[Federal Register Volume 66, Number 170 (Friday, August 31, 2001)]
[Proposed Rules]
[Pages 46162-46195]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 01-21810]
-----------------------------------------------------------------------
Part V
Environmental Protection Agency
-----------------------------------------------------------------------
40 CFR Parts 3, 51, et al.
Establishment of Electronic Reporting: Electronic Records; Proposed
Rule
-----------------------------------------------------------------------
ENVIRONMENTAL PROTECTION AGENCY
40 CFR Parts 3, 51, 60, 63, 70, 123, 142, 145, 162, 233, 257, 258,
271, 281, 403, 501, 745 and 763
[FRL-7045-5]
RIN 2025-AA07
Establishment of Electronic Reporting; Electronic Records
AGENCY: Environmental Protection Agency.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: EPA is proposing to allow electronic reporting to EPA by
permitting the use of electronic document receiving systems to receive
electronic documents in satisfaction of certain document submission
requirements in EPA's regulations. The proposal also sets forth the
conditions under which EPA will allow an electronic record to satisfy
federal environmental recordkeeping requirements in EPA's regulations.
In addition, under today's proposal, States and tribes will be able to
seek EPA approval to accept electronic documents or allow the
maintenance of electronic records to satisfy reporting and
recordkeeping requirements under authorized or delegated environmental
programs that they administer. The proposal includes criteria against
which a State's or tribe's electronic document receiving system will be
evaluated before EPA can approve changes to the authorized program to
allow electronic reporting. Similarly, the proposal includes criteria
against which EPA will evaluate a State's or tribe's provisions for
electronic recordkeeping.
Under today's proposal, electronic document submission or
electronic recordkeeping will be totally voluntary; EPA will not
require the submission of electronic documents or maintenance of
electronic records in lieu of paper documents or records. EPA will only
begin to accept direct submission of an electronic document once EPA
has provided public notice that its electronic document receiving
system is prepared to receive the document in electronic form.
Similarly, EPA will only begin to allow electronic records to satisfy a
specific EPA recordkeeping requirement once EPA has provided public
notice stating that electronic records will satisfy the identified
requirement.
DATES: In order to be considered, comments must be received on or
before November 29, 2001. Comments provided electronically will be
considered timely if they are submitted by 11:59 p.m. (Eastern time)
November 29, 2001.
ADDRESSES: Comments should be addressed to the United States
Environmental Protection Agency, Enforcement and Compliance Docket and
Information Center, (Mail Code 2201A), Attn: Docket Number EC-2000-007,
1200 Pennsylvania Avenue NW., Washington, DC, 20460. Commenters are
also requested to submit an original and 3 copies of their written
comments as well as an original and 3 copies of any attachments,
enclosures, or other documents referenced in the comments. Commenters
who would like EPA to acknowledge receipt of their comments should
include a self-addressed, stamped envelope. All comments must be
postmarked or delivered by hand by November 29, 2001. No facsimiles
(faxes) will be accepted. Public comments and supporting materials are
available for viewing in the Enforcement and Compliance Docket and
Information Center, located at 1200 Pennsylvania Avenue, NW., (Ariel
Rios Building), 2nd Floor, Room 2213, Washington, DC 20460. The
documents are available for viewing from 9 a.m. to 4 p.m., Monday
through Friday, excluding federal holidays. To review docket materials,
it is recommended that the public make an appointment by calling (202)
564-2614 or (202) 564-2119. The public may copy a maximum of 266 pages
from any regulatory document at no cost. Additional copies cost $0.15
per page. The rule and some supporting materials are also available
electronically on the Internet for public review, using a www browser
type, at http://www.epa.gov/.
EPA will also accept comments electronically. Comments should be
addressed to the following Internet address: [email protected].
Electronic comments must be submitted as an ASCII, WordPerfect 5.1/6.1/
8 format file and avoid the use of special characters or any form of
encryption. Comments in electronic format should also be identified by
the docket number EC-2000-007. Electronic comments will be transferred
into a paper version for the official record. EPA will attempt to
clarify electronic comments if there is an apparent error in
transmission. Comments provided electronically will be considered
timely if they are submitted electronically by 11:59 p.m. (Eastern
time) November 29, 2001.
FOR FURTHER INFORMATION CONTACT: For general information on this
proposed rule, contact the docket above. For more detailed information
on specific aspects of this rulemaking, contact David Schwarz (2823),
Office of Environmental Information, U.S. Environmental Protection
Agency, 1200 Pennsylvania Avenue NW, Washington, DC 20460, (202) 260-
2710, [email protected], or Evi Huffer (2823), Office of
Environmental Information, U.S. Environmental Protection Agency, 1200
Pennsylvania Avenue NW., Washington, DC 20460, (202) 260-8791,
[email protected].
SUPPLEMENTARY INFORMATION: Affected Entities. This rule will
potentially affect State and local governments which have been
authorized or which seek authorization to administer a federal
environmental program under Title 40 of the Code of Federal
Regulations. The rule will also potentially affect private parties
subject to any requirements in Title 40 of the Code of Federal
Regulations that a document be created, submitted, or retained.
Affected Entities include:
------------------------------------------------------------------------
Category Examples of affected entities
------------------------------------------------------------------------
Local government.................. Publicly Owned Treatment Works,
owners and operators of treatment
works treating domestic sewage,
local and regional air boards,
local and regional waste management
authorities, municipal and other
drinking water authorities.
Private........................... Industry owners and operators, waste
transporters, privately owned
treatment works or other treatment
works treating domestic sewage,
privately owned water works, small
businesses of various kinds,
sponsors such as laboratories that
submit or initiate/support studies,
and testing facilities that both
initiate and conduct studies.
State government.................. States or Tribes that manage any
federal environmental programs
authorized/approved by EPA under
Title 40 of the Code of Federal
Regulations.
Federal government................ Federally owned treatment works and
industrial dischargers; federal
facilities subject to hazardous
waste regulation.
------------------------------------------------------------------------
This table is not intended to be exhaustive, but rather provides a
guide for readers regarding entities likely to be affected by this
action. This table lists the types of entities that EPA is now aware
can potentially be affected by this action. Other types of entities not
listed in the table can also be affected. Note that while this proposal
will affect entities involved with hazardous waste management, it does
not apply to the Hazardous Waste Manifest, which EPA is addressing in a
separate electronic reporting rule. If you have questions regarding the
applicability of this action to a particular entity, consult the person
listed in the preceding FOR FURTHER INFORMATION CONTACT section.
Information in the preamble is organized as follows:
I. Overview
A. Why does the Agency want to allow electronic reporting and
record-keeping?
B. What will the proposed regulations do?
II. Background
A. What is EPA's current electronic reporting policy?
B. How will today's proposal change EPA's current electronic
reporting policy?
C. Why is EPA proposing these changes in electronic reporting
policy?
D. What is EPA's approach to electronic record-keeping?
E. What information is EPA seeking about electronic reporting
and record-keeping proposals?
F. How were stakeholders consulted in developing today's
proposal?
III. Scope of Today's Proposal
A. Who may submit electronic documents and maintain electronic
records?
B. How does today's proposal relate to the new E-SIGN
legislation?
C. Which documents can be filed electronically?
D. Which records can be maintained electronically?
E. How will today's proposal implement electronic reporting and
record-keeping?
IV. The Requirements in Today's Proposal
A. What are the proposed requirements for electronic reporting
to EPA?
B. What requirements must electronically maintained records
satisfy?
1. General approach.
2. EPA's proposed criteria for electronic record-retention
systems.
3. Electronic records associated with electronic signatures.
4. The relation of these requirements to Food and Drug
Administration (FDA) criteria under 21 CFR part 11.
5. Storage media issues.
6. Additional options.
C. What is the process that EPA will use to certify State
systems as functionally equivalent to the CDX?
D. What criteria are EPA proposing that State electronic report
receiving systems must satisfy?
1. General system-security requirements.
2. Electronic signature method.
3. Submitter registration process.
4. Electronic signature/certification scenario.
5. Transaction record.
6. System archives.
E. What are the costs and benefits associated with today's
proposal?
V. The Central Data Exchange (CDX)
A. What is EPA's concept of the CDX?
B. What are the CDX building blocks?
1. Public key infrastructure (PKI)-based digital signatures.
2. The CDX registration process.
3. The CDX architecture.
4. Electronic data interchange (EDI) standards.
5. The transaction environment.
VI. Regulatory Requirements
A. Executive Order 12866
B. Executive Order 13132
C. Paperwork Reduction Act
D. Regulatory Flexibility Act
E. Unfunded Mandates Reform Act
F. National Technology Transfer and Advancement Act
G. Executive Order 13045
H. Executive Order 13175
I. Executive Order 13211 (Energy Effects)
I. Overview
A. Why Does the Agency Want To Allow Electronic Reporting and Record-
Keeping?
More than ten years ago, EPA published a notice entitled:
``Electronic Reporting at EPA: Policy on Electronic Reporting,'' (FRL-
3815-4) announcing the goal of making electronic reporting available
under EPA regulatory programs. We gave as reasons for this goal our
expectation that enabling the submission and storage of electronic
documents in lieu of paper documents can:
Reduce the cost for both sender and recipient,
Improve data quality by automating quality control
functions and eliminating rekeying, and
Greatly improve the speed and ease with which the data can
be accessed by all who need to use it.
Electronic reporting and record-keeping have a strong mandate in
federal policy and law. As stated in the March, 1996, Reinventing
Environmental Information Report, electronic reporting supports the
President's overall regulatory re-invention goals of reducing the
burden of compliance and streamlining regulatory reporting. In
addition, the Government Paperwork Elimination Act (GPEA) of 1998,
Public Law 105-277, requires that agencies be prepared to allow
electronic reporting and recordkeeping under their regulatory programs
by October 21, 2003. Given the enormous strides in data transfer and
management technologies since 1990--particularly in connection with the
Internet--replacing paper with electronic data transfer now promises
increased productivity across almost all facets of business and
government.
B. What Will the Proposed Regulations Do?
The proposed rule will remove existing regulatory obstacles to
electronic reporting and record-keeping across a broad spectrum of EPA
programs, and establish requirements to assure that electronic
documents and electronic records are--for all purposes--as valid and
authentic as their paper counterparts. These proposed requirements will
apply to regulated entities that choose to submit electronic documents
and/or keep electronic records, and under today's proposal, the choice
of using electronic rather than paper for future reports and records
will remain purely voluntary. Today's proposal will not amend
compliance requirements under existing regulations and statutes and
will not affect whether a document must be created, submitted, or
retained under the existing provisions of Title 40 of the Code of
Federal Regulations. Similarly, today's proposal will not affect the
period of required record-retention, whether the stored electronic
document must be signed, who is entitled to receive copies of the
record, the number of copies that must be maintained, or any other
requirements imposed by the underlying EPA, State, tribal or local
program regulations. Public access to environmental compliance
information will not be adversely affected by today's proposal.
Electronic reporting and record-keeping provisions in this proposal
will provide for continued public access to electronic documents
equivalent to that provided for paper records under existing law.
For purposes of this proposal, EPA is using the term ``electronic
reporting'' in a sense that excludes submission of a report via
magnetic media, for example via diskette, compact disk, or tape; we are
also excluding transmission via hard copy facsimile or ``fax''.
Likewise, our use of the term ``electronic document'' throughout this
Notice refers exclusively to documents that are transmitted via a
telecommunications network, excluding hard copy facsimile. However,
this proposal's exclusion of magnetic media submissions in no way
indicates EPA's rejection of this technology as a valid approach to
paperless reporting; we believe that in many cases magnetic media
submission fulfills the goals of the Government Paperwork Elimination
Act (GPEA). Many EPA programs have successfully used magnetic media
submissions to implement their regulatory reporting,
including Hazardous Waste, Toxic Release Inventory, and Pesticide
Registration. EPA expects these magnetic media approaches to paperless
reporting to continue, and nothing in today's proposal should be
understood to proscribe them.
For regulated entities that choose to submit electronic documents
directly to EPA, today's proposal will require that these documents be
submitted to a centralized Agency-wide electronic document receiving
system, called the `Central Data Exchange' (CDX), or to alternative
systems designated by the Administrator. Regulated entities that wish
to submit electronic documents directly to EPA will satisfy the
requirements in today's proposal by successfully submitting their
reports to the CDX. While we do not intend to codify any of the details
of how CDX operates or how it is constructed, EPA does solicit comments
on the characteristics of the CDX and the submission scenarios
described in this preamble. In addition, the CDX design specifications
will be included as a part of this rulemaking docket. For regulated
entities that choose to keep records electronically, today's proposal
requires the adoption of best practices for electronic records
management. Importantly, today's proposal will not authorize the
conversion of existing paper documents to an electronic format for
record-retention purposes because no mechanism currently exists that
can be relied upon in all cases to preserve the forensic data in an
existing paper document when it is converted to an electronic form.
However, today's proposal does not prohibit such conversions at the
Administrator's discretion on a case-by-case basis.
Many facilities do not submit documents directly to EPA, but rather
to States, tribes or local governments that are approved, authorized or
delegated to administer a federal environmental program on EPA's behalf
or to administer a state environmental program in lieu of the federal
regulatory program in that State. We will refer to these as
``authorized State and tribal programs.'' This proposal will allow for
EPA approval of changes to authorized State and tribal programs to
provide for electronic reporting, and EPA approval will be based
largely on an assessment of the State's or tribe's ``electronic
document receiving system'' that will be used to implement the
electronic reporting provisions. For this purpose, today's proposal
includes detailed criteria that EPA will use to determine that an
electronic document receiving system is acceptable. These criteria
address such issues as system security, the approach to electronic
signature and certification, chain-of-custody and archiving, including
provisions that address how a State, tribe or local government manages
electronic records that are directly associated with its electronic
document receiving system, as well as certain data transfers between
this system and regulated entities. Beyond this, today's proposal does
not address State, tribal or local government electronic recordkeeping
or data transfers carried out to administer their authorized programs.
Today's proposal does not address any data transfers between EPA and
States or tribes as a part of administrative arrangements to share
data. Finally, it is worth noting that EPA can approve changes to
authorized State or tribal programs that involve the use of CDX to
receive data submissions from their regulated communities. CDX has been
designed with the goal of fully satisfying the criteria that this
proposal specifies for assessing State or tribal electronic document
receiving systems; similarly, EPA will ensure that other systems the
Administrator designates to receive electronic submissions will satisfy
the criteria as well. In view of this, EPA is exploring opportunities
to leverage CDX resources for use by States, tribes and local
environmental agencies.
Similarly, many facilities maintain records to satisfy the
requirements of authorized State and tribal programs. This proposal
will also allow for EPA approval of changes to authorized State and
tribal programs to provide for electronic record-keeping. EPA approval
in this case will be based on a determination that the State's or
tribe's program will require best practices for electronic records
management, corresponding to EPA's provisions for electronic records
maintained to satisfy EPA recordkeeping requirements.
For both document submission and record-keeping, the point of the
proposed requirements is primarily to ensure that the authenticity and
integrity of these documents and records are preserved as they are
created, submitted, and/or maintained electronically, so that they
continue to provide strong evidence of what was intended by the
individuals who created and/or signed and certified them. Among other
things, today's proposal is intended to ensure that the federal laws
regarding the falsification of information submitted to the government
still apply to any and all electronic transactions, and that fraudulent
electronic submissions or record-keeping can be prosecuted to the
fullest extent of the law. In establishing clear requirements for
electronic reporting systems and electronic records, this proposed rule
will help to minimize fraud by assuring that the responsible
individuals can be readily identified.
While today's proposal will remove regulatory obstacles to
electronic reporting and record-keeping, EPA will make electronic
submission available as an option for specific reports or other
documents only as the systems become available to receive them.
Similarly, EPA will make electronic recordkeeping available as an
option for specific record-keeping requirements only as programs become
ready to adopt this change. In the case of electronic reporting, EPA
plans to move aggressively toward implementation of CDX for high volume
environmental reports submitted directly to EPA. EPA will publish
announcements in the Federal Register as CDX and other systems become
available for particular environmental reports and as programs become
ready to make electronic recordkeeping an option. These points are
discussed in more detail in Section III.C and D of this Preamble. To
implement electronic reporting and recordkeeping under authorized State
and tribal programs, EPA also plans to work with interested States and
tribes to approve the necessary program changes as quickly and
expeditiously as possible.
II. Background
A. What Is EPA's Current Electronic Reporting Policy?
On September 4, 1996, EPA published a document entitled ``Notice of
Agency's General Policy for Accepting Filing of Environmental Reports
via Electronic Data Interchange (EDI)'' (61 FR 46684) (hereinafter
referred to as ``the 1996 Policy''), where ``EDI'' generally refers to
the transmission, in a standard syntax, of unambiguous information
between computers of organizations that may be completely external to
each other (61 FR at 46685). This notice announced our basic policy for
accepting electronically submitted environmental reports, and its scope
was intended to include any regulatory, compliance, or informational
(voluntary) reporting to EPA via EDI.
In the context of EDI, the ``syntax'' of the computer-to-computer
transmissions may be thought of as the structure or format of the
transmitted data files. And, ``format'' here refers to such things as
the ordering and labeling of the individual elements of data, the
symbol used to separate elements, the way that related elements are
grouped together, and so on. For example, for a file consisting of
people's names, a simple
format specification might be that (i) the elements occur in order:
first-name, middle-name, last-name; (ii) the elements are labeled,
respectively, ``F'', ``M'', and ``L''; (iii) each group of first,
middle and last names is separated by a semi-colon; and (iv) there is a
comma between any two elements in a group.
For purposes of the 1996 policy, the standard transmission formats
used by EPA were to be based on the EDI standards developed and
maintained by the American National Standards Institute (ANSI)
Accredited Standards Committee (ASC) X12. By linking our approach to
the ANSI X12 standards, we hoped to take advantage of the robust ANSI-
based EDI infrastructure already in place for commercial transactions,
including a wide array of commercial off-the-shelf (COTS) software
packages and communications network services, and a growing industry
community of EDI experts available both to EPA and to the regulated
community. At the time EPA was writing this policy, ANSI-based EDI was
arguably the dominant mode of electronic commerce across almost all
business sectors, from aerospace to wood products, at least in the
United States. EDI was also widely used in the Federal Government, most
notably at the Department of Defense, but also, increasingly, at other
agencies, including the Social Security Administration, the General
Services Administration, the Department of Transportation, the Health
Care and Finance Administration, the Department of Housing and
Urban Development, and the Department of Health and Human Services.
However, as the 1996 policy made clear, no specific EPA reporting
requirement can be satisfied via EDI until the Agency develops the
corresponding program-specific implementation guidance (61 FR 46686).
This guidance generally needs to do at least three things. First, it
needs to address such procedural matters as the interactions with the
communications network (for EDI purposes, usually stipulated as a
controlled-access, ``value-added network'' or ``VAN''), schedule for
submissions and acknowledgments, transaction records to be maintained,
and so on. Second, it needs to stipulate the specific ANSI X12 standard
transmission formats--referred to as ``transaction sets''--to be used
for the specified reports. This stipulation is essential, since ANSI
provides hundreds of different transaction sets, each corresponding to
a distinct type of commercial document, e.g. invoices, purchase orders,
shipping notices, product specifications, reports of test results, and
so on. Third, the guidance also needs to say how the stipulated
transaction sets are to be interpreted. X12 transaction sets are
generally designed to be somewhat generic--they typically leave a
number of their components as ``optional'', and use data-element
specifications that are open to multiple interpretations. (For a more
detailed explanation of EDI and these implementation guidance
documents, see section V.B.4 of this preamble.)
Given a public notice that the applicable implementation guidance
is ready, the September, 1996, policy allows facilities to submit
required reports electronically using EDI once they enter into a Terms
and Conditions Agreement (TCA) with the Agency (61 FR 46685). Where the
report in question requires a responsible individual at a facility to
certify to the truthfulness of the submitted data, the TCA must provide
for the use of a Personal Identification Number (PIN) as a form of
electronic signature. Under the policy, the individual entering into
the TCA is required to use a PIN assigned by EPA for this purpose (61
FR 46685). Finally, under the TCA, the facility is required to adhere
to security and audit requirements as described in the notice (61 FR
46687).
Finally, the 1996 policy also explained that the various programs
may require additional security procedures on a program-by-program
basis (61 FR 46684). Such procedures may be covered in the program-
specific implementation guidance, or can be provided through rule-
making.
B. How Would Today's Proposal Change EPA's Current Electronic Reporting
Policy?
For practical purposes, the most important changes that today's
proposal makes to current policy are in our technical approach to
electronic reporting. Generally, we propose to greatly broaden the
options available for electronic submission of data. For example, while
we will continue to support data transfer via standards-based EDI (as
explained in section V.B.4 of this preamble), we will also provide
options involving user-friendly ``smart'' electronic forms to be filled
out on-line, on the Internet, or downloaded for completion off-line at
the user's personal computer. In addition, we propose to support data
transfers through the Internet, via email, or via on-line interactions
with Web sites, in a variety of common application-based formats, such
as those output by spreadsheet packages. In terms of electronic
signature technology, while we may continue to allow PIN-based
approaches, our plan is to emphasize digital signatures based on
``public key infrastructure'' (PKI) certificates, given the increasing
support for--and acceptance of--PKI for commercial purposes. (For an
explanation of PKI, see Section V.B.1 of this preamble.) And, we plan
to consider and allow for other signature technologies as they become
viable for our applications.
This proposal also represents some important changes in EPA's
regulatory strategy. To begin with, we are proposing to abandon
any attempt to use regulations or formal policies to place technology-
specific or procedural requirements on regulated entities submitting
electronic documents. In place of the technology-specific/procedural
provisions, our regulation will require that electronic submissions be
made to designated EPA systems, or to State, tribal or local government
systems that are determined to satisfy a certain set of function-based
criteria. Thus, as a rulemaking, today's proposal will govern
electronic reporting by placing requirements on the systems that
receive the electronic documents--rather than on the regulated entities
submitting them--and by specifying these requirements in terms of
technology-neutral functionality.
This new regulatory strategy does not mean that we are proposing to
abandon any control over how electronic documents are submitted. We are
proposing instead to require the use of the ``Central Data Exchange''
(CDX) system or other EPA designated systems for submissions to EPA.
While the rule may be technology-neutral, CDX itself will incorporate a
suite of very specific technologies, including digital signatures based
on ``public key infrastructure'' (PKI) certificates, described in
detail below. In addition, while the rule itself will not require more
than the use of CDX for electronic submissions to EPA, using CDX will--
as a practical matter--impose a very well-determined set of
requirements on the reporting process for those who choose electronic
submission instead of paper when reporting directly to EPA. Section V
of this preamble will describe these requirements in some detail.
These changes in strategy are significant. They represent a
decision that the mechanics of electronically submitting data should
not be reflected in specific regulatory provisions. In addition, these
changes give EPA the flexibility to adapt our electronic reporting
systems to evolving technologies without having to amend our
regulations with each technological innovation. That is, CDX or other
designated systems can be changed as appropriate, so long as they
continue to satisfy the function-based criteria that the rule
establishes. In general, we believe that this strategy will enable EPA,
the States and tribes to offer regulated companies a very user-friendly
approach to electronic reporting that can be tailored to the level of
automation they wish to achieve, and can incorporate improved
technologies as they become available without the delay associated with
rulemaking.
C. Why Is EPA Proposing These Changes in Electronic Reporting Policy?
EPA is proposing these changes for three reasons. First, and most
important, the technology environment has changed substantially since
the September, 1996, policy was written. Web-based electronic commerce
and Public Key Infrastructure (PKI) provide two obvious examples. While
both were available and in use for some purposes in 1996, they had not
yet achieved the level of acceptance and use that they enjoy today. We
could not have anticipated in 1996 that this evolution would occur as
rapidly as it has. Clearly, these developments require that we extend
our approach to electronic reporting beyond EDI and PINs. In addition,
they teach us that it is generally unwise to base regulatory
requirements on the existing information technology environment or on
assumptions about the speed and direction of technological evolution.
Second, we believe that technology-specific provisions would, of
necessity, be very complex and unwieldy. The resulting regulation would
likely place unacceptable burdens on regulated entities trying to
understand and comply with it, and might also be difficult for EPA to
administer and enforce.
Third, and finally, an electronic reporting architecture that makes
a centralized EPA, State or tribal system the platform for such
functions as electronic signature/certification is now quite viable--
and quite consistent with the standard practices of Web-based
electronic commerce. In many ways, regulated entities' electronic
transactions with the ``Central Data Exchange'' (CDX) will be similar
to doing business with an on-line travel agency, book store, or
brokerage, and with a similar client-server architecture. Given the
state of technology five years ago, we could not have considered this
approach in the September, 1996, policy.
D. What Is EPA's Approach to Electronic Record-Keeping?
Today's proposal sets forth the criteria under which the Agency
considers electronic records to be trustworthy, reliable, and generally
equivalent to paper records in satisfying regulatory requirements. The
intended effect of this proposed rule is to permit use of electronic
technologies in a manner that is consistent with EPA's overall mission
and that preserves the integrity of the Agency's enforcement
activities.
E. What Information Is EPA Seeking About Electronic Reporting and
Record-Keeping Proposals?
In proposing to allow regulated entities to submit electronic
documents and maintain electronic records, EPA has, at least, the
following three goals:
- To reduce the cost and burden of data transfer and
  maintenance for all parties to the data exchanges;
- To improve the data--and the various business processes
  associated with its use--in ways that may not be reflected directly in
  cost-reductions, e.g. through improvements in data quality, and the
  speed and convenience with which data may be transferred and used; and
- To maintain or improve the level of corporate and
  individual responsibility and accountability for electronic reports and
  records that currently exists in the paper environment.
EPA is seeking comment and information on how well today's proposed
regulatory provisions and the associated Central Data Exchange
infrastructure will serve to fulfill these three goals. Concerning the
first--addressing cost and burden--EPA is particularly interested in
and seeks comment on whether today's proposal will make electronic
reporting and record-keeping a practical and attractive option for
smaller regulated entities, especially small businesses. Concerning the
second--addressing the data and the associated business process--we are
especially interested in comments on how our proposed approach to
electronic reporting and record-keeping will affect third parties, for
example State and local agencies that may collect and/or use the data
in implementing EPA programs as well as members of the public who have
an interest in the data as concerned citizens.
Concerning our third goal, it is essential that we continue to
ensure sufficient personal and corporate responsibility and
accountability in the submission of electronic reports and the
maintenance of electronic records; otherwise we place at risk the
continuing viability of self-monitoring and self-reporting that
provides the framework for compliance under most of our environmental
programs. Therefore, EPA is especially interested in any concerns or
issues that commenters may wish to raise about the effect that moving
from paper to the electronic medium may have on this compliance
structure--as well as assessments of the approaches EPA is proposing to
address these concerns.
F. How Were Stakeholders Consulted in Developing Today's Proposal?
Today's proposal reflects more than eight years of interaction with
stakeholders--including State and local governments, industry groups,
the legal community, environmental non-government organizations, ANSI
ASC X12 sub-committees, and other federal agencies. Many of our most
significant interactions involved electronic reporting pilot projects
conducted with State agency partners, including the States of
Pennsylvania, New York, Arizona, and several others. In addition, over
a two-year period beginning in May, 1997, EPA worked together with
approximately 35 States on the State Electronic Commerce/Electronic
Data Interchange Steering Committee (SEES) convened by the National
Governors' Association (NGA) Center for Best Practices (CBP). The
product of the SEES effort was a document entitled, ``A State Guide for
Electronic Reporting of Environmental Data,'' available in the docket
for this rulemaking, along with reports on some of the more recent
state/EPA electronic reporting pilots. Information on SEES is also
available at: www.nga.org/CBP/Activities/EnviroReporting.asp. Today's
proposal has benefitted greatly from the SEES discussions, and EPA
believes that the proposal is generally consistent with the SEES
``State Guide''.
Beginning in June, 1999, EPA also sponsored a series of conferences
and meetings with the explicit purpose of seeking stakeholder advice on
today's rulemaking. These included:
- The Symposium on Legal Implications of Environmental
  Electronic Reporting, June 23-25, 1999, convened by the Environmental
  Law Institute;
- Two NGA-convened State meetings, held in Cleveland, April
  11-12, 2000, and in Phoenix, June 1-2, 2000; and
- Two public meetings, held in Chicago, June 6, 2000, and in
  Washington, D.C., July 11, 2000.
Reports of these conferences and meetings are also available in the
rulemaking docket.
III. Scope of Today's Proposal
A. Who May Submit Electronic Documents and Maintain Electronic Records?
Any regulated company or other entity that submits documents
addressed by today's proposal (see section III.B., below) directly to
EPA can submit them electronically as soon as EPA announces that the
Central Data Exchange or a designated alternative system is ready to
receive these reports. Any regulated company or other entity that
maintains records addressed by today's proposal (see section III.C.,
below) under EPA regulations can store them in an electronic form
subject to the proposed criteria for electronic record-keeping as soon
as EPA announces that the specified records may be kept electronically.
As noted in section I.B of this preamble, the rule will not authorize
the conversion of existing paper records to an electronic format.
Regulated companies or other entities that submit documents or maintain
records under authorized State or tribal programs may submit or
maintain them electronically as soon as EPA approves the changes to the
authorized programs that are necessary to implement the State's or
tribe's provisions for electronic reporting or recordkeeping.
Under today's proposal, the entities that can use electronic
reporting and record-keeping will not be required to do so; they can
still use the medium of paper for document submissions and records if
they choose. Nonetheless, nothing in this proposal will prohibit State,
tribal or local authorities from requiring electronic reporting or
record-keeping under applicable State, tribal and local law.
B. How Does Today's Proposal Relate to the New E-SIGN Legislation?
The environmental reports and records that are the subject of this
rule are generally not subject to the recently enacted ``Electronic
Signatures in Global and National Commerce Act of 2000'' (``E-SIGN'' or
``the Act''), Public Law 106-229, because most of these governmentally-
mandated documents are not amongst the ``transactions'' to which E-SIGN
applies. However, the EPA has authority to permit electronic reporting
under the statutes it administers and under the Government Paperwork
Elimination Act (GPEA) of 1998, Public Law 105-277, http://ec.fed.gove/gpedoc.htm. E-SIGN establishes the legal equivalence between: (1)
Contracts written on paper and contracts in electronic form; (2) pen-
and-ink signatures and electronic signatures; and (3) other legally-
required written documents (termed ``records'' in the statute) and the
same information in electronic form. As a general rule, if parties to a
transaction in interstate commerce choose to use electronic signatures
and records, E-SIGN grants legal recognition to those methods. E-SIGN
provides that no contract, signature, or record relating to such a
transaction shall be denied legal effect solely because it is in
electronic form, nor may such a document be denied legal effect solely
because an electronic signature or record was used in its formation.
GPEA also provides such language for government filings covered by this
rule and provides similar legal validity for associated electronic
signatures. When E-SIGN takes effect on October 1, 2000, statutes or
agency rules containing paper-based requirements that might otherwise
deny effect to electronic signatures and records in consumer,
commercial or business transactions between two or more parties will be
superseded. E-SIGN does, however, permit federal and State agencies to
set technology-neutral standards and formats for the submission and
retention of electronic documents.
E-SIGN applies broadly to commercial, consumer, and business
transactions in or affecting interstate or foreign commerce, including
transactions regulated by both federal and State government. However,
the conferees who drafted this legislation specifically excluded
``governmental transactions'' from the definition of transactions that
are subject to E-SIGN; accordingly, E-SIGN does not cover transactions
that are uniquely governmental, such as the transmission of a
compliance report to a federal or State agency. Nonetheless, E-SIGN
does cover documents that are created in a commercial, consumer, or
business transaction, even if those documents are also submitted to a
governmental agency or retained by the regulated community for
governmental purposes. For example, an insurance contract that is
commemorated in an electronic document will be covered by the
provisions of E-SIGN, even if EPA or an authorized State requires that
the policy-holder maintain proof of insurance as part of a federal or
State environmental program. In order to ensure that these documents
will meet governmental needs, the Act permits the government to set
technology-neutral standards and formats for such records. In order
that governmental agencies have time to promulgate these standards and
formats, E-SIGN has a delayed effective date for its record-retention
provisions of March 1, 2001. If a federal or State regulatory agency
has proposed a standard or format for document retention by March 1,
2001, the Act will take effect with respect to those records on June 1,
2001.
C. Which Documents Could Be Filed Electronically?
With the exception of the Hazardous Waste Manifest (which EPA is
addressing in a separate electronic reporting rule), today's proposal
addresses document submissions required by or permitted under any EPA
or authorized State, tribal or local program governed by EPA's
regulations in Title 40 of the Code of Federal Regulations (CFR).
Nonetheless, EPA will need time to develop the hardware and software
components required for each individual type of document. Similarly,
EPA will need time to evaluate State, tribal, and local electronic
document receiving systems to ensure that they meet the criteria
articulated in today's proposal. Accordingly, once this rule takes
effect, documents subject to this rule submitted directly to EPA can
only be submitted electronically after EPA announces in the Federal
Register that the Central Data Exchange (CDX) or an alternative system
is ready to receive them. Documents subject to this rule submitted
under an authorized State or tribal program can only be submitted
electronically once EPA has approved the necessary changes to the
authorized program.
Both in developing the CDX, and in approving changes to authorized
State and tribal programs related to electronic reporting, EPA plans to
give priority to receipt of the relatively high volume environmental
compliance reports that do not involve the submission of confidential
business information (CBI). EPA believes that receipt of electronically
transmitted CBI requires considerably stronger security measures than
the initial version of CDX may be able to support, including provisions
for encryption. While EPA does plan to enhance CDX to accommodate CBI,
we will first want to gain experience implementing CDX in the non-CBI
arena and also take the time to explore CBI security issues with
companies that submit confidential data. EPA seeks comments and advice
on priorities for electronic reporting implementation. EPA also seeks
comments on this proposal's global approach, and whether specific
exclusions should be added to the rule.
D. Which Records Can Be Maintained Electronically and Which Can Not?
Today's proposal addresses records that EPA or authorized State,
tribal or local programs require regulated entities to maintain under
any of the environmental programs governed by Title 40 of the CFR or
related State, tribal and local laws and regulations. Nonetheless,
individual EPA programs may need additional time to consider more
specific provisions for administering the maintenance of electronic
records under their regulations. Similarly, EPA will need time to
evaluate State, tribal, and local programs' provisions for
administering electronic records maintenance to ensure that such
records will meet the criteria articulated in today's proposal.
Accordingly, once this rule takes effect, any records subject to
this rule submitted directly to EPA can only be maintained
electronically after EPA announces in the Federal Register that EPA is
ready to allow electronic records maintenance to satisfy the specified
record-keeping requirements. Records subject to this rule maintained
under an authorized State or tribal program can only be maintained
electronically once EPA has approved the necessary changes to the
authorized program. Electronic records specified in such Federal
Register announcements or authorized program changes can be
maintained in lieu of paper records so long as they meet the
requirements in this proposal, unless paper records are specifically
required in regulations promulgated on or after promulgation of this
final rule. However, today's proposal will not apply to paper records
that are already in existence--whether these are maintained under EPA
programs or under authorized State, tribal or local programs--and will
not provide that any of these paper records can be converted to an
electronic format. In addition, today's proposal does not address
contracts, grants, or financial management regulations contained in
Title 48 of the CFR. EPA is addressing such procurement-related
activities separately. Accordingly, today's proposal does not apply to
records maintained under these Title 48 regulations, whether this
record-keeping was administered by EPA or by a State, tribal or local
program under EPA authorization.
E. How Would Today's Proposal Implement Electronic Reporting and
Record-Keeping?
EPA proposes our overall policy and requirements for electronic
reporting and record-keeping as a new 40 CFR part 3, which consists of
four (4) Subparts. Subpart A provides that any reporting requirement in
Title 40 can be satisfied with an electronic submission to EPA that
meets certain conditions (specified in Subpart B) once EPA publishes a
notice that electronic document submission is available for this
requirement. Similarly, Subpart A provides that any record-keeping
requirement in Title 40 can be satisfied with electronic records that
meet certain conditions (specified in Subpart C) once EPA publishes a
notice that electronic record-keeping is available for this
requirement. Subpart A also provides that electronic reporting and
record-keeping can be made available under EPA-authorized State, tribal
or local environmental programs as soon as EPA approves the necessary
changes to these authorized programs (in accordance with Subpart D). In
addition, subpart A makes clear: (1) That electronic document
submission or record-keeping, while permissible under the terms of this
part, will not be required; and (2) that this regulation will confer no
right or privilege to submit data electronically and will not obligate
EPA or State, tribal or local agencies to accept electronic data except
as provided under this regulation.
Subpart B sets forth the general requirements for acceptable
electronic documents submitted to EPA. It provides that electronic
documents must be submitted either to EPA's Central Data Exchange (CDX)
or other EPA designated systems. It also includes general requirements
for electronic signatures. Subpart C sets forth requirements that
regulated entities must satisfy if they wish to maintain their
electronic records in satisfaction of EPA record-keeping requirements.
Finally, subpart D sets forth the process and criteria for EPA approval
of changes to authorized State, tribal and local environmental programs
to allow electronic document submissions or record-keeping to satisfy
requirements under these programs. With respect to electronic document
submissions, subpart D includes detailed criteria for acceptable State,
tribal or local agency electronic document receiving systems against
which EPA will assess authorized program implementations of electronic
reporting.
The table below describes the applicability of each of these
proposed new subparts.
------------------------------------------------------------------------
Subpart                             Applicability
------------------------------------------------------------------------
A. General Provisions.............. Companies and other entities
                                    regulated under Title 40 of the
                                    Code of Federal Regulations, and
                                    State, tribal and local agencies
                                    with electronic document receiving
                                    systems used to receive documents
                                    under their authorized programs.
B. Electronic Reporting to EPA..... Companies and other entities
                                    regulated under Title 40 of the
                                    Code of Federal Regulations.
C. Electronic Record-keeping under  Companies and other entities
   EPA Programs.................... regulated under Title 40 of the
                                    Code of Federal Regulations.
D. Approval of Electronic           State, tribal and local agencies
   Reporting and Record-keeping     with electronic document receiving
   under State Programs............ systems or electronic record-
                                    keeping programs for which EPA
                                    approval is required.
------------------------------------------------------------------------
Given the proposed provisions of Subpart A, a regulated entity
wishing to determine whether electronic reporting or record-keeping was
available under some specific regulation will have to verify that EPA
has published a Federal Register notice announcing their availability
and will have to locate any additional provisions or instructions
governing the electronic option for the particular reporting or record-
keeping requirements. EPA seeks comments on whether the new Part 3
should include specific cross-references to such announcements and
instructions to the extent that these are codified elsewhere in Title
40. The cross references could be organized by CFR subparts of Title
40, and could provide a simple listing of program-specific regulations
for which EPA has implemented electronic reporting or record-keeping
under the provisions of today's proposal. EPA invites suggestions on
the most helpful cross-referencing scheme.
IV. The Requirements in Today's Proposal
A. What Are the Proposed Requirements for Electronic Reporting to EPA?
Today's proposal specifies just two requirements for electronic
reporting to
EPA. First, electronic documents must be submitted to an appropriate
EPA electronic document receiving system; generally this will be EPA's
Central Data Exchange (CDX), although EPA can also designate additional
systems for the receipt of electronic documents. Second, where an
electronic document must bear a signature under existing regulations or
guidance, it must be signed (by the person authorized to sign under the
current applicable provision) with an electronic signature that can be
validated using the appropriate EPA electronic document receiving
system. The proposal stipulates that the electronic signature will make
the person who signs the document responsible, or bound, or obligated
to the same extent as he or she would be signing the corresponding
paper document by hand. Only electronic submissions that meet these two
requirements will be recognized as satisfying a federal environmental
reporting requirement, although failure to satisfy these requirements
will not preclude EPA from bringing an enforcement action based on the
submission.
It should be noted that the second requirement, concerning
signatures, will apply only where the document would have to bear a
signature were it to be submitted on paper, either because this is
stipulated in regulations or guidance, or because a signature is
required to complete the paper form. Today's proposal is not intended
to require additional signatures on documents when they are migrated
from paper to electronic submission. The EPA electronic document
receiving system will indicate to the submitter whether a signature is
required to complete submission of an electronic document--although the
presence or absence of this indication will not affect whether or not a
signature is required for a document to have legal effect.
Beyond these two requirements, the proposed rule does not specify
any required hardware or software. Accordingly, the proposed rule text
does not include any detail about CDX per se or about what will be
required of regulated entities who wish to use it. Nonetheless, in
publishing today's proposal, one of EPA's goals is to share our plans
for the CDX and to invite comments on the technical approaches that it
represents. Therefore, section V, below, explains the details of CDX as
it is currently planned--including CDX technical approaches to
satisfying our proposed functional criteria, and what use of CDX to
submit electronic documents will require of the users. We are also
including the draft CDX design specifications in the docket for today's
proposed rule. In reviewing these materials, however, the reader should
bear in mind that the details of CDX that they specify have not been
finalized, and may be affected by the comments received on today's
proposal. In the preamble to the notice of final rulemaking for today's
proposal, EPA will describe the details of CDX as it will actually be
implemented, and will highlight any significant changes from the design
as described in this proposal.
Of course, even after the current CDX design is finalized and
implemented, the system may change--to take advantage of opportunities
offered by evolving technologies, as well as to correct any
deficiencies that operational experience reveals. Our proposed
regulatory strategy--avoiding the codification of technology-specific/
procedural provisions--is meant to accommodate such changes without
requiring that we amend our regulations. Nonetheless, EPA recognizes
that such changes can be disruptive to regulated entities that
participate in electronic reporting; therefore, we are adding
provisions that commit EPA to provide adequate public notice where a
contemplated change may have this impact. In general, we foresee four
kinds of cases:
- Major changes that can be disruptive to regulated
  entities; these will likely affect the kinds of hardware or software
  required to submit electronic reports--examples may include required
  changes to the file formats CDX will accept, or to the required
  electronic signature technology, but will not generally include
  optional upgrades to software, the provision of additional formatting
  (or other technical) options, or changes to CDX that simply reflect
  changes to the regulatory reporting requirements that the system is
  supporting;
- Minor changes that will likely not be disruptive; these
  will affect the user interface but without affecting the hardware or
  software required to submit electronic reports--examples may include
  changes to screen layouts, or sequencing of user prompts;
- Transparent changes that will affect CDX operation without
  any apparent change in interaction with submitters--an example may be a
  change to the CDX archiving process; and
- Emergency changes necessary to protect the security or
  operational integrity of CDX--an example may be an upgrade to the
  system firewall protection.
Our approach will then be to provide public notice and seek comment
on major changes at least a year in advance of contemplated
implementation. For minor changes we will provide public notice at
least 60 days in advance of implementation. For transparent changes and
emergency changes we will make decisions on whether and when to provide
public notice on a case-by-case basis. EPA seeks comment on this
approach, including the kinds of cases we distinguish and the proposed
time-frames for notice. We are especially interested in views on the
appropriateness of the time-frame for notice of major changes--and
specifically on whether a shorter time-frame, e.g. 9 months or 6
months, would provide adequate notice while giving EPA greater
flexibility to make timely responses to changes in the technological
environment. We also seek comment on the more general question of
whether it is in the best interests of EPA and our regulated entities
to codify these public notice provisions at all, or whether they may
place at risk our ability to be sufficiently responsive to the changing
needs of our user community. We are also interested in the question of
whether the different kinds of cases are or can be defined with
sufficient precision to form the basis for workable regulatory
provisions, and we welcome any suggestions for alternative regulatory
language.
B. What Requirements Must Electronically Maintained Records Satisfy?
1. General Approach. In today's proposed rule, EPA is proposing a
set of criteria that will have to be met by regulated entities that
maintain electronic records in lieu of paper records, to satisfy
record-keeping requirements under EPA regulations in Title 40 of the
CFR. The proposed criteria address the minimal functional capabilities
that an electronic record-retention system must possess in order for an
electronic record or document to meet a federal environmental record-
keeping requirement. Regulated entities that use electronic systems to
create, modify, maintain, or transmit electronic records will need to
employ procedures and controls designed to meet the minimum criteria in
today's rule. These criteria are designed to ensure that electronic
records are trustworthy and reliable, available to EPA and other
agencies and their authorized representatives in accordance with
applicable federal law, and admissible as evidence in a court of law to
the same extent as a corresponding paper record.
2. EPA's Proposed Criteria for Electronic Record-Retention Systems.
In general, EPA believes that for electronic records to be trustworthy
and reliable,
their corresponding electronic record-retention system must: (1)
Generate and maintain accurate and complete copies of records and
documents in a form that does not allow alteration of the record
without detection; (2) ensure that records are not altered throughout
the records' retention period; (3) produce accurate and complete copies
of an electronic record and render these copies readily available, in
both human readable and electronic form as required by predicate
regulations, throughout the entire retention period; (4) ensure that
any record bearing an electronic signature contains the name of the
signatory, the date and time of signature, and any information that
explains the meaning affixed to the signature; (5) protect electronic
signatures so that any signature that has been affixed to a record
cannot be detached, copied, or otherwise compromised; (6) use secure,
computer-generated, time-stamped audit trails to automatically record
the date and time of operator entries and actions that create, modify,
or delete electronic records; (An audit trail is an important element
of any acceptable electronic record, for it provides an electronic
record of key entries and actions to a record throughout its life
cycle. Such audit trail documentation needs to be retained for a period
at least as long as that required for the subject electronic records.
Audit trail documentation also needs to be available for agency
review.) (7) ensure that records are searchable and retrievable for
reference and secondary uses, including inspections, audits, legal
proceedings, third party disclosures, as required by predicate
regulations, throughout the entire retention period; (8) archive
electronic records in an electronic form that preserves the context,
metadata, and audit trail; (Depending on the record retention period
required in predicate regulations, regulated entities must ensure that
the complete records, including the related metadata, can be maintained
in secure and accessible form on the preexisting system or migrated to
a new system, as needed, throughout the required retention period.) and
(9) make computer systems (including hardware and software), controls,
and attendant documentation readily available for agency inspection.
EPA believes that where these 9 criteria are met, records required to
be maintained under EPA regulations can be kept electronically,
including where they involve or incorporate signatures.
3. Electronic Records with Electronic Signatures. Where electronic
records involve or incorporate electronic signatures meeting the
requirements under Subpart C of this proposal, EPA will consider the
electronic signatures to be equivalent to hand-written signatures. EPA
believes the criteria described in paragraph B.2. above address the
conditions for cases of electronic records involving signatures, such
as: first, a signed electronic record must contain information
associated with the signing that clearly indicates the name of the
signer, the date and time when the electronic record was signed, and,
the meaning associated with the signature (such as review, approval,
responsibility, authorship, etc.); second, electronic signatures must
be linked to their respective electronic records to ensure that the
signatures cannot be excised, copied or otherwise transferred so as to
falsify an electronic record by ordinary means; third, this information
will be subject to the same controls as those for electronic records
and must be included as part of any human readable form of the
electronic record (such as electronic display or printout). EPA seeks
comment on whether these criteria are appropriate and whether--taken
together with the general criteria--they are sufficient to ensure that
signatures associated with records fulfill their purpose. EPA also
seeks comment on whether these criteria are appropriate for the
maintenance of electronic records containing digital signatures. (For
an explanation of digital signatures, and their role in CDX, see
Section V.B.1 of this preamble.) The special issues involved in
maintaining digitally signed records are discussed in Section IV.D.6 of
this preamble--in connection with archiving requirements for electronic
document receiving systems--and EPA is interested in views on whether
these issues need to be more explicitly addressed by the criteria for
electronic record-retention systems discussed here, especially the
criterion provided in Sec. 3.100(5), which addresses the maintenance of
the electronic signature as a part of the electronic record. EPA seeks
comment on whether this provision should be expanded to accommodate
some of the possible procedures for archiving digital signatures referred
to at the end of Section IV.D.6.
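The criteria in paragraphs B.2 and B.3 above are functional rather than technology-specific. The following Python example is an added illustration, not part of the proposed rule or of any EPA system, of one way a record-retention system could meet criteria (1), (4), (5) and (6): signing information bound to one record's content, and a hash-chained audit trail whose alteration or truncation is detected. Assumptions: HMAC-SHA256 stands in for the electronic signature mechanism, the trail's head hash is kept in a separate trusted location, and all function names, record identifiers and sample values are constructed.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash used by the first audit-trail entry


def canonical(obj):
    """Deterministic byte encoding so the same data always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(key, content, info):
    # Assumption: HMAC-SHA256 stands in for the signature mechanism. Anyone
    # holding the key can also create tags, so a deployment that needs
    # non-repudiation would use a public-key digital signature instead.
    digest = hashlib.sha256(content.encode()).hexdigest()
    return hmac.new(key, canonical({"content_sha256": digest, **info}),
                    hashlib.sha256).hexdigest()


def sign_record(key, content, signer, signed_at, meaning):
    """Criterion (4): keep signer name, date/time and meaning with the record.
    Criterion (5): the tag covers the content digest, so the signature block
    does not verify if it is copied onto a different record."""
    info = {"signer": signer, "signed_at": signed_at, "meaning": meaning}
    return {"content": content,
            "signature": {**info, "tag": _tag(key, content, info)}}


def signature_valid(key, record):
    sig = record.get("signature") or {}
    info = {k: sig.get(k) for k in ("signer", "signed_at", "meaning")}
    if None in info.values():
        return False  # signing information is incomplete
    expected = _tag(key, record["content"], info)
    return hmac.compare_digest(expected, str(sig.get("tag", "")))


def append_entry(trail, operator, action, record_id, timestamp):
    """Criterion (6): time-stamped entry for each create/modify/delete action.
    Each entry commits to the hash of the entry before it."""
    body = {"seq": len(trail), "timestamp": timestamp, "operator": operator,
            "action": action, "record_id": record_id,
            "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS}
    entry = dict(body, entry_hash=hashlib.sha256(canonical(body)).hexdigest())
    trail.append(entry)
    return entry


def verify_trail(trail, expected_head=None):
    """Return -1 if the trail is intact, else the index of the first problem.

    expected_head is the last entry_hash as stored outside the system being
    checked. Without it, the chain is only internally consistent: someone
    with write access could truncate it or rebuild it from scratch.
    """
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev:
            return i
        if hashlib.sha256(canonical(body)).hexdigest() != entry.get("entry_hash"):
            return i
        prev = entry["entry_hash"]
    if expected_head is not None and prev != expected_head:
        return len(trail)
    return -1


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    trail = []
    rec = sign_record(key, "pH=7.2; flow=1.4 MGD", "J. Doe",
                      "2001-08-31T14:05:00Z", "approval")
    append_entry(trail, "jdoe", "create", "RPT-0001", "2001-08-31T14:04:00Z")
    append_entry(trail, "jdoe", "sign", "RPT-0001", "2001-08-31T14:05:00Z")
    head = trail[-1]["entry_hash"]

    print("signature valid:", signature_valid(key, rec))
    altered = dict(rec, content="pH=7.0; flow=1.4 MGD")
    print("altered record valid:", signature_valid(key, altered))
    trail[0]["operator"] = "someone-else"
    print("first bad audit entry:", verify_trail(trail, head))
```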
4. The Relation of These Requirements to Food and Drug
Administration (FDA) Criteria. The criteria set forth in today's
proposed rule--both the general and those specific to records with
associated signatures--are intended to be consistent with criteria set
forth for electronic document systems in other relevant regulations,
such as FDA's criteria in 21 CFR part 11. EPA seeks comment on whether
today's proposed requirements achieve this consistency, and whether
this consistency is an appropriate goal for this rulemaking.
5. Storage Media Issues. Given the fast-paced evolution of
technology, it is realistic to expect that electronic records will be
transferred from one media format to another during the required period
of record retention. While EPA allows for such transfers in today's
proposed rule, any such transfer must occur in a fashion that ensures
that the entire electronic record is preserved without modification. As
noted earlier, the electronic record will include not only the
electronic document itself, but also the required information regarding
time of receipt, date of receipt, etc. Any method of migrating
electronic records from one electronic storage medium to another that
fails to meet this criterion will not produce records that meet federal
environmental record-retention requirements. For example, a CD-ROM
version of a record originally stored on electromagnetic tape will not
satisfy federal record-keeping requirements unless the method for
transferring the record from one medium to the other employs error-
checking software to ensure that the data is completely and faithfully
transcribed. EPA seeks comment on whether this criterion is sufficient
to ensure that the integrity and authenticity of the electronic record
is maintained throughout its required record retention period.
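One way to implement the error-checked transfer described above, shown as an added example that is not part of the proposed rule: a manifest of sizes and SHA-256 digests is built from the source medium, then every record is read back from the target medium and compared, covering both the document and its receipt information. The directory layout, file names, function names and sample records are assumptions constructed for illustration.

```python
"""Verify that a media migration preserved every electronic record unmodified."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Assumed layout (not from the rule): <root>/<record_id>/document.bin holds the
# submitted document, <root>/<record_id>/receipt.json holds time/date of receipt.
PARTS = ("document.bin", "receipt.json")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file by reading it back from the medium in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Return {record_id: {part: {"size": n, "sha256": hex}}} for the source medium."""
    manifest = {}
    for record_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        parts = {}
        for name in PARTS:
            part = record_dir / name
            if not part.is_file():
                raise ValueError(f"source record {record_dir.name} lacks {name}")
            parts[name] = {"size": part.stat().st_size, "sha256": sha256_file(part)}
        manifest[record_dir.name] = parts
    return manifest


def seal(manifest):
    """Digest of the canonical manifest, to be stored apart from the records."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_migration(manifest, expected_seal, target_root):
    """Re-read the target medium and list every deviation from the manifest."""
    if seal(manifest) != expected_seal:
        raise ValueError("manifest does not match its seal; cannot trust it")
    target_root = Path(target_root)
    problems = []
    for record_id, parts in manifest.items():
        for name, expected in parts.items():
            part = target_root / record_id / name
            if not part.is_file():
                problems.append((record_id, name, "missing"))
            elif part.stat().st_size != expected["size"]:
                problems.append((record_id, name, "size differs"))
            elif sha256_file(part) != expected["sha256"]:
                problems.append((record_id, name, "content differs"))
    # Records present on the target but absent from the source are also a fault.
    on_target = {p.name for p in target_root.iterdir() if p.is_dir()}
    for extra in sorted(on_target - set(manifest)):
        problems.append((extra, None, "not in source manifest"))
    return problems


def demo():
    """Constructed sample: three records migrated, then three kinds of damage."""
    with tempfile.TemporaryDirectory() as tmp:
        source, target = Path(tmp, "tape"), Path(tmp, "cdrom")
        for i in range(1, 4):
            rec = source / f"rec-{i:03d}"
            rec.mkdir(parents=True)
            (rec / "document.bin").write_bytes(f"constructed report {i}\n".encode() * 50)
            (rec / "receipt.json").write_text(
                json.dumps({"received": f"2001-08-31T10:0{i}:00Z"}))
        manifest = build_manifest(source)
        manifest_seal = seal(manifest)

        shutil.copytree(source, target)
        clean = verify_migration(manifest, manifest_seal, target)

        # Simulated transfer faults on the target medium.
        doc = target / "rec-001" / "document.bin"
        doc.write_bytes(doc.read_bytes()[:-10])                  # truncated copy
        (target / "rec-002" / "receipt.json").write_text(
            json.dumps({"received": "2001-08-31T10:09:00Z"}))    # same size, new time
        (target / "rec-003" / "receipt.json").unlink()           # metadata dropped
        damaged = verify_migration(manifest, manifest_seal, target)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean copy:", clean)
    for problem in damaged:
        print("damaged copy:", problem)
```

The altered receipt time in the second record keeps the file size unchanged, so only the digest comparison detects it; a size-only or file-count check would pass that record.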
6. Additional Options. In addition to the criteria discussed above,
EPA is currently evaluating the need for additional controls for
electronic records under this rule. Over the course of the next five
(5) months, EPA plans to conduct additional analysis, and based on the
results of this analysis and the public comments received on the
electronic record provisions contained in today's proposal, EPA may
determine that additional provisions are required for electronic
records. If such a determination is made, prior to proposal of the
final rule, EPA will publish a supplemental notice detailing any
additional electronic record provisions to be included in the final
rule. We realize that the electronic records criteria in today's rule
are not as detailed as those contained in FDA's 21 CFR part 11 and seek
comments on whether our proposed criteria are sufficient to ensure the
authenticity, integrity, and non-repudiation of electronic records
maintained by regulated facilities in fulfillment of their compliance
obligations. EPA is considering whether or not to include
[[Page 46171]]
additional provisions found in the FDA regulations in our final rule.
Such provisions could include the following: (1) Establishment and
implementation of written policies that limit system access to
authorized individuals, as well as the use of authority checks to
ensure that only authorized individuals can use the system,
electronically sign a document, access the operation or computer system
input or output device, alter a record, or perform the operation at
hand; (2) establishment and implementation of written policies that
hold individuals accountable and responsible for actions initiated
under their electronic signatures, in order to deter record and
signature falsification; (3) use of device (e.g., terminal) checks to
determine the validity of the source of data input or operational
instruction; (4) use of additional measures such as document encryption
and use of appropriate digital signature standards to ensure record
authenticity, integrity, and non-repudiation; (5) routine and
documented validation of systems to ensure accuracy, reliability,
consistent intended performance, and the ability to discern invalid or
altered records; (6) establishment and implementation of written
policies governing education and training of personnel and certification
that persons who develop, maintain, or use electronic record signature
systems have the education, training, and experience to perform their
assigned tasks. EPA is also seeking comment on the general feasibility
of converting existing paper documents--including litigation-sensitive
records--to electronic documents, as well as comments on the strengths
and weaknesses of existing technologies available for this purpose.
C. What Is the Process That EPA Will Use To Approve Changes To
Authorized State and Tribal Programs Related to Electronic Reporting
and Record-Keeping?
EPA expects that States, tribes and local agencies that administer
EPA-authorized environmental programs will wish to implement electronic
reporting and recordkeeping at least as quickly and extensively as EPA.
Therefore, in overseeing these programs, EPA wishes to balance multiple
objectives of minimizing administrative burden on States, providing
State flexibility for varying State approaches, and ensuring that State
systems are robust enough to meet the demands of a strong enforcement
capability. EPA considered several options for meeting these needs,
including program-by-program approval processes--in each case under
applicable EPA program-specific regulations--State self-certifications,
and a centralized approval process. This proposal provides for State
flexibility by specifying performance criteria rather than requiring
specific technologies, and balances other objectives through use of a
hybrid process for approving changes to authorized State and tribal
programs.
Under this process, EPA will provide a single set of substantive
performance criteria, listed in today's proposal, that will apply to
any authorized program where EPA determines that electronic reporting
and record-keeping will involve substantive changes to the program that
will require EPA approval. Today's proposal contains language that
would make compliance with these Part 3 criteria an element of all
authorized State, tribal, or local programs that wish to accept
electronic reports or allow electronic recordkeeping, although the
language does not change the procedural requirements for modifications
to any of these programs. This means, for example, that a State planning
to institute electronic reporting for an authorized program will have
to meet the normal EPA approval requirements for that program--whether
the approval sought is for a single program or for an electronic
document receiving system that would support multiple authorized,
delegated, or approved environmental programs. In the case where
multiple programs will be affected, the State will still need to seek
modification of each such program under existing program approval or
revision procedures; however, EPA expects that it will evaluate such
multiple applications in a single internal review. Moreover, EPA
solicits comment on whether another approach should be taken to State
and tribal program modification or revision for electronic reporting or
record-keeping.
Alternatively, State, tribal or local agencies may wish to rely on
third-party systems to receive reports on their behalf, where these
systems are operated or owned by commercial or not-for-profit
organizations. Today's proposal will allow this on the condition that
the electronic document receiving system employed by the State, tribal
or local agency satisfy the substantive performance criteria that we
specify, and authorization approvals are obtained where necessary.
D. What Criteria Are EPA Proposing That State Electronic Report
Receiving Systems Must Satisfy?
In today's proposed rule, EPA is providing a set of criteria that
will have to be met by any system that is used to receive electronic
documents submitted to satisfy electronic document submission
requirements under any EPA-authorized State, tribal, or local
environmental program. The proposed criteria address the functional
capabilities that EPA believes a State's, tribe's or local government's
``electronic document receiving system'' must have if it is to ensure
the authenticity and non-repudiation of these electronic documents. EPA
has developed these criteria to ensure that any electronic document has
the same legal dependability as its paper counterparts. EPA does not
intend to imply that information or documents derived from electronic
reporting or record-keeping systems that do not meet all of EPA's
criteria, or from transactions that were not in compliance with all
applicable requirements and agreements, could not be introduced as
evidence at trial, would not constitute admissions, or would not
constitute records required by, or used for compliance with, applicable
statutes (e.g., Clean Water Act section 309(c)(4), Resource
Conservation and Recovery Act section 3008(d)(3)). EPA's criteria are
intended to result in systems and records that will provide the best
evidence for use by plaintiffs and prosecutors in enforcement actions,
and to facilitate the success of such enforcement actions.
These criteria are designed to ensure any electronic document used
as evidence in the course of prosecuting an environmental crime or
civil violation will have the same or better evidentiary value as its
paper equivalent. For example, the criteria are designed to ensure that
in prosecuting the crime of deliberate falsification of compliance
data, the identity of the person who signed a falsified document can be
established beyond a reasonable doubt. One of the criteria, entitled
``Validity of Data,'' and proposed in section 3.2000(b), addresses this
standard directly. In general, a system that is used to receive
electronic documents must be capable of reliably generating proof for
use in private litigation, enforcement proceedings, and criminal
proceedings in which the standard for conviction is proof beyond a
reasonable doubt that the electronic document was actually submitted by
the signatory and that the data it contains was not submitted in error.
To satisfy this general criterion, an electronic document receiving
system must establish: (1) That an electronic document was sent (or not
sent), (2) when the document was sent, (3) by whom the document was
sent, including both the individual and the identity of any entity the
individual is authorized to represent, (4) when the
[[Page 46172]]
document was received, (5) that the document was not altered from the
time it was sent to the time it was received, and (6) the contents of
the document sent. In addition the electronic document receiving system
must store and be able to retrieve every electronic document without
alteration to its content or loss of the information regarding time of
transmission, receipt, and authorship. The remaining, more specific
criteria have been developed to meet these goals, while at the same
time taking account of what can reasonably be expected of the various
types of electronic reporting technologies currently available.
It should be noted that many of these criteria will not apply, or
not apply in full, where the electronic document receiving system will
not be used to receive documents bearing signatures or documents used
in litigation or enforcement proceedings. Generally, documents not
requiring signature are less likely to play a role in criminal
prosecutions; therefore, the criterion that refers to ``Validity of
Data'' might not apply to systems that receive such documents. In
addition, the specifications of ``electronic signature method,'' and
``electronic signature/certification scenario'' will be inapplicable,
along with any provision connected with ``system security
requirements,'' ``registration process,'' ``transaction record,'' and
``system archives'' that refers to signature. EPA invites comment on
the exclusion of these criteria in cases where systems will not receive
signed documents or documents used in litigation or enforcement and
criminal proceedings. EPA will consider the possibility of developing a
set of criteria explicitly addressing electronic document receiving
systems that will not receive electronically signed documents if it
appears that States, tribes or local governments want to implement such
systems for their authorized environmental programs. Such systems might
be appropriate, for example, in the cases where agencies wished to
accept electronic submissions of data but continued to require that
associated certification statements be signed and submitted on paper.
EPA invites comment on whether it would be worth developing the
alternative set of criteria for systems that exclude electronic
signatures.
1. General System-Security Requirements. Proposed section 3.2000(a)
requires every system used to receive electronic documents to (1) have
robust protections against unauthorized access to the system; (2) have
robust protections against the unauthorized use of any electronic
signature on documents received; (3) provide for the detection of
unauthorized access or attempted access to the system and unauthorized
use or attempted use of any electronic signature on documents received;
(4) provide safeguards to prevent the modification of an electronic
report once an electronic signature has been affixed; (5) ensure that
every electronic record is protected from modification or deletion; (6)
provide safeguards to ensure that the system clock is accurate and
protected from tampering or other compromise; and (7) provide
safeguards to prevent any other corruption or compromise of the system.
We believe each of the seven proposed requirements is important to
maintain the overall security of an electronic document receiving
system. We seek comment on whether--taken together--they are sufficient
to ensure that the system can maintain the integrity and authenticity
of the electronic documents it receives and maintains.
2. Electronic Signature Method. To support the goals articulated
under proposed section 3.2000(b) as the ``Validity of Data'' criterion,
proposed section 3.2000(c) stipulates that an electronic document
receiving system must validate only those electronic signatures that
are created by a method that (1) Involves a registration process that
identifies the bearer of an electronic signature; (2) includes all
elements of an adequate signature/certification scenario (described in
paragraph 4, below); (3) provides safeguards to prevent excise,
modification, or appropriation of an affixed electronic signature; (4)
provides safeguards to prevent use of an electronic signature by anyone
other than the individual to whom it has been issued; and (5) ensures
that it is impossible to modify an electronic document without
detection once the electronic signature has been affixed. This last
proposed requirement is sometimes expressed by saying that the
signature must be ``bound'' to the contents of the report. We seek
comment on whether these conditions are appropriate, and whether--taken
together--they suffice to ensure that electronic signatures affixed to
electronic documents will have the same or better evidentiary value as
handwritten signatures on paper documents for purposes of prosecuting
an environmental crime or civil violation.
3. Submitter Registration Process. In order to link a digital
signature to the bearer of that signature, proposed section 3.2000(d)
requires that an electronic document receiving system validate only
those electronic signatures that are established through a process
which registers identified individuals both as system users and as
signature holders. EPA also proposes to require that an individual may
not complete this registration process without first executing an
agreement with the administering agency to properly use and protect the
electronic signature.
Of course, the registration process must also establish the
identity of the registering individual and any entity that the
individual is authorized to represent. Given the general ``Validity of
Data'' criterion under section 3.2000(b), the process must establish
the registrant's identity with information that will be sufficient to
prove that this individual was the signature holder for purposes of
private litigation, enforcement proceedings, and criminal proceedings.
This requires at least that the registrant provide evidence of identity
which can be verified by information sources that are independent of
this individual and the regulated entity with which he or she is
associated.
As noted above, the rule requires that a registrant sign an
agreement to properly use and protect his or her electronic signature.
EPA proposes that the terms in any such agreement include, at a
minimum, a commitment to: (1) Protect the electronic signature from
unauthorized use; (2) be as legally-bound by use of the electronic
signature as by hand-written signature; (3) where the signature device
is based on a secret, e.g., a code, to maintain the secrecy of the
electronic signature device; (4) immediately report any evidence that
the electronic signature has been compromised; and (5) where the
assistance of third parties may be required to protect a signature from
unauthorized use--such as the assistance of system administrators in
ensuring computer security, to secure such assistance. EPA believes
that this agreement is important to ensure that the holder of an
electronic signature understands how to properly use and protect the
electronic signature. It is also important to ensure that the signature
holder understands the legal effect of affixing the electronic signature
to an electronic document. A proof that an individual's registered
electronic signature was affixed to a document will establish a
permissive inference that the individual who was issued that signature
affixed the signature and did so with the intent to sign the document.
To achieve these goals, EPA believes that the signature agreement
should
[[Page 46173]]
consist of at least the following language:
``In accepting the electronic signature issued by [specify name of
issuing agency or organization] to sign electronic documents submitted
to [specify the name of the electronic document receiving system] on
behalf of [specify the name of regulated entity the signature-holder
represents], I, [name of electronic signature holder],
(1) Agree to protect the signature from use by anyone except me,
and to confirm system security with third parties where necessary.
Specifically, I agree to [specify procedures appropriate to the form of
electronic signature, for example, to maintain the secrecy of the code
where the signature is based on a secret code];
(2) Understand and agree that I will be held as legally bound,
obligated, or responsible by my use of my electronic signature as I
would be using my hand-written signature, and that legal action can be
taken against me based on my use of my electronic signature in
submitting an electronic document to [specify the name of the receiving
agency];
(3) Agree never to delegate the use of my electronic signature or
make my signature available for use by anyone else;
(4) Understand that whenever I electronically sign and submit an
electronic document to [specify the name of the electronic document
receiving system], acknowledgments and a copy of my submission as
received will be made available to me;
(5) Agree to review the acknowledgments and copies of documents I
electronically sign and submit to [specify the name of the electronic
document receiving system];
(6) Agree to report to [specify the agency or organization to be
reported to], within twenty-four (24) hours of discovery, any evidence
of the loss, theft, or other compromise of any component of my
electronic signature;
(7) Agree to report to [specify the agency or organization to be
reported to], within twenty-four (24) hours of discovery, any evidence
of discrepancy between an electronic document I have signed and
submitted and what [specify the name of the electronic document
receiving system] has received from me;
(8) Agree to notify [specify the agency or organization to be
reported to] if I cease to represent [specify the name of regulated
entity the signature-holder represents] as signatory of that
organization's electronic submissions to [specify the name of the
electronic document receiving system] as soon as this change in
relationship occurs and to sign a surrender certification at that
time.''
In addition, given the importance of this agreement, EPA is also
proposing that the registration process require that the agreement be
renewed periodically, with the Administrator to determine the frequency
of and the exact terms of the renewal statement, as well as whether a
wet ink signature will be required. In making these determinations, EPA
is proposing that the Administrator ensure that electronic reporting
meets the overall goals of security and validity of data--articulated
under proposed sections 3.2000(a) and 3.2000(b)--while taking into
account the importance of keeping EPA practices consistent with
marketplace standards for issuance and use of electronic signature
devices in commerce. Given that both the technologies and marketplace
practices surrounding electronic signatures are still evolving rapidly,
EPA believes that the Administrator may need to revisit these
determinations more than once; the proposed provision for these renewal
agreements is intended to provide this flexibility.
In terms of frequency of renewal, likely candidates for the
Administrator to consider are once every two years or three years, but
he or she may certainly set a longer renewal cycle (either in general
or with regard to a particular State, tribal or local government
system) if less frequent renewal better corresponds to marketplace
standards and can be determined to still meet security and validity of
data goals. EPA seeks comment on the various alternatives for renewal
frequency--including one year and longer than three years--considering
both marketplace standards and the goals of security and validity of
data. EPA also seeks comment on whether any of the candidate renewal
cycles would raise any administrative issues for State, tribal or local
governments, and whether the Administrator's ability to revisit this
determination--with the implied potential for a change in system
requirements--poses any problems for systems planning or management.
Concerning the terms of the renewal agreement, EPA believes that in
the interest of supporting the goals of security and validity of data,
the Administrator is likely to require the holder of the electronic
signature to attest to compliance with the terms of the prior agreement
since the time it was signed. To accomplish this, the Administrator may
require that the signature-holder sign a statement that consists of at
least the following:
``In continuing to use the electronic signature issued by [specify
name of issuing agency or organization] to sign electronic documents
submitted to [specify the name of the electronic document receiving
system] on behalf of [specify the name of regulated entity the
signature-holder represents], I, [name of electronic signature holder]
continue to,
(1) Agree to protect the signature from use by anyone except me,
specifically, to [specify procedures appropriate to the form of
electronic signature, for example, to maintain the secrecy of the code
where the signature is based on a secret code];
(2) Understand and agree that I will be held as legally bound,
obligated, or responsible by my use of my electronic signature as I
would be by using my hand-written signature, and that legal action can
be taken against me based on my use of my electronic signature in
submitting an electronic document to [specify the name of the receiving
agency];
(3) Agree never to delegate the use of my electronic signature or
make my signature available for use by anyone else;
(4) Understand that whenever I electronically sign and submit an
electronic document to [specify the name of the electronic document
receiving system], acknowledgments and a copy of my submission as
received will be made available to me;
(5) Agree to review the acknowledgments and copies of documents I
electronically sign and submit to [specify the name of the electronic
document receiving system];
(6) Agree to report to [specify the agency or organization to be
reported to], within twenty-four (24) hours of discovery, any evidence
of the loss, theft, or other compromise of any component of my
electronic signature;
(7) Agree to report to [specify the agency or organization to be
reported to], within twenty-four (24) hours of discovery, any evidence
of discrepancy between an electronic document I have signed and
submitted and what [specify the name of the electronic document
receiving system] has received from me;
(8) Agree to notify [specify the agency or organization to be
reported to] if I cease to represent [specify the name of regulated
entity the signature-holder represents] as signatory of that
organization's electronic submissions to [specify the name of the
electronic document receiving system] as soon as this change in
relationship occurs and to sign a surrender certification at that time.
``Moreover, I certify that I have complied with the terms of the
signature registration agreement I signed on [insert date of prior
agreement], and
[[Page 46174]]
since that date I have reviewed, signed and submitted all the
electronic documents submitted with my electronic signature to [specify
the name of the electronic document receiving system] on behalf of
[specify the name of regulated entity the signature-holder
represents].''
EPA seeks comment on all of these proposed registration agreement
and renewal statement provisions, including the proposed provision for
administrative determination of the frequency and terms of the renewal
agreements. Given the purpose of these agreements and renewal
statements, EPA is particularly interested in comment on whether all of
them are necessary, particularly considering requirements for the on-
screen certification described under Electronic Signature/
Certification, in the next section of this preamble (Section IV.D.4).
To the extent that all these agreements and renewals are necessary, EPA
also seeks comment on whether the specific language suggested for each
provision is adequate or necessary. It should be noted that EPA is
currently not proposing to codify the specific language for these
certifications and statements in the rule, and EPA seeks comments on
the question of codification. It should also be noted that the proposed
rule specifies that the signature agreement be signed on paper or in
other media that EPA may designate. While EPA will initially require
signature agreements to be signed on paper--and the Administrator may
initially require this of renewals as well--EPA has the flexibility to
allow electronic signatures in the future, as circumstances may
warrant, and when EPA believes that electronic signatures can
effectively substitute for hand-written signatures on paper for these
electronic signature agreements and renewals. EPA seeks comment on
whether any or all of these agreements and statements should be signed
on paper.
EPA also seeks comment on a possible additional certification
statement, required to be signed when a signature holder surrenders the
signature for whatever reason--e.g., change of jobs or retirement--
although this requirement is not included as a provision in today's
proposal. In this surrender certification, the signature holder would
be required to truthfully attest to compliance with the terms of the
agreement since the most recent agreement was signed. If such a
requirement is added, then EPA believes that the surrender
certification signed by the signature holder should consist of at least
the following:
``I certify that, since the time that I was first issued the
electronic signature by [specify name of issuing agency or
organization] to sign electronic documents submitted to [specify the
name of the electronic document receiving system] on behalf of [specify
the name of regulated entity the signature-holder represents], I have
complied with the terms of agreement to which I then subscribed, and
specifically that I have:
(1) Protected the signature from use by anyone except me.
Specifically, I have [specify procedures appropriate to the form of
electronic signature, for example, maintained the secrecy of the code
where the signature is based on a secret code];
(2) Understood that I am held as legally bound, obligated, or
responsible by my use of my electronic signature as I would be using my
hand-written signature and that legal action can be taken against me
based on my use of my electronic signature in submitting an electronic
document to [specify the name of the receiving agency];
(3) Never delegated the use of my electronic signature or made my
signature available for use by anyone else;
(4) Understood that whenever I electronically signed and submitted
an electronic document to [specify the name of the electronic document
receiving system], acknowledgments and a copy of my submission as
received were made available to me;
(5) Reviewed the acknowledgments and copies of documents I
electronically signed and submitted to [specify the name of the
electronic document receiving system];
(6) Reported to [specify the agency or organization to be reported
to], within twenty-four (24) hours of discovery, if I ever had any
evidence of the loss, theft, or other compromise of any component of my
electronic signature;
(7) Reported to [specify the agency or organization to be reported
to], within twenty-four (24) hours of discovery, if I ever had any
evidence of discrepancy between an electronic document I signed and
submitted and what [specify the name of the electronic document
receiving system] had received from me.
``Moreover, I certify that I have complied with the terms of the
signature registration agreement I signed on [insert date of the
agreement signed when electronic signature was first issued], and since
that date I have reviewed, signed and submitted all the electronic
documents submitted with my electronic signature to [specify the name
of the electronic document receiving system] on behalf of [specify the
name of regulated entity the signature-holder represents].''
Finally, EPA also solicits comment on whether some other mechanism
is needed, in lieu of the registration agreement, to ensure that
holders of electronic signatures properly use and protect their
signatures. Specifically, EPA seeks comment on the possible alternative
of adding a provision paralleling 21 CFR section 11.100(c)(2) (under
the Food and Drug Administration's electronic signature rule) requiring
that signature holders, upon request, ``provide additional
certification or testimony that a specific electronic signature is the
legally binding equivalent of the signer's handwritten signature.'' EPA
seeks comment on whether codifying such a provision would provide a
better method of ensuring the proper use and protection of signatures
than the agreements, renewals and related certification statements that
we are currently proposing.
EPA also proposes to require that an electronic document receiving
system have a mechanism to automatically revoke an electronic signature
whenever (1) there is any evidence the submitter has violated the
registration agreement; (2) there is any evidence the electronic
signature has been compromised; or (3) there is notification from an
entity that the holder of an electronic signature previously authorized
to represent that entity is no longer authorized to represent the
entity. Revocation of a signature would not necessarily mean that the
signature holder cannot be held accountable for previous uses of that
signature, but it might lead the agency involved to require that
particular materials be resubmitted. EPA seeks comment on whether there
are other circumstances that should result in automatic invalidation of
an electronic signature.
It should be added that EPA proposes to require registration of any
individual who submits electronic documents to an electronic document
receiving system on behalf of an entity, regardless of whether the
individual is issued an electronic signature, because EPA believes that
registration strengthens system security and data integrity.
Accordingly, the registration process for an individual who is not
being issued an electronic signature will simply omit the signature-
specific requirements. EPA seeks comment on this more general
registration requirement.
4. Electronic Signature/Certification Scenario. In order for
electronic document receiving systems to provide the same functionality
as existing paper-based systems, the act of affixing an
[[Page 46175]]
electronic signature to an electronic document must have the same
meaning and legal effect as signing a paper document. In some
instances, a signature indicates an intent to be bound to the
commitments made in a document and constitutes an assertion that
contents of the document are both truthful and accurate. In order to
ensure that an electronic signature has the same meaning as its
handwritten, paper counterpart, proposed section 3.2000(e) would
require that an electronic document receiving system validate only
those electronic signatures that are generated or affixed to an
electronic document using a ``signature/certification scenario'' that
ensures that the signatory understands and intends the legal
consequence of affixing an electronic signature to an electronic
document. This feature of an electronic document receiving system is
important to ensure that each signed electronic document it receives
can be used in civil and criminal enforcement, including cases against
the holder of the electronic signature as signer of the electronic
document.
EPA proposes to require that an electronic document receiving
system must validate only electronic signatures that have been affixed
after: (1) The submitter has scrolled through on-screen pages that
present all the data to be certified in a familiar, human-readable
format (Sec. 3.2000(e)(1)(i)); (2) the screen displays a certification
statement that is similar or identical to the certifying language
required on the corresponding paper submissions of the report, this
display occurring just above the place on the screen where the
submitter is prompted to initiate the signing process
(Sec. 3.2000(e)(1)(ii)); and (3) the submitter has seen a warning--
prominently displayed together with the certification statement
described in (2)--that by initiating the signing process the submitter
agrees that he or she is using the signature in compliance with the
signature agreement that was signed when the signature device was
issued (Sec. 3.2000(e)(1)(ii)).
The point of the first proposed condition is to ensure that the
submitter reviews the data being submitted as a part of the signing
process. Accordingly, an acceptable system must display the data in a
format that clearly associates each data element with the name or label
of the corresponding data field and also allow the submitter to
carefully review all the data without time constraint. The point of the
third proposed condition is to make certain the submitter fully
understands that by activating the signature, he or she is taking a
step with the same legal implications as signing and sending a report
on paper. EPA is proposing this condition because of many environmental
programs under which signing and certifying a false report--whether on
paper or electronically--may subject the signatory to criminal
prosecution. At least for those cases where the ``click of a mouse''
may create the potential for criminal liability, then, EPA believes it
is important to ensure that the submitter understands what the
consequences of the act might be. For this purpose, EPA believes that
this warning statement should consist of at least the following:
``WARNING: By signing this report, you agree that you are [name of
authorized signature holder], have protected the security of your
electronic signature as required by the electronic signature agreement
which you signed on [date of most recent signing], and are otherwise
using your electronic signature in accordance with that agreement.''
--although we are not proposing to codify this language in the rule.
EPA seeks comments on whether this language should be codified, and,
more generally, on whether the three conditions to be satisfied prior
to signing are necessary and sufficient to establish that the signature
was affixed with the requisite intent.
EPA also seeks comment on three alternative versions of this third
proposed condition that would replace the ``together with a prominently
displayed warning. * * *.'' language of (Sec. 3.2000(e)(1)(ii)) with a
separate provision to be inserted just before (Sec. 3.2000(e)(1)(ii)).
The simplest version would read:
``The signatory attests to compliance with an electronic signature
agreement that is presented on-screen, refers to the signatory by name,
and includes an acknowledgment that the signatory is the authorized
registrant to whom the signature was issued; and * * *''.
A more robust version would read:
``The signatory attests to a statement that he or she is the
authorized registrant--referred to by name--to whom the signature was
issued, has taken reasonable steps to protect the signature, and does
not have any reason to think that the signature has been used by anyone
else; and * * *''.
The most robust version would read:
``The signatory attests to compliance with an electronic signature
agreement that is presented on-screen, refers to the signatory by name,
and includes an acknowledgment that the signatory is the authorized
registrant to whom the signature was issued, has not in the past
authorized any other person to sign on his or her behalf, has not at
any time compromised the electronic signature, has reviewed all
automatic acknowledgments for past submissions as described in
paragraph (e)(2) of this section, and has no evidence that the
signatory's electronic signature or any other feature of the electronic
submission mechanism has been compromised; and * * *''
Corresponding to the three versions of the proposed regulatory
provision, the suggested (but not proposed to be codified) language
would be, starting with the simplest:
``(1) I, [name of signatory], am the authorized holder of the
electronic signature I am about to use;
(2) I understand and agree that I will be held as legally bound,
obligated, or responsible by my use of my electronic signature as I
would by using my hand-written signature.''
next, the more robust:
``(1) I, [name of signatory], am the authorized holder of the
electronic signature I am about to use;
(2) I have taken reasonable steps to protect my signature;
(3) To the best of my knowledge, my signature has never been used
by anyone else.''
and, finally, the most robust:
``(1) I, [name of signatory], am the authorized holder of the
electronic signature I am about to use;
(2) I have taken reasonable steps to protect my signature;
(3) To the best of my knowledge, my signature has never been used
by anyone else;
(4) I have no other evidence that any component of my electronic
signature has been lost, stolen or compromised in any way;
(5) I have reviewed all the acknowledgments and copies of my
previous submissions to [specify the name of the electronic document
receiving system].''
EPA seeks comment on the appropriateness of these variant
alternatives to the proposed `warning' provision--and their
corresponding suggested statements--for purposes of establishing the
intent with which the signature was applied, helping to show that the
signatory was in fact the authorized signature holder, and preventing
signature compromise or repudiation. EPA is especially interested in
the question of whether any of these provisions might tend to
discourage regulated entities from choosing to submit environmental
reports electronically. EPA is also interested in comments on the need
for
any version of this `warning' provision in view of the certifications
provided in conjunction with the renewals of signature agreement
discussed in the preceding section of this preamble (Section IV.D.3).
In addition, we are proposing that, once the electronic signature
is affixed, and the electronic document submitted, the signature/
certification scenario must include two responses from the electronic
document receiving system. The first is simply an automatic
acknowledgment that the report has been received and any affixed
electronic signature validated, with the time and date of receipt. The
purpose of this acknowledgment is, at least in part, to alert the
registered holder of an electronic signature if someone has
appropriated the registered electronic signature and used it to submit
spurious electronic documents. As noted above, the registered holder of
the electronic signature will not be allowed to sign another electronic
document once aware that it has been compromised.
EPA also proposes to require that the automatic acknowledgment be
sent to an address that does not share the same access control--for
example, that is not protected by the same passwords or confidential
log-in procedures--as the system from which the electronic report was
signed and sent. The intent of this requirement is to frustrate
unauthorized use of an electronic signature without detection. To elude
detection, the intruder will have to compromise not only the signature
protections, but also the additional system's access controls. The
additional address could be electronic or could be a United States
Postal Service address. In any event, the feature of the electronic
document receiving system should aid in the detection of compromised
electronic signatures and reduce the frequency and strength of false
claims that an electronic signature has been appropriated without the
knowledge of the registered holder of the electronic signature.
The second response is what we are calling the `copy of record',
also automatically created and made available to the submitter. The
copy of record must include the complete electronic document that was
submitted. The copy of record must be complete in the sense that it
must accurately associate all of the information provided by the
submitter with the descriptions or labeling of the information being
requested. In addition, to be complete, the copy of record must include
all the warnings, instructions and certification statements presented
to the submitter as a part of the signature/certification scenario.
Finally, this copy of record must: (1) Be viewable on-screen in a
human-readable format that makes clear the association between each of
the information elements provided by the submitter and the descriptions
or labels in terms of which these elements were requested; (2) include
the date and time of receipt; and (3) be signed with a secure,
immutable agency electronic signature that is ``bound'' to this
electronic document. As the name would suggest, the copy of record must
be archived by the agency system, made available to the submitter for
viewing and downloading, and protected from unauthorized access.
The proposed copy of record requirement is intended to detect
spurious or compromised submissions, enabling timely disavowal of
unintended submissions and reducing the frequency and strength of
claims that an electronic document has been modified in transmission or
unintentionally submitted. Under the signature/certification scenario
in today's proposed rule, the copy of record will be--strictly
speaking--made available to the registered holder of the electronic
signature. If the signature has somehow been compromised--or if the
data is somehow different from what was intended to be submitted--this
copy of record, together with the acknowledgments discussed above, will
give the signature-holder an opportunity to alert the agency to the
compromise of his/her signature and/or his/her data. This proposed
requirement is also intended to protect the agency from attempts to
falsely repudiate a submission.
EPA seeks comment on whether the number and type of responses from
the electronic document receiving system adequately address the issue
of spurious or compromised submissions. Specifically, we seek comment
on the requirements placed on the automatic acknowledgments. In
addition, we are interested in views on whether it will be generally
feasible for electronic document receiving systems to create copies of
record with all the attributes we are proposing that they have, and
whether all of these attributes are necessary for the copy of record to
fulfill its intended purpose.
5. Transaction Record. To help settle potential disputes over
whether certain submissions were made, when they were made, what they
contained, or who made them, an electronic document receiving system
must create a transaction record for every submission of an electronic
document. EPA will require that this record be created automatically,
and include the precise routing of the signed electronic document from
the submitter's computer to the receiving system and the copy of record
described above. In addition, based on the receiving system's clock,
this transaction record must include the precise date and time of: (1)
The initial receipt of the reported data; (2) the receipt of the
submitter's signed certification of the data (where this step is
subsequent to the initial data transfer); (3) the sending of the
acknowledgment notice; and (4) the creation of the copy of record.
These details may be regarded as providing the ``chain of custody'' for
the submitted report, and help to establish its authenticity. EPA seeks
comment on whether this transaction record specification is
sufficiently robust to provide for ``chain of custody''.
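The copy of record and transaction record described above can be sketched as follows. This is an added example, not EPA or CDX code: the function and field names, the sample report values and the routing hosts are constructed, and HMAC-SHA256 with a demo key stands in for the agency electronic signature so that the code runs with the standard library alone.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Constructed demo key. HMAC-SHA256 is a stand-in for the agency's
# electronic signature; a real system would use its own signing mechanism.
AGENCY_KEY = b"constructed-agency-demo-key"

# The four receiving-system clock readings the preamble lists.
REQUIRED_EVENTS = (
    "data_received",
    "certification_received",
    "acknowledgment_sent",
    "copy_of_record_created",
)


def canonical(obj):
    """Deterministic bytes, so identical content always signs identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def agency_sign(payload):
    return hmac.new(AGENCY_KEY, payload, hashlib.sha256).hexdigest()


def build_copy_of_record(fields, statements_shown, received_at):
    """fields: (label, value) pairs, so each value stays tied to its label."""
    for label, _ in fields:
        if not label.strip():
            raise ValueError("every data element needs its field label")
    body = {
        "fields": [{"label": l, "value": v} for l, v in fields],
        # Warnings, instructions and certification text shown at signing.
        "statements_shown": list(statements_shown),
        "received_at": received_at,
    }
    # The signature covers the whole body, binding it to this document.
    return {"body": body, "agency_signature": agency_sign(canonical(body))}


def verify_copy_of_record(copy):
    expected = agency_sign(canonical(copy["body"]))
    return hmac.compare_digest(expected, copy["agency_signature"])


def build_transaction_record(routing, events, copy):
    missing = [e for e in REQUIRED_EVENTS if e not in events]
    if missing:
        raise ValueError("missing timestamps: " + ", ".join(missing))
    parsed = {e: datetime.fromisoformat(events[e]) for e in REQUIRED_EVENTS}
    if any(t.tzinfo is None for t in parsed.values()):
        raise ValueError("timestamps must carry a UTC offset")
    # Certification is the same step as, or later than, the data transfer.
    if parsed["certification_received"] < parsed["data_received"]:
        raise ValueError("certification precedes receipt of the data")
    return {
        "routing": list(routing),
        "events": {e: events[e] for e in REQUIRED_EVENTS},
        "copy_of_record_sha256": hashlib.sha256(canonical(copy)).hexdigest(),
    }


def demo():
    """Constructed submission: build, tamper with a copy, and compare."""
    copy = build_copy_of_record(
        fields=[("Facility ID", "EXAMPLE-0001"),
                ("Reported discharge (kg)", "12.5")],
        statements_shown=["[certification statement]", "[warning statement]"],
        received_at="2001-08-31T14:00:05+00:00",
    )
    tampered = json.loads(json.dumps(copy))
    tampered["body"]["fields"][1]["value"] = "1.25"
    record = build_transaction_record(
        routing=["submitter-host.example", "gateway.example"],
        events={
            "data_received": "2001-08-31T14:00:05+00:00",
            "certification_received": "2001-08-31T14:03:10+00:00",
            "acknowledgment_sent": "2001-08-31T14:03:12+00:00",
            "copy_of_record_created": "2001-08-31T14:03:13+00:00",
        },
        copy=copy,
    )
    return {
        "copy_valid": verify_copy_of_record(copy),
        "tampered_valid": verify_copy_of_record(tampered),
        "record": record,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```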
6. System Archives. EPA also proposes to require that electronic
document receiving systems maintain the contents of the transaction
record described above--including the copy of record--for as long as
they may be needed for enforcement or other programmatic purposes. In
addition we are also proposing that the system must maintain records
that show, for any given electronic submission not only what
information was displayed to the user during the submission process--
including the instructions, prompts, data labels, etc. captured in the
copy of record--but also how this information was displayed, including
the sequencing, functioning and overall appearance of these interface
elements. The reason is that it may be difficult to interpret what some
of the submission's data elements mean if we do not know the context
within which they were provided--e.g., to what on-screen display or
query a ``yes'' was responding. Depending on exactly how the signing
process is implemented, at least some of this interface information may
be captured within the scope of what is bound by the signature, e.g.,
if the signature is applied to the entire content of the screens that
are reviewed by the signatory during the signature/certification
scenario. To whatever extent this occurs, the archiving of the ``copy
of record'' would contribute to this archiving of the interface.
The system must maintain the archived records in a way that can be
shown to have preserved them without any modification since the time
they were created; the system must be able to make these records
available to users in a timely way as they are needed. EPA seeks
comments on these archiving criteria, and especially on whether there
are any issues raised by the need to maintain the copy of record--which
includes electronic signatures--over long periods of time. Of
particular concern are copies of record that include digital
signatures, as they will for electronic submissions received by the
Central Data Exchange (CDX). (For an explanation of digital signatures,
and their role in CDX, see Section V.B.1 of this preamble.) Ideally,
the system will preserve digital signatures in a form which allows them
to be validated at any point during the life of the archived records
that contain them; this is the standard implied by Sec. 3.2000(g)(2)(i)
that requires the copies of record to be preserved ``in their
entirety'' for the life of the archive. However, EPA realizes that this
ideal may be difficult to implement in practice for several reasons,
including:
The sensitivity of digital signatures to very minimal (and
unavoidable) deterioration of the magnetic medium in which the records
are stored--so that they no longer can be validated, even though the
records remain usable in every other way;
The possible software dependence of the validation
process--so that, as the archives' systems environment evolves over
long periods of time, it may become increasingly difficult to operate
the validation software designed to work with the archived signatures;
and
The dependence of validation on the accessibility of a
public key infrastructure (PKI) certificate that was valid when the
digital signature was created--so that, over time, it may become
increasingly difficult to determine the keys and identifying
information associated with the signature.
EPA seeks comments on these and related difficulties that may stand
in the way of validating archived digital signatures, and we welcome
any advice on how these might be overcome. If these difficulties cannot
be overcome, or overcome only at great expense, then EPA would seek to
revise Sec. 3.2000(g)(2), by specifying alternatives to maintenance of
the original signature and its validation as archived that would still
allow users to demonstrate both the validity of the signature and the
integrity of the record as a true picture of the data as it was signed.
A possible approach might involve an archivist's wet-ink-on-paper
certification that the digital signature was valid at the time the
record was placed in the archive, together with appropriate measures to
preserve the record unchanged. On another approach, the archivist might
digitally re-sign the document at certain intervals, adding appropriate
certifications about the validity of the original (or previous)
signature on the document. EPA also seeks comment on such alternative
approaches.
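The periodic re-signing approach mentioned above can be sketched as a chain of archivist certifications. This is an added example, not EPA or CDX code: the key identifiers, dates and record bytes are constructed, HMAC-SHA256 stands in for the archivist's digital signature, and the "usable keys" set is an assumed way to model keys or certificates that can no longer be used for validation.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC-SHA256 is a stand-in for the archivist's
# digital signature so the example runs with the standard library alone.
ARCHIVIST_KEYS = {
    "archivist-2001": b"constructed-key-2001",
    "archivist-2006": b"constructed-key-2006",
    "archivist-2011": b"constructed-key-2011",
}


def sign(key_id, payload):
    return hmac.new(ARCHIVIST_KEYS[key_id], payload, hashlib.sha256).hexdigest()


def link_payload(link):
    """Everything in the link except the signature itself, serialized stably."""
    unsigned = {k: v for k, v in link.items() if k != "signature"}
    return json.dumps(unsigned, sort_keys=True, separators=(",", ":")).encode()


def new_link(record, previous_signature, attestation, key_id, signed_on):
    link = {
        "record_sha256": hashlib.sha256(record).hexdigest(),
        "previous_signature": previous_signature,
        "attestation": attestation,
        "key_id": key_id,
        "signed_on": signed_on,
    }
    link["signature"] = sign(key_id, link_payload(link))
    return link


def verify_link(record, link, usable_keys):
    """A link validates only if its key is still usable and the record is intact."""
    if link["key_id"] not in usable_keys:
        return False
    if hashlib.sha256(record).hexdigest() != link["record_sha256"]:
        return False
    expected = sign(link["key_id"], link_payload(link))
    return hmac.compare_digest(expected, link["signature"])


def archive(record, submitter_signature_valid, key_id, signed_on):
    """First link: certify that the submitter's signature validated on intake."""
    if not submitter_signature_valid:
        raise ValueError("refusing to archive: submitter signature did not validate")
    note = "submitter signature valid at time of archiving"
    return [new_link(record, None, note, key_id, signed_on)]


def resign(record, chain, key_id, signed_on, usable_keys):
    """Validate the newest link while that is still possible, then sign over it."""
    if not verify_link(record, chain[-1], usable_keys):
        raise ValueError("latest signature no longer validates; cannot certify it")
    note = "previous signature by %s validated on %s" % (chain[-1]["key_id"], signed_on)
    return chain + [new_link(record, chain[-1]["signature"], note, key_id, signed_on)]


def verify_archive(record, chain, usable_keys):
    """Only the newest link needs a usable key; older links are vouched for
    by the attestation each later link signed over."""
    for older, newer in zip(chain, chain[1:]):
        if newer["previous_signature"] != older["signature"]:
            return False
    return verify_link(record, chain[-1], usable_keys)


def demo():
    """Constructed record re-signed twice; only the newest key remains usable."""
    record = b"constructed copy of record bytes"
    chain = archive(record, True, "archivist-2001", "2001-09-01")
    chain = resign(record, chain, "archivist-2006", "2006-09-01",
                   {"archivist-2001", "archivist-2006"})
    chain = resign(record, chain, "archivist-2011", "2011-09-01",
                   {"archivist-2006", "archivist-2011"})
    current = {"archivist-2011"}
    return {
        "links": len(chain),
        "oldest_link_validates": verify_link(record, chain[0], current),
        "archive_validates": verify_archive(record, chain, current),
        "damaged_record_validates": verify_archive(record[:-1] + b"X", chain, current),
    }


if __name__ == "__main__":
    print(demo())
```

Re-signing has to happen while the previous link still validates: `resign` raises once the record has deteriorated or the earlier key is no longer usable, which is the point at which the archivist could no longer truthfully certify the earlier signature.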
E. What Are the Costs and Benefits Associated With Today's Proposal?
EPA estimates that today's proposal could result in an average
annual reduction in reporting and record-keeping costs for those
information collections identified as potentially benefitting from
offering an electronic reporting option. Based on this analysis, EPA
estimates that CROMERRR could result in an average annual reduction in
burden of $52.3 million per year for those facilities reporting, $1.2
million per year for EPA, and $1.24 million for each of the 30 states
that were assumed to implement programs over the eight years of the
analysis. For details of this study, see the technical background
document, Cross Media Electronic Reporting and Recordkeeping Rule Cost
Benefit Analysis in the Docket for today's proposal. EPA requests
comment on whether the underlying assumptions and the methods used in
the cost benefit analysis provide a realistic estimate of the costs and
benefits associated with electronic reporting and recordkeeping.
1. Scope and Method. The purpose of the analysis was to estimate
the labor hour and total cost effects (either savings or increases)
attributable to each of the major elements of the CROMERRR proposal and
to assess, qualitatively, the environmental implications. The major
elements include: the use of modern electronic technologies for the
production, completion, signing, transmitting, and recording without
the use of paper copies. Within the assessment of technologies we chose
three forms of electronic reporting (web forms, EDI, and XML) that
EPA's CDX plans to support. For those entities using web forms, the
costs of reporting to EPA electronically would be negligible, as EPA
intends to provide the web forms and signature capabilities needed. In
the latter two approaches (EDI and XML), EPA anticipates additional up-
front cost will be incurred by regulated entities to establish EDI or
XML file generation capabilities, but the savings will be larger over
time, as these entities can more fully automate their reporting to EPA.
In the course of establishing projected estimates of costs and
savings of electronic reporting and recordkeeping, EPA had to establish
a baseline of current costs. The current costs of paper-based reporting
to EPA and States delegated the authority to manage an EPA reporting
program were based on an extensive assessment of EPA's official
information collection request (ICR) submissions that would be subject
to the CROMERRR rule, as well as more detailed cost estimates performed
on major EPA systems. In performing the analysis, over 50 ICRs were
extensively reviewed and approximately 70 other ICRs were more
summarily reviewed. A list of the ICRs, and the approach used to
analyze them, are contained in Appendix A of EPA's Cross Media
Electronic Reporting and Recordkeeping Rule Cost Benefit Analysis. In
the course of analyzing the ICR costs, reporting costs were broken into
discrete functional areas (such as data entry, mailing, reconciliation,
archiving and program management) and were analyzed for costs.
In addition to the ICR analysis, EPA performed analysis of the
general costs and benefits of electronic reporting experienced by
commercial and government agencies, as described in the EPA Electronic
Reporting Benefit/Cost Justification Report (June 30, 1999). EPA also
conducted in-depth analyses of business processes and associated costs
for several major EPA programs. These analyses include analyses for
Toxic Release Inventory (TRI), National Pollutant Discharge Elimination
System (NPDES), Public Water Supply System (PWSS) and selected Clean
Air Act reports. In addition, EPA, in conjunction with State partners
in the Arizona Department of Environmental Quality (ADEQ) and the Texas
Natural Resources Conservation Commission (TNRCC), conducted
assessments of the potential impacts and opportunities presented by
environmental electronic reporting on their EPA-delegated state
programs and affected regulated entities. These programmatic and state
analyses are available in the CROMERRR docket. EPA also reviewed
similar analyses performed for other EPA electronic reporting efforts,
such as the proposed Hazardous Waste Manifest Automation Rule. EPA
invites comments on the approach used for conducting the analysis and
on the list of ICRs analyzed--whether this list encompasses the
spectrum of EPA requirements impacted by CROMERRR and what additional
information collections, if any, should be incorporated into further
analysis.
Based on the combined review of the functional areas (including
data entry, mailing, reconciliation, archiving and program management)
of individual ICRs, EPA identified general trends in the relative
distribution of costs for each of the categories. Using the analyses
conducted under the more in-depth studies performed, EPA was able to
estimate the impacts of electronic reporting on each of the functional
areas (including data entry, mailing, reconciliation, archiving and
program management). For instance, by offering facilities the
electronic submission as an alternative to printing and mailing the
paper submissions, the percentage of costs attributed to ``mailing''
could be eliminated. Using this logic, EPA added the relative
percentages of reductions in each of these functional areas, and
determined that a general reduction of 11 percent in the overall cost
of reporting could be achieved through web-based submissions, and that
a 25 percent reduction could be achieved for those facilities that
implement EDI or XML based exchanges.
EPA is also considering a second series of analyses, using an
alternative form of calculating the costs and savings to the Agency. In
performing this alternative analysis EPA would still break the costs
for a program report into discrete functional areas (i.e., data entry,
mailing, etc.); however, the estimates of reduction would use
``absolute'' values instead of percentages. As an example, EPA program
X has identified that the mailing of form B requires 10 minutes per
submission. The costs for facilities choosing to submit electronically
would take into account the elimination of mailing, and the costs for
electronic reporting under that program would be reduced by 10 minutes
for each submission. The advantage of this approach is that it offers
potentially greater accuracy for estimating costs for each reporting
program. A disadvantage is that, where a functional activity such as
program management is only partially impacted by electronic reporting,
determining an ``absolute'' value could involve arbitrary judgement
calls on a program by program basis. EPA requests comment on ways to
improve an analysis of this type as well as suggestions for other
approaches that may better identify the potential costs and benefits of
the proposed electronic reporting and recordkeeping rule.
As discussed further below, two sets of regulatory cost reduction
(savings) estimates were projected--one for web based submissions and
one for EDI/XML--based on a range of alternate assumptions regarding
the national adoption rates for automation options. In both cases, it
was assumed that 77 percent of all reports would be prepared,
transmitted, and recorded electronically at full implementation. The
implementation rates of facilities, however, will vary depending on the
degree to which the facility implements electronic reporting for
environmental requirements directly with EPA or with State regulatory
agencies managing EPA-delegated/authorized environmental programs. The
rates are also affected by the method (Web, EDI, or XML) the facility
chooses to use in reporting to EPA or the delegated State agency. The
table below describes the implementation rates for facilities under the
scenarios described. The table also presents the current ``As-Is''
rates of paper or diskette exchange and the impacts of electronic
reporting on these rates over an eight year period.
Facility Implementation Rates by Reporting Method
[In percentages]
--------------------------------------------------------------------------------------------------------------------------------------------------------
Reporting method FY00 FY01 FY02 FY03 FY04 FY05 FY06 FY07
--------------------------------------------------------------------------------------------------------------------------------------------------------
As-is:
Delegated................................................... 100 100 95 89 81 73 64 56
Non-delegated............................................... 100 100 96 66 50 45 36 28
Mixed delegation............................................ 100 100 96 77 66 59 50 42
Web: 0 0 0 0 0 0 0 0
Delegated................................................... 0 0 4 8 12 18 24 30
Non-delegated............................................... 0 0 3 25 32 37 42 48
Mixed delegation............................................ 0 0 3 17 22 27 33 39
EDI: 0 0 0 0 0 0 0 0
Delegated................................................... 0 0 1 2 2 3 4 5
Non-delegated............................................... 0 0 1 4 6 6 7 8
Mixed delegation............................................ 0 0 1 3 4 5 6 6
XML: 0 0 0 0 0 0 0 0
Delegated................................................... 0 0 0 2 4 6 8 10
Non-delegated............................................... 0 0 0 4 12 12 14 16
Mixed delegation............................................ 0 0 0 3 8 9 11 13
--------------------------------------------------------------------------------------------------------------------------------------------------------
Recordkeeping rates are not presented in the table above. However, it
was also assumed that a very low number of facilities (0.5 percent of
the current regulated entities) would elect to acquire new electronic
recordkeeping systems to implement the CROMERRR recordkeeping option.
EPA is seeking comments on the implementation rates for reporting and
recordkeeping as described in this proposed rule.
For EPA, the average annual cost to implement and operate
electronic reporting and record-keeping is $25.8 million, and the
average annual cost savings compared to equivalent paper-based systems
is $1.2 million. The average annual cost to implement an electronic
reporting system is $1.1 million for each state, and $1,273 for each
facility. The net average annual cost savings of electronic reporting
compared to an equivalent paper-based submission is $1.24 million for
each state, and $1,140 for each facility. The total average annual
costs of implementing and reporting electronically for all facilities
is $3,420 million, which presents a net average annual savings for all
facilities of $52.3 million over current paper-based reporting. The
average annual cost to implement a new electronic record keeping system
is $40,000 for each facility, and the net average annual cost savings
for operating the electronic record keeping system is $23,080.
These costs are based on FY 2000 dollars and include a 7.0% annual
discount rate. Therefore, our estimates indicate that implementation of
electronic reporting will result in a net burden reduction for all
participants, but facilities may not find it cost-effective to develop
an electronic records system unless it addresses both EPA and non-EPA
business purposes. The table below summarizes the total cost of the
current ``as is'' paper system and the future ``to be'' electronic
reporting and record-keeping costs over the next eight (8) years for
EPA, States, and regulated entities. In preparing this
analysis, EPA chose to be conservative in assigning implementation
rates and used technology costs based on the current year.
Summary As-Is Versus To-Be Costs and Cumulative Savings ($M)
[In FY 2000 Dollars]
--------------------------------------------------------------------------------------------------------------------------------------------------------
Cost FY00 FY01 FY02 FY03 FY04 FY05 FY06 FY07
--------------------------------------------------------------------------------------------------------------------------------------------------------
As-Is costs:
Facilities.................................. 3,863.0 3,883.7 3,775.0 3,669.2 3,566.1 3,444.1 3,369.2 3,274.7
States...................................... 58.7 59.0 57.4 55.8 54.2 52.7 51.2 49.8
EPA......................................... 25.8 26.9 26.9 27.1 27.2 27.4 27.5 27.6
To-Be costs:
Facilities.................................. 3,863.0 3,883.7 3,771.3 3,629.4 3,520.8 3,357.7 3,278.7 3,197.8
States...................................... 58.7 59.0 42.3 40.1 38.4 37.5 36.2 35.0
EPA......................................... 28.4 30.7 42.3 26.9 21.5 19.6 19.3 18.4
-------------------------------------------------------------------------------------------------------
Difference.............................. (2.6) (3.9) 3.5 55.6 66.8 109.3 113.8 101.0
--------------------------------------------------------------------------------------------------------------------------------------------------------
It should be stressed that the facility cost and cost-savings
estimates that these totals represent are averages per facility, and
these averages cannot be translated into costs/cost-savings per report
submitted electronically. The cost-related effects of introducing
electronic reporting for a particular report may depend on
circumstances that are unique to the data being reported, and these
specifics are not reflected in the per facility averages. Accordingly,
while the facility cost and cost-savings estimates are based in part on
considering the ICRs that are likely to be affected by the proposed
rule, the resulting cost/cost-savings numbers cannot be used `in
reverse' to calculate cost and burden reductions associated with
introducing electronic reporting for any individual ICR.
In addition, the actual costs and cost-savings for implementing
facilities will vary widely depending on the electronic submission
approach. Companies choosing to submit using web forms will have much
lower initial investment costs, but will receive less savings than
companies that choose to automate their systems to generate EDI or XML
file submissions to EPA. In the latter case, EPA assumes that costs
associated with the implementation of EDI or XML will result from
companies configuring existing XML or EDI software to EPA prescribed
formats, and companies will tend not to invest in EDI hardware or
software for the singular purpose of submitting data to EPA. If the
electronic commerce industry trends continue, the costs of implementing
technologies will decline and the number of facilities and states
implementing electronic reporting will increase, thereby increasing the
overall net benefits of the rule. EPA is also continuing to research
electronic record-keeping options that will improve the cost
effectiveness of electronic record-keeping while meeting federal
enforcement requirements. EPA is seeking comment from reviewers on
alternative record keeping approaches and on EPA's assumption that
facilities choosing to submit data via XML or EDI to EPA will not
acquire new hardware or software.
2. Qualitative Implications. In addition to the cost savings
identified through implementation of this proposal, EPA also has
identified a number of qualitative benefits through implementation of
an electronic system. These qualitative benefits of electronic
reporting include: enhanced quality of data received and entered into
our systems, faster public access to data submitted to EPA, better
tracking of compliance submissions by industry and government agencies,
and opportunities for re-engineering current paper processes. EPA's
Cross Media Electronic Reporting and Record-keeping Rule Cost Benefit
Analysis describes the qualitative aspects in more detail.
V. The Central Data Exchange (CDX)
A. What Is EPA's Concept of the CDX?
EPA's Office of Environmental Information (OEI) is currently
developing the specifications for a `central data exchange' that will
serve as EPA's primary gateway for electronic documents received by
EPA. As noted in section I.B of this preamble, CDX is being designed
with the goal of fully satisfying the criteria that this proposal
specifies for assessing State or tribal electronic document receiving
systems; similarly, EPA will ensure that other systems the
Administrator designates to receive electronic submissions satisfy the
criteria as well. With respect to the electronic document submission
process and criteria addressed by today's proposal, we intend CDX
functions to include:
Access management--allowing or denying an entity access to
CDX;
Data interchange--accepting and returning data via various
file transfer mechanisms;
Signature/certification management--providing devices and
required scenarios for individuals to sign and certify what they
submit;
Submitter and data authentication--assuring that
electronic signatures are valid and data is uncorrupted;
Transaction logging--providing date, time, and source
information for data received to establish ``chain of custody'';
Acknowledgment and provision of copy of record--providing
the submitter with confirmations of the data received;
Archiving--placing files received and transmission logs
into secure, long-term storage;
Error-checking--flagging obvious errors in documents and
document transactions, including duplicate documents and unauthorized
submissions;
Translation and forwarding--converting submitted documents
into formats that will load to EPA databases, and forwarding them to
the appropriate systems;
Outreach--providing education and other customer services
(such as user manuals, help desk) to CDX users.
The idea is to eventually provide--to the greatest extent
possible--one way and one place for the regulated community to exchange
electronic documents with EPA. States may also choose to use CDX as a
gateway for electronic data submissions from their regulated community,
as a cost-effective alternative to building their own system. EPA is
exploring opportunities to leverage CDX resources for use by
authorized/approved state programs. CDX may also provide the platform
for State-EPA data exchanges that
[[Page 46180]]
implement administrative arrangements for data sharing. However, as
with the provisions of the proposed rule, the features and functions of
CDX described in this Section will generally be inapplicable to these
State-EPA exchanges.
With respect to EPA's electronic transactions with regulated
entities, our hope is that the uniformity of process and technology
that CDX provides will help both EPA and regulated entities realize
economies of scale from their investments in data exchange
technologies. This is not to say that use of CDX to submit electronic
documents will necessarily involve substantial investment; it will
require little more of a submitter than access to a computer with a
browser and an Internet connection. However, for organizations that
have invested heavily in the computerized management of their
environmental data, CDX is also being designed to support substantial
automation of the data transfer processes. In addition, EPA hopes that
CDX's centralization of data exchange will eventually provide the
platform for greater integration or consolidation of environmental
reporting.
B. What Are the CDX Building Blocks?
To support its various functions, we are designing CDX to
incorporate a number of key building blocks, including:
Digital signatures based on public key infrastructure
(PKI),
A process for registering users and managing their access
to the CDX,
A characteristic systems architecture,
Electronic data interchange (EDI) standards, and
A characteristic environment in which electronic reporting
transactions will be conducted.
These building blocks--as explained in detail in the following
sections--are meant to ensure that CDX can perform the functions of an
electronic document receiving system under the proposed rule. EPA
believes that these building blocks, taken together, will satisfy the
criteria in today's proposal for electronic document receiving systems,
but seeks comment on this general question.
1. Public Key Infrastructure (PKI)-Based Digital Signatures
PKI-based digital signatures are the product of two concepts:
``Asymmetric'' cryptography, and
An institutional framework for ``certifying'' the identity
of a signature-holder, provided by PKI.
Taking these in order, ``asymmetric'' cryptography is based on a
mathematical relationship that exists between certain pairs of numbers,
for example number A and number B, such that
If A is used to encrypt some message, B and only B can
decipher it, and
If B deciphers the message, it can only have been
encrypted with A.
For purposes of a digital signature, then, A and B are uniquely
assigned to individual X. (How this works is described below, in
connection with explaining the ``institutional framework'' provided by
PKI.) One of the numbers, say A, submitter X shares with no one. This
is X's ``private key''. The other, B, is X's ``public key'', and X
shares B with anyone to whom X wishes to send a message--X may even
publish B together with information that identifies him/her as X.
Given his two keys, X then signs an electronic document as follows:
(1) X uses a standard formula or algorithm to produce a number uniquely
related to the content of the electronic document. This is referred to
as the ``message digest'' or ``hash'' of the document. (2) X uses A,
the private key, to encrypt this hash; this encrypted hash is X's
digital signature, and it is unique both to X and to the particular
message it signs. (3) X attaches this digital signature to his/her
message (which is otherwise not encrypted), and sends it.
When Y gets X's message, Y validates X's signature by: (1) Deriving
the hash of the message, using the same standard algorithm that X used;
(2) deciphering X's digital signature, using X's public key, B; and (3)
comparing the hash Y derived (in step 1) with the deciphered signature.
The two numbers--the derived hash and the deciphered signature--should
agree. If (and only if) they do, then Y knows both that the signature
was produced using A (which belongs to X), and that the message has not
changed since X signed it.
Because the digital signature is specific to the particular
document, and is unique in each case, to say that X is a ``signature-
holder'' in this context is to refer to A and B, the private/public
key-pair. The A/B key-pair does belong to X and plays the same role in
each of the many digital signatures X may create through the process
described above. Accordingly, it is this key-pair--rather than the
individual signatures they are used to create--that is associated with
the process of certifying a signature-holder's identity that is
provided by PKI.
Turning to this, PKI is a way of reliably establishing and
maintaining the identity of the individual associated with a given key-
pair used in producing digital signatures. This protocol involves the
issuance of a ``PKI certificate'' by a ``trusted'' ``certificate
authority'' (CA). The CA is ``trusted'' in the sense that it operates
in conformance with an appropriate certificate policy, and has
demonstrated this conformance through its operations across a wide
range of electronic commerce applications.
Issuing a certificate for individual X typically involves the
following steps: (1) X applies to the CA for a certificate; (2) the CA
requests various pieces of personal information from X, and/or
notarized verifications of X's personal information, and/or X to appear
in person, to provide the CA with the bases for ``proving'' X's
identity; (3) the CA provides X with a way to generate his unique key
pair; (4) the CA conducts the ``identity proofing'' process--matching
what X has provided against information about X in various commercial
databases, official documents, etc.; (5) when the ``identity proofing''
is successfully completed, the CA creates a ``certificate'' for X that
incorporates his public key, along with various pieces of identifying
information about X; (6) the CA digitally signs the certificate to
certify its authenticity, and makes it available to users through
directory services. Some of these steps--especially the ``identity
proofing'' process--may vary considerably, depending on requirements
for security/certainty and the policies and practices of the particular
CA. In the approach that EPA is currently planning, certificate
issuance will be incorporated into a broader CDX registration process.
The discussion of registration in the next section will include some of
the proposed specifics of ``identity proofing'' and related steps for
CDX purposes.
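The cryptographic core of the issuance steps above, as an added example (not EPA's, ACES's or any CA's code): a CA certifies X's public key, a relying party accepts the certificate only if it chains to the root it trusts, and a look-alike certificate from an impostor CA is rejected. Ed25519 keys, Go's standard X.509 library, the names, serial numbers and validity period are assumptions of the example; identity proofing itself happens outside the code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// party holds one participant's key pair and the certificate issued for it.
type party struct {
	pub  ed25519.PublicKey
	key  ed25519.PrivateKey // stays with its holder; an issuer only ever uses pub
	cert *x509.Certificate
}

// enroll generates a key pair for name and has ca certify the public key.
// With ca == nil the party signs its own CA certificate, which is how a root starts.
// Ed25519, the serial numbers and the two-year validity are choices of this example.
func enroll(name string, serial int64, ca *party, at time.Time) (*party, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    at,
		NotAfter:     at.AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, key
	if ca != nil {
		parent, signer = ca.cert, ca.key
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &party{pub: pub, key: key, cert: cert}, nil
}

// trusted reports whether cert chains to the single root the relying party accepts.
func trusted(cert, root *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// Result reports what the constructed scenario in Demo observed.
type Result struct{ GenuineOK, KeyBound, ImpostorRejected, RootDecides bool }

// Demo enrolls a constructed CA and submitter, then a look-alike pair.
func Demo() (Result, error) {
	var res Result
	at := time.Date(2001, 8, 31, 0, 0, 0, 0, time.UTC)
	names := []string{"Constructed Trusted CA", "Submitter X"}
	ca, err := enroll(names[0], 1, nil, at)
	if err != nil {
		return res, err
	}
	x, err := enroll(names[1], 2, ca, at)
	if err != nil {
		return res, err
	}
	// An impostor copies both names but cannot sign with the trusted CA's private key.
	fakeCA, err := enroll(names[0], 1, nil, at)
	if err != nil {
		return res, err
	}
	fakeX, err := enroll(names[1], 2, fakeCA, at)
	if err != nil {
		return res, err
	}
	check := at.AddDate(0, 1, 0)
	res.GenuineOK = trusted(x.cert, ca.cert, check)
	res.KeyBound = x.pub.Equal(x.cert.PublicKey) && x.cert.Subject.CommonName == names[1]
	res.ImpostorRejected = !trusted(fakeX.cert, ca.cert, check)
	res.RootDecides = trusted(fakeX.cert, fakeCA.cert, check)
	return res, nil
}

func main() { fmt.Println(Demo()) }
```

The last field shows why the choice of trusted root matters: the same look-alike certificate verifies for a relying party that has been given the impostor's root.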
The use of PKI-based digital signatures is itself supported by a
very robust infrastructure of electronic commerce tools and practices,
private- and public-sector policies and standards, as well as a very
large and growing body of theoretical research into the mathematical
foundations for this approach. Within the federal government, the
importance of PKI is recognized not only by the ACES initiative
(discussed below), but also by a standing ``Federal PKI Steering
Committee'' with the mandate to promote and coordinate the adoption of
PKI-based digital signatures for a broad range of applications across
all federal
[[Page 46181]]
agencies. In addition, federal agencies may rely on security and PKI
technical requirements published in the Federal Information Processing
Standards (FIPS) developed by the National Institute of Standards and
Technology, available at http://csrc.nist.gov/fips/.
2. The CDX Registration Process
Under the system EPA is designing, to submit electronic documents
to EPA you must first register with CDX, and--at least at the outset--
registration will be by invitation from EPA. Generally, as CDX is
readied to receive a specified report, EPA will extend registration
invitations to all individuals who currently submit that report to EPA
on behalf of their organizations, and are identified as having this
responsibility in EPA's Facility Registry System (FRS) database. If you
have this responsibility but do not receive an invitation, you will
have the opportunity to notify EPA and put yourself on our invitation
list. However, if you submit the specified report to a State, tribal or
local agency, you will not receive a CDX invitation, since your
reporting transaction would be with that agency's electronic document
receiving system, and not with CDX.
If you decide to accept an invitation to report electronically, you
will go through a registration process that involves three steps:
Invitation and verification,
Certificate issuance, and
Access and agreement.
Taking these in order, EPA will initiate the process by sending you
a letter, through the United States Postal Service. The letter will
indicate the opportunity to report electronically, provide a CDX web-
site address and access code, and invite you to start the registration
process by logging on to the CDX site and verifying your name, address,
organizational affiliation and area of reporting responsibility as
posted on that site. This verification session will conclude by
providing you with the web-site address for the Certificate Authority
(CA) that will take you through step 2 of the process.
Of course, you may not have the responsibilities that the CDX site
indicates. That is, you may not be the individual who signs and submits
the environmental reports the site specifies on behalf of your company.
In that case, you will be invited to indicate the individual(s) who
do(es) have these responsibilities, and that will conclude your own
interaction with CDX. EPA will then update FRS, and issue new
invitation letter(s) to the correct individual(s). Assuming you are the
correct individual, step 1 may in some cases involve EPA asking for a
letter from a responsible company official, on company letterhead,
confirming that you have the responsibility to sign and submit the
environmental reports in question. Finally, as a part of step 1 you may
also be prompted to nominate one or two individuals as ``alternate''
submitters, to receive their own invitations to register and, via step
2, to obtain their own PKI certificates. EPA is considering this
provision for ``alternates'' so that there will always be someone at
the facility available to sign electronic submissions with their own
private key, in case you--as the primary submitter--are unavailable
during a period when a document is due. EPA seeks comment on the value
of the confirming letter, and of providing for these ``alternates'',
and on whether these would impose any unacceptable costs or burdens on
regulated entities.
Moving on to step 2, certificate issuance will largely be in the
hands of the certificate authority (CA). EPA's current plan is to
secure CA services through the General Services Administration's (GSA)
Access Certificates for Electronic Services (ACES) program. Under ACES,
EPA will contract with one of the ACES vendors to issue and manage
certificates for individuals wishing to submit electronic reports to
CDX. More information on ACES is available at the ACES website:
www.gsa.gov/aces.
Assuming the ACES approach, then, issuance of your certificate will
consist of a sequence of events similar to the following:
You log onto the ACES CA's web-site, using the address
provided at the end of step 1, and the access code provided in the
initial invitation letter;
You provide personal and business information that may
include some of the following items--your name, home address, e-mail
address, social security number, telephone number, credit card number,
driver's license information, employer's address, common name of your
employer, legal company name of your employer, name and telephone
number of your direct manager, and name and telephone number of a human
resource contact;
During this initial ACES CA session, the CA will also
enable you to generate--on your own computer--a public and private key
pair, and your public key would automatically be included in your
certificate request;
The CA will use your personal and business information to
conduct the identity-proofing process; this takes approximately three
days;
After the CA validates your identity, you will receive a
letter via the US Postal Service notifying you that your certificate is
ready; notification will include a PIN for access to the certificate
retrieval website;
You may be asked to return to the ACES CA web site to
confirm the receipt of your certificate and acknowledge that you have
read and agree to abide by the conditions of your new EPA-sponsored
certificate;
You will download the certificate to your browser, the CA
notifies CDX that you have received your certificate, and CDX initiates
step 3.
Under the ACES approach, the personal information you supply for
purposes of ``identity proofing'' must include at least three items,
and at least one of these must be something assigned to you based on an
in-person identity verification process, e.g. a passport number or
driver's license number. In addition, because your identity as an
official of a regulated company is central to your relationship with
EPA, the ``identity proofing'' performed by the CA may also include
verification of your company's identity, including address, legal name,
names of directors and officers, and current operating status. EPA
seeks comment on any aspect of this ``identity proofing'' approach, and
specifically on the need to have the CA collect the personal and
business information listed above, as well as any comment on the ACES
certificate issuance process as a whole.
It is worth stressing that the items of personal information
selected for ``identity proofing'' will be submitted to the CA, and not
to EPA, and this personal information will not be available to or
maintained by EPA. However, some basic personal information--
specifically, your name, your contact information (email address,
phone/fax/mobile/pager numbers), your mailing address and your
organizational role (e.g., consultant, environmental manager, etc.) may
be submitted to (or verified as correct by) EPA as a part of step 1 of
the registration process, preceding ACES certificate issuance. Step 1
may also involve EPA's collecting or verifying some of the business-
related items that can also be associated with ACES ``identity proofing''--
specifically, your employer's address, common name of your employer,
legal company name of your employer, name and telephone number of your
direct manager--plus, possibly, the following additional items of
information: facility name and address, EPA program reporting area
(e.g. Hazardous Waste, NPDES, etc.), EPA program or permit
identification number, and preferred
[[Page 46182]]
method of electronic reporting (e.g., web form, EDI, etc.). EPA seeks
comment on the need to collect/verify these items of personal and
business-related information as a part of step 1 of the registration
process.
In step 3, CDX will create a system account for you, including a
controlled-access mailbox, sending you by regular mail the password and
user identification code to gain access to your account. When you
initially use these to access your account, you will be instructed to
download any client desktop software from CDX that may serve to support
the digital signing of your electronic submissions. You will conclude
the registration process by printing out and signing on paper a
registration agreement included with the downloaded software. The
agreement will affirm your understanding that, among other things:
Digital signature/certification has the full legal force
of a corresponding signature created with wet ink on paper;
You must protect the access to your CDX mailbox, to your
client CDX desktop, and to the private key used to create your digital
signature;
You must never delegate the use of your private key, or
provide anyone else access to it in any other way;
You must immediately notify EPA if you have any reason to
suspect that your CDX mailbox, CDX-supplied client software, or private
key has been compromised.
The full agreement would conform closely to the text suggested in
subsection IV.D.3 of this preamble.
Upon receiving this agreement, with wet-ink-on-paper signature, CDX
will recognize you as a fully-registered and authorized user. As
proposed in today's rule, CDX will require a process for you to renew
your registration, probably once every two years, although--
corresponding to the discussion in Section IV.D.3 of this preamble--EPA
seeks comment on less frequent renewals, for example, at intervals of
3, 4, or 5 years. This will include certifying that you have complied
with the terms of your initial registration agreement, and, in
particular, that you have not in any way compromised or delegated
access to your private key, to your private CDX account, or to your CDX
client software, and that you have no other evidence that any of these
items have been compromised. Again, the full text of this agreement
would conform closely to the text suggested for agreement renewal in
Section IV.D.3 of this preamble. This certification will probably be
printed out by your desktop software, require a wet-ink-on-paper
signature, and be submitted through the United States Postal Service.
Failure to submit this certification would terminate your access to
CDX, and could lead EPA to require supplemental certification of
previous submissions. The EPA is seeking comment on this proposed
approach to registration renewal, the requirement that the agreement be
renewed, and the frequency of the renewal. We are also seeking comment
on whether it could be accomplished via an electronic submission rather
than on paper.
3. The CDX Architecture
In designing the CDX architecture, EPA has been guided by three
goals:
Flexibility in exchanging data--that is, the ability to
support a number of different data exchange mechanisms, including batch
file transfers in various formats, web-based file uploads, as well as
on-line data entry;
Uniformity in signing/certifying submissions--that is,
providing for a uniform way for individuals to sign and certify their
electronic documents, no matter how the data they contain was
transferred; and
Adequate security for all aspects of CDX operation--that
is, the assurance that authorized users of CDX, including EPA, retain
control over the CDX operations for which they are responsible.
The goal of flexibility arises from knowledge that the
organizations that might want to submit electronic documents to CDX
apply information technology to environmental management in many
different ways. At the one extreme may be large companies that have
correspondingly large quantities of data to submit--data that they
maintain in databases and would prefer to transfer in as automated a mode
as possible. At the other extreme are small businesses that may be
equipped to enter their data into some sort of user-friendly `smart'
form--on-line or off-line--but would not otherwise computerize their
environmental data. And, in the middle, are organizations that may use
relatively simple database or spreadsheet tools for their environmental
data, but are not prepared to automate a data transfer process. In
designing CDX, EPA is trying to accommodate all of these varying levels
of computerization--providing organizations with modes of data transfer
that fit their capabilities while allowing them to take advantage of
whatever level of data capture and automation they have already
achieved.
While organizations may differ considerably in how they want and
are able to transfer data, there needs to be a consistent approach for
the responsible company official's review and certification--by
signing--to the truth and accuracy of the data transferred. In all
cases this will be accomplished by a human interaction with the medium
in which the data is displayed, and some human action to create the
signature in that medium. For any case that calls for a signature, CDX
will always provide the same uniform set of procedures for reviewing
the data and creating the signature.
The CDX will also be designed to provide the requisite system
security. Obviously, the CDX must involve protection for the data that
CDX receives and maintains from any unwanted intrusion or tampering. It
must also protect the data as it travels from the submitter to the CDX.
The system security must also include elements that ensure that the
signature/certification process is not compromised. For example, CDX
must provide certificate holders with a way to secure their private key
and to control access to any messages that confirm or respond to
submissions, so that they can be assured that no spurious transactions
with CDX will be conducted using their electronic signature.
To achieve these goals, EPA is planning to base CDX implementation
on client-server architecture. This means that CDX will manage the
transactions with submitters through a computer operated by EPA that
interacts with computers at the submitter's site. To provide for the
desired flexibility, the EPA server is being designed to accept data
via a variety of transfer mechanisms in a variety of formats, ranging
from Internet File Transfer Protocol (FTP) submissions of spread-sheet
files to standards-based electronic data interchange (EDI)
transmissions via private value-added network (VAN). These file formats
and transfer protocols will be discussed below.
To ensure a uniform signature/certification process, CDX would
provide the computers from which it accepts electronic documents
(otherwise known as ``client'' personal computers (PCs)) with copy-
protected and password-protected client software that will support the
digital signing of your electronic documents. You will be prompted to
download and install this software once you complete the registration/
certification process, and access your password-protected mailbox on
the CDX server. (You would also be given a detailed user's guide, which
will provide step-by-step instructions on download and installation.)
To operate this CDX client software, and interact with the CDX
server, your PC system will have to have: Internet
[[Page 46183]]
access; at least a 486 processor (with Pentium recommended); 2 to 5 MB
of available hard-drive space to install program software; access to a
printer; and Microsoft Windows 95, 98 or NT 4.0. Given the planned use
of digital signature certificates, your system will also be required to
run one of the following Web browsers: Internet Explorer 4.01, Internet
Explorer 5.0, Netscape 3-4.05, Netscape 4, or subsequent versions of
these browsers. In addition, you should have backup capability of some
form (e.g. tape system, off-line disk storage, or access to a separate
network server); an effective backup program provides protection
against system malfunctions and ensures that you can retain a copy of
your submissions as required by EPA regulations. EPA seeks comment on
whether these system requirements impose unacceptable costs or burdens
on regulated entities, and whether additional processors and operating
systems should be accommodated.
Concerning protection of the server, CDX will be designed to
incorporate ``firewall'' security, in addition to the usual system
security provisions to control physical access to the system and
prohibit unauthorized internal access. Very generally, a ``firewall''
is software that controls the flow of data files between a system and a
network to which it is connected, to ensure (among other things) that
only files from recognized and safe sources are allowed to enter. As
transmissions flow through the CDX firewall, for example, they will be
automatically virus-scanned, and the system would not attempt to
process a file that contains a suspected virus. (If a virus is
detected, the submitter would be notified and asked to resubmit the
report.) The server will also be protected with intrusion detection
software that alerts the system operators to suspected attempts to
penetrate or ``hack'' the system. The system operators will use the
logging capability of the firewall and the intrusion detection system
to monitor the health and status of the system and respond to
unauthorized efforts to use or modify the system. In terms of
protecting the system clock, CDX will be configured so that changes to
the clock can only be made under a single user ID and password, and the
server will be placed in a locked rack so that an unauthorized person
cannot use a reboot sequence to change the clock settings. In addition,
the system clock will be synchronized with the atomic clock at least
once a day to ensure that the system time is extremely accurate.
Once a submission passes through the firewall, CDX will initiate
the first of several processes that, among other things, will create a
robust archive of the original submission, including:
The submission files in their entirety, exactly as they
were sent, including any enveloping/addressing/routing/date-time
information. These will be captured and archived upon receipt by CDX,
immediately after a successful virus scan; archiving will include a
digital signing of the files by EPA to ensure file integrity;
The electronic document as it was signed with its
submitter digital signature affixed; these will be captured after the
digital signatures are verified, and will include data generated by the
verification process;
The electronic document as it was signed, with the
verified digital signature affixed, the date and time of receipt and
EPA's digital signature of the entire content; this will constitute the
``copy of record'';
The submission acknowledgments sent back to the submitter
with EPA signatures, including the date and time these are transmitted.
If, at a later date, there is a question about the file that was
received, the EPA can use this sequence of archived files to verify
that no changes have been made to the original input from the
submitter. Of course, we believe the fact that these archived files are
digitally signed will make it impossible for any of these files to be
modified without detection. As noted earlier, a digital signature is a
function of the ``message digest'' or ``hash'' of the document or file
it is used to sign. Any modification to the file would change its
``hash''--which will be different for each variation of the file--and
this would automatically invalidate the signature. A change in even a
single character of a file or document would invalidate its digital
signature, and would trigger an error warning when processed by the CDX
server.
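The signing and validation steps described under PKI-based digital signatures and the archive sequence above, combined in one added example (not EPA's or CDX's code): a submitter signs a document, the receiving system verifies it and countersigns document, signature and receipt time as a copy of record, and a later audit catches a one-character edit or a changed receipt time. RSA PKCS#1 v1.5 with SHA-256, the CopyOfRecord layout, the function names and the sample report are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// CopyOfRecord is a hypothetical archive entry; the layout is not a CDX format.
type CopyOfRecord struct {
	Document, SubmitterSig []byte
	ReceivedAt             time.Time
	ReceiverSig            []byte // receiver's signature over the three fields above
}

// Sign hashes doc and signs the digest; RSA PKCS#1 v1.5/SHA-256 is this example's choice.
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest and checks the signature with the public key only.
func Verify(pub *rsa.PublicKey, doc, sig []byte) error {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// recordBytes joins two fixed-length digests and the timestamp, so no field can bleed into another.
func recordBytes(doc, sig []byte, at time.Time) []byte {
	d, s := sha256.Sum256(doc), sha256.Sum256(sig)
	return append(append(d[:], s[:]...), at.UTC().Format(time.RFC3339Nano)...)
}

// Receive checks the submitter's signature, then countersigns the copy of record.
func Receive(subPub *rsa.PublicKey, recvPriv *rsa.PrivateKey, doc, sig []byte, at time.Time) (*CopyOfRecord, error) {
	if err := Verify(subPub, doc, sig); err != nil {
		return nil, fmt.Errorf("submitter signature rejected: %w", err)
	}
	recvSig, err := Sign(recvPriv, recordBytes(doc, sig, at))
	if err != nil {
		return nil, err
	}
	return &CopyOfRecord{Document: doc, SubmitterSig: sig, ReceivedAt: at, ReceiverSig: recvSig}, nil
}

// Audit re-checks an archived entry at a later date.
func Audit(subPub, recvPub *rsa.PublicKey, r *CopyOfRecord) error {
	if Verify(recvPub, recordBytes(r.Document, r.SubmitterSig, r.ReceivedAt), r.ReceiverSig) != nil {
		return fmt.Errorf("entry changed after receipt")
	}
	if Verify(subPub, r.Document, r.SubmitterSig) != nil {
		return fmt.Errorf("document does not match submitter signature")
	}
	return nil
}

// Result reports what the constructed scenario in Demo observed.
type Result struct{ CleanOK, ForgeryRejected, EditCaught, BackdateCaught bool }

// Demo runs a constructed submission through signing, receipt and later audits.
func Demo() (Result, error) {
	var res Result
	submitter, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}
	receiver, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return res, err
	}
	subPub, recvPub := &submitter.PublicKey, &receiver.PublicKey
	doc := []byte("constructed sample report: facility 0001, discharge 12.5 kg")
	at := time.Date(2001, 8, 31, 12, 0, 0, 0, time.UTC)
	sig, err := Sign(submitter, doc)
	if err != nil {
		return res, err
	}
	rec, err := Receive(subPub, receiver, doc, sig, at)
	if err != nil {
		return res, err
	}
	res.CleanOK = Audit(subPub, recvPub, rec) == nil
	// One character changed in transit: rejected before anything is archived.
	forged := append([]byte(nil), doc...)
	forged[len(forged)-4] = '9'
	_, rejectErr := Receive(subPub, receiver, forged, sig, at)
	res.ForgeryRejected = rejectErr != nil
	// The same edit, and a changed receipt time, made to the archived entry.
	edited, backdated := *rec, *rec
	edited.Document, backdated.ReceivedAt = forged, at.Add(-24*time.Hour)
	res.EditCaught = Audit(subPub, recvPub, &edited) != nil
	res.BackdateCaught = Audit(subPub, recvPub, &backdated) != nil
	return res, nil
}

func main() { fmt.Println(Demo()) }
```

Detection here depends on the receiver's private key staying out of reach of whoever can write to the archive; someone holding that key could re-sign an altered entry.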
In terms of archive storage, the CDX will archive to multiple
formats: hard disk, tape, and optical media. This use of multiple
formats is designed to ensure that degradation of one format would not
jeopardize EPA's long-term storage capability for submitted data. The
CDX archives will be written out to an online disk system when they are
first created. They will be copied to an off-line disk system and also
backed up to magnetic tape every day, with full backups to tape on a
weekly basis. The schedule for backup to optical media--and the
requirements for rapidity of retrieval--have not yet been decided, and
EPA welcomes any suggestions in this area. The optical media archiving
is intended to provide for long-term storage, extending to periods of
20-50 years.
Finally, CDX will also provide security for data exchanges. To
protect client-server transactions, including the report submission and
transmission of acknowledgments, CDX will use a protocol that encrypts
the files being exchanged between a ``client'' PC and the CDX server
while these files travel through the network. In addition, the private
key, as already noted, will be password protected; it will also provide
separate password protection of access to the private key that
generates the digital signature. To further protect a user's account
from theft or spurious use by an intruder across a company network,
current planning calls for the CDX client software to be ``localized''
to the particular PC on which it is installed--preventing access to
this software installed on a particular PC from other PCs connected to
it via a network. It is worth adding that, when the private key is
created--in connection with the registration process--this can be done
in a way that prohibits its export. If this option is invoked, the
private key can never be moved--whether to a floppy or to another
computer--so if a signature-holder had to move to another machine, the
existing public/private key pair assigned to this individual will have
to be abandoned, and he or she will have to apply for a new
certificate. While EPA is not currently planning to require this
option, we are seeking comment both on whether it would involve too
much burden for users and on whether the option is necessary to protect
the private key from compromise.
4. Electronic Data Interchange (EDI) Standards
As discussed in section II.A, above, EPA has, historically, based
its approach to electronic reporting on EDI standards, specifically
those developed and maintained under ANSI ASC X12. Today's proposal
represents a departure from this approach, in that the regulatory
language itself does not specify any particular data formats or
transaction set standards. In addition, as already noted, the system
that EPA is proposing to use in implementing electronic reporting--the
`Central Data Exchange'--will not specify ANSI X12 standards as the
only syntax for automated transfers of compliance data. Nonetheless,
the EDI standards on which we have relied in the past will still serve
to define many of the data sets that we expect CDX to accept from our
submitters.
There are two reasons for this. The first is simply that a
significant minority
[[Page 46184]]
of very large company submitters conduct their electronic commerce
using ANSI-based EDI; we want to be able to accommodate these companies
and allow them to conduct their transactions with CDX using the same
infrastructure they use in commerce. The second reason is generally
that ANSI standards continue to provide a precise, well-documented and
widely-recognized way of describing the structure of electronic
transactions--including the elements of data involved and how they are
related to each other. By providing this clarity, these standards-based
descriptions facilitate the implementation of an electronic transfer
even where ANSI X12 is replaced by another format for the data files--
that is, another way of ordering, grouping, labeling and separating the
elements of data. In addition, many of the commercial off-the-shelf
(COTS) electronic commerce products can translate X12 syntax into other
formats, such as ``extensible mark-up language'' (XML).
CDX will make EDI available for many, if not all, of the reports
and other documents it is set up to receive. Beyond issues of
configuring the CDX server software to recognize and process EDI-
formatted files, implementation of EDI is largely a matter of
developing the implementation guidance for each of the environmental
reports to be supported. As noted in Section II.A of this preamble, the
implementation guidance does three things. First, it addresses such
procedural matters as: interactions with the communications network
(which, under current plans, can be a `value-added network' or `VAN',
but can also be the Internet), schedule for submissions and
acknowledgments, transaction records to be maintained, and so on.
Second, it stipulates the specific ANSI X12 standard file transmission
formats--that is, ``transaction sets''--to be used for the specified
reports. Third, the guidance specifies how the stipulated transaction
sets being used are to be interpreted as they are applied to the
environmental report in question.
As noted in Section II.A, X12 transaction sets are generic in the
sense that they typically leave a number of their components as
`optional', and use data-element specifications that are open to
multiple interpretations. Therefore the implementation guidance must,
at the very least, establish the correlation between the generic data
elements and the specific data elements in the EPA report that would be
put into this format--in essence, this is to specify which data field
in the EPA report goes where in the transaction set format. This is
sometimes described as mapping the generic transaction set to the
particular set of data elements it will serve to format. The result of
this ``mapping'' process is often referred to as the ``implementation
convention'' (IC) of the transaction set for the report or document in
question. Accordingly, each EPA program-specific implementation
guidance will include the applicable ICs.
EPA has written and codified ICs for many of the Agency's major
compliance reports, and several more are under development. These ICs
have been (or will be) approved as a `Federal Implementation
Convention'. This approval process, which involves public notice and
comment, is managed by the Federal Electronic Data Interchange
Standards Management Coordinating Committee (FESMCC), under the Federal
Information Processing Standard Publication (FIPS PUB) 161-2, entitled
``Electronic Data Interchange.'' All approved Federal ICs are
registered with the National Institute of Standards and Technology
(NIST). The NIST registry, now including 863E, is posted at: http://snad.ncsl.nist.gov/fededi/. Whenever EPA intends to upgrade to a new
version or release of the ANSI X12 standards, or in any other way
modify the applicable IC, EPA will give notice of its intent in the
Federal Register and will establish a conversion date. Affected
regulated entities will then have a minimum of sixty (60) calendar days
from the conversion date to conform to the modified IC; EPA will
discontinue support of the previous version of the IC no sooner than
ninety (90) calendar days after the conversion date.
The full list of currently approved ICs is:
863E--Report of Test Results (Discharge Monitoring
Report): This IC is available in PDF, RTF, ASCII, SEF formats for
Version 4010 from http://snad.ncsl.nist.gov/dartg/edi/4010-ic.html
The 863S--Report of Test Results (Safe Drinking Water) IC
is currently in the FESMCC approval process. When approved, it will be
available in PDF, RTF, ASCII, SEF formats for Version 4010.
In addition, ANSI ASC X12 has recently approved a new transaction
set specifically developed by EPA to support environmental reporting,
the 179. The 179 consolidates several EPA reports into a single
transaction set. The 179 can convey a Discharge Monitoring Report,
Hazardous Waste Report, Toxic Release Inventory report, the Air
Emission Inventory report, or Risk Management Plan. The 179 was
published initially in the ANSI ASC Version 4031. The ICs for the 179
are being developed and will be coordinated through the FESMCC process and
published on the NIST web site after approval.
5. The Transaction Environment
As explained in earlier sections, CDX would allow submitters to
transmit data either through automated file transfer, or via on-screen
``smart forms'' provided as a part of the downloaded ``desktop''. In
either case, however, the signature/certification ``scenario''--that
is, the series of steps surrounding the digital signing of the report--
will be the same, consisting of:
A data review sequence,
The signature process, and
An acknowledgment sequence.
These steps will largely be governed by operation of the CDX
software, and the interaction of the client PC with the CDX server.
Taking these in order, data review will take place online, with the
CDX server providing the transmitted data for submitter review in a
format that is easily read and understood, possibly with a visual
layout similar to the applicable paper form (if there is one). The
server will present the data one screen at a time--downloaded to the
client browser--and it will not allow the submitter to initiate the
signing process until the last screen has appeared. The review sequence
will end when the submitter clicks a button at the bottom of the last
data screen to initiate signature.
Once initiated, the signature process will first display the
certification statement, certifying to the truth of the data to be
submitted, and also including a warning that by initiating the signing
process the submitter agrees that he or she is using the signature in
compliance with the signature agreement that was signed when the
signature device was issued. The exact content and wording of the first
of these statements will be consistent with the language suggested for
this purpose in sub-section IV.D.4 of this preamble. In any event, the
submitter will be prompted to click agreement with this statement,
after which the submitter will be prompted to enter his or her password,
launching the digital signature process. The digital signature will be
created by using the submitter's private key to encrypt a `hash' of all
the elements of the screens the submitter has reviewed--including
screen layout, data field labels, data elements, and certification
statements. Once the signature is created and affixed, the signed
report will be immediately transmitted to the server.
[[Page 46185]]
Transmission to the server will initiate the acknowledgment
sequence. Upon receipt of the transmission, CDX will automatically
create an acknowledgment that includes the date and time of receipt.
This acknowledgment will be posted to the submitter's password-
protected mailbox on the server, and/or to a submitter-specified email
address. In addition, the server will also create a ``copy of record''
of the submission, by applying an EPA digital signature to the entire
file received, including the submitter's digital signature. EPA will
count this ``copy of record'' as the ``original'' of the submission for
all legal purposes, and will maintain this electronic document in the
CDX archive. As currently planned, this ``copy of record'' will be
placed in the submitter's password-protected mailbox on the server.
When the submitter next logs into CDX, the first screen he or she sees
will present the list of copies of record (and acknowledgments, unless
these are sent by email) that currently await submitter review; the
submitter will be able to download and archive these documents. Of
course, the submitter will be encouraged to review these copies of
record to confirm that they correspond with what he or she intended to
submit, and to notify EPA immediately in the case of any discrepancy.
In our design of this three-part scenario (data review, signature
process, and acknowledgment), our major goals have been to make CDX
simple, intuitive and easy for submitters to use, while--at the same
time--ensuring that a submitter knows and understands what he or she is
certifying, the meaning of affixing a digital signature to the
electronic document, what has happened, and what EPA considers to be
the document that was submitted. EPA seeks comment on the
appropriateness of these goals and whether more or less should be
designed into CDX to ensure that it meets these goals.
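The signature process and acknowledgment sequence described above can be sketched in Go; this is an added example, not part of the proposal and not CDX code. Ed25519 stands in for whichever signature algorithm CDX adopts, and the type names, the length-prefixed encoding of screen elements, the demo keys and the sample data are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

type (
	Field  struct{ Label, Value string } // one labelled data element as displayed
	Screen struct {                      // one review screen
		Layout string
		Fields []Field
	}
	Submission struct { // everything the submitter reviewed and certifies
		Screens       []Screen
		Certification string
	}
	CopyOfRecord struct { // the file as received plus both signatures
		Sub          Submission
		SubmitterSig []byte
		ServerSig    []byte
	}
)

// lp appends s as length, colon, bytes, so ("ab","c") and ("a","bc") encode differently.
func lp(b []byte, s string) []byte {
	return append(b, fmt.Sprintf("%d:%s", len(s), s)...)
}

// Digest hashes layout, labels, values and certification text in display order.
func Digest(sub Submission) [32]byte {
	b := lp(nil, fmt.Sprint(len(sub.Screens)))
	for _, sc := range sub.Screens {
		b = lp(lp(b, sc.Layout), fmt.Sprint(len(sc.Fields)))
		for _, f := range sc.Fields {
			b = lp(lp(b, f.Label), f.Value)
		}
	}
	return sha256.Sum256(lp(b, sub.Certification))
}

// SignSubmission is the client step: sign the digest of what was reviewed.
func SignSubmission(priv ed25519.PrivateKey, sub Submission) []byte {
	d := Digest(sub)
	return ed25519.Sign(priv, d[:])
}

// serverMessage is what the server signs: the file digest, then the submitter's signature.
func serverMessage(c CopyOfRecord) []byte {
	d := Digest(c.Sub)
	return append(d[:], c.SubmitterSig...)
}

// MakeCopyOfRecord is the server step: reject a bad signature, otherwise countersign.
func MakeCopyOfRecord(serverPriv ed25519.PrivateKey, submitterPub ed25519.PublicKey,
	sub Submission, sig []byte) (CopyOfRecord, error) {
	if d := Digest(sub); !ed25519.Verify(submitterPub, d[:], sig) {
		return CopyOfRecord{}, errors.New("submitter signature does not match the file received")
	}
	c := CopyOfRecord{Sub: sub, SubmitterSig: sig}
	c.ServerSig = ed25519.Sign(serverPriv, serverMessage(c))
	return c, nil
}

// VerifyCopyOfRecord checks the server signature, then the submitter's.
func VerifyCopyOfRecord(serverPub, submitterPub ed25519.PublicKey, c CopyOfRecord) error {
	if !ed25519.Verify(serverPub, serverMessage(c), c.ServerSig) {
		return errors.New("server signature invalid: copy of record changed after receipt")
	}
	if d := Digest(c.Sub); !ed25519.Verify(submitterPub, d[:], c.SubmitterSig) {
		return errors.New("submitter signature invalid")
	}
	return nil
}

// demoKey derives a fixed key pair from a label (constructed, demo only).
func demoKey(label string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := sha256.Sum256([]byte("constructed demo seed: " + label))
	priv := ed25519.NewKeyFromSeed(seed[:])
	return priv.Public().(ed25519.PublicKey), priv
}

// demoSubmission returns constructed sample data, not a real report.
func demoSubmission() Submission {
	fields := []Field{{"Parameter", "pH"}, {"Measured value", "7.2"}}
	return Submission{[]Screen{{"screen-1", fields}}, "I certify that the data are true, accurate and complete."}
}

func main() {
	subPub, subPriv := demoKey("submitter")
	srvPub, srvPriv := demoKey("server")
	sub := demoSubmission()
	cor, err := MakeCopyOfRecord(srvPriv, subPub, sub, SignSubmission(subPriv, sub))
	fmt.Println("as received:", err, VerifyCopyOfRecord(srvPub, subPub, cor))
	cor.Sub.Screens[0].Fields[1].Value = "7.3" // a single-character change
	fmt.Println("after edit:", VerifyCopyOfRecord(srvPub, subPub, cor))
}
```

Because the digest covers layout, labels and certification text as well as the data values, a change to any of them after signing fails verification, not only a change to a reported number.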
VI. Regulatory Requirements
A. Executive Order 12866
Pursuant to the terms of Executive Order 12866 (58 FR 51735,
October 4, 1993), it has been determined that this rule is a
``significant regulatory action'' because it raises novel legal and/or
policy issues. As such, this action was submitted to OMB for review.
Changes made in response to OMB suggestions or recommendations will be
documented in the public record.
B. Executive Order 13132
Executive Order 13132, entitled ``Federalism'' (64 FR 43255, August
10, 1999), requires EPA to develop an accountable process to ensure
``meaningful and timely input by State and local officials in the
development of regulatory policies that have federalism implications.''
``Policies that have federalism implications'' is defined in the
Executive Order to include regulations that have ``substantial direct
effects on the States, on the relationship between the national
government and the States, or on the distribution of power and
responsibilities among the various levels of government.''
Under Section 6 of Executive Order 13132, EPA may not issue a
regulation that has federalism implications, that imposes substantial
direct compliance costs, and that is not required by statute, unless
the Federal government provides the funds necessary to pay the direct
compliance costs incurred by State and local governments, or EPA
consults with State and local officials early in the process of
developing the proposed regulation. EPA also may not issue a regulation
that has federalism implications and that preempts State law, unless
the Agency consults with State and local officials early in the process
of developing the proposed regulation.
This proposed rule does not have federalism implications. It will
not have substantial direct effects on the States, on the relationship
between the national government and the States, or on the distribution
of power and responsibilities among the various levels of government,
as specified in Executive Order 13132. The proposed rule would not
require States to accept electronic reports. The effect of this rule
would be to provide additional regulatory flexibility to States because
States could choose to accept electronic data in satisfaction of EPA
reporting requirements. Authorized States that did choose to accept
electronic reports under this rule would incur expenses initially in
developing systems or modifying existing systems to meet the criteria
in this rule. However, the Cost/Benefit analysis associated with this
proposed rule, summarized in section IV.E of this preamble, estimates
that States' overall cost savings from implementing electronic
reporting will more than compensate for these initial expenses.
Additionally, EPA believes that even in the absence of this proposed
rule, States implementing electronic reporting on their own initiative
would generally choose to meet the criteria that this rule proposes.
Thus, the requirements of section 6 of the Executive Order do not apply
to this rule. Although section 6 of Executive Order 13132 does not
apply to this rule, EPA did consult with State and local officials in
developing this rule.
C. Paperwork Reduction Act
The information collection requirements in this proposed rule have
been submitted for approval to the Office of Management and Budget
(OMB) under the Paperwork Reduction Act (PRA), 44 U.S.C. 3501 et seq.
An Information Collection Request (ICR) document has been prepared by
EPA (ICR No. 2002.02) and a copy may be obtained from Sandy Farmer by
mail at Collection Strategies Division; U.S. Environmental Protection
Agency (2822); 1200 Pennsylvania Ave., NW, Washington, DC 20460, by
email at [email protected], or by calling (202) 260-2740. A
copy may also be downloaded off the Internet at
http://www.epa.gov/icr.
The proposed rule would allow reporting entities to voluntarily
submit reports and other information electronically, thereby
streamlining and expediting the process for reporting. It will also
allow facilities to maintain electronic records for information/data
currently required by regulation or statute to be maintained by the
regulated entity onsite. EPA is proposing this rule on cross-media
electronic reporting and record-keeping, in part, under the authority
of the Government Paperwork Elimination Act, Public Law 105-277, which
amends the PRA.
The CROMERRR ICR primarily covers the registration information
which will be collected from individuals wishing to submit electronic
reports on behalf of a regulated entity and will be used to establish
the identity of that individual and the regulated entity he or she will
represent. It also covers activities incidental to electronic
reporting. Submission of reports in an electronic format will be
voluntary.
The total annual reporting and record-keeping burden this ICR
estimates for all facilities is 874,853 hours, which includes the tasks
of collecting data, managing the system, and keeping records. A more
detailed description of these activities includes the following:
registering with EPA or State electronic document receiving systems,
including invitation, verification, certificate issuance, and access
and agreement; renewing registration with the electronic document
receiving system once every two years; activities related to
maintaining the electronic signature, including renewing the signature
[[Page 46186]]
certificate, reporting loss, theft, or other compromise of any
component of an electronic signature, and surrender of electronic
signature; and facility electronic record-keeping, including generating
and maintaining complete e-records and documents. It is expected that
tasks associated with system registration will take an average of one
(1) hour per registrant/entity and the estimated number of likely
respondents is 324,370. For the first year, there will be start-up and
annual operation and maintenance (O&M) costs. Costs for the following
two years will only involve annual O&M, based on the assumption that
the registration will be valid for three years. Total annual start-up
costs are estimated at $10,700,000.00 and annual O&M costs are
estimated at $5,100,123.96.
Burden means the total time, effort, or financial resources
expended by persons to generate, maintain, retain, or disclose or
provide information to or for a Federal agency. This includes the time
needed to review instructions; develop, acquire, install, and utilize
technology and systems for the purposes of collecting, validating, and
verifying information, processing and maintaining information, and
disclosing and providing information; adjust the existing ways to
comply with any previously applicable instructions and requirements;
train personnel to be able to respond to a collection of information;
search data sources; complete and review the collection of information;
and transmit or otherwise disclose the information.
An Agency may not conduct or sponsor, and a person is not required
to respond to a collection of information unless it displays a
currently valid OMB control number. The OMB control numbers for EPA's
regulations are listed in 40 CFR part 9 and 48 CFR chapter 15.
Comments are requested on the Agency's need for this information,
the accuracy of the provided burden estimates, and any suggested
methods for minimizing respondent burden, including through the use of
automated collection techniques. Send comments on the ICR to the
Director, Collection Strategies Division; U.S. Environmental Protection
Agency (2822); 1200 Pennsylvania Ave., NW., Washington, DC 20460; and
to the Office of Information and Regulatory Affairs, Office of
Management and Budget, 725 17th St., NW., Washington, DC 20503, marked
``Attention: Desk Officer for EPA.'' Include the ICR number in any
correspondence. Since OMB is required to make a decision concerning the
ICR between 30 and 60 days after August 31, 2001, a comment to OMB is
best assured of having its full effect if OMB receives it by October 1,
2001. The final rule will respond to any OMB or public comments on the
information collection requirements contained in this proposal.
D. Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA), 5 U.S.C. 601 et seq.,
provides that, whenever an agency promulgates a proposed rule under
section 553 of the Administrative Procedures Act, after being required
by that section or any other law to publish a general notice of
rulemaking, the agency generally must prepare an initial regulatory
flexibility analysis (IRFA). The agency must prepare a Final Regulatory
Flexibility Analysis (FRFA) for a final rule unless the head of the
agency certifies that it will not have a significant economic impact on
a substantial number of small entities.
Today's rule is not subject to the RFA because electronic reporting
and record-keeping is voluntary and will only apply to those States and
tribes that seek EPA approval to allow electronic reporting and record-
keeping under their authorized programs and to regulated entities that
seek to maintain records or transmit compliance reports electronically
to EPA or authorized/approved States or tribes. These changes will
reduce the burden on all affected entities, including small businesses.
Accordingly, this rule is certified as having no significant economic
impact on a substantial number of small businesses. Respondent burden
is the burden placed upon each individual reporting entity involved in
set up, configuration and implementation of electronic submission of
environmental compliance reports. Regulated entities will find that the
initial set up process requires some expenditure of time and resources,
but in the long run, this process will reduce the time spent on
submissions each year. The Cost/Benefit analysis associated with this
proposed rule, summarized in section IV.E, estimates that electronic
reporting and record-keeping, when fully implemented, will reduce
regulated facility compliance cost by more than $300 million per year.
The Administrator therefore certifies, pursuant to section 605(b) of
the RFA, that this rule will not have a significant economic impact on
a substantial number of small entities.
E. Unfunded Mandates Reform Act
Title II of the Unfunded Mandates Reform Act of 1995 (UMRA), Public
Law 104-4, establishes requirements for Federal agencies to assess the
effects of their regulatory actions on State, local, and tribal
governments and the private sector. Under section 202 of the UMRA, EPA
generally must prepare a written statement, including a cost-benefit
analysis, for proposed and final rules with ``Federal mandates'' that
may result in expenditures to State, local, and tribal governments, in
the aggregate, or to the private sector, of $100 million or more in any
one year. Before promulgating an EPA rule for which a written statement
is needed, section 205 of the UMRA generally requires EPA to identify
and consider a reasonable number of regulatory alternatives and adopt
the least costly, most cost-effective or least burdensome alternative
that achieves the objectives of the rule. The provisions of section 205
do not apply when they are inconsistent with applicable law. Moreover,
section 205 allows EPA to adopt an alternative other than the least
costly, most cost-effective or least burdensome alternative if the
Administrator publishes with the final rule an explanation why that
alternative was not adopted.
Before EPA establishes any regulatory requirements that may
significantly or uniquely affect small governments, including tribal
governments, it must have developed under section 203 of the UMRA a
small-government agency plan. The plan must provide for notifying
potentially affected small governments, enabling officials of affected
small governments to have meaningful and timely input in the
development of EPA regulatory proposals with significant Federal
intergovernmental mandates, and informing, educating, and advising
small governments on compliance with the regulatory requirements.
The Agency has determined that this rule does not contain a Federal
mandate that may result in expenditures of $100 million or more for
State, local and tribal governments, in the aggregate, or the private
sector in any one year. Today's rule provides additional flexibility to
the States in complying with current regulatory requirements and
reduces the burden on affected governments. Thus, today's rule is not
subject to the requirements in sections 202 and 205 of the UMRA.
The Agency has determined that this rule contains no regulatory
requirements that might significantly or uniquely affect small
governments and thus this rule is not subject to the requirements in
section 203 of UMRA. This rule will not significantly affect small
governments because it provides additional flexibility in complying
with pre-existing regulatory requirements.
[[Page 46187]]
F. National Technology Transfer and Advancement Act
Section 12(d) of the National Technology Transfer and Advancement
Act of 1995 (``NTTAA''), Public Law 104-113, section 12(d) (15 U.S.C.
272 note) directs EPA to use voluntary consensus standards in its
regulatory activities unless to do so would be inconsistent with
applicable law or otherwise impractical. Voluntary consensus standards
are technical standards (e.g., materials specifications, test methods,
sampling procedures, and business practices) that are developed or
adopted by voluntary consensus standards bodies. The NTTAA directs EPA
to provide Congress, through OMB, explanations when the Agency decides
not to use available and applicable voluntary consensus standards.
This rulemaking involves information technology standards for
electronic formats and for electronic signatures. EPA is exploring a
number of standards-based approaches to Web forms, including electronic
data exchange formats based upon the American National Standards
Institute (ANSI) Accredited Standards Committee's (ASC) X12 for
Electronic Data Interchange or EDI. EPA is also proposing Internet data
exchange formats based on the Extensible Mark-up Language (XML)
specifications developed by the World Wide Web Consortium (W3C). The
World Wide Web Consortium, however, is not a voluntary consensus
standards body within the meaning of the NTTAA, and EPA could not
identify an applicable consensus standard for creating and transmitting
data using XML. Therefore, EPA has decided to propose an XML data
exchange format, referred to as a document type definition, for Internet
transmissions as an alternative to the ANSI ASC X12 formats that are
customarily transmitted across Value Added Networks. It is possible
that the ANSI ASC X12 standards body will develop standards for XML
document definitions in the future, and EPA will monitor this situation
as we develop a final rulemaking.
G. Executive Order 13045
The Executive order, Protection of Children from Environmental
Health Risks and Safety Risks (62 FR 19885, April 23, 1997) applies to
any rule that EPA determines (1) is ``economically significant'' as
defined under Executive Order 12866 and (2) concerns an environmental
health or safety risk that EPA has reason to believe may have a
disproportionate effect on children. EPA interprets the Executive Order
13045 as encompassing only those regulatory actions that are risk-based
or health-based, such that the analysis required under section 5-501 of
the Executive Order has the potential to influence the regulation.
This rule is not subject to Executive Order 13045 because it is not
an economically significant action as defined by Executive Order 12866
and it does not involve decisions regarding environmental health or
safety risks. This rule develops technical procedures for the voluntary
submission of environmental compliance data electronically.
H. Executive Order 13175
Executive Order 13175, entitled, ``A Consultation and Coordination
with Indian Tribal Governments'' (65 FR 67249, November 6, 2000),
requires EPA to develop an accountable process to ensure ``meaningful
and timely input by tribal officials in the development of regulatory
policies that have tribal implications.'' ``Policies that have tribal
implications'' is defined in the Executive Order to include regulations
that have ``substantial direct effects on one or more Indian tribes, on
the relationship between the Federal government and the Indian tribes,
or on the distribution of power and responsibilities between the
Federal government and Indian tribes.''
This proposed rule does not have tribal implications. It will not
have substantial direct effects on tribal governments, on the
relationship between the Federal government and Indian tribes, or on
the distribution of power and responsibilities between the Federal
government and Indian tribes, as specified in Executive Order 13175.
The proposed rule would not require Indian tribes to accept electronic
reports. The effect of this rule would be to provide additional
regulatory flexibility to Indian tribes because tribes could choose to
accept electronic data in satisfaction of EPA reporting requirements.
Authorized tribal programs that did choose to accept electronic reports
under this rule would incur expenses initially in developing systems or
modifying existing systems to meet the criteria in this rule. However,
the Cost/Benefit analysis associated with this proposed rule,
summarized in section IV.E of this preamble, estimates that tribes'
overall cost savings from implementing electronic reporting will more
than compensate for these initial expenses. Additionally, EPA believes
that even in the absence of this proposed rule, Indian tribes
implementing electronic reporting on their own initiative would
generally choose to meet the criteria that this rule proposes. Thus,
Executive Order 13175 does not apply to this rule. In the spirit of
Executive Order 13175, and consistent with EPA policy to promote
communications between EPA and tribal governments, EPA specifically
solicits additional comment on this proposed rule from tribal
officials.
I. Executive Order 13211 (Energy Effects)
This rule is not a ``significant energy action'' as defined in
Executive Order 13211, ``Actions Concerning Regulations That
Significantly Affect Energy Supply, Distribution, or Use'' (66 FR 28355
(May 22, 2001)) because it is not likely to have a significant adverse
effect on the supply, distribution, or use of energy. EPA has concluded
that this rule is not likely to have any adverse energy effects.
List of Subjects
40 CFR Part 3
Electronic Reporting and recordkeeping requirements, Electronic
reports, Electronic records, Intergovernmental relations.
40 CFR Part 51
Environmental protection, Administrative practice and procedure,
Air pollution control, Carbon monoxide, Intergovernmental relations,
Lead, Nitrogen dioxide, Ozone, Particulate matter, Reporting and
recordkeeping requirements, Sulfur oxides, Volatile organic compounds,
Electronic Reporting and recordkeeping requirements, electronic
reports, electronic records.
40 CFR Part 60
Environmental protection, Administrative practice and procedure,
Air pollution control, Intergovernmental relations, Reporting and
recordkeeping requirements, Electronic Reporting and recordkeeping
requirements, electronic reports, electronic records.
40 CFR Part 63
Environmental protection, Air pollution control, Hazardous
substances, Reporting and recordkeeping requirements, Electronic
Reporting and recordkeeping requirements, Electronic reports,
Electronic records, Intergovernmental relations.
40 CFR Part 70
Environmental protection, Administrative practice and procedure,
Intergovernmental relations, Electronic Reporting and recordkeeping
[[Page 46188]]
requirements, Electronic reports, Electronic records.
40 CFR Part 123
Environmental protection, Administrative practice and procedure,
Confidential business information, Hazardous substances, Indians-lands,
Intergovernmental relations, Penalties, Reporting and recordkeeping
requirements, Water pollution control, Electronic Reporting and
recordkeeping requirements, Electronic reports, Electronic records.
40 CFR Part 142
Environmental protection, Administrative practice and procedure,
Chemicals, Indians-lands, Radiation protection, Reporting and
recordkeeping requirements, Water supply, Electronic Reporting and
recordkeeping requirements, Electronic reports, Electronic records,
Intergovernmental relations.
40 CFR Part 145
Environmental protection, Confidential business information,
Indians-lands, Intergovernmental relations, Penalties, Reporting and
recordkeeping requirements, Water supply, Electronic Reporting and
recordkeeping requirements, Electronic reports, Electronic records.
40 CFR Part 162
Environmental protection, Administrative practice and procedure,
Reporting and recordkeeping requirements, Pesticides and pests, State
registration of pesticide products, Electronic Reporting and record-
keeping requirements, Electronic reports, Electronic records,
Intergovernmental relations.
40 CFR Part 233
Environmental protection, Administrative practice and procedure,
Intergovernmental relations, Penalties, Reporting and recordkeeping
requirements, Water pollution control, Electronic Reporting and record-
keeping requirements, Electronic reports, Electronic records.
40 CFR Part 257
Environmental protection, Waste treatment and disposal, Electronic
Reporting and recordkeeping requirements, Electronic reports,
Electronic records, Intergovernmental relations.
40 CFR Part 258
Environmental protection, Reporting and recordkeeping requirements,
Waste treatment and disposal, Water pollution control, Electronic
Reporting and recordkeeping requirements, Electronic reports,
Electronic records, Intergovernmental relations.
40 CFR Part 271
Environmental protection, Administrative practice and procedure,
Confidential business information, Hazardous materials transportation,
Hazardous waste, Indians-lands, Intergovernmental relations, Penalties,
Reporting and record-keeping requirements, Water pollution control,
Water supply, Electronic Reporting and recordkeeping requirements,
Electronic reports, Electronic records.
40 CFR Part 281
Environmental protection, Administrative practice and procedure,
Hazardous substances, Insurance, Intergovernmental relations, Oil
pollution, Reporting and recordkeeping requirements, Surety bonds,
Water pollution control, Water supply, Electronic Reporting and record-
keeping requirements, Electronic reports, Electronic records.
40 CFR Part 403
Environmental protection, Confidential business information,
Reporting and recordkeeping requirements, Waste treatment and disposal,
Water pollution control, Electronic Reporting and record-keeping
requirements, Electronic reports, Electronic records, Intergovernmental
relations.
40 CFR Part 501
Environmental protection, Administrative practice and procedure,
Intergovernmental relations, Penalties, Reporting and recordkeeping
requirements, Sewage disposal, Electronic Reporting and record-keeping
requirements, Electronic reports, Electronic records.
40 CFR Part 745
Environmental protection, Hazardous substances, Lead poisoning,
Reporting and recordkeeping requirements, Electronic Reporting and
record-keeping requirements, Electronic reports, Electronic records,
Intergovernmental relations.
40 CFR Part 763
Environmental protection, Administrative practice and procedure,
Toxic substances, Asbestos, Hazardous substances, Imports, Reporting
and recordkeeping requirements, Electronic Reporting and record-keeping
requirements, Electronic reports, Electronic records, Intergovernmental
relations.
Dated: August 23, 2001.
Christine Todd Whitman,
Administrator.
Therefore, it is proposed that title 40 chapter I of the Code of
Federal Regulations be amended by adding a new part 3, and revising
parts 51, 60, 63, 70, 123, 142, 145, 162, 233, 257, 258, 271, 281, 403,
501, 745, and 763 to read as follows:
PART 3--[NEW] ELECTRONIC REPORTING; ELECTRONIC RECORDS
Subpart A--General Provisions
Sec.
3.1 Scope.
3.2 Implementation.
3.3 Definitions.
3.4 [Reserved]
Subpart B--Electronic Reporting to EPA
3.10 What are the requirements for acceptable electronic documents?
3.20 How will EPA provide notice of changes to the Central Data
Exchange?
3.30 [Reserved]
Subpart C--Electronic Record-keeping Under EPA Programs
3.100 What are the requirements for acceptable electronic records?
3.200 [Reserved]
Subpart D--Electronic Reporting and Record-keeping Under EPA-Approved
State Programs
3.1000 How are authorized State, tribal or local environmental
programs modified to allow electronic reporting?
3.2000 What are the criteria for acceptable electronic document
receiving systems?
3.3000 How are authorized State, tribal or local environmental
programs modified to allow electronic record-keeping?
3.4000 [Reserved]
Authority: 7 U.S.C. 136 to 136y; 15 U.S.C. 2601 to 2692; 33
U.S.C. 1251 to 1387; 33 U.S.C. 1401 to 1445; 33 U.S.C. 2701 to 2761;
42 U.S.C. 300f to 300j-26; 42 U.S.C. 6901-6992k; 42 U.S.C. 7401 to
7671q; 42 U.S.C. 9601 to 9675; 42 U.S.C. 11001 to 11050; 15 U.S.C.
7001; 44 U.S.C. 3504 to 3506.
Subpart A--General Provisions
Sec. 3.1 Scope.
What Is Covered by This Part?
(a) This part sets forth the conditions under which EPA will accept
the submission of electronic reports and other electronic documents, as
well as the maintenance of electronic records, by regulated entities,
as satisfying requirements under this Title to submit reports or other
documents, or to keep records. This part also sets forth the standards
and process for EPA approval of changes to authorized State, tribal,
[[Page 46189]]
and local environmental programs to allow electronic report or document
submission or electronic record maintenance in satisfaction of
requirements under such authorized programs. This part does not require
submission of electronic reports or documents or electronic
recordkeeping in lieu of paper. This part confers no right or privilege
to submit or maintain data electronically and does not obligate EPA, or
State, tribal or local agencies to accept electronic data.
(b) Subpart C of this part applies to records in electronic form
that are created, modified, maintained, archived, retrieved, or
transmitted by regulated entities under any recordkeeping requirements
under this Title. However, Subpart C of this part does not provide for
the conversion of existing paper documents or records into electronic
form. Subpart C of this part also does not apply to the Agency's
recordkeeping requirements set forth in regulations governing
contracts, grants, and financial management programs.
Sec. 3.2 Implementation.
What Requirements May Be Satisfied by Electronic Reporting and
Electronic Recordkeeping?
(a) Electronic reporting to EPA. Any requirement in this Title that
a document be created and transmitted or otherwise provided to EPA may
be satisfied with an electronic document, in lieu of a paper document,
provided that:
(1) The electronic document satisfies the requirements of
Sec. 3.10; and
(2) EPA has published a notice in the Federal Register announcing
that EPA is prepared to receive in electronic form documents required
or permitted by the named Part or Subpart of this Title.
(b) Electronic recordkeeping under EPA programs. Except as provided
under paragraph (d) of this section or excluded under Sec. 3.1(b), any
requirement in this Title that a record be maintained may be satisfied
by maintaining an electronic record, in lieu of a paper record provided
that:
(1) The electronic record satisfies the requirements of Sec. 3.100;
and
(2) EPA has published a notice in the Federal Register announcing
that EPA is prepared to recognize electronic records under the named
Part or Subpart of this Title.
(c) Electronic reporting and recordkeeping under an EPA-authorized
State, tribal, or local environmental program. Except as provided under
paragraph (d) of this section, any requirement under authorized State,
tribal, or local environmental programs that reports or documents be
submitted or records be maintained may be satisfied with electronic
report or document submission, or with electronic record maintenance,
respectively, provided that: EPA has approved, in accordance with
Subpart D of this part, the changes to the authorized State, tribal, or
local environmental program to allow the electronic report or document
submission or the electronic record maintenance in satisfaction of the
authorized program requirement.
(d) Limitation on the use of electronic records under EPA programs
and EPA-authorized State, tribal, or local environmental programs.
Electronic records that meet the requirements of this Part may be used
in lieu of paper records unless paper records are specifically required
by other provisions in this Title that take effect on or after [date of
promulgation of this regulation].
Sec. 3.3 Definitions.
What definitions are applicable to this part? The definitions set
forth in this section apply when used in this part.
Acknowledgment means a confirmation of document receipt.
Administrator means the Administrator of the Environmental
Protection Agency.
Agency means the Environmental Protection Agency or a State,
tribal, local or other federal agency that administers a federal
environmental program under this Title.
Agency electronic signature means an electronic signature of an
individual who is authorized to sign an electronic document on an
agency's behalf.
Authorized State, Tribal, or local environmental program means an
environmental program which EPA has approved, authorized, or delegated
to a State, tribe or local government to administer under a federal
environmental program.
Communicate means to successfully and accurately convey a document,
data, or information from one entity to another.
Electronic document means a document that is submitted to an agency
or third-party as an electronic record, and communicated via a
telecommunications network. For purposes of this part, electronic
document excludes documents submitted on such magnetic media as
diskettes, compact disks or tapes; it also excludes facsimiles.
Electronic document receiving system means any set of apparatus,
procedures, software, records or documentation used to receive
documents communicated to it via a telecommunications network.
Electronic record means any combination of text, graphics, data,
audio, pictorial, or other information represented in digital form that
is created, modified, maintained, archived, retrieved or distributed by
a computer system.
Electronic record-retention system means any set of apparatus,
procedures, software, records or documentation used to retain exact
electronic copies of electronic records and electronic documents.
Electronic submission mechanism means any set of apparatus,
procedures, software, records or documentation used to communicate an
electronic document to an electronic document receiving system.
Electronic signature means any electronic record that is
incorporated into (or appended to) an electronic document for the
purpose of expressing the same meaning and intention that an
individual's handwritten signature would express if affixed in the same
relation to the document's content presented on paper.
Electronic signature device means a code or other mechanism that is
used to create electronic signatures. Where the device is used to
create an individual's electronic signature, then the code or mechanism
must uniquely belong to or be associated with or assigned to that
individual. Where the device is used to create an organization's
electronic signature, then the code or mechanism must uniquely belong
to or be associated with or assigned to that organization.
EPA means the United States Environmental Protection Agency.
Handwritten signature means the scripted name or legal mark of an
individual, handwritten by that individual with a writing or marking
instrument such as a pen or stylus and executed or adopted with the
present intention to authenticate a writing in a permanent form. The
physical instance of the scripted name or mark so created constitutes
the handwritten signature. The scripted name or legal mark, while
conventionally applied to paper, may also be applied to other hard
media.
Metadata means data that describes the properties of other data or
collections of data (e.g., a database); with respect to a database or
file containing data, metadata could include information about the
database's structure, the date and time that data was created or added
or changed, definitions of the data elements, descriptions of the
accuracy of the data, etc.
[[Page 46190]]
Receive means to successfully acquire electronic documents in a
format that can be processed by the receiving system.
Regulated entity means any entity that maintains records or submits
documents to EPA to satisfy requirements under this Title, or that
maintains records or submits documents to a State, tribal, or local
agency to satisfy requirements under programs authorized under this
Title. A State, tribal, or local agency or tribe may be a regulated
entity where it maintains records or submits documents to satisfy
requirements that apply to it under this Title (including regulations
governing authorized State, tribal, or local programs); a State,
tribal, or local agency will not be a regulated entity where it
maintains records or submits documents exclusively for other purposes,
for example as a part of administrative arrangements between States and
EPA to share data.
Submit means to communicate a document so that it is received by
the intended recipient.
Third-party system means an electronic document receiving system
that is owned or operated by an entity that is neither a submitter of
the electronic documents the system receives nor an agency to which
these electronic documents are submitted.
Sec. 3.4 [Reserved]
Subpart B--Electronic Reporting to EPA
Sec. 3.10 What are the requirements for acceptable electronic
documents?
(a) An electronic document will satisfy a federal environmental
reporting requirement or otherwise substitute for a paper submission
permitted or required under this Title only if:
(1) The electronic document is submitted to an electronic document
receiving system as provided under paragraph (b) of this section, and
(2) The electronic document bears valid electronic signatures, as
provided in paragraphs (c), (d) and (e) of this section, to the same
extent that the paper submission for which it substitutes would bear
handwritten signatures.
(b) Electronic documents submitted to EPA to satisfy a federal
environmental reporting requirement or otherwise substitute for a paper
submission permitted or required by a federal environmental program
must be submitted to either:
(1) EPA's Central Data Exchange; or
(2) Another EPA electronic document receiving system that the
Administrator may designate for the receipt of specified submissions.
(c) An electronic signature is valid if and only if:
(1) The electronic signature is created by a person who is
authorized to sign the document, with an electronic signature device
that this person is authorized to use; and
(2) The electronic signature meets the validation requirements of
the electronic document receiving system to which it is submitted.
(d) A valid electronic signature on any electronic document
submitted to satisfy a federal or federally authorized State, tribal or
local government environmental reporting requirement legally binds or
obligates the signatory, or makes the signatory responsible, to the
same extent as the signatory's hand-written signature on a paper
document submitted to satisfy the same federal or federally authorized
environmental reporting requirement.
(e) Proof that an individual's electronic signature was affixed to
an electronic document is evidence, and may suffice to establish, that
the individual who was issued that signature affixed the signature and
did so with the intent to sign the electronic document to give it
effect.
Sec. 3.20 How will EPA provide notice of changes to the Central Data
Exchange?
(a) Except as provided under paragraph (b) of this section,
whenever EPA plans to change Central Data Exchange hardware or software
in ways that would affect the submission process:
(1) Where the equipment, software or services needed to submit
electronic reports to the Central Data Exchange would be changed, EPA
will provide public notice and seek comment on the proposed change at
least a year in advance of the proposed implementation date;
(2) Otherwise, EPA will provide public notice at least sixty (60)
days in advance of implementation.
(b) Any change which the Administrator determines is needed to
ensure the security and integrity of the Central Data Exchange is
exempt from the provisions of paragraph (a) of this section. However,
to the extent consistent with ensuring the security and integrity of
the system, EPA will provide public notice of any change to the Central
Data Exchange made under the authority expressly reserved by this
subsection.
Sec. 3.30 [Reserved]
Subpart C--Electronic Recordkeeping under EPA Programs
Sec. 3.100 What are the requirements for acceptable electronic
records?
(a) An electronic record or electronic document will satisfy a
recordkeeping requirement of an EPA-administered federal environmental
program under this Title only if it is generated and maintained by an
acceptable electronic record-retention system as specified under this
subsection. For purposes of maintaining electronic records that satisfy
recordkeeping requirements under this Title, an acceptable electronic
record-retention system must:
(1) Generate and maintain accurate and complete electronic records
and electronic documents in a form that may not be altered without
detection;
(2) Maintain all electronic records and electronic documents
without alteration for the entirety of the required period of record
retention;
(3) Produce accurate and complete copies of any electronic record
or electronic document and render these copies readily available, in
both human readable and electronic form, for on-site inspection and
off-site review, for the entirety of the required period of record
retention;
(4) Provide that any electronic record or electronic document
bearing an electronic signature contain the name of the signatory, the
date and time of signature, and any information that explains the
meaning of the affixed signature;
(5) Prevent an electronic signature that has been affixed to an
electronic record or electronic document from being detached, copied,
or otherwise compromised;
(6) Use secure, computer-generated, time-stamped audit trails that
automatically record the date and time of operator entries and actions
that create, modify, or delete electronic records or documents;
(7) Ensure that record changes do not obscure previously recorded
information and that audit trail documentation is retained for a period
at least as long as that required for the subject electronic records or
electronic documents to be available for agency review;
(8) Ensure that electronic records and electronic documents are
searchable and retrievable for reference and secondary uses, including
inspections, audits, legal proceedings, third party disclosures, as
required by applicable regulations, for the entirety of the required
period of record retention;
[[Page 46191]]
(9) Archive electronic records and documents in an electronic form
which preserves the context, metadata, and audit trail, and, if
required, must ensure that:
(i) Complete records can be transferred to a new system;
(ii) Related metadata can be transferred to a new system;
(iii) Functionality necessary for use of records can be reproduced
in new system; and
(b) Computer systems (including hardware and software), controls,
and attendant documentation maintained under this Part must be readily
available for, and subject to, agency inspection.
(c) Where electronic records bear electronic signatures that meet
the requirements in paragraphs (a)(4) and (a)(5) of this section, EPA
will consider the electronic signatures to be equivalent to full
handwritten signatures, initials, and other general signings as
required by federal or federally authorized State, tribal or local
government environmental regulations, unless specifically excepted by
regulation(s) effective on or after [date of promulgation of this
regulation].
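Added example, not part of the proposed rule text: one way a record-retention system could meet the tamper-detection, time-stamped audit trail and non-obscuring change criteria of Sec. 3.100(a)(1), (a)(6) and (a)(7), sketched in Python as an append-only, MAC-chained log. The class and field names, the HMAC key handling and the sample monitoring values are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_mac value used by the first entry in the chain


class AuditTrail:
    """Append-only log of create/modify/delete actions (hypothetical design).

    Each entry carries a system-generated timestamp and an HMAC-SHA256 over
    its own fields plus the previous entry's MAC, so editing, reordering or
    removing an earlier entry breaks every MAC that follows it.
    """

    ACTIONS = ("create", "modify", "delete")

    def __init__(self, key: bytes, clock=None):
        self._key = key  # assumption: held by the system, not by operators
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.entries = []

    def _mac(self, body: dict) -> str:
        # Canonical JSON so the same fields always serialize identically.
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hmac.new(self._key, canonical.encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def record(self, operator, action, record_id, content=None):
        """Append one entry; earlier entries are never rewritten."""
        if action not in self.ACTIONS:
            raise ValueError("unknown action: %r" % (action,))
        body = {
            "seq": len(self.entries),
            "time": self._clock().isoformat(),  # set by the system clock
            "operator": operator,
            "action": action,
            "record_id": record_id,
            "content": content,
            "prev_mac": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        entry = dict(body, mac=self._mac(body))
        self.entries.append(entry)
        return entry

    def first_invalid(self, expected_head=None):
        """Return the index of the first entry that fails verification.

        Returns None when the whole chain verifies. The chain alone cannot
        show that trailing entries were removed, so a caller may pass the
        last MAC it stored elsewhere as expected_head; a mismatch is then
        reported as index len(entries).
        """
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            ok = (body.get("seq") == i
                  and body.get("prev_mac") == prev
                  and hmac.compare_digest(self._mac(body),
                                          str(entry.get("mac", ""))))
            if not ok:
                return i
            prev = entry["mac"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return None

    def history(self, record_id):
        """Every action ever taken on a record, oldest first."""
        return [e for e in self.entries if e["record_id"] == record_id]

    def current(self, record_id):
        """Latest content of a record, or None if absent or deleted."""
        hist = self.history(record_id)
        if not hist or hist[-1]["action"] == "delete":
            return None
        return hist[-1]["content"]


if __name__ == "__main__":
    # Constructed sample data: two operators editing one monitoring record.
    trail = AuditTrail(key=b"constructed-demo-key")
    trail.record("operator-a", "create", "DMR-0001", "pH 7.1")
    trail.record("operator-b", "modify", "DMR-0001", "pH 7.4")
    print("chain intact:", trail.first_invalid() is None)
    print("prior values:", [e["content"] for e in trail.history("DMR-0001")])
    trail.entries[0]["content"] = "pH 6.0"  # simulate an out-of-band edit
    print("first invalid entry after edit:", trail.first_invalid())
```

Keeping the latest MAC in a separate store lets an inspector detect removal of the most recent entries as well as edits to older ones.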
Sec. 3.200 [Reserved]
Subpart D--Electronic Reporting and Recordkeeping Under EPA-
Approved State Programs
Sec. 3.1000 How are authorized State, tribal or local environmental
programs modified to allow electronic reporting?
(a) States, tribes, or local environmental programs that wish to
receive electronic reports or documents in satisfaction of requirements
under such programs must revise or modify the EPA-approved State,
tribal, or local environmental program to ensure that it meets the
requirements of this part. The State, tribe, or local government must
use existing State, tribal, or local environmental program procedures
in making these program revisions or modifications.
(b) In order for EPA to approve a program revision under paragraph
(a) of this section the State, tribe, or local government must
demonstrate that electronic reporting under this program will:
(1) Use an acceptable electronic document receiving system as
specified under Sec. 3.2000;
(2) Require that any electronic report or document must bear valid
electronic signatures, as provided in Sec. 3.10(c), (d) and (e), to the
same extent that the paper submission for which it substitutes would
bear handwritten signatures under the State, tribal, or local
environmental program.
Sec. 3.2000 What are the criteria for acceptable electronic document
receiving systems?
An electronic document receiving system that is acceptable for
purposes of receiving electronic reports or documents submitted under
provisions of an authorized State, tribal or local environmental
program must meet all of the following requirements:
(a) General system-security. An acceptable electronic document
receiving system must:
(1) Have strong and effective protections against unauthorized
access to the system;
(2) Have strong and effective protections against the unauthorized
use of any electronic signature on electronic documents submitted or
received;
(3) Provide for the detection of unauthorized access or attempted
access to the system and unauthorized use or attempted use of any
electronic signature on electronic documents submitted or received;
(4) Prevent the modification of an electronic document once an
electronic signature has been affixed;
(5) Ensure that the electronic documents and other files necessary
to meet the requirements under paragraphs (f) and (g) of this section
are protected from modification or deletion;
(6) Ensure that the system clock is accurate and protected from
tampering or other compromise; and
(7) Have strong and effective protections against any other
foreseeable corruption or compromise of the system.
(b) Validity of data. An acceptable electronic document receiving
system must generate data sufficient to prove, in private litigation,
civil enforcement proceedings, and criminal proceedings, that:
(1) The electronic document was not altered in transmission or at
any time after receipt; and
(2) The electronic document was submitted knowingly and not by
accident; and
(3) In the case of documents requiring the signature of an
individual, that the document was actually submitted by the authorized
signature holder and not some other person.
(c) Electronic signature method. By virtue of its presence as a
part of an electronic document submitted or received, an electronic
signature must uniquely identify the particular individual who has used
it to sign an electronic document or otherwise certify to the truth or
accuracy of the document contents; therefore, an acceptable electronic
document receiving system must only validate electronic signatures
created with a method that:
(1) Meets the registration requirements of paragraph (d) of this
section;
(2) Meets the signature/certification requirements of paragraph (e)
of this section;
(3) Prevents an electronic signature from being excised, modified,
or copied for re-use without detection once it has been affixed to an
electronic document by the authorized individual;
(4) Provides protection against the use of a specific electronic
signature by unauthorized individuals;
(5) Ensures that it is impossible to modify an electronic document
without detection once the electronic signature has been affixed.
(d) Submitter registration process. An acceptable electronic
document receiving system must require that anyone who submits an
electronic document to the system first register with the agency to
which the document is to be submitted. The registration process must
establish the identities of both the registrant, who is the prospective
submitter, and any entity that the registrant is authorized to
represent, and must establish that the registrant is authorized to
submit the document in question for the entity being represented. In
addition, where the documents to be received will require signature,
the registration process must:
(1) Establish the registrant's identity, and the registrant's
relation to any entity for which the registrant will submit electronic
documents, with evidence that can be verified by information sources
that are independent of the registrant and the entity or entities in
question and that would be sufficient to identify the registrant as the
signature holder for purposes of supporting litigation consistent with
paragraph (b) of this section;
(2) Establish and document a unique correlation between the
registrant and the code or device that will constitute or create the
electronic signature of the registrant as a submitter;
(3) Require that the registrant sign on paper, or in such other
manner or medium as the Administrator in his or her discretion may
determine as appropriate for a category of electronic reports, an
electronic signature agreement specifying at a minimum that the
registrant agrees to:
(i) Protect the electronic signature from unauthorized use, and
follow any procedures specified by the agency for this purpose;
(ii) Be held as legally bound, obligated, or responsible by use of
the assigned electronic signature as by hand-written signature;
[[Page 46192]]
(iii) Where the signature method is based on a secret code or key,
maintain the confidentiality of each component of the electronic
signature;
(iv) In any case, never to delegate the use of the electronic
signature, or in any other way intentionally provide access to its use,
to any other individual for any reason; and
(v) Report to the entity specified in the electronic signature
agreement, within twenty-four hours of discovery, any evidence of the
loss, theft, or other compromise of any component of an electronic
signature;
(4) Provide for the automatic and immediate revocation of an
electronic signature in the event of:
(i) Any actual or apparent violation of the electronic signature
agreement;
(ii) Any evidence that the signature has been compromised, whether
or not this is reported by the registrant to whom the signature was
issued; or
(iii) Notification from an entity that the registrant is no longer
authorized by the entity to submit electronic documents on its behalf;
(5) Require that the registrant periodically renew his or her
electronic signature agreement, under terms that the Administrator
determines provide adequate assurance that the criteria of paragraphs
(a) and (b) of this section are met, taking into account both
applicable contractual provisions and industry standards for renewal or
re-issuance of signature codes or devices.
(e) Electronic signature/certification scenario. An acceptable
electronic document receiving system that may be used to accept
electronic documents bearing an electronic signature must:
(1) Not allow an electronic signature to be affixed to the
electronic document until:
(i) The signatory has been provided an opportunity to review all of
the data to be transmitted in an on-screen visual format that clearly
associates the descriptions or labeling of the information being
requested with the signatory's response and which format is identical
or nearly identical to the visual format in which a corresponding paper
document would be submitted; and
(ii) A certification statement that is identical to that which
would be required for a paper submission of the document appears on-
screen in an easily-read format immediately above a prompt to affix the
certifying signature, together with a prominently displayed warning
that by affixing the signature the signatory is agreeing that he or she
is the authorized signature holder--referred to by name--has protected
the security of the signature as required by the electronic signature
agreement signed under paragraph (d)(3) of this section and is
otherwise using the signature in compliance with the electronic
signature agreement;
(2) Automatically respond to the receipt of an electronic document
with transmission of an electronic acknowledgment that:
(i) States that the signed electronic document has been received,
clearly identifies the electronic document received, indicates how the
signatory may view and download a copy of the electronic document
received from a read-only source, and states the date and time of
receipt; and
(ii) Is sent to an address whose access is controlled by password,
codes or other mechanisms that are different than the controls used to
gain access to the system used to sign/certify and send the electronic
document;
(3) Automatically create an electronic ``copy of record'' of the
submitted report that includes all the warnings, instructions and
certification statements presented to the signatory during the
signature/certification scenario as described under paragraph (e)(1) of
this section, and that:
(i) Can be viewed by the signatory, in its entirety, on-screen in a
human-readable format that clearly and accurately associates all of the
information provided by the signatory with the descriptions or labeling
of the information that was requested;
(ii) Includes the date and time of receipt stated in the electronic
acknowledgment required by paragraph (e)(2) of this section;
(iii) Has an agency electronic signature affixed that satisfies the
requirements for electronic signature method under paragraphs (c)(3),
(c)(4), and (c)(5) of this section;
(iv) Is archived by the system in compliance with the requirements
of paragraph (g) of this section;
(v) Is made available to the submitter for viewing and
downloading; and
(vi) Is protected from unauthorized access.
(f) Transaction Record. An acceptable electronic document receiving
system must create a transaction record for each received electronic
document that includes:
(1) The precise routing of the electronic report from the
submitter's computer to the electronic document receiving system;
(2) The precise date and time (based on the system clock) of:
(i) Initial receipt of the electronic document;
(ii) Sending of electronic acknowledgment under paragraph (e)(2) of
this section;
(iii) Copy of record created under paragraph (e)(3) of this
section;
(3) Copy of record as specified under paragraph (e)(3) of this
section.
(g) System archives. An acceptable electronic document receiving
system must:
(1) Maintain:
(i) The transaction records specified under paragraph (f) of this
section, and
(ii) Records of the system on-screen interface displayed to a user
under paragraph (e) of this section that can be correlated to the
submission of any particular report (including instructions, prompts,
warnings, data formats and labels, as well as the sequencing and
functioning of these elements);
(2) Maintain the records specified under paragraph (g)(1) of this
section for at least the same length of time as would be required for a
paper document that corresponds to the received electronic document,
and in a way that:
(i) Can be demonstrated to have preserved them in their entirety
without alteration since the time of their creation; and
(ii) Provides access to these records in a timely manner that meets
the needs of their authorized users.
Sec. 3.3000 How are authorized State, tribal or local environmental
programs modified to allow electronic recordkeeping?
(a) States, tribes, or local environmental programs that wish to
allow the maintenance of electronic records or documents in
satisfaction of requirements under such programs must revise or modify
the EPA-approved State, tribal, or local environmental program to
ensure that it meets the requirements of this part. The State, tribe,
or local government must use existing State, tribal or local
environmental program procedures in making these program revisions or
modifications.
(b) In order for EPA to approve a program revision under paragraph
(a) of this section the State, tribe, or local government must
demonstrate that records maintained electronically under this program
will satisfy the requirements under Sec. 3.100 of this part.
Sec. 3.4000 [Reserved]
PART 51--REQUIREMENTS FOR PREPARATION, ADOPTION, AND SUBMITTAL OF
IMPLEMENTATION PLANS
1. The authority citation for part 51 continues to read as follows:
[[Page 46193]]
Authority: 23 U.S.C. 101; 42 U.S.C. 7401-7671q.
2. Section 51.286 is added to Subpart O of this part to read as
follows:
Sec. 51.286 Electronic reporting.
States that wish to receive electronic documents or allow
electronic recordkeeping must revise the State Implementation Plan to
satisfy the requirements of 40 CFR part 3--(Electronic reporting).
PART 60--STANDARDS OF PERFORMANCE FOR NEW STATIONARY SOURCES
1. The authority citation for part 60 continues to read as follows:
Authority: 42 U.S.C. 7401-7601.
2. Section 60.7 is amended by revising introductory text in
paragraph (a) to read as follows:
Sec. 60.7 Notification and recordkeeping.
(a) Any owner or operator subject to the provisions of this part
shall furnish the Administrator written notification or, if acceptable
to both the Administrator and the owner or operator of a source,
electronic notification consistent with the requirements of 40 CFR part
3--(Electronic reporting), as follows:
* * * * *
PART 63--NATIONAL EMISSION STANDARDS FOR HAZARDOUS AIR POLLUTANTS
FOR SOURCE CATEGORIES
1. The authority citation for part 63 continues to read as follows:
Authority: 42 U.S.C. 7401 et seq.
2. Section 63.6 is amended by adding a new paragraph (k) to read as
follows:
Sec. 63.6 Compliance with standards and maintenance requirements.
* * * * *
(k) Electronic documents and recordkeeping. Submission of
electronic documents and retention of electronic records shall comply
with the requirements of 40 CFR part 3--(Electronic reporting).
PART 70--STATE OPERATING PERMIT PROGRAMS
1. The authority citation for part 70 continues to read as follows:
Authority: 42 U.S.C. 7401, et seq.
2. Section 70.1 is amended by adding a new paragraph (f) to read as
follows:
Sec. 70.1 Program overview.
* * * * *
(f) States that choose to receive electronic documents or allow
electronic recordkeeping must satisfy the requirements of 40 CFR part
3--(Electronic reporting) in their program.
PART 123--STATE PROGRAM REQUIREMENTS
1. The authority citation for part 123 continues to read as
follows:
Authority: Clean Water Act, 33 U.S.C. 1251 et seq.
2. Section 123.25 is amended by revising paragraphs (a)(44) and
(a)(45), and adding a new paragraph (a)(46) to read as follows:
Sec. 123.25 Requirements for permitting.
(a) * * *
(44) Section 122.35 (As an operator of a regulated small MS4, may I
share the responsibility to implement the minimum control measures with
other entities?);
(45) Section 122.36 (As an operator of a regulated small MS4, what
happens if I don't comply with the application or permit requirements
in Secs. 122.33 through 122.35?); and
(46) For States that wish to receive electronic documents or allow
electronic recordkeeping, 40 CFR part 3--(Electronic reporting).
* * * * *
PART 142--NATIONAL PRIMARY DRINKING WATER REGULATIONS
IMPLEMENTATION
1. The authority citation for part 142 continues to read as
follows:
Authority: 42 U.S.C. 300f, 300g-1, 300g-2, 300g-3, 300g-4, 300g-
5, 300g-6, 300j-4, 300j-9, and 300j-11.
2. Section 142.10 is amended by adding paragraph (h) to read as
follows:
Sec. 142.10 Requirements for a determination of primary enforcement
responsibility.
* * * * *
(h) Has adopted regulations consistent with 40 CFR part 3--
(Electronic reporting) if the State receives electronic documents or
allows electronic record-keeping.
PART 145--REQUIREMENTS FOR STATE PROGRAMS
1. The authority citation for part 145 continues to read as
follows:
Authority: 42 U.S.C. 300f et seq.
2. Section 145.11 is amended by revising paragraphs (a)(30),
(a)(31), (a)(32), and adding paragraph (a)(33) to read as follows:
Sec. 145.11 Requirements for permitting.
(a) * * *
(30) Section 124.12(a)--(Public hearings);
(31) Section 124.17(a) and (c)--(Response to comments);
(32) Section 144.88--(What are the additional requirements?); and
(33) For States that wish to receive electronic documents or allow
electronic recordkeeping, 40 CFR part 3--(Electronic reporting).
* * * * *
PART 162--STATE REGISTRATION OF PESTICIDE PRODUCTS
1. The authority citation for part 162 continues to read as
follows:
Authority: U.S.C. 136v, 136w.
2. Section 162.153 is amended by adding a new paragraph (a)(6) to
read as follows:
(a) * * *
(6) Electronic reporting and Recordkeeping under State Registration
of Pesticide Products. States that choose to receive electronic
documents or allow electronic records under the regulations pertaining
to State registration of pesticides to meet special local needs, must
ensure that the requirements of 40 CFR part 3--(Electronic reporting)
are satisfied by their State registration program.
* * * * *
PART 233--404 STATE PROGRAM REGULATIONS
1. The authority citation for part 233 continues to read as
follows:
Authority: 33 U.S.C. 1251 et seq.
2. A new Sec. 233.39 is added to Subpart D of this part to read as
follows:
Sec. 233.39 Electronic Reporting and Recordkeeping.
States that choose to receive electronic documents or allow
electronic recordkeeping must include the requirements of 40 CFR part
3--(Electronic reporting) in their State program.
PART 257--CRITERIA FOR CLASSIFICATION OF SOLID WASTE DISPOSAL
FACILITIES AND PRACTICES
1. The authority citation for part 257 continues to read as
follows:
Authority: 42 U.S.C. 6907(a)(3), 6912(a)(1), 6944(a) and
6949(c), 33 U.S.C. 1345(d) and (e).
2. Section 257.30 is amended by adding a new paragraph (d) to read
as follows:
Sec. 257.30 Recordkeeping requirements.
* * * * *
[[Page 46194]]
(d) The Director of an approved State program may receive
electronic documents or allow electronic recordkeeping only if the
State program includes the requirements of 40 CFR part 3--(Electronic
reporting).
PART 258--CRITERIA FOR MUNICIPAL SOLID WASTE LANDFILLS
1. The authority citation for part 258 continues to read as
follows:
Authority: 33 U.S.C. 1345 (d) and (e); 42 U.S.C. 6902(a), 6907,
6912(a), 6944, 6945(c) and 6949a(c).
2. Section 258.29 is amended by adding a new paragraph (d) to read
as follows:
Sec. 258.29 Recordkeeping requirements.
* * * * *
(d) The Director of an approved State program may receive
electronic documents or allow electronic recordkeeping only if the
State program includes the requirements of 40 CFR part 3--(Electronic
reporting).
PART 271--REQUIREMENTS FOR AUTHORIZATION OF STATE HAZARDOUS WASTE
PROGRAMS
1. The authority citation for part 271 continues to read as
follows:
Authority: 42 U.S.C. 6905, 6912 and 6926.
2. Section 271.10 is amended by revising paragraph (d) to read as
follows:
Sec. 271.10 Requirements for generators of hazardous waste.
* * * * *
(b) The State shall have authority to require and shall require all
generators to comply with reporting and recordkeeping requirements
equivalent to those under 40 CFR 262.40 and 262.41. States must require
that generators keep these records at least 3 years. States that choose
to receive electronic documents or allow electronic recordkeeping must
include the requirements of 40 CFR part 3--(Electronic reporting) in
their Program (except that States that choose to receive electronic
manifests and/or permit the use of electronic manifests must comply
with paragraph (f) of this section).
* * * * *
2. Section 271.12 is amended by revising paragraph (h) to read as
follows:
Sec. 271.12 Requirements for hazardous waste management facilities.
* * * * *
(h) Inspections, monitoring, recordkeeping, and reporting. States
that choose to receive electronic documents or allow electronic
recordkeeping must include the requirements of 40 CFR part 3--
(Electronic reporting) in their Program (except that States that choose
to receive electronic manifests and/or permit the use of electronic
manifests must comply with paragraph (i) of this section);
* * * * *
PART 281--APPROVAL OF STATE UNDERGROUND STORAGE TANK PROGRAMS
1. The authority citation for part 281 continues to read as
follows:
Authority: 42 U.S.C. 6912, 6991 (c), (d), (e), (g).
2. Section 281.40 is amended by revising paragraph (d) to read as
follows:
Sec. 281.40 Requirements for compliance monitoring program and
authority.
* * * * *
(d) State programs must have procedures for receipt, evaluation,
retention and investigation of records and reports required of owners
or operators and must provide for enforcement of failure to submit
these records and reports. States that choose to receive electronic
documents or allow electronic recordkeeping must include the
requirements of 40 CFR part 3--(Electronic reporting) in their State
program.
* * * * *
PART 403--GENERAL PRETREATMENT REGULATIONS FOR EXISTING AND NEW
SOURCES OF POLLUTION
1. The authority citation for part 403 continues to read as
follows:
Authority: 33 U.S.C. 1251 et seq.
2. Section 403.8 is amended by adding a new paragraph (g) to read
as follows:
Sec. 403.8 Pretreatment Program Requirements: Development and
Implementation by POTW.
* * * * *
(g) A POTW pretreatment program may receive electronic documents or
allow electronic recordkeeping only if the POTW pretreatment program
includes the requirements of 40 CFR part 3--(Electronic reporting).
2. Section 403.12 is amended by adding a new paragraph (q) to read
as follows:
Sec. 403.12.40 Reporting requirements for POTW's and industrial users.
* * * * *
(q) The Control Authority may receive electronic documents or allow
electronic recordkeeping only in compliance with the requirements of 40
CFR part 3--(Electronic reporting).
PART 501--STATE SLUDGE MANAGEMENT PROGRAM REGULATIONS
1. The authority citation for part 501 continues to read as
follows:
Authority: 33 U.S.C. 1251 et seq.
2. Section 501.15 is amended by adding a new paragraph (a)(4) to
read as follows:
Sec. 501.15 Requirements for permitting.
(a) * * *
(4) Information requirements: All treatment works treating domestic
sewage shall submit to the Director within the time frames established
in paragraph (d)(1)(ii) of this section the information listed in (i)-
(xii) of this paragraph. The Director of an approved State program may
receive electronic documents or allow electronic recordkeeping only if
the State program includes the requirements of 40 CFR part 3--
(Electronic reporting).
* * * * *
PART 745--LEAD-BASED PAINT POISONING PREVENTION IN CERTAIN
RESIDENTIAL STRUCTURES
1. The authority citation for part 745 continues to read as
follows:
Authority: 15 U.S.C. 2605, 2607, 2681-2692 and 42 U.S.C. 4852d.
2. Section 745.327 is amended by adding a new paragraph (f) to read
as follows:
Sec. 745.327 State or Indian Tribal lead-based paint compliance and
enforcement programs.
* * * * *
(f) Electronic reporting and Record-keeping under State or Indian
Tribal programs. States and Tribes that choose to receive electronic
documents or allow electronic records under the authorized State or
Indian Tribal lead-based paint program, must ensure that the
requirements of 40 CFR part 3--(Electronic reporting) are satisfied in
their lead-based paint program.
PART 763--ASBESTOS
1. The authority citation for part 763 continues to read as
follows:
Authority: 15 U.S.C. 2605, 2607(c), 2643, and 2646.
2. Section 763.98 is amended by revising paragraphs (a)(1), (b)(3),
and (d)(3) to read as follows:
[[Page 46195]]
Sec. 763.98 Waiver; delegation to State.
(a) General. (1) Upon request from a State Governor and after
notice and comment and an opportunity for a public hearing in
accordance with paragraphs (b) and (c) of this section, EPA may waive
some or all of the requirements of this subpart E if the State has
established and is implementing or intends to implement a program of
asbestos inspection and management that contains requirements that are
at least as stringent as the requirements of this subpart. In addition,
if the State chooses to receive electronic documents or allow
electronic recordkeeping, the State program must include, at a minimum,
the requirements of 40 CFR part 3--(Electronic reporting).
* * * * *
(b) * * *
(3) Detailed reasons, supporting papers, and the rationale for
concluding that the State's asbestos inspection and management program
provisions for which the request is made are at least as stringent as
the requirements of Subpart E of this part, and that, if the State
chooses to receive electronic documents or allow electronic
recordkeeping, the State program includes, at a minimum, the
requirements of 40 CFR part 3--(Electronic reporting).
* * * * *
(d) * * *
(3) The State has an enforcement mechanism to allow it to implement
the program described in the waiver request and any electronic
reporting and recordkeeping requirements are at least as stringent as
40 CFR part 3--(Electronic reporting).
* * * * *
3. In part 763, paragraph I, of appendix C to subpart E of this
part is amended to add a new subparagraph (I) to read as follows:
Appendix C to Subpart E--Asbestos Model Accreditation Plan
I. Asbestos Model Accreditation Plan for States
* * * * *
(I) Electronic Reporting and Recordkeeping
States that choose to receive electronic documents or allow
electronic recordkeeping must include, at a minimum, the requirements
of 40 CFR part 3--(Electronic reporting) in their programs.
[FR Doc. 01-21810 Filed 8-30-01; 8:45 am]