CROMERR

From Exchange Network Wiki

Jump to: navigation, search

CROMERR stands for "Cross Media Electronic Reporting Rule" It is a rule issued by U.S. EPA in July 2000 that sets forth criteria for voluntary electronic environmental reporting and record keeping and intends to enable electronic submission of any document that the regulated community must submit or maintain under federal environmental laws. States/tribes must submit an application to EPA that explains how their electronic submittal system meets CROMERR requirements. More information on CROMERR is available at: www.epa.gov/cromerr/.

Contents

Purpose

CROMERR is a federal rule that sets standards for states/tribal systems to receive electronic reports from facilities they regulate under EPA-authorized programs. States/tribes must submit an application to EPA that explains how their electronic submittal system meets CROMERR requirements.

CROMERR topics include:


The driving force for CROMERR has been to make electronic submissions legally defensible by EPA lawyers.

The purpose of this Wiki page is to cut to the chase with useful information for states/tribes to help them save time in submitting a successful application.

For the official EPA information on CROMERR, go to http://www.epa.gov/cromerr/.

State Application Status

As of February 22, 2010, 43 States had submitted 60 applications to U.S. EPA; 15 applications have been approved in 13 States.

The original deadline was October 13, 2008, for submitting CROMERR applications for existing systems of authorized/delegated states/tribes/territories/local governments who receive 40 CFR reports electronically.

On December 24, 2008, a final rule (FR) (PDF) (4 pp, 58 K) to extend the current Cross-Media Electronic Reporting Regulation (CROMERR) deadline for authorized programs (states, tribes, or local governments) with existing electronic document receiving systems became effective. Under §3.1000(a)(3) of CROMERR, authorized program applicants that have an existing electronic document receiving system had until January 13, 2010, to submit their applications for EPA approval of their system under CROMERR.

Any new system being developed must be built to satisfy CROMERR and an application for approval of the system should be submitted at least 6 months prior to its expected deployment.

CROMERR Training and Meeting Announcements

    Past Sessions

March 5, CROMERR Technical Exchange Webinar Slides

Who is required to apply?

CROMERR does not apply to exchanges of data over the Exchange Network between "co-regulators". The rule applies only to how the Network Partner initally obtains the reported data.  Data obtained from the entity required to report (e.g. permit holder) may be subject to CROMERR when it is collected, and may be subsequently delivered to EPA using the Network.  This page recognizes that Exchange Network partners are often connected to online reporting efforts that will receive data from a regulated entity, and so may have an interenst in CROMERR. 

CROMERR could apply to any document submissions required by or permitted under any EPA or authorized program governed by EPA's regulations in Title 40 of the Code of Federal Regulations (CFR), if it is submitted electronically.

Ohio’s process for determining which programs in their agency had to apply is attached.

Ohio information gathering tool for Cover Sheet 2 of CROMERR Application
This tool with 40 CFR report-related information is provided as a reference document for those of you who are preparing applications for approval of upgraded or new CROMERR-compliant systems. It does not only include some priority reports as listed in Appendix 1 of CROMERR but also other 40 CFR reports received electronically. Ohio used this spreadsheet to gather information on its 40 CFR reports received electronically so that we could use it to fill out the 'Cover Sheets 2' of the application where reports are to be identified and listed for what will be received in the CROMERR-compliant system. This list may not cover all reports your state or local government collects. Each agency or department must not only refer to Appendix 1 for the priority reports but also work closely with their internal programs to identify all other 40 CFR reports. Note, Ohio's Solid and Infectious Waste program has no 40 CFR reports but its reports will still be received in our CROMERR-compliant system and so were identified in our exercise for internal management purposes. PLEASE USE THIS AS A REFERENCE TOOL FOR YOUR OWN ORGANIZATION'S EFFORT IN THE 40 CFR REPORT PORTION OF YOUR APPLICATION, if you wish. DO NOT CONSIDER THIS SPREADSHEET ALL INCLUSIVE or COMPLETE FOR ALL 40 CFR REPORTS.

Tips

  • To get on an email list for updates or training notification from the state co-chair, send a request to Adele Vogelgesang, in Ohio.
  • Lab to State: This is a module developed by an EPA contractor to receive information from labs that will go into the SDWIS-state application for drinking water. The module itself is CROMERR compliant. However, a CROMERR application will be required from each state proposing to use it for the following sections.
Item 8 (Transmission Error Checking and Documentation)
States need to implement through SSL and select a version of SSL consistent with their operational environment. If the state elects not to use SSL then they must establish their own business practice to support Item 8 and decribe those.
Item 9c (Providing the Copy of Record)
The primacy agency establishes a retention period (the number of days that the copy of record is retained by the SDWIS/Lab To State after certification) and develop procedure to archive copies of record after the retention period. Also provide means for the laboratories to request and receive copies of record.
Item 18a (True and correct copy of document received)
States must insure one of the following and include their business practice in the system checklist.
  1. At least one of the database to which copy of record is committed is read-only.
  2. Changes to the database are automatically tracked in an audit log (as a system function, not a business practice).
  3. Access to the database is limited to one person.
(as obtained from CROMERR System Checklist for EPA OW SDWIS/Lab To State)
EPA has asked to consult them if any state requires electronic signature on submission via Lab To State.

