   94.203.
                                of conformity.
National Pollutant Discharge   National Pollutant      122.21.
 Elimination System.            Discharge Elimination
                                System (NPDES)
                                Permits and Renewals
                                (includes individual
                                permit applications,
                                NPDES General Form 1,
                                and NPDES Forms 2A-F,
                                and 2S).
Resource Conservation and      Signatures for permit   270.11, 270.42.
 Recovery Act Permit            applications and
 Applications and               reports; submission
 Modifications.                 of permit
                                modifications. (This
                                category excludes
                                Class I permit
                                modifications (40 CFR
                                270.42, Appendix I)
                                that do not require
                                prior approval).
------------------------------------------------------------------------
             Certifications of Compliance/Non-Applicability
------------------------------------------------------------------------
State Implementation Plan      State implementation    51.212(c),
 Requirements.                  plan certifications     51.214(e).
                                for testing,
                                inspection,
                                enforcement, and
                                continuous emissions
                                monitoring.
Certification Statement....... Chemical Accident       68.185.
                                Prevention
                                Provisions--Risk
                                Management Plan
                                certification
                                statements.
Title V Permits............... Federal compliance      70.5(c)(9),
                                certifications and      70.5(d),
                                permit applications.    70.6(c)(5).
State Operating Permits....... State compliance        71.5(c)(9),
                                certifications and      71.5(d),
                                permit applications.    71.24(f).
Annual and Other Compliance    Annual compliance       72.90.
 Certification Reports.         certification report
                                and is submitted by
                                units subject to acid
                                rain emissions
                                limitations.
Annual Compliance              Annual compliance       74.43.
 Certification Report, Opt-In   certification report
 Report, and Confirmation       which is submitted in
 Report.                        lieu of annual
                                compliance
                                certification report
                                listed in Subpart I
                                of Part 72.
Quarterly Reports and          Continuous Emission     75.73.
 Compliance Certifications.     Monitoring
                                certifications,
                                monitoring plans, and
                                quarterly reports for
                                NOX emissions.
Certification Letters Recovery Protection of           79.4, 80.161,
 and Recycling Equipment,       Stratospheric Ozone:    82.162, 82.42.
 Motor Vehicle Air              Recycling & Emissions
 Conditioners Recycling         Reduction.
 Program, Detergent Package.    Acquisition of
                                equipment for
                                recovery or recycling
                                made by auto repair
                                service technician
                                and Fuels and Fuel
                                Additives Detergent
                                additive
                                certification.
Response Plan Cover Sheet..... Oil Pollution           112 (Appendix
                                Prevention              f).
                                certification to the
                                truth and accuracy of
                                information.
Closure Report................ Report which documents  146.71.
                                that closure was in
                                accordance with
                                closure plan and/or
                                details difference
                                between actual
                                closure and the
                                procedures outlined
                                in the closure plan.
Certification of Closure and   Certification that      264.115,
 Post Closure Care, Post-       Treatment, Storage,     264.119,
 Closure Notices.               and Disposal            264.119(b)(2),
                                Facilities (TSDF) are   264.120,
                                closed in accordance    265.115,
                                with approved closure   265.119(b)(2),
                                plan or post-closure    265.120,
                                plan.                   265.19.
Certification of Testing Lab   Certification that the  270.63.
 Analysis.                      testing and/or lab
                                analyses required for
                                the treatment
                                demonstration phase
                                of a two-phase permit
                                was conducted.
[[Page 59887]]
Periodic Certification........ Certification that      437.41(b).
                                facility is operating
                                its system to provide
                                equivalent treatment
                                as in initial
                                certification.
------------------------------------------------------------------------
\1\ Included within each permit application category, though sometimes
not listed, are the permits submitted to run/operate/maintain
facilities and/or equipment/products under EPA or authorized programs.
PART 9--OMB APPROVALS UNDER THE PAPERWORK REDUCTION ACT
1. The authority citation for part 9 continues to read as follows:
Authority: 7 U.S.C. 135 et seq., 136-136y; 15 U.S.C. 2001, 2003,
2005, 2006, 2601-2671; 21 U.S.C. 331j, 346a, 31 U.S.C. 9701; 33
U.S.C. 1251 et seq., 1311, 1313d, 1314, 1318, 1321, 1326, 1330,
1342, 1344, 1345 (d) and (e), 1361; E.O. 11735, 38 FR 21243, 3 CFR,
1971-1975 Comp. p. 973; 42 U.S.C. 241, 242b, 243, 246, 300f, 300g,
300g-1, 300g-2, 300g-3, 300g-4, 300g-5, 300g-6, 300j-1, 300j-2,
300j-3, 300j-4, 300j-9, 1857 et seq., 6901-6992k, 7401-7671q, 7542,
9601-9657, 11023, 11048.
2. Section 9.1 is amended by adding a new entry in numerical order for
part 3 to read as follows:
Sec. 9.1 OMB approvals under the Paperwork Reduction Act.
* * * * *
------------------------------------------------------------------------
                                                                 OMB
                      40 CFR citation                        Control No.
------------------------------------------------------------------------
                                * * * * *
------------------------------------------------------------------------
                    Cross-Media Electronic Reporting
------------------------------------------------------------------------
Part 3..................................................... 2025-0003
------------------------------------------------------------------------
* * * * *
PART 51--REQUIREMENTS FOR PREPARATION, ADOPTION, AND SUBMITTAL OF
IMPLEMENTATION PLANS
1. The authority citation for part 51 continues to read as follows:
Authority: 23 U.S.C. 101; 42 U.S.C. 7401-7671q.
2. Section 51.286 is added to Subpart O to read as follows:
Sec. 51.286 Electronic reporting.
States that wish to receive electronic documents must revise the
State Implementation Plan to satisfy the requirements of 40 CFR Part
3--(Electronic reporting).
PART 60--STANDARDS OF PERFORMANCE FOR NEW STATIONARY SOURCES
1. The authority citation for part 60 continues to read as follows:
Authority: 42 U.S.C. 7401-7601.
2. Section 60.25(b)(1) is amended by adding a sentence to the end of
the paragraph to read as follows:
Sec. 60.25 Emission inventories, source surveillance, reports.
* * * * *
(b)(1) * * * Submission of electronic documents shall comply with
the requirements of 40 CFR part 3--(Electronic reporting).
* * * * *
PART 63--NATIONAL EMISSION STANDARDS FOR HAZARDOUS AIR POLLUTANTS
FOR SOURCE CATEGORIES
1. The authority citation for part 63 continues to read as follows:
Authority: 42 U.S.C. 7401 et seq.
2. Section 63.91 is amended by adding a new paragraph (d)(5) to read as
follows:
Sec. 63.91 Criteria for straight delegation and criteria common to
all approved options.
* * * * *
(d) * * *
(5) Electronic documents. Submission of electronic documents shall
comply with the requirements of 40 CFR part 3--(Electronic reporting).
* * * * *
PART 69--SPECIAL EXEMPTIONS FROM REQUIREMENTS OF THE CLEAN AIR ACT
1. The authority citation for part 69 continues to read as follows:
Authority: 42 U.S.C. 7545(c), (g) and (i), and 7625-1.
2. Section 69.13 is amended by adding a new paragraph (b)(1)(v) to read
as follows:
Sec. 69.13 Title V conditional exemption.
* * * * *
(b) * * *
(1) * * *
(v) If the program chooses to accept electronic documents it must
satisfy the requirements of 40 CFR Part 3--(Electronic reporting).
* * * * *
3. Section 69.22 is amended by adding a new paragraph (b)(1)(v) to read
as follows:
Sec. 69.22 Title V conditional exemption.
* * * * *
(b) * * *
(1) * * *
(v) If the program chooses to accept electronic documents it must
satisfy the requirements of 40 CFR Part 3--(Electronic reporting).
* * * * *
4. Section 69.32 is amended by adding a new paragraph (b)(1)(v) to read
as follows:
Sec. 69.32 Title V conditional exemption.
* * * * *
(b) * * *
(1) * * *
(v) If the program chooses to accept electronic documents it must
satisfy the requirements of 40 CFR Part 3--(Electronic reporting).
* * * * *
PART 70--STATE OPERATING PERMIT PROGRAMS
1. The authority citation for part 70 continues to read as follows:
Authority: 42 U.S.C. 7401, et seq.