Successful Applications

Oklahoma

Oklahoma DEQ's application is for all their electronic submittals. It uses PKI, and the application only includes the sections dealing with authentication.

Link to CROMERR Lessons Learned From Oklahoma, including:

Washington

On 8/6/2009 the Ammended Washington CROMERR Solution was Certified or approved by EPA. Formal notification was posted in the Federal Register on Thursday, August 13, 2009 page 40816. The solution is in final beta testing and will be deployed in late 2009 in the new netDRM system.

Since the solution is a set of .net 3.5 controls and other objects the same solution will be used in all CROMERR required systems going forward.

What States/Tribes Are Doing - Sharing Experiences

ECOS has compiled information contributed by States that is designed to help other States successfully apply for CROMERR approval. Please read about State experiences during the application process, State-to-State advice on getting started, and other tips for sending a successful application to EPA. State_CROMERR_Experiences_-_ECOS.pdf
The ECOS map depicts the status of State CROMERR applications nationwide. Media:ECOS_Cromerr_Status_Map_2-22-10.ppt  

STATE Updates

Please update your State's overview. . .or add a brief status on what your State or tribe is doing. To upload a document, go to the left panel, under toolbox (near the bottom), and click on Upload file. Then on the page add a link formatted like this example: File:ND Rgn8ExchNt2008.ppt

Kansas

Kansas submitted an application for eDMR in July 2007. It is poised to be approved soon (status as of 5-20-2008). They have had four to five conference calls with EPA. After one more change, it will go to the Technical Review.

Ohio

Ohio expects to submit its formal application by late October 2008. Ohio built a JAVA-based Web portal, the Ohio EPA eBusiness Center, where most of the 3.2000 CROMERR requirements are met. Existing client-server modules for submitting 40 CFR reports and applications were upgraded to Web-based modules where the remainder of the CROMERR requirements are met. Four programs and nine environmental reports and applications are accommodated via the portal. For more details, click on this document, Ohio CROMERR.

Washington

The Washington State Department of Ecology submitted two formal applications in October of 2008. The first application covers Annual RCRA Handler reporting information, the second is a consolidated application covering all other data systems that will meet CROMERR requirements in the future. Since Ecology has a common platform for all the identified system a corporate collection of objects will be developed that will be shared across all applications. Those objects will provide services for user credential creation and management, the act of signing on to an application, signing a 'document' and creation and management of the Copy of Record. Update as of 6/12/2009 a series of submissions of the applications has taken place over the past 6+ months.

Currently a Formal Submission is being evaluated by EPA. While the checklists have been updated and resubmitted the development of the Washington CROMERR solution has expanded to include server side .net 3.5 controls for credential management and document management. Signing of a document includes a series of classes and web services that manage the COR and associated metadata. The controls, classes and batch reconciliation processes developed will be reusable for all Ecology systems that will require CROMERR compliance. It is planned that this solution will be implemented in fall of 2009 in the new webDMR system. Further with this strategy future systems will be using the same controls and classes and the total time estimated to CROMERR Enable a system will be between two and five days depending on the consuming system. It is understood that the document manage portion which manages attachments for the submission, the credential management, the unique connectionstring management, the hashing and encrypting web service, and signing authorization can be used for other systems that require a second token of authentication beyond what is required in the CROMERR framework.

6/15/2009 - Washington was notified that the updated checklists were complete and that further voting for approval was starting.

7/2/2009 - The first prototype of the CROMERR Solution was presented in Beta to the Business Team to familiarize the different programs with how CROMERR will operate in their future applications.

8/6/2009 - The Ammended Washington CROMERR Solution was Certified or approved by EPA. Formal notification will be noted in the Federal Registry within two weeks after certification.

8/11/2009 - The new Washington webDMR system was presented to the User Group for ths first time. The system fully met the EPA CROMERR Requirements at that point. The solution includes functionality for both signing and finaling a document. Signing is done by an external submission that must meet the EPA CROMERR Rule, and Finaling is done when a report is snail mailed in and Ecology enters the data. All CROMERR rules are in play for both and CORs and associated objects are collected for both processes. The system also includes the ability of the submitter to include a collection of attachments which CROMERR also stores and certifies as part of the submission.

8/14/2009 - Scoping and analysis for the new Ecology Air Emissions Information system concluded that the new system would be built to be fully meet the CROMERR requirements. The new system will use the same CROMERR solution, code, controls, and other objects as webDMR with minimal new code being written. Implementation of the CROMERR soultion into the new system is imagined to take less the 2 weeks by one person an dit may take longer to train the users then it will to add the CROMERR controls to the system.

4/19/2010 - The new Washington webDMR system went into production with full CROMERR functionality on board.