2. Section 70.1 is amended by adding a new paragraph (f) to read as
follows:
Sec. 70.1 Program overview.
* * * * *
(f) States that choose to receive electronic documents must satisfy
the requirements of 40 CFR Part 3--(Electronic reporting) in their
program.
PART 71--FEDERAL OPERATING PERMIT PROGRAMS
1. The authority citation for part 71 continues to read as follows:
Authority: 42 U.S.C. 7401, et seq.
2. Section 71.10 is amended by adding a new sentence to the end of
paragraph (a) to read as follows:
Sec. 71.10 Delegation of part 71 program.
(a) * * * Delegate agencies that choose to receive electronic
documents as part of their delegated program must satisfy the
requirements of 40 CFR Part 3--(Electronic reporting).
* * * * *
PART 123--STATE PROGRAM REQUIREMENTS
1. The authority citation for part 123 continues to read as follows:
Authority: Clean Water Act, 33 U.S.C. 1251 et seq.
[[Page 59888]]
2. Section 123.25 is amended by revising paragraphs (a)(44) and
(a)(45), adding the phrase ``Except for paragraph (a)(46) of this
section,'' at the beginning of the Note to paragraph (a), and adding a
new paragraph (a)(46) to read as follows:
Sec. 123.25 Requirements for permitting.
(a) * * *
(44) Sec. 122.35 (As an operator of a regulated small MS4, may I
share the responsibility to implement the minimum control measures with
other entities?);
(45) Sec. 122.36 (As an operator of a regulated small MS4, what
happens if I don't comply with the application or permit requirements
in Sec. Sec. 122.33 through 122.35?); and
(46) For states that wish to receive electronic documents, 40 CFR
Part 3--(Electronic reporting).
* * * * *
PART 142--NATIONAL PRIMARY DRINKING WATER REGULATIONS
IMPLEMENTATION
1. The authority citation for part 142 continues to read as follows:
Authority: 42 U.S.C. 300f, 300g-1, 300g-2, 300g-3, 300g-4, 300g-
5, 300g-6, 300j-4, 300j-9, and 300j-11.
2. Section 142.10 is amended by redesignating paragraph (g) as
paragraph (h) and by adding a new paragraph (g) to read as follows:
Sec. 142.10 Requirements for a determination of primary enforcement
responsibility.
* * * * *
(g) Has adopted regulations consistent with 40 CFR Part 3--
(Electronic reporting) if the state receives electronic documents.
* * * * *
PART 145--REQUIREMENTS FOR STATE PROGRAMS
1. The authority citation for part 145 continues to read as follows:
Authority: 42 U.S.C. 300f et seq.
2. Section 145.11 is amended by revising paragraphs (a)(30), (a)(31),
(a)(32), and adding paragraph (a)(33) to read as follows:
Sec. 145.11 Requirements for permitting.
(a) * * *
(30) Section 124.12(a)--(Public hearings);
(31) Section 124.17 (a) and (c)--(Response to comments);
(32) Section 144.88--(What are the additional requirements?); and
(33) For states that wish to receive electronic documents, 40 CFR
Part 3--(Electronic reporting).
* * * * *
PART 162--STATE REGISTRATION OF PESTICIDE PRODUCTS
1. The authority citation for part 162 continues to read as follows:
Authority: 7 U.S.C. 136v, 136w.
2. Section 162.153 is amended by adding a paragraph (a)(6) to read as
follows:
Sec. 162.153 State registration procedures.
(a) * * *
(6) Electronic Reporting under State Registration of Pesticide
Products for Special Local Needs. States that choose to receive
electronic documents under the regulations pertaining to state
registration of pesticides to meet special local needs, must ensure
that the requirements of 40 CFR Part 3--(Electronic reporting) are
satisfied by their state procedures for such registrations.
* * * * *
PART 233--404 STATE PROGRAM REGULATIONS
1. The authority citation for part 233 continues to read as follows:
Authority: 33 U.S.C. 1251 et seq.
2. A new Sec. 233.39 is added to Subpart D to read as follows:
Sec. 233.39 Electronic reporting.
States that choose to receive electronic documents must satisfy the
requirements of 40 CFR Part 3--(Electronic reporting) in their state
program.
PART 257--CRITERIA FOR CLASSIFICATION OF SOLID WASTE DISPOSAL
FACILITIES AND PRACTICES
1. The authority citation for part 257 continues to read as follows:
Authority: 42 U.S.C. 6907(a)(3), 6912(a)(1), 6944(a) and
6949(c), 33 U.S.C. 1345(d) and (e).
2. Section 257.30 is amended by adding a new paragraph (d) to read as
follows:
Sec. 257.30 Recordkeeping requirements.
* * * * *
(d) The Director of an approved state program may receive
electronic documents only if the state program includes the
requirements of 40 CFR Part 3--(Electronic reporting).
PART 258--CRITERIA FOR MUNICIPAL SOLID WASTE LANDFILLS
1. The authority citation for part 258 continues to read as follows:
Authority: 33 U.S.C. 1345(d) and (e); 42 U.S.C. 6902(a), 6907,
6912(a), 6944, 6945(c) and 6949a(c).
2. Section 258.29 is amended by adding a new paragraph (d) to read as
follows:
Sec. 258.29 Recordkeeping requirements.
* * * * *
(d) The Director of an approved state program may receive
electronic documents only if the state program includes the
requirements of 40 CFR Part 3--(Electronic reporting).
PART 271--REQUIREMENTS FOR AUTHORIZATION OF STATE HAZARDOUS WASTE
PROGRAMS
1. The authority citation for part 271 continues to read as follows:
Authority: 42 U.S.C. 6905, 6912 and 6926.
2. Section 271.10 is amended by revising paragraph (b) to read as
follows:
Sec. 271.10 Requirements for generators of hazardous waste.
* * * * *
(b) The State shall have authority to require and shall require all
generators to comply with reporting and recordkeeping requirements
equivalent to those under 40 CFR 262.40 and 262.41. States must require
that generators keep these records at least 3 years. States that choose
to receive electronic documents must include the requirements of 40 CFR
Part 3--(Electronic reporting) in their Program (except that states
that choose to receive electronic manifests and/or permit the use of
electronic manifests must comply with any applicable requirements for
e-manifest in this section of this section).
* * * * *
3. Section 271.11 is amended by revising paragraph (b) to read as
follows:
Sec. 271.11 Requirements for transporters of hazardous waste.
* * * * *
(b) The State shall have authority to require and shall require all
transporters to comply with reporting and recordkeeping requirements
equivalent to those under 40 CFR 263.22. States must require that
transporters keep these records at least 3 years. States that choose to
receive electronic documents must include the requirements of 40 CFR
Part 3--(Electronic reporting) in their Program (except that states
that choose to receive electronic manifests
[[Page 59889]]
and/or permit the use of electronic manifests must comply with any
applicable requirements for e-manifest in this section of this
section).
* * * * *
4. Section 271.12 is amended by revising paragraph (h) to read as
follows:
Sec. 271.12 Requirements for hazardous waste management facilities.
* * * * *
(h) Inspections, monitoring, recordkeeping, and reporting. States
that choose to receive electronic documents must include the
requirements of 40 CFR Part 3--(Electronic reporting) in their Program
(except that states that choose to receive electronic manifests and/or
permit the use of electronic manifests must comply with paragraph (i)
of this section);
* * * * *
PART 281--APPROVAL OF STATE UNDERGROUND STORAGE TANK PROGRAMS
1. The authority citation for part 281 continues to read as follows:
Authority: 42 U.S.C. 6912, 6991 (c), (d), (e), (g).
2. Section 281.40 is amended by revising paragraph (d) to read as
follows:
Sec. 281.40 Requirements for compliance monitoring program and
authority.
* * * * *
(d) State programs must have procedures for receipt, evaluation,
retention and investigation of records and reports required of owners
or operators and must provide for enforcement of failure to submit
these records and reports. States that choose to receive electronic
documents must include the requirements of 40 CFR Part 3--(Electronic
reporting) in their state program.
* * * * *
PART 403--GENERAL PRETREATMENT REGULATIONS FOR EXISTING AND NEW
SOURCES OF POLLUTION
1. The authority citation for part 403 continues to read as follows:
Authority: 33 U.S.C. 1251 et seq.