7/13/2010 - Over 5000 reports have been finaled through the paper process, and just over 100 have been signed to date. Numbers of external submissions is increasing over time and we are about to start the process of recruiting and training new users who will submit from the wild.

Wisconsin

The Wisconsin Department of Natural Resources submitted a consolidated application covering our Water, Air, Waste, and Lab program systems. The commonality of our systems, under a portal approach not unlike Ohio's, makes documenting each system repetetive so we took a broad approach that documents individual differences. Our application covers our electronic reporting systems that use ink on paper certification statements, versus electronic signatures. We are working with the states Department of Administration on a new e-Directory with knowledge-based assurance tools that we can use to implement an electronic signature system.

Overview

Some reminders follow for what standards state, tribe, and local government electronic document receiving systems must satisfy:

  1. Timeliness of data generation
  2. Copy of record
  3. Integrity of the electronic document
  4. Submission knowingly
  5. Opportunity to review and repudiate copy of record
  6. Validity of the electronic signature
  7. Binding the signature to the document
  8. Opportunity to review
  9. Understanding the act of signing
  10. The electronic signature or subscriber agreement
  11. Acknowledgment of receipt
  12. Determining the identity of the individual uniquely entitled to use a signature device

CROMERR Rule Extracts

Copy of Record

A system that receives electronic documents submitted in lieu of paper documents to satisfy requirements under an authorized program must be able to generate data with respect to any such electronic document, as needed and in a timely manner, including a copy of record for the electronic document, sufficient to prove, in private litigation, civil enforcement proceedings, and criminal proceedings, that:

  1. The electronic document was not altered without detection during transmission or at any time after receipt;
  2. Any alterations to the electronic document during transmission or after receipt are fully documented;
  3. The electronic document was submitted knowingly and not by accident;
  4. Any individual identified in the electronic document submission as a submitter or signatory had the opportunity to review the copy of record in a human-readable format that clearly and accurately associates all the information provided in the electronic document with descriptions or labeling of the information and had the opportunity to repudiate the electronic document based on this review; and

Electronic Signature

5. In the case of an electronic document that must bear electronic signatures of individuals as provided under paragraph (a)(2) of this section, that:
(i) Each electronic signature was a valid electronic signature at the time of signing;
(ii) The electronic document cannot be altered without detection at any time after being signed;
(iii) Each signatory had the opportunity to review in a human-readable format the content of the electronic document that he or she was certifying to, attesting to or agreeing to by signing;
(iv) Each signatory had the opportunity, at the time of signing, to review the content or meaning of the required certification statement, including any applicable provisions that false certification carries criminal penalties;
(v) Each signatory has signed either an electronic signature agreement or a subscriber agreement with respect to the electronic signature device used to create his or her electronic signature on the electronic document;
(vi) The electronic document receiving system has automatically responded to the receipt of the electronic document with an acknowledgment that identifies the electronic document received, including the signatory and the date and time of receipt, and is sent to at least one address that does not share the same access controls as the account used to make the electronic submission; and

Identity of the Individual

(vii) For each electronic signature device used to create an electronic signature on the document, the identity of the individual uniquely entitled to use the device and his or her relation to any entity for which he or she will sign electronic documents has been determined with legal certainty by the issuing state, tribe, or local government. In the case of priority reports identified in the table in Appendix 1 of Part 3, this determination has been made before the electronic document is received, by means of:
(A) Identifiers or attributes that are verified (and that may be re-verified at any time) by attestation of disinterested individuals to be uniquely true of (or attributable to) the individual in whose name the application is submitted, based on information or objects of independent origin, at least one item of which is not subject to change without governmental action or authorization; or
(B) A method of determining identity no less stringent than would be permitted under paragraph (b)(5)(vii)(A) of this section; or
(C) Collection of either a subscriber agreement or a certification from a local registration authority that such an agreement has been received and securely stored.

Authorized Program

An authorized program that receives electronic documents in lieu of paper documents must ensure that:

  1. A person is subject to any appropriate civil, criminal penalties or other remedies under state, tribe, or local law for failure to comply with a reporting requirement if the person fails to comply with the applicable provisions for electronic reporting.
  2. Where an electronic document submitted to satisfy a state, tribe, or local reporting requirement bears an electronic signature, the electronic signature legally binds or obligates the signatory, or makes the signatory responsible, to the same extent as the signatory’s handwritten signature on a paper document submitted to satisfy the same reporting requirement.
  3. Proof that a particular electronic signature device was used to create an electronic signature that is included in or logically associated with an electronic document submitted to satisfy a state, tribe, or local reporting requirement will suffice to establish that the individual uniquely entitled to use the device at the time of signature did so with the intent to sign the electronic document and give it effect.
  4. Nothing in the authorized program limits the use of electronic documents or information derived from electronic documents as evidence in enforcement proceedings.


Retrieved from "http://www.exchangenetworkwiki.com/wiki/index.php/CROMERR"
Personal tools