2. Section 403.8 is amended by adding a new paragraph (g) to read as
follows:
Sec. 403.8 Pretreatment Program Requirements: Development and
Implementation by POTW.
* * * * *
(g) A POTW that chooses to receive electronic documents must
satisfy the requirements of 40 CFR Part 3--(Electronic reporting).
3. Section 403.12 is amended by adding a new paragraph (r) to read as
follows:
Sec. 403.12 Reporting requirements for POTW's and industrial users.
* * * * *
(r) The Control Authority that chooses to receive electronic
documents must satisfy the requirements of 40 CFR Part 3--(Electronic
reporting).
PART 501--STATE SLUDGE MANAGEMENT PROGRAM REGULATIONS
1. The authority citation for part 501 continues to read as follows:
Authority: 33 U.S.C. 1251 et seq.
2. Section 501.15 is amended by adding a new paragraph (a)(4) to read
as follows:
Sec. 501.15 Requirements for permitting.
(a) * * *
(4) Information requirements: All treatment works treating domestic
sewage shall submit to the Director within the time frames established
in paragraph (d)(1)(ii) of this section the information listed in
paragraphs (a)(4)(i) through (xii) of this section. The Director of an
approved state program that chooses to receive electronic documents
must satisfy the requirements of 40 CFR part 3--(Electronic reporting).
* * * * *
PART 745--LEAD-BASED PAINT POISONING PREVENTION IN CERTAIN
RESIDENTIAL STRUCTURES
1. The authority citation for part 745 continues to read as follows:
Authority: 15 U.S.C. 2605, 2607, 2681-2692 and 42 U.S.C. 4852d.
2. Section 745.327 is amended by adding a new paragraph (f) to read as
follows:
Sec. 745.327 State or Indian Tribal lead-based paint compliance and
enforcement programs.
* * * * *
(f) Electronic reporting under State or Indian Tribe programs.
States and tribes that choose to receive electronic documents under the
authorized state or Indian tribe lead-based paint program, must ensure
that the requirements of 40 CFR part 3--(Electronic reporting) are
satisfied in their lead-based paint program.
PART 763--ASBESTOS
1. The authority citation for part 763 continues to read as follows:
Authority: 15 U.S.C. 2605, 2607(c), 2643, and 2646.
2. Section 763.98 is amended by revising paragraphs (a)(1), (b)(3), and
(d)(3) to read as follows:
Sec. 763.98 Waiver; delegation to state.
(a) General. (1) Upon request from a state Governor and after
notice and comment and an opportunity for a public hearing in
accordance with paragraphs (b) and (c) of this section, EPA may waive
some or all of the requirements of this subpart E if the state has
established and is implementing or intends to implement a program of
asbestos inspection and management that contains requirements that are
at least as stringent as the requirements of this subpart. In addition,
if the state chooses to receive electronic documents, the state program
must include, at a minimum, the requirements of 40 CFR part 3--
(Electronic reporting).
* * * * *
(b) * * *
(3) Detailed reasons, supporting papers, and the rationale for
concluding that the state's asbestos inspection and management program
provisions for which the request is made are at least as stringent as
the requirements of Subpart E of this part, and that, if the state
chooses to receive electronic documents, the state program includes, at
a minimum, the requirements of 40 CFR part 3--(Electronic reporting).
* * * * *
(d) * * *
(3) The state has an enforcement mechanism to allow it to implement
the program described in the waiver request and any electronic
reporting requirements are at least as stringent as 40 CFR part 3--
(Electronic reporting).
* * * * *
3. Appendix C to subpart E of part 763 is amended by adding paragraph
(I) to section I to read as follows:
Appendix C to Subpart E of Part 763--Asbestos Model Accreditation Plan
I. Asbestos Model Accreditation Plan for States
* * * * *
(I) Electronic Reporting.
States that choose to receive electronic documents must include,
at a minimum, the requirements of 40 CFR Part 3--(Electronic
reporting) in their programs.
* * * * *
[FR Doc. 05-19601 Filed 10-12-05; 8:45 am]
BILLING CODE 6560-50-P